To have a kind of parental control for internet access on a Balance 310, the wish is to do domain/URL filtering by DNS.

- Only allow DNS packets from the client to the router's built-in DNS server (no DNS resolving on any other host = firewall block rule)
- Have an allow list per client IP, that contains a white list of allowed domain names
- Move all allowed resolved IP addresses for that client IP address to a temporary firewall rule (live as long as the TTL of the DNS record), this to block website access by IP (without resolving DNS name).
- Have an internal warning page, that is sent back to the end user when he/she tries to access an unallowed page.

Would be nice to have:

- Have an option on the warning page to allow the user to continue, despite the block (Soft block mode)
- Have an option on the warning page to request the administrator for access to this domain (Hard block mode)
- In both soft and hard block modes, list these exceptions and give the administrator a one-click action to allow or deny the user request for website (domain) access; for example, for google.com:
  - Allow www.google.com
  - Allow google.com
  - Deny www.google.com
  - Deny google.com
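
The per-client allow list and TTL-bound firewall behaviour requested above, modelled in Python as an added example; it is not part of the original post and not Balance 310 firmware code. The class and method names, the router address 192.168.1.1, the rule that an entry also covers its subdomains, and answering blocked names with the router's own address for the warning page are all assumptions.

```python
from dataclasses import dataclass, field

ROUTER_IP = "192.168.1.1"  # assumed LAN address of the built-in DNS server and warning page


@dataclass
class DnsPinholeFilter:
    allow: dict                                   # client IP -> set of allowed domain names
    pinholes: dict = field(default_factory=dict)  # (client IP, dst IP) -> expiry time

    def domain_allowed(self, client, qname):
        name = qname.rstrip(".").lower()
        # Assumption: an entry covers the name itself and its subdomains,
        # matched on a label boundary so "notexample.org" != "example.org".
        return any(name == d or name.endswith("." + d)
                   for d in self.allow.get(client, ()))

    def on_dns_answer(self, client, qname, answers, now):
        """answers: [(ip, ttl_seconds)] as returned by the router's resolver."""
        if not self.domain_allowed(client, qname):
            return [ROUTER_IP]                    # send the client to the warning page
        for ip, ttl in answers:
            key = (client, ip)
            # Keep the later expiry if this IP is already pinned for the client.
            self.pinholes[key] = max(self.pinholes.get(key, 0), now + ttl)
        return [ip for ip, _ in answers]

    def packet_allowed(self, client, dst_ip, dst_port, now):
        if dst_port == 53:                        # DNS only to the built-in server
            return dst_ip == ROUTER_IP
        if dst_ip == ROUTER_IP:                   # warning page stays reachable
            return True
        expiry = self.pinholes.get((client, dst_ip))
        if expiry is None or now >= expiry:       # never resolved, or TTL ran out
            self.pinholes.pop((client, dst_ip), None)
            return False
        return True


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    f = DnsPinholeFilter(allow={"192.168.1.50": {"example.org"}})
    print(f.on_dns_answer("192.168.1.50", "www.example.org", [("203.0.113.10", 300)], now=1000))
    print(f.packet_allowed("192.168.1.50", "203.0.113.10", 443, now=1100))   # within TTL
    print(f.packet_allowed("192.168.1.50", "203.0.113.10", 443, now=1300))   # TTL expired
    print(f.packet_allowed("192.168.1.50", "198.51.100.7", 443, now=1100))   # never resolved
```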