How to Block Facebook with DNS Filtering

Step 1: Block Facebook with CleanBrowsing

The easiest way to block Facebook on your network is to use CleanBrowsing's paid filtering service. In the CleanBrowsing dashboard, simply toggle the Social Media category to blocked. This automatically blocks facebook.com and all associated CDN, API, and tracking domains.

When a user on your network tries to access Facebook after it has been blocked, they will see a DNS_PROBE_FINISHED_NXDOMAIN error in their browser. This means the DNS resolver returned no result for the domain, effectively making it unreachable.

Why Use CleanBrowsing?

• Automatic domain coverage: CleanBrowsing maintains a comprehensive list of all Facebook-related domains, including CDN subdomains, API endpoints, and tracking domains. You do not need to maintain this list yourself.
• Network-wide enforcement: Configure CleanBrowsing DNS at the router level and every device on the network inherits the block. No per-device setup needed.
• Granular control: Block Facebook while allowing other social media platforms, or block all social media at once.
• No maintenance: As Meta adds new domains or changes infrastructure, CleanBrowsing's categorization engine updates automatically.

To get started, configure your network to use CleanBrowsing DNS and enable the Social Media category in your dashboard. See our paid account configuration guide.

Step 2: Block Facebook with Hosts File

If you prefer a manual approach or need to block Facebook on a single device, you can map Facebook domains to 0.0.0.0 in your hosts file. This sends all Facebook requests to a null address, effectively blocking access.

Hosts File Location

• Linux / Mac: /etc/hosts
• Windows: C:\Windows\System32\drivers\etc\hosts

Core Facebook Domains

Add these entries to block the primary Facebook domains:

Meta-Owned Platforms

Meta (formerly Facebook) also owns Instagram. To block the full Meta ecosystem, add:

Note: For complete coverage, the full list of Facebook-related domains can include 800+ entries covering CDN subdomains, regional domains, API endpoints, and tracking pixels. See our full list: Complete Facebook Domain List.

Step 3: Verify and Maintain Your Block

After configuring your block, verify that it is working correctly and plan for ongoing maintenance.

Testing Your Block

Use nslookup or dig to confirm that Facebook domains are being blocked:

If the block is working via CleanBrowsing, you should see an NXDOMAIN response or a response pointing to a block page IP. If using hosts file blocking, the lookup will return 0.0.0.0.

Mobile App Considerations

The Facebook mobile app may use cached DNS responses or hardcoded IPs in some cases. If the app was recently used before the block was applied, it may continue working temporarily until the cache expires. Steps to address this:

• Flush DNS cache: Run ipconfig /flushdns on Windows or sudo dscacheutil -flushcache on Mac.
• Force close the app: Kill the Facebook app on mobile devices and reopen it.
• Wait for TTL expiry: DNS caches typically expire within a few minutes to hours.

Complete Blocking: Combine DNS with Firewall

For the most thorough blocking, combine DNS filtering with firewall rules that block Facebook's IP ranges. Facebook's primary AS number is AS32934. You can look up their published IP ranges and block them at the firewall level.

This is particularly important for apps that may bypass DNS or use encrypted DNS (DoH/DoT) to resolve Facebook domains outside your filtered DNS. Blocking the IP ranges at the firewall ensures Facebook is unreachable regardless of how DNS is handled.