Trusted
Background info:
I am an administrator of a small network of about 20 laptops in a high school boarding house, the manager came to me asking how we could block bebo, facebook, youtube etc (for bandwidth and privacy reasons). Installing ISA clients etc on these laptops wasnt feasible, in fact installing any software wasnt going to work because its there own private laptops and they would unisntall it.
Equipment:
Windows server 2000
Kerio winroute 6.4 - set to transparent proxy, which is also the dhcp server.
3com OfficeConnect ADSL Wireless 11g Firewall Router - 3CRWDR101A-75
At first I set about it pretty naivley, in just the router. Which gives your 20 slots to put in url/keywords to block. Which in itself is quite usefull. So i put bebo youtube etc in there, if they goto bebo.com they get blocked, if they google bebo it gets blocked because the word bebo appears in the url. However i soon found that the students were more crafty than i had originally thought, along came the proxy sites which let them bypass this url block, before i knew it the 20 slots were full and i couldnt block the thousands of proxy sites they were using, and thats where it stayed for about a month, i was stuck.
One day i stumbled accross www.opendns.com (what a marvellous free service). Basically you point your dns to opendns, you set the filters (a group of websites, such as adult websites, video sharing etc), if you try and goto a blocked website it wont resolve and instead it will show a page stating that you have been blocked. I set social networking sites, porn, warez, and proxy sites to be blocked, all was well.. well atleast for a few days, until i found 2 problems.
1. that students were using random dns servers, and not using opendns.
2. the block page was giving to much away, upon getting the block page it told you that opendns had blocked the page, it was only a matter of time before someone stumbled into the forums and found a way around the block, either by using another dns server or even resolving the ip address manually and adding it to a hosts file.
3. ip address was changing to often and the supplied opendns ip updater tool didnt seem to work, which stopped all website blocking until i manually updated the ip on there website
Solutions:
1. In kerio winroute i set a firewall rule to allow dns to opendns servers and to deny any others, so now kerio handles all dns requests and forwards it through opendns, (the hosts file trick will get around this however)
2. i blocked the word opendns in the router, now they get the routers block page instead of opendns's, pretty crafty really.. now they dont know how im blocking these sites and the solution is no longer a couple of clicks away.
3.Setup homing beacon to automaticaly update my ip adress on opendns servers.
So in conclusion i have a fairly bullet proof domain blocking system, using no software on clients machines. It blocks thousands of websites, video sharing, every porn website i tried was blocked, torrent trackers have been blocked (a very convient way of stopping torrent abuse i might add! i also put .torrent into the url block of the router which stops them from downloading torrent files to begin with, also have .mp3 .avi etc in url block, a pretty crude way of stopping file downloads from http websites such as rapidshare but it works!), and best of all it gets updated daily, thousands of sites are getting added to there database (it passed 1 million websites earlier this month)
This is a pretty long post i didnt mean for it to get this bloated! and im sure ive forgotten some things, if u have any questions, ask away!
