How to block VPN Apps?

Comments

9 comments

  • rotblitz

    As always in any such cases:

    The app makes (fully) use of DNS:
    Add the related domain names to your "always block" list at the dashboard.
    Your OpenDNS stats may help you to find the related domains.

    The app does not (only) make use of DNS:
    You block the related ports, protocols and/or IP address ranges on your router.
    Search the internet for "block <appname>" to usually find hints and instructions about how to do this.

    Because of the ever-changing internet world I cannot imagine adding something like this as a feature in OpenDNS, especially because OpenDNS cannot help if the apps do not work based on DNS.

  • newsogn

    Can you go into more detail about port blocking? I want to set up my router so that I have to go through the OpenDNS server and am unable to get through with a VPN. Is this possible?

  • jlefebre

    Is this a home setup or business scenario?

    I would advise blocking any DNS requests that do not go to the OpenDNS servers - this will block the majority of attempts to bypass OpenDNS. I would also suggest creating a scheduled report for Proxy/Anonymizers daily so you can see if someone is looking into bypassing.

    Blocking DNS requests that aren't destined to OpenDNS servers would look similar to this:

    allow port 53 > 208.67.222.222
    allow port 53 > 208.67.220.220
    deny port 53 > any

    Also, having the roaming client on machines helps block this type of issue as it intercepts DNS requests.

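The allow/deny rules in jlefebre's comment above, written as iptables commands for a Linux-based router; this is an added example, not part of the thread. It assumes the LAN-side interface is `br-lan` (set `LAN_IF` otherwise) and only prints the rules unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: iptables form of "allow port 53 > OpenDNS, deny port 53 > any".
# Assumption: Linux router whose LAN-side interface is $LAN_IF (br-lan is a guess).
LAN_IF="${LAN_IF:-br-lan}"
RESOLVERS="208.67.222.222 208.67.220.220"   # OpenDNS addresses from the comment

# Print the rules in evaluation order: allows first, catch-all reject last.
dns_lockdown_rules() {
    for proto in udp tcp; do                # DNS runs over both UDP and TCP port 53
        for ip in $RESOLVERS; do
            echo "iptables -A FORWARD -i $LAN_IF -p $proto --dport 53 -d $ip -j ACCEPT"
        done
    done
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $LAN_IF -p $proto --dport 53 -j REJECT"
    done
}

# Succeeds only if no ACCEPT rule appears after a REJECT rule; a reject placed
# first would also cut off the OpenDNS resolvers (first match wins).
rules_ordered() {
    dns_lockdown_rules |
        awk '/REJECT/ {seen=1} /ACCEPT/ && seen {bad=1} END {exit bad+0}'
}

# Dry run by default; APPLY=1 (as root) installs the rules.
if [ "${APPLY:-0}" = "1" ]; then
    rules_ordered && dns_lockdown_rules | sh
else
    dns_lockdown_rules
fi
```

These rules sit in the FORWARD chain, so they cover clients that send queries straight to an outside resolver; queries sent to the router's own DNS forwarder are not affected by them.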
  • hrekmos

    For Android users, try blocking play.google.com on the router or OpenDNS. This prevents downloading apps from the Play Store. For Apple users, I guess you can block the App Store.

  • rotblitz

    Not a good idea.  The devices may miss important security updates then. :(

  • magdiel1975 (Edited)

    Well, I believe OpenDNS is doing something about this, because a lot of the VPNs I use stopped connecting to the internet a few months ago... As soon as I stop using OpenDNS servers, they connect... So I guess OpenDNS is blocking the connection to some of the VPN apps, which in a way is good for us parents.

    Kids are using VPN apps to bypass any parental controls at the router level, and I am so glad a lot of them now will not even connect.

    I know VPNs are not a bad thing, but most kids are using them to bypass any parental controls at home and at school.

    Installing a VPN app in the browser does not require the admin password, so any standard user can install it and use it.

    I always thought it would be great for OpenDNS to add VPN connections to their "Proxy Anonymizer" list... Maybe that's what they are doing? I really hope so.

  • rajindersaini (Edited)

    I have checked Proxy Anonymizer. This does not block X-VPN. My kid is using X-VPN on his Android phone. How do I find out which DNS and port are used by X-VPN on Android? Please help me.

  • rotblitz (Edited)

    I guess you have read and understood my explanation above. And you are right, the challenge is to find out if an app uses DNS at all, and if so, what domains are being used. And also the protocol/ports may need to be identified. If you don't have a network sniffer (e.g. on the router or in the form of an Android app) which can log and measure this, then you can search the internet, or you can refer to the author of the app. That's all you can do.

    No matter what, if the device always uses OpenDNS, and if the app makes use of DNS, then you are guaranteed to find the related domain names in your OpenDNS stats although you may not be able to relate the domains with the app.

    Searching the internet reveals something like this:

    X-VPN uses a range of different ports to connect (including Port 21 & 25) unfortunately this range changes quite often. Therefore, you need to have a locked down firewall to successfully block this. You should only have ports open that are absolutely required, and then have a rule at the bottom of the table to reject/drop all other traffic.

    Further, you should block the domains xvpn.io (this is included in the category) and x-vpn.io with OpenDNS.

  • rajindersaini

    Thank you rotblitz for the help.

