Use a website or app blocker to restrict adult content and targeted social media platforms.
It's possible using a firewall with content filtering, such as Sophos XG. https://www.sophos.com/en-us/free-tools/...me-edition There are also complimentary options like OpenDNS (part of Cisco) that can restrict adult material. DNS-level blocking is straightforward to bypass on the client side, as simply directing your main DNS to 8.8.8.8 works well. https://www.opendns.com/setupguide/#familyshield
Blocking content depends on it being plain text, not encrypted. Avoid splitting HTTPS, as it’s a major security risk. You’ll need to manage client certificates yourself, which can be bypassed via a VPN—unless the VPN is restricted.
@Elarion I use AdGuard (Home/DNS) at my home and at family's home. While I don't currently have family members that even know that the service is running to want to circumvent, I'm sure they could if they really wanted to... And I'd be very impressed! AdGuard is similar to PiHole in terms of function, but the reasons I chose to run AdGuard were its ease of blocklist integration and one-click social media blocking. I don't think it's perfect, but it seems to work in the majority of cases and allows me to add my own black/whitelist. Home is free and you install it on a local appliance or in the cloud, then redirect all DNS requests through its IP address. DNS is hosted by AdGuard and has the same features except that you'll need to frequently update the linked IP address or implement DDNS. There's a free trial if you want to test it out.
You can tweak the firewall to only stop DNS requests to specific locations. At least until you switch to DNS over TLS. However, the client would still need to check those domains, which might be possible.
It's feasible to achieve what OP outlines. The challenge lies in the fact that consumer devices don't support this level of inspection. Firewalls can analyze HTTP traffic, check headers for domains, and block accordingly—effectively handling Cloudflare and IP-based restrictions. However, this capability isn't present on typical routers like Asus. While there are methods to replicate this behavior, they tend to be complex and costly for average users. Encrypted traffic also works because domain names appear in unencrypted parts of HTTPS handshakes (like certificates, client hello, and SNI). For TLS 1.3, you can secure the SNI or encrypt the Client Hello message, though these aren't widely standardized yet. In the future, blocking such connections outright might be a viable option if desired.
Consented to the initial aspect. Inspecting the SNI header is feasible. Content blocking refers to restricting access based on the website's material, not merely its IP or URL. The filter needs the capability to read the content.
Are you shielding yourself for personal reasons or to prevent children from accessing it? If the latter, the tech-savvy ones will figure a way and then pass it on to non-tech kids. As someone who’s tech-oriented, I discovered ten methods to bypass the firewall and get Minecraft on school computers. The only real solution is to use a whitelist instead of a blacklist. However, if your mental well-being matters, you can block files in your host file whenever you encounter an NSFW site—self-control comes with effort.
Absolutely, you're correct. Blocking based on page content isn't feasible when the page is encrypted, or if you're performing MITM attacks. However, it's still possible to fulfill the request by targeting specific websites and categories, even with encrypted traffic—unless the TLS 1.3 features are involved. The simplest approach for the OP would likely be handling it on the client side.
AdGuard offers flexibility beyond basic settings, allowing you to tailor its behavior to your needs. It isn't limited to a static list of sites.