Netgate Discussion Forum

    DNS filtering Church project

    • hmijares

      Hello be all blessed.

      Our church has a small project to install a DNS server in the cloud to filter out harmful content on the internet and protect our children. The idea is that every member of our church can use these DNS from anywhere in the world. We want to filter content by IP address, domains and specific channels inside YouTube (those who promote bulimia or suicide) without fully blocking YouTube, which makes no sense.

      We do not want to do this with any external service provider. Do you think pfSense is the right tool to achieve this task? We are about 100,000 members around the world and have an annual budget of about $20,000.

      Thanks in advance.

      • stephenw10 Netgate Administrator

        It is possible to do that using DNS-BL in the pfBlocker package. The actual success of the filter would be dependent on the lists you use. Filtering specific YouTube channels is probably not going to be achievable using a DNS-based filtering system.

        There are other projects specifically created for this purpose. Pi-Hole etc.

        Steve
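
The limit described in the post above, as an added example that is not part of the original thread: a DNS filter only sees the hostname being resolved, so blocklist entries that differ only in URL path (such as YouTube channels) cannot be expressed in it. The sketch sorts a constructed blocklist into Unbound `local-zone` lines, IP entries for a firewall rule, and path-only entries that DNS cannot enforce; the sample entries, the `SHARED_HOSTS` set and the function names are assumptions, and this is not how pfBlockerNG itself builds its DNSBL.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample entries (placeholders, not real channels or hosts).
SAMPLE_ENTRIES = [
    "bad-example.test",
    "https://ads.bad-example.test/banner.js",
    "https://www.youtube.com/channel/UC_PLACEHOLDER_ONE",
    "https://www.youtube.com/@placeholder-two",
    "203.0.113.7",
]
# Assumption: hosts that serve wanted and unwanted content alike.
SHARED_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"}

def _as_ip(text):
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None

def classify(entry):
    """Return (kind, value); kind is 'ip', 'domain', 'path_only' or 'invalid'."""
    entry = entry.strip()
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    host = (parts.hostname or "").rstrip(".").lower()
    ip = _as_ip(entry) or _as_ip(host)
    if ip:
        return ("ip", ip)
    if not host:
        return ("invalid", entry)
    if host in SHARED_HOSTS and parts.path.strip("/"):
        # The resolver is only asked for the host; the path never reaches it.
        return ("path_only", host)
    return ("domain", host)

def build_policy(entries):
    """Split entries into Unbound config lines, an IP list and unenforceable entries."""
    domains, ips, unenforceable = set(), set(), []
    for entry in entries:
        kind, value = classify(entry)
        if kind == "domain":
            domains.add(value)
        elif kind == "ip":
            ips.add(value)
        else:
            unenforceable.append(entry)
    zones = [f'    local-zone: "{d}." always_nxdomain' for d in sorted(domains)]
    return ["server:"] + zones, sorted(ips), unenforceable
```

Both channel URLs end up in the unenforceable list because they resolve through the same `www.youtube.com` lookup as every other video.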

        • DaddyGo @hmijares

          @hmijares said in DNS filtering Church project:

          We are about 100,000 members around the world

          I agree with @stephenw10, but I would like to add the following:

          It's very difficult to filter content within YouTube itself ...
          Blocking ads is just - solved, but filtering video content separately with NGFW is not easy.

          Read the following links, it may help:
          https://forum.netgate.com/topic/137341/new-user-filter-youtube-pfsense
          https://ieeexplore.ieee.org/abstract/document/8977017/figures#figures

          btw:
          Separately, it’s much better resolved, I know it doesn’t help because there are a lot of endpoints...

          https://support.google.com/youtubekids/answer/6172308?hl=en

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          • bcruze

            Here are a few I've used in the past:
            https://adguard.com/en/adguard-dns/overview.html
            nextdns.io is what I currently use on my network to block websites and of course ads

            https://cleanbrowsing.org/

            not in any order

            • hmijares @DaddyGo

              @DaddyGo Hi, thanks for your kind answer. We already have a group of volunteers designated to block these YouTube channels. We know specifically what we want to block and we already have the list of channels to be blocked. We are just trying to understand how to do it.

              • hmijares @bcruze

                @bcruze Hi, thanks for your kind answer. Those are third-party services; we want something that we can deploy ourselves.

                • DaddyGo @hmijares

                  @hmijares said in DNS filtering Church project:

                  We are just trying to understand how to do it.

                  Hi,

                  A suitable package is pfBlockerNG-devel. So far the thing is simple, because you just need to install it from the package list.

                  The rest is more complicated, as you have to search for suitable lists and find the topics to be blocked, e.g. (ad block):
                  https://jasonhill.co.uk/pfsense/ytadblock.txt
                  https://raw.githubusercontent.com/anudeepND/youtubeadsblacklist/master/domainlist.txt

                  apply such lists to your themes....😉

                  pfBlockerNG-devel can block based on DNSBL, IPv6, IPv4 and GeoIP.

                  btw:

                  Unbound resolver is required!

                  • DaddyGo @hmijares

                    @hmijares said in DNS filtering Church project:

                    Those are third-party services; we want something that we can deploy ourselves.

                    You definitely need a third party hosted DNS server or root DNS servers...
                    DNS has to come from somewhere (like TLD or third party Cloudflare)

                    @bcruze recommends pre-filtered free DNS providers because Unbound can be set up on these servers by default.

                    ++++edit:
                    by supplementing these filtered DNS third party servers with pfBlockerNG you can get even better results

                    • hmijares @DaddyGo

                      @DaddyGo Can I deploy my own DNS server using pfSense and filter content? I'm a Linux guy, but I don't want to use Linux for this project. I feel Linux has become too popular and I don't trust its security anymore.

                      • A Former User @hmijares

                        @hmijares It sounds like you are attempting more than offering a service to those who want to experience a curated version of the internet. You can throw as much money, people and technology at this as you want and you will not get very far enforcing a subset of available content.

                        You're not going to be the great firewall of China, even for those who want a curated experience.

                        Best case outcome is you may be able to restrict some amount of unwanted content. You're still going to have to deal with the content that gets past your block-list.

                        You will get a much better return on your effort creating materials to help guide the discussions within families concerning online content, responsible use and what to do when you, inevitably, stumble upon some unwanted content.

                        • DaddyGo @hmijares

                          @hmijares said in DNS filtering Church project:

                          Can I deploy my own DNS server using pfSense and filter content?

                          Of course yes = Unbound, but this is more we call it a resolver...
                          The world gets its DNS from the root servers....
                          (https://www.iana.org/domains/root/servers)

                          Your Unbound (in pfSense package) resolver must also receive DNS data from a higher level depending on the setting. I recommend Cloudflare as it uses DoT with DNSSEC and also has filtered lists specifically for child protection.

                          f.e.:
                          https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/

                          • DaddyGo @A Former User

                            @jwj said in DNS filtering Church project:

                            You're not going to be the great firewall of China, even for those who want a curated experience.

                            I note, the firewall you are talking about is not perfect either.
                            It is more restrictive than a filter and thus simpler...

                            Don’t scare your prospective colleague, let’s experience a little DNS work.

                            Otherwise you’re right, if everything could be clearly filtered, there would be no content to restrict...
                            Hard.... 😉

                            • A Former User @DaddyGo

                              @DaddyGo I'm guessing here, but I think there is a 100% chance that I would not agree with the motivation behind this effort. That said, I still don't want to see good money wasted.

                              A lot of 10-year-olds know how to change the DNS server their device uses.

                              Using the internet in China is not unlike using it at work. You're inside a controlled environment. Church member or not, connecting from home is not a controlled environment and trying to control it is a bit ridiculous.

                              • stephenw10 Netgate Administrator

                                How many users do you actually anticipate using this service?

                                If it's anything even close to 100K you probably want to look at something specialising in DNS and not a router/firewall that happens to include DNS.

                                Steve

                                • hmijares @A Former User

                                  @jwj Believe it or not, there are still children with good, old-fashioned moral values who would not be able to go against their parents' will.

                                  • A Former User @hmijares

                                    @hmijares Agreed! In that case some open, honest, discussion at the dinner table will have a much greater positive result than a DNS server. I want you to be successful, really!

                                    • hmijares @A Former User

                                      @jwj If you want to discuss the moral implications of this project, we can take it somewhere else, but I'm here to consult about the technical aspects of it.

                                      • johnpoz LAYER 8 Global Moderator

                                        The problem with trying to filter phones is, they have no need of the wifi to surf the net.. Why would some kid bored in church not just use the phone's data plan to surf whatever they want?

                                        Are you trying to create a filtering service that works outside your network.. Say for example where the kids' parents could select this DNS filtering from their home network?

                                        If so you are trying to reinvent the wheel - there are many a service you can already use that do this..

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        • A Former User @hmijares

                                          @hmijares And the technical aspects of it are you are running uphill against the wind trying to use technology. Teen suicide and eating disorders based on an unhealthy body image are not technology issues.

                                          I'm trying to help you not waste time and money. I do wish you the best. I will say this one last thing: Technology has never been a substitute for personal responsibility.

                                          • hmijares @johnpoz

                                            @johnpoz This is more about filtering the content for 5-year-old kids connected to their tablet 24X7 when they are at home. But we want to be the ones who choose which content. We are aware that from a certain age they are smart enough to overcome any blocking.
