Geekzone: technology news, blogs, forums

1874 posts

Uber Geek
+1 received by user: 83


Topic # 22394 27-May-2008 11:19

This isn't a thread asking for help, more of a thread offering a solution to a pesky problem I had. I had a domain blocking nightmare for a few months and I didn't know how I was going to get around it. I made this thread in the hope that it may help someone out there; it seems simple upon reading, but at the time I was stumped and managed to pull all this together.

Background info:
I am an administrator of a small network of about 20 laptops in a high school boarding house. The manager came to me asking how we could block bebo, facebook, youtube etc. (for bandwidth and privacy reasons). Installing ISA clients etc. on these laptops wasn't feasible; in fact installing any software wasn't going to work because they're their own private laptops and they would uninstall it.

Windows server 2000
Kerio winroute 6.4 - set to transparent proxy, which is also the dhcp server.
3com OfficeConnect ADSL Wireless 11g Firewall Router - 3CRWDR101A-75

At first I set about it pretty naively, in just the router, which gives you 20 slots to put in URLs/keywords to block, which in itself is quite useful. So I put bebo, youtube etc. in there; if they go to  they get blocked, if they google bebo it gets blocked because the word bebo appears in the URL. However, I soon found that the students were more crafty than I had originally thought: along came the proxy sites which let them bypass this URL block. Before I knew it the 20 slots were full and I couldn't block the thousands of proxy sites they were using, and that's where it stayed for about a month. I was stuck.
One day I stumbled across (what a marvellous free service). Basically you point your DNS to opendns, you set the filters (a group of websites, such as adult websites, video sharing etc.), and if you try to go to a blocked website it won't resolve and instead it will show a page stating that you have been blocked. I set social networking sites, porn, warez, and proxy sites to be blocked. All was well... well, at least for a few days, until I found 2 problems.

1. That students were using random DNS servers, and not using opendns.
2. The block page was giving too much away. Upon getting the block page it told you that opendns had blocked the page; it was only a matter of time before someone stumbled into the forums and found a way around the block, either by using another DNS server or even resolving the IP address manually and adding it to a hosts file.
3. The IP address was changing too often and the supplied opendns IP updater tool didn't seem to work, which stopped all website blocking until I manually updated the IP on their website.

1. In Kerio WinRoute I set a firewall rule to allow DNS to opendns servers and to deny any others, so now Kerio handles all DNS requests and forwards them through opendns (the hosts file trick will get around this, however).
2. I blocked the word opendns in the router; now they get the router's block page instead of opendns's, pretty crafty really. Now they don't know how I'm blocking these sites and the solution is no longer a couple of clicks away.
3. Set up homing beacon to automatically update my IP address on opendns servers.

So in conclusion I have a fairly bulletproof domain blocking system, using no software on clients' machines. It blocks thousands of websites and video sharing, every porn website I tried was blocked, and torrent trackers have been blocked (a very convenient way of stopping torrent abuse, I might add! I also put .torrent into the URL block of the router, which stops them from downloading torrent files to begin with, and also have .mp3, .avi etc. in the URL block, a pretty crude way of stopping file downloads from HTTP websites such as rapidshare, but it works!). Best of all it gets updated daily; thousands of sites are getting added to their database (it passed 1 million websites earlier this month).

This is a pretty long post, I didn't mean for it to get this bloated! And I'm sure I've forgotten some things; if you have any questions, ask away!
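The DNS rule and its hosts-file gap described in this post, turned into an audit over gateway logs, as an added example that is not part of the original post: it flags clients sending DNS to resolvers other than the two OpenDNS public addresses, and connections to IPs that the filtered DNS never returned to that client. The log layout and sample records are constructed and are not Kerio WinRoute's real log format.

```python
import ipaddress
from collections import defaultdict

# OpenDNS public resolvers: the only DNS destinations the firewall rule permits.
ALLOWED_RESOLVERS = {ipaddress.ip_address("208.67.222.222"),
                     ipaddress.ip_address("208.67.220.220")}

# Constructed sample in a hypothetical "KIND client field field" layout
# (not Kerio WinRoute's real log format); addresses are private/documentation ranges.
SAMPLE_LOG = """\
DNS_QUERY 192.168.1.21 208.67.222.222 example.org
DNS_ANSWER 192.168.1.21 example.org 203.0.113.10
CONNECT 192.168.1.21 203.0.113.10 80
DNS_QUERY 192.168.1.34 198.51.100.53 example.net
CONNECT 192.168.1.40 203.0.113.77 80
DNS_QUERY 192.168.1.40 208.67.220.220 example.org
DNS_ANSWER 192.168.1.40 example.org 203.0.113.10
not a log record
"""

def audit(log_text):
    """Return (rogue_dns, unresolved): per-client sets of suspicious destinations."""
    rogue_dns = defaultdict(set)   # client -> resolvers outside the allow-list
    unresolved = defaultdict(set)  # client -> IPs contacted with no prior DNS answer
    resolved = defaultdict(set)    # client -> IPs returned to it by the filtered DNS
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue               # skip blank or malformed records
        kind, client, a, b = parts
        try:
            if kind == "DNS_QUERY" and ipaddress.ip_address(a) not in ALLOWED_RESOLVERS:
                rogue_dns[client].add(a)       # a = resolver the client tried to reach
            elif kind == "DNS_ANSWER":
                resolved[client].add(str(ipaddress.ip_address(b)))  # b = answered IP
            elif kind == "CONNECT" and str(ipaddress.ip_address(a)) not in resolved[client]:
                # a = destination IP; no answer seen for it, so the name was resolved
                # elsewhere (hosts file, typed IP) or before this log window began.
                unresolved[client].add(a)
        except ValueError:
            continue               # field that should be an IP address is not one
    return dict(rogue_dns), dict(unresolved)

if __name__ == "__main__":
    rogue, direct = audit(SAMPLE_LOG)
    print("DNS to non-OpenDNS resolvers:", rogue)
    print("Connections without a DNS answer:", direct)
```

The second finding is a lead rather than proof: client-side DNS caching and answers older than the log window produce the same pattern.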

1335 posts

Uber Geek
+1 received by user: 159


  Reply # 133562 27-May-2008 13:53

Interesting solution.

However, as there are 10s of billions of webpages out there, I don't believe that any type of 'per page / site' blocking will ever be particularly effective in the long term.  Websites change & are added way too often.

I have recently implemented the excellent (& free) 'Dan's Guardian' Linux based web filter running on Ubuntu.  I thought it would take me days to set up, but it was all done in a few hours thanks to the excellent step by step tutorials around for non-Linux guys like me!

In another life (a few jobs ago) I worked for a Polytechnic and we tested a whole heap of commercial web filtering products.  All of them failed miserably, some were so bad you may as well just block every 2nd site!!  However, after almost giving up, we found Dan's Guardian and it passed with flying colours!!  We only had to make a few minor adjustments to the blocking rules and it was ROCK SOLID!!

Basically the difference between DG and all other web filters out there is that DG is the only one that filters based on word context and weighting.  This means that regardless of the website or page or method used to access, the filtering is always active and relevant.  It works very well.

As I have DG running in a VMWare Server (free) environment, I'd be happy to plunk the VM on a CD and send it to you if you want to give it a go (hell, you can probably even download it from me!).
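A simplified sketch of the word context and weighting idea this reply describes, as an added example that is not part of the reply and is not DansGuardian's own code or list format: each phrase found in the page body adds or subtracts a weight, and the page is blocked only when the total reaches a limit. The phrases, weights, limit and sample pages are all constructed.

```python
import re

# Constructed phrase list: positive weights push a page towards "block",
# negative weights mark context in which the same words are benign.
WEIGHTED_PHRASES = {
    ("web", "proxy"): 40,
    ("unblock", "sites"): 50,
    ("anonymous", "browsing"): 30,
    ("proxy", "server", "configuration"): -40,
    ("network", "administrator"): -30,
}
BLOCK_LIMIT = 60  # hypothetical threshold; pages scoring at or above it are blocked

def score_page(text, phrases=WEIGHTED_PHRASES):
    """Sum the weight of every phrase occurrence in the page text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    total = 0
    for phrase, weight in phrases.items():
        n = len(phrase)
        # Count each position where the phrase's words appear consecutively.
        hits = sum(1 for i in range(len(words) - n + 1)
                   if tuple(words[i:i + n]) == phrase)
        total += hits * weight
    return total

def verdict(text):
    """Return ("block" | "allow", score) for the page text."""
    score = score_page(text)
    return ("block" if score >= BLOCK_LIMIT else "allow", score)

# Constructed page bodies: both contain "web proxy", only one is a proxy site.
PROXY_PAGE = "Free web proxy! Unblock sites at school with anonymous browsing."
ADMIN_PAGE = ("Proxy server configuration guide for the network administrator: "
              "how a transparent web proxy caches pages.")

if __name__ == "__main__":
    print(verdict(PROXY_PAGE))
    print(verdict(ADMIN_PAGE))
```

A URL keyword rule for "proxy" would treat both sample pages the same way; the weighted score separates them because it is computed from the page content, whatever address the page was fetched from.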
