Blocklist Facebook domains

I highly recommend using uMatrix[1][2] if you&#x27;re very privacy-conscious. It&#x27;s the full-blown everything-at-your-fingertips console.<p>By default, it blocks third-party scripts&#x2F;cookies&#x2F;XHRs&#x2F;frames (with an additional explicit blacklist). You then manually whitelist on a matrix which types of requests from which domains you want to allow. Your preferences are saved.<p>It is a bit annoying the first time you visit any new domain, because you need to go through a bootstrapping whitelist process to make it work. After a while I find I do it almost automatically though.<p>I use it in conjunction with uBlock Origin and Disconnect, and it <i>still</i> catches the vast majority of things. As a nice side-effect, I find I keep pretty up-to-date with new SAAS companies coming out!<p>---<p>[1] <a href="https:&#x2F;&#x2F;chrome.google.com&#x2F;webstore&#x2F;detail&#x2F;umatrix&#x2F;ogfcmafjalglgifnmanfmnieipoejdcf" rel="nofollow">https:&#x2F;&#x2F;chrome.google.com&#x2F;webstore&#x2F;detail&#x2F;umatrix&#x2F;ogfcmafjal...</a><p>[2] <a href="https:&#x2F;&#x2F;addons.mozilla.org&#x2F;en-US&#x2F;firefox&#x2F;addon&#x2F;umatrix&#x2F;" rel="nofollow">https:&#x2F;&#x2F;addons.mozilla.org&#x2F;en-US&#x2F;firefox&#x2F;addon&#x2F;umatrix&#x2F;</a>

Yet again, software freedom fighters got there years ago.<p>Free Software Foundation got there earlier. From publishing <a href="https:&#x2F;&#x2F;www.fsf.org&#x2F;facebook" rel="nofollow">https:&#x2F;&#x2F;www.fsf.org&#x2F;facebook</a> published on on Dec 20, 2010. FSF &amp; GNU Project founder Richard Stallman has been rightly objecting to Facebook for years in his talks and on his personal website at <a href="https:&#x2F;&#x2F;stallman.org&#x2F;facebook.html" rel="nofollow">https:&#x2F;&#x2F;stallman.org&#x2F;facebook.html</a>.<p>Long-time former FSF lawyer Eben Moglen rightly called Facebook &quot;a monstrous surveillance engine&quot; and pointed out the ugliness of Facebook&#x27;s endless surveillance (at length in <a href="http:&#x2F;&#x2F;snowdenandthefuture.info&#x2F;PartIII.html" rel="nofollow">http:&#x2F;&#x2F;snowdenandthefuture.info&#x2F;PartIII.html</a> but in other places in the same lecture series as well). See <a href="http:&#x2F;&#x2F;snowdenandthefuture.info&#x2F;" rel="nofollow">http:&#x2F;&#x2F;snowdenandthefuture.info&#x2F;</a> for the entire series of talks.

I wonder how Facebook devs feel when they read such posts. Do they feel rejected ? shameful ? Does their salary really outweigh this collective disapproval of their peers ?

Pi-Hole [1] is another nice way to filter domains at the DNS level network wide, if you want a wider reaching solution that supports wildcards. Great way to use an extra Pi if you have one sitting around.<p>---<p>[1] <a href="https:&#x2F;&#x2F;pi-hole.net&#x2F;" rel="nofollow">https:&#x2F;&#x2F;pi-hole.net&#x2F;</a>

Looks like this is already covered by the &quot;Social&quot; add-on to StevenBlack&#x27;s hosts:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;StevenBlack&#x2F;hosts&#x2F;blob&#x2F;master&#x2F;extensions&#x2F;social&#x2F;hosts" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;StevenBlack&#x2F;hosts&#x2F;blob&#x2F;master&#x2F;extensions&#x2F;...</a>

Is it really any use trying to enumerate all variants under *.facebook.com and similar?<p>The counts:<p><pre><code> 307 facebook.com 295 fbcdn.net 250 tfbnw.net 12 whatsapp.com 9 instagram.com 3 fb.com 3 edgesuite.net 2 metrix.net 2 fbsbx.com 2 fbcdn.com 2 facebook.net 2 edgekey.net 2 cdninstagram.com 2 akamaihd.net 1 fb.me 1 appspot.com</code></pre>

