Technopotomus

Home Network Project
  • Using DNS to block access to unwanted websites on your network.

    Posted on May 5th, 2009 lance No comments

    Why block sites from your network?

    Some businesses need to protect themselves from sexual harassment suits, so certain sites need to be blocked.  Having a no-harassment policy does not mean ALL employees are going to obey it.  Trust me, I work with some of these boneheads.  Companies also try to cut down on time wasted on the computers.  They have the right, and some exercise it, to monitor traffic on their network, but sometimes it’s just easier and cheaper to block certain websites.

    I read a post one day where a man was allowing his daughter and deadbeat son-in-law to live in his attached apartment while the son-in-law was supposedly looking for a job.  He let them use his wireless Internet connection since the son-in-law claimed it was necessary for finding a job.  The father was suspicious of the Internet activity, so, as the Internet provider for his daughter and son-in-law, he wanted a way to limit certain activities.


    Parents too may feel the need to block certain sites for obvious reasons, but then they may want to also be more specific in what’s blocked.

    There are several options available.

    One option is a little more involved and I hope to be able to play with it and post my experience here.  That would involve setting up a proxy server such as squid, and then setting up either SquidGuard or DansGuardian to block unwanted content.

    Another option works for Windows and Mac users: NetNanny.  The basic Family Pack Special at the time of this writing is under $60 for 3 Windows PCs for a year.  I looked at it a while back and it is quite configurable.  If you want to spend the money, this looks like a great option.  But we’ll see if we can find anything cheaper that fits the bill.

    The one we’re going to look at today is OpenDNS.  Can you say “FREE“?  Okay, why are we waiting?  No, I am not paid by OpenDNS, but for a freebie, it is definitely worth interrogating.

    The nice thing about OpenDNS is that it simply replaces the DNS servers you already use, so what operating system you run is a non-issue.  If you would rather have your router hand the OpenDNS addresses to every device through DHCP, you’re covered there as well.  Nifty, I must say.   So, how does this work?  What do I need to do?  After reading these steps, if you decide this is an option you wish to explore, go to OpenDNS, of course, and create an account.

    How does OpenDNS work?

    Just to recap from my post on Dynamic DNS: when you ask for a website through your browser, your computer does not know where to get it from, so it asks a DNS server where, for example, technopotomus.com resides.  The DNS server tells your computer the IP address for that name, and your computer then requests the web page from that particular IP address.

    Does it matter what DNS server you use?  Mostly yes, sometimes no.  Or is it the other way around?  Anyway, the closer your DNS server is to you, the faster it can answer your request.  A DNS server does not hold a copy of every domain on the Internet; it caches the answers it has handed out recently and looks up anything else from the servers that are authoritative for that domain.  So normally you’d use the DNS server your Internet provider runs for you.  Its address is handed to your computer or router automatically through DHCP, along with your dynamic IP address.

    Identification through IP address.

    If you now change your DNS servers to OpenDNS’ servers, will everything work okay?  NO.  How will they tell your requests from mine?  By your public IP address.  This poses a dilemma, considering most people have dynamic IP addresses.  Yours changes any time you reconnect to your Internet provider.  Even if you have a broadband connection and never disconnect, you still run that risk.  The power in your area could take a momentary hit, leaving your router off long enough that it has to reconnect, and it comes back with a newly assigned dynamic IP.

    How do we fix this?  Dynamic DNS.  Even if you are not interested in a domain name for connecting to your computer or network, it is necessary if you want your OpenDNS settings to keep following your network when the address changes.  Why?  Because they said so!!  That’s why!  Oh . . . wait, no that’s not why.  It’s so that when your IP address changes, your computer or router logs into your Dynamic DNS service and tells it what YOUR IP address is at any given moment (except for that minute the power was out and your computer/router was logging back on to the net).  That service can then be set up to pass your current IP address on to OpenDNS.  NOW they know your IP address, and NOW they know whose settings to apply to each request.  Keep the gap in mind though: until an update lands, queries from your new address get OpenDNS’ plain defaults, and whoever inherits your old address from the ISP’s pool briefly gets your settings instead.

    Okay.  Do we have that all cleared up now?   Good.  Let’s move on.

    All your base are belong to us.

    (Screenshot: Networks)

    What does that mean?  Okay, Wikipedia has the answer to this one.  Let me rephrase that.   Now that OpenDNS knows your IP address, its DNS servers can answer your lookups according to your settings: the real address for the sites you allow, and nothing useful for the ones you don’t.

    If you have more than one public IP address (say, one at home and one at the office), you can add each as its own network and give the computers behind each address their own settings.  It is quite configurable, I must say.  This opens up a larger number of possible scenarios.
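    To make the mechanism concrete, here is an added example, written for this page and not OpenDNS’ own code, of a toy filtering resolver that works the way described above: it keeps a table from public IP address to the settings registered for that network, the dynamic-IP update rewrites that table, categories and per-site exceptions (the kind discussed under “Summing up” further down) decide each answer, and a shortcut like TECH is expanded before lookup.  The zone data, the category database, the block-page address and the account name are all constructed for the example, and the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress

# RFC 5737 documentation addresses stand in for real ones throughout.
BLOCK_PAGE_IP = "192.0.2.1"   # assumed address of the "this site is blocked" page

# Constructed data: the answers an unfiltered resolver would give, plus a
# constructed category database standing in for the provider's real one.
ZONE = {
    "technopotomus.com": "203.0.113.10",
    "example-blog.net": "203.0.113.20",
    "casino.example": "203.0.113.30",
}
CATEGORY = {
    "technopotomus.com": "blogs",
    "example-blog.net": "blogs",
    "casino.example": "gambling",
}


class NetworkPolicy:
    """The settings one account has configured for one public IP address."""

    def __init__(self, name, blocked_categories=(), always_block=(),
                 always_allow=(), shortcuts=None):
        self.name = name
        self.ip = None                          # only ever set by update_ip()
        self.blocked_categories = set(blocked_categories)
        self.always_block = set(always_block)
        self.always_allow = set(always_allow)   # exceptions beat categories
        self.shortcuts = dict(shortcuts or {})  # e.g. "tech" -> "technopotomus.com"

    def blocks(self, domain):
        if domain in self.always_allow:
            return False
        if domain in self.always_block:
            return True
        return CATEGORY.get(domain) in self.blocked_categories


class FilteringResolver:
    """Every decision is keyed on the source IP of the query, nothing else."""

    def __init__(self):
        self.by_name = {}   # account name -> NetworkPolicy
        self.by_ip = {}     # current public IP -> NetworkPolicy

    def register(self, policy):
        self.by_name[policy.name] = policy

    def update_ip(self, name, new_ip):
        """What the dynamic-IP updater does whenever the public address changes."""
        policy = self.by_name[name]
        if policy.ip is not None and self.by_ip.get(policy.ip) is policy:
            del self.by_ip[policy.ip]         # forget the stale mapping
        policy.ip = ipaddress.ip_address(new_ip)
        self.by_ip[policy.ip] = policy

    def resolve(self, qname, source_ip):
        """Return the A record to answer with, or None for NXDOMAIN."""
        policy = self.by_ip.get(ipaddress.ip_address(source_ip))
        name = qname.lower().rstrip(".")
        if policy is not None and name in policy.shortcuts:
            name = policy.shortcuts[name]     # shortcut expands before lookup
        real = ZONE.get(name)
        if real is None:
            return None
        if policy is None:
            return real                       # unknown source: no filtering at all
        return BLOCK_PAGE_IP if policy.blocks(name) else real


def demo():
    """Walk through the scenarios from the post; returns the answers given."""
    r = FilteringResolver()
    r.register(NetworkPolicy(
        "lance-home",
        blocked_categories={"blogs", "gambling"},
        always_allow={"technopotomus.com"},          # block ALL blogs except this one
        shortcuts={"tech": "technopotomus.com"}))
    r.update_ip("lance-home", "198.51.100.7")
    out = {
        "own_blog": r.resolve("technopotomus.com", "198.51.100.7"),
        "other_blog": r.resolve("example-blog.net", "198.51.100.7"),
        "shortcut": r.resolve("tech", "198.51.100.7"),
        "stranger": r.resolve("casino.example", "198.51.100.200"),
    }
    # The failure mode from the post: the ISP hands out a new address. Until
    # the updater runs, queries from it are unfiltered; after it runs, the
    # old address (now somebody else's) is no longer tied to these settings.
    out["new_ip_before_update"] = r.resolve("casino.example", "198.51.100.9")
    r.update_ip("lance-home", "198.51.100.9")
    out["new_ip_after_update"] = r.resolve("casino.example", "198.51.100.9")
    out["old_ip_after_update"] = r.resolve("casino.example", "198.51.100.7")
    return out


if __name__ == "__main__":
    for scenario, answer in demo().items():
        print(f"{scenario:22s} -> {answer}")
```

    The last three scenarios are the part worth staring at: nothing in the DNS protocol tells the service that an address has changed hands, so the filtering is only ever as current as the last update it received.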

    (Screenshot: Create a Shortcut)

    Another nice customization they offer is shortcuts.  Let’s say you have a URL you go to a lot, but it’s a long one to type.  Say, for instance, TECHNOPOTOMUS.COM.  Now that’s too many letters for your tired fingers, and of course you don’t know how to use bookmarks in your browser, right?   Okay, sarcasm aside, this is still a cool little feature.  Instead of typing in the full name, you preconfigure a shorter version, say in this instance: TECH.   Now all you have to do is type TECH into your browser and hit enter, and the OpenDNS server expands it for you before those bits go blazing off to fetch your data at light speed.  Keep in mind the shortcut lives on the OpenDNS side only, so it works from a network that is using their servers and nowhere else.

    Managing and Reporting

    (Screenshot: Manage your account)

    Now that you have everything set up, you can enjoy seeing that it works.  One way, of course, is to try to access a site that should deny you access.  You should get a page from OpenDNS telling you why the page was denied.  That is, if everything is set up right.  Of course, don’t test it by visiting a site you don’t want the kids to see while they’re standing there.  Just in case you forgot to change your DNS servers.   Oh yeah, we didn’t get to that, did we?  In a minute.

    (Screenshot: Top Domain List)

    With your account all set up, you can access the dashboard to manage your account and check stats.  The stats show every DNS lookup made from your network, including what was blocked.  What’s nice is being able to specify a range of days and a type of domain and then filter what you want your report to display.  Remember what that report really is, though: OpenDNS sees the name of every site anyone on your network looks up.  That is the price of having a third party do the filtering, and it is worth deciding up front whether you are comfortable with it.

    (Screenshot: Action)

    Once that’s done, you can go through the list and click on Action for a particular domain to either block it in the future, or unblock it if the site was originally blocked and you’d rather it weren’t.  It’s these individual exceptions that are nice to have easy access to.

    Configuring your DNS servers.

    Normally, as was mentioned earlier, your computer or router gets the DNS server information automatically through DHCP.  However, if you are using different DNS servers than what your ISP wants to assign to you, you’ll need to configure them on your device manually.

    LINUX – Yeah, this is easy.  Change the nameserver lines in /etc/resolv.conf to the OpenDNS server addresses.  One catch: if the machine gets its address through DHCP, the DHCP client rewrites that file on every lease renewal and your change quietly disappears.  Either make the change on the router (which then hands out the OpenDNS addresses via DHCP to everything behind it) or tell your DHCP client to keep your nameservers instead of the ones it is offered.

    (Screenshot: DNS settings)

    Windows – Access the properties for your network card, be it wired or wireless, then click on Internet Protocol in the list of items your connection uses, then click on the properties button.  At the bottom of this new panel you should have an option to obtain your DNS server addresses automatically or you can set them yourself.  Are you reading ahead?  No?  Then how did you know I was going to tell you to click on the “Use the following DNS server addresses” option?   You are one smart cookie.  Okay, then configure the addresses, smarty.

    Mac –  Mmmm, sorry, as nice as Macs are, my exposure to them is about every six months.  Just long enough to be reminded that I don’t know my way around one very well.  I’ll bet if you don’t know how to change your DNS settings on your Mac, you could find information on the Internet.  Oops, I guess this page is on the Internet.  Okay, elsewhere on the Internet.  One day I will have a Mac and you can teach me.

    (Screenshot: Linksys setup)

    Linksys Router –  Okay, I only have information for Linksys routers, mainly because they are the most common ones out there.  If your router is a different brand, you should be able to find what you need by searching Google; you may well find it easily enough on your own.  On the Linksys main setup page there are settings toward the bottom for entering your DNS server addresses.  Wow, could it be any harder?  Setting them on the router is also the only way to cover every device on the network at once; a machine with its own hard-coded DNS servers never asks OpenDNS anything.

    Summing up.

    OpenDNS does allow you to make exceptions to the rules.  So if you wanted to block ALL blogs, except this one, you would select blogs in your categories to block, but then at the bottom of the page add whatever exceptions you want.

    I have experienced a site that should not have come through.  This is possible seeing as how someone has to maintain the database and it will not be 100% perfect.  But I do know it’s more thorough than a business hiring someone to sift through a gazillion web pages to determine what category they belong to.  If you do hit a site that should’ve been blocked, OpenDNS provides a means to enter that in so that others can benefit from your find.  You can search for sites and see what category they fit into, if any.

    Keep in mind though, they are a free service and you can expect to get what you pay for.  However, I do believe here you’re getting a lot more.  Also keep in mind what DNS filtering can and cannot do.  It only applies to devices that actually ask OpenDNS, so anyone who can change the DNS servers on their own machine, or who types an IP address instead of a name, walks right around it.  It’s a good fit for keeping honest people honest and for catching accidental visits, not for stopping a determined adult.

    They do though have this little quip on their site.  Read into it however you wish.

    Note: Domain blocking is not intended to be a category blocking service, like phishing or adult site blocking. It’s intended to give you pinpoint control over what’s on your network.

  • Hackers!!

    Posted on April 29th, 2009 lance No comments

    Hackers are trying to get in.

    Not to alarm anyone, but if you didn’t know already, unscrupulous individuals are trying to get into your system every day.  Most people are protected by their router and firewall software, which let traffic in ONLY when it belongs to a connection you initiated from inside your own network or computer.

    Fair enough.  But for someone who wants to play with their network from remote locations, herein lies the problem.  In order to connect to my Linux box from anywhere outside my home, I first have to forward port 22 (SSH) on my router to my Linux box.  Now I have access.  But so does anyone else who attempts a connection to my IP address.  Likely they have a script running that methodically walks through IP addresses looking for a response.  Now when they hit my IP address on the SSH port, instead of the usual silence they get an SSH banner and a password prompt.  Now they know it’s something worth trying to get into.  The next script starts trying standard login names, and when it hits upon a valid name, it then goes through the passwords.  Here’s what it looked like last night.

    This is a small excerpt from my /var/log/auth.log (grep -i failed /var/log/auth.log)

    Apr 28 19:43:11 ubuntu sshd[29796]: Failed password for invalid user xaviar from 150.140.143.203
    Apr 28 19:43:14 ubuntu sshd[29804]: Failed password for invalid user xavier from 150.140.143.203
    Apr 28 19:43:19 ubuntu sshd[29811]: Failed password for invalid user xaviera from 150.140.143.203
    Apr 28 19:43:24 ubuntu sshd[29814]: Failed password for invalid user xena from 150.140.143.203
    Apr 28 19:43:28 ubuntu sshd[29817]: Failed password for invalid user yasmin from 150.140.143.203
    Apr 28 19:43:32 ubuntu sshd[29820]: Failed password for invalid user yasmina from 150.140.143.203
    Apr 28 19:43:37 ubuntu sshd[29823]: Failed password for invalid user yasmine from 150.140.143.203
    Apr 28 19:43:41 ubuntu sshd[29825]: Failed password for invalid user yolanda from 150.140.143.203
    Apr 28 19:43:45 ubuntu sshd[29832]: Failed password for invalid user york from 150.140.143.203
    Apr 28 19:43:50 ubuntu sshd[29835]: Failed password for invalid user zach from 150.140.143.203
    Apr 28 19:43:54 ubuntu sshd[29847]: Failed password for invalid user zachary from 150.140.143.203
    Apr 28 19:43:59 ubuntu sshd[29854]: Failed password for invalid user zack from 150.140.143.203
    Apr 28 19:44:03 ubuntu sshd[29857]: Failed password for invalid user zander from 150.140.143.203
    Apr 28 19:44:08 ubuntu sshd[29860]: Failed password for invalid user zed from 150.140.143.203
    Apr 28 19:44:13 ubuntu sshd[29863]: Failed password for invalid user zeke from 150.140.143.203
    Apr 28 19:44:18 ubuntu sshd[29866]: Failed password for invalid user zena from 150.140.143.203
    Apr 28 19:44:22 ubuntu sshd[29869]: Failed password for invalid user zeph from 150.140.143.203
    Apr 28 19:44:27 ubuntu sshd[29872]: Failed password for invalid user zoe from 150.140.143.203
    Apr 28 19:44:31 ubuntu sshd[29875]: Failed password for invalid user zoey from 150.140.143.203
    Apr 28 19:44:36 ubuntu sshd[29877]: Failed password for invalid user zorro from 150.140.143.203
    Apr 28 19:44:41 ubuntu sshd[29880]: Failed password for root from 150.140.143.203
    Apr 28 19:44:45 ubuntu sshd[29883]: Failed password for root from 150.140.143.203
    Apr 28 19:44:49 ubuntu sshd[29891]: Failed password for root from 150.140.143.203
    Apr 28 19:44:54 ubuntu sshd[29894]: Failed password for root from 150.140.143.203

    As you can see, they were working through common first names alphabetically.  They did way more than that, using standard usernames like “user, sysadmin, admin, guest, matrix, neo, trinity” and so on.  The lesson learned here is that any usernames on your system should not be dictionary words.  Too easy to guess.  Make it something you can remember, but that somewhat resembles a secure password (numbers, big & small letters).  Keep that in perspective, though: an unusual username only raises the attacker’s cost a little, and the attempts above only succeed against a weak password.  Notice they also tried root directly, which should never be allowed in over SSH at all.  Setting PermitRootLogin no in /etc/ssh/sshd_config, and better still PasswordAuthentication no so that only key-based logins are accepted, takes this whole class of attack off the table.

    iftop

    How did I know someone was hitting my box?  Pure luck.  I figured people were trying before, but did not realize to what extent.  I also wonder how many of these script kiddies had hit my box before?

    Every now and then when I’m logged into my Linux box, I like to just play around to keep in practice with some of the many tools there are, like ipcalc and such.  One of the tools I’ve installed is iftop.  It’s much like top, but for network interfaces.  I have a second network card on my box connected to my Cisco router.  The port on that router mirrors all the other ports so that it can see ALL the traffic on my network.  The benefit of this is that when I run iftop on this interface, I can see ALL my traffic, not just the data specific to that IP address.  It’s great for working with Wireshark too.

    The command I use, with -p for promiscuous mode, -B to show bytes rather than bits and -i for the mirrored interface (iftop does not come with Linux; you must install it):

    sudo iftop -p -B -i eth1

    (Screenshot: iftop)

    I can see devices on my network communicating with each other.  Nagios on my Linux box polling devices, websites being delivered to another PC on my home network, the router looking for other routers, etc.   What I did see last night, though, was a hostname that did not look right.  It ended in .gr, not the usual .com, .net or .org, and it was not on my local network.

    I performed a whois on that sucker and found it was from Greece.  The University of Patras in Greece.   Ahhhhh, it figures.  Kid goes to college, takes some computer science courses, learns all about computers, networking and so on.  Now he figures he can make his own little scripts to access networks around the world.  And he is probably successful at times.  Not this time.  I found him.

    Now that I see him, what to do?  Well, since I’ve a Cisco router and the know-how, I create an ACL (access control list) to block him.   I could have blocked just his address, but was not sure if he’d just get another one somehow and try again, so I wanted to block the whole country.  My friend Sean had recently written a Perl script that builds an ACL containing EVERY IP range for the country of your choice.  Perfect.  I ran this sucker and WOW, Greece had 180 IP ranges.  Weirdly enough, none of them included my hacker’s address (I mean the University of Greece’s).  We’ll work on that later.  So I added a range for the university to the new ACL and applied it to my interface.

    As you can see from the last few lines of my ACL, after it was applied I still had 4,677 hits from him.  But he was stopped at the router.  (BTW, my /var/log/auth.log stopped filling up on its own, because now he could not get through.)

    1730 deny ip 213.16.128.0 0.0.127.255 any
    1740 deny ip 213.140.128.0 0.0.31.255 any
    1750 deny ip 213.142.128.0 0.0.31.255 any
    1760 deny ip 213.170.192.0 0.0.31.255 any
    1770 deny ip 213.249.0.0 0.0.63.255 any
    1780 deny ip 217.19.64.0 0.0.31.255 any
    1790 deny ip 217.30.160.0 0.0.15.255 any
    1800 deny ip 217.69.0.0 0.0.15.255 any
    1810 deny ip 150.140.128.0 0.0.127.255 any (4677 matches)
    9999 permit ip any any (8003 matches)

    That last line was to make sure anyone else (myself especially) could get through.   Okay, so that does not stop the others.  We’ll get to that soon.  But in the mean time, this particular misfit is denied.

    Yes, I need to block out the world and yet still let myself in.   So now I’ll create a smaller ACL that denies everyone except my local region.  This being because I may want to get in from different places, i.e. my parents, work, coffee shops, etc.

    So a smaller and complete ACL is shown below.

    10 permit ip 100.100.0.0 0.0.63.255 any log (14 matches)
    20 permit ip 200.100.0.0 0.0.63.255 any log (817 matches)
    30 permit ip 200.200.0.0 0.0.31.255 any log
    90 permit udp any eq domain any log (252 matches)
    91 permit tcp any range ftp-data ftp any log
    92 permit icmp any any echo-reply (15 matches)
    100 permit tcp any any established (2640 matches)
    65535 deny ip any any log (16 matches)

    I changed the real IP addresses for display purposes.  The first 3 lines permit access from 2 major ISPs in my geographical area.  Line 90 allows DNS answers to come back.  Line 91 allows FTP connections (I’d rather not, as it’s not too secure, but I have a couple of websites whose hosting companies don’t seem to care too much about security).  Line 92 allows PING to work.  It’s nice to be able to ping a website and get a response just to know certain things are working while I’m troubleshooting.  Then line 100 allows anything that I’ve initiated to come through.  So if I want to access a web page hosted at the University of Greece, I can.  But their students cannot enter my domain.

    Two cautions on this list, though.  Lines 90 and 91 match on the source port only, and the attacker chooses his source port.  A scan sent from UDP port 53, or a TCP SYN sent from port 20 or 21, matches those lines and is permitted to any port on my box, which quietly undoes what the deny at the bottom is for.  The safer shape is to let TCP replies back in only via established, and for DNS to permit UDP from the two resolvers I actually use rather than from any.  Also, established only checks that the ACK or RST flag is set, which a hand-crafted packet can set too; it keeps out the casual scanner, not someone who knows the trick, which is why the firewall on the Linux box itself still matters behind the router.
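    To check both lists mechanically, here is an added example (mine, not the script Sean wrote): it converts a CIDR block to the base/wildcard pair IOS expects, parses access-list entries exactly as the router prints them, and evaluates packets against the second ACL above, first match wins.  It confirms that line 1810 of the country list really does cover 150.140.143.203, and it shows the source-port hole in lines 90 and 91: the same SSH probe is denied with a random source port and permitted when sent from port 21.  The probe packets and the router address ME are constructed for the example.

```python
import ipaddress
from collections import namedtuple

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any" as base + wildcard
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53, "www": 80}
ACE = namedtuple("ACE", "seq action proto src sports dst dports established icmp_type")


def cidr_to_wildcard(cidr):
    """'150.140.128.0/17' -> ('150.140.128.0', '0.0.127.255'), Cisco style."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def _addr(toks):
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def _ports(toks):
    if toks and toks[0] == "eq":
        p = PORT_NAMES.get(toks[1]) or int(toks[1])
        return (p, p), toks[2:]
    if toks and toks[0] == "range":
        lo, hi = (PORT_NAMES.get(t) or int(t) for t in toks[1:3])
        return (lo, hi), toks[3:]
    return (0, 65535), toks


def parse_ace(line):
    """Parse one entry as IOS prints it, e.g. '90 permit udp any eq domain any log (252 matches)'."""
    toks = line.split("(")[0].split()           # drop the "(n matches)" counter
    seq, action, proto = int(toks[0]), toks[1], toks[2]
    src, rest = _addr(toks[3:])
    sports, rest = _ports(rest)
    dst, rest = _addr(rest)
    dports, rest = _ports(rest)
    icmp = next((t for t in rest if t.startswith("echo")), None)
    return ACE(seq, action, proto, src, sports, dst, dports, "established" in rest, icmp)


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace.src) and wildcard_match(pkt["dst"], *ace.dst)):
        return False
    if ace.proto in ("tcp", "udp"):
        if not (ace.sports[0] <= pkt["sport"] <= ace.sports[1]
                and ace.dports[0] <= pkt["dport"] <= ace.dports[1]):
            return False
    if ace.established and not pkt.get("ack"):   # 'established' = ACK or RST bit set
        return False
    if ace.icmp_type and pkt.get("icmp_type") != ace.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """First match wins; fall through to the implicit deny at the end."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.seq, ace.action
    return None, "deny"


# The post's second ACL, exactly as printed (placeholder addresses as in the post).
INBOUND_ACL = [parse_ace(l) for l in """\
10 permit ip 100.100.0.0 0.0.63.255 any log (14 matches)
20 permit ip 200.100.0.0 0.0.63.255 any log (817 matches)
30 permit ip 200.200.0.0 0.0.31.255 any log
90 permit udp any eq domain any log (252 matches)
91 permit tcp any range ftp-data ftp any log
92 permit icmp any any echo-reply (15 matches)
100 permit tcp any any established (2640 matches)
65535 deny ip any any log (16 matches)
""".splitlines()]

ME = "100.100.10.20"   # constructed: the router's public side, inside the first ISP range


def demo():
    greek = "150.140.143.203"
    probes = {
        "ssh_syn": dict(src=greek, dst=ME, proto="tcp", sport=45678, dport=22),     # caught by 65535
        "ssh_syn_sport_21": dict(src=greek, dst=ME, proto="tcp", sport=21, dport=22),  # slips via 91
        "udp_sport_53": dict(src=greek, dst=ME, proto="udp", sport=53, dport=161),     # slips via 90
        "web_reply": dict(src="203.0.113.10", dst=ME, proto="tcp", sport=80, dport=51000, ack=True),
        "from_isp": dict(src="100.100.5.5", dst=ME, proto="tcp", sport=40000, dport=22),
    }
    verdicts = {name: evaluate(INBOUND_ACL, pkt) for name, pkt in probes.items()}
    base, wc = cidr_to_wildcard("150.140.128.0/17")        # line 1810 of the country list
    verdicts["line_1810_covers_attacker"] = ((base, wc), wildcard_match(greek, base, wc))
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

    Run it and the two “slips via” probes come back permitted by lines 91 and 90, which is the point: a permit keyed on the attacker’s own source port is a permit the attacker controls.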

    Take a look at that last line that denies everyone else, there’s 16 matches.  I have these logged, as you can see.  From the log I found hits from China, France and Poland.  All within a few hours.

    Log Entry:
    Apr 28 23:55:57.064:  list 2100 denied tcp 83.16.20.98 –   Connection attempt from Poland.

    More to come

    Now this does not totally protect me.  I am still vulnerable from my local area, but for a limited time.  Sean has offered me access to his secure network that will allow me to do one thing and one thing only from there, to connect to my network.  Now he has a static IP address, so my ACL can then be written to allow an un-established connection from the outside from that particular IP address only.

    Another safeguard is iptables.  I have briefly toyed with this firewall built into Linux, and it is very flexible.  Supposedly one can set it up to allow a set number of failed login attempts before it drops that particular IP address for a set amount of time.  This would seriously slow down script kiddies and others.  However, if I were to mistype my password that many times, I could lock myself out for a while as well.  Oh well, guess I better slow down on my typing.
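    As an added example (mine, not something from the post), here is the rule described in the last paragraph run over auth.log lines in the format of the excerpt earlier in this post: parse every “Failed password” line, count failures per source address inside a sliding window, and ban the address for a while once it crosses the threshold, with an exception list so your own address can never be locked out.  The sample log lines are constructed for the example; apart from the Greek address quoted in the post, the addresses are from the RFC 5737 documentation ranges, and the threshold and timeout values are arbitrary.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches both shapes in the excerpt: "invalid user NAME" for names that do
# not exist on the box, plain "NAME" for ones that do (such as root).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failed(lines, year=2009):
    """Yield (timestamp, source ip, username, is_invalid_user) per failure."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m is None:
            continue                       # accepted logins, disconnects, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], m["invalid"] is not None


class BruteForceGuard:
    """Threshold-and-timeout rule like the one the post wants from iptables."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=1), never_ban=()):
        self.max_failures = max_failures
        self.window = window
        self.ban_for = ban_for
        self.never_ban = set(never_ban)    # your own addresses: no self lock-out
        self.recent = defaultdict(list)    # ip -> failure timestamps inside the window
        self.banned_until = {}             # ip -> when the ban lapses
        self.failures = Counter()          # ip -> total failures seen
        self.usernames = defaultdict(set)  # ip -> names tried

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def observe(self, ts, ip, user):
        """Record one failure; return True when this one triggers a new ban."""
        self.failures[ip] += 1
        self.usernames[ip].add(user)
        if ip in self.never_ban or self.is_banned(ip, ts):
            return False
        window = [t for t in self.recent[ip] if ts - t <= self.window]
        window.append(ts)
        self.recent[ip] = window
        if len(window) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_for
            self.recent[ip] = []
            return True
        return False


# Constructed sample in the same format as the excerpt above.
SAMPLE_LOG = """\
Apr 28 19:43:11 ubuntu sshd[29796]: Failed password for invalid user xaviar from 150.140.143.203
Apr 28 19:43:14 ubuntu sshd[29804]: Failed password for invalid user xavier from 150.140.143.203
Apr 28 19:43:19 ubuntu sshd[29811]: Failed password for invalid user zed from 150.140.143.203
Apr 28 19:43:24 ubuntu sshd[29814]: Failed password for root from 150.140.143.203
Apr 28 19:43:28 ubuntu sshd[29817]: Failed password for root from 150.140.143.203
Apr 28 19:43:32 ubuntu sshd[29820]: Failed password for root from 150.140.143.203
Apr 28 19:45:01 ubuntu sshd[29901]: Accepted publickey for lance from 198.51.100.5 port 51022 ssh2
Apr 28 19:46:10 ubuntu sshd[29910]: Failed password for lance from 198.51.100.5
Apr 28 23:55:57 ubuntu sshd[30001]: Failed password for invalid user admin from 203.0.113.98
Apr 28 23:55:59 ubuntu sshd[30003]: Failed password for invalid user guest from 203.0.113.98
"""


def analyse(log_text, my_addresses=("198.51.100.5",)):
    """Run the guard over a log; report who got banned and what each source tried."""
    guard = BruteForceGuard(max_failures=5, never_ban=my_addresses)
    bans = []
    for ts, ip, user, _invalid in parse_failed(log_text.splitlines()):
        if guard.observe(ts, ip, user):
            bans.append((ip, ts))
    return {
        "bans": bans,
        "failures": dict(guard.failures),
        "usernames": {ip: sorted(names) for ip, names in guard.usernames.items()},
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, when in report["bans"]:
        print(f"ban {ip} from {when:%b %d %H:%M:%S}; "
              f"{report['failures'][ip]} failures total, tried {report['usernames'][ip]}")
```

    The Greek address trips the ban on its fifth failure inside the window, the two-attempt source stays under the threshold, and my own typo on 198.51.100.5 is counted but never banned.  In production the decision would be handed to iptables (fail2ban does exactly this loop over sshd’s log for you), and the never_ban list is the answer to the typo worry.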

  • Vanity Plate

    Posted on April 22nd, 2009 lance No comments

    Take a Break

    Okay, I’m going to take a break at this moment from the regularly non-scheduled blogging of Networking and Linux to share something still Linux related.  My new vanity plate.

    I’ve always toyed with the idea of getting a vanity plate, but I did not want something too ordinary or obvious.  I wanted something unique, yet still relevant to something a portion of society could relate to or understand.  I did have a few ideas, but they were taken, such as 127001, which would be the IP address 127.0.0.1 which is the localhost or loopback IP address translating basically to “this device”.

    Well, I received my plates in the mail yesterday.

    (Photo: My Vanity Plate)

    SUDO MV.  For those new to Linux, sudo is the command that lets an ordinary user run a single command with superuser (root) privileges, provided the sudoers file says they may.  That could be editing system files, modifying another user’s files, anything regular users do not have access to.  It’s the SUPER USER.  The MV is “move”.  So as my car traverses the data bus known as the highway (not informational nor super) it is being moved by the Super User.  Oh yeah!!

    Yes, it’s the little things in life that add up to something big.

    To illustrate the point of SUDO a little more I’ve attached a comic from xkcd that was some of the inspiration for my choice of plates.

    (xkcd comic: Sandwich)

    And that is how things take place in Linux.  There are times I try to run a command or edit a file and I’m denied.  It is then I need to use SUDO.

    Tip: If you type a long command and are denied because it needs superuser ability, type “sudo !!”.  In bash the double exclamation points expand to the previous command, so it is rerun under sudo.  Try it, you’ll like it.

  • How can Dynamic DNS help you?

    Posted on April 19th, 2009 lance No comments

    What is DNS? (domain name system)

    Let me put it in terms most people can relate to.  The phone book.  When you want to call someone who’s phone number you don’t have, you grab the white pages (or yellow if it’s a business) and then you find their name and listed phone number.  You now have a number to call and so then you dial it on your phone.  In the world of networks, the internet being the biggest, connections are made by IP addresses, not the URL (i.e. technopotomus.com).

    (Image: Phone Book)

    With DNS, it’s all taken care of for you.  Your computer is given a DNS server either statically or dynamically when it obtains its temporary IP address.  Now when you enter a web address your computer does not know the IP for, it asks the DNS server for the IP address of the name you requested.  The server tells your computer the number, and your browser then uses that IP address to communicate with the web server.  Much like a 411 operator can connect your call after you ask for someone’s number.

    The benefit of this to you and me is that we don’t have to remember the IP address for google.com, ubuntu.com or technopotomus.com.  We just have to remember their names, and that’s a lot easier.  Especially once devices start using IPv6, you do NOT want to remember those numbers.

    What is dynamic DNS?

    Now if you want to connect to your home network from work, your buddy’s house or wherever else you have an Internet connection, how are you going to do that?  Most people do not have a static IP address for their home Internet connection.  Why?  Because your ISP has a pool of addresses: when your computer or router connects, it is given a temporary IP address, and when you disconnect the address goes back into the pool.  The next time you connect, your IP address is likely to be different from the last time.  For most people, this is no big deal.  It’s been that way for some time without many people knowing, or caring, just so long as they can surf the net.

    Again, how are you going to connect to your home network from work?  Dynamic DNS!!

    How Dynamic DNS can be of help to you.

    If you have your own domain name, this can work.  If you don’t, this can still work.

    Keep in mind now there is a slew of Dynamic DNS providers.  Most of them provide this service for free.  Hey what could be better than that?  I suppose if they paid us to use their service, that would be better, but lets keep things on the side of reality here.  Most new household routers also provide a spot where you can enter your Dynamic DNS information (after you’ve signed up with a provider).  If you don’t have a router that will accommodate, or you’d rather not use a router for whatever reasons, you can install a small client on your computer which will do the same thing for you.

    How to get service.

    (Screenshot: DynDNS service)

    DynDNS is just one service.  I am using them as a sample only because that’s a service I have used and am familiar with.  I imagine the others are as simple to set up and use.  Once you create an account, you get to choose from a variety of domain names such as blogdns.com, dnsalias.com, hobby-site.com, is-a-geek.com and many, many others.  You then choose your 3rd-level name to put in front of your choice (if it’s available).  So imagine choosing birdhouses.hobby-site.com; then you can refer to your network as such.  And if you choose to set up a web server, you can give this name out to direct traffic to your website.

    (Screenshot: Linksys Dynamic DNS setup)

    Your next step is to enter your login name, password and your new hostname into your router.   If you chose to use an IP update client for your computer, make sure the service you chose has a client for your operating system.  DynDNS has a client for Linux, MacOS and Windows.

    How does it work?

    Once you have completed your configuration, go make a sandwich or two and eat them.  It will take some time to update.

    The process now is that your router or client periodically connects to your DDNS service with your username and password.  The service takes your public IP address from the source address of that connection and points your hostname at it.  (Don’t worry if your client is on a machine behind a router; the connection still leaves through the router, so the DDNS service still sees your public IP address.)

    Once the update is complete, requests for birdhouses.hobby-site.com will go to your IP address.  Keep in mind though that if you try to connect TO your public IP address FROM inside your own network, it usually will not work.  Most home routers do not do “NAT loopback” (hairpin NAT): a request from the inside aimed at the router’s own outside address never gets forwarded back in.  I found that out when my DDNS service did not seem to work, then I gave it one last try from work and it was working.  Test it from outside.
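    To show the update exchange end to end, here is an added example that is not code from DynDNS or from this post.  It models the client side of the dyndns2-style update that most routers and updater programs speak (an HTTP GET to /nic/update carrying the hostname, an optional myip, and HTTP Basic authentication; the exact URL and the response words are assumptions to check against your provider’s documentation), skips the update when the address has not changed, and treats “badauth” and friends as configuration errors rather than something to retry.  The provider is replaced by a constructed in-memory stand-in so the example runs offline; the hostname, account and addresses are made up.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit


class UpdateClient:
    """Client side of a dyndns2-style update (URL and response words assumed)."""

    def __init__(self, hostname, username, password, send,
                 server="members.dyndns.org"):
        self.hostname, self.username, self.password = hostname, username, password
        self.server = server
        self.send = send              # callable(method, url, headers) -> response body
        self.last_confirmed = None    # last IP the service acknowledged

    def build_request(self, myip=None):
        params = {"hostname": self.hostname}
        if myip:
            params["myip"] = myip     # omitted -> service uses the connection's source address
        url = f"https://{self.server}/nic/update?{urlencode(params)}"
        token = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
        headers = {"Authorization": f"Basic {token}",
                   "User-Agent": "technopotomus-updater/0.1 (lance@example.com)"}
        return "GET", url, headers

    def update(self, current_ip=None):
        """Push an update only when the address changed; return the service's verdict."""
        if current_ip is not None and current_ip == self.last_confirmed:
            return "skipped"          # repeated no-change updates get accounts flagged as abusive
        body = self.send(*self.build_request(current_ip)).strip()
        code, _, confirmed = body.partition(" ")
        if code in ("good", "nochg"):
            self.last_confirmed = confirmed or current_ip
            return code
        if code in ("badauth", "nohost", "notfqdn", "abuse", "badagent"):
            raise PermissionError(f"update rejected, fix the configuration: {body}")
        return code                   # "911", "dnserr": transient, try again later


def fake_service(accounts, records, source_ip="198.51.100.7"):
    """Constructed stand-in for the provider so the example runs offline.
    accounts: {username: password}; records: {hostname: ip}, updated in place."""
    def send(method, url, headers):
        scheme, _, encoded = headers.get("Authorization", "").partition(" ")
        user, _, pw = base64.b64decode(encoded).decode().partition(":")
        if scheme != "Basic" or accounts.get(user) != pw:
            return "badauth"
        q = parse_qs(urlsplit(url).query)
        host = q.get("hostname", [""])[0]
        if host not in records:
            return "nohost"
        ip = q.get("myip", [source_ip])[0]   # no myip: the address the request came from
        if records[host] == ip:
            return f"nochg {ip}"
        records[host] = ip
        return f"good {ip}"
    return send


def demo():
    records = {"birdhouses.hobby-site.com": "203.0.113.1"}   # stale address from last time
    send = fake_service({"lance": "correct horse"}, records)
    client = UpdateClient("birdhouses.hobby-site.com", "lance", "correct horse", send)
    steps = {}
    steps["first_update"] = client.update()                   # no myip: service sees 198.51.100.7
    steps["record_after_first"] = records["birdhouses.hobby-site.com"]
    steps["same_address_again"] = client.update("198.51.100.7")
    steps["address_changed"] = client.update("198.51.100.9")  # router reconnected, new lease
    steps["record_after_change"] = records["birdhouses.hobby-site.com"]
    try:
        UpdateClient("birdhouses.hobby-site.com", "lance", "wrong", send).update("198.51.100.9")
        steps["bad_password"] = "accepted"
    except PermissionError as err:
        steps["bad_password"] = str(err).rsplit(": ", 1)[-1]
    return steps


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:20s} {result}")
```

    Two details matter in practice: the client only talks to the service when something changed, because providers lock out accounts that re-send the same address over and over, and the credentials travel in a Basic header, so the request must go over HTTPS or anyone sniffing the path can update your hostname for you.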

    Be Careful.

    Keep in mind now that if you publish your hostname, it will be more noticeable to others, perhaps people wanting to compromise your network.  Be careful what you put on there, and what security measures you need to take to keep things secure.  If you log into your computer remotely, be sure not to use TELNET.  It sends everything in clear text, so anyone with a packet sniffer who comes upon your transmission will see your IP address, username and password.  Wow, now you’ve got a big problem.  To avoid that, use Secure Shell (SSH).  One such client is PuTTY.  You will, however, have to make sure that you have an SSH server installed on the device you plan to connect to.  And once SSH is reachable from the Internet, the password-guessing scripts will find it sooner or later, so use a strong password or, better, keys.

    So when your IP address changes, for whatever reason, you’ll never be out of your system or users denied access to your website.   As your IP address is Dynamic, so will your Domain.  Cheers.
