How to block VPN Apps?
There are so many apps (free and paid) that allow iPhone/iPad/Android users to install a VPN profile on their phones and browse the internet bypassing the OpenDNS settings I have put in place, rendering OpenDNS totally useless.
Please add this feature to OpenDNS so we are able to block VPN apps or services or websites.
Apps like Betternet, TunnelBear, Hotspot Shield, etc.: how to block them?
-
As always in any such cases:
The app makes (fully) use of DNS:
Add the related domain names to your "always block" list at the dashboard.
Your OpenDNS stats may help you to find the related domains.
The app does not (only) make use of DNS:
You block the related ports, protocols and/or IP address ranges on your router.
Search the internet for "block <appname>" to usually find hints and instructions about how to do this.
Because of the ever-changing internet world, I cannot imagine adding something like this as a feature in OpenDNS, especially because OpenDNS cannot help if the apps do not work based on DNS.
-
Is this a home setup or business scenario?
I would advise blocking any DNS requests that do not go to the OpenDNS servers - this will block the majority of attempts to bypass OpenDNS. I would also suggest creating a scheduled report for Proxy/Anonymizers daily so you can see if someone is looking into bypassing.
Blocking DNS requests that aren't destined to OpenDNS servers would look similar to this:
allow port 53 > 208.67.222.222
allow port 53 > 208.67.220.220
deny port 53 > any
Also, having the roaming client on machines helps block this type of issue, as it intercepts DNS requests.
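An added example (not part of the reply above and not OpenDNS code): the three rules evaluated first-match over router log lines, reporting which clients sent DNS to a resolver other than OpenDNS. The log lines are constructed in the style of Linux netfilter LOG output, and the function names are hypothetical.

```python
import re
from collections import Counter

# Resolver addresses from the rule list in the reply above.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample lines in the style of Linux netfilter LOG output.
# All client and non-OpenDNS addresses are made up for this example.
SAMPLE_LOG = """\
Jan 10 18:01:02 router kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=208.67.222.222 PROTO=UDP SPT=41000 DPT=53
Jan 10 18:01:05 router kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.53 PROTO=UDP SPT=41001 DPT=53
Jan 10 18:01:06 router kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.53 PROTO=TCP SPT=41002 DPT=53
Jan 10 18:02:10 router kernel: IN=br0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.53 PROTO=UDP SPT=50111 DPT=53
Jan 10 18:02:11 router kernel: IN=br0 OUT=eth0 SRC=192.168.1.40 DST=208.67.220.220 PROTO=UDP SPT=50112 DPT=53
Jan 10 18:02:30 router kernel: IN=br0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.7 PROTO=TCP SPT=50200 DPT=443
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return the KEY=value fields of one log line as a dict."""
    return dict(FIELD.findall(line))


def verdict(flow):
    """Apply the rule list in order; the first matching rule wins."""
    if flow.get("DPT") != "53":
        return "not-dns"   # the rules only cover port 53 (UDP and TCP)
    if flow.get("DST") in OPENDNS_RESOLVERS:
        return "allow"     # allow port 53 > OpenDNS resolvers
    return "deny"          # deny port 53 > any


def bypass_attempts(log_text):
    """Count denied DNS flows per (client, resolver) pair."""
    hits = Counter()
    for line in log_text.splitlines():
        flow = parse(line)
        if verdict(flow) == "deny":
            hits[(flow.get("SRC"), flow.get("DST"))] += 1
    return hits


if __name__ == "__main__":
    for (client, resolver), n in sorted(bypass_attempts(SAMPLE_LOG).items()):
        print(f"{client} sent {n} DNS request(s) to {resolver} instead of OpenDNS")
```

The port 443 line is classed as "not-dns": the port 53 rules never see that traffic, so it has to be handled by the port and IP address blocking discussed elsewhere in this thread.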
-
Well,
I believe OpenDNS is doing something about this because a lot of the VPNs I use stopped connecting to the internet a few months ago... as soon as I stop using OpenDNS servers, they connect... so I guess OpenDNS is blocking the connection to some of the VPN apps, which in a way is good for us parents.
Kids are using VPN apps to bypass any parental controls at the router level and I am so glad a lot of them now will not even connect.
I know VPNs are not a bad thing, but most kids are using them to bypass any parental controls at home and at school.
Installing a VPN app in the browser does not require the admin password, so any standard user can install it and use it.
I always thought it would be great for OpenDNS to add VPN connections to their "Proxy Anonymizer" list... maybe that's what they are doing? I really hope so.
-
I guess you have read and understood my explanation above. And you are right, the challenge is to find out if an app uses DNS at all, and if so, what domains are being used. And also the protocol/ports may need to be identified. If you don't have a network sniffer (e.g. on the router or in the form of an Android app) which can log and measure this, then you can search the internet, or you can refer to the author of the app. That's all you can do.
No matter what, if the device always uses OpenDNS, and if the app makes use of DNS, then you are guaranteed to find the related domain names in your OpenDNS stats although you may not be able to relate the domains with the app.
Searching the internet reveals something like this:
X-VPN uses a range of different ports to connect (including Port 21 & 25) unfortunately this range changes quite often. Therefore, you need to have a locked down firewall to successfully block this. You should only have ports open that are absolutely required, and then have a rule at the bottom of the table to reject/drop all other traffic.
Further, you should block the domains xvpn.io (this is included in the category) and x-vpn.io with OpenDNS.