Block sites that are not that are not present in your database

Comments

117 comments

  • Avatar
    bizztim

    Matt...  Whitelist on a per site basis?  Or can you whitelist on a per group basis as this would work too.

    0
    Comment actions Permalink
  • Avatar
    mattwilson9090

    Whitelist on a per domain basis, since OpenDNS is a DNS service it only sees DNS lookups, it know nothing about sites, only domain.

    By groups I assume you mean categories. I'm still using OpenDNS Enterprise where I can't whitelist categories, but I don't know about VIP Home or any of the other paid home products. Whitelisting by categories would be easier, but if not, at least with the pay products you'll get 50 whitelist slots to work with instead of the 25 you get with the free products. Plus, with the pay products you do have the ability to use a bypass code, so it would be easier to manage a whitelist only environment if the whole idea behind this is to keep kids off of sites you don't want them seeing.

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    "Whitelist on a per site basis?  Or can you whitelist on a per group basis as this would work too."

    This depends on your definition of "site" or "group".  These terms are not part of the Domain Name System (DNS), but only zones, domains and subdomains are.

    For example, if you whitelist (or blacklist) google.com, then this domain (zone) name and all its subdomain names and aliases (CNAME) are affected.  Would this be "site" level or "group" level?  I would call it zone level at the best.

    0
    Comment actions Permalink
  • Avatar
    bizztim

    My apologies.  I should have said from a content filtering point of View.  So Can I block everything and just open up those items I choose within Content filtering.

    0
    Comment actions Permalink
  • Avatar
    hanny1234
    I think the problem we are trying to solve is block those sites that nobody wants their kids on but they change their domain urls frequently to avoid getting categorized by filtering sites. The only way to do that is to block uncategorized sites.
    0
    Comment actions Permalink
  • Avatar
    picardfamily

    Yes, that is correct. I have the VIP service and using the whitelist is not a great option for every day use.

    0
    Comment actions Permalink
  • Avatar
    rotblitz
    Having an option to block uncategorized domains whould not be a "great option for every day use" either. You can't imagine how many uncategized domains there are, but essential for websites to work, so many people would come to here again to complain about domains still not being categorized...
    1
    Comment actions Permalink
  • Avatar
    picardfamily

    If people are going to complain about domains not being categorized, then they don't have to use the option. It should not be checked by default. Just an option to use it would be nice.

    0
    Comment actions Permalink
  • Avatar
    bizztim

    It is interesting your argument rotblitz and don't get me wrong I understand it!  I work for a big company and Unclassified websites are blocked.  If we have an issue with that we can have Mcafee Classify it or we can have our internal IT security department whitelist it.  Most people searching items do not usually have an issue with this and you would not encounter an unclassified website too often.  Again if you do though it is only a matter of someone saying HEY I don't think that should be blocked and then asking the Admin to whitelist it.

    I certainly hope OpenDNS is looking at this thread and is in process of creating an option for this.  Even if it is apart of the Home VIP....

    1
    Comment actions Permalink
  • Avatar
    mattwilson9090

    @hanny1234 I think that's the problem you are trying to solve. Most here don't seem to be that narrow or specific in what they are looking for. They seem to want to block all uncategorized sites, regardless of if they are video sites or rapidly changing their domain names.

    @picardfamily That doesn't mean that people who chose to block uncategorized sites wouldn't complain about the problems it causes, or wouldn't start screaming here and on other sites how OpenDNS "broke" the internet for them. My years of experience in supporting IT and other technical products tells me that for a number of reasons people would check it, have no clue what they were doing, then complain about the problems and demand that others fix whatever is screwed up with OpenDNS. They'd insist that there were no problems with their configuration, and that whatever the fix was it would have to include blocking uncategorized domains still "work" for them.

