Force DNS on router instead of client-side DNS like OpenDNS or Google Public DNS
I'm trying to implement some site blocking using DNS; the hardware is simple routers like Linksys and Netgear that you use at home for family purposes.
Currently I tried setting a computer to OpenDNS while my router was set to something else; when checked using opendns.com/welcome, the computer was identified as using OpenDNS. And vice versa: this time the computer was not identified as using OpenDNS.
Is it possible to force users to use our DNS instead of the DNS in their settings?
-
No - as long as they are administrators of their machine, they can override DHCP and set it to whatever they like.
If you have a higher-end modem/router you could block DNS lookups except to your DNS server/forwarder, or even intercept all DNS requests and aim them at your server.
Furthermore, blocking using DNS is a rather poor way of doing things, as users can easily enter the IP address of the site they are after (either directly or, for virtual hosts, by creating entries in their hosts file); a better solution may be to use a proxy server.
DucDigital: How can I set up the proxy server on the hardware above? I don't have access to the individual computers, so I wonder if it's possible at the router level...
jdizzle: You can set up a transparent proxy server. Check out Squid (http://www.squid-cache.org/)
PP: Users cannot "easily" enter the IP address of the site they are after. Those days are long gone. Sure, some web servers have one domain per IP address, but it is common now for web hosts to rely on "virtual hosting" that relies on the domain name as part of the web request. Welcome to the world of HTTP/1.1 - didn't think that would bite you, did you?! Mwahahahaha...
Jon Rhoades: @pp Thanks for the delightful comment - the majority of larger sites are available by IP address; it's only smaller sites that are virtual hosted. It was also only meant to show the ineffectiveness of using DNS filtering. Users can access virtual hosted sites by adding entries to their hosts files.
From Jon Rhoades
On a typical consumer-grade firewall/router, you're probably out of luck.
If the router supports it, block outbound traffic with a destination port of 53 (both TCP and UDP) to addresses other than the name server(s) you're permitting.
See this thread on the Open DNS forums.
I looked on my WRT54G, and it supports site blocking by keyword or URL, but I did not see an option to restrict/permit on an IP-address basis -- it was by keyword or port # only.
DucDigital: So what do you suggest? Is there any way to implement a proxy with any of this?
PP: Time to set up a dedicated Linux server - buy a wireless Ethernet bridge for your customers, and use PPP to connect to your upstream provider with an internal ADSL card or an ADSL/Ethernet bridge. Now implement an iptables rule to rewrite incoming packets to port 53 to your own DNS server.
AdamSwann: I *believe* OpenWrt and dd-wrt, which will run on a handful of consumer-grade firewalls, will support both inbound and outbound rules using, as PP suggested, iptables. Both of those sites have a good database of firewalls that are supported.
From AdamSwann
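The port-53 enforcement that PP and AdamSwann describe, as an added example (not code from the thread or any commenter) for an OpenWrt/dd-wrt style router with iptables. It assumes a LAN interface br-lan, LAN subnet 192.168.1.0/24, and the router's own forwarder at 192.168.1.1 pointed at the filtering resolver (all assumptions, not from the page).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (override via environment):
# LAN interface br-lan, LAN subnet 192.168.1.0/24, router DNS forwarder 192.168.1.1,
# which is itself configured (e.g. in dnsmasq) to forward to OpenDNS.
LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_DNS="${ROUTER_DNS:-192.168.1.1}"

# Emit one iptables command per line.
# nat/PREROUTING DNAT: every client DNS query (UDP and TCP) not already aimed at
# the router is steered to the router's forwarder, so a client that hard-codes a
# public resolver still receives the router's (filtered) answers.
# filter/FORWARD REJECT: backstop so no plain DNS to any other server leaves the LAN.
# Caveat: this only sees plain DNS on port 53. Clients that resolve over HTTPS/TLS
# on other ports, or that use a raw IP or a hosts-file entry as the thread notes,
# are not affected by these rules.
dns_enforce_rules() {
    lan_if="$1"; lan_net="$2"; dns_ip="$3"
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p $proto --dport 53 ! -d $dns_ip -j DNAT --to-destination $dns_ip:53"
    done
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 ! -d $dns_ip -j REJECT"
    done
}

# Number of rules a given configuration would install (sanity check).
dns_rule_count() {
    dns_enforce_rules "$@" | grep -c '^iptables '
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (run as root).
apply_dns_enforce() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        dns_enforce_rules "$LAN_IF" "$LAN_NET" "$ROUTER_DNS"
    else
        dns_enforce_rules "$LAN_IF" "$LAN_NET" "$ROUTER_DNS" | sh -e
    fi
}

apply_dns_enforce
```

Run once to review the generated rules, then with DRY_RUN=0 on the router to install them; make the rules persistent through the firmware's own firewall config so they survive a reboot.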
This is not going to work, plain and simple. If you want to do site blocking that is not trivial to bypass, the only solution is a proxy server. Note that some higher-end home "routers" have the option to block URLs; with these they have a config page where you can set a list of blocked URLs. In this case the "router" simply does not send the request to the internet. In the case of proxy servers, the machines must be forced to use the proxy and the settings locked down so that the user of the computer cannot change them. Networking is simple enough to learn, and guides to getting around site blocking are a dime a dozen. For very serious content blocking, companies and schools tend to use complex firewall rules along with software running on the computers to prevent access to "objectionable" content or virus/malware sites.
Note: the quotes on "router" are because in this case the router is doing much more than simply routing packets; it is acting as an outbound firewall as well.
DucDigital: That's exactly the case here, so by your answer, you mean that I have to set up each computer to forward to a proxy server? Is it necessary? Since I think there could be another way around to work at the network level, not the application level.
joe: Not really. You could invest in a content firewall that would inspect the contents of the packets traveling on the network and block based on a set of rules. In general these are not considered home products due to the cost and yearly subscriptions for the software license. There are some FOSS solutions; they can work well but require a lot of configuration, and also tuning the configs to reduce false positives and false negatives. However, unless you can lock down the computers there are still ways to bypass this.
From joe