Analysis of DNS-based filtering solutions
by Rich Sutton, February 20th, 2008
The guys at OpenDNS made an interesting announcement yesterday. They’re building a community authored directory of web sites to enhance their DNS-based web filtering service. OpenDNS is a free DNS service that anybody can use simply by changing their computer’s DNS settings.
This is how a DNS-based filtering service works. You change your network settings (typically the ones served up dynamically by your DHCP server) to use the DNS servers from OpenDNS. When a user types playboy.com into the address bar, the web browser looks up the IP address for playboy.com using DNS. But the OpenDNS servers don’t return the real IP address for playboy.com. Instead they return the IP address of a server that sends the user a block page. Hey presto, the user is blocked. Frankly, it’s brilliant in its simplicity. And the community categorization approach is extra brilliant.
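The decision a filtering resolver makes, as an added example (not OpenDNS code, and not from the original post): it parses the question name out of a raw DNS query, walks up the parent domains so that a hit on playboy.com also covers www.playboy.com, and answers with the block-page address instead of the real one. The block-page IP, the blocklist and the "upstream" answers are constructed for the example; note that the resolver only ever sees a host name, never a URL path.

```python
import struct
from ipaddress import IPv4Address

BLOCK_PAGE_IP = "192.0.2.1"            # assumed block-page server (TEST-NET-1 address)
BLOCKLIST = {"playboy.com.", "groups.yahoo.com."}   # constructed category hits
UPSTREAM_ANSWERS = {"example.com.": "93.184.216.34"}  # constructed "real" answers


def build_query(name, qtype=1):
    """Build a minimal DNS query packet (ID 0x1234, RD set, one A question)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet, offset=12):
    """Read the uncompressed question name; return (fqdn, offset past the name)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", offset


def is_blocked(qname):
    """True if qname or any parent domain is on the blocklist."""
    parts = qname.rstrip(".").split(".")
    return any(".".join(parts[i:]) + "." in BLOCKLIST for i in range(len(parts)))


def resolve(packet):
    """Answer a query: block-page IP for blocked names, upstream IP otherwise, NXDOMAIN if unknown."""
    txid = struct.unpack("!H", packet[:2])[0]
    qname, end = parse_qname(packet)
    question = packet[12:end + 4]           # name + qtype + qclass, echoed back
    if is_blocked(qname):
        ip, rcode = BLOCK_PAGE_IP, 0
    elif qname in UPSTREAM_ANSWERS:
        ip, rcode = UPSTREAM_ANSWERS[qname], 0
    else:
        ip, rcode = None, 3                  # NXDOMAIN
    ancount = 1 if ip else 0
    # flags 0x8180: response, recursion desired + available; rcode in the low bits
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    rr = b""
    if ip:
        # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, address
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(ip).packed
    return header + question + rr


def answer_ip(response):
    """Address the client would connect to, or None for NXDOMAIN."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    return str(IPv4Address(response[-4:]))


if __name__ == "__main__":
    for name in ("www.playboy.com", "example.com", "nothere.test"):
        print(name, "->", answer_ip(resolve(build_query(name))))
```

The whole control lives in that one branch: the client still gets a well-formed answer, it just points at the block page. Everything the rest of the post says about bypasses follows from the fact that nothing forces the client to ask this resolver in the first place.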
A DNS-based filtering solution is great at snuffing out inadvertent browsing of bad web content. When my five-year-old uses our home computer and starts clicking around on stuff, I’d like to simply prevent him from accidentally viewing nasty sites that might come back in a Google search. A DNS-based approach will absolutely solve this problem.
But my five-year-old is not what I would call a determined attacker.
That’s the term professionals in the security community use to describe an individual who has the time, energy and skills required to subvert a security control. The question posed to separate the simple, 80% solutions from genuinely robust ones is: “Will this be effective in the face of a determined attacker?”
In the web filtering world, the most determined attackers are technology-savvy 17-year-olds using laptops provided by their schools. They have the skills, the time, and they almost always have no fear of punishment (unless you actively enforce your AUP, your acceptable use policy, and even then they might view suspension as a vacation). This makes them formidable adversaries.
They will circumvent DNS-based filtering using any of these methods:
(1) Web-browsing by IP. This is the dead simple technique of typing the IP address of a site into your browser’s address bar instead of the host name. Since there’s no DNS query involved, the user can view web content without ever running it past the DNS-based filter. In practice, this rarely works, as most web sites, even if they let you see the content by IP, serve HTML with links that use the domain. So you’d have to go through the painful and time-consuming process of rebuilding each link you want to navigate, with the host name swapped out for the IP.
But some sites, like MySpace and Playboy, serve their entire site by IP (surprise!). Often they’ll do this from IPs that are not used in the name resolution of their main sites, so a filter that only watches DNS answers never learns those addresses. They presumably do this to circumvent filtering, since these sites are often targeted by users of filters.
(2) Anonymous proxies installed on home computers. These are almost always accessed directly by IP. As I’ve talked about many times before in this blog, the most effective way to combat these is with packet signatures, which is what 8e6 does.
(3) Proxy clients that intentionally don’t use the host’s internal DNS. Sophisticated proxy clients know that DNS is a filtering point and don’t rely on local name resolution; they reach their servers by IP or resolve names over their own channel. Proxies in this class include Ultrasurf, FreeGate and GPass. This is a common architecture for proxies designed to work behind the Great Firewall of China, since the government can decide what resolves in China and what doesn’t.
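All three bypasses share one signature: a web connection to an address the filtering resolver never handed out. That makes them detectable at the gateway even if they cannot be blocked at the resolver. The following is an added example (not from the original post or any product) that correlates constructed resolver and connection logs and flags outbound connections with no matching recent DNS answer for that client. The log formats, the internal network range and the freshness window are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed resolver log: timestamp, client, query name, record type, answer.
DNS_LOG = """\
2008-02-20T10:00:01 10.0.0.5 www.example.com A 93.184.216.34
2008-02-20T10:00:03 10.0.0.5 playboy.com A 192.0.2.1
2008-02-20T10:00:10 10.0.0.7 example.net A 198.51.100.20
"""

# Constructed gateway connection log: timestamp, client, destination, port.
CONN_LOG = """\
2008-02-20T10:00:02 10.0.0.5 93.184.216.34 80
2008-02-20T10:00:04 10.0.0.5 192.0.2.1 80
2008-02-20T10:00:15 10.0.0.5 203.0.113.9 80
2008-02-20T10:00:20 10.0.0.7 198.51.100.20 443
2008-02-20T10:00:30 10.0.0.7 10.0.0.1 80
2008-02-20T10:05:00 10.0.0.7 198.51.100.44 8080
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed: traffic inside here is not web browsing
WINDOW = timedelta(hours=1)                   # assumed: must cover the longest TTL clients cache


def parse_dns(log):
    """Yield (time, client, answer_ip) for every A answer the resolver gave."""
    for line in log.splitlines():
        ts, client, _qname, rrtype, ip = line.split()
        if rrtype == "A":
            yield datetime.fromisoformat(ts), client, ip


def parse_conn(log):
    """Yield (time, client, destination_ip, port) for every logged connection."""
    for line in log.splitlines():
        ts, client, dst, port = line.split()
        yield datetime.fromisoformat(ts), client, dst, int(port)


def find_dns_bypass(dns_log, conn_log, window=WINDOW):
    """Return (client, dst, port) for connections this client made without
    having received that address from the filtering resolver within `window`."""
    answers = list(parse_dns(dns_log))
    flagged = []
    for ts, client, dst, port in parse_conn(conn_log):
        if any(ip_address(dst) in net for net in INTERNAL_NETS):
            continue
        resolved = any(a_client == client and a_ip == dst and a_ts <= ts <= a_ts + window
                       for a_ts, a_client, a_ip in answers)
        if not resolved:
            flagged.append((client, dst, port))
    return flagged


if __name__ == "__main__":
    for client, dst, port in find_dns_bypass(DNS_LOG, CONN_LOG):
        print(f"{client} reached {dst}:{port} with no DNS answer from the filter")
```

In the sample data the hit on 192.0.2.1 is the block page doing its job and is not flagged; the two flagged connections are exactly the browse-by-IP case and a proxy client on a non-standard port. The window has to be at least as long as the longest TTL a browser will cache, or legitimate cached lookups show up as bypasses; and if clients sit behind a local caching forwarder, the correlation has to be done on that forwarder's client address instead.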
Other thoughts:
One other large limitation of DNS-based filtering is an inability to filter based on URL path. The resolver only ever sees the host name in the query; the path travels inside the HTTP request, which the resolver never sees. How do you handle the thousand or so porn groups on groups.yahoo.com? With DNS-based filtering all you can do is blackhole the entire site.
This would be an unfair post if I didn’t mention this: One advantage to DNS-based filtering is that you get a chance to deal with HTTPS sites before anything gets encrypted, because the name lookup happens in the clear before the TLS handshake starts. Secure proxies like dongtaiwang.com, circumventor.com and proxify.com are stopped cold at the DNS level (provided, of course, that the client actually uses the filtered resolver). At the gateway, your web filtering solution has to chase down the certificate, which is very effective, but a little more time consuming and error prone.
Ultimately, I think a DNS-based filtering solution is an excellent complement to a gateway-based filtering solution. There’s no reason why you can’t use them both at the same time.
Tags: DNS, Proxies, web filtering

February 20th, 2008 at 11:33 pm
Rich,
You write that this is not for a “determined attacker” and you are absolutely right. You also point out that it’s a great complement to another layer of security at a proxy or gateway and you are absolutely right.
Like most security solutions, it’s just a piece of the puzzle, and we’re trying to make it as easy as can be. I’m not aware of anything that provides this level of control or insight into DNS today. Note we let you block or whitelist individual domains too, if categories are too broad.
Anyways, thanks for the analysis and writeup, I love getting the feedback.