Content filtering options
-
@dustinb3403 meh. I've had way more stupid assignments in other "IT" jobs before. Should be basically set-and-forget after whitelisting customer websites. One thing our overseas workers do not do is whine about stuff like filtered internet... that's a huge positive.
-
@dustinb3403 said in Content filtering options:
I've not used this but Privoxy might work well enough.
https://www.privoxy.org/
https://www.pcmech.com/article/build-web-content-filter-using-linux-privoxy/Way too much complexity. They want simplicity (so do I, since I'll be managing it). A hosted DNS service is ideal.
-
What do you have at the site already?
Many firewall devices have this stuff built in now.
I could block anything by category or even strings 'cricket' 'viagra' stuff like that. Any traffic passing through the interface out to the web gets inspected.
Any requests that use these words get blocked with a warning in the browser and logged.
Not quite the same as a dns filtering though. -
You might look at Clouflare. They have a free option and are hosted. I use them on my websites so been a while since I set them up but I think you can do some filtering and white listing.
-
@momurda said in Content filtering options:
What do you have at the site already?
Many firewall devices have this stuff built in now.
I could block anything by category or even strings 'cricket' 'viagra' stuff like that. Any traffic passing through the interface out to the web gets inspected.
Any requests that use these words get blocked with a warning in the browser and logged.
Not quite the same as a dns filtering though.No, firewalls do not have that. Those are UTM devices. But that is a totally different discussion.
Also there is no way for most of those devices to block anything HTTPS unless you let the UTM perform MitM on your SSL. This generally causes more problems than it solves.
-
@momurda said in Content filtering options:
What do you have at the site already?
Many firewall devices have this stuff built in now.
I could block anything by category or even strings 'cricket' 'viagra' stuff like that. Any traffic passing through the interface out to the web gets inspected.
Any requests that use these words get blocked with a warning in the browser and logged.
Not quite the same as a dns filtering though.There is a crappy Cisco ASA firewall there. Yuck.
-
Oh that is too bad.
-
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
-
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
-
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
For ONLY Whitelist, DansGuardian, then.
-
@scottalanmiller said in Content filtering options:
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
For ONLY Whitelist, DansGuardian, then.
Does that do DNS filtering now?
-
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
For ONLY Whitelist, DansGuardian, then.
Does that do DNS filtering now?
No, but it does whitelist content filtering, which is what he had asked for. You could point it to a DNS filtering service for an additional layer, of course.
-
Webroot DNS on the endpoints?
-
DNSFilter and Censornet are products I have used.
-
-
@smitherick said in Content filtering options:
Webroot DNS on the endpoints?
Interesting... I'll have to check into that. We already run Webroot endpoint AV.
-
You can use dnsmasq to achieve what you want. It will block all requests except the domains you choose. You have to add the following to your dnsmasq.conf file.
bogus-priv domain-needed no-resolv # blocks the usage of your resolv.conf file and hosts files, and only allows upstream servers set in this file. # Whitelist - will forward dns request to the following domains server=/mangolassi.it/1.1.1.1 # Dns to which to forward the allowed request
-
@romo that looks pretty easy, but we need at least 3 different levels of filtering that can be applied to users or groups.
-
@rojoloco that does change the complexity of the solution then.
Crazy idea, if you have any sort of configuration management tool, you could still do one vm, 3 dnsmasq containers and push manual dns settings via the config-management tool to your users to their respective dns server.
-
@romo said in Content filtering options:
@rojoloco that does change the complexity of the solution then.
Crazy idea, if you have any sort of configuration management tool, you could still do one vm, 3 dnsmasq containers and push manual dns settings via the config-management tool to your users to their respective dns server.
Looking only at hosted solutions, we have no extraneous hardware at that site and it's a 100% windows shop.