Netgate Discussion Forum

Web filter https

pfSense Packages
19 Posts 8 Posters 3.9k Views

kejianshi
last edited by Feb 15, 2015, 1:41 AM

I'd make a "best effort" to filter DNS without breaking internet as squid is so efficient at doing.

People need to realize that unless you get into white listing, which I don't recommend, you can't have good internet and 100% censorship.

drick78
last edited by Feb 15, 2015, 1:49 AM

I know I can't have 100% censorship. Right now we are using Untangle (free version) and it is working out fine for the web filter. I did look into the OpenDNS solution, but they want lots of $$ for about 800 users even though we are a non-profit organization.

Ideally, I would like to just block all https versions of sites that are currently listed in the blacklist I installed. Is that somehow possible? This would be a good enough solution for us that would not cost a ton of $$.

Dell C6100 w/ 2 x Xeon E5430 quad-core, 6GB RAM

Derelict LAYER 8 Netgate
last edited by Feb 15, 2015, 2:13 AM

The world is changing. Get used to it. You can't filter HTTPS other than DNS or IP address filtering. Nobody can, no matter what they charge.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

kejianshi
last edited by Feb 15, 2015, 3:19 AM

HEHE - They want a ton of money?

They offer a free service, as do others.

So, let's say your pfSense uses OpenDNS for resolution and filtering (for free).

Then you force all DNS requests on port 53 to hit your pfSense box for DNS.

Your pfSense is caching DNS requests and there will be a ton of overlap in the requests even with hundreds of users.

So as far as OpenDNS is concerned, your pfSense box is one single user, not hundreds.

Try it.

drick78
last edited by Feb 15, 2015, 5:13 AM

Interesting idea. How would I force all DNS 53 to go to the pfSense machine? I guess I thought they already were with having DHCP turned on, and in transparent proxy mode. I'm guessing by your response there is something more to it than that.

Thank you all for your help on this issue too. Network / routing is not my strong suit.

Dell C6100 w/ 2 x Xeon E5430 quad-core, 6GB RAM

kejianshi
last edited by Feb 15, 2015, 5:55 AM

First of all, I'd bet you are not getting better than 6% cache hit with squid. So, not a bandwidth saver. Plus it either misses HTTPS altogether or breaks it.

So, for me at least, a year of using it taught me it's better not to use it.

It's for the most part a completely unnecessary layer of latency and complexity.

Derelict LAYER 8 Netgate
last edited by Feb 15, 2015, 6:30 AM

@drick78:

> Interesting idea. How would I force all DNS 53 to go to the pfSense machine? I guess I thought they already were with having DHCP turned on, and in transparent proxy mode. I'm guessing by your response there is something more to it than that.
>
> Thank you all for your help on this issue too. Network / routing is not my strong suit.

Like the attached.

Note that if this becomes widespread, all the VPN providers will start offering DNS on alternate ports, the client software will catch up, and you'll be playing whack-a-mole again.

![Screen Shot 2015-02-14 at 10.24.45 PM.png](/public/imported_attachments/1/Screen Shot 2015-02-14 at 10.24.45 PM.png)

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

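The "force all DNS on port 53 to the pfSense box" step kejianshi describes, and the port-forward rule in Derelict's attached screenshot, both come down to a pf translation rule. What follows is an added example written for this thread as a hand-edited pf.conf fragment; it is not from the original posts and not pfSense's own generated ruleset. The interface name em1, the LAN network 192.168.1.0/24 and the firewall address 192.168.1.1 are assumptions. On pfSense you would enter the same thing under Firewall > NAT > Port Forward (interface LAN, protocol TCP/UDP, destination port 53, redirect target the LAN address) instead of editing pf.conf.

```pf
# Assumed values; replace with the interface and addressing of your own LAN.
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"    # address the firewall's resolver (Unbound/dnsmasq) listens on

# Translation: any port-53 query from a LAN client that is NOT already aimed at
# the firewall is rewritten so it goes to the firewall's resolver instead.
# "to ! $lan_addr" leaves queries that already target the firewall untouched.
# "log" records only the packets this rule actually rewrote, which shows
# which clients were configured to use an outside resolver.
rdr log on $lan_if inet proto { tcp, udp } from $lan_net to ! $lan_addr port 53 -> $lan_addr port 53

# Filter: pf evaluates filter rules after translation, so the pass rule has to
# match the rewritten destination (the firewall itself), not the original one.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $lan_addr port 53 keep state
```

After loading the ruleset, `pfctl -s nat` lists the redirect and `tcpdump -n -e -ttt -i pflog0 port 53` shows the queries that were rewritten, so the log is a simple way to find hosts that were pointed at another resolver. As Derelict notes, this only catches plain DNS on port 53; a client that carries DNS over another port or inside a VPN tunnel is not affected by it.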
marcelloc
last edited by Feb 15, 2015, 10:58 AM

There is a Java tool that does DNS filtering by ACLs and/or blacklists but I can't remember the name right now.

SSL filtering works fine but needs manual install of a CA certificate on devices.

I guess wpad is not that simple on mobile devices too.

Elite Training: http://sys-squad.com

Help a community developer! ;D

Cino
last edited by Feb 15, 2015, 4:14 PM

@marcelloc:

> I guess wpad is not that simple on mobile devices too.

I know it doesn't work with Android out of the box, but you can set the proxy server. iPhones, though, can; you have to select auto in the proxy config for the wifi connection.

drick78
last edited by Feb 16, 2015, 3:51 PM

After reading all the wonderful replies and discussing it with the church board member I have been working with, we have decided that since most people with phones have their own data plans, the filtering here is not really that useful, so we will stick with the standard blacklist and not go any more complex than that. If someone really wants to get to such websites, they can anyways, so why complicate the setup when it is easily bypassed.

Dell C6100 w/ 2 x Xeon E5430 quad-core, 6GB RAM

Derelict LAYER 8 Netgate
last edited by Feb 16, 2015, 5:59 PM (posted Feb 16, 2015, 5:56 PM)

^ Amen

Though wasn't there a case way back when against AOL or Prodigy or someone that basically said, "If you attempt to protect your users by filtering content and something slips through you're liable but if you make no attempt there is no expectation of protection on the user's part so you're not liable for the content served?" Or something like that?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

jimp Rebel Alliance Developer Netgate
last edited by Feb 23, 2015, 2:48 PM

@Derelict:

> Though wasn't there a case way back when against AOL or Prodigy or someone that basically said, "If you attempt to protect your users by filtering content and something slips through you're liable but if you make no attempt there is no expectation of protection on the user's part so you're not liable for the content served?" Or something like that?

I'm no lawyer (obviously), but you may be thinking of what is now typically called "common carrier" status, which generally only applies to ISPs and the like.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

kejianshi
last edited by Feb 23, 2015, 4:37 PM

I have also found that my networks work better when I'm not the one trying to cripple them (-:

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.