Skip to main content

User Manual

How to block access to a specific site

Method 1

The easiest way is to use the SafeDNS Internet filter with a free trial period. With this service, you can block access to illegal or unwanted resources, filter the Internet across more than sixty categories of sites, maintain your own exclusion lists (up to 200 entries in size) and see your browsing statistics. The SafeDNS filter can be used to block access to all devices on a home network as well as specific ones.

Here's an example of how to block To do this, we'll blacklist, and the service will automatically suggest adding additional domains that are recommended to accept for complex blocking.


Then, in the router's web interface, turn on the SafeDNS filter on the 'Internet safety' page and set the 'Default' profile for the specific device. Depending on the task, the SafeDNS filter can also be applied to all registered and unregistered devices.


After setting this, we recommend that you restart your router and then check access to the blocked site.

In some cases, you can block access not only to a single site but to an entire category. For example, to block Skype and other messengers, block the Chats & Messengers category.


You can find more information on

Method 2

Blocking on the router. This method has a peculiarity — it will allow you to block access of all hosts in the local network to the specified site. It can not be used for a particular host.

The configuration is performed from the command-line interface (CLI) of your Keenetic router.

To block the site, we will use the ip host command:

(config)> ip host
  Usage template:
             host {domain} {address}

For example, if you want to block access to, run commands:

(config)> ip host
Dns::Manager: Added static record for "", address

(config)> ip host
Dns::Manager: Added static record for "", address

(config)> system configuration save

The IP address must be any non-existent (free, unused) IP address in the range of private addresses. This can be an IP address from a different subnet than the router's network.

In our example, when you access, a non-existent address of will be returned to the host, and the page will not open. In Keenetic routers, you can add up to 64 static bindings of IP addresses to the domain name using the command ip host.

To remove the binding, use the same command but add the prefix no at the beginning. For example:

(config)> no ip host
Dns::Manager: Added static record for "", address

(config)> system configuration save


Created by the ip host command static IP to domain binding records on the router have higher priority over Internet filters.

Method 3

Blocking the site via Keenetic firewall rules.

The article 'Firewall' gives a detailed description of how to use the Firewall in Keenetic routers.

Various examples of how to use firewall rules can be found in the article 'Firewall rule examples'.

For instance, let's block access to the site for all LAN devices using firewall rules.


Domain names cannot be used in the Keenetic firewall settings (you cannot specify a domain or site character name), but only IP addresses. Therefore, you need to determine the IP address(es) of the website you want to block before configuring the rules. A website may have multiple IP addresses, in which case you must block access to all IP addresses. Websites can also operate not only with HTTP but also with HTTPS. We recommend blocking traffic to the site using both protocols.

The first way to know the IP address of the site is to use a special command in the command line of the operating system:

nslookup <website_name>

In our example, we will run the command nslookup


The result of the above command will show the IP addresses where the website is located.

The second way to find out the site's IP address is to use one of the special online services (for example, In a special line, you will need to specify the site's name you are interested in and press the 'Check' button. After that, you will see all the IP addresses where the site works. For example:


Now that you know the IP addresses of the website, you can start creating firewall rules.

In this example, the site uses 4 IP addresses, so let's create 8 rules for the 'Home segment' LAN interface to block traffic by protocols: 4 for HTTP and 4 for HTTPS.

Create a 'Deny' rule where we specify the destination IP address (the site's IP address to be denied access to) and the protocol type (HTTP and HTTPS). We are blocking access to the site for all devices on the local network, but if you need to deny access only to a particular host, specify its IP address in the 'Source IP' field when creating the rule.


After creating the rules, test access to the site.

This method is not always convenient. For example, to block Skype at the network level, you need to know all the IP addresses it uses. Finding them all and keeping your list up to date is a challenge. Many websites also use several different addresses to download their data to increase productivity.


If you've been to sites you've changed settings for before, then DNS server responses are likely to be in the browser cache, the DNS client on the local computer, or the DNS caching on the router.

For the quickest applying of changes in settings, you may need to restart the browser. In most cases, this is enough.

If there are no changes after restarting the browser, run the ipconfig /flushdns command on the local computer, which will clear the Windows DNS client cache.

In even rarer cases, you may need to clear the DNS cache on the router (just restart the router).