mercutio: i'm a bit late to the party, but it looks like you can use squid to transparently proxy https: http://www.squid-cache.org/Doc/config/https_port/ . sure, you will have to install your own ca certificate on the clients and make sure that they don't do public key pinning, but in a controlled environment that might work
ant: it's probably more complicated than doing it with dns
mercutio: if you just want to block youtube, most probably
ant: it's anisfarhana that wanted to block youtube, but yeah.
mercutio: yeah, i didn't actually mean _you_ with "you" ;)
yeah generic you heh
at my former school i once tried to block gaming sites and other non-school-related stuff via the web proxy. but i ended up realising that one should try to solve social problems by technical measures
For that matter, it's technically possible to filter https by examining the SNI in-transit and blocking the connection appropriately. (I'm not aware of any f/oss out there that does this, but I know how several firewall vendors do it)
brycec: that's an interesting idea. i'm against blocking myself
Even if it's blocking a botnet that uses https for control?
well botnets may pretend to be facebook or something :/
but yeah i'm not a big fan of dpi
it's too hard to keep up with
(or another very legit use case, eg compliance or other "government rules")
and leads to too much complexity.
yeah there's a little danger in government enforced access blocks coming out more
already a lot of countries do dns blocking, sometimes forcing isps' hands.
(I was referring to PCI-DSS compliance, but maybe that's not actually government-driven)
whoops. just realised that i said the opposite of what i meant... one should _not_ try to solve social problems by technical measures
^ makes more sense now
ant: we knew what you meant
well i knew at least :)
lots of workplaces monitor usage of facebook these days afaik
but people are shifting more and more to passive monitoring.
if people know that they're being watched they'll avoid detection
and someone using facebook on their phone at work is no better than their office pc as far as time wasting
as long as disabling flash, facebook is probably "reasonably safe"
bdmail
mercutio: doesn't have to be human readable compression (for that ipv6 listings)
Perhaps only calculate a /64 listed out, then we can multiply
weird, google's just changed their dns infrastructure it seems
and www.google.com isn't working properly for me, which used to be a cname from www.google.co.nz
but www.google.co.nz now has a direct a record.
and the ip addresses on multiple dns all seemed to change, and the reverse lookups look different.
oh and now they're returning single records instead of like 8
mercutio, not here
mkb: it came right again.
That's what she said!!
it was giving SERVFAIL
it seems there are a whole lot of 216 addresses suddenly when there were 74.125 ones before.
but i found something to do dns lookups around the world, and some people seem to have the older addresses still.
i assume they're changing things around a bit