    @bizztim I'm sure that at least one person from OpenDNS is reading this thread. I'm not sure if any of them have responded to this or similar threads, but I'm sure that one of the first thoughts they have is the potential, if not likely, nightmare support scenario that this would create for them. Personally speaking, for such a broadbased userbase as OpenDNS has I wouldn't implement it. The potential downside of a black eye from something like that is far more likely than the downside of not implementing it for what are likely a relative handful of users, many of whom don't even pay for the service.

    Besides which, OpenDNS does already have an option in place, whitelist only with bypass page and the option to send a message to admins to whitelist additional domain as they are encountered. Of course that option does require paying for the service.

    0
    Comment actions Permalink
  • Avatar
    howfamily

    As written above, when using "Custom" filtering there should be an "Uncategorized" button, Then EVERY domain lookup is controlled by at least one (hopefully exactly one) of the buttons. The Uncategorized button is normally not checked and thus you are using the other buttons to build a blacklist by category. If you check Uncategorized to block uncategorized sites, then you are in effect using the other buttons to build a whitelist by category. This is easy to understand and this additional behavior would not apply unless Uncategorized were checked.  Please add this -- I would buy VIP Home if it had it, but apparently it doesn't either. Thanks!

    0
    Comment actions Permalink
  • Avatar
    hanny1234
    I agree. I would also pay extra. It is frustrating that sites can change extensions and names to avoid being categorized and it makes parent controls useless. This is the only solution.
    1
    Comment actions Permalink
  • Avatar
    mattwilson9090

    @howfamily and @hanny1234 You both say that you would pay extra for this, so what are you paying for now? If you get one of the pay products, most likely VIP Home or Umbrella Prosumer (since I assume you are home users), you have a "whitelist" only option as well as the option to use a bypass account or code.

    If you do that you'll be getting the same functionality that most everyone else in this thread is asking for, and OpenDNS won't have to provide support to people using the free product that will result when people choose to block "uncategorized" and start screaming that OpenDNS "broke the internet". I can certainly understand OpenDNS not wanting to support something like that in a *basic* product that they are already giving away for free.

    0
    Comment actions Permalink
  • Avatar
    ereedy

    I have been watching this thread for 18 months now, and I'm getting a bit frustrated with the nay-sayers who assume we all  must be a bunch of ignorant fools. Whitelisting is not the same at all, unless you expect me to whitelist a tens of thousands of commonly-used domains and all of the alternate domain names that are necessary to support them. I alone can't do that, but thanks to OpenDNS and the OpenDNS community, the data already exists. I don't want my family to only see a few hand-picked websites. I want them to have access to the vast majority of sites on the Internet. What I don't want them to have access to is rogue sites that are frequently used for phishing attacks. I also don't want them finding new and creative porn sites that pop up weekly and have yet to be included in filters.

    I work at a federal agency with over 5,000 workstations and our IT Security team considers our "Unidentified Sites" filter to be absolutely essential to our Internet security. Yes, probably once a day I run into a site I can't immediately access. It isn't a huge deal. If I really need access I request that it be reviewed and it is available within 24 hours.

    This isn't some bizarre, foolish, request. It is available as a standard feature in at least two different enterprise-class firewalls that have been used here at my office to manage IT security. Having the OPTION to add it to my filter preferences would greatly increase the utility of the OpenDNS service.

    1
    Comment actions Permalink
  • Avatar
    howfamily

    Wow,  @mattwilson9090 completely misses the point. First, the core of what I want is to specify what happens to sites not on any list -- in my case, I want to block them. I'm OK with that being non-default behavior I have to request.  According to @picardfamily, the VIP Home service does NOT do this,  and the individual domain whitelisting is not a substitute.  It's true I haven't looked into Umbrella of any kind, so I'll do that now. Just to repeat, here's what I want: Accept/Block each of the ~60 categories as I see fit (already supported), block all sites not categorized (only "accept" is supported), then individually accept/block a few sites to fix categorization mistakes/slowness (already supported).  A moment's thought will show that this "new feature" doesn't complicate categorization at all, which would be a problem for OpenDNS.  Thanks.

