First, you need to force all DNS requests (port 53 UDP and TCP) through your own resolve (for example, a DNS server that makes recursive queries), because nothing prevents the user from configuring a different DNS on the machine itself. Directing all requests to your server, you will have a greater facility to block. For this, the iptables
solves well (redirecting everything port 53, regardless of name or IP).
Ex: the user places the 208.67.222.222 (Opendns) server as DNS on the client machine, but its routes redirect any access to port 53 to its own server, not allowing the request to leave the internal network. As soon as any user types www.facebook.com, your server will be consulted (remembering that you have m.facebook.com, and a number of other things that can be filtered).
After that, you need to configure your own DNS server, as in the example given by bfavaretto, or customizing the DNS configuration installed on the server according to the documentation.
Even so, someone could run a local DNS server, which would make an external request on a port other than 53, escaping the lock (rarely happens, but it’s good that you know the risk). Or simply by the desired Ips in the file hosts
of the machine itself.
If it is for use in companies, often the solution is to put in the contract of the employees the prohibition, and a clause giving knowledge that there is remote monitoring of the screens, and the first one to "slip", a written warning. Thus you will avoid a lot of "infiltratable" problems more effectively, including personal misuse of machines, and avoiding a claim of invasion of privacy on the part of the employee (provided he has full knowledge of the monitoring).
Include the following in the archive
/etc/hosts
:facebook.com 127.0.0.1
– bfavaretto