DNS Record/Response on a Per Client Basis with BIND

With transparent proxy you could do this without a need for any proxy setup on client side. You would then just nned to create rule, based on MAC address, to filter this device out.

But as MAC is Layer 2, you would probably need to make DHCP reservation on IP for this MAC, which moves you one step away from some secure setup.

Instead, try IPTABLES rule and play with it:

iptables -I FORWARD 7 -p tcp -d restricted.com -m mac --mac-source XX:XX:XX:XX:XX:XX --dport 80 -j DROP 
iptables -I FORWARD 7 -p tcp -d www.restricted.com -m mac --mac-source XX:XX:XX:XX:XX:XX --dport 80 -j DROP

Select allOpen in new window

Unfortunately the set of devices I wish to block are all on different networks. I simply have an Adtran router for each network. I could add a rule in the ACL to block all for that particular host and then an allow for each website... I would have to do this for 8+ routers. These devices will see more use

Transparent Proxy would be ideal. In this situation I cannot apply it.

Ex. "device a" is 192.168.66.85  and DNS is 192.168.1.3. My Squid Proxy is on 192.168.1.4.

If there was someway to "tie a zone" to a certain set of hosts...

If you have multiple DNS servers you may be able to use a hybrid DNS solution. For example if device A has a MAC address of AA:BB:CC:DD:EE:FF, you could use DHCP to set a static reservation for AA:BB:CC:DD:EE:FF and set its DNS server as 192.168.x.x. This 192.168.x.x dns server could server its own ip addres for whatever dns zones you want blocked. For example you could have this DNS server host facebook.com.  Any clients getting addresses through regular DHCP would resolve the regular address, any clients you have registered as 'blocked' would get 192.168.x.x from the alternative dns server. Just be sure you don't replicate zones from this blocked DNS service to the normal DNS servers

Found it myself. I need a pat on the back :)