Let&#x27;s put this in global context:<p><pre><code> Adblocking is a non-trivial task, but there are trivial solutions. 1.) Install hosts-gen from http:&#x2F;&#x2F;git.r-36.net&#x2F;hosts-gen&#x2F; % git clone http:&#x2F;&#x2F;git.r-36.net&#x2F;hosts-gen % cd hosts-gen % sudo make install # Make sure all your custom configuration from your current &#x2F;etc&#x2F;hosts is # preserved in a file in &#x2F;etc&#x2F;hosts.d. The files have to begin with a # number, a minus and then the name. % sudo hosts-gen 2.) Install the zerohosts script. # In the above directory. % sudo cp examples&#x2F;gethostszero &#x2F;bin % sudo chmod 775 &#x2F;bin&#x2F;gethostszero % sudo &#x2F;bin&#x2F;gethostszero % sudo hosts-gen </code></pre> Add a cron job, and enjoy your faster and adfree-er internet. Further, you can add your custom (this FB) block to the local files in &#x2F;etc&#x2F;hosts.d, which then will be concatenated automatically.<p>[source]: <a href="https:&#x2F;&#x2F;surf.suckless.org&#x2F;files&#x2F;adblock-hosts&#x2F;" rel="nofollow">https:&#x2F;&#x2F;surf.suckless.org&#x2F;files&#x2F;adblock-hosts&#x2F;</a>

This is a good thing to enable, but I think that smartphones contribute exponentially more data to Facebook services than laptops and browsers do. Smartphones give easy access to location, background running services, microphone. Even if you block these permissions to the app, Facebook gets the data from their data providers that use Facebook ads.

I advocate for iptables instead of DNS filtering.<p>Process of enumerating and rejecting facebook IPs :<p>* Query the RAD <a href="http:&#x2F;&#x2F;radb.net&#x2F;query&#x2F;" rel="nofollow">http:&#x2F;&#x2F;radb.net&#x2F;query&#x2F;</a> , search for AS32934<p>* Enumerate ip ranges by <a href="http:&#x2F;&#x2F;radb.net&#x2F;query&#x2F;?advanced_query=1" rel="nofollow">http:&#x2F;&#x2F;radb.net&#x2F;query&#x2F;?advanced_query=1</a><p>* Check inverse query by origin, use AS32934<p>* Grep the response route and route6 CIDR ranges<p>* Build a netfilter script with REJECT<p>Gives those scripts for iptables (updated once in a while) :<p>* <a href="https:&#x2F;&#x2F;cdn.rawgit.com&#x2F;smigniot&#x2F;mu&#x2F;ea0f32867907b855063c56ae8dbd7237d35913f1&#x2F;fbmute&#x2F;no_facebook_in_ipv4.sh" rel="nofollow">https:&#x2F;&#x2F;cdn.rawgit.com&#x2F;smigniot&#x2F;mu&#x2F;ea0f32867907b855063c56ae8...</a><p>* <a href="https:&#x2F;&#x2F;cdn.rawgit.com&#x2F;smigniot&#x2F;mu&#x2F;ea0f32867907b855063c56ae8dbd7237d35913f1&#x2F;fbmute&#x2F;no_facebook_in_ipv6.sh" rel="nofollow">https:&#x2F;&#x2F;cdn.rawgit.com&#x2F;smigniot&#x2F;mu&#x2F;ea0f32867907b855063c56ae8...</a><p>* <a href="https:&#x2F;&#x2F;cdn.rawgit.com&#x2F;smigniot&#x2F;mu&#x2F;ea0f32867907b855063c56ae8dbd7237d35913f1&#x2F;fbmute&#x2F;no_facebook_out_ipv4.sh" rel="nofollow">https:&#x2F;&#x2F;cdn.rawgit.com&#x2F;smigniot&#x2F;mu&#x2F;ea0f32867907b855063c56ae8...</a><p>* <a href="https:&#x2F;&#x2F;cdn.rawgit.com&#x2F;smigniot&#x2F;mu&#x2F;ea0f32867907b855063c56ae8dbd7237d35913f1&#x2F;fbmute&#x2F;no_facebook_out_ipv6.sh" rel="nofollow">https:&#x2F;&#x2F;cdn.rawgit.com&#x2F;smigniot&#x2F;mu&#x2F;ea0f32867907b855063c56ae8...</a><p>To enable :<p>* iptables -I OUTPUT -j no_facebook_out<p>* iptables -I INPUT -j no_facebook_in<p>* ip6tables -I OUTPUT -j no_facebook_out<p>* ip6tables -I INPUT -j no_facebook_in<p>By design, instagram and connect-with-facebook get muted too.

I don&#x27;t see <a href="https:&#x2F;&#x2F;messenger.com" rel="nofollow">https:&#x2F;&#x2F;messenger.com</a> or <a href="https:&#x2F;&#x2F;m.me" rel="nofollow">https:&#x2F;&#x2F;m.me</a> (which also leads to messenger)

Its actually quite annoying to block all of facebook. There are a lot of innocuous sites that have at least some small reliability on facebook and blocking all of facebook makes using these sites a tad bit difficult &#x2F; poor UX.

