URL filtering (manual)

mbox (HSG/CMG/HSA) supports URL filtering based on a DNS blacklist/whitelist, and allows the administrator to configure a list of URLs to permit or deny. We can configure a manual list via CLI, or integrate with SafeDNS for category-based URL filtering.

There are several ways to filter URL accesses:

  1. Use firewall content filtering to deny/permit by strings containing a specific URI. This method is the least recommended and is very prone to false alarms. Refer to this section for more details on string filtering.

  2. Use the web proxy to permit/deny by domain, e.g. "proxy-access 10 permit domain playboy.com". This method is effective, but only available in HSG/CMG. Running the web proxy service on mbox also adds considerable processing overhead. Refer to this section for more details on the web proxy.

  3. Use DNS reject/resolve features. This is the simplest and most effective way for URL filtering and logging. In this method, mbox acts as a DNS proxy server, intercepts client DNS requests, and determines if the requested destination DNS resolution should be denied (reject) or permitted (resolve). It works well for both http and https websites.

  4. Use SafeDNS for category-based DNS filtering. SafeDNS records a total of more than 100 million websites and groups them into different categories, so that we can easily choose to permit/deny URL accesses by category. This simple option requires mbox (HSG/CMG/HSA) to point to the SafeDNS name-server as our upstream name-server; the administrator can then log in to the SafeDNS dashboard to configure filtering policies. There's a small subscription cost for this option, but it is an ideal balance between cost and functionality for most SME enterprises. We will cover this feature in a separate document.

  5. Use Menlo Security for category based URL filtering and web isolation. This is the ultimate web security solution but comes with higher subscription cost. Please see more details on this feature here.

This document will focus on using mbox DNS reject/resolve feature (#3) for URL filtering and logging.

URL blacklisting (deny some URL, permit all others)

URL blacklisting means denying certain URL accesses only and permitting everything else. To achieve URL blacklisting, we simply need to configure DNS reject for the target domain. DNS reject is an extension of our DNS rewrite feature: it "spoofs" the DNS resolution of the target domain/URL to the fake IP 0.0.0.0, so the access is denied.

All other DNS requests are passed to upstream name-server for normal resolution (therefore permitted).

CONFIGURATION STEPS

  1. Configure the upstream DNS name-server (usually the ISP name servers or the well-known Google name servers, 8.8.8.8 and 8.8.4.4)

ip name-server 8.8.8.8 8.8.4.4

  2. Configure firewall rules to force-intercept user DNS traffic. Since mbox now works as the DNS server for users, we need to intercept all user DNS queries and decide whether to allow or disallow them.

firewall-dnat 99 redirect inbound eth1 udp dport 53 rdport 53 remark "intercepts client DNS requests"
firewall-input 99 permit inbound eth1 tcp dport 53 remark "permit access to local DNS service"

  3. Configure DNS/URL reject to deny the target domains/URLs.

ip host hotmail.com reject

NOTE: if we define a domain here, the sub-domain URLs will also be blocked. For example, if we block yahoo.com, all other sub-domain URLs (e.g. xxx.yahoo.com) will be blocked. If you just want to block a particular URL only, try to be as specific as possible.

  4. Enable URL logging.

    • The URL logging here is really DNS query logging. By default, mbox logs all DNS query requests. Because each URL access triggers a DNS request first, DNS query logging is a good equivalent to URL logging (without the full URI details, of course).

    • Then we configure mbox as a log client sending query logs to a log collector for reporting, either an external log server or local logging (HSG only).

CONFIGURATION EXAMPLES

In this configuration guide, we configure HSG for DNS filtering and also use it as a syslog server. Refer to this section for details on mbox logging.

hostname mbox
!
interface eth 0
 description "Connection to WAN/Internet"
 enable
 ip address dhcp
!
interface eth 1
 description "Connection to LAN switch"
 enable
 ip address 10.1.1.1/24
 dhcp-server
  description "Configure mbox to assign IP to internal users"
  dns 10.1.1.1
  range 10.1.1.10 10.1.1.100
!
ip host splash.ransnet.com 2.1.2.1 rewrite
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host hotmail.com reject
ip host playboy.com reject
ip host yahoo.com reject
!
ip name-server 8.8.8.8 8.8.4.4
!
firewall-dnat 10 redirect all udp dport 53 src 192.168.0.0/16 rdport 53
!
firewall-input 10 permit inbound eth1 udp src 10.1.1.0/24 dport 53 remark "permit DNS query"
!
firewall-access 10 permit outbound eth0 remark "permit all outbound access"
!
firewall-snat 10 overload outbound eth0 remark "hide all internal private IP to WAN interface IP"
!
security log-server
 log-input 10 accept tag unbound
 log-input 11 accept msg mboxfw
 data-lifetime 3
 start
!

Once the above is configured, connect your PC to the LAN port (either to eth1 or to a switch connected to eth1). Verify the configuration by trying to connect to the blocked sites and to other, non-blocked sites. You will not be able to browse the sites in the blocked list and should have no problem accessing other sites. For HSG, log in to the mbox GUI and check live logs; you will see the URL live logs.

URL whitelisting (allow some URL, block all others)

URL whitelisting is "opposite" to blacklisting. Basically, you want to allow certain URL access only, and everything else should be blocked. To achieve this objective, we will use a combination of mbox DNS reject and resolve features.

  • DNS reject denies DNS requests. So we simply need to configure "ip host . reject" to deny all.

  • DNS resolve permits the target domains/URLs by telling mbox to resolve these domains/URLs normally through upstream name-server.

CONFIGURATION STEPS

  1. Configure the upstream DNS name-server (usually the ISP name servers or the well-known Google name servers, 8.8.8.8 and 8.8.4.4)

ip name-server 8.8.8.8 8.8.4.4

  2. Configure firewall rules to force-intercept user DNS traffic. Since mbox now works as the DNS server for users, we need to intercept all user DNS queries and decide whether to allow or disallow them.

firewall-dnat 99 redirect inbound eth1 udp dport 53 rdport 53 remark "intercepts client DNS requests"
firewall-input 99 permit inbound eth1 tcp dport 53 remark "permit access to local DNS service"

  3. Configure DNS/URL reject (an extension of rewrite) to deny everything else (a single . denotes all)

ip host . reject

  4. Configure DNS/URL resolve to permit the target domains/URLs only

ip host google.com resolve

NOTE: a domain defined here also matches its sub-domains. For example, if we define yahoo.com, all its sub-domain URLs (e.g. xxx.yahoo.com) are matched as well. If you only want to match a particular URL, try to be as specific as possible.

CONFIGURATION EXAMPLES

In the config example, we will permit facebook, whatsapp and some google services only, and deny everything else. Below shows a snip of the config.

!
ip host . reject
ip host akamai.net resolve
ip host akamaihd.net resolve
ip host akamaized.net resolve
ip host facebook.com resolve
ip host facebook.net resolve
ip host fbcdn.net resolve
ip host gmail.com resolve
ip host dns.google resolve
ip host google-analytics.com resolve
ip host google.com resolve
ip host google.com.sg resolve
ip host googleadservices.com resolve
ip host googleapis.com resolve
ip host googlesyndication.com resolve
ip host googletagservices.com resolve
ip host googleusercontent.com resolve
ip host googlevideo.com resolve
ip host gstatic.com resolve
ip host youtube.com resolve
ip host gvt1.com resolve
ip host gvt2.com resolve
ip host gvt3.com resolve
ip host whatsapp.com resolve
ip host whatsapp.net resolve
!

As you can see from the above, configuring whitelisting is a lot harder than blacklisting, because some sites or services require more than one domain. E.g. accessing facebook requires permitting several domains.

  • In an actual deployment, for some well-known services, you can search online for the domains you must whitelist in order to permit their access.

  • However, if some intended domain/URL access is still denied, it's because not all the related/embedded domains are permitted (they are denied by mbox). You can use tcpdump to sniff on the LAN interface to find out which additional associated/linked domains you need to permit.

Try to be "specific" with tcpdump so that you don't get overwhelmed by the amount of output in a live network. In the example below, we use tcpdump to show DNS (udp/53) resolution results only for the user source IP 192.168.1.252 (your testing PC IP), so that we can find out which sites (DNS requests) are blocked (DNS returned 0.0.0.0). We can then add them to the resolve list if they're meant to be permitted.

mbox# tcpdump interface br-eth1 port 53 detail host 192.168.1.252
tcpdump: listening on br-eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:14:11.538894 IP (tos 0x0, ttl 64, id 37878, offset 0, flags [DF], proto UDP (17), length 61) 192.168.1.252.45622 > 8.8.4.4.53: [udp sum ok] 3440+ A? ssl.gstatic.com. (33)
17:14:11.541167 IP (tos 0x0, ttl 64, id 7645, offset 0, flags [DF], proto UDP (17), length 77) 8.8.4.4.53 > 192.168.1.252.45622: [bad udp cksum 0xcefa -> 0xa74a!] 3440* q: A? ssl.gstatic.com. 1/0/0 ssl.gstatic.com. [0s] A 0.0.0.0 (49)
17:14:12.957045 IP (tos 0x0, ttl 64, id 38041, offset 0, flags [DF], proto UDP (17), length 51) 192.168.1.252.36793 > 8.8.4.4.53: [udp sum ok] 44262+ A? hp.co. (23)
17:14:12.958626 IP (tos 0x0, ttl 64, id 38042, offset 0, flags [DF], proto UDP (17), length 51) 192.168.1.252.39748 > 8.8.4.4.53: [udp sum ok] 44842+ AAAA? hp.co. (23)
17:14:12.959198 IP (tos 0x0, ttl 64, id 7713, offset 0, flags [DF], proto UDP (17), length 67) 8.8.4.4.53 > 192.168.1.252.36793: [bad udp cksum 0xcef0 -> 0x83ee!] 44262* q: A? hp.co. 1/0/0 hp.co. [0s] A 0.0.0.0 (39)
17:14:12.961060 IP (tos 0x0, ttl 64, id 7714, offset 0, flags [DF], proto UDP (17), length 51) 8.8.4.4.53 > 192.168.1.252.39748: [bad udp cksum 0xcee0 -> 0x7200!] 44842 q: AAAA? hp.co. 0/0/0 (23)
17:14:22.680010 IP (tos 0x0, ttl 64, id 38921, offset 0, flags [DF], proto UDP (17), length 58) 192.168.1.252.52046 > 8.8.4.4.53: [udp sum ok] 7032+ A? facebook.com. (30)
17:14:22.680392 IP (tos 0x0, ttl 64, id 38922, offset 0, flags [DF], proto UDP (17), length 58) 192.168.1.252.38573 > 8.8.4.4.53: [udp sum ok] 15933+ AAAA? facebook.com. (30)
17:14:22.681708 IP (tos 0x0, ttl 64, id 7909, offset 0, flags [DF], proto UDP (17), length 74) 8.8.4.4.53 > 192.168.1.252.52046: [bad udp cksum 0xcef7 -> 0x8a30!] 7032* q: A? facebook.com. 1/0/0 facebook.com. [0s] A 0.0.0.0 (46)
17:14:22.682934 IP (tos 0x0, ttl 64, id 7910, offset 0, flags [DF], proto UDP (17), length 58) 8.8.4.4.53 > 192.168.1.252.38573: [bad udp cksum 0xcee7 -> 0x6025!] 15933 q: AAAA? facebook.com. 0/0/0 (30)
17:14:27.090577 IP (tos 0x0, ttl 64, id 39703, offset 0, flags [DF], proto UDP (17), length 58) 192.168.1.252.46360 > 8.8.4.4.53: [udp sum ok] 15616+ A? facebook.com. (30)
17:14:27.092309 IP (tos 0x0, ttl 64, id 7984, offset 0, flags [DF], proto UDP (17), length 74) 8.8.4.4.53 > 192.168.1.252.46360: [bad udp cksum 0xcef7 -> 0x7ede!] 15616* q: A? facebook.com. 1/0/0 facebook.com. [0s] A 0.0.0.0 (46)
17:14:29.194367 IP (tos 0x0, ttl 64, id 40074, offset 0, flags [DF], proto UDP (17), length 56) 192.168.1.252.59345 > 8.8.4.4.53: [udp sum ok] 16574+ A? google.com. (28)
17:14:29.194744 IP (tos 0x0, ttl 64, id 40075, offset 0, flags [DF], proto UDP (17), length 56) 192.168.1.252.59132 > 8.8.4.4.53: [udp sum ok] 21769+ AAAA? google.com. (28)
17:14:29.196559 IP (tos 0x0, ttl 64, id 8143, offset 0, flags [DF], proto UDP (17), length 72) 8.8.4.4.53 > 192.168.1.252.59345: [bad udp cksum 0xcef5 -> 0xafc3!] 16574* q: A? google.com. 1/0/0 google.com. [0s] A 0.0.0.0 (44)
17:14:29.197809 IP (tos 0x0, ttl 64, id 8144, offset 0, flags [DF], proto UDP (17), length 56) 8.8.4.4.53 > 192.168.1.252.59132: [bad udp cksum 0xcee5 -> 0x6066!] 21769 q: AAAA? google.com. 0/0/0 (28)
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
mbox#
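The triage step described above (pick the names answered with 0.0.0.0 out of the capture and compare them with the resolve list), together with the reject/resolve matching rule from the NOTE in the whitelisting steps, as an added Python example that is not part of mbox or this guide. The matching model (an entry covers its domain and all sub-domains, "." covers everything, the most specific entry wins) and the third capture line with the answer 203.0.113.10 are assumptions/constructed for illustration.

```python
"""Added example (not mbox code): triage a 'tcpdump ... port 53 detail' capture
taken while whitelisting: list every name the mbox DNS proxy answered with the
spoofed 0.0.0.0 (rejected) and report which are not covered by any 'ip host
<domain> resolve' entry. Matching follows the NOTE above (an entry covers the
domain and its sub-domains, '.' covers all); that model is an assumption."""
import re

# Constructed sample: two reply lines from the capture on this page plus one
# constructed reply with a normal (non-spoofed) answer, 203.0.113.10.
SAMPLE_CAPTURE = """\
17:14:11.541167 IP (tos 0x0, ttl 64, id 7645, offset 0, flags [DF], proto UDP (17), length 77) 8.8.4.4.53 > 192.168.1.252.45622: [bad udp cksum 0xcefa -> 0xa74a!] 3440* q: A? ssl.gstatic.com. 1/0/0 ssl.gstatic.com. [0s] A 0.0.0.0 (49)
17:14:12.959198 IP (tos 0x0, ttl 64, id 7713, offset 0, flags [DF], proto UDP (17), length 67) 8.8.4.4.53 > 192.168.1.252.36793: [bad udp cksum 0xcef0 -> 0x83ee!] 44262* q: A? hp.co. 1/0/0 hp.co. [0s] A 0.0.0.0 (39)
17:14:35.000000 IP (tos 0x0, ttl 64, id 8200, offset 0, flags [DF], proto UDP (17), length 78) 8.8.4.4.53 > 192.168.1.252.41000: [udp sum ok] 9001* q: A? www.google.com. 1/0/0 www.google.com. [60s] A 203.0.113.10 (50)
"""

# One A-record reply: "q: A? <name>. 1/0/0 <name>. [ttl] A <ip>"
REPLY = re.compile(r"q: A\? (?P<name>\S+?)\. \d+/\d+/\d+ .*\bA (?P<ip>(?:\d{1,3}\.){3}\d{1,3})")

def covers(entry: str, name: str) -> bool:
    """'.' covers every name; any other entry covers itself and its sub-domains.
    The '.' + entry check stops 'google.com' from covering 'notgoogle.com'."""
    return entry == "." or name == entry or name.endswith("." + entry)

def policy(name: str, hosts: dict[str, str]) -> str:
    """Model of the whitelist: the most specific matching entry decides.
    hosts maps domain -> 'reject' | 'resolve'; unmatched names resolve normally."""
    best = max((e for e in hosts if covers(e, name)), key=len, default=None)
    return hosts[best] if best else "resolve"

def rejected_names(capture: str) -> list[str]:
    """Names answered with the spoofed 0.0.0.0, in capture order, no duplicates."""
    found: list[str] = []
    for line in capture.splitlines():
        m = REPLY.search(line)
        if m and m["ip"] == "0.0.0.0" and m["name"] not in found:
            found.append(m["name"])
    return found

def missing_resolve_entries(capture: str, resolve_list: list[str]) -> list[str]:
    """Rejected names not covered by any resolve entry: candidates for
    'ip host <domain> resolve' if they are meant to be permitted."""
    return [n for n in rejected_names(capture)
            if not any(covers(e, n) for e in resolve_list)]

if __name__ == "__main__":
    configured = ["google.com", "gstatic.com"]  # resolve entries already in the config
    for name in missing_resolve_entries(SAMPLE_CAPTURE, configured):
        print(f"ip host {name} resolve   # rejected in capture, not covered yet")
```

Feed it the saved output of the tcpdump command above and the current resolve entries; a name reported as rejected but already covered (ssl.gstatic.com here) usually means the capture predates the config change.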