Sanity check - DNS Filtering on WAN


  • Banned

    Content filtering, for good or bad reasons, people want it.

    Toying this as an idea. You have your third party DNS filtering service which blocks the non productive or evil websites. You block port 53 on the outbound UNLESS it resolves to your DNS filtering service.

    Cheap to implement, no intercepting of HTTPS traffic needed and it should be fast as a DNS query takes no time.

    The internal DNS for servers and AD remains unchanged and you set the DNS resolver to the filtering service.

    Is there anything technically dumb I'm missing here?
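One way to check the egress rule the post above proposes (port 53 may leave the WAN only towards the filtering service) against firewall log lines, so a host that has been pointed at some other resolver shows up. This is an added example, not code from the thread or from any vendor; the resolver addresses, the WAN interface name, the log format and the log lines are constructed assumptions.

```python
"""Audit outbound firewall log lines against the rule: DNS (port 53) leaves
the WAN only when the destination is the DNS filtering service."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: the sanctioned filtering resolvers (assumed addresses).
FILTER_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
WAN_IFACE = "eth0"   # assumed WAN interface name
DNS_PORT = 53

# Constructed log format, loosely modelled on iptables LOG output.
_LINE = re.compile(
    r"IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)"
)

@dataclass(frozen=True)
class Verdict:
    src: str
    dst: str
    proto: str
    dpt: int
    action: str   # "allow", "deny" or "not-dns"
    reason: str

def evaluate(line: str) -> Optional[Verdict]:
    """Verdict the egress rule gives for one log line. Only traffic leaving
    on the WAN interface with destination port 53 is DNS egress; anything
    else is out of scope for this rule."""
    m = _LINE.search(line)
    if not m:
        return None   # unparseable; a real collector would count these
    src, dst, proto, dpt = m["src"], m["dst"], m["proto"], int(m["dpt"])
    if m["ifout"] != WAN_IFACE or dpt != DNS_PORT:
        return Verdict(src, dst, proto, dpt, "not-dns", "rule does not apply")
    if dst in FILTER_RESOLVERS:
        return Verdict(src, dst, proto, dpt, "allow", "destination is the filtering service")
    return Verdict(src, dst, proto, dpt, "deny", "DNS egress to an unsanctioned resolver")

def audit(lines):
    """Group verdicts by action. The 'deny' bucket is what the firewall
    drops and what is worth alerting on: a host resolving elsewhere."""
    out = {"allow": [], "deny": [], "not-dns": []}
    for line in lines:
        v = evaluate(line)
        if v:
            out[v.action].append(v)
    return out

# Constructed sample: DC1 (10.0.0.10) forwarding to the filter over UDP and
# TCP, a client (10.0.0.77) using another resolver, and ordinary HTTPS.
SAMPLE_LOG = [
    "IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=203.0.113.53 LEN=60 PROTO=UDP SPT=51123 DPT=53",
    "IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=203.0.113.53 LEN=60 PROTO=TCP SPT=51124 DPT=53",
    "IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=198.51.100.1 LEN=60 PROTO=UDP SPT=40001 DPT=53",
    "IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40002 DPT=443",
]

if __name__ == "__main__":
    for action, verdicts in audit(SAMPLE_LOG).items():
        for v in verdicts:
            print(f"{action:8} {v.src} -> {v.dst}:{v.dpt}/{v.proto}  ({v.reason})")
```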



  • I would be concerned with the availability of the DNS Service. . . But why not just install a content filter at the edge and be done with it?

    And manage it like anything else.


  • Banned

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    I would be concerned with the availability of the DNS Service. . . But why not just install a content filter at the edge and be done with it?

    And manage it like anything else.

    Because we never improve our methods if we always do what we've done before. 🙂

    A product like a USG is brilliant but it has no grunt for content filtering. So we could add another edge device and increase the cost/complexity of a simple setup but why do we need to do that?



  • @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    I would be concerned with the availability of the DNS Service. . . But why not just install a content filter at the edge and be done with it?

    And manage it like anything else.

    Because we never improve our methods if we always do what we've done before. 🙂

    I suppose. . . but look at it from this thought.

    If you have a central content filter, which can be managed (like avast) you get the same functionality of an edge device, without the hardware to manage.

    Of course if anything slips through, you also have limited capability to point a finger at the exact problem.

    Something like this could work. . . of course you'd probably hit issues with VPN connections etc. . . Say from business to business (client-side corporate VPNs)


  • Banned

    But I can't install Avast onto iPads and various other gadgets, so what is my solution?


  • Banned

    @DustinB3403 said

    Something like this could work. . . of course you'd probably hit issues with VPN connections etc. . . Say from business to business (client-side corporate VPNs)

    How so?



  • @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    But I can't install Avast onto iPads and various other gadgets, so what is my solution?

    Well you'd have to have a way to have an internal DNS point to an external content filter / DNS.

    So DC1 points to CF1 (with ingrained content filtering)

    From the content filter you'd have to apply rules for what to allow and deny. It's still an edge device, just not on your edge.


  • Banned

    @DustinB3403 said

    From the content filter you'd have to apply rules for what to allow and deny. It's still an edge device, just not on your edge.

    But Avast is an endpoint client software? How is it an edge device?



  • @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said

    Something like this could work. . . of course you'd probably hit issues with VPN connections etc. . . Say from business to business (client-side corporate VPNs)

    How so?

    So for example, we get client equipment to use for business needs. But to be useful it needs to connect to our client's VPN.
    If that VPN address is blacklisted on the CF, you'd never connect.

    You'd have to be able to make address exclusions for the services you want.



  • @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said

    From the content filter you'd have to apply rules for what to allow and deny. It's still an edge device, just not on your edge.

    But Avast is an endpoint client software? How is it an edge device?

    I was just using Avast as a very generic "we don't run the software in house" solution. Don't use it literally.



  • @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    Is there anything technically dumb I'm missing here?

    DNSSEC may be a problem



  • @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    Content filtering, for good or bad reasons, people want it.

    Toying this as an idea. You have your third party DNS filtering service which blocks the non productive or evil websites. You block port 53 on the outbound UNLESS it resolves to your DNS filtering service.

    Cheap to implement, no intercepting of HTTPS traffic needed and it should be fast as a DNS query takes no time.

    The internal DNS for servers and AD remains unchanged and you set the DNS resolver to the filtering service.

    Is there anything technically dumb I'm missing here?

    Unless I'm missing something that makes this special, isn't this the standard way of handling this?



  • @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    I would be concerned with the availability of the DNS Service. . . But why not just install a content filter at the edge and be done with it?

    And manage it like anything else.

    Content filters are stupid and do not honestly work worth a shit.



  • @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    Content filtering, for good or bad reasons, people want it.

    Toying this as an idea. You have your third party DNS filtering service which blocks the non productive or evil websites. You block port 53 on the outbound UNLESS it resolves to your DNS filtering service.

    Cheap to implement, no intercepting of HTTPS traffic needed and it should be fast as a DNS query takes no time.

    The internal DNS for servers and AD remains unchanged and you set the DNS resolver to the filtering service.

    Is there anything technically dumb I'm missing here?

    Unless I'm missing something that makes this special, isn't this the standard way of handling this?

    It is the standard method handling it via DNS, yes. The problem is that most people are still stuck in the mindset that they need to use proxies.

    The problem with proxies is encryption. As the web slowly encrypts itself, these mitm proxies fail to work as advertised.



  • @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    I would be concerned with the availability of the DNS Service. . . But why not just install a content filter at the edge and be done with it?

    And manage it like anything else.

    Content filters are stupid and do not honestly work worth a shit.

    I don't completely disagree, most need way too much fine tuning and constant adjustment. But what other solution would you recommend for @Breffni-Potter ?



  • @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    I would be concerned with the availability of the DNS Service. . . But why not just install a content filter at the edge and be done with it?

    And manage it like anything else.

    Content filters are stupid and do not honestly work worth a shit.

    I don't completely disagree, most need way too much fine tuning and constant adjustment. But what other solution would you recommend for @Breffni-Potter ?

    None. He has the right solution. DNS level.



  • @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    I would be concerned with the availability of the DNS Service. . . But why not just install a content filter at the edge and be done with it?

    And manage it like anything else.

    Content filters are stupid and do not honestly work worth a shit.

    I don't completely disagree, most need way too much fine tuning and constant adjustment. But what other solution would you recommend for @Breffni-Potter ?

    None. He has the right solution. DNS level.

    He simply wants to apply content filtering at an external DNS provider.

    @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    Toying this as an idea. You have your third party DNS filtering service which blocks the non productive or evil websites. You block port 53 on the outbound UNLESS it resolves to your DNS filtering service.

    I don't see how this is any better than an actual content filter. DNS Denial would simply stop the traffic from hitting the destination.

    Maybe I need to see it in practice, but I just don't see how well it would work. . .



  • @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    I would be concerned with the availability of the DNS Service. . . But why not just install a content filter at the edge and be done with it?

    And manage it like anything else.

    Content filters are stupid and do not honestly work worth a shit.

    I don't completely disagree, most need way too much fine tuning and constant adjustment. But what other solution would you recommend for @Breffni-Potter ?

    None. He has the right solution. DNS level.

    He simply wants to apply content filtering at an external DNS provider.

    @Breffni-Potter said in Sanity check - DNS Filtering on WAN:

    Toying this as an idea. You have your third party DNS filtering service which blocks the non productive or evil websites. You block port 53 on the outbound UNLESS it resolves to your DNS filtering service.

    I don't see how this is any better than an actual content filter. DNS Denial would simply stop the traffic from hitting the destination.

    Maybe I need to see it in practice, but I just don't see how well it would work. . .

    Umm, you have a clear misunderstanding of how DNS filtering works.

    1. User requests porn.com
    2. System looks at internal DNS cache and finds no answer.
    3. System calls to DNS server 1 and say hey man I need some porn.com
    4. DNS server 1 looks at its DNS cache and finds no answer.
    5. DNS server 1 looks at its forward lookup source of MyFilteredDNS.com
      • (maybe I should buy that and start a service)
    6. MyFilteredDNS checks its rules and sends back newp not gonna get it in the form of an IP address that contains your blocked notice.
    7. DNS Server 1 gets the IP back and passes it back to System
    8. System gets the IP and sends the browser on its way to the bitch you be denied page.

    Compared to a content filter, that reads http header info and sometimes even page content. Huge difference in functionality.
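Steps 5 through 8 of the numbered flow above as a small model in Python: a filtering resolver that, on real DNS wire format, answers a blocked name with the block-page address and an allowed name with the real one, so the client is routed to the notice page at the DNS layer without any HTTP inspection. This is an added example, not the thread's or any provider's code; the blocklist, the block-page IP and the upstream lookup table are constructed stand-ins for the service's rules and for real recursion.

```python
"""Minimal model of a DNS filtering resolver (DNS wire format, A records)."""
import struct

BLOCK_PAGE_IP = "203.0.113.80"             # constructed block-notice address
BLOCKLIST = {"porn.com", "example.net"}    # constructed category rules
UPSTREAM = {"example.com": "198.51.100.20"}  # constructed stub for recursion

def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Read an uncompressed name at `off`; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Steps 1-3: what the client (or DC1 forwarding) sends: A/IN, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def is_blocked(name: str) -> bool:
    """Block a listed zone and every name beneath it."""
    parts = name.lower().split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def build_answer(query: bytes, ip: str) -> bytes:
    """Response echoing the question, with one A record pointing at `ip`."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)       # ptr to qname
    return header + question + rr + bytes(int(x) for x in ip.split("."))

def filtering_resolver(query: bytes):
    """Steps 5-6: apply the rules, then answer with either the block-page
    address or the real one. Returns (decision, response bytes or None)."""
    name, _ = decode_name(query, 12)
    if is_blocked(name):
        return "blocked", build_answer(query, BLOCK_PAGE_IP)
    real = UPSTREAM.get(name.lower())
    if real is None:
        return "nxdomain", None   # stub: a real resolver would recurse here
    return "allowed", build_answer(query, real)

def answer_ip(response: bytes) -> str:
    """Steps 7-8: the address the client ends up connecting to."""
    _, off = decode_name(response, 12)
    rdata = response[off + 4 + 12:off + 4 + 16]
    return ".".join(str(b) for b in rdata)

if __name__ == "__main__":
    for qname in ("www.porn.com", "example.com", "nope.invalid"):
        decision, resp = filtering_resolver(build_query(qname))
        print(qname, decision, answer_ip(resp) if resp else "-")
```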



  • @JaredBusch thanks for the explanation, it helps to understand it.

    I am aware that content filtering literally checks the content and even has whitelist / blacklist for sites to allow/block.

    With DNS Filtering wouldn't this essentially be the same thing, just without the content checking? Just a DNS lookup to determine if that DNS entry is allowed or not and proceed from there?



  • @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch thanks for the explanation, it helps to understand it.

    I am aware that content filtering literally checks the content and even has whitelist / blacklist for sites to allow/block.

    With DNS Filtering wouldn't this essentially be the same thing, just without the content checking? Just a DNS lookup to determine if that DNS entry is allowed or not and proceed from there?

    Sort of, but remember DNS is not required. So there are trivial bypasses to DNS filtering in many cases.



  • @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch thanks for the explanation, it helps to understand it.

    I am aware that content filtering literally checks the content and even has whitelist / blacklist for sites to allow/block.

    With DNS Filtering wouldn't this essentially be the same thing, just without the content checking? Just a DNS lookup to determine if that DNS entry is allowed or not and proceed from there?

    The end result is the same, a block page alert, but the task to get there is way different.



  • @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch thanks for the explanation, it helps to understand it.

    I am aware that content filtering literally checks the content and even has whitelist / blacklist for sites to allow/block.

    With DNS Filtering wouldn't this essentially be the same thing, just without the content checking? Just a DNS lookup to determine if that DNS entry is allowed or not and proceed from there?

    Sort of, but remember DNS is not required. So these are trivial to bypasses DNS filtering in many cases.

    Corrected?



  • @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch thanks for the explanation, it helps to understand it.

    I am aware that content filtering literally checks the content and even has whitelist / blacklist for sites to allow/block.

    With DNS Filtering wouldn't this essentially be the same thing, just without the content checking? Just a DNS lookup to determine if that DNS entry is allowed or not and proceed from there?

    Sort of, but remember DNS is not required. So there are trivial bypasses to DNS filtering in many cases.

    Bypassing DNS != Bypassing DNS Filtering

    DNS filtering is completely non-trivial to bypass.
    Bypassing DNS is fairly easy but still far from trivial.
    But if filtering is in place, how do you get the real IP to begin with?
    Let's say you bring it with you.
    Then once you know the IP address, just go try to load most websites without a working DNS service on your computer.
    It will not work as intended.
    Because damned near every website out there is part of a farm of websites or contains tons of code and lookups.
    Those will all fail unless you know each of those IP addresses also.
    Then some are behind things like reverse proxies and without a header will not load the real site either.



  • @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch thanks for the explanation, it helps to understand it.

    I am aware that content filtering literally checks the content and even has whitelist / blacklist for sites to allow/block.

    With DNS Filtering wouldn't this essentially be the same thing, just without the content checking? Just a DNS lookup to determine if that DNS entry is allowed or not and proceed from there?

    Sort of, but remember DNS is not required. So there are trivial bypasses to DNS filtering in many cases.

    DNS filtering is completely non-trivial to bypass.
    Bypassing DNS is fairly easy but still far from trivial.
    But if filtering is in place, how do you get the real IP to begin with?
    Let's say you bring it with you.
    Then once you know the IP address, just go try to load most websites without a working DNS service on your computer.
    It will not work as intended.
    Because damned near every website out there is part of a farm of websites or contains tons of code and lookups.
    Those will all fail unless you know each of those IP addresses also.
    Then some are behind things like reverse proxies and without a header will not load the real site either.

    I've worked at plenty of places that use DNS filtering as well as full on content filtering and in both cases, bypassing was pretty trivial. Now you can combine lots of different things and make it pretty tough. But just DNS filtering, I've had people bypass that so trivially it wouldn't even be called effort.



  • @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch thanks for the explanation, it helps to understand it.

    I am aware that content filtering literally checks the content and even has whitelist / blacklist for sites to allow/block.

    With DNS Filtering wouldn't this essentially be the same thing, just without the content checking? Just a DNS lookup to determine if that DNS entry is allowed or not and proceed from there?

    Sort of, but remember DNS is not required. So there are trivial bypasses to DNS filtering in many cases.

    DNS filtering is completely non-trivial to bypass.
    Bypassing DNS is fairly easy but still far from trivial.
    But if filtering is in place, how do you get the real IP to begin with?
    Let's say you bring it with you.
    Then once you know the IP address, just go try to load most websites without a working DNS service on your computer.
    It will not work as intended.
    Because damned near every website out there is part of a farm of websites or contains tons of code and lookups.
    Those will all fail unless you know each of those IP addresses also.
    Then some are behind things like reverse proxies and without a header will not load the real site either.

    I've worked at plenty of places that use DNS filtering as well as full on content filtering and in both cases, bypassing was pretty trivial. Now you can combine lots of different things and make it pretty tough. But just DNS filtering, I've had people bypass that so trivially it wouldn't even be called effort.

    Trivial means trivial to the masses.

    I can name a number of ways to get around it. But I am not part of the masses in this regard. I am an IT professional.



  • @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    @JaredBusch said in Sanity check - DNS Filtering on WAN:

    @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    @DustinB3403 said in Sanity check - DNS Filtering on WAN:

    @JaredBusch thanks for the explanation, it helps to understand it.

    I am aware that content filtering literally checks the content and even has whitelist / blacklist for sites to allow/block.

    With DNS Filtering wouldn't this essentially be the same thing, just without the content checking? Just a DNS lookup to determine if that DNS entry is allowed or not and proceed from there?

    Sort of, but remember DNS is not required. So there are trivial bypasses to DNS filtering in many cases.

    DNS filtering is completely non-trivial to bypass.
    Bypassing DNS is fairly easy but still far from trivial.
    But if filtering is in place, how do you get the real IP to begin with?
    Let's say you bring it with you.
    Then once you know the IP address, just go try to load most websites without a working DNS service on your computer.
    It will not work as intended.
    Because damned near every website out there is part of a farm of websites or contains tons of code and lookups.
    Those will all fail unless you know each of those IP addresses also.
    Then some are behind things like reverse proxies and without a header will not load the real site either.

    I've worked at plenty of places that use DNS filtering as well as full on content filtering and in both cases, bypassing was pretty trivial. Now you can combine lots of different things and make it pretty tough. But just DNS filtering, I've had people bypass that so trivially it wouldn't even be called effort.

    Trivial means trivial to the masses.

    I can name a number of ways to get around it. But I am not part of the masses in this regard. I am an IT professional.

    Well the goal is to block employees and I'm talking about employees that were being blocked working around it without even thinking twice. Sure, it will stop some people, but how many of the ones that you want to stop will it stop? What's the point in blocking if it only blocks a few. And the issue was always... the moment someone knew how to get around it, even those for whom it would be hard to figure out were around it, too.



  • For example, do a Google that even a non-technical person can and would do (from home, of course, or on their phone) and the first hit is this for getting to what is easily the top non-porn site being blocked...

    https://www.techperiod.com/how-to-access-blocked-facebook-website-in-office-college-and-school/



  • @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    For example, do a Google that even a non-technical person can and would do (from home, of course, or on their phone) and the first hit is this for getting to what is easily the top non-porn site being blocked...

    https://www.techperiod.com/how-to-access-blocked-facebook-website-in-office-college-and-school/

    That was my thought as well; DNS filtering is a joke to bypass by itself. "Proper" content filtering with DNS filtering would work well, but is very cumbersome to manage.

    At least with the examples of either being used. DansGuardian, SonicWalls etc.


  • Banned

    I asked a technical question, with a proposed suggestion on, if I do XYZ, what are the pitfalls. Vague comments such as "trivial" to get around are really not helpful, nor are suggestions to put in the traditional UTM boxes.

    The UTMs are stupid, expensive and insanely easy to bypass; they also open the can of worms of decryption of HTTPS traffic.

    If nobody could send out DNS requests via the WAN unless it's to the DNS filter, how is it trivial to bypass whilst using the same WAN connection?

    Let's hear specifics rather than vagaries please.


  • Banned

    @scottalanmiller said in Sanity check - DNS Filtering on WAN:

    For example, do a Google that even a non-technical person can and would do (from home, of course, or on their phone) and the first hit is this for getting to what is easily the top non-porn site being blocked...

    https://www.techperiod.com/how-to-access-blocked-facebook-website-in-office-college-and-school/

    Most of those get blocked by DNS filtering at the WAN. The only thing on that list that would work in this case is using their 3G connection as a WAN.