For anyone who&#x27;s interested, I also maintain a tracking protection list for Internet Explorer. It&#x27;s based originally on the Ghostery and Disconnect lists, but I now update it independently. It&#x27;s designed to be concise and speedy, yet also comprehensive. Note, however, that due to the limitations of tracking protection lists in IE, it can&#x27;t block everything. You may need to supplement it with a small hosts file. Check it out here: <a href="https:&#x2F;&#x2F;github.com&#x2F;amtopel&#x2F;tpl" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;amtopel&#x2F;tpl</a>

Created a pi-hole friendly blocklist <a href="https:&#x2F;&#x2F;gist.githubusercontent.com&#x2F;angad&#x2F;3db2da1cb50a4432c9ea3cfa2bb249f5&#x2F;raw&#x2F;7fd0fddc08dd23ed205ec488fd5068c195662fe0&#x2F;facebook.txt" rel="nofollow">https:&#x2F;&#x2F;gist.githubusercontent.com&#x2F;angad&#x2F;3db2da1cb50a4432c9e...</a>

It&#x27;s a shame &#x2F;etc&#x2F;hosts doesn&#x27;t support wildcards<p>0.0.0.0 *.facebook.com

Someone should start a business for this:<p>Provide people that care about privacy with a public DNS server they can use that auto blocks those domains (and update&#x27;s its lists). I would pay for it (few dollars a month)<p>Feature suggestion: allow people to add their own entries so I can purposely block reddit or hacker news to reduce distractions.<p>Pretty sure I would set this DNS server on both my phone and desktop.

Can somebody elaborate why this link from 2016 is gaining steam here? Is it because Cambridge Analytica misused FB data? May be I am missing something, do we know if facebook was wittingly complicit?

The whole conversation, without having read into everything here in absolute detail, seem to be very tool oriented. Am I the only one here overwhelmed by the sheer amount of domains involved?

block all of Google&#x27;s IP addresses: <a href="https:&#x2F;&#x2F;support.google.com&#x2F;a&#x2F;answer&#x2F;60764?hl=en" rel="nofollow">https:&#x2F;&#x2F;support.google.com&#x2F;a&#x2F;answer&#x2F;60764?hl=en</a> (note: your internet (the web) will stop working properly if you do block all of those IPs, which is a big problem)

does this include instagram, messenger, and whatsapp domains too? I&#x27;m not sure if these services use their own domains.<p>&#x27;fb&#x27; itself will eventually be, if it&#x27;s not already, just a data holding company for these and other acquisitions.

I wish it were that easy. Good start, but Facebook will still:<p>1. Get your data from other websites&#x2F;apps that you allow<p>2. Get your data through your friends that use Facebook

Why would you block all the domains but still keep your account that you would no longer be able to access? The account is the problem not the domains. You would have to block the domains on every device you use. Just kill the problem at the source and delete your entire surveillance account with facebook.

Why only Facebook? All companies which store data are suspect.

Similar solution to blocking things at your local recursive DNS resolver, assuming you have a captive pool of devices, let&#x27;s say in 10.240.0.0&#x2F;24) in a LAN, all of which are given DHCP addresses and DHCP-assigned DNS resolvers, and you&#x27;re in control of a bind9 server that&#x27;s on the same LAN.<p>Not going to prevent people with admin rights on their workstations from using another DNS resolver (or VPN, or whatever), but a fairly low effort solution.<p><a href="https:&#x2F;&#x2F;community.jisc.ac.uk&#x2F;library&#x2F;janet-services-documentation&#x2F;how-block-or-sinkhole-domains-bind" rel="nofollow">https:&#x2F;&#x2F;community.jisc.ac.uk&#x2F;library&#x2F;janet-services-document...</a>

There is more coverage of this topic here: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11791052" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11791052</a>

Does anyone have this for Google ads domains and&#x2F;or YouTube?

Man, that person put in some effort. That’s a lot of good lists.<p>Scrolling through them it’s really interesting to see the other sites companies own.<p>I always forget WhatsApp is Facebook.

