The guys at OpenDNS made an interesting announcement yesterday. They’re building a community authored directory of web sites to enhance their DNS-based web filtering service. OpenDNS is a free DNS service that anybody can use simply by changing their computer’s DNS settings.

This is how a DNS-based filtering service works. You change your network settings (typically the one’s served up dynamically by your DHCP server) to use the DNS servers from OpenDNS. When a user types playboy.com into the address bar, the web browser attempts to find the IP address for playboy.com using DNS. But the OpenDNS servers don’t return the real IP address for playboy. Instead they return the IP address of a server that sends the user a block page. Hey presto, the user is blocked. Frankly, it’s brilliant in its simplicity. And the community categorization approach is extra brilliant.

A DNS-based filtering solution is great at snuffing out inadvertent browsing of bad web content. When my five-year-old uses our home computer and starts clicking around on stuff, I’d like to simply prevent him from accidentally viewing nasty sites that might come back in a Google search. A DNS-based approach will absolutely solve this problem.

But my five-year-old is not what I would call a determined attacker.

(more…)

… so I’m going to make the case that you should simply be blocking them en masse. But first, a little background.

Dynamic Addressing by ISPs

Internet Service Providers (ISPs) own blocks of contiguous IP addresses (aka “netblocks”) that they in turn assign to the computers that connect to the Internet through their service. When you sign up for DSL, Cable or even dial-up service and connect your computer to the Internet, the ISP assigns your computer an IP address from within a netblock it owns.

Some ISPs provide static IP services, where your computer keeps the same IP address all the time. But the vast majority of home computers are signed up for less expensive dynamic IP services, where your computer gets a new address each time it connects to the Internet. The address is often different every time you connect. But it’s always from within the same netblock.

This allows the ISP to sign up more customers than IP addresses it owns, kind of like how a bank is allowed to loan out money it doesn’t actually have in the vault. Since only a percentage of the ISP’s customers are connected at any give time, this works fine.

How to tell if an IP is in one of these Netblocks

My personal DSL provider is DSLExtreme. When my home computer connects to the Internet (actually, it’s my router), it’s always assigned an address in the netblock 72.25.123.0/24, which includes a range of IPs from 72.25.123.0 to 72.25.123.255.

(more…)

We have just released the latest version of our core web filtering appliance - version 2.0.10 of the R3000. General availability of the patch is set for January 7th, but you can contact Tech Support and request it today if you like. We’re going GA after the Holidays to reduce the load on Tech Support, which always sees a spike in activity after a major patch release (despite our best efforts).

There is lots of great stuff in this release. However, in this post I’m going to focus on the changes that affect how we handle proxies: improvements in our HTTPS filtering and pattern-based blocking. I’m going to cover:

• Block page on a pattern block
• New options that enhance HTTPS Medium and tame HTTPS High
• Whitelist feature for pattern detection

Let’s take a look at the details.

(more…)