Mission Brief: Shut Down the Fun
Our eleven-year-old discovered the boundless universe of browser games, social feeds and—yikes—stuff we’d rather not mention. The goal: strip the laptop of distractions without breaking homework, Zoom and Minecraft Education.
- 🔒 Block: adult, gambling, and free-game portals.
- 🚫 Display: a parent-branded “Access Blocked” splash for psychological deterrence.
- 📝 Log: every access attempt for weekly reviews.
- 🛡️ Outsmart: all bypass tricks—without spending a cent on paid software.
Layer 1 — Hosts-File Hard Stop + “Access Blocked” Splash
We hard-wired the riskiest domains to 127.0.0.1 and ::1. Windows consults the hosts file before it asks any DNS server, so a lookup for those names never leaves the laptop, and the connection lands on our tiny Python server, which instantly flips up the Access Blocked splash. One catch: hosts entries match whole names only, so www.crazygames.com needs its own pair of lines next to crazygames.com. (We briefly considered using Mum’s legendary death-stare… but a clean red banner proved scary enough.)
```
# === Adult & Games (excerpt) ===
127.0.0.1 xvideos.com
::1 xvideos.com
127.0.0.1 crazygames.com
::1 crazygames.com
...
```
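To see what the hosts layer does and does not catch, here is an added example (mine, not the page’s PcRiot_hosts_parental_blocklist.txt or any script of the author’s). It builds the 127.0.0.1/::1 row pairs for a domain list, adds the www. label, and then replays the resolver’s exact-match rule against a few test names so the subdomain gap is visible. The function names and the domain list are illustrative.

```python
"""Added example, not the page's blocklist file: emit hosts-file rows for a
domain list and check which hostnames those rows would really stop. The
Windows hosts file has no wildcards: a name is blocked only if it appears
verbatim, so subdomains must be listed one by one."""
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name: str) -> bool:
    """Accept only syntactically sane names with at least two labels."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def hosts_rows(domains, add_www: bool = True) -> list:
    """One 127.0.0.1 row and one ::1 row per name, plus the www. label.

    The page pins both address families for every name; this keeps that
    convention and de-duplicates so a domain listed twice yields one pair.
    """
    rows, seen = [], set()
    for raw in domains:
        name = raw.strip().lower().rstrip(".")
        if not is_valid_domain(name):
            continue                       # skip junk rather than write a broken file
        names = [name]
        if add_www and not name.startswith("www."):
            names.append("www." + name)
        for n in names:
            if n in seen:
                continue
            seen.add(n)
            rows.append(f"127.0.0.1 {n}")
            rows.append(f"::1 {n}")
    return rows


def parse_hosts(text: str) -> set:
    """Every name a hosts file points at loopback or 0.0.0.0, i.e. every name it blocks."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not an address, so not a hosts row
        if addr.is_loopback or addr.is_unspecified:
            blocked.update(p.lower().rstrip(".") for p in parts[1:])
    return blocked


def is_blocked(hostname: str, blocked: set) -> bool:
    """Whole-name match, which is all the OS resolver does with the hosts file."""
    return hostname.strip().lower().rstrip(".") in blocked


def leaks(hostnames, blocked: set) -> list:
    """Names from a test list that the hosts file would NOT catch."""
    return [h for h in hostnames if not is_blocked(h, blocked)]


if __name__ == "__main__":
    # Constructed input: the two domains from the excerpt plus a junk line.
    rows = hosts_rows(["xvideos.com", "crazygames.com", "not a domain"])
    print("\n".join(rows))
    blocked = parse_hosts("\n".join(rows))
    print("slips through:", leaks(["crazygames.com", "m.crazygames.com"], blocked))
```

Run `leaks()` over the hostnames you actually see in the weekly log; anything it returns is a name the hosts layer is silently handing to the next tier.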
Layer 2 — Tiny Python Web Server on 80 / 443
A 60-line svc_host.py script serves our Access Blocked splash on port 80, time-stamps every hit to a log, and on port 443 reads the SNI out of the TLS ClientHello and logs that too (a bare Python socket cannot present a certificate the browser trusts, so the 443 side is a logger rather than a splash). It launches at startup as a Scheduled Task with a 2-second delay, long enough to avoid the port race with Windows’ own services. The hosts-file redirect holds during those two seconds regardless; a request that lands early simply gets a refused connection instead of the banner.
```
python.exe "C:\ProgramData\SystemServices\svc_host.py"
```
Log snippet (blocked_access.log):
```
2025-11-14T09:12:18Z | HTTP hit | host=roblox.com | UA=Edge/125
2025-11-14T09:13:04Z | TLS SNI | sni=pornhub.com | ip=192.168.1.9
```
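The two log lines above come from two different protocols, so here is an added example (my code, not the page’s svc_host.py that is downloadable below) of the parsing a splash server has to do: pull the Host header out of a plain HTTP request on port 80, walk a TLS ClientHello on port 443 far enough to read the server_name extension, and emit the page’s log format. The ClientHello builder exists only to manufacture offline test input; the `classify` helper and its signature are my own.

```python
"""Added example, not the page's svc_host.py: recover the hostname a redirected
connection was aiming for. Port 80 carries a Host header in the clear; port 443
carries a TLS ClientHello whose SNI extension names the site before any
encryption starts. Both end up as lines in the page's blocked_access.log format."""
import struct
from datetime import datetime, timezone
from typing import Optional


def http_headers(request: bytes) -> dict:
    """Headers of a raw HTTP/1.x request, names lower-cased; request line skipped."""
    head = request.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("ascii", "replace")
            headers[key] = value.strip().decode("ascii", "replace")
    return headers


def tls_sni(record: bytes) -> Optional[str]:
    """server_name from a TLS ClientHello record, or None if it is not one.

    Layout walked: record header (5) -> handshake header (4) -> client_version (2)
    -> random (32) -> session_id -> cipher_suites -> compression_methods
    -> extensions, each as type(2) length(2) body. Truncated input yields None.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # handshake record, ClientHello
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        pos = 4 + 2 + 32                                 # past header, version, random
        pos += 1 + hs[pos]                               # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                               # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:                            # server_name
                body, p = hs[pos:pos + ext_len], 2       # skip the list length
                while p + 3 <= len(body):
                    name_type = body[p]
                    name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0:                   # host_name entry
                        return body[p:p + name_len].decode("ascii", "replace")
                    p += name_len
                return None
            pos += ext_len
    except (IndexError, struct.error):
        pass                                             # short or garbage input
    return None


def build_client_hello(host: str) -> bytes:
    """Constructed test input: minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                 # server_name list
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                               # one cipher suite
            + b"\x01\x00"                                       # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def log_line(kind: str, fields: dict, when: Optional[datetime] = None) -> str:
    """One line in the blocked_access.log format: UTC stamp | kind | k=v | k=v."""
    when = when or datetime.now(timezone.utc)
    parts = [when.strftime("%Y-%m-%dT%H:%M:%SZ"), kind]
    parts += [f"{k}={v}" for k, v in fields.items()]
    return " | ".join(parts)


def classify(port: int, first_bytes: bytes, peer_ip: str) -> Optional[str]:
    """Turn the first packet of a redirected connection into a log line, or None."""
    if port == 80:
        h = http_headers(first_bytes)
        if "host" in h:
            return log_line("HTTP hit", {"host": h["host"].split(":")[0],
                                         "UA": h.get("user-agent", "-")})
    elif port == 443:
        sni = tls_sni(first_bytes)
        if sni:
            return log_line("TLS SNI", {"sni": sni, "ip": peer_ip})
    return None
```

`classify()` returns None for anything that is neither a readable request nor a ClientHello; log those too if you want to spot a non-browser tool being pointed at the redirected ports.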
Layer 3 — Technitium DNS Server (Always-on Windows Service)
Installed via DnsServerSetup.exe and running as the Windows service DnsService. The DNS listener itself answers on port 53; the web console is bound to 127.0.0.1:5380 and password-protected.
Forwarders:
```
Protocol: DNS-over-HTTPS
Forwarder: https://family.cloudflare-dns.com/dns-query
```
Exclusive DoH Block-List
Resolver ▸ Firewall / Blocked Domains:
```
dns.google
dns.google.com
chrome.cloudflare-dns.com
mozilla.cloudflare-dns.com
dns.quad9.net
doh.quad9.net
dns.adguard-dns.com
dns.opendns.com
doh.opendns.com
dns.nextdns.io
doh.powerdns.org
```
Blocking the public resolvers by name only stops a client that still asks Technitium where they are; anything that already knows a resolver’s IP address needs no lookup at all. Treat this list as a backstop. Layer 5, which switches browser DoH off, is the real fence.
Layer 4 — Cloudflare Family Filter
Every lookup is forwarded over DoH to Cloudflare Family, which answers 0.0.0.0 (or NXDOMAIN) for adult and malware domains; Technitium logs every query. Quick check from the laptop (127.0.0.1 here is Technitium’s port-53 listener, not the web console):
```
nslookup pornhub.com 127.0.0.1 ➜ 0.0.0.0 (blocked)
nslookup mathletics.com 127.0.0.1 ➜ 52.243.96.246 (allowed)
```
Layer 5 — Browser DoH Disabled + Firewall Tweaks
- Chrome / Edge: machine policy DnsOverHttpsMode = "off" (REG_SZ) under HKLM\SOFTWARE\Policies\Google\Chrome and HKLM\SOFTWARE\Policies\Microsoft\Edge.
- Firefox: HKLM\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS, Enabled = 0 (REG_DWORD).
- Inbound firewall: port 5380 allowed only for Administrators.
- Optional outbound: allow UDP/TCP 53 only to 127.0.0.1, so pointing the adapter at 8.8.8.8 by hand gets no answer back (Technitium itself is unaffected because it forwards over HTTPS).
- These are HKLM policies: they hold only as long as the child’s account is not a local administrator.
Results—Fun-Ruin Scoreboard
| 📅 Day | 🚫 Deterrent Hits | 🔒 DNS Blocks | 🕵️‍♂️ Successful Bypasses |
|---|---|---|---|
| 1 | 34 | 112 | 0 |
| 7 | 6 | 59 | 0 |
*Data supplied by one mildly annoyed 11-year-old beta-tester.
Hardening Checklist
- 🔑 Technitium UI locked down: strong password & bind IP = 127.0.0.1
- 🔄 Service auto-start: set to Automatic (Delayed Start)
- 🛡️ Hardware lock: BIOS password set and USB-boot disabled
- 👤 Standard user, not admin: the hosts file, the HKLM policies, the Scheduled Task and the service are only as locked as the child’s account; a local administrator can undo every layer above.
- 📁 Script folder ACL: the Scheduled Task runs whatever sits at C:\ProgramData\SystemServices\svc_host.py, so make sure only Administrators can write to that folder.
Takeaways
- 🧅 Layering wins: hosts → Python splash → Technitium → Cloudflare Family. If one tier slips, the next picks up the block.
- 📈 Log everything: DNS + HTTP/TLS logs turn mystery clicks into a two-minute weekly review.
- 🧪 Test with a site you expect to fail: we used pornhub.com for adult checks and crazygames.com for game checks—much clearer than testing social media.
Gotchas we got around:
- ✅ DoH vs DoT endpoints: landed on Cloudflare Family DoH (https://family.cloudflare-dns.com/dns-query).
- ✅ Technitium “Use forwarders only” toggle: kept ON so every query hits Cloudflare—no root-hint leaks.
- ✅ SmartScreen prompt: clicked More info → Run anyway; installer is clean and signed.
Downloadables
- 📜 svc_host.py – Python splash server
- 🗂️ PcRiot_hosts_parental_blocklist.txt – adult, gambling, & game portals
- 🛡️ Disable_DoH_Chrome_Edge_Firefox.reg – Reg DoH lockdown for Chrome, Edge & Firefox
- 🖥️ access_block.html – “Access Blocked” splash page (right-click, save-as)
Final Thoughts
We started out to “ruin” an 11-year-old’s fun and ended up with a resilient, transparent filter stack—no slow-downs, no monthly fees.
Kids deserve the web—minus the rabbit-holes.
If you want the same multilayer shield on your child’s laptop (or a sanity-check on your current setup), I can install it, swap Google/Bing for a kid-safe search engine, and tune the block-lists to your child’s age and curiosity—no constant policing required.
Or message 📲 0451 129 245 and I’ll reply as soon as I’m free.