CC TLD and Geo filtering



  •

    Did you know that you can block domains by TLD already?  E.g. adding cn to the "always block" list would block all DNS queries for domains under this TLD.

    Also, IP address blocks are not registered to a TLD or a TLD-specific "entity", but to ISPs and network carriers, so this is simply not possible, especially not for a recursive DNS service like OpenDNS.  A recursive DNS service does not have information about who has what IP addresses assigned and has no reason to know about it.  And even if it were possible, if I hosted my website with a Chinese webhoster, you most likely wouldn't want to have it blocked.  And there may be lots of Chinese people having their website hosted with a webhoster in other countries like the USA.  How would you catch those?  Not at all!

    You may be able to block IP address ranges on your router though if it supports this.

  •


    Again, good info, but....

    TLDs need to be in an obvious drop-down or list box somewhere, not secret sauce.  I'm talking about Enterprise Umbrella and Investigate features.

    I wholeheartedly disagree with your statements about the inability to see and take action on addresses resolved by reverse lookup that go to countries outside of the established corporate standards.  We see like 80 billion DNS requests a day and cover something like 75% of the Internet.  OpenDNS is a massive security platform... way, way more than just a recursive DNS provider.  So yes, we can tell when a .com or other CC TLD is being hosted on an IP that doesn't correspond to its country of origin.

    The majority of paying enterprise users have specific requirements that the average home user does not.  In your case, if you did register a .com domain and put it on a Chinese webhoster, then yes, they would need it blocked.  Not picking on China, but US and EU laws (Patriot/Freedom Act, Safe Harbor, German Data Privacy Law, etc...) have very strict restrictions for certain types of data and what countries they may reside in.

    I am fortunate enough to have an ASA with Firepower Services in my home, so I already have the most sophisticated geo-based filtering on the market today, never mind what I'm running for routers.  That's not the point... this is a feature my customers and partners are requesting so they can more effectively implement split-tunneling from their branches with the ODNS Branch Router connector and for mobile clients when they're roaming.
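
The two filtering ideas debated in the comments above, side by side, as an added example (not written by either poster and not OpenDNS or Umbrella code): a label-aligned TLD block list, and a check of the resolved addresses against a country table. The policy sets, the geo table (RFC 5737 documentation ranges), the sample queries and all function names are constructed assumptions.

```python
import ipaddress

# Constructed policy (assumption): a bare TLD entry, as in the first comment.
BLOCKED_TLDS = {"cn"}
BLOCKED_COUNTRIES = {"CN"}
# Constructed IP-to-country table built on RFC 5737 documentation ranges;
# a real deployment needs a maintained geolocation data set.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
]

def tld_blocked(qname, blocked=BLOCKED_TLDS):
    """Label-aligned suffix match: 'cn' blocks a.b.cn but not cn.example.com."""
    labels = qname.rstrip(".").lower().split(".")
    # Test every suffix so longer entries such as 'com.cn' also match.
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def country_of(ip):
    """Look up one address in the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None

def evaluate(qname, answers):
    """Return (verdict, reason) for a query name and its resolved A records."""
    if tld_blocked(qname):
        return ("block", "tld")
    hits = sorted({cc for cc in map(country_of, answers) if cc in BLOCKED_COUNTRIES})
    if hits:
        return ("block", "geo:" + ",".join(hits))
    return ("allow", "none")

# Constructed queries covering the cases argued in the thread.
CASES = [
    ("shop.example.cn", ["192.0.2.10"]),    # .cn name hosted outside CN
    ("www.example.com", ["198.51.100.7"]),  # .com name hosted in CN
    ("cn.example.com", ["203.0.113.5"]),    # 'cn' is a label, not the TLD
    ("www.example.de", ["203.0.113.9", "198.51.100.8"]),  # one answer in CN
]

def run():
    return [evaluate(q, a) for q, a in CASES]

if __name__ == "__main__":
    for (q, a), verdict in zip(CASES, run()):
        print(q, a, verdict)
```

The first two cases are the mismatches both posters describe: the TLD rule blocks a `.cn` name regardless of where it is hosted, and only the address check catches a `.com` name hosted in the blocked country.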

  •

    Well, you didn't say that it is about Umbrella...
    My concerns have been regarding the Home versions.
