pfSense - DNS - Block YouTube

See Configure Access

Navigate to Services → DNS Resolver.

In Custom Options:

# Give pfSense a server: tag so it puts the directives in the correct place.
server:

    # Define a new tag.
    define-tag: "notube"                         

    # Create an access-control entry.
    access-control: 10.1.1.6/32 allow

    # Tag the client netblock.
    # Repeat this line to assign more addresses or IP ranges to the tag.
    access-control-tag: 10.1.1.6/32 "notube"

    # www.youtube.com is the only way to access the YouTube site.
    # All other language domains redirect to www.youtube.com.
    # You can verify this from the allowed domains in the SSL wildcard cert (Certificate Subject Alt Name).

    # Variants like -nocookie, edu and yt.be don't serve content.
    # The CNAME records for local caches and redirects don't serve content.
    # The site uses HSTS (strict), so it won't serve on incorrect redirects.
    # Plain http redirects everything to https.
    # Going to any of the myriad IP addresses redirects to the Google search page.
    # So with local DNS control, you have tight control of access to YouTube.
    # This of course doesn't exclude proxies and tunnels, but these require more effort and privileges on clients.

    # Create the local-zone as typetransparent so non-blocked users get normal service
    # and all record types (A, AAAA, CNAME) are allowed.
    local-zone: www.youtube.com typetransparent

    # Tag the domain.
    local-zone-tag: www.youtube.com notube

    # Ensure local data is served first.
    access-control-tag-action: 10.1.1.6/32 "notube" redirect

    # Send users to your polite internal block page.
    access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"

NOTE:

  • The access-control-tag element specifies which tag applies to a client address or netblock.
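
To check which clients the tag rules above actually affect before pasting them into Custom Options, this added example (not part of the original page or of Unbound itself) parses the directives and applies a simplified model of Unbound's tag matching: most specific netblock, first shared tag in define-tag order, redirect action only. The names `parse` and `answer_for` are hypothetical.

```python
import ipaddress
import shlex

# Sample input: the tag directives from this page, comments removed.
SAMPLE = '''
server:
    define-tag: "notube"
    access-control: 10.1.1.6/32 allow
    access-control-tag: 10.1.1.6/32 "notube"
    local-zone: www.youtube.com typetransparent
    local-zone-tag: www.youtube.com notube
    access-control-tag-action: 10.1.1.6/32 "notube" redirect
    access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"
'''

def parse(text):
    """Collect the tag-related directives into lookup tables."""
    conf = {"defined": [], "client": {}, "zone": {}, "action": {}, "data": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, rest = line.partition(":")
        args = shlex.split(rest)  # honours the quoted tag lists and record data
        if key == "define-tag":
            conf["defined"] += args[0].split()
        elif key == "access-control-tag":
            conf["client"][ipaddress.ip_network(args[0])] = args[1].split()
        elif key == "local-zone-tag":
            conf["zone"][args[0].rstrip(".").lower()] = args[1].split()
        elif key == "access-control-tag-action":
            conf["action"][(ipaddress.ip_network(args[0]), args[1])] = args[2]
        elif key == "access-control-tag-data":
            conf["data"][(ipaddress.ip_network(args[0]), args[1])] = args[2]
    return conf

def answer_for(conf, client_ip, qname):
    """Return the override record for this client, or None for normal resolution."""
    ip = ipaddress.ip_address(client_ip)
    nets = [n for n in conf["client"] if ip in n]
    name = qname.rstrip(".").lower()
    zones = [z for z in conf["zone"] if name == z or name.endswith("." + z)]
    if not nets or not zones:
        return None
    net = max(nets, key=lambda n: n.prefixlen)   # most specific netblock wins
    zone = max(zones, key=len)                   # most specific tagged zone wins
    for tag in conf["defined"]:                  # first shared tag, in define-tag order
        if tag in conf["client"][net] and tag in conf["zone"][zone]:
            if conf["action"].get((net, tag)) == "redirect":
                return conf["data"].get((net, tag))
            return None
    return None
```

Only the tagged client 10.1.1.6 receives the block-page record; every other client, and every other name, falls through to normal resolution.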

References

https://forum.netgate.com/topic/116690/solved-dns-different-results-for-different-clients

https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/