Permanently blocking a domain in iptables

Suppose I want to block Facebook permanently. To do this, I have followed the following process:

#host -t a www.facebook.com

Sample output:

www.facebook.com has address 69.171.224.40

Find the CIDR:

#whois 69.171.224.40 | grep CIDR

Sample output:

CIDR: 69.171.224.0/19

To prevent outgoing access to www.facebook.com:

Approach 1:

#iptables -I FORWARD -p tcp -d 69.171.224.0/19 -j DROP

Approach 2:

#iptables -I FORWARD -p tcp -d www.facebook.com -j DROP

Both approaches work well. In approach 1, the IP address may change, so it will not block Facebook permanently. I don't know whether approach 2 will block Facebook permanently or not. If the above approaches are not the right way to block a domain permanently, how can I do it?


Solution 1:

If you use Squid, the following does the same:

# Mon to Fri time window
acl blockfacebooktime time MTWHF 8:30-8:30
# Domain name (the leading dot matches facebook.com and all its subdomains)
acl blockfacebookdotcom  dstdomain .facebook.com
# Deny requests that match both ACLs; this line must come before any http_access allow
http_access deny blockfacebookdotcom blockfacebooktime

Solution 2:

Approach 2 will NOT work as you may think. You can read this in the iptables manual:

[!] -s, --source address[/mask]
    Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address.

Of course, the same applies to the destination option -d. This is because iptables will do the DNS lookup only once and use the retrieved IP in the rule. So, it will not work if the IP is changed after that.

A better approach is to use a proxy server as suggested by @neolix. However, your users can try to bypass your proxy unless you have really strict rules to prevent this.
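A scripted version of the host / whois / iptables steps from the question, added here as an example; it is not part of the question or of either answer. It generalizes Approach 1 to any number of A records and whois prefixes, and because it re-resolves the domain each time it runs, it can be scheduled (for example from cron) so the rules follow DNS changes, which is exactly what a single iptables -d hostname rule cannot do, as Solution 2 explains. The sample host and whois outputs are constructed to mirror the ones in the question, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the question or the answers. Parses `host -t a` and
# `whois` output and emits idempotent iptables commands for every prefix found.

# Print the IPv4 addresses from `host -t a <domain>` output, one per line.
# (" has address " deliberately does not match "has IPv6 address" lines.)
extract_addresses() {
    printf '%s\n' "$1" | awk '/ has address / { print $NF }'
}

# Print the prefixes from whois "CIDR:" lines, one per line. Some registries
# put several comma-separated prefixes on one CIDR line, so split on commas too.
extract_cidrs() {
    printf '%s\n' "$1" | awk -F':' '/^CIDR:/ {
        n = split($2, a, /,/)
        for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", a[i]); print a[i] }
    }'
}

# Turn a newline-separated prefix list into iptables commands. Each command
# first checks (-C) whether the rule exists, so re-running from cron does not
# pile up duplicates. -p tcp and DROP are kept as in the question; the chain
# is FORWARD for a gateway, OUTPUT when blocking on the host itself.
build_rules() {
    chain=${2:-FORWARD}
    printf '%s\n' "$1" | sort -u | while read -r cidr; do
        [ -n "$cidr" ] || continue
        printf 'iptables -C %s -p tcp -d %s -j DROP 2>/dev/null || iptables -I %s -p tcp -d %s -j DROP\n' \
            "$chain" "$cidr" "$chain" "$cidr"
    done
}

# Constructed sample outputs, shaped like the ones shown in the question.
SAMPLE_HOST='www.facebook.com has address 69.171.224.40'
SAMPLE_WHOIS='NetRange:       69.171.224.0 - 69.171.255.255
CIDR:           69.171.224.0/19
NetName:        CONSTRUCTED-SAMPLE'

# Offline demonstration: prints the command that would be run for the sample.
build_rules "$(extract_cidrs "$SAMPLE_WHOIS")" FORWARD

# Live use (needs network access and root), e.g. as a cron job:
#   domain=www.facebook.com
#   addrs=$(extract_addresses "$(host -t a "$domain")")
#   whois_out=$(for a in $addrs; do whois "$a"; done)
#   build_rules "$(extract_cidrs "$whois_out")" FORWARD | sh
```

Two points worth keeping in mind when running this for real: the prefix whois returns is the registry allocation, so a /19 can cover far more than the one site you intend to block, and blocking only the resolved addresses themselves (a /32 per A record) with a frequent re-run is the narrower choice; and, as Solution 2 notes, any packet-filter approach still depends on what the name resolves to at the moment the script runs, which is why it must be re-run rather than applied once.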