OpenDNS and CleanBrowsing | DNS Content Filtering

What is DNS Content Filtering?

A DNS Based Content Filtering service can prevent certain websites from loading on your network.  Most services can filter by specific categories like malware, phishing, pornography, etc.  Unlike some content filtering which can introduce security risks, DNS filtering does not intercept traffic between you and the website you’re visiting.  It doesn’t require installing any software on your computer or device making it one of the safest ways to filter web content.

Using ClearBrowsing's DNS Service a typoed domains returns a code showing the domain does not exist
Google’s DNS server returns the IP address of the phishing site, while CleanBrowsing returns NXDOMAIN

If you you accidentally typo a popular domain (such as typing .cm instead of .com) it would normally take you to a phishing site.  A DNS filtering service would block your computer by returning an NXDOMAIN (domain does not exist) instead of the IP address effectively blocking the website from loading.  The same technique can be used to prevent any undesirable category such as malware, pornography, adware, etc. from loading on your network.

The other benefit of using a DNS filtering service is it can force certain search and media services (like Google and YouTube) into safe mode preventing anyone using your network from even seeing adult content in their search results.

Why Should I use One?

It’s not only a wise way to protect yourself from malware and temptation, but also when letting guests on your WiFi network–you don’t have to worry (as much) about what they’re doing, and also a good idea when you start letting kids online.  DNS filtering doesn’t take the place of parenting, and anyone with a little technical skill can bypass it, but it may help prevent your family and anyone using your network from accidentally stumbling across bad sites.  If it prevents one cryptolocker infection it’s worth it.

I think families, churches, home networks, small businesses, organizations, schools, large enterprises, and governments could benefit from DNS filtering.   You may not want to go overboard blocking content about illegal drugs and gambling, but at the very least you probably don’t want malware on your network!

Two DNS Filtering Services

I use two DNS content filtering providers services:  OpenDNS and CleanBrowsing.  Both have simple instructions to get started so I won’t repeat that here.  Both are free, work well, and my decision to use one or the other on a particular network just depends on the situation–although in most cases either would be fine.  It’s nice to have multiple options.

OpenDNS

OpenDNS Logo

OpenDNS has been around since 2006 and was acquired by Cisco in 2014.  It offers several free plans and some paid options as well:

  • OpenDNS Family Shield (Free).  Very simple–just set your router’s DNS servers to 208.67.222.123 and 208.67.220.123 and it’s pre-configured to block malicious and adult content.
  • OpenDNS Home (Free).  For more advanced control, allows for granular category filtering as seen in the screenshots below.  If your ISP has a dynamic IP you will need to use a DDNS client to update OpenDNS with your public IP.  Below are some screenshots to show the granularity:

OpenDNS Filtering Categories

OpenDNS Filtering Security Categories

  • OpenDNS Home VIP ($20/year) — Very affordable and adds the ability to white-list specific domains if they’re on the block list.
  • Cisco Umbrella — For businesses and larger enterprises.

CleanBrowsing

CleanBrowsing Logo

CleanBrowsing is a fairly new service, starting in February of 2017.

It offers three easy free filtering plans and 2 paid plains:

  • Security Filter (Free) – Set your router’s DNS to 185.228.168.9 and 185.228.169.9 to only block malicious domains (phishing and malware).
  • Adult Filter (Free)– Set DNS to 185.228.168.10 and 185.228.169.11 to block Adult domains, set search engines to safe mode (also includes the security filter).
  • Family Filter (Free)– Set DNS to 185.228.168.168 and 185.228.169.168 to block access to VPN domains that could be used to bypass filters, mixed content sites (like Reddit), and sets YouTube to safe mode (includes Adult and Security filters as well).
  • Basic Plan ($5/month) allows you to setup custom filtering categories and whitelist and blacklist specific domains.
  • Professional ($9/month) targeting small networks (less than 2,000 devices, for more than that you can get a custom quote).

CleanBrowsing DNS Filtering Map

OpenDNS and CleanBrowsing Comparison

OpenDNS has been around the longest, but CleanBrowsing is leading in innovation (note that my comparison is on the free or low priced consumer service, not the enterprise service from each provider):

OpenDNS advantages

  • Free account allows more control of specific categories
  • Blocked domains get redirected to page saying why page is blocked (better end user understanding of what’s going on than an NXDOMAIN for most people)
  • Been Around Longer.  More mature.

