Block sites that are not present in your database
I do not know if it's a good idea, or whether it can be accomplished with a DNS service. I think, for FamilyShield DNS, it is important to block sites that are not already marked. Therefore it seems appropriate to block sites that are not present in your database.
Thanks and sorry for my bad English
-
What do you mean that "OpenDNS has access to all registered domains" and how do they have this access?
How can OpenDNS automatically tag new domains? What is the mechanism for this capability?
Not all domains are associated with a website, so how are they supposed to do this word search on all new domains?
How is OpenDNS supposed to "look to see" if a login is required for a specific website, and how does that automatically make that website a portal? I have to sign in to my webmail. Does that mean its domain should be reclassified as a portal?
How are links to other domains supposed to provide an initial categorization for a domain? Do you think that all links from a particular website only point to websites whose domain is categorized the same as the site you are linking from? Didn't you already say that this is supposed to be done by searching webpages or looking for a login form?
-
@mattwilson9090,
1) OpenDNS is a domain name server, but does not (in general) host domain names. Instead it forwards requests towards root name servers and caches results. In this way, it has access to all registered domain names.
2) Any domain name request that is not tagged or categorised in OpenDNS database is, by my definition, a new domain name. By 'new' I mean an uncategorised domain name which is what OP was requesting (I may have caused confusion by using 'new' instead of 'uncategorised').
3) True. In this case, no initial categorisation can be made based on site words.
4) OpenDNS has this definition for a portal: "Sites that offer gateways to the Internet as a whole, often including bundled services on their own site."
https://community.opendns.com/domaintagging/categories
So, I got that wrong. Thanks.
5) Again, I was suggesting a way to establish an initial categorisation for review. If this does not work then forget my idea.
-
The only way this feature will ever be added is by keeping it as simple as possible. Currently sites are categorized by OpenDNS into one of several types, plus uncategorized. OpenDNS allows you to mark each type as blocked or unblocked. Currently uncategorized is never blocked. The proposed feature has two elements:
1. There is a new selection somewhere that says whether uncategorized is blocked or not.
2. This new selection defaults to UNBLOCKED for backwards-compatibility and to address various miscellaneous concerns.
This feature is available in several commercial filtering products. None of OpenDNS's products, free or not, have this feature. For typical family use, this is a relevant and (for me) serious omission.
Thanks.
-
1) OpenDNS does not host *ANY* domain names (with the possible exception of the domain names that the company owns and uses). It is essentially a recursive DNS service with many additional features layered on top of that, features that can generally be lumped together as security or filtering services. What you describe is how *all* recursive DNS servers work, namely, they receive a request to resolve a DNS request, and forward that request to another server, until they reach a server that satisfies the request from cache or is the authoritative server for that domain. This has absolutely nothing to do with categorizing domains, either manually or automatically. It's just how the internet works.
2) As for your suggestion about tagging "new" or "uncategorized" domains in the manner you described, have you read the entirety of this and related threads and actually understood all the problems inherent in such tagging and blocking? Do you understand how many tech support issues, complaints, accusations, and bad reviews that ignorant people turning on such a feature would cause for OpenDNS?
3) Then what is the point since only a small fraction of domains could be categorized in this manner?
5) An initial categorization done this way, especially since you didn't offer any explanation of how this is supposed to work, or why you think it would work, is often going to be wrong. Initial, but wrong things, when there are literally millions of things to be looked at, often become permanent and no one ever goes back to review them. This would actually cause far more problems than it would solve by having domains not categorized at all. Especially since you want several different mechanisms to provide all of these initial categorizations.
-
@howfamily OpenDNS does not categorize sites, pages, content, or anything else. It only categorizes domain names. There is a huge difference there. Also, there is no "uncategorized" category. A domain is either categorized or it isn't. If it isn't it doesn't somehow end up in an uncategorized listing that can be manipulated somehow. Also, categories can only be blacklisted, they cannot be whitelisted. Whitelisting is only available for individual domains, such as if you want to block the search engine category, but then allow the domain for the specific search engine(s) that you want to allow on your network.
I don't know what other commercial products you are referring to, and especially not if some of them are hardware, software or cloud based (OpenDNS is cloud based). But if you feel this is enough of an omission you are always free to use those competitors' products. Of course, you would have to pay for those products, whereas you can get OpenDNS free for home and family use.
I don't see this being a feature that OpenDNS will ever add to their free product. The feature set for the free product has been established for years, basic DNS based filtering and security, and any new features are being added in paid products. As it is, I don't see OpenDNS ever adding this type of filtering to any of their products, no matter how much an individual may be willing to pay for it.
-
Let's not make this unnecessarily complicated. Currently, when a domain name passes through OpenDNS, it uses a sort of database to categorize it into one of about 60 categories. The user has the option to indicate whether each category should be blocked or not. The proposal is that, AFTER categorization, we improve the block/no-block decision. Instead of applying the user's preferences only to the categorized domain names, and allow all uncategorized domain names to be unblocked, we add one more selection choice for uncategorized domain names. When the current categorization returns "uncategorized", this new choice selection would determine whether the uncategorized domain name is blocked or not, rather than always unblocked. That's it. Now, I don't have the list of all filtering products that include this feature, but I know they exist, for my employee uses one. I suspect Barracuda also supplies this feature. The feature is useful to me, it can default to OFF to avoid bothering anyone, it is available in competing products, and it is not currently available in any OpenDNS product the last time I checked. I would suggest they add it -- it is a very small change indeed that would be useful to many I suspect. As you can see, the behavior of this new uncategorized selection is the same as the previous category selections. You could view this feature as blacklisting uncategorized domain names, if you want (when it is enabled by the user). Thanks.
-
What is being made unnecessarily complicated? You had some factual errors in your posting. I pointed them out, and explained how things actually work.
Also, OpenDNS does not use a database of any sort (sort of) or not when a domain name passes through it (what does pass through it even mean) to categorize domains. It is a manual process, usually done by people "nominating" and voting on categorization, which is eventually finalized by a person, but there are also ways that OpenDNS employees can bypass that and set a categorization.
I'm well aware of what the original proposal in this thread was. I'm also aware of what some others have tried to turn this proposal into.
Again, there is no categorization of "uncategorized". A domain is either categorized or not. There is no separate "uncategorized" category that can be worked with.
What you are describing is a pure whitelist function, whereby everything is blocked unless the domain is either explicitly whitelisted, or the category selected is whitelisted (that's what happens when you select specific categories to block and then block everything else that does not belong to a category). I perfectly well understand that. I also understand the potential and likely problems with such a system, especially with so many users of the free product who really do not understand how the internet works.
As for other services, Barracuda is a hardware and software based service. Completely different from OpenDNS, and not something I've worked with lately as they aren't in the market spaces I work in. Like I said, you are always free to use them if you'd like. However, OpenDNS has decided, and stated elsewhere that this is one of many suggestions that they will not implement. Since this is a free product, you are always welcome to use another free product that provides the features and services that you want.
This feature is a very small change in concept, however it is a *huge* change in functionality, and attendant support issues. But no, the behavior of this uncategorized selection is not the same as the previous category selections. It is a fundamental change in how things work, and essentially transforms blacklist selections into a whitelist only service (though only for those who choose, wisely or not, to turn it on).
-
Actually, I thought you were correcting one of today's other posters, who made a complex proposal about (auto?) categorization. I will repeat what I'm talking about for clarity.
Currently OpenDNS has a table that takes the customer's IP address and returns info like (name, email, block/no-block for 60 categories).
This would change to (name, email, block/no-block for 60 categories, block/no-block for stuff not falling into previous categories). There would be an addition to the web GUI customers see to update the final field. This new final field would default to no-block, which would yield the current behavior.
There would be no change to OpenDNS's current categorization process at all. Accessing the store of information that indicates the category of each domain name would not change, nor would the information (domain name, category) in it change either.
The second and final thing that WOULD change is when a customer's DNS queries go through the OpenDNS server. Previously we had:
if (domain not known) then NO BLOCK else if domain's category not marked as block in user's IP's info then NO BLOCK else BLOCK
The first "NO BLOCK" above would be changed to "if user's IP's new field is NO BLOCK then NO BLOCK else BLOCK".
That's it. If you don't ask for the new feature, you are not affected by it. It defaults to Off.
The current functionality can be viewed as whitelist or blacklist if you ignore uncategorized. If you pay attention to categorized, OpenDNS provides a blacklist by category. It is true that turning on this new feature means you get a whitelist by category. This "change" applies only to those who request it.
Thanks
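The decision change described in the post above, as an added example that is not part of the original post and is not OpenDNS code. The category names, the `.test` domains, `NetworkPolicy`, and the assumption that a subdomain inherits its parent's category are all hypothetical; the point is to show which lookups flip when the proposed flag is turned on.

```python
from dataclasses import dataclass, field, replace

# Constructed sample data: a stand-in for the (domain name, category) store.
CATEGORY_DB = {
    "example-news.test": "News/Media",
    "example-casino.test": "Gambling",
}

# Constructed sample: names one page load on a categorized site might resolve.
PAGE_LOAD = [
    "www.example-news.test",      # the categorized site itself
    "static.cdn-assets.test",     # uncategorized CDN host serving its assets
    "api.telemetry-vendor.test",  # uncategorized non-website support service
    "example-casino.test",        # categorized and blocked either way
    "xrz57-unknown.test",         # uncategorized domain the proposal targets
]


@dataclass
class NetworkPolicy:
    blocked_categories: set = field(default_factory=set)
    allowlist: set = field(default_factory=set)   # individually allowed domains
    block_uncategorized: bool = False             # proposed field, defaults to off


def lookup_category(domain, db=CATEGORY_DB):
    """Return the category of the domain or its closest parent, else None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):              # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in db:
            return db[candidate]
    return None


def decide(domain, policy):
    """Apply the post's pseudocode, with the first NO BLOCK made configurable."""
    name = domain.lower().rstrip(".")
    if name in policy.allowlist:
        return "NO BLOCK"
    category = lookup_category(name)
    if category is None:                          # "domain not known"
        return "BLOCK" if policy.block_uncategorized else "NO BLOCK"
    return "BLOCK" if category in policy.blocked_categories else "NO BLOCK"


def newly_blocked(queries, policy):
    """Names that go from NO BLOCK to BLOCK once the flag is enabled."""
    off = replace(policy, block_uncategorized=False)
    on = replace(policy, block_uncategorized=True)
    return [q for q in queries
            if decide(q, off) == "NO BLOCK" and decide(q, on) == "BLOCK"]


if __name__ == "__main__":
    policy = NetworkPolicy(blocked_categories={"Gambling"})
    for name in newly_blocked(PAGE_LOAD, policy):
        print("blocked only with the flag on:", name)
```

With the flag on, every name absent from the category store is refused unless it is individually allowed, which is why the uncategorized CDN and API hosts stop resolving alongside the unknown domain.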
-
@howfamily No, I was correcting the errors in your own post, hence why I put the @howfamily at the beginning. Especially when you talked about OpenDNS filtering sites. That is a fundamental misunderstanding of how this service works. OpenDNS only cares about domain names, nothing else.
I already understand what you are talking about. Repeating it over and over won't change the nature of what you are asking for, or make your inaccurate statements of how OpenDNS works suddenly true.
And no, OpenDNS does not take a customer's IP address and return the information you describe. It receives a DNS request, and returns an IP address for a specific domain name. It *always* returns an IP address, whether or not someone is a "customer" with a registration on the dashboard. Sometimes that IP address corresponds to a webpage hosted by OpenDNS for blocked results, other times it's the "published" IP address for the domain in question. It doesn't return any name, email, block/no-block, or any other information, only an IP address.
None of that changes that what you are asking for, i.e., some manner to block uncategorized domains, would turn a blacklist system into what is effectively a whitelist only system. With all the attendant advantages and disadvantages of such a system. Whether or not it would be an opt in feature that's still a *huge* change for OpenDNS to support, especially on a free product. This is not at all the "minor" change that you are trying to imply that it is.
-
cobalt-phoenix is correct that we have to wait for OpenDNS. I spoke with them directly a year or two ago and they didn't even seem to understand why people would ask for this. (Many of us have already presented arguments above.) Even if they did understand, they would then need to decide if they want to do it or not.
I was not implying that this is a simple change, I was directly saying it is a simple technical change. It is correct I didn't address the support issues. Only OpenDNS can measure their magnitude and decide if it's worth it or not to them. I imagine support issues could be (at least somewhat) contained by how the extra choice is presented on the webpage that already has the other block/no-block choices for the 60 categories. I'm certainly OK with making the new option hard to get to, or having warnings, etc. I suspect the naive view of "uncategorized" as simply a final catch-all category would be easier to understand and support than our more "sophisticated" view that this new option can change a blacklist into a whitelist.
Finally, I did not say OpenDNS returned that info. I said (something functioning as) a table inside OpenDNS did during internal operations. That's all. In the future I will restrict my descriptions to externally-visible behavior to avoid this confusion.
Thanks
-
How do you know that this is even a simple technical change? Do you have access to OpenDNS code base? The only thing that anyone can say for certain about simplicity regarding this is that the concept itself is simple. The implementation and ongoing support, especially ongoing support will likely be problematic. I have no idea how significant the coding changes themselves will be without access to the underlying code and how things are structured.
There is no question about it, this change *will* change the functionality from being a blacklist service to a whitelist service. Regardless, people will select this because they think it's "more secure" or "safer" without understanding the implications, and how many things on the internet will be broken since many of the non-website support services will no longer work and it will take some digging to figure out why. In the meantime people will be screaming, in this forum and other places, about how OpenDNS is "breaking the internet". There will also likely be accusations of censorship, government collusion and anything else that the ignorant do when they just choose things without understanding them. It would be especially bad with the free service and the many home users who barely understand what a router does, let alone how the internet works, especially when it comes to relationships between domains and websites, and who absolutely do not understand that the worldwide web is only a portion of the internet.
Actually, with the word choices you used you were saying that OpenDNS returned that info. More than once in your recent posts you have come off as extremely ignorant of how things work, yet you are using those statements of how things work to support adding this feature. If you don't want to present your words as being misleading at best, wrong at worst, you need to take better care of how you are writing.
-
I was attempting to make comments and descriptions about technical issues. I made the mistake of describing some of these in terms of non-observable behavior, which I already acknowledged. I left the support issues to OpenDNS to decide. In fact, they will decide everything, won't they? Please follow my example of avoiding irrelevant descriptions of posters here. Since we've now all acknowledged we have the same understanding of this topic, I hope we're done. Thanks.
-
LOL. When discussing technical issues it's usually best not to describe *as fact* things that you don't know anything about, especially behind the scenes things. As for describing posters, I have been only responding to technical descriptions here, and characterizing your own words and posts (and those of others). I have not commented on anything outside of that, including your qualities as a person. It's an open forum, anything you post here is fair game, especially if it's wrong or inaccurate. If you don't want someone to respond to it, especially critically, then don't post it. And no, I don't think we all have the same understanding of this topic, especially the technical issues, and so long as I see wrong or misleading things posted here I'll respond to them if I have the time or inclination to do so.
-
I should probably start a new thread encouraging forum members to ease up and be helpful. Let's not discourage others from joining the community because we feel the need to nit-pick and attack every idea that we disagree with. I completely understand that we need to explain the difference between HTTP and DNS to some newbies, but that can be done gently. For the rest of us that understand the difference between a site and a domain, let's translate in our own heads and not attack ideas that are technically plausible. I'm certain the real developers are smart enough to do the same. It doesn't take a paragraph to state that you don't like an idea due to supportability concerns... LOL, but apparently I needed one to say, "Oh, behave," in my best Austin Powers voice!
-
@Derson; thanks, I do agree. Unfortunately only a very few but active negativists are enough to break the motivation of people to bring ideas. If the idea is realistic or not is another question, however techies (or people who believe they are...) could sometimes be surprised how some ideas from newbies can be bright but not always explained correctly.
57 votes is indeed not a lot, but the most popular idea has 481 votes... is the idea bad then, or does it show how active (or demotivated ?) OpenDNS users are ? So let's go back to a positive approach for the best of OpenDNS... and of us ! ;-)
-
"57 votes is indeed not a lot"
It is not only not a lot, it is less than nothing, given the some 50 million OpenDNS users. As you can clearly see, from a statistical perspective nobody really wants it, or better only 0.00000114% want it. For me this looks like *nobody*. Don't try to convince me to the contrary.
-
@cobalt-phoenix - You may not realize it, but the majority of users do not know about or care to get involved in the forums. But of those who DO get involved, this idea is the top 8th (or 6th depending on how you look at it) most popular idea.
Although I'm sure from your comment you still won't be convinced.
-
I'm an enterprise/umbrella customer. I deal with a dynamic and relatively complex corporate environment with on-site and traveling users. We have a family comprehensive security stack where we employ multiple technologies on-site and in the field to protect our users and data.
Without getting into the preceding argument (which isn't very productive), I can say I very much want a version of something like this. For example, on my NGFWs I have a "dynamic block list" which pulls from a text file of IPs/ranges hosted on a web server. All I have to do is update that file to update my dynamic block list which in turn is periodically processed by my NGFW. I think it would be great if our Umbrella service offered the option for me to have a dynamic block list of domains, or at least the ability to specify a RBL. This potential for abuse or false positives could be mitigated by classifying this list as "suspicious" thereby causing any access to go through the OpenDNS smart proxy (or give me the ability to specify the category and I'll deal with the positive/false positive issues via my own ops). This would allow me to extend the protections I have on-network to my devices that are off-network using Umbrella.
For example, abuse.ch has a great ransomware tracker at https://ransomwaretracker.abuse.ch/tracker/ They also have RBLs at https://ransomwaretracker.abuse.ch/blocklist/ While many of these domains are already on OpenDNS's radar, many are *not* based upon my unscientific searches of the list using Investigate (as of 20160510 17:10 EDT beverlyhillssilver.com is listed as distributing locky on abuse.ch but is listed as benign in Investigate). While the merits or validity of alternative lists can be argued ad nauseam, there is little argument to the benefit of an individual customer/user being able to dynamically and regularly update their own list of sites.
The ability to reference an external list that I maintain would be extremely valuable. I already do it with my NGFWs and would like to do it across my entire environment using Umbrella. I have a feeling I'm not the only enterprise user who would like this and I don't think there is much use in arguing who does and does not want it when the feature set is something that would enhance the product as a whole and make it comparable to other protective products. So get back to talking about the idea proposed instead of basing people's opinions about the technical feasibility or perceived reception of the idea. Thanks.
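A sketch of the customer-maintained domain list described in the post above, as an added example that is not part of the original post and does not use any Umbrella or NGFW API. The feed format (one domain per line, `#` comments), the function names and the `.test` entries are assumptions; the feed is validated before use so that a malformed or overly broad entry cannot block more than intended.

```python
import re

# Constructed feed: these entries do not come from any real blocklist.
SAMPLE_FEED = """\
# constructed sample feed, one domain per line
bad-payload.test
  Tracker.Bad-Cdn.TEST.   # trailing dot, mixed case, inline comment
test
not a domain
203.0.113.7
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_feed(text):
    """Return (accepted domains, rejected (line number, entry) pairs)."""
    accepted, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue                               # blank or comment-only line
        labels = entry.split(".")
        valid = (
            len(labels) >= 2                       # a bare TLD would match everything under it
            and len(entry) <= 253
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit()           # IP addresses belong in the IP list
        )
        if valid:
            accepted.add(entry)
        else:
            rejected.append((lineno, entry))
    return accepted, rejected


def refresh(previous, text):
    """Periodic update: keep the last good list if the download yields nothing usable."""
    accepted, rejected = parse_feed(text)
    if not accepted:
        return previous, rejected
    return accepted, rejected


def classify(qname, blocklist):
    """Tag a query "suspicious" if it is a listed domain or a subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):               # compare on label boundaries only
        if ".".join(labels[i:]) in blocklist:
            return "suspicious"
    return None


if __name__ == "__main__":
    current, skipped = refresh(set(), SAMPLE_FEED)
    print(sorted(current), skipped)
    print(classify("cdn.bad-payload.test", current))
```

Returning a "suspicious" tag instead of a hard block mirrors the post's suggestion of routing such lookups through a proxy for inspection.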
-
@dmunroe All of this may be true, especially for an Umbrella user supporting an enterprise network. Unfortunately it isn't at all on topic. The topic of this thread is the ability of blocking *all* uncategorized domains. That's quite different from some sort of dynamic blacklist, especially if that list is accessing external sources.
Could you please post this idea in its own thread, so that it can be voted on according to its own merits, and leave this idea, and its related voting, to be voted on separately?
-
I've been in the Information Security field for 14 years, and I cannot stress this enough. This needs to be implemented because as it was previously stated, it is a Security Best-Practice. I agree that it needs to be optional, instead of automatically included in the FamilyShield, but it really needs to be implemented. Every company that I have consulted for has seen dramatic reductions (usually between 75%-90%) in new malware infections by ensuring that this is implemented in some way. I was really hoping to simplify my home network (I'm on vacation so I can finally catch up on some much needed home infrastructure upgrades), but I have to keep my current transparent Proxy Server in place specifically to catch the Un-Categorized sites. Come on OpenDNS, let's get this right!
-
Having the ability to block unclassified domains would be one amazing option that OpenDNS is currently lacking. It is totally unfeasible to whitelist tens of thousands of perfectly acceptable domains, not to mention, they only allow up to 50. For example, if you search for "naked people," most of the things returned in that search will be blocked if your content filter is set up properly. However, many of those returned searches will still take you to domains that could be something like XRz57.com. This could be full of material that your content filter should block, yet misses, because this domain has not yet been categorized. If we have the ability to block all unclassified domains this would be included in that and would therefore be blocked. So, you would still have access to tons and tons of perfectly safe, categorized websites, while simply blocking everything that has not yet been categorized.
-
Here you can read why this is not available: