Content filtering options
-
@scottalanmiller said in Content filtering options:
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
For ONLY Whitelist, DansGuardian, then.
Does that do DNS filtering now?
-
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
For ONLY Whitelist, DansGuardian, then.
Does that do DNS filtering now?
No, but it does whitelist content filtering, which is what he had asked for. You could point it to a DNS filtering service for an additional layer, of course.
-
Webroot DNS on the endpoints?
-
DNSFilter and Censornet are products I have used.
-
-
@smitherick said in Content filtering options:
Webroot DNS on the endpoints?
Interesting... I'll have to check into that. We already run Webroot endpoint AV.
-
You can use dnsmasq to achieve what you want. It will block all requests except the domains you choose. You have to add the following to your dnsmasq.conf file.
bogus-priv domain-needed no-resolv # blocks the usage of your resolv.conf file and hosts files, and only allows upstream servers set in this file. # Whitelist - will forward dns request to the following domains server=/mangolassi.it/1.1.1.1 # Dns to which to forward the allowed request
-
@romo that looks pretty easy, but we need at least 3 different levels of filtering that can be applied to users or groups.
-
@rojoloco that does change the complexity of the solution then.
Crazy idea, if you have any sort of configuration management tool, you could still do one vm, 3 dnsmasq containers and push manual dns settings via the config-management tool to your users to their respective dns server.
-
@romo said in Content filtering options:
@rojoloco that does change the complexity of the solution then.
Crazy idea, if you have any sort of configuration management tool, you could still do one vm, 3 dnsmasq containers and push manual dns settings via the config-management tool to your users to their respective dns server.
Looking only at hosted solutions, we have no extraneous hardware at that site and it's a 100% windows shop.
-
Can you get away with forcing them all to use Internet Explorer? Is that a realistic option?
Or are you 100% set on a paid hosted DNS solution?
-
@obsolesce said in Content filtering options:
Can you get away with forcing them all to use Internet Explorer? Is that a realistic option?
Or are you 100% set on a paid hosted DNS solution?
They have to use multiple browsers for the testing they do. I'm not necessarily set on a DNS solution, but that seems like it would provide some protection from malicious sites in addition to being able to block time wasters. Hosted and easy to manage are the main goals (hard to fix hardware in India from Atlanta).
-
@rojoloco said in Content filtering options:
@obsolesce said in Content filtering options:
Can you get away with forcing them all to use Internet Explorer? Is that a realistic option?
Or are you 100% set on a paid hosted DNS solution?
They have to use multiple browsers for the testing they do. I'm not necessarily set on a DNS solution, but that seems like it would provide some protection from malicious sites in addition to being able to block time wasters. Hosted and easy to manage are the main goals (hard to fix hardware in India from Atlanta).
Going the DNS route, what's your plan?
Change the DNS servers on each PC there, and on the edge firewall or whatever you have there?
-
@obsolesce pretty much. They have a Cisco firewall on site, I can gpo the rest, they are part of our domain. If it works well, we will likely use it in our office once our subscription for websense expires. What a clunky POS.
-
A proxy server like Squid Proxy would be so perfect for this, especially with whitelisting... but since you can't have anything there...
Just use the best cheapest DNS filtering service you find... I seen a bunch listed above like DNSFilter.com.
See if any of them have any trials and pick the one that is the easiest to manage that works the best.
-
@obsolesce said in Content filtering options:
A proxy server like Squid Proxy would be so perfect for this, especially with whitelisting... but since you can have anything there...
Just use the best cheapest DNS filtering service you find... I seen a bunch listed above like DNSFilter.com.
See if any of them have any trials and pick the one that is the easiest to manage that works the best.
I'm going to hit up a couple of them after lunch with my list of questions. So far, DNSFilter and Strongarm are top of the short list. Thanks to everyone for the suggestions, evaluation phase is coming soon.
-
@rojoloco said in Content filtering options:
@smitherick said in Content filtering options:
Webroot DNS on the endpoints?
Interesting... I'll have to check into that. We already run Webroot endpoint AV.
Should make it easy to deploy or test. I have it deployed with a few folks.
-
@smitherick said in Content filtering options:
@rojoloco said in Content filtering options:
@smitherick said in Content filtering options:
Webroot DNS on the endpoints?
Interesting... I'll have to check into that. We already run Webroot endpoint AV.
Should make it easy to deploy or test. I have it deployed with a few folks.
I have webroot av and was curious about how well the DNS feature would work. My main concern is if there is a way for it to recognize internal AD DNS vs external DNS requests. If I have devices that are domain-joined and are remote on or off the VPN or they come to the office and connect to the WiFi, how does it deal with internal name resolution?
-
NxFilter is a decent content filter. The pricing is reasonable as well. It allows you to filter by authentication tokens, ip addresses, or username via ldap. They also have a couple additional tools to help prevent the running of certain applications.
-