Scheduled blocking of specific sites e.g. Youtube
This has been brought up and dismissed several times, but I want to bring it back up again. I would like to be able to schedule the time that certain app categories are blocked (e.g. no social media or video sharing during the day).
The previous responses were very dismissive. Why would we want to do this? With at home teaching mandated by COVID-19, it would be a huge help to remove the distraction of allowing kids to have youtube on a toggle to their school.
Yes, I could technically go buy a Netgear router and then use it's parental controls, but given that I have a configurable DNS, that seems to actually be the right place to do this: in software. Yes, I would happily pay for that service as well.
Best wishes and thanks
-
Of course the reasons are technical ones. It's software, after all. It can be changed to do nearly anything and this is well within the range of possibilities. If a site can be blocked entirely then it certainly can be blocked within a set range of hours. It's a very valid request, +1 the OP.
-
@ flyboy13: They are totally different processes!
Nintendo Switch or Sony Playstation, use the OS of the equipment to schedule and deny access to DNS records, that is, they are resources of the equipment.
DNS services are the answers that Global Servers give to equipment (ex: OpenDNS) about the "location" of Websites and these records cannot be changed in a matter of seconds, but hours or even days.
And if OpenDNS is likely to do so, the results could be unpredictable because many of these responses are present in the memories of the equipment that make these requests and may not comply with the updates received in a timely manner.
In my opinion, it is a wrong strategy to pass this burden on to OpenDNS Servers, when this has more to do with engineering on equipment or local networks. -
A brilliant explanation!
-
Thank you for that explanation. I realize that the processes are not the same. The point I was trying to make without getting into it too much was that if Sony and Nintendo can do this, then Cisco can certainly do it. I'm pretty familiar with the ins and outs of DNS records, being a network admin myself. I wouldn't expect the DNS records to change, that's not what we're asking for.
Currently, we can enable and disable categories on our accounts through Cisco Umbrella category blocking, correct? I can turn video sharing sites on and off for example. Right now, I have to do this manually. This does not involve any DNS record changes as far as I know. It only enables and disables this category for me. All that would be needed would be the ability to turn this on and off on a schedule. At 3:00 pm, for my account, the system automatically enables this category for me. At 8:30 pm, it would automatically disable, etc. This process takes up to 3 minutes right now. Nearly instantaneous. Am I missing something?
Right now there is no software out there that takes care of this as far as I know. Perhaps there is? I was toying with the idea of installing a Raspberry Pi to accomplish this task, but that would cost me money and I'm not sure it's possible with the software available anyway, couldn't find anything in the documentation.
Thanks for your input.
-
Am I missing something?
Yes. You miss the TTL values of the DNS records determining how long record information is being cached throughout the DNS hierarchy, and you miss your local caches, the system's local resolver cache and the browser cache. (As network admin you should be pretty familiar with any of those.) These external and internal caches are generally your enemies when performing settings changes, because they simply ignore and sabotage your settings changes, regardless of automatic or manual. And there is most likely no software in the world which could cover all these areas, especially not the external ones.
Again, meaningful settings switching can be done with local equipment only, else the results are unpredictable.
-
@rotblitz
Are you capable of posting without taking a jab at someone? I've been on this forum for two days and all I've seen from you is hopeless negativity.
As I said in my post, I'm not expecting the DNS records to change. I'm expecting the sites to be blocked as in firewall blocking. Is that not how the Cisco Umbrella works?
-
Sorry, I cannot find a personal jab at anyone. You should review your impression, else I (and likely everyone else) will stop answering to you.
And no, this is not how Umbrella works. They have no influence on any of these cachings. The results remain unpredictable. It's the same as with any other DNS service, including OpenDNS. A recursive DNS service cannot cover this.
"I'm expecting the sites to be blocked as in firewall blocking."
Yes, a firewall is local equipment. You can do this with local equipment. And Umbrella is a recursive DNS service, not a firewall.
-
rotblitz
"(As network admin you should be pretty familiar with any of those.)" My apologies, I took this as a sarcastic insult, my bad.
Thank you for the explanation, I believe I get it now. I guess what I don't get is what happens in the background when I enable/disable a category. I assumed it was somehow blocking it, not changing the DNS record. But that would make no sense because the machines on my network are just doing a DNS lookup, the traffic's not actually passing through OpenDNS.
-
"I guess what I don't get is what happens in the background when I enable/disable a category."
I can tell you. You reconfigure your dashboard settings for all domains belonging to this category to no longer provide their real IP addresses when your network queries them, but an OpenDNS/Umbrella address (hit-block.opendns.com) is returned instead. So in fact, it is something like "changing the DNS record", at least from your individual view, not from the general view.
That means, as long as your browser or OS or OpenDNS/Umbrella "thinks" that the previous DNS query result is still fine, so a new DNS query is not needed, and the result is taken from a previous query, then the settings change appears as not taking effect, although the category (of domains) is enabled/disabled for blocking at your dashboard. This is the unpredictable results thing.
"the machines on my network are just doing a DNS lookup, the traffic's not actually passing through OpenDNS."
Absolutely correct. DNS is the phone book of the internet, not the phone lines. OpenDNS/Umbrella have no influence on the actual traffic. (Not fully true. If you install the client agent for Windows or Mac in conjunction with certain Umbrella services, then there may be also a VPN tunnel involved also controlling the actual traffic. But this software again counts as local equipment.)
-
Thank you again for taking the time to explain this. I completely understood the unpredictable results thing from the get-go, but I wasn't thinking it through all the way.
Unfortunately, I can't install the client because my kids are using school issued iPads. This leaves parents in a jam, because I can't just block "youtube.com" on my router. As you pointed out, there are a hundred URLs/IPs that YouTube is using. Using OpenDNS seemed like an easy fix, but for scheduling, it's not.
In any case, I agree with you guys, this shouldn't be the responsibility of OpenDNS and so I'm removing my vote for this idea.
Sorry again for jumping down your throat.
-
"I can't install the client because my kids are using school issued iPads."
That's not the only reason why you cannot install the client. This client is for certain services only, like Umbrella Prosumer and Cisco AnyConnect, not for the standard versions of Umbrella or OpenDNS. You would have to explicitly subscribe to one of those paid services.
Another reason is that this client is available for Windows and Mac only, not so for iOS (i.e. iPhone or iPad). So even if you subscribed to such a service, you couldn't use it for your kids' school devices.
-
Does anyone know if there is a paid solution (hardware, software, service) to block YouTube on a schedule? I searched quite a bit and couldn't find. We can't completely live without it (shocking) but would really like to be able to block it during certain time of the day, however much it costs.
Fios gateway has a very simple interface to specify just that but it doesn't work and Verizon support has no clue.
-
@chengen
There are much more search results about how to scheduled block YouTube or other websites.
-
chengen
As you may have realized, blocking domains/IPs with routers is very limited, especially when it comes to youtube because there are so many URLs and IPs associated with youtube, even more since Google took over. I'm going to try installing a Raspberry Pi running Pihole. I'm not sure how technical you are, but it's something you can look into. Below is a link to a reddit post where someone wrote a script to enable and disable blocking rules on a schedule. I'm going to try this and let you know how it goes. My Pi should be here this weekend.
https://www.reddit.com/r/pihole/comments/a5p5zm/enable_disable_block_lists_on_a_schedule/
-
flyboy13
Thank you for the information. Is this pihole an utility only on Raspberry Pi? Do I have to somehow use a Raspberry Pi as my router to block websites? You said youtube has many URLs and IPs. Do I have to find all of them and create a list for pihole?
I am technical enough to follow instructions but conceptually I don't know how this would work.
Also what puzzles me the most is, most routers have the url blocking functions as rotblitz mentioned. However, the one I tried (Fios gateway) just does not work at all. I read somewhere they can only block http sites not https sites and my test seems to somewhat confirm that. I was able to block a couple http sites but I couldn't block youtube.com no matter what I try. Very frustrating and Verizon support really has no clue. They sent me another one which didn't work either.
I don't want to spend money buying routers that won't do the job but I definitely will pay for a solution that actually works.
-
chengen
Yes, Pihole is free software written for the Raspberry Pi but I understand you can also run it on a Linux server as it's Linux based. The Raspberry Pi will work in conjunction with your router to filter and report on traffic. You may be able to buy one with wifi capabilities to replace your router, but I'm not going that route (no pun intended). I spent $100 on Amazon for a kit which includes a case with fan, cables, power supply, and sim card with OS pre-installed. It's basically a mini Linux machine. You will have to download Pihole and install it on the Pi yourself using a USB stick.
Routers are not going to block youtube effectively in my opinion. You can't just block youtube.com. It won't work. With Pihole you can create your own block lists or download one that somebody else has created. It's not going to be 100% foolproof, but it does work. You can also run reports on usage which most routers don't do very well.
Another option is NxFilter which also runs on the Pi. I'm not sure if these options will be good for you, I guess you will have to decide. I don't expect to just plug it in and go. It will take research and tinkering.
Here's another article which may help you...
https://digimoot.wordpress.com/2020/07/13/pihole-use-as-a-parental-filter/
-
Take a look on https://meetcircle.com/ . The control is also extensive to devices out of your wifi network, I mean it also be able to control the screen time/filter using celullar coverage, no just wifi.
-
flyboy13, not sure why you're giving up on this idea. I can appreciate all the technical reasons cited about why this is supposedly a "bad thing" to do, but as far as my kid's Chromebook is concerned when I add something to the OpenDNS block list it's immediately blocked. Conversely, when I unblock it immediately appears unblocked. Apparently none of the devices in the chain between his typing fingers and OpenDNS is caching whatever the "old" DNS query result was.
THIS IS ALL I NEED. I'm not asking for perfection here. If something happens to cache a DNS record query result then so be it but in practical terms I have yet to experience this. So, if instead of turning the blocked domains on and off manually there was a schedule to do so then that would be GREAT.
-
Ohpendeeeness, agreed, and honestly the arguments against offering this seem to confuse CISCO's definition of the problem with the actual functionality that people are asking for.
Right now CISCO sells a service that allows customers to manually block or allow certain sites or categories of sites.
We've seen a number of technical arguments trying to explain why this cannot be done on a schedule.
I have about 22 years of networking experience, and honestly, the reasons given are complete nonsense given that anything that applies to the manual scheduling also applies to automated scheduling.
Yes, in theory caching could mean that the changes are instantaneous. So what? That is also true of manual changes. Yes, in theory the changes might conflict with more advanced weirdness on the local network. Also true of manual. We don't care.
Bottom line is that what CISCO is hearing is that there is a market need to put a basic scheduler on the tool that already does this and a large percentage of Open DNS customers are manually doing what you claim is impossible on your platform at least twice a day during COVID.
Your product is pretty good, but having to do it manually sucks. You can care, or not, but don't claim that it's impossible. As customers, we'll move to whatever platform cares about this as soon as one is available.
Please sign in to leave a comment.
Comments
28 comments