2

I am trying to figure out whether or not it's possible to make sure that if a user uses a browser and types in a domain name that ends in either "se" or "ru", they will be denied access to that site.

PS: this is a school assignment, and my teacher demands that I make use of TCP Wrapper, so downloading some module that will do the trick is out of the question, unfortunately.

sourcejedi
  • 48,311
  • 17
  • 143
  • 296
Brad Bit
  • 23
  • 3
  • 2
    It would be much easier/quicker (but not the point of the assignment, maybe) to set up a local DNS server and spoof being authoritative on your LAN for the TLDs you want to block access to. This is what I do at home; it is great being able to spoof Facebook with a message to my kids about "go do your homework instead". – ivanivan May 01 '19 at 17:09
  • I love that idea lol – Brad Bit May 01 '19 at 17:47
  • @ivanivan dnsmasq would be easier for a single computer. Saying that I also use a local BIND server to curb on advertisement/malware domains. – Rui F Ribeiro May 02 '19 at 07:35
  • If people are interested in DNS-based censorship, I recommend writing a dedicated question, where it would be easier to raise [any limitations or caveats](https://www.google.co.uk/search?q=dns+over+https) :-). – sourcejedi May 02 '19 at 13:32

2 Answers

7

No, it is not possible. (It might be a trick question :-).

TCP Wrapper (tcp_wrappers_7.6.tar.gz)

Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests.

To fetch a website, a web browser makes an outgoing request. (And web browsers do not abuse libwrap for a purpose it is not intended for.)

sourcejedi
  • 48,311
  • 17
  • 143
  • 296
  • By "no / trick question", do you mean that it's impossible to make the restrictions I want with TCP Wrappers? If so, I thought it might be the case, since my teacher has made mistakes in past assignments that he has corrected later on. – Brad Bit May 01 '19 at 17:34
  • Thanks a ton. He mentioned iptables earlier (which I think also might be a bit outdated, but it should do the trick), so I think that's what he wants me to use :) – Brad Bit May 02 '19 at 13:19
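To make the answer's point concrete, here is an added example (not code from the answer, from tcp_wrappers or from any browser): a simplified Python model of the decision libwrap makes, following the order documented in hosts_access(5). The two rule files are constructed samples, and only a subset of the pattern syntax is modelled (ALL, exact names or addresses, ".domain" suffixes and "net." prefixes; no EXCEPT lists, shell commands or spawn/twist options). The point to notice is the function signature: the inputs are a local service name and the identity of the remote peer that connected to it. The closest thing TCP Wrappers can do with ".se" and ".ru" is deny inbound clients whose reverse-DNS name ends in those suffixes; there is no input at all for the destination a local browser is trying to reach.

```python
"""Added example: a simplified model of the decision libwrap (TCP Wrappers)
makes for an *inbound* connection, following hosts_access(5):

  1. access is granted if (daemon, client) matches a rule in hosts.allow;
  2. otherwise access is denied if it matches a rule in hosts.deny;
  3. otherwise access is granted.

Only the pattern subset needed here is implemented (ALL, exact names or
addresses, '.domain' suffixes, 'net.' prefixes); EXCEPT lists, shell
commands and the spawn/twist options are left out.  The two rule files
below are constructed samples, not real system files.
"""

HOSTS_ALLOW = """\
# constructed sample /etc/hosts.allow
sshd : 192.168.1. , .example.org
"""

HOSTS_DENY = """\
# constructed sample /etc/hosts.deny
# deny inbound clients whose (reverse-DNS) name ends in .se or .ru
sshd : .se , .ru
ALL : ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):     # '.ru' matches any host name ending in .ru
        return host.endswith(pattern.lower())
    if pattern.endswith("."):       # '192.168.1.' matches addresses with that prefix
        return addr.startswith(pattern)
    return pattern.lower() == host or pattern == addr


def rule_matches(rule, daemon, host, addr):
    """A rule matches when both its daemon list and its client list match."""
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, host, addr) for c in clients))


def hosts_access(daemon, client_host, client_addr,
                 allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if libwrap would let client_host/client_addr reach the local
    service `daemon`.  Note the inputs: a local service name and the
    identity of the *remote peer that connected to us*.  There is no field
    for the destination a local browser is trying to reach, which is why
    this mechanism cannot block outgoing requests to .se or .ru sites."""
    host = client_host.lower()      # libwrap compares host names case-insensitively
    if any(rule_matches(r, daemon, host, client_addr)
           for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, host, client_addr)
           for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    checks = [
        ("sshd", "pc1.example.org", "203.0.113.9"),    # allowed by hosts.allow
        ("sshd", "pc2", "192.168.1.20"),               # allowed by address prefix
        ("sshd", "mail.example.se", "203.0.113.5"),    # denied: name ends in .se
        ("sshd", "box.example.ru", "198.51.100.7"),    # denied: name ends in .ru
        ("ftpd", "pc1.example.org", "203.0.113.9"),    # denied by the ALL : ALL fallback
    ]
    for daemon, host, addr in checks:
        verdict = "allow" if hosts_access(daemon, host, addr) else "deny"
        print(f"{daemon:5} <- {host:18} {addr:14} {verdict}")
```

Real libwrap also verifies that the reverse-DNS name resolves back to the peer address before trusting a ".domain" match, so a client with no or mismatched reverse DNS would not be matched by ".se" or ".ru" at all; a practitioner relying on suffix rules should keep an address-based fallback such as the ALL : ALL line above.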
1

TCP Wrappers have been falling out of fashion. Web servers (Apache and others) might need to be compiled with support for TCP Wrappers. Apache and Nginx have their own methods and modules, which are normally used instead.

The web server Nginx also does not support TCP Wrappers, but there is a module to support them at this address: https://github.com/sjinks/ngx_tcpwrappers. This also requires compilation from source and has severe limitations.

It should be noted that TCP Wrappers have several peculiarities you should know about:

  • The most disappointing thing is that libwrap (the library implementing TCP Wrappers functionality) is not a thread-safe library. In other words, if two threads try to simultaneously use libwrap, the results could be weird. This is because libwrap uses non-reentrant functions like strtok(), gethostbyname(), gethostbyaddr() etc. If nginx is built with threading support (does it work yet?), use of libwrap can lead to performance penalties (because access to libwrap functions will have to be serialized). If nginx is configured without threading support (this is the default for Linux), everything is OK.
  • Dynamic ACL configuration comes at a price: libwrap will read and parse /etc/hosts.allow and /etc/hosts.deny on every request; this may be an issue for high-load projects.

So in the end, using TCP Wrappers is not feasible.

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227