Traditionally, it has been difficult to block unwanted traffic that is initiated behind an Internet gateway. This is completely understandable considering that traditional consumer, prosumer, and SMB gateways take an allow-all, block-some approach. This means that workarounds just need to find one protocol, destination or port that isn’t blocked, and bingo! Your egress channel is now unrestricted through that open hole.
What we are demonstrating here, though, is the opposite. A zero trust model works like this: block all, allow some. This idea of whitelisting is far from new. However, a practical and convenient way to do so has been the challenge. We would like to share with you how we implement a practical solution:
The DTTS (Don’t Talk To Strangers) is currently available for an early adopter group. If you’re interested, kindly contact us via support.
For those familiar with the great service from our OpenDNS friends, a common question we get is “How are you different from OpenDNS?”
Well, we don’t compete with them. Assuming you also like them, our service complements theirs! In fact, quite a number of our subscribers are OpenDNS subscribers as we integrate quite well as you’ll see if you try it out, including a native built-in OpenDNS Updater so you don’t need to run your dynamic IP updater on any other device.
There are many other differences, though. Here’s a partial list that most often applies:
Deterministic answers – apply different DNS policies to different devices. For example:
IoT devices need a very limited whitelist
Guest iOS devices may just want obviously-bad content blocked
CFO money transfer devices need a very limited whitelist only to the bank in use
Whitelisting is our specialty
Start with nothing, add what you need
Cloud-based web crawler searches and identifies dependencies and threat intelligence to allow only what is safe
Domain-joined devices do not need to use Active Directory’s DNS servers:
Our rainbow (or re-direct) lists redirect queries for the AD domain to AD DNS, so that non-AD queries are never sent to AD DNS.
Benefit #1 is that your Active Directory DNS servers can now experience a high level of protection by having strict egress control
Benefit #2 is that your devices can experience different treatment from others (appropriate policy based on use case)
A live log for complete visibility of DNS queries (and their answers) that occur on your network
Tight integration with firewall rules disallows the easiest of DNS filtering circumvention:
This also hijacks the hijackers – if you have malware that changes your DNS servers to 184.108.40.206, for example, DNSthingy hijacks the DNS queries and answers them by the policy/rule set applied to the device
If you use the “No Internet” rule, it’s more than just a DNS firewall. All traffic is blocked while maintaining internal visibility. Perfect for a NAS or devices that should never have egress access at all (a simple way to stop exfiltration).
Importantly, we do not offer public resolver services at all. DNSthingy focuses on the on-premise space, where layer 2 (MAC address) identity can be followed across IP address changes, etc. This is how we are completely different and yet integrate with OpenDNS (and other cloud public resolvers, for that matter). We also appreciate the security that DNSSEC and DNSCrypt bring to Internet security, so those are included, and dashboard switches for you to enable them are coming shortly.
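The per-device "block all, allow some" model, the rainbow/redirect list and the "No Internet" rule described above, as an added example that is not DNSthingy's code: MAC addresses, domain names, the AD domain and the AD DNS address are constructed placeholders, and every decision is appended to a log list to mirror the live log.

```python
"""Per-device "block all, allow some" DNS policy (added illustration, not
DNSthingy's code). Devices are keyed by MAC address so policy follows a device
across IP changes. A ruleset is a whitelist (block everything except listed
domains), a blacklist (allow everything except listed domains) or NO_INTERNET."""
from dataclasses import dataclass

NO_INTERNET = "no-internet"


@dataclass(frozen=True)
class Ruleset:
    name: str
    mode: str                           # "whitelist", "blacklist" or NO_INTERNET
    domains: frozenset = frozenset()    # listed domains; subdomains match too


# Constructed sample policy; all names and addresses are placeholders.
RULESETS = {
    "iot": Ruleset("iot", "whitelist", frozenset({"time.nist.gov", "fw.example-vendor.com"})),
    "guest": Ruleset("guest", "blacklist", frozenset({"malware.example", "adult.example"})),
    "nas": Ruleset("nas", NO_INTERNET),
}
DEFAULT_RULESET = RULESETS["guest"]          # applies to unknown devices
DEVICES = {"aa:bb:cc:00:00:01": "iot", "aa:bb:cc:00:00:02": "nas"}
AD_DOMAIN = "corp.example"                   # assumed Active Directory domain
AD_DNS = "10.0.0.10"                         # assumed AD DNS server address
LOG = []                                     # (mac, qname, ruleset, verdict) per query


def in_domain(qname, domain):
    """True if qname is `domain` or any name beneath it (trailing dot ignored)."""
    q = qname.rstrip(".").lower()
    return q == domain or q.endswith("." + domain)


def decide(mac, qname):
    """Return "resolve", "block" or "forward:<ip>" for one query and log it."""
    ruleset = RULESETS.get(DEVICES.get(mac.lower()), DEFAULT_RULESET)
    if ruleset.mode == NO_INTERNET:
        verdict = "block"                    # everything blocked, but still visible in LOG
    elif in_domain(qname, AD_DOMAIN):
        verdict = "forward:" + AD_DNS        # only AD-domain names ever reach AD DNS
    else:
        listed = any(in_domain(qname, d) for d in ruleset.domains)
        allowed = listed if ruleset.mode == "whitelist" else not listed
        verdict = "resolve" if allowed else "block"
    LOG.append((mac, qname, ruleset.name, verdict))
    return verdict
```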
Thanks for reading, we have much more coming to our blog in the next few days!
Our newest firmware (3.1.4) supports our largest feature upgrade yet! Most of it you will notice in your Internet experience itself as well as in the dashboard, as you learn about the new capabilities that you asked for, such as:
Brand new tool at http://mytools.management/ which is available from any computer or device on your network
Automated way to check a website for dependencies, so when you have a whitelisted device asking to whitelist eBay.com, for example, the system crawls it for dependencies and shows you which ones are safe and which ones aren’t
Auto-whitelisting allows for automatic approval of unblock requests provided that
the domain has a positive reputation
no known threats are hosted on the domain
it is not categorized as adult content
(more than 90% of unblock requests will be auto-approved with this method)
Don’t Talk To Strangers (DTTS) new feature is included in the firmware itself; watch our blog for more details coming shortly
“Last seen online” option coming back soon to your dashboard; your firmware will now include the required software to offer this
Automatic tagging of discovered devices by Operating System coming soon; your firmware will now include the required software to offer this also
Business-grade platforms now include additional per-interface features; a DNS listener for each VLAN
Watch for new plans available soon to take advantage of these features now available in your firmware
We are very excited about all of these new features in our production firmware scheduled to be released at your router’s next update cycle:
DNSthingy now supports authoritative entries, allowing you to use a name instead of IP for internal (or external) resources.
Device discovery has been changed from ARP broadcasts to enrollment on “first-seen” basis from the perspective of receiving a DNS request.
Unknown devices, including queries from foreign subnets (such as internal VLANs that are not locally connected), are now treated with your default ruleset.
A new utility is included to support future NVRAM migrations (on ASUS routers only).
The feature to allow remote support has been improved (previously it required some additional manual steps which are no longer required).
DNScrypt support is included in firmware, and will be introduced in the dashboard very soon.
Many more bug fixes and stability improvements.
It is also worth noting that ClearOS marketplace subscribers will be updated automatically as long as you’re auto-updating/upgrading your ClearOS software. pfSense subscribers will need to visit your Packages section and confirm your update/upgrade.
In the context of web resources to allow or block, the traditional approach has been to block the bad. That’s blacklisting. It is the ideology of allow everything, block some.
Whitelisting, on the other hand is the opposite ideology: block everything, allow some.
This infographic is not controversial in nature, but there are legitimate reasons why whitelisting has not gained traction. However, let’s examine a few real-life examples where the trend towards whitelisting is succeeding.
While criticism over a curated AppStore has never stopped, the end result is undeniably a safer mobile app ecosystem for the normal user.
“AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny applications from running based on unique identities of files and to specify which users or groups can run those applications.”
Essentially, this is an accepted and recommended solution that whitelists executable applications in business versions of Windows, and many systems administrators literally use this approach instead of anti-virus protection, with great success!
It is only logical that Internet-based resources would also be filtered using a DNS-based whitelist method. It has not been widely deployed in the past due to the onboarding effort. This is where DNSthingy helps with a whitelist ecosystem, including the DNSthingy Whitelist Assistant Google Chrome Extension, real-time logging visibility, Whitelist Subscriptions (for sites with dependencies such as YouTube, Google, Facebook, etc.), and a learning mode for businesses that deploy in passive mode for 60-90 days in order to gain an organic whitelist suitable for their own enterprise.
So if you’ve wanted to give whitelisting a try, now there’s a simple and free way to try it out!
Posted June 27, 2016
by David Redekop
SafeSearch filters the display of explicit search results in images, videos, and text.
We’re glad to be able to offer an expanded version of our Forced SafeSearch feature. Forced SafeSearch uses the network-level enforcement method offered by Bing and Google. Here’s how the feature looks on the dashboard with a simple ON/OFF button:
This setting is now on by default for new subscribers and new Blacklist rulesets. This was much requested as iOS’s Siri uses Bing exclusively.
Why we believe Forced SafeSearch is better
It is important to note that this feature is not locking SafeSearch as utilized in the past for school/home environments. Locking and other proxy methods previously in use could easily be bypassed by using https (SSL) instead of http. Locking SafeSearch into the browser is easily bypassed with a new private/incognito window.
The combination of network-level forced SafeSearch and alternate DNS attempts being blocked (also a default with DNSthingy in router mode) makes circumvention much more difficult.
Our new Ruleset feature looks like this, and is available for any ruleset type, blacklist or whitelist:
No YouTube account login required. YouTube offers an opt-in restriction mode for logged-in accounts, which can easily be circumvented by launching a different browser, or by using a new incognito/private window. However, when this setting is used on a DNSthingy service, it cannot be bypassed. Attempts to do so will look like this:
Restricted Mode is enabled by your network administrator.
Here’s an example of a common YouTube search today and how the results vary by filtering level options:
[Image: results for searching "Miley Cyrus" at each filtering level, annotated "(some filtered out)" and "~95% filtered out!"]
In addition, both moderate and strict modes filter out comments, which our subscribers most often ask to have suppressed regardless of filtering level. The comment section will state this:
Restricted Mode has hidden comments for this video.
You might also notice that, no matter what the YouTube account settings are, your DNSthingy is considered a network-level enforcement option, so it overrides your YouTube account.
When using network-level enforcement of filtering options, it doesn’t matter how YouTube is watched, as all of these are covered:
YouTube app on mobile
YouTube via browser on mobile
YouTube via desktop browser
YouTube via incognito/private window
YouTube embedded on a website/blog post
And finally, you can set different rulesets for different devices. Our solution is the only one in existence that can offer network-level enforcement options with different settings per device or group of devices. Here’s how our subscribers typically use it:
Forced YouTube Safety Mode
Off (with optional account-level opt-in, but note it is easy to circumvent)
Children 12 and under: Strict (or, if necessary, it can be blocked entirely on a blacklist)
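The network-level enforcement described above for Forced SafeSearch and for YouTube Restricted Mode, as an added example that is not DNSthingy's code: the resolver answers queries for the search engines' normal hostnames with the enforcement hostnames Google and Bing publish for this purpose (forcesafesearch.google.com, strict.bing.com, restrict.youtube.com, restrictmoderate.youtube.com); the per-device rulesets, the device names and the record TTL are constructed.

```python
"""Forced SafeSearch / YouTube Restricted Mode by CNAME rewrite (added example,
not DNSthingy's code). Because the rewrite happens in the resolver, it applies
to every app, browser and incognito window on the device alike."""
import re

# Google search front-ends: google.com, google.ca, google.co.uk, ... (simplified match;
# deliberately excludes non-search hosts such as mail.google.com)
GOOGLE_RE = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$")
YOUTUBE_HOSTS = frozenset({
    "www.youtube.com", "m.youtube.com", "youtubei.googleapis.com",
    "youtube.googleapis.com", "www.youtube-nocookie.com",
})
GOOGLE_FORCED = "forcesafesearch.google.com"
BING_FORCED = "strict.bing.com"
YOUTUBE_TARGETS = {"strict": "restrict.youtube.com", "moderate": "restrictmoderate.youtube.com"}

# Constructed per-device rulesets: "safesearch" is the ON/OFF switch,
# "youtube" is "off", "moderate" or "strict".
DEVICE_RULESETS = {
    "kids-tablet": {"safesearch": True, "youtube": "strict"},
    "adult-laptop": {"safesearch": True, "youtube": "off"},
}
TTL = 300  # constructed TTL for the synthesized CNAME answer


def rewrite_target(qname, safesearch, youtube_mode="off"):
    """Return the CNAME target to answer with, or None to resolve normally."""
    host = qname.rstrip(".").lower()
    if safesearch and GOOGLE_RE.match(host):
        return GOOGLE_FORCED
    if safesearch and host == "www.bing.com":
        return BING_FORCED
    if youtube_mode in YOUTUBE_TARGETS and host in YOUTUBE_HOSTS:
        return YOUTUBE_TARGETS[youtube_mode]
    return None


def answer(device, qname):
    """Synthesized CNAME record for `qname` under the device's ruleset, or None
    when the query should be resolved normally. The enforcement hostname is then
    resolved upstream like any other name."""
    ruleset = DEVICE_RULESETS.get(device, {})
    target = rewrite_target(qname, ruleset.get("safesearch", False), ruleset.get("youtube", "off"))
    if target is None:
        return None
    return f"{qname.rstrip('.')}. {TTL} IN CNAME {target}."
```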
We’ve had some great feedback from early adopters and are thrilled to make this available to all of our subscribers.
DNSthingy services are now available as a preview release that can be installed on pfSense® software from ESF.
Minimum system requirement is simply any existing pfSense® installation, version 2.3+. pfSense® is a platform chosen by many seasoned IT veterans that focus on managed gateways for a variety of business sectors. Based on FreeBSD, this platform’s strength is in its stability and subscription-free operating system. While DNSthingy is subscription-based, it is still a fit, based on the high number of requests over the past while to offer our services on this platform.
For a preview-release installation and a free evaluation, simply contact our support team. We are looking in particular for more multi-WAN environments as well as usage of several VLANs with restrictive/hardened environments.
pfSense® is a registered trademark owned by Electric Sheep Fencing LLC and is used herein with permission.
More information as to pfSense® can be found at www.pfsense.org.
Did you know you can schedule your Internet access rules?
Here’s a screenshot of a sample schedule in use by one of our homeschoolers, designed to minimize distractions during the schooldays, while providing entertainment and social media access in specific times of the day:
You can completely customize it to your own needs. Here are some typical use cases:
Your small business likes to keep staff focused on specific tasks during specific hours. Create a ruleset and a schedule that whitelists only required services for required times.
While the office is closed, no Internet access is required except for services such as operating system updates and online backups. Create a schedule so that these are the only services allowed during closed hours.
Not sure what your Internet-of-Things devices are doing? Schedule them to be online only when they’re in use.
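The scheduling of rulesets described in the use cases above, as an added example that is not DNSthingy's code: the schedule, the group names and the ruleset names are constructed, and the example handles a window that wraps past midnight (such as an overnight "no Internet" window), which naive hour comparisons get wrong.

```python
"""Scheduled rulesets (added example, not DNSthingy's code). Each device group
has an ordered list of time windows; the first window containing the current
moment picks the ruleset, otherwise the group's off-schedule default applies."""
from datetime import datetime, time

WEEKDAYS = frozenset(range(5))     # Mon..Fri in datetime.weekday() numbering
EVERY_DAY = frozenset(range(7))

# Constructed schedule; ruleset names are placeholders for rulesets defined elsewhere.
SCHEDULE = {
    "staff": [                                   # more specific windows first
        (WEEKDAYS, time(12, 0), time(13, 0), "lunch-blacklist"),
        (WEEKDAYS, time(9, 0), time(17, 30), "work-whitelist"),
    ],
    "kids": [(EVERY_DAY, time(21, 0), time(7, 0), "no-internet")],   # overnight, wraps midnight
    "iot": [(EVERY_DAY, time(7, 0), time(22, 0), "iot-whitelist")],
}
# Ruleset used when no window matches (e.g. closed hours: updates and backups only).
OFF_SCHEDULE = {"staff": "closed-updates-only", "kids": "children-strict", "iot": "no-internet"}


def in_window(now, days, start, end):
    """True if `now` is inside the window; end <= start means it wraps past midnight."""
    t = now.time()
    if start < end:
        return now.weekday() in days and start <= t < end
    if t >= start:                                # evening part belongs to today's weekday
        return now.weekday() in days
    return t < end and (now.weekday() - 1) % 7 in days   # early part belongs to yesterday's


def ruleset_for(group, stamp):
    """Ruleset name for `group` at ISO timestamp `stamp`, e.g. "2016-06-29T10:15"."""
    now = datetime.fromisoformat(stamp)
    for days, start, end, name in SCHEDULE.get(group, []):
        if in_window(now, days, start, end):
            return name
    return OFF_SCHEDULE.get(group, "default")
```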
Here’s a short 3-minute video to give you an alternate example: