RansNet devices support URL filtering based on DNS blacklist/whitelist, and allows administrator to configure list of domains or FQDN to permit or deny. We can configure a list via CLI, or integrate with RansNet cloud DNS for category based URL filtering.
There are several ways to filter URLs accesses:
Use DNS reject/resolve features. This is the simplest and most effective way for URL filtering and logging. In this method, mbox acts as a DNS proxy server, intercepts client DNS requests, and determines if the requested destination DNS resolution should be denied (reject) or permitted (resolve). It works well for both http and https websites.
Use firewall object-group with FQDN. This requires setting up object-group to include a list of Fully Qualified Domain Name (FQDN), and use firewall-access/deny rules to permit/deny access to the destination.
Use cloud DNS for category based DNS filter. RansNet cloud DNS records a total of more than 100 million websites and groups them into different categories, so that we can easily choose to permit/deny URL accesses by categories. This simple option requires the on-premise device to point to RansNet DNS server as upstream name-server, then administrator can login to DNS filtering dashboard to configure filtering policies. There's a small subscription cost for this option, but it is an ideal balance between costs and functionality for most SME enterprises. We will cover this feature in a separate document.
NOTE:
After apply config, please wait for a few seconds before testing.
If the testing PC accessed/tested the URL before, please clear browser cache and reboot your testing PC (flush off DNS cache) before trying
DNS filtering may not be effective for some modern browsers which use DNS-over-HTTPS (DoH). To verify if the router blacklisting/whitelisting works, use nslookup command in your command prompt. To disable DoH in chrome,
URL blacklisting is basically to deny/disallow DNS requests for some URLs only and permit everything else. To achieve URL blacklisting, we simply need to configure DNS reject for this target domain. DNS reject is an extension of our DNS rewrite feature to "spoof" target domain/URL DNS resolution to a fake IP 0.0.0.0 (therefore denied). All other DNS requests are passed to upstream name-server for normal resolution (default permitted).
CONFIGURATION STEPS
Configure upstream DNS name-server (usually ISP name servers or the famous google name servers, 8.8.8.8 and 8.8.4.4)
Configure firewall rules to force intercept user DNS traffic.
Configure DNS reject to deny target domains/URLs.
NOTE: if we define a domain here, the sub-domain URLs will also be blocked. For example, if we block yahoo.com, all other subdomain URLs (eg. xxx.yahoo.com) will be blocked. If you just want to block a specific subdomain URL only, please configure a Fully Qualified Domain Name (FQDN).
Enable URL logging.
The URL logging here is really DNS query logging. By default, mbox logs all DNS query requests. Because each URL access request triggers a DNS request first, so DNS query logging is a good equivalent to URL logging (without the full URI details of course).
Then we configure mbox to be a log client sending query logs to a log collector for reporting, either external log server or log locally (HSG only).
CONFIGURATION EXAMPLES
In this configuration guide, we configure HSG for DNS filtering and also use it as a syslog server.
!interface eth 0 description "Connection to WAN/Internet" enable ip address dhcp!interface eth 1 description "Connection to LAN switch" enable ip address 10.1.1.1/24 dhcp-server description "Configure mbox to assign IP to internal users" dns 10.1.1.1 range 10.1.1.10 10.1.1.100!ip host splash.ransnet.com 2.1.2.1 rewriteip host macc.ransnet.com 2.1.2.1 rewriteip host hotmail.com rejectip host playboy.com rejectip host yahoo.com reject!ip name-server 8.8.8.8 8.8.4.4!firewall-dnat 10 redirect all udp dport 53 src 192.168.0.0/16 rdport 53!firewall-input 10 permit inbound eth1 udp src 10.1.1.0/24 dport 53 remark "permit DNS query"!firewall-access 10 permit outbound eth0 remark "permit all outbound access"!firewall-snat 10 overload outbound eth0 remark "hide all internal private IP to WAN interface IP"!security log-server log-input 10 accept tag unbound log-input 11 accept msg mboxfw start!Verify the configuration by trying to connect to the blocked sites and other non-blocked sites. You will not be able to browse the sites in the blocked list and should have no problem accessing to other sites.
URL whitelisting is "opposite" to blacklisting. Basically, you want to allow certain URL access only, and everything else should be blocked. To achieve this objective, we will use a combination of DNS reject and resolve features. Because mbox by default permits all DNS requests. So the approach is to deny first, and only resolve the permitted target ones.
DNS reject denies DNS requests. So we simply need to configure "ip host . reject" to deny all.
DNS resolve permits the target domains/URLs by telling mbox to resolve these domains/URLs normally through upstream name-server.
CONFIGURATION STEPS
Configure upstream DNS name-server (usually ISP name servers or the famous google name servers, 8.8.8.8 and 8.8.4.4)
Configure firewall rules to force intercept user DNS traffic. Since now mbox is working as a DNS server for users, we need to intercept all users DNS queries and determine allow or disallow
Configure DNS/URL rewrite to deny all others (just put a . to denote all)
Configure DNS/URL resolve to permit target domains/URLs only
NOTE: if we define a domain here, the sub-domain URLs will also be blocked. For example, if we block yahoo.com, all other subdomain URLs (eg. xxx.yahoo.com) will be blocked. If you just want to block a particular URL only, try to be as specific as possible
CONFIGURATION EXAMPLES
In the config example, we will permit facebook, whatsapp and some google services only, and deny everything else. Below shows a snip of the config.
!ip host . rejectip host akamai.net resolveip host akamaihd.net resolveip host akamaized.net resolveip host facebook.com resolveip host facebook.net resolveip host fbcdn.net resolve ip host gmail.com resolveip host dns.google resolveip host google-analytics.com resolveip host google.com resolve ip host google.com.sg resolveip host googleadservices.com resolveip host googleapis.com resolveip host googlesyndication.com resolveip host googletagservices.com resolveip host googleusercontent.com resolveip host googlevideo.com resolveip host gstatic.com resolveip host youtube.com resolveip host gvt1.com resolveip host gvt2.com resolve ip host gvt3.com resolve ip host whatsapp.com resolveip host whatsapp.net resolve!As you can see from above, configuring whitelisting is a lot harder than blacklisting, because some sites or services require more than one domains. Eg. accessing to facebook will require permitting several domains and FQDN.
In actual deployment, for some well-known services, you can google search what are the domains you must whitelist in order to permit their access
However, if some intended domain/URL access is still denied, it's because not all the related/embedded domains are permitted (denied by mbox). You can use tcpdump to sniff on the LAN interface to find out what are the additional associated/linked domains you need to permit.
Try to be "specific" with tcpdump so that you don't get overwhelmed with the amount of output in a live network. In below example, we use tcpdump to find out DNS (udp/53) resolution results only for user source IP 192.168.1.252 (your testing PC IP), so that we can find out which sites (DNS requests) are blocked (DNS returned 0.0.0.0). Then we can add them to resolve list if they're meant to be permitted.
