73

Block by Country (GeoIP)

REQUEST: Please provide the ability to Block by Country, using the GeoIP details of the resulting IP.

Since the destination_country is listed in the 'Download logs', it should be possible to block the resolved Country. Blocking by Country will further improve security by blocking access to IP's in countries that may be hosting malicious / threat-based content, etc. or simply countries we do not want to visit.

timestamp,domain,query_type,dnssec,protocol,client_ip,status,reasons,destination_country,root_domain,device_id,device_name,device_model,device_local_ip,matched_name,client_name

 

NOTE: For those also interested in this, please understand that this can be a challenge to provide reliably, but it's still worth asking for even if they are unable to provide it immediately. GeoIP accuracy is not 100% accurate and as a result can cause trouble when trying to access a known good site when the resulting GeoIP detail comes back to an invalid Country. Further... it takes time for the related GeoIP details to be corrected.

Example: yesterday you were able to reach www[.]outlook[.]com which the IP's resolved to the US, but today it is blocked as the IP's now resolve to NL or some other Country which may be in your blocked Country list. 

The temporary workaround would be to add the related Domain to the Allowlist to bypass the related Country block. 

7 replies

null
    • cbuijs
    • 3 yrs ago
    • Reported - view

    Beside country, "Region" or "Area" would be nice as well. For example "Asia" or "Antarctica". Or "Eastern Europe". Most GEO databases (GeoNames for example) have these indicators (up to city level as well).

      • TechStud
      • 3 yrs ago
      • Reported - view

      Chris Buijs Blocking by continent might be too large. But I could envision that the countries are grouped under a Continent header. It would help further in understanding which continent the related country belongs to.  

    • cbuijs
    • 3 yrs ago
    • Reported - view

    Perhaps a "grouping" feature would help, not only for GEO but where you can create a blocking-group that can have "countries" and "block-list" entries, so you can pick your own.

    Or link the IP-Address of a country to its ccTLD and block/deny it with the existing TLD Blocking feature.

    The deny/allowlist functions should allow this as well.

    • Don_Clark
    • 2 yrs ago
    • Reported - view

    Is there an update on this? Reliability can improve over time. Is some protection better than none in this situation?
    My thoughts around this are... I do not want access to/from North Korea, Turkey, China, etc - to/from my network. Or is this overkill? Should we continue to nitpick specific websites?
    I would think individual websites may want this as well?
    What are the communities thoughts on this?
    https://www.reddit.com/r/selfhosted/comments/qes218/ive_set_up_geoip_block_on_my_website_and_it_works/
    https://virtualize.link/secure/
    https://www.cron.dk/firewalling-by-country-on-edgerouter/
    https://www.startpage.com/do/dsearch?query=reddit+block+by+geoip&cat=web&pl=ext-ff&language=english&extVersion=1.3.0

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago
      • Reported - view

      Don Clark you can’t archive that with DNS. 

      • laurens_crince
      • 2 yrs ago
      • Reported - view

      DynamicNotSlow  I am kind of new to DNS, are you saying it is not possible to block by country/ region? 

      Edit: I read OP's NOTE and that answered my question.

    • Coral_River
    • 2 yrs ago
    • Reported - view

    FlashStart DNS provides geoblocking. Maybe NextDNS can copy some solutions from them:
    https://flashstart.com/geoblocking/
    "The technique of FlashStart’s Geoblocking allows you to inhibit access to websites that are physically hosted on Servers located in countries deemed at high risk of malware and compromising."

Content aside

  • 73 Likes
  • 2 yrs agoLast active
  • 7Replies
  • 1509Views
  • 6 Following