I have a dream…



  • … and it's possible that someone has a solution to my dream that I've overlooked. If so, kindly point me in the general direction and I'll wander that way.

    So, I used to use Squid v2/v3 as a way to cache and content filter my outbound traffic for users. Management says they don't want Facebook, I block facebook.com, and problem solved. Then Facebook started routing all of their traffic over HTTPS, which Squid v2 did not handle. Squid v3 comes to the rescue with SSL options, but configuring this is very, very tedious.

    Then I started using a very well known DNS provider that allows content filtering. One IP address per account was free, and they would do categorical blocking, and all was well again. I'd block Facebook at that level, and since no DNS resolution would occur, this resolved the problem by and large, other than the occasional marketing person that legitimately needed access to Facebook for the marketing campaigns. Again, generally not an issue to solve, and this did the job.

    Said company stopped offering these free accounts a few years ago. And started charging for their services. Crazily. Like, $17 per user per month kind of crazy.

    I started back down the path of Squid, this time with SquidGuard and categorical blocking, but again the SSL traffic becomes fun and there have been a slew of other odd problems with it as well.

    What I'd really like is the ability to take the categorical database created for Squid/SquidGuard/DansGuardian and apply it to a DNS server with something like MySQL running on the back end. When someone makes a request for a website, we check it against the database. No record in the database = forward out to the upstream DNS server. Record in the database sends you down the path of seeing if this person's IP address or LDAP username query allows them access to that website. If so, allow access. If not, block page.

    I thought I found this in DNS Blacklist, but it appears to be gone. Then I thought I found it in DNS Forwarder / DNS Resolver, but so far I haven't found a workable solution.

    Can someone point me in the right direction, if there is a "right direction?"
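The decision flow described in the post above (look the queried name up in a categorized database, forward upstream if there is no record, otherwise consult a per-client policy and either forward or hand back a block page) as an added, self-contained example that is not the poster's code and not part of any pfSense package. It assumes SquidGuard-style category lists (one domain per line, per category) and a policy keyed by source IP; the LDAP-username variant would use the same `allowed_categories` lookup with a different key. All list entries, subnets and the block-page address are constructed documentation values.

```python
import ipaddress

# Constructed sample in SquidGuard "domains" file layout: one domain per line,
# grouped by category. Not real blacklist data.
CATEGORY_LISTS = {
    "socialnet": "facebook.com\nfbcdn.net\ntwitter.com\n",
    "video": "youtube.com\n# comment lines are ignored\n",
}

# Per-client policy: which categories a source network may reach.
# Constructed example values (documentation ranges).
CLIENT_POLICY = [
    (ipaddress.ip_network("192.0.2.0/24"), {"socialnet"}),             # marketing subnet
    (ipaddress.ip_network("198.51.100.10/32"), {"socialnet", "video"}),
]

BLOCK_PAGE_IP = "203.0.113.5"  # constructed address of a local block page


def load_domain_index(lists):
    """Build a map of exact domain -> category from SquidGuard-style text."""
    index = {}
    for category, text in lists.items():
        for line in text.splitlines():
            line = line.strip().lower().rstrip(".")
            if not line or line.startswith("#"):
                continue
            index[line] = category
    return index


def categorize(qname, index):
    """Return the category of qname, matching it and every parent domain.

    www.facebook.com is checked as www.facebook.com, facebook.com, com,
    so a single 'facebook.com' entry covers all of its subdomains.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return index[candidate]
    return None


def allowed_categories(client_ip):
    """Categories this client is allowed to reach; clients with no policy get none."""
    ip = ipaddress.ip_address(client_ip)
    for net, cats in CLIENT_POLICY:
        if ip in net:
            return cats
    return set()


def resolve_decision(qname, client_ip, index):
    """Decide what the resolver should do with a query.

    Returns ("forward", None) to pass the query upstream untouched, or
    ("block", BLOCK_PAGE_IP) to answer with the block page address.
    """
    category = categorize(qname, index)
    if category is None:
        return ("forward", None)           # no record in the database
    if category in allowed_categories(client_ip):
        return ("forward", None)           # policy grants this client access
    return ("block", BLOCK_PAGE_IP)        # categorized and not permitted


if __name__ == "__main__":
    idx = load_domain_index(CATEGORY_LISTS)
    for q, src in [("www.facebook.com", "192.0.2.7"),
                   ("www.facebook.com", "10.0.0.9"),
                   ("example.org", "10.0.0.9"),
                   ("m.youtube.com", "198.51.100.10")]:
        print(q, src, resolve_decision(q, src, idx))
```

The parent-domain walk in `categorize` is the part that matters: a flat exact-match lookup would let `www.facebook.com` slip past a list that only contains `facebook.com`, while a plain substring match would wrongly catch names like `notfacebook.com`.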


  • Moderator

    You can block Facebook (and others) with pfBlockerNG, using the IPs collected from Hurricane Electric. Some sites like YouTube are hard to block via IP as they are so woven into other Google IPs.

    You can also add a DNS Host override to block DNS resolution, but that can be bypassed if the user goes to these sites with the IP address. So having both is a good solution.

    http://bgp.he.net/search?search[search]=facebook&commit=Search

    The list can be automatically downloaded and parsed once per week using the "html" format in pfBNG and set to block Outbound Access to Facebook.

    The upcoming pfBNG v2.0 will have DNSBL Domain Name Blocking integration via Unbound Resolver also…
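The two layers the moderator describes, a DNS host override plus an outbound rule built from a parsed prefix list, as an added example that is not pfBlockerNG code and not part of this thread. It shows why the moderator recommends both: a name goes through the override table, while a connection made straight to a literal address skips DNS and is only caught by the prefix rule. The prefix list and override entries are constructed documentation ranges, not data from Hurricane Electric.

```python
import ipaddress

# Constructed prefix list in the one-CIDR-per-line form a tool ends up with after
# parsing a BGP search page. Documentation ranges only, not real data.
PREFIX_LIST_TEXT = """
203.0.113.0/24
203.0.113.64/26
# the overlapping /26 above is folded into the /24 during load
2001:db8:face::/48
"""

# DNS host overrides: names the local resolver answers itself instead of forwarding.
HOST_OVERRIDES = {"facebook.com": "0.0.0.0", "www.facebook.com": "0.0.0.0"}


def load_prefixes(text):
    """Parse the list and collapse overlapping entries, per address family."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def dns_answer(qname, overrides):
    """Host override layer: the override address, or None to forward upstream."""
    return overrides.get(qname.lower().rstrip("."))


def firewall_allows(dest_ip, prefixes):
    """Outbound IP layer: deny if the destination lies in any listed prefix."""
    ip = ipaddress.ip_address(dest_ip)
    return not any(ip in net for net in prefixes)


def outbound_decision(target, overrides, prefixes):
    """Evaluate a connection attempt the way the two layers together would.

    target is either a hostname or a literal IP. A literal IP never touches the
    resolver, so only the prefix rule can stop it; a hostname is checked against
    the override table first.
    """
    try:
        ipaddress.ip_address(target)
        return "allowed" if firewall_allows(target, prefixes) else "blocked-by-ip"
    except ValueError:
        pass  # not a literal address, treat as a hostname
    if dns_answer(target, overrides) is not None:
        return "blocked-by-dns"
    return "forwarded"  # resolved upstream; the resolved IP is still subject to the prefix rule


if __name__ == "__main__":
    pfx = load_prefixes(PREFIX_LIST_TEXT)
    for t in ["www.facebook.com", "203.0.113.77", "198.51.100.1", "example.org"]:
        print(t, outbound_decision(t, HOST_OVERRIDES, pfx))
```

Collapsing the prefixes at load time keeps the rule table small when a weekly re-download contains overlapping announcements, and splitting by address family is required because `collapse_addresses` refuses mixed IPv4/IPv6 input.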



  • What service were you using before?



  • @kejianshi:

    What service were you using before?

    That would be OpenDNS. Umbrella Enterprise is $16-$18 per user per month.



  • I use DynDNS Internet Guide to provide categories of filtering. At the moment that is only $US20/year for 10 addresses (10 different public IPs from where DNS queries originate).
    http://dyn.com/labs/dyn-internet-guide/
    Seems cheap and reasonable at avoiding the common unwanted content.



  • Yeah - And 100 computers behind pfSense is only 1 of the 9…