    0
    Comment actions Permalink
  • Avatar
    howfamily

    I just looked at the Umbrella options, and they offer "Whitelist-only", but the whitelist contains only domains, not categories. Thus, to my knowledge, none of OpenDNS's services can do what we're asking for, regardless of pay level.

    0
    Comment actions Permalink
  • Avatar
    bridaus

    I can't see how this could hurt.  If I'm smart enough to check off the "block uncategorized sites" and one of the kids whines at me that all these sites are blocked, I'll simply uncheck it, attempt to categorize it, or tell them to go pound sand.  I won't cancel OpenDNS because it takes one more positive step towards giving me control.  The arguments against this option are silly.  Whitelist argument is even sillier, I use OpenDNS because it's categorization makes it useful.  Whitelist is not an option for this use case.

    0
    Comment actions Permalink
  • Avatar
    toufou73

    I'm new to OpenDNS and I like it so far, but from what I have seen till now this is the big missing stuff ! This must be off course something the user can enable / disable and the error message must be clear (even better would be the option to have a link in the error message to the possibility to propose the site in a category). It fully depends why you are using categories and how critical the web access is for you but if it is to protect your children or to simply protect your pc from security threats, blocking the uncategorized is a must. Moreover the more people would block the uncategorized, the more the community will submit proposals for categorization of new sites. I only see advantages of having it: simple to implement @OpenDNS; it remains a choice for the user, and finally it will motivate the community to participate more in categorisation

    0
    Comment actions Permalink
  • Avatar
    hachieguy

    I'm new to OpenDNS as well and like this idea.  As stated previously, it should be an option with it turned off as default.  The admin page could easily have the option to submit a suggested category, submit for tagging AND add to the admins personal white list.  All fun stuff a computer could easily handle.

    0
    Comment actions Permalink
  • Avatar
    trillyuk

    I too like the sound of this idea. By now most "main" sites would have a category and its those that don't I would be interested in seeing who is trying to access it and for what. If its OK then can always add it to the whitelist.

    I would have thought OpenDNS would be able to generate some stats on sites with no category and if the idea was adopted make those stats available via the dashboard so at an account level you can see how many sites are visited prior to switching. This would enable an informed decision about your web usage and what settings are most appropriate.

    0
    Comment actions Permalink
  • Avatar
    bais.chinuch.filter

    Simply put, without the option to block all uncategorised sites OpenDNS cannot be used as a reliable filter. I would not allow my kids to used sucha filter as it is very unreliable, there are many unsavory sites that have not yet been categorised.

    Additionally an option to block all and allow white list only would be greatly appreciated.  

    0
    Comment actions Permalink
  • Avatar
    mattwilson9090

    This topic has been discussed ad nauseum so I'm not going to try to repeat anything. Basically if you don't like the feature set the FREE service offers you can always use another FREE service.

    However, one thing I will repeat that has also been stated ad nauseum. There is already an option to block all and white list only the domain that you want to allow. It's contained within the OpenDNS VIP pay product. At least then when you claim that OpenDNS "broke the internet" you'll be paying for some of the support time you'll be eating up because blocking that many domains en masse is going to seriously restrict your ability to access anything on the internet.

    0
    Comment actions Permalink
  • Avatar
    toufou73

    @mattwilson9090: it has been discussed ad nauseaum, but you still miss the point: the request is not to go for a per domain whitelist-only mode which is indeed available in the VIP and Umbrella Prosumer options (and which, to my point of view is useless) but for a per category whitelist-only mode, which does not exist, except probably in the Umbrella for business. It is therefore not a question of free or not, but to request a feature which doesn't exist at all. I would personally understand that we have to pay to use it and would be happy to go for VIP account if it was there.

