05-11-2015 03:15 AM - edited 03-07-2019 11:57 PM
Hi,
I have a Cisco C837 running IOS version 12.4(15)T14,
and I've applied an access-list that has all the Facebook IP addresses, which I denied on e0, and everything worked fine.
Then I noticed that if I manually change the DNS on any machine to some other DNS servers, Facebook works smoothly.
Why is that happening?
Is there any method to shut Facebook down completely?
Here is my access-list:
ip access-list extended Block_Facebook
deny ip 192.168.1.0 0.0.0.255 173.252.100.16 0.0.63.255
deny ip 192.168.1.0 0.0.0.255 173.252.64.0 0.0.63.255
deny ip 192.168.1.0 0.0.0.255 31.13.24.0 0.0.7.255
deny ip 192.168.1.0 0.0.0.255 31.13.64.0 0.0.63.255
deny ip 192.168.1.0 0.0.0.255 66.220.144.0 0.0.15.255
deny ip 192.168.1.0 0.0.0.255 69.63.176.0 0.0.15.255
deny ip 192.168.1.0 0.0.0.255 69.171.224.0 0.0.31.255
deny ip 192.168.1.0 0.0.0.255 74.119.76.0 0.0.3.255
deny ip 192.168.1.0 0.0.0.255 103.4.96.0 0.0.3.255
deny ip 192.168.1.0 0.0.0.255 204.15.20.0 0.0.3.255
deny ip 192.168.1.0 0.0.0.255 173.252.70.0 0.0.0.255
permit udp any eq bootpc any eq bootps
permit ip 192.168.1.0 0.0.0.255 any
and on e0
ip access-group Block_Facebook in
05-11-2015 04:29 AM
Different DNS servers might return different IPs for the same FQDN. That could be for redundancy, load balancing, or serving requests based on location.
On the PC that has a changed DNS server, look at which addresses your requests resolve to and compare that to your ACL.
Perhaps there is a better approach:
ip host www.facebook.com 10.10.10.10 ! or ip host www.facebook.com 127.0.0.1
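To do the comparison Karsten suggests, here is an added Python script (not from this thread) that loads the questioner's deny entries as Cisco address/wildcard pairs and reports which resolved addresses would slip past them; the resolver answers in it are constructed sample values, not real lookups.

```python
import ipaddress

# Deny entries copied from the ACL in the question as (address, wildcard) pairs.
ACL_DENY = [
    ("173.252.100.16", "0.0.63.255"), ("173.252.64.0", "0.0.63.255"),
    ("31.13.24.0", "0.0.7.255"),      ("31.13.64.0", "0.0.63.255"),
    ("66.220.144.0", "0.0.15.255"),   ("69.63.176.0", "0.0.15.255"),
    ("69.171.224.0", "0.0.31.255"),   ("74.119.76.0", "0.0.3.255"),
    ("103.4.96.0", "0.0.3.255"),      ("204.15.20.0", "0.0.3.255"),
    ("173.252.70.0", "0.0.0.255"),
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def entry_range(entry):
    """First and last address an (address, wildcard) entry covers.
    A wildcard bit of 1 means 'don't care'; the care mask is its complement."""
    addr, wildcard = entry
    care = ~_ip(wildcard) & 0xFFFFFFFF
    first = _ip(addr) & care
    last = first | _ip(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def acl_matches(ip, entry):
    """True if ip falls inside the entry, compared bitwise the way IOS does it
    (so it also works for non-contiguous wildcards)."""
    addr, wildcard = entry
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ip) & care) == (_ip(addr) & care)

def uncovered(resolved, acl=ACL_DENY):
    """Resolved addresses that no deny entry matches; these fall through to the
    final 'permit ip 192.168.1.0 0.0.0.255 any' and get through the router."""
    return [ip for ip in resolved if not any(acl_matches(ip, e) for e in acl)]

if __name__ == "__main__":
    # Constructed sample answers from two different resolvers (not real lookups).
    resolver_a = ["173.252.88.66", "31.13.71.36"]
    resolver_b = ["157.240.1.35"]
    for name, answers in (("resolver A", resolver_a), ("resolver B", resolver_b)):
        print(name, "leaks:", uncovered(answers))
    # Shows that the first two ACL lines actually cover the same range.
    for e in ACL_DENY[:2]:
        print(e, "covers", entry_range(e))
```

Feed it the addresses a client actually gets back from the alternate resolver (e.g. from nslookup) to see which ones the ACL misses.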
05-11-2015 04:39 AM
You can use NBAR to block a website. See an example below.
It will, however, only work on HTTP sites and not HTTPS.
https://networklessons.com/quality-of-service/block-website-with-nbar-on-cisco-router/
05-11-2015 05:08 AM
I don't think that Facebook is reachable through HTTP.
05-11-2015 04:43 AM
I think it's possible with the 837: if you have advipservices you can drop the HTTP packets to Facebook using the NBAR option.
access-list 10 permit 192.168.1.0 0.0.0.255
!
class-map BlockSites
match protocol http url "*facebook*"
match access-group 10
!
policy-map BlockSites
class BlockSites
drop
!
! The LAN clients' HTTP requests (source 192.168.1.0/24, matched by
! access-list 10) enter e0 inbound, so the policy must be applied in the
! input direction on e0; applied as "output" it would never match them.
interface e0
service-policy input BlockSites
Otherwise the alternative would be as Karsten mentioned, which is a perfectly simple solution: put DNS locally so you have control over name resolution, and can subsequently black-hole packets.
Bilal