Tuesday, April 15, 2008

Free Internet Filter (and open & fast dns server)

Lets face it, you can have a 100Mbps link to the WWW but it makes a huge performance (speed) impact if you have crappy DNS servers. This could mean DNS servers that are easily poisoned, DNS servers that are slow and DNS servers that are unreliable. For instance this afternoon, i was using Jaring's infamous 192.228.128.20 and 161.142.2.17, i had problems accessing HP's driver download site, quickly i realized this could be a DNS related issues cause IP based accesses seem fast (doh)..so, i googled a little and found this...www.opendns.com

This pretty nifty site provides two DNS addresses, 208.67.222.222 and 208.67.220.220. These two IPs are publicly routable and available for immediate use. With some lame tests i found these DNS servers respond in about millisecond faster than time it takes to respond from TMNut's 202.188.0.133 and 202.188.1.5 servers. If that's not convincing enough to churn, read on.

Goody bag
OD gives you an option (purely optional) to create an account. What can we do with that account? Well, simply, use DNS facilities to do addresses filtering, yup, you got it, a free DNS based filtering (phishing, pharming, porn filter - i will certainly omit the last filter factor :P ). Any organization could also use this especially if you use a fixed IP address.

If you don't have fixed IPs like me, their software provides dynamic IP such as the dyndns fellas. OpenDns has a facility called DNS-O-Matic which integrates common dynamic DNS providers and OpenDNS's filtering mechanism. Instructions and how-to is very clearly available on their www.opendns.com web site.

So, once you've sorted out your IPs and which network you belong, you can
go about the business of filtering! There are over 50 predefined categories filters and custom categories you can work with. Also, you could block based on domain names. More cooler, is the typo correction. People in a rush to get their groove on may mistype domain names and end up in some phishing scam site. Worry not my friend, this pretty lil thing again does the trick to help resolve incorrectly requested fields e.g. http://highsecurity.blogspot.cm will be "fixed" to http://www.highsecurity.blogspot.com. Neat!.

Lastly, this tool gives you reports! Yes, finding why your internet line is super chugged, bloodsucking websites such as Friendster and Facebook could be the culprits, then disable them. Yes, you can receive lifelong curses and odd stares while walking to the pantry but saves you the much precious bandwidth. Also, if you think that there's issues with the cache responses, you can choose to clear it right from their website.

You can have exceptions, this can be mitigated by using the whitelist feature that will then bypass all rules and settings that you have in the categories, individual domain and other possible false positive or exceptional sites you may wish to allow you users to browse to. Cool.

So, this will solve my content filtering issues?
Well, yea, sorta, users can however browse using IP addresses or change to another DNS server on their local TCP-IP settings. To mitigate this, implement an application layer firewall that will disallow access by using IP and direct DNS queries.

What about other protocols other than web based? Well, yea, other protocols when using names may work (not tried em all) but the fundamental is that, when name is resolved by IP in opendns.com servers, it will filter which is allowed and which is not. Only then, this tool will work. Novice users may truly be pissed... :D

What you need to be aware of using 3rd party DNS servers?
They could monitor your activity for statistical purposes or etc (god knows whatelse they will do with your data). If you are an organization which value privacy of users accessing the WWW, be aware of the possible consequences.
Post a Comment