Blocking TikTok on Your Router: Effective Methods for Home Network & Mobile Apps Usage

Dear Colleagues and Colleagues
I'm fighting the topic of blocking TikTok at home, because there is nothing smart there, and children spend a lot of time on this application. There are a lot of guides on the net on how to block any application using OpenDNS. However, I am of the opinion that this method is not effective.
I have set up my own DNS server. I directed TikTok domains into nothingness and in fact TikTok does not work on computers.
But the mobile app still works. In the same way, I blocked the entire list of addresses that I found in guides, but the app still works. Yesterday I did an experiment and manually set the ip, mask, gateway and dns on the phone. While I set the first three parameters in accordance with the router, I entered the dns from scratch. The phone threw a message that there is no internet, but the App is still working, of course. So I don't limit it with DNS.
Does anyone have an idea how to do that?

Make a router on a computer with WFI.
Connect with mobile, turn off other net sources on mobile. Limit all movement from the computer.
Run the sniffer.

If you have it, you can try directly on the router from the command line, but it will be best to do it when you limit other traffic.
It may be that he has his "DNS" hard-coded, the point is rather to make it easier for them to manage traffic because their DNS will resolve the ip so that the request goes to, for example, where there are resources or to a place appropriate for the location (due to the "distance on the Web").

How will you know how the transmission is going and where you will know what and how to block within your capabilities.
And in order not to play with their own DNSs, some routers allow themselves to poison etc/hosts.

Tommy82 wrote:

It may be that he has his "DNS" hard-coded, the point is rather to make it easier for them to manage traffic because their DNS will solve the ip so that the request goes, for example, to where the resources are

This is not done on DNS, but on load balancers. An address is issued to the world that represents a pool of servers. By opening a connection to this pool, you are redirected to the server in the background.
Another thing is that even if you block it on the router, TikTok will work over LTE or when connected to any other WiFi network. The only way is to block the application on the smartphone (parental control).

So the sniffer will catch what these addresses are and then prohibit connection to them and it should do the trick. By the way, I'm not the first to block Tiktok. No such list available?

@speedy9
That's why I wrote "DNS"

I suggest you get a handle on piHole, it's a soft for linux (not only raspberry).
I block redundant things from the net for my children, I go to the website and look at the last activity in the panel (simple and free).
It often turns out that you have to block Akamai servers, a lot of services are sitting there.
In addition, you can choose to have piHole use child-safe DNS with forcing e.g. no comments on Youtube.

In addition, logging in using microsoft works perfectly, from the parent panel on MS you block applications on the PC, it probably also works on phones. And there is a google link, which also seems to allow a lot of control on androids.
Finally, I don't know if there is such an option, but you could force the phone to connect to the net via VPN (to the router at home) when the wifi is down, and then the routers at home would filter the traffic despite being outside, and block the ability to change the settings on the phone ^ ^

@Keli
You need to check what's flying there and that's it.

VaM VampirE wrote:

In addition, logging in using microsoft works perfectly, from the parent panel on MS you block applications on the PC, it probably also works on phones.

I agree. The only problem with MS solution is that web filtering only works in Edge. Of course, you can block other browsers, Edge is not that bad right now. On Android, I still use Kaspersky Family Safety. The free version has limitations, but apps can be blocked.

Now children are very smart and can circumvent every security measure.

Of course, but that doesn't mean you shouldn't try. Of course, it's best to convince them not to consciously use it, but it's not that simple. Environmental pressure and all that

Rather, there is no need to install additional security software on the phone, because they can handle it in a moment. There is everything on the net and they will find a way to remove the blockage.
I see that the topic was created today, and already a lot of people are following it. I'll go to the sniffer and see what comes up. I will inform about the results.

If phones on android, I recommend "Family Link" from google, it works natively on any android phone, so you have control over what, where and when your kids can do on the phone. It's not easy for dummies to circumvent :)

If you use the iPhone and IOS, you create a family cloud and you also have full control over the actions of your children. It's already very hard to break. The phone is released only when the child turns 18

Unfortunately, FamilyLink is not always available on older Android devices.

Family Link has one serious flaw, which in my case disqualified it. It gives you the option to log in with your Google account only on trusted devices, so if a child wants to use Google Docs for an IT lesson at school, it will not be possible.

Ryszard49 wrote:

Now children are very smart and can circumvent every security measure.

If their smartness surpasses mine in this regard, I can safely assume that they are smart enough to manage without my supervision :)

Overall, a slippery topic, friends had problems with their daughter who set an e-mail, Facebook and other crap on the side, then when they looked through what she wrote (because in the end the young one started to behave strangely and someone moved his head) it was all what the parents were doing, where lives, a young village, she wrote how it goes.
Now a ban on the net, maybe they will take it off in a few years, the net is cut off 24/7, the phone is under control, and the young one is screwed.
I generally work in IT, so friends with "parental problems" often came to visit me. Young (probably 14 years old) buys e-cigarettes for a parcel locker, pornography, gaming, ripping pirates to power, attaching a parent's card to shops with goodies to play.
Yes, kids are getting smarter and doing dumber things at the same time.
The wife also thought that "how can you be under surveillance like this", and suddenly there was one fire in the family and suddenly it was taken away. End of discussion

Keli wrote:

Dear Colleagues and Colleagues
I'm struggling with the topic of blocking TikTok at home because there's nothing smart there (...)
Does anyone have an idea how to do that?