This list presumably updates&#x2F;moves around often.<p>Is there a service that, say, subscribes to a live list of this domain set (like adblock consumes easylist) and updates my hostfile automatically?<p>If not, that is a piece of software that I would find useful and worth paying for (with the ability to audit the software&#x27;s ability to phone home about the rest of my hosts file)

I wrote a small tool that translates AdBlock Plus filter lists into hosts file format [1]. It can only translate simple domain-name rules but might be of interest to people in this thread.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;wwalexander&#x2F;hostsblock" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;wwalexander&#x2F;hostsblock</a>

A lot of commenters mention dnsmasq. I wrote some scripts a while ago to help minimize a dnsmasq config that had been generated from a hosts file. People in this thread might find them useful.<p><a href="https:&#x2F;&#x2F;petedeas.co.uk&#x2F;dnsmasq&#x2F;" rel="nofollow">https:&#x2F;&#x2F;petedeas.co.uk&#x2F;dnsmasq&#x2F;</a>

I made one of these for Google: <a href="https:&#x2F;&#x2F;github.com&#x2F;Miserlou&#x2F;nogoogle" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Miserlou&#x2F;nogoogle</a><p>also: <a href="https:&#x2F;&#x2F;github.com&#x2F;Miserlou&#x2F;Poop" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Miserlou&#x2F;Poop</a>

Minor segue, is there any easy way to Geo-block URLs, both by ccTLDs and by geolocation of IPs from certain countries.<p>I have pi-hole running but it doesn&#x27;t support that currently, best it does is wildcard but even for that it needs domain and won&#x27;t do just on the ccTLD.

Nice to see HackerNews create pull requests to make the list more up to date. I hope they get committed.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;jmdugan&#x2F;blocklists&#x2F;pulls" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jmdugan&#x2F;blocklists&#x2F;pulls</a>

This is a terrible approach. Facebook can rotate many of these names whenever they feel like.

Interesting to see several domain names&#x2F;servers with &#x27;mqtt&#x27; referenced. Wondering if Facebook interacts with IoT devices routinely, or perhaps they use MQTT for Messenger message transfers etc.?

I want to share my favorite HOSTS file provider [1] which includes FB addresses.<p>[1]: <a href="http:&#x2F;&#x2F;someonewhocares.org&#x2F;hosts&#x2F;" rel="nofollow">http:&#x2F;&#x2F;someonewhocares.org&#x2F;hosts&#x2F;</a>

on macOS i use a bash script to get all Facebook ip addresses:<p><pre><code> whois -h whois.radb.net &#x27;!gAS32934&#x27; | tr &#x27; &#x27; &#x27;\n&#x27; | awk &#x27;!&#x2F;[[:alpha:]]&#x2F;&#x27; &gt; &quot;&#x2F;etc&#x2F;pf.anchors&#x2F;usr.home.sub&#x2F;facebook.list&quot; </code></pre> and then use a pfctl anchor to block them all<p><pre><code> table &lt;facebook&gt; persist file &quot;&#x2F;etc&#x2F;pf.anchors&#x2F;usr.home.sub&#x2F;facebook.list&quot; block drop quick to &lt;facebook&gt;</code></pre>

I need something like this that I can install on friend and family&#x27;s phones&#x2F;iPads&#x2F;computers whenever they ask me to fix something for them &gt;:)

My setup: <a href="https:&#x2F;&#x2F;github.com&#x2F;jakeogh&#x2F;dnsgate" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jakeogh&#x2F;dnsgate</a>

A blacklist approach to this is for sure a cat and mouse game. A better approach is to incrementally whitelist the domains you trust.

I might do this. Just curious if this will break the internet for me... Will certain non Facebook pages fail to load?

The list has fbcdn-profile-a.akamaihd.net, but it missed fbcdn-creative-a.akamaihd.net<p>If anyone wants it

Are there any implications to having 40,000+ lines in your &#x2F;etc&#x2F;hosts?

One of the posts I wish I could upvote more than once. Thank you.

This list must&#x27;ve updated a lot since 2016.

what is the difference between 0.0.0.0 and 127.0.0.1 with respect to redire ction?<p>will redirecting to localhost eat more cpu cycles?

It&#x27;s pathetic that it takes a literal propaganda campaign to make people see the problem with facebook after 10 years, but whatever I&#x27;ll take it.

Any way to do this at the router level?

This is quite a powerful message!

Why would you block WhatsApp?

Wow the hate&#x2F;dislike is very real.

merci.

I can block domains on my laptop, no problem. But I have not been able to figure out any convenient way to block websites on my Android phone. My Android phone comes with a Chrome browser. Any ideas about how to block websites reliably on an unrooted&#x2F;jail-not-broken Android phone?

Why not do something like *facebook.com?

I&#x27;d like to mention a problem with blocklists like this that you put into &#x2F;etc&#x2F;hosts. I&#x27;ve noticed that many sites trivially evade the blocklist by adding a redirect. I.e., if example.com is blocked, but it redirects to example.ru or example123.com or example.team, then it still works. The spammers and advertisers don&#x27;t have to change all the existing links to example.com -- they simply need to add a new redirect every few weeks.