DNS filtering Church project



  • Hello be all blessed.

    Our church has a small project to install a DNS server in the cloud to filter out harmful content on the internet and protect our children. The idea is that every member of our church can use these DNS from anywhere in the world. We want to filter content by IP address, domains and specific channels inside YouTube (those who promote bulimia or suicide) without fully blocking YouTube, which makes no sense.

    We do not want to do this with any external service provider. Do you think pfSense is the right tool to achieve this task? We are about 100,000 members around the world and have an annual budget of about $20,000.

    Thanks in advance.


  • Netgate Administrator

    It is possible to do that using DNS-BL in the pfBlocker package. The actual success of the filter would be dependent on the lists you use. Filtering specific YouTube channels is probably not going to be achievable using a DNS-based filtering system.

    There are other projects specifically created for this purpose. Pi-Hole etc.

    Steve
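An added illustration, not part of any post in this thread, of why a DNS blocklist cannot single out one YouTube channel: the resolver only ever sees the hostname, so every channel URL gets the same verdict. The feed contents and channel IDs are constructed placeholders, and the matcher is a generic suffix match, not pfBlockerNG's own code.

```python
from urllib.parse import urlsplit

# Constructed sample feed in the hosts-file and plain-domain styles used by
# DNS blocklists; the domains are placeholders, not entries from a real list.
SAMPLE_FEED = """\
# comment line
0.0.0.0 ads.example.net
tracker.example.org   # trailing comment
127.0.0.1 localhost
"""

def parse_feed(text):
    """Return the set of blocked domains from a hosts-style or plain-domain feed."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        domain = line.split()[-1].rstrip(".")  # name is the last field in both styles
        if domain != "localhost":
            blocked.add(domain)
    return blocked

def is_blocked(qname, blocked):
    """True if the queried name or any parent domain is on the list."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def dns_view(url):
    """The only part of a URL that reaches a DNS resolver: the hostname."""
    return urlsplit(url).hostname

def decide(url, blocked):
    return "block" if is_blocked(dns_view(url), blocked) else "allow"

# Hypothetical channel IDs: one the volunteers want blocked, one they want kept.
UNWANTED = "https://www.youtube.com/channel/UC_PLACEHOLDER_UNWANTED"
WANTED = "https://www.youtube.com/channel/UC_PLACEHOLDER_WANTED"

if __name__ == "__main__":
    blocked = parse_feed(SAMPLE_FEED)
    for url in (UNWANTED, WANTED):
        print(dns_view(url), decide(url, blocked))          # same name, same verdict
    for url in (UNWANTED, WANTED):
        print(decide(url, blocked | {"youtube.com"}))       # all-or-nothing
```
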



  • @hmijares said in DNS filtering Church project:

    We are about 100,000 members around the world

    I agree with @stephenw10 , but I would like to add the following

    It's very difficult to filter content within YouTube itself ...
    Blocking ads is just - solved, but filtering video content separately with NGFW is not easy.

    Read the following links, it may help:
    https://forum.netgate.com/topic/137341/new-user-filter-youtube-pfsense
    https://ieeexplore.ieee.org/abstract/document/8977017/figures#figures

    btw:
    Separately, it’s much better resolved, I know it doesn’t help because there are a lot of endpoints...

    https://support.google.com/youtubekids/answer/6172308?hl=en



  • Here are a few I've used in the past:
    https://adguard.com/en/adguard-dns/overview.html
    nextdns.io is what I currently use on my network to block websites and of course ads

    https://cleanbrowsing.org/

    not in any order



  • @DaddyGo Hi, thanks for your kind answer. We already have a group of volunteers designated to block these YouTube channels. We know specifically what we want to block and we already have the list of channels to be blocked. We are just trying to understand how to do it.



  • @bcruze Hi, thanks for your kind answer. Those are third party services; we want something that we can deploy ourselves.



  • @hmijares said in DNS filtering Church project:

    We are just trying to understand how to do it.

    Hi,

    A suitable package is pfBlockerNG-devel, so far the thing is simple because you just need to install it from the package list

    the rest are already more complicated, as you have to search for suitable lists, find the topics to be blocked, e.g. (ad block):
    https://jasonhill.co.uk/pfsense/ytadblock.txt
    https://raw.githubusercontent.com/anudeepND/youtubeadsblacklist/master/domainlist.txt

    apply such lists to your themes....😉

    pfBlockerNG-devel can block based on DNSBL and IPv6 and IPv4 and GeoIP

    btw:

    Unbound resolver is required!



  • @hmijares said in DNS filtering Church project:

    Those are third party services; we want something that we can deploy ourselves.

    You definitely need a third party hosted DNS server or root DNS servers...
    DNS has to come from somewhere (like TLD or third party CloudFlare )

    @bcruze recommends pre-filtered free DNS providers because Unbound can be set up on these servers by default.

    ++++edit:
    by supplementing these filtered DNS third party servers with pfBlockerNG you can get even better results



  • @DaddyGo Can I deploy my own DNS server using pfSense and filter content? I'm a Linux guy but I don't want to use Linux for this project. I feel Linux has become too popular and I don't trust its security anymore.



  • @hmijares It sounds like you are attempting more than offering a service to those who want to experience a curated version of the internet. You can throw as much money, people and technology at this as you want and you will not get very far enforcing a subset of available content.

    You're not going to be the great firewall of China, even for those who want a curated experience.

    Best case outcome is you may be able to restrict some amount of unwanted content. You're still going to have to deal with the content that gets past your block-list.

    You will get a much better return on your effort creating materials to help guide the discussions within families concerning online content, responsible use and what to do when you, inevitably, stumble upon some unwanted content.



  • @hmijares said in DNS filtering Church project:

    Can I deploy my own DNS server using pfSense and filter content?

    Of course yes = Unbound, but this is more we call it a resolver...
    The world gets its DNS from the root servers....
    (https://www.iana.org/domains/root/servers)

    Your Unbound (in pfSense package) resolver must also receive DNS data from a higher level depending on the setting, I recommend CloudFlare as it uses DoT with DNSSEC and also has filtered lists specifically for child protection.

    f.e.:
    https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/



  • @jwj said in DNS filtering Church project:

    You're not going to be the great firewall of China, even for those who want a curated experience.

    I note, the firewall you are talking about is not perfect either.
    It is more restrictive than a filter and thus simpler...

    Don’t scare your prospective colleague, let’s experience a little DNS work

    Otherwise you’re right, if everything could be clearly filtered, there would be no content to restrict...
    Hard.... 😉



  • @DaddyGo I'm guessing here, but I think there is a 100% chance that I would not agree with the motivation behind this effort. That said, I still don't want to see good money wasted.

    A lot of 10 year olds know how to change the dns server their device uses.

    Using the internet in China is not unlike using it at work. You're inside a controlled environment. Church member or not connecting from home is not a controlled environment and trying to control it is a bit ridiculous.


  • Netgate Administrator

    How many users do you actually anticipate using this service?

    If it's anything even close to 100K you probably want to look at something specialising in DNS and not a router/firewall that happens to include DNS.

    Steve



  • @jwj Believe it or not, there are still children with good old-fashioned moral values who would not be able to go against their parents' will.



  • @hmijares Agreed! In that case some open, honest, discussion at the dinner table will have a much greater positive result than a DNS server. I want you to be successful, really!



  • @jwj If you want to discuss the moral implications of this project we can take it somewhere else, but I'm here to consult about the technical aspects of it.


  • LAYER 8 Global Moderator

    The problem with trying to filter phones is, they have no need of the wifi to surf the net.. Why would some kid bored in church not just use the phone's data plan to surf whatever they want?

    Are you trying to create a filtering service that works outside your network.. Say for example where the kids' parents could select this DNS filtering from their home network?

    If so you are trying to reinvent the wheel - there are many a service you can already use that do this..



  • @hmijares And the technical aspects of it are you are running uphill against the wind trying to use technology. Teen suicide and eating disorders based on an unhealthy body image are not technology issues.

    I'm trying to help you not waste time and money. I do wish you the best. I will say this one last thing: Technology has never been a substitute for personal responsibility.



  • @johnpoz This is more about filtering the content for 5-year-old kids connected to their tablet 24x7 when they are at home. But we want to be the ones who choose which content. We are aware that from a certain age they are smart enough to overcome any blocking.



  • @johnpoz As you said there are many services that can do this but we want to do it ourselves because we have very specific content that is not blocked by any paid service, like certain YouTube channels which promote bulimia, suicide or those that are sexually suggestive without being pornographic. I am not going to name those channels in this way because it goes beyond the scope we want to deal with but I am sure you have seen the channels where some women perform vibrator or dildo performance tests without showing the device on camera. That kind of content is in YouTube and is legal because if you don't show the "thing" there is no problem for YouTube. That kind of content is what we want to block for children under 7 years old when they are using the wifi at home. There is nothing wrong with using a vibrator or dildo but there is a time in life for every experience.


  • Netgate Administrator

    As much as I like to use pfSense everywhere I can 😉 I'm going to suggest that this is not an application for which it's particularly well suited.

    Steve



  • @stephenw10 Anything you can recommend?



  • @hmijares said in DNS filtering Church project:

    There is nothing wrong with using a vibrator or dildo but there is a time in life for every experience.

    As the others write, this is really a treadmill fight...

    The things described above will help reduce your chances of browsing the wrong content, but it’s definitely primarily a function of human character and a good education.

    The pfSense can help a lot in prevention, but currently nothing provides a perfect solution.
    At least I don’t know that,......... I say you wouldn’t have that kind of content on the web......if there was a perfect solution to this...

    Plus, with our new browser horror, we’re going in an even worse direction, like DOH (insanity)



  • @DaddyGo This is exactly what we are looking for, to "reduce your chances of browsing the wrong content," you nailed it


  • Netgate Administrator

    I would start out looking at Pi-Hole which is designed specifically for this but at a small scale. It may not be suitable directly.

    How many users do you expect at any one time? Do you need some sort of filtering so only members can access it?

    Steve



  • @DaddyGo And the fact that YouTube is YouTube. You can't really pick and choose. You get it all or get kids YouTube if, and only if, you use that app. I think there is more harm than good from trying to hide reality than from facing it squarely and developing the skills needed to exist in an imperfect world.



  • @jwj I have to say again I'm not here to discuss the moral but the technical aspect of the project. Morals are out of the scope of this consultation. So I'm going to kindly ask you to stop replying to my posts as you are not adding any value to the technical aspect. Thanks in advance!



  • @hmijares Why can't you understand that you can't filter in the way you say you want to? Given that, you must look to other ways to accomplish your objective.



  • @hmijares said in DNS filtering Church project:

    This is exactly what we are looking for, to "reduce your chances of browsing the wrong content," you nailed it

    I suggest you get into it and try pfSense (pfBlockerNG-devel + Unbound (DoT + DNSSEC) + CloudFlare 1.1.1.3 + good BLKs)
    and we'll see....

    ++++edit:
    https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families

    +++edit2:
    possibly an external Pi-Hole on Raspberry as the primary but external DNS provider for pfSense
    (note I don't like Pi-Hole)
    but it's worth a try, at least we can discuss which is better ...



  • Randomly chosen. This does seem to be buzz word compliant for what the OP wants.

    https://www.safedns.com/en/safe-internet-for-nonprofits/



  • @jwj Ok, no problem in that, but as an administrator you have to be able to separate your morals from the technical aspects of a question. I think this forum is for technical aspects of pfSense, am I right? Your personal opinion about the moral aspects is not relevant and if you are an administrator you should know that. I guess your job is to moderate about tech, not philosophy.

    Have a good day and get yourself together bro, if you want to moderate you need to separate your beliefs from your knowledge.



  • @DaddyGo I'll try, thanks all for your kindness, have a good day



  • @jwj said in DNS filtering Church project:

    Randomly chosen. This does seem to be buzz word compliant for what the OP wants.

    A lot of people and companies do that, but it’s always suspicious to me because that’s when your DNS flows through them.
    I like to be relatively independent....

    Think of the AVAST scandal = the "real website feature" and sold the collected IPs
    Well, there is privacy too.



  • @hmijares said in DNS filtering Church project:

    I'll try, thanks all for your kindness, have a good day

    It was an interesting conversation, we look forward to seeing the results again if you feel like ...

    Have a good day. 😉



  • @DaddyGo Doesn't matter. He just wants a quick, easy, answer to his question. He can figure out what service he wants to dump money into and then spend all the rest of his time trying to play whack-a-mole for content he finds unacceptable. The internet is unacceptable to everyone in some way. Going off the grid is the only way to avoid that reality.



  • @jwj said in DNS filtering Church project:

    The internet is unacceptable to everyone in some way.

    That's a fact, but as a sysadmin we always have to meet a little bit for everyone.
    I just have to say it's hard ...😉



  • @DaddyGo Do you think, reading between the lines, that he would be better with a tightly curated whitelist? Might be the straightest line to what will be an imperfect solution no matter what.



  • @jwj said in DNS filtering Church project:

    Do you think, reading between the lines

    You see it's possible that it would work better ...
    To hide everything and then just let what you want to be visible ...

    but this cannot be applied to YouTube internal content, so it can only reduce the headache...

    let’s not forget there is also a lot of serious content on YouTube (books, science, IT, etc.)



  • @DaddyGo Yeah, he's going to have to give up on YouTube, at least for the youngest demographic in his user population. 5 year olds don't contextualize things. For the older ones he can't avoid the non-technical issues. It's a fool's folly to think he can.

    He could also spend money on end-point filtering and just not even try to do it at the network level. If he is determined to spend money he could spend a lot of it doing that.