If you are and feel like a father and you know that your child visits forbidden sites - take your phone.
Deal with the child's rebellion by talking to the child yourself. If you can't do it - you need a psychologist's advice yourself.

Filters are essential; at school, in the office, in the company - but as data protection, not a stick for naughty people.
You may consider it a cliché, but you won't make a green cucumber out of a pickled cucumber.

A child is not harmed by something drastic given in an appropriate form, e.g. a grandmother eaten by a wolf in the fairy tale Little Red Riding Hood, but too early sexual initiation is irreversible (taking away a child's childhood) and if it is done or allowed by an adult - it is a crime against a child, it is pedophilia .

To some extent you are right and some discussion about why something "will not be" should take place. Everyone should know what and why, because it helps to understand.

However, that's not all and unfortunately it's not enough, first of all that at different ages people approach wisdom differently from their parents, in addition we have: the environment, trends in the group, point of view (after all, it's funny and cool, what's wrong with that), boredom, rebellion , etc. Adults often use various patents themselves not to do some stupidity that is harmful and they know it perfectly well, and yet they do it. It will exceed these 50 km / h, it will pass on a late yellow one, it will not fix something on time, it will promise the diagnostician to embrace it and do nothing until the next check, it will take a beer in the basket more than once a week, it will eat before going to sleep, or kisi ass on the couch instead of moving, spend an hour on memes, exchange on?
Grown-up, self-contained people with some kind of developed value system, who know the value of time and do stupid things, mostly small and harmless ones, but they do. So now you will explain to the child, yes you will explain. How many times will it apply? How many times will he ignore and finally the approach will be the same as for sins in the Catholic Church, uj I confess :)

It's like playing and videos on YT, playing once a week, and cartoons 30 minutes a day. Take a chance to fall asleep during this time, well, maybe a few times it happened that they came that the end of fairy tales, but 90% of it is watching in resistance, the same playing.
In addition, the parent turns it off, you can make some boraty, maybe he will finish the episode.
And this is how the e-mail comes, tick 30 minutes, after 30 minutes the browser closes itself, no problems, no one turned it off, it does itself, because 30 minutes is 30 minutes. It really works great.

I know how much "silly" I do and did, how much time I spent, especially when I was a calf. Now I am asking ideal people to present the other side of the coin because I have never been there
Anyway, in our time, when things went wrong, everyone knew what would happen when parents found out, or what the translation "no because no and end of discussion" looked like. It would be unimaginable today, such violence, pathology, this stress. Normally, when I hear these parenting tips from the 21st century sometimes, I wonder how it is possible that children were ever alive at all.

At the moment I have blocked the following IP and so far the videos are not loading. If it turns out that additional IPs need to be added, I will try to add them here.
143.244.0.0 255.255.0.0
92.223.0.0 255.255.0.0
185.52.170.0 255.255.255.0
185.76.10.0 255.255.255.0
104.81.60.114 255.255.255.255
104.94.100.0 255.255.255.0
95.101.23.112 255.255.255.255
34.102.215.99 255.255.255.255
2.18.29.0 255.255.255.0

In a word of explanation. In some cases I have blocked the entire pot.

I suggest you take an interest in Pi Hole.

PS VaM VampirE
I used to live a lazy life
Now I'm responsible for my family, other people and I had to take care of myself.
True relaxation is a bike, a walk,...

I do it with "open DNS". You log into Cisco (opendns.com). You decide who can go where.
I am doing DNS forwarding on the router. From the addresses that have restrictions, I forward to open DNS, and from those that do not, I leave the standard DNS.
How do you want no one to care for you (cell phones are difficult ) then you are blocking port 53 traffic.

Here is the list of domains to be blocked: https://ichi.pro/pl/jak-zablokowac-adresy-ip-tiktok-248071383255352

will pi-hole help with DNS over HTTPS cases?

Keli wrote:

Does anyone have an idea how to do that?

What's on your gate? What equipment?

przeqpiciel wrote:

will pi-hole help with DNS over HTTPS cases?

I don't think so. If you want to filter traffic over HTTPS, you need to decode it. There are such solutions, but only commercial ones.

In general, the list of looking at HTTPs traffic can be glued together - the easiest way is probably using Linux.

It's done like this:
1) you generate your own CA certificate - in general, some self-signed cert
2) you add the above-mentioned CA certs to the trusted certs on the end station - i.e. on the desktop, phone, etc
3) in the place where the traffic goes - i.e. on the router - you put a banner proxy that receives HTTPS traffic from the public internet, it does it in L7, i.e. it removes the HTTPS encryption; then he rummages in this content as he pleases, then encrypts it with a cert signed by this locally added CA and sends it to the end station;

I don't know if there are any out-of-the-box open source solutions for this, but there are probably guides on the net;

the problem with this approach will be certificate-pinning - i.e. the fact that some applications (mainly for mobile phones) but also web browsers for the most popular websites (e.g. firefox for google, facebook and many others) have serial numbers stored inside and cert abbreviations - and after such a substitution they will rebel