Block web nslookup, web dns lookup, web whois sites!
I was trying to figure out if OpenDNS has a blocking category to match all web nslookup and web whois sites out there, but to my surprise, I found no such category... Blocking DNS lookup sites is critical!
The problem: Let's suppose we have enabled web filtering for the category "WEAPONS". A user can visit (for example) www.dnsqueries.com and resolve a DNS name like www.guns.com to its IP address, 184.169.174.45. Then he can very easily enter this IP address in his browser instead of www.guns.com. The browser will skip the DNS query and will visit http://184.169.174.45/ directly. The page will load, and the result is that the user will access a website which normally should have been filtered!
Solution: A "WEB DNS LOOKUP/WHOIS" category must be added and populated with some dozens of the most popular DNS lookup sites, like: network-tools.com, www.webdnstools.com, www.zoneedit.com, dnsqueries.com, etc. Furthermore, this category should be enabled by default, or at least be strongly recommended, when an administrator enables web filtering even for a single category.
-
There are many more possibilities to find out an IP address for a domain, not just via these web tools. Therefore all of this is not worth the effort.
And this is beyond the scope and feasibility of OpenDNS content filtering. When entering an IP address, OpenDNS is not queried, so it cannot block at all. You can easily prevent users from using IP addresses locally. Also, using IP addresses is not really a convenient way for circumvention. Most websites do not display content at all or redirect to their domain name, which is again controlled by OpenDNS.
-
As rotblitz said, using the IP address as a way to circumvent DNS is not very effective. Depending on how the web server is configured, you either won't get anything or the page will only partially load. At some point while browsing a site it's almost guaranteed that the domain is going to be referenced again, requiring a DNS lookup, which means OpenDNS will control things again.
@cris_Zamora What you describe is not a hole in OpenDNS or any other DNS service's functionality. Adding a domain name and IP address to the hosts file is one of several things that would prevent a computer from doing a DNS lookup because it's not needed, so OpenDNS would not have a chance to block that domain.
A website isn't even needed to do an nslookup; it's baked into the operating system. And if your operating system doesn't already have whois installed, it's a trivial matter to install software locally that does that as well.
If you want to prevent people from modifying their hosts file or other system-level settings like that, you need to stop them from running the computer with full administrator permissions. Doing that will reduce or eliminate entirely a whole host of security vulnerabilities that have nothing to do with DNS as well. In short, if you want to restrict in any manner what someone can do on their computer, you must ensure that they are running with user-level permissions, not administrator permissions.
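Added illustration (not code from the thread or from OpenDNS) of the two local controls the replies point at: spotting proxy requests that name the server by IP literal, so no DNS query ever reaches the resolver-based filter, and listing hosts-file entries that answer a name locally. The proxy log format and hosts-file content are constructed for the example; the address 184.169.174.45 is the one quoted in the original post. It goes one step beyond the post in that it also canonicalises the whole-decimal, hex and short dotted IPv4 forms browsers still accept (inet_aton style), which a filter matching only dotted quads would miss.

```python
"""Defender-side checks for the DNS-filter bypass discussed in the thread.

Constructed sample data only. Nothing here talks to a resolver; it reads
text the administrator already has (proxy log, hosts file).
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def _parse_inet_aton_part(part: str) -> Optional[int]:
    """Parse one dotted component the way inet_aton/browsers do: 0x hex, leading-0 octal, else decimal."""
    if not re.fullmatch(r"[0-9a-fA-FxX]+", part):
        return None
    try:
        if part.lower().startswith("0x"):
            return int(part[2:], 16) if len(part) > 2 else 0
        if len(part) > 1 and part.startswith("0"):
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def ipv4_from_legacy_literal(host: str) -> Optional[str]:
    """Canonical dotted quad for inet_aton-style hosts ('3098127917', '0xb8a9ae2d',
    '184.169.44589'), or None when the host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        return None
    values = [_parse_inet_aton_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # Every part but the last is one byte; the last part fills the remaining bytes.
    if any(v > 255 for v in values[:-1]):
        return None
    last_width = 4 - (len(parts) - 1)
    if values[-1] >= 256 ** last_width:
        return None
    as_int = 0
    for v in values[:-1]:
        as_int = (as_int << 8) | v
    as_int = (as_int << (8 * last_width)) | values[-1]
    return str(ipaddress.IPv4Address(as_int))


def canonical_ip_host(url: str) -> Optional[str]:
    """Return the canonical address if the URL names its host by IP literal
    (dotted quad, bracketed IPv6, or a legacy IPv4 form); otherwise None."""
    try:
        host = urlsplit(url).hostname  # strips IPv6 brackets and lowercases
    except ValueError:
        return None
    if not host:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return ipv4_from_legacy_literal(host)


# Constructed proxy log: client, method, target, status (Squid-like, simplified).
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://www.dnsqueries.com/ 200
10.0.0.12 GET http://184.169.174.45/ 200
10.0.0.15 GET http://3098127917/ 301
10.0.0.15 GET http://www.example.com/ 200
10.0.0.20 CONNECT [2001:db8::10]:443 200
"""


def flag_direct_ip_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, target, canonical_ip) for every request that bypassed DNS."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, target = fields[0], fields[2]
        url = target if "://" in target else "http://" + target  # CONNECT uses host:port
        ip = canonical_ip_host(url)
        if ip is not None:
            hits.append((client, target, ip))
    return hits


# Constructed hosts file with one pinned name, as in the second reply.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1 localhost
::1 localhost ip6-localhost
184.169.174.45 www.guns.com guns.com
"""


def hosts_file_overrides(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (name, address) for every non-loopback mapping: names the stub
    resolver answers locally without ever asking the configured DNS server."""
    overrides = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            continue  # malformed address; the resolver ignores it too
        overrides.extend((name.lower(), addr) for name in names)
    return overrides


if __name__ == "__main__":
    for client, target, ip in flag_direct_ip_requests(SAMPLE_PROXY_LOG):
        print(f"direct-IP request from {client}: {target} -> {ip}")
    for name, addr in hosts_file_overrides(SAMPLE_HOSTS):
        print(f"hosts-file override: {name} -> {addr}")
```

The proxy check is the "prevent users from using IP addresses locally" control: a proxy or egress rule that denies IP-literal targets closes the gap the original post describes, and the log scan shows who tried. The hosts-file audit only matters where users can write that file, which is the administrator-permissions point made in the last reply.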