CleanBrowsing advantages

  • Security – Supports DNSSEC (prevents forgery of DNS results …some ISPs have been known to hijack DNS results).  Also supports DNSCrypt, DNS over HTTPS, and DNS over TLS.
  • Blocked domains return an NXDOMAIN (better practice than redirecting for technical/security folks)
  • Privacy Policy: CleanBrowsing States it does not log requests
  • Better Test Results on Adult content filtering: blocked 100% of adult content on a Porn Filter test by Nykolas Z (OpenDNS blocked 89%).
  • Much better Test Results Blocking Phishing Sites: CleanBrowsing blocked 100% of phishing sites on 3 out of 4 tests beating out OpenDNS in every area.  On the real-time test it allowed 1 out of 12 sites through, however OpenDNS only blocked 2 out of 12 sites.

Both OpenDNS and CleanBrowsing have very fast DNS resolution rates (probably faster than your ISP), with CleanBrowsing resolving slightly faster for me but within milliseconds of each other.  I think either service is worth using.

I have made a covenant with my eyes.
How then could I look at a young woman? — Job 31:1 CSB

 

DNS Hijacked? Slow? Setup Unbound on pfSense

Why Is It Slow?

When you request a website, say, b3n.org, your computer needs the IP address.  So it sends out packets through your router/firewall, your modem, and out to your ISPs DNS Servers.  Your ISP’s DNS server will probably have it cached, if not it queries the authoritative (starting with the Root Name Servers) recursively to find out what the authoritative DNS servers are and then queries those DNS servers.  It gets the IP address, and sends it back to your computer.  Your computer can then query the server IP for b3n.org.  Any latency along this process will result in delays.  If you ever type in a url in the address bar and nothing happens for a few hundred milliseconds and then suddenly the website starts to load this is likely the problem.

Typical DNS Lookup Path

Is Your DNS Hijacked by Your ISP?

It’s pretty easy for ISPs to hijack DNS queries.  A small number of ISPs (Comcast, CenturyLink, Time Warner, Cox, Rogers, Charter, Verizon, Sprint, T-Mobile, Frontier, etc.) have been caught doing exactly that.  Want to know why?  Advertising revenue.  When you misspell a domain some ISPs, instead of returning an NXDOMAIN (does not exist) like any RFC compliant DNS server it will resolve the domain anyway, point it at a page they control, and advertise to you!  This is a really bad idea.  But there is a way to prevent your ISP from doing this…

Using Google’s Nameservers

If you’re not tech savvy using 8.8.8.8 and 8.8.4.4 is probably better than your ISPs nameservers.  It won’t hurt, and will probably help, but it may not help… it’s very trivial for an ISP to route those IPs to their own servers and some do.

Even if your ISP is pure goodness and would never do that, someone could setup a rogue DNS server posing as theirs and intercept all your DNS traffic.

The only solution is to query the Root name servers for authoritative DNS servers and use DNSSEC.  Cut out any 3rd party DNS provider and run your own DNS server locally.

Setup an Unbound Server on pfSense

pfSense Unbound Lookups

Unbound is a high performance caching DNS server.  Unbound queries recursively authoritative DNS servers directly, completely bypassing your ISP.  It uses DNSSEC to make sure your queries haven’t been tampered with.  And best of all, it caches DNS results locally (like your ISP would) but since it’s on your own network, the cached DNS queries are local!

You can setup a local FreeBSD server and run Unbound on it, but if you’re already using a router like pfSense or OPNsense you can setup an Unbound server in a few clicks.

Open up pfSense, first make sure the forwarder under Services, DNS Forwarder, is disabled.  Slowness warning: if you are running a low query lookup network such as on your home network having the forwarder disabled may cause lookups to be slower because you’re having to traverse the DNS servers regularly to get results… this can sometimes take a second or two and result in DNS timeouts while it’s trying to traverse the DNS nameservers.  If you find that unbound performance is slow I’d suggest turning on forwarding mode which will use the DNS servers specified in pfSense under system, general setup.  In this case I’d recommend pointing them at 8.8.8.8 and 8.8.4.4.  If you run with forwarding enabled you should verify that your ISP is not hijacking your DNS results, if they are you should switch ISPs.

  • Go to Services, DNS Resolver.
  • Enable the DNS Resolver
  • Select the Network interfaces that you want Unbound to listen on (do not select ALL, you’ll definitly want to select LAN).
  • System Domain Local Zone Type: Transparent
  • Enable DNSSEC Support
  • Do NOT enable Forwarding Mode
  • You can also choose to register DHCP addresses in the DNS Resolver which is very handy if you’re using pfSense to manage DHCP.

pfSense Unbound

  • Under System, General Setup
  • Make sure all DNS Server fields are empty.  DNS Server Override and
  • Disable DNS Forwarder should be unchecked.

pfSense General Setup

Finally, Under Services, DHCP Server, set your DNS Server to your pfSense’s LAN IP.  As your DHCP clients renew their lease they’ll start using pfSense for DNS.

As far as performance if you have low latency to your ISPs DNS you probably won’t notice anything.  But if you’re on a high latency connection  with 70ms pings like I am, this makes a big difference.