Sanity check - DNS Filtering on WAN

stacksofplates

This post is deleted!

Deleted74295

@stacksofplates said in Sanity check - DNS Filtering on WAN:

@Breffni-Potter said in Sanity check - DNS Filtering on WAN:

@stacksofplates said

Unless I set up an SSH tunnel and a listener to forward UDP packets to whatever port I want. The only thing stopping you at that point is, well nothing. However, that's not trivial.

What if we block 22 on the WAN?

I'll use a different port. You would have to block every port period.

Yes but it'll block someone who is reading a ham fisted guide off the internet.

Dashrender

One of the ways he said you could by pass it is by using the IP address specifically. While this isn't great, in some cases it will work.

Do you control all of the devices that use your WAN? or are there private devices there too? Private devices could use proxies that are reached through IP address instead of DNS, then the proxy will accept all DNS requests and on they go.

Like @stacksofplates SSH example, proxies can be on any port, so unless you're blocking all outbound traffic, you're going to have a hard time someone not bypassing it if they want to.

Oh and speaking about corporate vs non corporate machines - Chrome will install on Windows without local admin - I wonder, does it still always respect the windows networking settings on Proxies/DNS servers, etc? if not, then this is easier than I thought - i.e. doesn't require a non corporate device on the network.

Deleted74295

Let's make it clear, this is assuming no corporate management or endpoint on the devices. The only place you are allowed to make changes is the LAN or WAN. Not the client machines.

stacksofplates

@Dashrender said in Sanity check - DNS Filtering on WAN:

Oh and speaking about corporate vs non corporate machines - Chrome will install on Windows without local admin - I wonder, does it still always respect the windows networking settings on Proxies/DNS servers, etc? if not, then this is easier than I thought - i.e. doesn't require a non corporate device on the network.

It uses the internet options. Which makes it even easier. You don't need to do like I said before (fifo devices). Just use a dynamic ssh tunnel and tell Chrome to use the local port as a SOCKS proxy and you can just go wherever you want.

But again, we are talking about normal office workers. They don't know how any of that works.

Dashrender

@Breffni-Potter said in Sanity check - DNS Filtering on WAN:

Let's make it clear, this is assuming no corporate management or endpoint on the devices. The only place you are allowed to make changes is the LAN or WAN. Not the client machines.

Well, in that case, you are pretty screwed against someone who wants to get around almost anything you put in place.

Example, I bring in my home laptop, I know a proxy on the internet's IP address, I set my PC to use that proxy, now I can do anything I want webwise.

You'd be playing a constant game of cat and mouse blocking Proxy IPs to prevent this.

Also I could VPN to my home connection (or any of the VPN solutions available for purchase) and then surf through that.

stacksofplates

@Dashrender said in Sanity check - DNS Filtering on WAN:

@Breffni-Potter said in Sanity check - DNS Filtering on WAN:

Let's make it clear, this is assuming no corporate management or endpoint on the devices. The only place you are allowed to make changes is the LAN or WAN. Not the client machines.

Well, in that case, you are pretty screwed against someone who wants to get around almost anything you put in place.

Example, I bring in my home laptop, I know a proxy on the internet's IP address, I set my PC to use that proxy, now I can do anything I want webwise.

You'd be playing a constant game of cat and mouse blocking Proxy IPs to prevent this.

Also I could VPN to my home connection (or any of the VPN solutions available for purchase) and then surf through that.

Right. The scary thing is you can go the other way also. SSH -R gives me remote tunnels. So now, I set up a remote tunnel between port 22 on my machine and port 1022 at home. Now anything at home has direct connection to my machine at work. I still need to authenticate, but any virus on the home network now has a direct channel to a machine on your office LAN.

scottalanmiller

@Breffni-Potter said in Sanity check - DNS Filtering on WAN:

Let's make it clear, this is assuming no corporate management or endpoint on the devices. The only place you are allowed to make changes is the LAN or WAN. Not the client machines.

Essentially nothing that you can do, then. Whitelisting is the only reliable option.

Romo

@scottalanmiller said in Sanity check - DNS Filtering on WAN:

@Breffni-Potter said in Sanity check - DNS Filtering on WAN:

Let's make it clear, this is assuming no corporate management or endpoint on the devices. The only place you are allowed to make changes is the LAN or WAN. Not the client machines.

Essentially nothing that you can do, then. Whitelisting is the only reliable option.

@Breffni-Potter I've used your proposed setup and it does work, especially for regular users.

Egress filtering, only ports 80 and 443 were enabled for users all other needed ports where only enabled per specific request and of course port 53 was only open for my internal dns server. The filtering service provides the ability for disabling Proxy/Anonymizer sites so that basically takes care of 99% of the users trying to bypass your content filtering.

Of course technical users if truly motivated will bypass the solution tunneling through 80 or 443.

scottalanmiller

@Romo said in Sanity check - DNS Filtering on WAN:

Of course technical users if truly motivated will bypass the solution tunneling through 80 or 443.

technical.... or anyone who takes the time to ask someone technical.