This setup has failed twice for me; for two different routers. Now I hear that this might be a problem with HTTPS rather than the routers. I'd love to hear from experts about a potential solution for me.

Problem

I want to limit Internet access for some of the PCs in my local network to a small set of websites. For example, those particular PCs should be able to access google.com, khanacademy.org and a handful of other sites, but nothing else.

Approach

Routers provide two types of Parental Controls called Blacklists and Whitelists. Whitelists provide exactly the feature that I need; i.e. I can type in a list of allowed websites for a MAC address and the router will then not allow that machine to access any other website.

Failure

I have tried it with two routers from two different companies; one was the Archer D7 from TP-LINK whereas the second one was the EG8247H5 from Huawei. Both provide black and white list features in Parental Control, but neither of them actually works. Having a whitelist configured for a machine's MAC address doesn't change anything about that machine's Internet access. All websites remain accessible as if there were no whitelists.

New Theory

I contacted my ISP about the problem. They told me that filtering Internet access is mostly not possible because of HTTPS. The information packet is encrypted end-to-end and therefore the router has no way of knowing the server name that is being accessed, thereby making this white-listing feature totally useless. I argued that if that were the case, why did the router company add this option in the first place, to which they said that some high-end models from the company actually have specialized hardware that can dig deep into those packets and fetch the destination server name from them, but the companies, in order to save money, deploy one generic software for all their models that includes all features, even the ones that are not supported on low-end models.

I don't know how realistic this story is; whether the ISP is just trying to play games or if this actually is the case. Has anyone successfully configured router-level white-listing and if yes, what router did you use (just to prove that the HTTPS story is not true)?

  • "router has no way of knowing the server name that is being accessed" this is plainly wrong as the DNS lookup is done outside of HTTPS.
    – DavidPostill
    Commented Jan 23, 2020 at 11:32
  • Also: the domain is sent unencrypted because of SNI (the full URL is not, though)
    – gronostaj
    Commented Jan 23, 2020 at 11:36
  • @DavidPostill: Yep. I shot that argument at the ISP guy too, but it was a phone conversation so he successfully dodged me using several convoluted networking terms that I don't know much about. :)
    – dotNET
    Commented Jan 23, 2020 at 11:37
  • @gronostaj: I hear that this has changed now in modern standards.
    – dotNET
    Commented Jan 23, 2020 at 11:37
  • Why not use Group Policy instead to do this? You'll get far more granular control.
    Commented Jan 23, 2020 at 12:27

1 Answer

I was finally able to use OpenDNS to solve the issue for me. It is not 100% secure and a skilled person can easily dodge/disarm the setup. If, like me, your kid(s) are young and aren't too tech savvy, this may provide just enough security.

The procedure is to set up a (free) OpenDNS account at OpenDNS and then change your machine's IPv4 properties to use their servers for DNS instead of the default. You can then configure your OpenDNS account to allow only certain categories of websites.

The entire process is small and should take less than a few minutes. More details about the DNS setup are here.

Since most of us do not use static IP addresses, we need to update our IP address in the OpenDNS account whenever our ISP assigns us a new dynamic IP. Fortunately, OpenDNS also provides a small Windows utility that will keep running in the background and do this job automatically for us.

Strictly speaking, OpenDNS doesn't provide a white-listing mechanism, i.e. a way of specifying a list of websites that will be allowed exclusively. Instead it provides a list of 63 (as of this writing) broad content categories and you can choose which ones you want to block. In addition you can also black-list specific URLs.
