locking down network



  • I am currently using opendns as a net nanny for the network. I was wondering does the Unbiquti er-3 lite have the capability of locking down the network?

    or what else can I put in place beside open dns. Cause I have to cherry pick certain sites



  • @mroth911 said in locking down network:

    I am currently using opendns as a net nanny for the network. I was wondering does the Unbiquti er-3 lite have the capability of locking down the network?

    or what else can I put in place beside open dns. Cause I have to cherry pick certain sites

    So you want to block all but a select few sites?

    Use OpenDNS is the first step, and blocking DNS queries from anything other than your router is the second. Any router should be able to do this. You're already halfway there.



  • So open dns does give you an option like. for instance apple store. I want to be able to get to that. but if I select p2p it blocks everyone



  • @mroth911 said in locking down network:

    So open dns does give you an option like. for instance apple store. I want to be able to get to that. but if I select p2p it blocks everyone

    This is where we start talking about why are you using technology to solve a people problem. Clicking that p2p block probably does block p2p things, all of them, which includes legitimate things like the Apple Store.

    I'm not 100% sure about OpenDNS, I think they have other tools besides just blocking by IP now.

    The only other option is to whitelist on a local DNS server. Don't, just, don't. Unless it's like 1 website with 1 possible IP address.



  • If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.



  • First of all, OpenDNS is not a business service.

    Second, content filtering does not belong on your edge routing device.

    Third, the only good content filtering is one you don’t mess with. I would just go with a Pi-Hole at default settings, add in porn blocking, then blacklist a few sites if required.

    Anything more than that is too much.



  • The pi-hole is it hard to setup. and , does it have a gui interface or web interface



  • @mroth911 said in locking down network:

    The pi-hole is it hard to setup. and , does it have a gui interface or web interface

    It has a web interface, and was simple for me to install. Basically, pick your favorite linux distribution, and run the install script as root. https://github.com/pi-hole/pi-hole/#one-step-automated-install

    You can take a look at the one running my home lab at https://pihole.travisdh1.net/admin The admin interface offers a lot of extra features once you log in. I think I've used it once to add @JaredBusch's porn block list.



  • @Kelly said in locking down network:

    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.

    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.



  • @mroth911 said in locking down network:

    The pi-hole is it hard to setup. and , does it have a gui interface or web interface

    Very low key install, @JaredBusch the porn block list here

    https://mangolassi.it/topic/16905/add-porn-blocking-to-your-pi-hole/15
    Managing through the Web interface is simple as well.



  • @mroth911 said in locking down network:

    The pi-hole is it hard to setup. and , does it have a gui interface or web interface

    It's one of the easiest things to set up ever. It's line one command. Easier than just about anything I know. And yes, it's all super easy GUI.





  • @Dashrender said in locking down network:

    @Kelly said in locking down network:

    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.

    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

    I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.



  • @Kelly said in locking down network:

    @Dashrender said in locking down network:

    @Kelly said in locking down network:

    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.

    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

    I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.

    DNS won't respond with the CNAME unless the DNS server is the owner of the domain itself. So maybe not an SOA specifically, but a (can't think of the term) secondary DNS to a SOA but still authoritative.

    Another way to look at it is - if you want to block advertisingsite.com and the hostname is one.advertisingsite.com - where would you put that CNAME to make this work?



  • @Kelly said in locking down network:

    @Dashrender said in locking down network:

    @Kelly said in locking down network:

    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.

    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

    I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.

    Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.



  • @scottalanmiller said in locking down network:

    @Kelly said in locking down network:

    @Dashrender said in locking down network:

    @Kelly said in locking down network:

    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.

    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

    I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.

    Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

    Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?



  • @Dashrender said in locking down network:

    @scottalanmiller said in locking down network:

    @Kelly said in locking down network:

    @Dashrender said in locking down network:

    @Kelly said in locking down network:

    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.

    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

    I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.

    Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

    Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?

    There is no such thing as "Fedora DNS"

    Choose a DNS server type and then ask the question.
    The two most common (that I know of) are bind and dnsmasq.



  • @Dashrender said in locking down network:

    @scottalanmiller said in locking down network:

    @Kelly said in locking down network:

    @Dashrender said in locking down network:

    @Kelly said in locking down network:

    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.

    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

    I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.

    Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

    Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?

    Do you mean BIND?



  • And the answer is yes. How do you think Cloudflare works.

    MS requires all kinds of stupid things because of AD.



  • @scottalanmiller said in locking down network:

    @Dashrender said in locking down network:

    @scottalanmiller said in locking down network:

    @Kelly said in locking down network:

    @Dashrender said in locking down network:

    @Kelly said in locking down network:

    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.

    I would strongly recommend against using this method if you need to handle more than 10 sites.

    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

    I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.

    Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

    Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?

    Do you mean BIND?

    Well - as JB pointed out - I didn't know the names - BIND or dnsmasq - do either?



  • @JaredBusch said in locking down network:

    And the answer is yes. How do you think Cloudflare works.

    MS requires all kinds of stupid things because of AD.

    I don't understand this - Cloudflare is the DNS host for most of those it's protecting, if not all.... Soooo not sure where you're getting at?



  • so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.

    So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.

    Thats the situation at hand.

    They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.

    This is something I want to setup and walk away.. I am just doing this to help them.



  • @mroth911 said in locking down network:

    so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.

    So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.

    Thats the situation at hand.

    They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.

    This is something I want to setup and walk away.. I am just doing this to help them.

    Once you have set up pi-hole, go to this site:
    https://github.com/StevenBlack/hosts#list-of-all-hosts-file-variants

    He provides list of social media sites to block.

    If you must you either setup squid and squidguard and then use Shalla Blacklist to block whatever sites you preferred.
    http://www.shallalist.de/categories.html

    And If a web gui is necessary, pfSense makes it pretty easy to configure.
    https://www.netgate.com/docs/pfsense/cache-proxy/squidguard-package.html



  • @mroth911 said in locking down network:

    Thats the situation at hand.

    This is something I want to setup and walk away.. I am just doing this to help them.

    If only it was possible...



  • @mroth911 said in locking down network:

    so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.

    So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.

    Thats the situation at hand.

    They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.

    This is something I want to setup and walk away.. I am just doing this to help them.

    Blocking Bittorrent without an application level firewall isn't that easy. Talking to the tracker happens via DNS, but talking to the other clients normally is just via IP address.

    You could block all non needed outbound ports - but again, I think Bittorrent can work over port 80 and 443, so not really that helpful.