
Blocklist of all Facebook domains - temp
https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all
======
marios
Not the way I'd do it, since you can easily miss some new domain that
belongs to Facebook (or perhaps some server that does not look like it belongs
to Facebook in the first place, but is sitting in their assigned subnets).

If you really want to block all traffic from/to Facebook, look up the IP
prefixes associated with their AS number (AS32934), and set up your firewall to
block those. If you are using PF, tables are your friend. With netfilter,
consider using ipset.

~~~
droopyEyelids
Facebook only has one AS?

~~~
dredmorbius
That's fairly typical.

An AS (identified by an ASN) is an _autonomous system_. It's comprised of
multiple _CIDR blocks_, contiguous regions of IP addresses. The _network
definition_ (by CIDR block) is fairly dynamic, as blocks can be added,
deleted, or consolidated.

An autonomous system is _a single administrative domain_ over public IP space.
Essentially, autonomous systems _are what the Internet is inter-networking
between_, through BGP (border gateway protocol). BGP and AS are what Cisco
(and other router) gear are ultimately all about.

So yes: organisations typically have one AS. Exceptions are typically the
result of corporate mergers (not uncommon) or government space (where the
domains are large).

(Disclaimer: I'm not a networking bithead, don't muck with routers much, and
have a rough knowledge of much of this, though it should be vaguely accurate.)

~~~
mioelnir
And if you end up with more than one AS due to a merge, you usually pick one
of them as your primary and connect the other ones to it, then announce their
prefixes from your primary, i.e. your primary AS becomes transit for your other
ones. That way you only have to maintain one external border.

------
kazinator
It's inefficient to specify a large number of hosts in the facebook.com domain
instead of blocking the whole domain.

For this, you can run dnsmasq and use the "--address" option or "address"
command in dnsmasq.conf:

      $ man dnsmasq
      [...]
           -A, --address=/<domain>/[domain/]<ipaddr>
                  Specify an IP address to  return  for  any  host  in  the  given
                  domains.   Queries in the domains are never forwarded and always
                  replied to with the specified IP address which may  be  IPv4  or
                  IPv6.  To  give  both  IPv4 and IPv6 addresses for a domain, use
                  repeated -A flags.  Note that /etc/hosts and DHCP  leases  over‐
                  ride this for individual names. A common use of this is to redi‐
                  rect the entire doubleclick.net domain to  some  friendly  local
                  web  server  to avoid banner ads. The domain specification works
                  in the same was as for --server, with  the  additional  facility
                  that  /#/  matches  any  domain.  Thus --address=/#/1.2.3.4 will
                  always return 1.2.3.4 for any query not answered from /etc/hosts
                  or  DHCP  and  not sent to an upstream nameserver by a more spe‐
                  cific --server directive.

~~~
yrro
Is there the concept of an 'administratively prohibited' error in the DNS? So
your resolver could return an error with that code rather than an incorrect
result.

~~~
Borating
NXDOMAIN [1]?

Dnsmasq can return NXDOMAIN responses:

    echo 'server=/.example.tld/' >> /etc/dnsmasq.conf

Check dnsgate [2] or FreeContributor [3].

[1] [https://www.dnsknowledge.com/whatis/nxdomain-non-existent-domain-2/](https://www.dnsknowledge.com/whatis/nxdomain-non-existent-domain-2/)

[2] [https://github.com/jakeogh/dnsgate](https://github.com/jakeogh/dnsgate)

[3] [https://github.com/tbds/FreeContributor](https://github.com/tbds/FreeContributor)

------
mp3geek
Alternatively you can use Adblock to block it.

[https://secure.fanboy.co.nz/fanboy-antifacebook.txt](https://secure.fanboy.co.nz/fanboy-antifacebook.txt)

Disclaimer: list author.

~~~
avree
Your list blocks fewer things, though.

~~~
mp3geek
When a site adds Facebook it's using connect.facebook.*; the main bulk of the
list is just whitelists for Facebook users (first-party). The hosts file will
break all of Facebook even if you visit it directly. The better option is to
just block Facebook outside of Facebook.

~~~
jjuhl
No. The better option is to just block facebook _everywhere_, including
direct access.

Just my humble opinion.

------
avree
If you're blocking Instagram, shouldn't you be blocking the Oculus Rift site
(and any subdomains) too?

~~~
arcticfox
Not really. Instagram is a social network; Oculus is a device?

It depends on the purpose of the list, of course, but for me they're very
different.

~~~
entheon
Knowing corporate org charts for what they tend to be, reporting and analytics
initiatives, and any server statistics therein, are considered revenue
generating information (leads), and thus subject to agreements for the
exchange of mutually beneficial data sets.

Across my various jobs, I've had to write reports for departments, and open up
permissions to internal people, to give read access for things they'd have no
natural reason to care about.

If data is being collected at all, weird people will be looking at it. If not
today, maybe tomorrow. But, no matter when, it's there for the looking
whenever some internal lookie-loo decides it might be interesting.

------
zhong
No need to do this; come to China, everything is prepared for you like this.

~~~
personjerry
Well technically speaking, because of the way the Great Firewall works, you
might still be able to get some packets if the server is fast enough.

------
punnerud
This does just the same:

    *.facebook.com
    *.facebook.com
    *.fbcdn.com
    *.fbcdn.net
    *.facebook.com.edgekey.net
    *.facebook.com.edgesuite.net
    *.instagram.com
    *.instagramstatic-a.akamaihd.net
    *.instagramstatic-a.akamaihd.net.edgesuite.net
    *.cdninstagram.com
    *.tfbnw.net
    *.whatsapp.com
    *.fbsbx.com
    facebook-web-clients.appspot.com
    *.fb.me
    fbcdn-profile-a.akamaihd.net
    h-ct-m-fbx.fbsbx.com.online-metrix.net
    ac-h-ct-m-fbx.fbsbx.com.online-metrix.net

~~~
lsaferite
You can't do wildcards in a hosts file.

~~~
dredmorbius
You can with dnsmasq.

[http://www.thekelleys.org.uk/dnsmasq/doc.html](http://www.thekelleys.org.uk/dnsmasq/doc.html)

------
chriswarbo
I've been blocking facebook for years (nowhere near as comprehensive as this
list though).

Many of the most unfortunate problems with these sites are social in nature
rather than technical. For example, no matter how much I plead with people not
to, they keep uploading information about me to these types of sites, including
photographs with timestamps and GPS location metadata, in which they then "tag"
my face as being me.

I don't have any idea how much of this information is even out there, since
these sites require signing up in order to find out. Maybe I should look into
my rights under data protection legislation...

~~~
ew
Who are you that you are so worried about this?

~~~
chriswarbo
This question sounds a little too close to "nothing to hide, nothing to fear"
to me, but in any case I think it's Facebook, attempting to build dossiers on
billions of people for profit, who need to justify themselves; not me for
wanting to remain undocumented.

As far as concrete reasons go, I've had to deal with far too much fallout from
being incorrectly flagged by braindead processes trawling private databases
which I didn't even know I was in. Since lots of these databases share
information, but not necessarily updated corrections, I still run into the
same mis-flagging every few years, across utilities, courts, credit agencies,
banks, letting agents, etc.

As far as Facebook goes, being a citizen of the CCTV-riddled UK makes me
acutely aware of the power, and potential abuse, that facial recognition
technology can bring; having images of my face tagged and fed into a database
does not sit well with me.

Since I don't use Facebook, I don't even get the meagre upside of whatever
services they build on top of this database (some kind of gallery, I presume).

------
maaaats
Would wildcard support in hosts files be too heavy for the performance needed?
Most of these are subdomains that *.facebook.com would have blocked.

~~~
Namidairo
My first impression when I saw it was something along the lines of "this would
be so much cleaner if one were writing this as a dnsmasq config".

~~~
Borating
I agree. From this project I discovered FreeContributor [1], which uses dnsmasq
as a DNSBL.

[1]
[https://github.com/tbds/FreeContributor](https://github.com/tbds/FreeContributor)

~~~
djKianoosh
Is it possible to apply this at the network level? I want to update my home
router easily so that all devices in my home can benefit, not just my own
laptop (since most of these lists are just updating /etc/hosts).

~~~
Borating
> Is it possible to apply this at the network level?

Yes. Please check the pi-hole project [1] or flash your router with
open-wrt/dd-wrt and run dnsmasq with the FreeContributor lists.

[1] [https://pi-hole.net/](https://pi-hole.net/)

~~~
djKianoosh
sweeeet thanks.

do people usually do this directly on their FIOS router or is it easier to get
a separate wifi router?

~~~
djKianoosh
Oh, you configure the FiOS router to use that as your DNS:

[https://pi-hole.net/faq/can-i-set-the-pi-hole-to-be-the-dns-server-at-my-router-so-i-dont-have-to-change-settings-for-my-devices/](https://pi-hole.net/faq/can-i-set-the-pi-hole-to-be-the-dns-server-at-my-router-so-i-dont-have-to-change-settings-for-my-devices/)

good stuff

------
cm2187
I can understand the multiplication of sub domains, to be able to use multiple
connections. But what's the rationale for the multiplication of domain names?
Ad blocker avoidance?

~~~
robryk
Maybe separation of cookies?

------
mfo
I just want to say "Privacy matters, thank you" (even more now that FB decided to
leverage their like/share button for a global ad network) :-) Non-tech-savvy
guys may love a simple .sh / .bat to automatically add those entries to the
/etc/hosts on Windows & Unix.

~~~
rochacon

        curl https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all | sudo tee -a /etc/hosts

~~~
pixl97
Data straight from the net into a system file as root...

You are a bad, bad man Mr Rochacon.

------
justsaysmthng
I'm sorry, I've been away for a couple of hours... What happened?

Why should I (we) block all Facebook domains?

~~~
Thasc
This is probably a reaction to the news that Facebook is now officially
tracking non-users to create shadow profiles and serve adverts to them off
Facebook itself. I think it's the serve-adverts-off-Facebook-itself part
that's the actual news; all of the moderately chilling tracking and profile
construction was of course happening already.

[http://www.theverge.com/2016/5/27/11795248/facebook-ad-network-non-users-cookies-plug-ins](http://www.theverge.com/2016/5/27/11795248/facebook-ad-network-non-users-cookies-plug-ins)

~~~
r3bl
And yet, Google started going down a similar path in December 2009, when
they introduced personalized searches for non-logged-in users, and nobody tries
to block them.

~~~
barkbro
The problem with blocking all Google domains is the amount of sites it would
break. YouTube, Gmail, googleapis for JS libraries, Google's blog platform,
maps based on Google Maps and more would break.

~~~
renaudg
Technically true, but blocking all Facebook domains breaks comments on many
sites and the login feature on a few crucial ones too.

<sarcasm>It also 100% breaks your social life, but maybe there's little of
that left to disrupt anyway, amongst the typical target audience for these
lists :P</sarcasm>

~~~
ams6110
It's actually the other way around. Normal people have managed their social
lives without facebook for generations. It's only the recent crop or two who
seem unable to do it.

~~~
renaudg
No, "Normal people" who care about their social lives use whatever their
friends use to get together at the time. Nowadays this is social networking
sites, i.e. Facebook.

------
joeblau
Will there be a point where the government will step in or is all of this
tracking within fair use of non-logged in Facebook users visiting a website?

~~~
lake99
I doubt it. Judging by history, it's more likely they'll demand access to all
that data.

~~~
benevol
> they'll demand access to all that data

Snowden has made it clear that the government grants itself direct access,
whatever the legal situation really is.

It's also become clear that the government lets itself get away with it. And
that there is no resistance from the voters who voted the politicians in and
are paying not only for the politicians' salaries but also for their own total
surveillance.

------
TazeTSchnitzel
Should you not also include `::` IPv6 entries?

------
iam-TJ
With the help of a couple of prefix aggregation tools [1] [2], the Bash shell,
and the RIPE database, it is straightforward to block any Autonomous System
with, e.g.:

    $ ASN=32934; for IP in 4 6; do \
     whois -h riswhois.ripe.net \!${IP/4/g}as${ASN} |\
      sed -n '2 p' | tr \  \\n | aggregate${IP/4/} |\
       while read NET; do echo ip${IP/4/}tables -I OUTPUT -d ${NET} -j REJECT;\
     done; done

(note this command uses _echo_ to show the command it could execute)

[1] aggregate
[http://packages.ubuntu.com/source/xenial/aggregate](http://packages.ubuntu.com/source/xenial/aggregate)

[2] aggregate6
[https://github.com/job/aggregate6](https://github.com/job/aggregate6)

------
stardogg
I'm wondering ... what's the best approach to automatically collect all
domains of a company?

~~~
rolfn
There is no consistent way of defining the meaning of "all domains of a
company". Who pays for the registration? Which email is listed as technical
contact? Who has the authority to change DNS records? Which email is listed in
the DNS SOA record?

------
elcapitan
Oh wow, I didn't know there were that many; I had like 20 in my hosts file.
Thanks!

------
rotoole
Aside from being easier to automate, getting IPs via the ASN lookup is also
better for blocking HTTPS requests when you are MITM, since the HTTPS request
will only contain the IP and not the FQDN.

Also, many firewalls do a one-time DNS lookup of a given FQDN to resolve a
single IP address when an FQDN-based rule is created. This doesn't work well if
you have an FQDN that can resolve to many different IPs, which is typical for
cloud services.

~~~
toast0
TLS connections from browsers usually include the SNI extension that has the
destination host name in clear text. It requires a TLS-specific blocker,
rather than IP firewalling, but is probably more flexible. You could also just
block the names in DNS.

------
hallatore
Isn't Ghostery a better solution for something like this? If we are talking
about browsers that is.

~~~
curiousgal
This uses less system resources.

------
jpkeisala
Slightly off topic: It would be nice to have some kind of extension for Chrome
that blocks all time-wasting websites with one click. Has anyone seen
something like that?

~~~
apancik
I discovered that using
[https://chrome.google.com/webstore/detail/waitblock/kcnjfeppclpdinikcljfjigoongebpkh](https://chrome.google.com/webstore/detail/waitblock/kcnjfeppclpdinikcljfjigoongebpkh)
to add a delay before opening the time-wasting website actually works better
when trying to procrastinate less. Waiting 60 seconds before Fb loads gives
you enough time to think about whether you want to visit it, but is also not
so inconveniencing that it would make you disable it straight away when you
actually want to visit the site.

~~~
aninhumer
It's really interesting. It kind of turns your impulsiveness against itself,
so your monkey is saying "Ugh, waiting for Facebook is boring, let's do
something else."

------
flavmartins
Did you add the Facebook Tor Onion address?

facebookcorewwwi.onion

Might as well make it a complete block. Make sure those creative types don't
find that last alternate path to FB.

------
ew
This list is missing the very obvious messenger.com

------
midgetjones
It is faintly terrifying just how long the list is.

~~~
marios
Considering the infrastructure Facebook is running, it's really not IMHO.

------
petrikapu
Do you know how to apply this just for my user on OS X? My partner is a heavy FB
user and I don't want to block her...

~~~
cheiVia0
uBlock Origin can handle hosts files, so you can just add it on the bottom of
the Third Party Filters tab. It will auto-update it too.

[https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all](https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all)

~~~
gorhill
Though hosts files can be fed to uBlock Origin ("uBO"), it will enforce their
content differently.

With uBO, a "facebook.com" entry in a hosts file will also cause _all_
subdomains of "facebook.com" to also be blocked, so there is no need to list
all subdomains as is done here if the goal is to block "facebook.com" with
uBO.

If one wants to block Facebook via uBO, I personally advise doing it through
dynamic filtering [1]. This way one can always point-and-click to create
exceptions on a per-site basis.

[1] [https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-to-easily-reduce-privacy-exposure](https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-to-easily-reduce-privacy-exposure)

~~~
cheiVia0
Well, if my goal is to block all of Facebook's domains, I wouldn't complain if
uBO happens also to block new.sub.domain.fbcdn.net even if it's not in the
hosts file :)

Does uBO optimize these cases, though? E.g. if there's "apps.facebook.com",
"connect.facebook.net" and plain "facebook.com", does it collapse to just 1
filter (facebook.com)? I see it says "880 used out of 881" which is the number
of entries in the file.
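The wildcard point raised by maaaats and Namidairo earlier, kazinator's dnsmasq address= option, and cheiVia0's question about collapsing entries all come down to the same transform. As an added example (not code from the thread or the blocklist project), this Python turns a hosts-style list into the minimal set of dnsmasq address= lines by dropping every entry whose parent domain is already listed; SAMPLE_HOSTS is a constructed excerpt, and the output is assumed to be appended to dnsmasq.conf.

```python
from __future__ import annotations

import ipaddress

# Constructed excerpt in the format of the list under discussion
# (one "0.0.0.0 <name>" per line, '#' comments); not the real list.
SAMPLE_HOSTS = """\
# Facebook sinkhole entries (constructed sample)
127.0.0.1 localhost
0.0.0.0 facebook.com
0.0.0.0 apps.facebook.com
0.0.0.0 connect.facebook.net
0.0.0.0 fbcdn.net
0.0.0.0 new.sub.domain.fbcdn.net   # trailing comment
0.0.0.0 messenger.com messenger.com   # aliases on one line
::      whatsapp.com
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> set[str]:
    """Names from every line that starts with an IP address, skipping
    comments, blank lines and the usual localhost aliases."""
    names: set[str] = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts line
        names.update(n.lower().rstrip(".") for n in fields[1:])
    return names - LOCAL_NAMES


def collapse(names: set[str]) -> list[str]:
    """Drop each name that has an ancestor in the set (apps.facebook.com when
    facebook.com is present); dnsmasq's address= already covers the subtree.
    The bare TLD is never treated as an ancestor. Output is parents-first."""
    kept = []
    for name in sorted(names, key=lambda n: (n.count("."), n)):
        labels = name.split(".")
        ancestors = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(a in names for a in ancestors):
            kept.append(name)
    return kept


def to_dnsmasq(names: set[str], sink: str = "0.0.0.0") -> str:
    """One address=/domain/sink line per surviving domain; dnsmasq answers
    every query in that subtree with the sink and never forwards it."""
    return "".join(f"address=/{n}/{sink}\n" for n in collapse(names))


if __name__ == "__main__":
    print(to_dnsmasq(parse_hosts(SAMPLE_HOSTS)), end="")
```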

------
mickrussom
I'm going to start trying this out. Awesome. Also, as marios said, block
AS32934's networks.

------
curiousgal
Any idea of an easy/quick way to toggle these edits on/off on Ubuntu?

~~~
maxschumacher91
I've put them in my hosts file and created an alias that switches between
naming the hosts file "hosts" (which will be recognized by the OS) and "hostx".

From my .zshrc:

    # block Twitter, Facebook, reddit and LinkedIn
    alias on="sudo mv /etc/hostx /etc/hosts"
    alias off="sudo mv /etc/hosts /etc/hostx"

~~~
curiousgal
Awesome! Thanks.

------
curiousgal
> On Windows 7, the default AV security scan will try to remove the #
> facebook.com entry

Wat?

~~~
Namidairo
I'm guessing some sort of crude malware tried to MitM Facebook logins so they
started cleaning host files?

~~~
walterbell
Microsoft was an investor in Facebook
([http://whoownsfacebook.com](http://whoownsfacebook.com)), and they are planning
an undersea cable between the US and Europe that will only be used by the two
companies.

~~~
curiousgal
What for? I can see trading companies doing that, but why would
Microsoft/Facebook need that?

~~~
jamesdwilson
They are trading data.

------
hackney
So awesome. Facebook: Server not found

------
ausjke
IMHO the only way to block things efficiently is via a proxy these days;
IP/domain-based blocking is not reliable or efficient.

~~~
effie
What can you set up on proxy that you can't set up on your machine?

------
hellbanner
Thank you! Now I can censor, too

------
zxcvcxz
Honest question because I seriously don't know: Is facebook really worse than
google when it comes to privacy?

I kind of wonder who exactly are the people telling everyone to block facebook
everywhere while everyone seems to collectively ignore google.

Google and facebook seem to both purposely ignore the known implications of
their data collection programs. They likely have handed over data to the NSA,
and we know they sell the data.

~~~
superuser2
Not really. We know that they sell ads which can be targeted to users with
specific characteristics. If you have discovered actual user data for sale
from Google or Facebook, that's news.

------
meeper16
This is awesome. Facebook needs to go to the graveyard with Friendster,
MySpace and AOL.

------
supergirl
Dramatic and useless.

------
hartator
I would actually do it for Google. But we all know we have become too
dependent on them.

------
labithiotis
Who really cares?

~~~
meeper16
Facebook is a disease on the net, the next AOL.

