Blocking Youtube for the Kids on ALL devices, as well as other undesirable content…
Yep, I’m one of those parents, but it’s not entirely a complete ban with the right networking gear.
This isn’t as easy as blocking the ‘youtube.com’ DNS entry at the network level, because there are several various DNS entries used with the various Youtube apps on other devices. I’ve found lists on the internet but always one device seems to slip through; combining what works from various sources and investigation, I have compiled a DNS list that should work for everything below.
This DNS list is verified to work with the Xbox, Amazon Kindle Fire, Fire TV, and other Android powered devices, and of all these iThings, iPads, iPhones, whatever etc. etc. (not that we have iDevices in our house, but guests have had them…) The kids’ various Nintendo things (if they have the capability) don’t work either, but I haven’t verified if this works for Playstation because the kids ignore that anyway, that’s just my Street Fighter box…
For this article, I’m going to assume you have or can use OpenDNS (or some similar service) and that if you aren’t using it, you can create an account and will know how to set that up with your IP, navigate the site and settings, etc. as well as set this up as your the router’s DNS. In your OpenDNS Dashboard, head to your network and then “Web Content Filtering” settings. First, you might want to check off some things by selecting “Custom” in the bullet point list such as “Video Sharing” but that won’t do the trick until we add some individual domains below.
Domains required to block Youtube and Youtube apps
At the bottom under “Manage Individual Domains” add the following domains with “Always Block” as the selected option:
- youtubei.googleapis.com <- note the “i” on the end of “youtube”, that is not a typo.
- ytimg.l.google.com <- that’s an “L” before the “.google.com” part. just copy/paste, you’ll be fine.
How I still watch Youtube
But wait, don’t I watch Youtube? Of course, and not just on my PC but also the Fire TV in the living room and bedroom. In the living room we can also let the kids watch with our supervision.
I have Ubiquiti gear for my gateway, router, and access points, so I have some flexibility in setup, however many consumer wireless routers will offer similar features these days even without custom firmware. While I can’t tell you how to do it, I can tell you what to do.
I simply use two different SSIDs, one on a VLAN that is strictly the kid’s network, and this uses the OpenDNS rig as described above. The adult SSID and LAN connections have no such restrictions because that network is NOT configured to use OpenDNS.
When the kids get smart, you get smarter…
But wait, are your kids old enough and/or smart enough to setup static DNS on their laptops or other devices? If so, then you need to be smart enough (and with the right gateway/router) to force/reroute all TCP traffic on port 53 through OpenDNS servers.
This works because no matter what DNS your kids try to manually configure (e.g. Google’s IP, CloudFlare, your ISP’s even, etc. etc.) the DNS traffic always goes out on port 53, therefore forcing all traffic on that port to the OpenDNS servers solves this issue.
This can be done with the Ubiquiti gear that I currently use (USG) and the firewall/routing rules, though I have to do it via config scripts not through the user interface. It can also be configured for either each individual VLAN or all traffic period, but I’ll be honest, while I have got the config scripts to work for all traffic on port 53, I have so far failed isolating that to each individual VLAN. As a result I haven’t implemented this yet, since I don’t want my own gear going through OpenDNS (but luckily my kids aren’t to the point yet that I need to figure out isolating that rule to a specific VLAN!)
Now if they start up with VPNs and their devices (somehow) then you can worry about blocking them also, but yeah, right…
Blocking OpenDNS categories
In OpenDNS I checked off a bunch of other items under the custom settings, such as “Pornography” of course and more, and for some reason I ended up having to whitelist aka “Never Block” under “Manage Individual Domains” several domains for the full functionality of the Xbox, and while I didn’t troubleshoot to determine the blocks, these were “live.com” “xbox.com” and “xboxlive.com” …additionally the kids ended up needing “pokemon.com” but that’s another thing…
Just in case you check off too many categories while you were setting up OpenDNS, you may need to determine what is being blocked by which category. If you know the domain that isn’t working for you, try this search to see what turns up in OpenDNS Domain Tagging: (replace “thedomain.com” with the domain in question)
Also via instructions on a link that seems to have disappeared completely from support.umbrella.com (Cisco’s site for Umbrella, the rebranded OpenDNS service after Cisco purchased them), a blocked domain should return a category name when you use this at a command prompt: (replace “thedomain.com” with the domain in question)
nslookup -type=TXT thedomain.com.cat.opendns.com 220.127.116.11
Hope that helps in your troubleshooting…