
All posts for the month August, 2018

BACKGROUND

There are a number of products out there which use different methods for filtering content.  Because my home network is very customized, many of the consumer products out there don’t offer the flexibility I need as a parent without “dumbifying” my network.  I have invested a great deal of time and some money on setting up and using second hand enterprise network gear from Cisco and Ubiquiti and I did not want to sacrifice all that.  My requirements for a solution were:

  • had to be impossible to circumvent
  • had to be effective at blocking undesirable traffic, yet be flexible enough for “adult” needs
  • had to fit my network topology and environment
  • had to be secure
  • had to be easy to manage

THE SOLUTION

Because my network is built using mostly Cisco enterprise gear (router and switches), I had a lot of flexibility. I created something I like to call “Jailed DNS”. Jailed DNS means that devices on the local network are prevented from using any DNS resolver other than the one I run inside the network. For those who don’t know what DNS is, I will refer you to this resource, which gives a basic understanding of what DNS is and how it works as part of the fundamental internet machinery. In my implementation, the intent was to provide a local DNS server on my network that would be responsible for all internet lookups. Here is a basic diagram of my home network. You will see that the network is broken up into several zones (VLANs). These VLANs operate as discrete internal networks, each with its own subnet and its own group of hosts. There are many advantages to partitioning a network in this way:

  • Limit broadcast traffic within a physical switch
  • Apply different network policies to different groups of devices
  • Isolate sensitive devices from the rest of the network (control & automation)


In this example, you can see restricted and unrestricted areas of the network. When devices on the unrestricted network talk to the local DNS server (the DNS Jail), their queries are forwarded to a public resolver such as 1.1.1.1. That resolver does not filter anything; it answers whatever is asked of it and refers devices to the requested resources. Devices on the restricted areas of the network also query the local DNS Jail, but for those source subnets the DNS Jail knows to forward the lookups to OpenDNS instead. OpenDNS is configured to block a few things:

  • Undesired content categories (e.g. porn, BitTorrent, etc.)
  • Phishing, scam and other malicious sites
  • Blacklisted domains (e.g. YouTube, Roblox, etc.)
  • Anything else I would rather my kids or guests not visit

In order for a DNS Jail to work effectively, you must be able to prevent local devices from talking to external DNS servers directly. I achieved this on my Cisco router in IOS with rules in my internet ACL (Access Control List).

These rules do two things: 1) they stop DNS queries from ordinary hosts leaving the network for the internet, and 2) they allow ONLY the DNS Jail server (10.0.1.10 in this case) to send queries outside the network (DNS recursion and forwarding). This is one of the most important steps. Be clear about what a port 53 rule does and does not cover: a device with a hard-coded public resolver simply gets no answer and fails closed, but DNS over TLS uses TCP 853 and needs its own deny entry, and DNS over HTTPS rides on TCP 443 and cannot be distinguished from ordinary web traffic by port, so it has to be handled by other means (disabling it on the clients, or blocking the addresses of known DoH resolvers). Many routers have settings to do this – consult your router’s docs.
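The author’s ACL was shown as a screenshot that is not reproduced here. Below is an added example, not the original rule set, of how a Jailed DNS ACL looks in Cisco IOS. The jail address 10.0.1.10 is from the post; the ACL name, interface name and VLAN description are assumptions, and the DNS over TLS (TCP 853) deny goes one step beyond the post’s port 53 rules:

```conf
! Cisco IOS extended ACL applied inbound on the LAN-facing (sub)interfaces.
! Order matters: IOS evaluates top to bottom and stops at the first match.
ip access-list extended LAN-IN
 remark Jailed DNS: clients may resolve only via the local DNS Jail (10.0.1.10)
 permit udp any host 10.0.1.10 eq domain
 permit tcp any host 10.0.1.10 eq domain
 remark Only the jail itself may recurse/forward to resolvers on the internet
 permit udp host 10.0.1.10 any eq domain
 permit tcp host 10.0.1.10 any eq domain
 remark Drop and log every other DNS attempt leaving a client (hard-coded 8.8.8.8 etc.)
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 remark Added beyond the post: also drop DNS over TLS so clients cannot sidestep the jail
 deny   tcp any any eq 853 log
 remark Everything that is not DNS is unaffected by this ACL
 permit ip any any
!
! Hypothetical interface names; apply the same ACL on every client-facing VLAN interface.
interface GigabitEthernet0/0.20
 description Majic12 (restricted) VLAN
 ip access-group LAN-IN in
!
interface GigabitEthernet0/0.10
 description Area51 (unrestricted) VLAN
 ip access-group LAN-IN in
```

Two checks worth doing after applying it: from a client run `dig @1.1.1.1 example.com`, which should time out, then `dig example.com` against the jail, which should answer; and on the router run `show access-lists LAN-IN` to watch the hit counters on the deny lines, which is the quickest way to find devices (smart TVs and media sticks are frequent offenders) that hard-code a public resolver. Hosts in the same VLAN as the jail never cross the router to reach it, which is why the permit lines towards 10.0.1.10 only matter for the other VLANs.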

Once this was completed, I had to create two “views” on the DNS Jail server. A view defines how the server responds based on the source subnet of the requesting device. This is how the DNS Jail decides whether to forward a request to 1.1.1.1 or to OpenDNS for content restriction. Here, you can see how I configured my DNS Jail, which is an instance of BIND9 (the DNS server) running on my network. You can see all the subnets of the “Area51” view, which are for unrestricted devices, and the “Majic12” view, which contains the restricted subnets. Oh! And look at that magic statement in there: forwarders {}, where I declare the IP addresses of the OpenDNS servers that will receive the forwarded requests and do the content filtering magic.
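The author’s named.conf was also a screenshot. As an added example (not the original configuration), here is a BIND9 named.conf with the two views described above. The view names, the jail address 10.0.1.10 and the resolvers (1.1.1.1 and OpenDNS) come from the post; the subnets in the two ACLs and the root hints path are assumptions, and the standard OpenDNS resolver addresses are filled in from OpenDNS’s published values:

```conf
// named.conf for the DNS Jail (BIND9). Subnets below are placeholders.
acl "area51"  { 10.0.1.0/24; 10.0.2.0/24; };   // unrestricted VLANs (assumed)
acl "majic12" { 10.0.20.0/24; 10.0.30.0/24; }; // restricted VLANs (assumed)

options {
    directory "/var/cache/bind";
    listen-on { 10.0.1.10; };          // the jail's own address from the post
    listen-on-v6 { none; };
    allow-query     { area51; majic12; };
    allow-recursion { area51; majic12; };
    dnssec-validation auto;
};

// Views are matched top to bottom; the first match-clients that matches wins.
view "Area51" {
    match-clients { area51; };
    recursion yes;
    forward only;                      // never fall back to our own recursion
    forwarders { 1.1.1.1; 1.0.0.1; };  // Cloudflare: unfiltered
    zone "." { type hint; file "/usr/share/dns/root.hints"; }; // path assumed
};

view "Majic12" {
    match-clients { majic12; };
    recursion yes;
    forward only;                      // fail closed if OpenDNS is unreachable
    forwarders { 208.67.222.222; 208.67.220.220; }; // OpenDNS: filtered per dashboard
    zone "." { type hint; file "/usr/share/dns/root.hints"; };
};
```

Three things to keep in mind with this layout. Once any view exists, every zone must live inside a view, so the root hints zone is repeated per view rather than declared globally. `forward only` is deliberate for the restricted view: with `forward first`, a failure to reach OpenDNS would make BIND recurse on its own and quietly hand restricted clients unfiltered answers. And a client whose subnet is in neither ACL gets REFUSED (“no matching view in class IN” in the log), which is the right default for a jail. Run `named-checkconf` before reloading, then from a restricted host `dig @10.0.1.10 <blocked domain>` should return OpenDNS’s block page address while the same query from an unrestricted host returns the real one.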


Once this is all done, I start up BIND and it begins processing DNS requests for my networks immediately. If we try to go to a “bad” destination from a restricted endpoint, we see the page denying the request! From the unrestricted part of the network, we are allowed through! YAY! Of course no filtering solution is perfect, but if there is a false positive, the denial page gives the user the opportunity to request that the page be unblocked with the network owner’s approval.

If we head on over to OpenDNS, you’ll see a nice dashboard which lets you set up the content filtering categories and individual websites. The dashboard also has tools for reviewing your settings and for seeing the most visited and most blocked traffic. It’s FREE and it’s pure magic! One thing to keep in mind: OpenDNS ties your dashboard settings to your network’s public IP address, so if your ISP hands out a dynamic address you need to keep OpenDNS updated (they provide an updater client for this); otherwise the DNS Jail still forwards to OpenDNS but only the default policy is applied. This parental control solution is quite effective and can be set up with a small investment of time. Over the long run, it will pay you back by making it easy to manage internet content for your family or small business.