time-based website blocking

Comments

  • rotblitz

    OpenDNS has nothing to do with websites or connections but is a DNS service.

    Duplicate of https://support.opendns.com/entries/26854350-Add-a-time-limiter-on-domains

  • toufou73

    The proposal here is not a duplicate of the link mentioned: the request in the link asks for an elapsed time: as from the moment I start using a site, close it after 15min. This is, to my point of view, impossible. However, here the proposal is to use a time window, which is perfectly feasible: we can say that at night a / all categories or white/black lists are blocked. It is far from being impossible to do but would require some development; if I were at OpenDNS I would develop it, but for VIP / Business only.

  • samsyst

    This one overlaps with https://support.opendns.com/entries/52001550-Time-based-filtering. I would like to have that too, but somehow OpenDNS says there's some technical difficulty.

  • toufou73

    I see one drawback / limitation however: if the DNS resolution is done during the allowed time window and doesn't need to be refreshed afterwards, the site will remain "available" until it has to query the DNS again; but I don't think it is a big concern in the vast majority of situations.

  • mattwilson9090

    @toufou73 That limitation is exactly the reason that a DNS service can't be relied upon for time based blocking. Due to caching at various levels (including on the local machine, possibly a local DNS server or router, ISP caching, plus various kinds of browser caching, plus the variability of DNS expiration times that are set by the domain owner, not the DNS provider) there is no way to ensure that the blocking is consistently applied, and no company wants to provide a service that won't consistently do as advertised. That is why time based blocking needs to occur at the local level, either on the router, or perhaps in conjunction with locally installed software.

  • samsyst

    It would still help if OpenDNS implements time based policies. No need to worry about local caching. Best case is it works as intended, worst case is the local cache sends stale DNS info instead of relaying to OpenDNS, which is not worse than it is now.

    Bottom line is, if OpenDNS offers time based filtering, local cache can be controlled to make it work.

  • mattwilson9090

    So you think that a company should offer a feature to a service that won't work reliably or consistently, and would require manual intervention to make it work that is beyond the comfort or skill level of many of the users who use their free home based product? Not to mention the problems that small businesses who use their pay products are going to have chasing down DNS caches to clear them, especially if they don't have a full-time IT staff but rather an IT consultant who charges them by the hour.

    Yes, much of that can be automated by scripts, but before running those scripts someone has to recognize that it's necessary to run them, which is not always a sure thing since it's likely the person going to the "blocked" domains wants to circumvent restrictions anyway, and then scripts would need to be created that would cover the entire environment.

    So will you volunteer your time to help handle all the additional support tickets and complaints on this forum when OpenDNS isn't blocking things that should be blocked? There are already enough complaints of that on this forum as a result of people not flushing their caches. There will be a lot more if unpredictable time based blocking is added to the mix.

  • toufou73

    My 2 cents proposal: use the same client as the DNS Updater, or a different one, to flush the cache. It would imply, however,

    1/ that the flush would happen something like once an hour (more regularly would imply more DNS requests, and then more traffic at OpenDNS)

    2/ that the time based filtering can only be based on hours not minutes (but who would ask for minutes?)

    3/ that the client must be deployed to take effect (which is probably valid for a personal account but not for a business one)

    4/ the time-based option must only be explicitly enabled by the user, and a disclaimer should be added mentioning that it will only work in conjunction with the client and that a few minutes' delay might be needed

    But you're right in saying that it will probably open more tickets; that's why I mentioned that, for me, it should not be a service available through free accounts.

    (PS: while I recognise that it can be very helpful for some people, I personally don't have a need for it)

  • mattwilson9090

    The DNS Updater cannot be used for flushing the cache since there should only be one running per network, if one is even needed. It would require a "flushing" client for Windows, OSX, multiple Linux flavors, Android, iOS, Windows Phone, and likely other operating systems.

    It's not enough to deploy a client to flush the cache on local devices such as PCs, tablets, and smartphones. You'll also have to flush the cache on the router because more than likely DHCP on the router is handing itself out as the DNS server, and then forwarding requests on to OpenDNS. That cache will need to be flushed as well. Not to mention caches on such things as smart TVs, Apple TVs, TiVos, and all sorts of other "non-PC" devices that access the internet.

    Remember, the free home version and most paid versions of OpenDNS are intended to support the network as a whole, without the use of clients or apps to make it work. Time based filtering will require something running on all devices on the network, requiring the entire service and how it works to become device oriented, not network oriented.

    Honestly, I don't see the upside in OpenDNS basically rearranging their entire service to offer something on a free service (yes, I know you said you'd pay for it, but most people want this added to the free service) that will not work consistently or reliably for their users, and will increase the number of service requests they receive on a service that they make no revenue on anyway. This might be possible with some offerings of the Umbrella service that have an optional client, but you'd still have the issue of needing a client for every possible device that is to be protected on a network.

    In addition, a time based offering is already available on the Netgear routers with LPC.

    None of this is saying that it wouldn't be very useful for some people; it's outlining the technical (and, to a lesser extent, business) reasons why doing so would be very difficult or impossible to offer.

  • chicagojoe

    Time-based or scheduled DNS policies are needed. Worrying about different caching mechanisms (device or network level) affecting the ability for this to work is the same 'worry' about OpenDNS working effectively in the first place. If they aren't overly concerned with a caching mechanism for the standard service, why should they be worried about it on a scheduled basis?

    And if the problem is lack of control, fine. What about the Umbrella service? What about the Umbrella client on the device? You now have complete control over where DNS queries come from and where they go to. No more caching issues. Implement time-based or scheduled DNS policies now. I want different policies depending on time of day ('work' policies during the business day, and 'non-work' policies during non-business day, etc.).

  • mattwilson9090

    Are you demanding this for the free home OpenDNS product, or Umbrella?

    DNS by design uses caches throughout its entire infrastructure, from requesting device to authoritative DNS server. No one is "concerned" about that caching because that's precisely how DNS is supposed to work. Those caches are also the reason that DNS cannot work on a scheduled basis without literally redesigning the entire internet, or installing client software on every device.

    There is no problem as you define it, or lack of control either. The technology simply does not work this way. It *might* be possible to utilize Umbrella in this way, if every device had a client installed on it that checked back with OpenDNS for every lookup, but that would break DNS for many businesses that use (and need) their own DNS server for their own internal networks to work properly. Those businesses might be able to use the virtual appliance that's available from OpenDNS Umbrella for that purpose, but I have no idea how well it could work with scheduled lookups.

    Regardless, none of this would matter if the DNS lookup was already done *before* a scheduled policy would change. The local device would already have the address resolution it needed, and will go on happily accessing a website that was supposed to be "blocked" at a certain time, or continue to deny access to a site that is now supposed to be "allowed". For these and other reasons the best and least disruptive way to do scheduled blocking of sites or domains is at the local router level, which literally controls all outbound and inbound traffic and doesn't have to rely on DNS and its caches (at whatever level) to perform blocking. Any other method is going to be spotty at best unless very intrusive software is installed that completely bypasses normal DNS or the entire DNS system is rewritten for the entire world.
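The caching limitation toufou73 and mattwilson9090 describe (a lookup done inside the allowed window keeps working until every cache between the device and the resolver has dropped it) and toufou73's hourly-flush client idea can be checked with a small simulation. This is an added example, not code from the thread or from OpenDNS; the cache names, TTLs, the 22:00 block time and the hourly flush interval are constructed values.

```python
"""Simulate how a time-window DNS policy leaks through caches.

Added example for this thread, not OpenDNS code. The policy starts blocking a
domain at `block_start`. Between the device and the resolver sit caches
(browser/OS, router, ...); each obtained the pre-block answer at `resolved_at`
and keeps serving it for `ttl` seconds. Times are seconds since midnight and
every value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cache:
    name: str
    resolved_at: int                        # when this cache fetched the answer
    ttl: int                                # how long it serves that answer
    flush_interval: Optional[int] = None    # periodic client flush, if deployed

    def drops_entry_at(self, block_start: int) -> int:
        """First moment this cache stops serving the pre-block answer."""
        if self.resolved_at >= block_start:
            return block_start              # it already fetched the blocked answer
        expires = self.resolved_at + self.ttl
        if self.flush_interval is None:
            return expires
        # flushes run at multiples of the interval; take the first at or after block_start
        next_flush = -(-block_start // self.flush_interval) * self.flush_interval
        return min(expires, next_flush)


def effective_block_time(block_start: int, caches: List[Cache]) -> int:
    """When the device really stops reaching the site.

    A cache whose copy expires re-queries the one above it and gets the stale
    answer back if that one still holds it, so the site stays reachable until
    the slowest cache in the chain has dropped the entry.
    """
    return max([block_start] + [c.drops_entry_at(block_start) for c in caches])


def leak_seconds(block_start: int, caches: List[Cache]) -> int:
    """How long past block_start the site remains reachable."""
    return effective_block_time(block_start, caches) - block_start


if __name__ == "__main__":
    block_at_22h = 22 * 3600
    device = Cache("device", resolved_at=21 * 3600 + 55 * 60, ttl=3600)   # looked up at 21:55
    router = Cache("router", resolved_at=21 * 3600 + 30 * 60, ttl=3600)   # looked up at 21:30
    print("no flush:", leak_seconds(block_at_22h, [device, router]), "s")   # 3300
    device_flushed = Cache("device", device.resolved_at, device.ttl, flush_interval=3600)
    print("device flushed hourly:", leak_seconds(block_at_22h, [device_flushed, router]), "s")   # 1800
    router_flushed = Cache("router", router.resolved_at, router.ttl, flush_interval=3600)
    print("both flushed hourly:", leak_seconds(block_at_22h, [device_flushed, router_flushed]), "s")   # 0
```

The middle case is the point mattwilson9090 makes about the router: flushing only the device's cache still leaves the router serving the old answer for the rest of its TTL.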

  • chicagojoe

    @mattwilson9090 Yes, though I'm hardly demanding: this is the 'idea bank'; I'm offering an idea.

    I see that it could be done for either OpenDNS or Umbrella or both.

    With the free OpenDNS (or even with the OpenDNS Home VIP [10/2015]) I have the ability to set different filters and add and remove domains whenever I choose. I'm hardly bombarded with caveats and warnings about how 'DNS by design uses caches throughout its entire infrastructure... The local device already has the address resolution, and will go on happily accessing a website [until the cache ages out]'. I understand all of that. I am currently accepting of that. The same limitations and caveats apply whether I log in to the OpenDNS dashboard and do it manually or whether they instituted a mechanism for scheduling policies. I just don't want to have to log in to the OpenDNS dashboard at 0800 and change policies and then log in at 1800 and change policies again. If they want to not offer that at the free level and make that a paid feature, I think that is perfectly reasonable. If they offer a limited version of scheduling for Home VIP, say you can have two policies for the identified Home network and a schedule that flips them (like 'daytime policy' from 0700-1800 and 'nighttime policy' from 1800-0700), I think that would be adequate. And for Umbrella Prosumer, you can have device-level policies (but, as is currently, you don't get network coverage). That would be my current ideal situation.

    Again, everything you list as a concern about why it can't be done is the same set of concerns and limitations that anyone currently using OpenDNS has agreed to live with. I just want policy updates to be automated. If they don't find a way to do it, someone else will. DNS filtering is no substitute for other more in-depth DPI and other filtering mechanisms — it's the poor man's filter. But, filtering DNS, even given the caching that happens at the network or device level, does a pretty good job of breaking obtrusive applications given all the different kinds of activity that's embedded in a web page or application. (I'm fairly certain that with the recent acquisition we're likely to see the phasing out of consumer services anyhow, given the history of the acquiring company's ability to successfully manage consumer services.) Anyhow, my point is, I think they're missing an easy feature that would be low on the list of complexity to implement and they could easily add that to a paid service or make it another value-add for a tier of paid service. Add in an API that can be used to remotely manage with other tools, and you've got a good SMB-enterprise feature.

  • mattwilson9090

    No, time based scheduling cannot be done for the free OpenDNS product. That's what I just explained to you. Unless of course you somehow want to force the entire planet to use an entirely new form of DNS that doesn't exist. Scheduled changes would be pointless since DNS entries would still exist in the local device, possibly in a local DNS server, the router, and perhaps in caches maintained by the ISP or other upstream services. Every single one of those entries from the device up to OpenDNS's own servers must be cleared of the previous entry, or changes at OpenDNS's end of things won't be received. If OpenDNS implemented this scheduling feature without somehow being able to flush or update those caches then they would get all sorts of complaints that scheduled filtering doesn't work. This would apply to any DNS based product, not just OpenDNS.

    It *might* be possible with Umbrella, though I'm not certain of all the potential complications, and it would certainly require software to be installed on every device that is using Umbrella. It would also have to sidestep all intervening DNS servers and caches. It might be possible with some sort of local device or appliance that covers an entire network and has its own direct connection to OpenDNS, but that wouldn't do a thing for mobile devices that are on a different network somewhere. Since the only OpenDNS product that has any sort of "agent" that works with filtering features is Umbrella (and even then it doesn't touch the local cache) it would need to be added to Umbrella, not some modified form of VIP, which doesn't even have an agent available for it. People would also be wanting more than two different policies that swap daily. They would want granularity to control it by day, and probably even change settings multiple times a day.

    What I'm talking about are not limitations that people have "agreed to live with". They are limitations of the basic technology of the internet and how it works. The only way that someone else can make this work is to redesign the internet or to create their own software that intercepts all DNS calls and completely bypasses DNS as we know it. Unless some sort of "proxy" is created and installed on the network, an agent would have to be installed on every device to be filtered: PCs (whether Windows, Mac, *nix, or some other OS), tablets, smartphones, smart TVs, TiVo, etc. There are services out there that do that kind of thing, but they aren't very widespread, and don't have the same broad base of appeal to multiple market segments that OpenDNS does. They also aren't free products, and are generally at least 2 to 3 times as expensive as OpenDNS Prosumer.

    This is not an "easy feature" to implement. It is an impossible feature to implement without local software intercepting DNS, or something like a router that does the work (and guess what, there's already one that does that). Just look at your list of easy things they'd have to accomplish to do this: additional tiers of service, an API for remote management. None of that is easy, low in complexity, or cheap.

    If you want to schedule your OpenDNS filtering today your best option is to get a Netgear router with LPC. There really is no other option.

    Anything else, well quite simply, OpenDNS employees have stated multiple times that this isn't something that they offer, something that they don't intend to offer, and then point you to LPC if you want scheduled filtering. If you want scheduling, look there.

  • chicagojoe

    @mattwilson9090

    I don't think we're getting anywhere. You keep writing exactly the same thing — you're not even trying to explain it differently.

    But, I'm game. Let me just ask a couple of questions.

    What is the purpose of being able to log in to the OpenDNS dashboard and change a policy? Is it thought that any policy changes will take days to take effect? Hours? Minutes? Are there published guidelines based on their own research, OS-vendor published information or data collected from their users?

    It's not only possible with Umbrella, it is exactly one of the things that Umbrella is being sold to do: block callbacks. How could you possibly do callback blocking if DNS caching on the local host were so problematic? I don't know if you're an employee, but you are representing yourself as an authority on the subject, so you tell me how Umbrella can live up to its promise if this is such a big problem, because I don't understand. And, yes, that's pretty much how Umbrella works: you can run your network against it, and you can install client side applications on computers and mobile devices as well. OpenDNS Home VIP is $19.95/yr for your network. Policies are predefined. Umbrella Prosumer (1-5 users) is $20/user/year for up to 3 devices. So, you can use OpenDNS for free and give broad coverage to a small network and use Umbrella for a few devices that might be problematic for $20/year. Seems pretty low in complexity and cheap to me.

    Also, they already have multiple tiers of service (which addresses my point of giving people granularity based on what they're willing to pay), and already support several other APIs for managing DNS updates — some they didn't even write (dynDNS, DNS-O-Matic, PhishTank) — and they provide a method of updating policies and entities via a web interface so, yeah, that's another API (https-based HTML API).

    Oh, and you're right, if I want scheduling, I will look elsewhere. And one of the first places is to my own end where I can automate changing policies through macros or scripting.

    But thanks for participating in this exercise. I guess we have different ideas of what an 'idea bank' is or how it should work. My understanding is that it's a place for users to make suggestions to OpenDNS as to what kinds of features they would like to see. I didn't know that it was also self-governed by other users who would come in and hijack the thread by demanding it was impossible to do. I'm pretty sure I'm not the only one who is interested in this (do a search of the 'idea bank' with TIME or SCHEDULE and see how many hits have how many votes.)

  • mattwilson9090

    You are like a 3 year old who thinks that if they keep repeating the same question, worded slightly differently each time, they'll eventually get the answer they want.

    It's clear that you will conflate technical terms for one thing into sounding like another so that you can advance your argument and lay semantic traps for those foolish enough to engage in discussion with you, all to advance your premise that what you want is easy and should be delivered to you now. I've already given you the answers of how the technology works, and given you a potential way to get what you want. I have better things to do with my time, so have fun; I'm not going to play this game with you any longer.

    And just so you know, this entire forum is a DISCUSSION forum. That means anyone can comment on any post in here, to engage it however they'd like. I've done so. The fact that you ignore how the technology works in favor of your rainbow colored unicorns doesn't mean that I or anyone else can't comment. Commenting, on topic, is not hijacking.

    The bottom line is OpenDNS has stated multiple times that they do not offer time based service and do not intend to do so, and then directs those who want it to Netgear with LPC.

  • lightning_monkey

    +1

  • rotblitz

    @lightning_monkey
    Not sure why you say "+1". Did you vote for the idea above? This does not make sense, because OpenDNS has partnered with Netgear to make this feature happen. So it is already there, and OpenDNS certainly will do nothing and will not reinvent the wheel...