K-12 Forums


This discussion has been inactive for longer than 30 days, and is thus closed.
mike240se (Mar 11th 2008)
    Ok, I was trying to combat people trying to get around the block by monitoring DNS activity and then trying the sites they tried to see if they're blocked. Tons of proxies; seems like new ones every day. I was thinking, at least if I can keep most of them blocked, I should keep everyone out. I was thinking that browsing by IP rarely works right, especially since MySpace, etc., make tons of DNS calls to other systems (content servers), which messes it up with IP only.

    But then I was thinking, I missed a major flaw: is it really as easy as someone going to http://ipadddresofproxy? If the proxy is a main server (non-shared) they will get on every time.

    I use a Cisco FW (ACL), but it's a pain to add tons of IPs to it. I don't even know how many you can start adding before the router starts slowing down; it already runs at a constant 10-30% average CPU.

    So is it really that easy? (I haven't tried it yet.)
1.
    Yes and no.

    Yes, if you have no other restrictions on your network, using an IP address in a URL bypasses the DNS lookup and can permit access. It won't work in all cases because many Web servers serve multiple "virtual hosts," so they won't bring up the correct site if the domain name is missing. But it will work in enough cases to be a problem.

    No, it's not a flaw because it's not OpenDNS's job to implement your security policy, it's your job. (No offense.) :smile:

    So if you really need to restrict people from doing an end-around like that, you will have to take additional measures within your own network. For example, set up a Web proxy server, have your router send all traffic from restricted workstations through that, then configure that proxy server to reject URLs with IP addresses. Be prepared to keep an additional whitelist on the proxy server to allow specific IP addresses, because you will find some "legit" sites still use them for whatever reason.
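The "reject URLs with IP addresses, but keep a whitelist" policy from the reply above, worked through as an added Python example; this is not code from the thread, from Squid or from OpenDNS. The allow-listed networks and sample URLs are constructed. It goes one step beyond the reply by also refusing hosts written purely as decimal or hex numbers, because browsers accept those as IPv4 addresses even though they are not canonical dotted quads.

```python
"""Reject requests whose host is an IP literal unless it is allow-listed.

Added example (not code from the thread, Squid or OpenDNS): the same
decision a filtering proxy makes when it "rejects URLs with IP addresses
but keeps a whitelist", written in plain Python so it can run offline.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allow-list: address ranges that legitimately appear in URLs
# on this network (an intranet app reached by address, one external host).
ALLOWED_IP_NETWORKS = [
    ipaddress.ip_network("10.0.5.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),  # RFC 5737 documentation range
]

# A host made only of decimal or hex labels ("3232235777", "0xc0a80101",
# "01.02.03.04") is an alternative IPv4 spelling that browsers accept but
# ipaddress.ip_address() rejects, so it must not pass as a "hostname".
_NUMERIC_LABELS = re.compile(r"(?:0x[0-9a-f]+|[0-9]+)(?:\.(?:0x[0-9a-f]+|[0-9]+))*")


def classify_host(url):
    """Return ("hostname", host), ("ip", address), ("numeric", host) or ("invalid", None).

    urlsplit().hostname strips the port and IPv6 brackets and lowercases,
    so "http://[2001:db8::1]:8080/" yields "2001:db8::1".
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed bracketed IPv6, etc.
        return ("invalid", None)
    if not host:
        return ("invalid", None)
    try:
        return ("ip", ipaddress.ip_address(host))
    except ValueError:
        pass
    if _NUMERIC_LABELS.fullmatch(host):
        return ("numeric", host)
    return ("hostname", host)


def decide(url):
    """Policy: hostnames pass, allow-listed IP literals pass, everything else is denied."""
    kind, value = classify_host(url)
    if kind == "hostname":
        return "allow"
    if kind == "ip" and any(value in net for net in ALLOWED_IP_NETWORKS):
        return "allow"
    return "deny"  # non-allow-listed IP literal, odd numeric spelling, or unparsable


if __name__ == "__main__":
    # Constructed sample requests as a proxy access log might show them.
    for sample in ["http://www.example.com/", "http://intranet/",
                   "http://10.0.5.20/app", "http://198.51.100.7:3128/",
                   "http://[2001:db8::1]:8080/", "http://3232235777/"]:
        print(f"{decide(sample):5}  {sample}")
```

In Squid the same decision is expressed as ACLs (an allow-list of addresses evaluated first, then a `url_regex` or `dstdom_regex` ACL matching numeric hosts); the code above is the decision logic, not the Squid syntax. The allow-list is deliberately checked only for canonical addresses, so anything written in an unusual numeric form is denied rather than guessed at.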
2.
    Mike;

    If you have too many problems with your users trying and trying to break your rules, I think it is time to use more powerful tools to enforce security, like a transparent proxy, for example.

    Or take some administrative measures... Some time ago, before I used OpenDNS, I played cat and mouse with 2 users who liked to look at porn during work hours. I blocked all the porn they had seen the day before, and the next day they found other unblocked sites. After a week of doing this, I took all the logs for the 2 guys to human resources. Some time ago, a guy also found a proxy to access orkut. This time he was almost fired, because people at HR judged that using a proxy is equal to an active way of sabotaging the network.
    Thankful People: sparko
afeind (Mar 12th 2008)
    On your firewall, allow the 2 OpenDNS IP addresses for DNS resolution, then block udp any any eq 53 and tcp any any eq 53 (just to be sure) to all other sites. They will only be able to use the DNS resolvers at OpenDNS, and if they try to change their DNS resolution it will be blocked.
    Thankful People: hsskc, nkanaef
mike240se (Mar 12th 2008)
    larry, hiperion, afeind: thanks all so much for some great info.

    larry: Yes, I know it's not a flaw; I meant a flaw in my thinking, not in OpenDNS. A flaw in me not realizing how easy it is. I know that it has to not be a virtual host; that's what I meant by proxy server (not shared). All they have to do is find 1 single proxy server that can be accessed via IP and then they are home free.

    Being that my Cisco router is my only source of firewall, I think implementing this with ACLs would be ridiculous; I'd have to add tons of denies and would never know all the IPs. Which brings me to the other one of your suggestions, proxy servers...

    I am looking into ClarkConnect and Squid. I have Linux boxes; I am thinking a web proxy is the way to go. I can block way more that way and use OpenDNS as a secondary or to complement the proxy. What does transparent mean? How is that different from a regular proxy?

    afeind: Yes, I already plan on doing that. I plan on setting it to log only for a while to make sure I didn't incorrectly manually configure some hosts a while back and have them break; I will monitor it for a week and then, once I get them all fixed, I will block it (except for my DNS server, of course). But this solution does not help with them using an IP address of a proxy.

    BTW: if any of you notice anyone using Babelfish a lot, they may be using it as a proxy. If you set it to translate an English page from, like, German to English, it will proxy the site for you but not change anything (since it's already English). Pretty funny it can be used like that (not what they had in mind).
mike240se (Mar 12th 2008)
    Also, in addition, regarding proxies, there are new ones that come out every day, many of them; they get emailed to people or put on lists, so it's impossible to block them. If I use the proxy server you guys have recommended, could I completely block all proxy sites through a proxy server? Like, does it have the ability to detect them (not by DNS)?
    Thankful People: sparko
3.
    Well, any firewall using content filtering (such as DansGuardian) will basically "scan" the page and look for predefined words/images, and assign the page a score; if it's above a certain limit (i.e. the page has the words proxy, bypass, etc. listed on it a number of times) the site gets blocked. So it's not totally relying on lists, and keeps you one step ahead.
    Thankful People: sparko
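The score-and-threshold idea in the reply above, as an added Python example rather than DansGuardian's own code or phrase lists: a constructed weighted phrase list, a block threshold, a per-phrase cap on repeats, and three constructed sample pages. The negative weights on administrative vocabulary show why scoring beats a bare keyword match: an admin's firewall how-to also says "proxy", but it should not be blocked.

```python
"""Simplified weighted-phrase content scoring, DansGuardian-style.

Added example, not DansGuardian's code or lists: phrases carry weights,
every hit adds its weight, and the page is blocked once the total crosses
a threshold. All phrases, weights and sample pages below are constructed.
"""
import re

WEIGHTED_PHRASES = {
    "anonymous proxy": 40,
    "surf anonymously": 30,
    "hide your ip": 30,
    "unblock": 25,
    "bypass": 20,
    "proxy": 10,                     # weak alone; also counted inside "anonymous proxy"
    "firewall configuration": -20,   # admin documentation mentions proxies too
    "access list": -20,
}
THRESHOLD = 50           # DansGuardian's equivalent setting is its "naughtyness limit"
MAX_HITS_PER_PHRASE = 3  # cap repeats so one word repeated 50 times does not decide alone


def score_page(text):
    """Return (total_score, {phrase: counted_hits}) for the page body."""
    lowered = text.lower()
    total, hits = 0, {}
    for phrase, weight in WEIGHTED_PHRASES.items():
        count = len(re.findall(re.escape(phrase), lowered))
        if count:
            count = min(count, MAX_HITS_PER_PHRASE)
            hits[phrase] = count
            total += weight * count
    return total, hits


def should_block(text):
    """Block when the weighted score reaches the threshold."""
    return score_page(text)[0] >= THRESHOLD


# Constructed sample pages.
PROXY_PAGE = "Free anonymous proxy! Unblock any site, bypass the filter, and surf anonymously."
ADMIN_PAGE = ("Cisco firewall configuration guide: apply the access list to the "
              "outbound interface and point clients at the Squid proxy.")
NEWS_PAGE = "School board meeting minutes for March."

if __name__ == "__main__":
    for name, page in [("proxy", PROXY_PAGE), ("admin", ADMIN_PAGE), ("news", NEWS_PAGE)]:
        total, hits = score_page(page)
        print(f"{name:5} score={total:4} block={should_block(page)} hits={hits}")
```

The cap on repeats and the negative weights are the two knobs that keep this from being a keyword blacklist: a page has to accumulate several independent signals before it crosses the threshold, and legitimate pages that share vocabulary with proxy sites get pulled back below it.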
knightnet (Mar 12th 2008)
    If you need this level of control, a commercial solution would be better. AFAIK, all of the main filter products have proxy lists that are blocked.
pencoyd (Mar 12th 2008)
    OpenDNS blocks proxies, and the listings are updated at least daily. Doesn't mean we don't want to continue getting better about the lists, and Domain Tagging is a place you can help.

    DNS doesn't "see" the webpage, so we're not detecting them that way.

    If you scan webpages, you are slowing your network. With DNS, you don't.
mike240se (Mar 12th 2008)
    pencoyd: My only concern is that Domain Tagging seems to take at least a couple of days to get enough votes and then be reviewed; if new proxy sites are mailed to the user every single day, it's tough to keep up.
pencoyd (Mar 12th 2008)
    @mike240se - the community is 3 weeks in. As we catch up with the submissions, and continue to make things better, I expect the turnaround time to shrink dramatically.
    Thankful People: wubba, sparko
mike240se (Mar 13th 2008)
    pencoyd: That is fantastic; that would be great.
pyperdown (May 13th 2008)
    What about https proxies? Which category should be blocked?
4.
    IMO, there is very little you can do to stop users from using proxies to get around blocks put in place by any filtering service. You have probably heard of the anti-filtering/anti-censorship website Peacefire. It allows people to subscribe to a mailing list that sends out web addresses of freshly created proxies. I am subscribed to it because my school's filters can sometimes be too harsh (for example, they filter out blogspot.com because of the fact that "gspot" is contained in the URL, and any mention of the word "pic" renders a page inaccessible). From my experience, said proxies take a few days to be blocked by the school's admins. Nonetheless, subscribing to the same mailing list and blocking new proxies individually as they come out would be an effective measure, one that I expect my school's admins do, albeit not very effectively.
mbnogo (Nov 19th 2008)
    You could sign up at Peacefire, then parse the new proxies straight into the firewall as soon as they arrive. Thank goodness I am not your school's admin :)
