DNS filtering and logging

mbox supports manual (or static) URL filtering, which allows an administrator to specify a list of URLs to which user access should be denied.

There are 3 ways to block user access to specific URLs:

  1. Use firewall content filtering to block packets containing a specific URI string. This method sometimes causes false positives (e.g. the string may appear in the content of an unrelated web page, and the whole page is then blocked). Refer to this section for more details on string filtering.
  2. Use the web proxy to permit/deny by domain, e.g. "proxy-access 10 permit domain playboy.com". This method is effective, but since the web proxy only handles http browsing it is not useful for https traffic. Refer to this section for more details on the web proxy. Running the proxy service on mbox also adds considerable processing overhead.
  3. Use the DNS rewrite feature. DNS rewrite is the simplest and most effective way to block and log URLs. In this mode, mbox acts as the DNS server for end users, intercepts their DNS requests, and answers queries for the domains we want to block with a fake (spoofed) address. It passes legitimate requests to the upstream name servers and logs all requests for reporting purposes. DNS rewrite is also used for other purposes (refer to more details here).

This section focuses on using the mbox DNS rewrite feature for URL filtering and logging. We will start from our earlier basic working scenario and turn on URL filtering and logging. The original working scenario is here.

In this configuration guide, we will perform the tasks below:

  1. Enable DNS rewrite
    • configure an upstream name server (usually the ISP name servers or the well-known Google name servers, 8.8.8.8 and 8.8.4.4)
    • enable DNS rewrite with the "rewrite" option, e.g. "ip name-server 8.8.8.8 8.8.4.4 rewrite"
  2. Configure URL blocking. The target domain's DNS request is simply rewritten to a fake IP, so the address returned to the user is unreachable (and the site is therefore blocked).
    • configured using "ip host <target-domain> <fake-ip> rewrite".
    • Note that if we define a domain here, URLs under its sub-domains are also blocked. For example, if we block yahoo.com, all its subdomains (e.g. xxx.yahoo.com) are blocked as well. Be as specific as possible if only a particular host name should be blocked.
    • All other DNS requests are passed to the upstream name server for resolution, and the original resolution results are returned to the users.
  3. Assign the mbox LAN IP as the users' DNS server in the DHCP scope config.
    • For CMG, it is configured under the "dhcp-server" command, with "dns x.x.x.x"
    • For HSG, it is configured inside the hotspot instance, under the "security hotspot xx" command, with "client-dhcp-dns <lanip>"
  4. Configure firewall-input rules. Since mbox is now acting as the DNS server for users, all user DNS queries are sent to the mbox LAN IP, and we need firewall-input rules that permit this access (udp/53).
    • use the "firewall-input xx" command to permit udp/53
    • we must restrict the rule to the user/client source subnet. DO NOT PERMIT ALL!! If we permit all while mbox is directly connected to the Internet, it becomes an open resolver that attackers can abuse for DNS attacks.
  5. Enable URL logging.
    • The URL logging here is really DNS query logging. By default, once DNS rewrite is turned on, mbox logs all DNS query requests. Because each URL access triggers a DNS request first, DNS query logging is effectively equivalent to URL logging.
    • We then configure mbox as a log client that sends the query logs to a log collector for reporting, either an external log server or mbox itself (configured as a log server as well). In this configuration guide, we will configure mbox as the syslog server. Refer to this section for details on mbox logging.

NOTE: The URL logging/blocking feature works for both CMG and HSG. In this guide we use CMG as the example. For HSG, we just need to make sure the client-dhcp-dns server (under "security hotspot xx") points to the hotspot server IP address.

SAMPLE CONFIGURATIONS

-----------------
!
hostname mbox
!
interface eth 0
 description "Connection to WAN/Internet"
 enable
 ip address dhcp
!
interface eth 1
 description "Connection to LAN switch"
 enable
 ip address 10.1.1.1/24
!
!configure mbox LAN IP as DNS in DHCP scope
dhcp-server
 description "Configure mbox to assign IP to internal users"
 dns 10.1.1.1
 range 10.1.1.10 10.1.1.100
!
ip dhcp-server start
!
!block URL domain by "rewrite" to a fake IP
ip host hotmail.com 127.0.0.1 rewrite
ip host playboy.com 127.0.0.1 rewrite
ip host yahoo.com 127.0.0.1 rewrite
!
!enable DNS rewrite
ip name-server 8.8.8.8 8.8.4.4 rewrite
!
!redirect all DNS queries to internal DNS server for re-write
firewall-dnat 10 redirect all udp dport 53 src 192.168.0.0/16 rdport 53
!
firewall-input 10 permit inbound eth1 udp src 10.1.1.0/24 dport 53 remark "permit DNS query"
!
firewall-access 10 permit outbound eth0 remark "permit all outbound access"
!
firewall-snat 10 overload outbound eth0 remark "hide all internal private IP to WAN interface IP"
!
!enable URL logging on local log server
security log-server
 log-input 10 accept tag unbound
 data-lifetime 30
 start
!
-------------

Once the above is configured, connect your PC to the LAN port (either directly to eth1 or to a switch connected to eth1). Verify the configuration by trying to connect to the blocked sites and to other, non-blocked sites. You will not be able to browse the sites in the block list and should have no problem accessing other sites.

Log in to the mbox GUI and check the live logs; you will see the URL live logs there.

NOTE: the methods above block/filter DNS queries, and whatever is not explicitly configured is permitted and resolved as normal.

If you want to whitelist instead, i.e. permit only certain domains, you can use the firewall content filtering feature. Below is an example of "whitelisting" google, yahoo and zaobao.

!
firewall-access 00 permit all udp dport 53 string yahoo remark whitelist-dns
firewall-access 01 permit all udp dport 53 string google remark whitelist-dns
firewall-access 02 permit all udp dport 53 string zaobao remark whitelist-dns
firewall-access 97 deny all udp dport 53 remark "deny other dns query"
firewall-access 98 permit outbound eth0
!
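The following is an added model of the two matching behaviours this guide relies on, written for this page and not part of mbox: the "ip host ... rewrite" decision of step 2 (a domain entry also catches its subdomains, every query is logged) and the "string" content rule used for the whitelist above (a plain substring test, which is what makes the string method prone to false matches). It assumes rewrite entries are compared on label boundaries and uses constructed upstream answers and TEST-NET addresses.

```python
# Added illustration of mbox DNS rewrite vs. firewall string matching; not mbox code.
# Assumption (not stated on the page): a rewrite entry is compared against the queried
# name and each parent domain on label boundaries, so "yahoo.com" catches "xxx.yahoo.com"
# but not "notyahoo.example".
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FAKE_IP = "127.0.0.1"   # the unreachable "fake" address used in the sample config


@dataclass
class DnsRewriteSim:
    """Models 'ip name-server ... rewrite' plus 'ip host <domain> <fake-ip> rewrite'."""
    rewrite_hosts: Dict[str, str]                    # blocked domain -> fake IP
    upstream: Dict[str, str]                         # constructed stand-in for 8.8.8.8 answers
    query_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def resolve(self, client_ip: str, qname: str) -> str:
        labels = qname.rstrip(".").lower().split(".")
        # check the full name, then each parent: mail.yahoo.com -> yahoo.com -> com
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.rewrite_hosts:
                answer = self.rewrite_hosts[candidate]
                self.query_log.append((client_ip, qname, "rewrite", answer))
                return answer
        # not in the block list: forward upstream and return its result unchanged
        answer = self.upstream.get(".".join(labels), "NXDOMAIN")
        self.query_log.append((client_ip, qname, "forward", answer))
        return answer


def string_rule_matches(qname: str, needle: str) -> bool:
    """Models 'firewall-access ... string <needle>': a substring test on the query name."""
    return needle.lower() in qname.lower()


def demo() -> Dict[str, object]:
    sim = DnsRewriteSim(
        rewrite_hosts={"hotmail.com": FAKE_IP, "playboy.com": FAKE_IP, "yahoo.com": FAKE_IP},
        upstream={"example.com": "192.0.2.10", "notyahoo.example": "192.0.2.20"},  # constructed
    )
    return {
        "blocked": sim.resolve("10.1.1.10", "yahoo.com"),
        "subdomain": sim.resolve("10.1.1.10", "mail.yahoo.com."),      # parent entry applies
        "allowed": sim.resolve("10.1.1.11", "example.com"),            # forwarded untouched
        "lookalike": sim.resolve("10.1.1.11", "notyahoo.example"),     # label boundary: not blocked
        "logged": len(sim.query_log),                                  # every query is logged
        "string_rule_lookalike": string_rule_matches("notyahoo.example", "yahoo"),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry shows the difference that matters for the whitelist: the substring rule "string yahoo" also lets a name such as notyahoo.example through, whereas the rewrite entry does not treat it as yahoo.com.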