mbox# tcpdump interface br-eth1 port 53 detail host 192.168.1.252tcpdump: listening on br-eth1, link-type EN10MB (Ethernet), capture size 65535 bytes17:14:11.538894 IP (tos 0x0, ttl 64, id 37878, offset 0, flags [DF], proto UDP (17), length 61) 192.168.1.252.45622 > 8.8.4.4.53: [udp sum ok] 3440+ A? ssl.gstatic.com. (33)17:14:11.541167 IP (tos 0x0, ttl 64, id 7645, offset 0, flags [DF], proto UDP (17), length 77) 8.8.4.4.53 > 192.168.1.252.45622: [bad udp cksum 0xcefa -> 0xa74a!] 3440* q: A? ssl.gstatic.com. 1/0/0 ssl.gstatic.com. [0s] A 0.0.0.0 (49)17:14:12.957045 IP (tos 0x0, ttl 64, id 38041, offset 0, flags [DF], proto UDP (17), length 51) 192.168.1.252.36793 > 8.8.4.4.53: [udp sum ok] 44262+ A? hp.co. (23)17:14:12.958626 IP (tos 0x0, ttl 64, id 38042, offset 0, flags [DF], proto UDP (17), length 51) 192.168.1.252.39748 > 8.8.4.4.53: [udp sum ok] 44842+ AAAA? hp.co. (23)17:14:12.959198 IP (tos 0x0, ttl 64, id 7713, offset 0, flags [DF], proto UDP (17), length 67) 8.8.4.4.53 > 192.168.1.252.36793: [bad udp cksum 0xcef0 -> 0x83ee!] 44262* q: A? hp.co. 1/0/0 hp.co. [0s] A 0.0.0.0 (39)17:14:12.961060 IP (tos 0x0, ttl 64, id 7714, offset 0, flags [DF], proto UDP (17), length 51) 8.8.4.4.53 > 192.168.1.252.39748: [bad udp cksum 0xcee0 -> 0x7200!] 44842 q: AAAA? hp.co. 0/0/0 (23)17:14:22.680010 IP (tos 0x0, ttl 64, id 38921, offset 0, flags [DF], proto UDP (17), length 58) 192.168.1.252.52046 > 8.8.4.4.53: [udp sum ok] 7032+ A? facebook.com. (30)17:14:22.680392 IP (tos 0x0, ttl 64, id 38922, offset 0, flags [DF], proto UDP (17), length 58) 192.168.1.252.38573 > 8.8.4.4.53: [udp sum ok] 15933+ AAAA? facebook.com. (30)17:14:22.681708 IP (tos 0x0, ttl 64, id 7909, offset 0, flags [DF], proto UDP (17), length 74) 8.8.4.4.53 > 192.168.1.252.52046: [bad udp cksum 0xcef7 -> 0x8a30!] 7032* q: A? facebook.com. 1/0/0 facebook.com. [0s] A 0.0.0.0 (46)17:14:22.682934 IP (tos 0x0, ttl 64, id 7910, offset 0, flags [DF], proto UDP (17), length 58) 8.8.4.4.53 > 192.168.1.252.38573: [bad udp cksum 0xcee7 -> 0x6025!] 15933 q: AAAA? facebook.com. 0/0/0 (30)17:14:27.090577 IP (tos 0x0, ttl 64, id 39703, offset 0, flags [DF], proto UDP (17), length 58) 192.168.1.252.46360 > 8.8.4.4.53: [udp sum ok] 15616+ A? facebook.com. (30)17:14:27.092309 IP (tos 0x0, ttl 64, id 7984, offset 0, flags [DF], proto UDP (17), length 74) 8.8.4.4.53 > 192.168.1.252.46360: [bad udp cksum 0xcef7 -> 0x7ede!] 15616* q: A? facebook.com. 1/0/0 facebook.com. [0s] A 0.0.0.0 (46)17:14:29.194367 IP (tos 0x0, ttl 64, id 40074, offset 0, flags [DF], proto UDP (17), length 56) 192.168.1.252.59345 > 8.8.4.4.53: [udp sum ok] 16574+ A? google.com. (28)17:14:29.194744 IP (tos 0x0, ttl 64, id 40075, offset 0, flags [DF], proto UDP (17), length 56) 192.168.1.252.59132 > 8.8.4.4.53: [udp sum ok] 21769+ AAAA? google.com. (28)17:14:29.196559 IP (tos 0x0, ttl 64, id 8143, offset 0, flags [DF], proto UDP (17), length 72) 8.8.4.4.53 > 192.168.1.252.59345: [bad udp cksum 0xcef5 -> 0xafc3!] 16574* q: A? google.com. 1/0/0 google.com. [0s] A 0.0.0.0 (44)17:14:29.197809 IP (tos 0x0, ttl 64, id 8144, offset 0, flags [DF], proto UDP (17), length 56) 8.8.4.4.53 > 192.168.1.252.59132: [bad udp cksum 0xcee5 -> 0x6066!] 21769 q: AAAA? google.com. 0/0/0 (28)^C16 packets captured16 packets received by filter0 packets dropped by kernelmbox#