Chrome extension windscribe totally bypasses opendns

  • rotblitz (Edited)

    Are you aware that OpenDNS can block domains only, not any other objects like apps? You would have to block the WindScribe domains with OpenDNS or their IP addresses and ports on the router to block it.

  • ppons

    Hello, and thanks a lot for helping me. I am aware that there are ways to manually block WindScribe, but there are hundreds of VPNs out there that are easy to use. And how can I know which VPN my kid is using? I have no clue. WindScribe is my VPN of choice, but my kid may be smart enough to try out another VPN as a way around OpenDNS parental controls.

    Is there no way to block all VPN services altogether with OpenDNS? I thought that checking "proxy / anonymizer" in OpenDNS would do exactly this - stop the use of VPN. But it does not.

    If bypassing the parental controls of OpenDNS is as easy as installing a VPN extension to the browser (does not even require Windows admin rights), then what use is OpenDNS parental controls? 

    I hope that I am missing something and that there is an obvious solution that I am missing.

     

  • ppons

    Funny enough, when I look at my stats of blocked domains, I can see at the top of the list http://ext-start.windscribe.com and http://api.windscribe.com and http://assets.windscribe.com

    So OpenDNS is detecting windscribe, however WindScribe might have a backdoor because I could manage with the VPN service to find my way to sites normally filtered out by OpenDNS.

    More specifically, during my tests,

    ext-start.windscribe.com was called 15 times and blocked 13 times

    api.windscribe.com was called 15 times and blocked 13 times

    assets.windscribe.com was called 5 times and blocked 3 times

     

    Any clue?

     

  • rotblitz (Edited)

    "I thought that checking "proxy / anonymizer" in OpenDNS would exactly do this -  stop the use of VPN."

    No, again, OpenDNS blocks domains only, not anything else. If you checked the Proxy/Anonymizer category, then domains categorized this way are being blocked by OpenDNS. Also, OpenDNS just blocks A and AAAA records, not any other record types. The WindScribe domains may have been queried for other record types like TXT, SRV and the like.

    "So OpenDNS is detecting windscribe, however WindScribe might have a backdoor because I could manage with the VPN service to find my way to sites normally filtered out by OpenDNS."

    As soon as a VPN connection is established, the VPN uses its own DNS, not the DNS you configured (OpenDNS).  This is not a backdoor, but intended and normal behaviour of a VPN connection.

    "what use is OpenDNS parental controls?"

    As supposed, it blocks access to domains as a recursive DNS service can.  A DNS service cannot block apps, devices, images, videos, cars or boats.  Read more about what DNS is to understand the technical background.

    "And how can I know which VPN my kid is using?"

    This is the wrong question. Start with providing your child with a regular user account, never with an admin account. This measure will prevent him/her from installing most circumvention tools and also prevent him/her from changing the network settings. Further, block the usual VPN ports and protocols (often UDP) and maybe also IP address ranges with outgoing firewall rules on the router.

    Search the internet for such measures; it is full of suggestions. A DNS service like OpenDNS is not able to do all of this for you. They can cover only the DNS side of things. And last but not least: not everything in life can be solved by technical measures. You may need to think and apply other methods too.

  • ppons

    Hi,

    Thanks a lot for your answer that helps me understand better how this whole thing works.

    You give very good advice that admin rights should never be given on the kid's device... However, is revoking Admin Rights enough? No. After all, these days, it is easy to boot a PC from a USB stick running a Linux OS or any other portable OS...

    Even on a Windows platform with no admin rights, it is easy to use VPN. I have Chrome as a portable app, with the WindScribe extension; when I use it on my company laptop, I can connect the WindScribe VPN through its Chrome extension, without problem from the office. I do not have admin rights on my work laptop.

    I agree that when the VPN tunnel is established, then there is nothing that OpenDNS can do, and the VPN uses its own DNS service. Point taken. However, I was hoping that during the establishment of the VPN tunnel, OpenDNS would detect connections to WindScribe servers/domains and block these attempts, therefore preventing the establishment of the tunnel. After all, the domain that OpenDNS seems to block the most for me is the windscribe domain, and I don't connect myself to windscribe.com. So it means that OpenDNS is trying to block repetitive requests, that surely have to do with the VPN trying to establish a tunnel.

    Finally, all this boils down to: how can I prevent my kids from establishing a VPN connection? I don't want to disable VPN on ALL my house PCs, just my kid's PC, and I want to keep things simple, without having to install anything on my kid's device (this is the beauty with my home router pointing to OpenDNS... nothing to do at the client level). Not as straightforward as I thought it would be to use OpenDNS to block my kids from accessing dangerous sites.

    FYI here are the port forwarding rules on my router. Of course all IPsec ports are open, and I do not want to shut them down.

     

     

  • rotblitz

    "After all, these days, it is easy to boot a PC from a USB stick running a Linux OS or any other portable OS..."

    Disable the USB sockets in the BIOS of the device, or remove the driver being used for USB sticks if the USB sockets are being used otherwise, e.g. for keyboard or mouse.

    "Even on a Windows platform with no admin rights, it is easy to use VPN."

    Only as a browser plug-in/add-on, not for fully featured VPN clients. For browser extension restrictions, see
    https://www.startpage.com/do/dsearch?query=prevent+users+from+installing+vpn+browser+extensions&cat=web&pl=opensearch&language=english

    "I was hoping that during the establishment of the VPN tunnel, OpenDNS would detect connections to WindScribe servers/domains and block these attempts, therefore preventing the establishment of the tunnel."

    It could be that WindScribe doesn't use domain names (and therefore DNS) only, but also IP addressing which does not involve DNS, to establish connections.  You would have to run a sniffer like Wireshark to see what the VPN client really does.

    "FYI here are the port forwarding rules on my router."

    No, not the port forwarding rules, which are for incoming connections only. You would have to set up outbound firewall rules, often called access rules. I cannot really help with this, because I have a totally different router. But I can do it on mine. Besides other things, I use it to block port 53 (DNS) passthrough, so that only the router's IPv4 and IPv6 addresses are accepted, preventing the use of a different DNS service (from OpenDNS) on certain end user devices. I also use it to outbound block known VPN ports/protocols/addresses for certain end user devices.

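The outbound rules described in the last reply (DNS accepted only at the router's own addresses, known VPN ports blocked for certain devices) can be checked against a router connection log. The script below is an added example, not code from the thread; the log format, the router and device addresses, and the port list are assumptions made for illustration.

```python
"""Flag DNS passthrough and known VPN ports in outbound flows of watched devices."""
# Assumed values for this example; none of them come from the thread.
ROUTER_DNS = {"192.168.1.1", "fd00::1"}  # router's IPv4/IPv6 LAN addresses
WATCHED = {"192.168.1.50"}               # devices the restrictions apply to
DNS_PORTS = {53, 853}                    # 53 as in the thread; 853 (DNS over TLS) added here
VPN_PORTS = {                            # common default ports of VPN protocols
    ("udp", 500): "IKE (IPsec)", ("udp", 4500): "IPsec NAT-T",
    ("udp", 1701): "L2TP", ("tcp", 1723): "PPTP",
    ("udp", 1194): "OpenVPN", ("tcp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
}

# Constructed sample log, one flow per line: timestamp proto src sport dst dport
SAMPLE_LOG = """\
2024-05-01T18:00:01 udp 192.168.1.50 51000 192.168.1.1 53
2024-05-01T18:00:05 udp 192.168.1.50 51001 198.51.100.53 53
2024-05-01T18:00:09 tcp 192.168.1.50 51002 198.51.100.54 853
2024-05-01T18:01:10 udp 192.168.1.50 51003 203.0.113.7 1194
2024-05-01T18:01:30 tcp 192.168.1.50 51004 203.0.113.9 443
2024-05-01T18:02:00 udp 192.168.1.20 500 198.51.100.4 500
garbage line
"""

def classify(proto, src, dst, dport):
    """Return a verdict string for a flow, or None if it is allowed."""
    if src not in WATCHED:
        return None                      # other household devices keep their VPN
    if dport in DNS_PORTS and dst not in ROUTER_DNS:
        return "dns-bypass"              # resolver other than the router
    name = VPN_PORTS.get((proto, dport))
    return f"vpn-port: {name}" if name else None

def audit(log_text):
    """Parse the log and return (timestamp, dst, dport, verdict) per finding."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue                     # skip malformed lines
        ts, proto, src, _sport, dst, dport = fields
        verdict = classify(proto.lower(), src, dst, int(dport))
        if verdict:
            findings.append((ts, dst, int(dport), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Flows on ordinary web ports, such as the TCP 443 line in the sample, are not flagged, so this covers only the port-based part of the advice.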