    0
    Comment actions Permalink
  • Avatar
    picardfamily

    Yes, I agree with @toufou73, We are just asking for a feature that does not exist and for it to be an option for those of us that would like to use it. I have VIP and using just the whitelist is not a good solution, because you would have to list every site that you want to allow. Where as using the category feature it is easier. I have been using OpenDNS for over 10 years and this is the one piece that it lacks.

    0
    Comment actions Permalink
  • Avatar
    ereedy

    @mattwilson9090: Please don't make harsh comments when you don't know what you are talking about. As I've said before, I know exactly how restrictive this would be since I deal with it daily at work. Like I've said before, I work in a Federal agency with over 4,000 users and we utilize a firewall with this feature. Once or twice a day I'll click on an obscure domain (say the personal domain of the blog of a friend) and I'll get a notification that says (quoted from the actual error page):

    Based on your corporate access policies, access to this web site ( http://www.t*****s.net/ ) has been blocked because the web category "Uncategorized URLs" is not allowed.
    If you believe this page has been misclassified, use the Site Review Request link to report this misclassification. Request Categorization

    It is a slight pain but I am willing to live with it. This feature is implemented in many business level firewalls. I have been a VIP customer in the past and I am willing to pay for the feature now.

    0
    Comment actions Permalink
  • Avatar
    yajeec

    +1

    0
    Comment actions Permalink
  • Avatar
    wongfow

    Personally this would be a great help. Users are always finding new proxies to get around any blocks so an unclassified/unlisted category would resolve this.

    0
    Comment actions Permalink
  • Avatar
    dfagan1036

    I've been an IT security professional in the financial industry for 20 years.  This is now considered a best-practice setting for security in business and home users would benefit as well.  Its shocking how really un-impactful this change is to most users.  Every now and then we have to categorize someone's Orthodontist's website, but that's the biggest pitfall we've seen.  I would really like to see this as an option that users can select if they want.  I would use it at home today if available to me.

    0
    Comment actions Permalink
  • Avatar
    derson

    Blocking uncategorized or newly created domains is a best practice used by most governments and large companies; granted, this is usually performed at the web proxy and not directly through DNS.  OpenDNS Umbrella supports the NoTag/CatNone/NoCat/UnCat process through the Investigate API.   https://enforcement-api.readme.io/docs/domain-acceptance-process  --  "Is the status of the domain uncategorized? A domain is considered uncategorized when the OpenDNS Investigate API returns a score of 0. If a domain is uncategorized, it is added to the OpenDNS customer’s block list."

    While this 33 month old suggestion is not extreme, I understand the concern of many that it may not work as expected because the way that OpenDNS categorizes web pages using us humans: https://community.opendns.com/domaintagging/   This is very different from many other proxy providers like BlueCoat/K9 & WebSense who use racks of computers to auto-categorize everything they see and change categories very rapidly.  With only 3.2M / 10.4M submitted tags decided, there are probably 100M additional domains tagged automatically within Umbrella or stuck in the untagged bucket.

    I believe offering Uncategorized as a bucket for individual users to use when customizing their individual category whitelist should be an option, and while it may not work for some people, I believe my family will be happy with the 3.2M+ domains already categorized.  The current method of redirecting to http://block.opendns.com works well & my family often contacts me because of those blocks.  The existing page could be updated to include information on the risks of new & uncategorized sites along with a link to the community domain tagging page.  The side benefit is that the community of taggers may grow.

    0
    Comment actions Permalink
  • Avatar
    philcolbourn

    OpenDNS has access to all registered domains.

    OpenDNS can automaticaly tag new domains as Uncategorised/New.

    OpenDNS could run a word search on some top-level pages of new domain to provide an initial categorisation for review.

    OpenDNS could look to see if a login is required and tag domain as a portal.

    OpenDNS could look at links on pages to other domains that are already tagged to provide an initial categorisation for review.

    0
    Comment actions Permalink

Please sign in to leave a comment.