Bypass DNS


jon ninety

Jul 23, 2013, 6:02:08 AM
to nxfil...@googlegroups.com
Just a general question about DNS - if you know the IP of the site, you're in regardless of NxFilter. To get an IP address there are hundreds of websites that do DNS lookups for you - is there any way to block those sites too?

Jinhee

Jul 23, 2013, 6:54:04 AM
to nxfil...@googlegroups.com
Firstly you need to block outgoing port 53.
And then you need to block those sites on NxFilter if you know the sites.
In theory it's possible to access all the sites using just IP addresses.
But in reality one site has many links from other sites or from the site itself.
It's almost impossible to use a website based on IP address alone.

Jinhee

Jinhee

Jul 23, 2013, 7:14:07 AM
to nxfil...@googlegroups.com
And plus, most websites are running on virtual hosts.
Especially if it's a hosted website.
So you can't access those websites using IP addresses.

But you're not supposed to deal with IP experts here.
For ordinary users it's enough of an obstacle.

And it's not always enough using the tech way alone.
You need to have a disciplinary measure first, whether it's in an office or a school.
If you go into an arms race with people having IT knowledge you can never win.

Jinhee

jon ninety

Jul 23, 2013, 7:29:22 AM
to nxfil...@googlegroups.com
Blocked outbound to allow only NxFilter on 53.
Too many sites - almost every ISP has a lookup tool.
Edit the hosts file on the client, then access all content on the site, thus bypassing NxFilter.
Agreed, almost impossible - need many layers of defence.

Jinhee

Jul 23, 2013, 7:44:27 AM
to nxfil...@googlegroups.com
Once I was thinking of the hosts file trick.
But I think you still can block it if you use AD.
On GPO you can use a logon script to overwrite the hosts file with an empty one.
Anyway, if it's the hosts file you still can block it somehow.

Only it needs extra work and I don't think it's needed.
Why would one try to view blocked sites, going through all the difficulties?
He can view those sites when he gets home.

Jinhee

jon ninety

Jul 24, 2013, 10:24:45 AM
to nxfil...@googlegroups.com
Problem is many workers in remote sites with BYOD ... try to find ways to stop / filter browsing without using expensive enterprise filters - DNS sounds like the best option but will be a hard sell if staff can bypass it ... much to think about .. perhaps there's something we can enable on the gateway ....

Jinhee

Jul 24, 2013, 10:49:26 AM
to nxfil...@googlegroups.com
In a typical situation:
Users bring their laptops or some gadgets.
They need to use the Internet.
They can use the company wireless.
But the company wireless uses DHCP.
They get an IP with the DNS address pointing to NxFilter.
They get filtered.

You'd better stop here.
Because you're not supposed to try to block advanced users having advanced IT knowledge.

But we can go on.

1. Some users try to bypass it by changing the DNS setup.
  - They can't use another DNS because outgoing port 53 is blocked on your router or firewall.

2. Some users try to access sites by typing the IP address into the browser.
  - It's almost impossible because there are many internal links in a site using domains.
  - Most hosted sites are running on virtual hosts. You can't see anything by typing the IP for these sites.

3. If they're using a hosts file having lots of domains.
  - Use AD and GPO + logon scripts to clear it out.

I don't know what you're trying to do with NxFilter but it's enough of an obstacle for users.
For example, I have enough knowledge for bypassing it.
I can write a hosts file as well.
But what for?

To view some porn sites banned by company policy?
If I really want, I can view those sites using my smartphone with 3G.
Why do you need to go through all the trouble?

With a typical web filter based on a proxy,
you still can bypass filtering.
You can use some tool like Ultrasurf.

Having a disciplinary measure would be the first thing.
And a filtering tool like NxFilter is making your life easier because you don't need to watch behind them all the time.
But sometimes you have to look into what's going on.

Jinhee
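The hosts-file layer from point 3 above, as an added example that is not NxFilter's or the poster's own code: it audits a hosts file for entries that pin a domain to a routable address (the only kind that sidesteps a resolver-based filter) and writes back a clean file, which is the job the GPO logon script does. The sample hosts content and the 203.0.113.7 address are constructed.

```python
"""Audit and reset a hosts file that users edit to bypass DNS filtering.

Added example, not NxFilter's or the poster's own code. It assumes the
filter works at the resolver, so any hosts entry that maps a name to an
address other than loopback or 0.0.0.0 bypasses the filter entirely.
"""
import ipaddress
from pathlib import Path

# What a clean hosts file should contain after the logon script runs.
DEFAULT_LINES = ("127.0.0.1 localhost", "::1 localhost")

# Constructed sample: a clean file plus lines a user might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example      # sinkhole entry, harmless
203.0.113.7 blocked.example www.blocked.example  # pins a banned site
not-an-ip   weird.example
"""


def parse_hosts(text):
    """Return (ip, names) for each non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.append((ip, names))
    return entries


def bypass_entries(text):
    """Return entries that send a name anywhere but loopback or 0.0.0.0.

    Malformed addresses are reported too; a clean file never has them.
    """
    flagged = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, names))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((ip, names))
    return flagged


def clean_hosts_text():
    """The content the logon script writes back over the hosts file."""
    return "\n".join(DEFAULT_LINES) + "\n"


def reset_hosts(path):
    """Overwrite `path` with clean content; return what was flagged before."""
    p = Path(path)
    before = bypass_entries(p.read_text()) if p.exists() else []
    p.write_text(clean_hosts_text())
    return before
```

Run `bypass_entries` over the live file from a scheduled audit to see who is editing hosts before the reset hides it.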

Jinhee

Jul 24, 2013, 11:00:08 AM
to nxfil...@googlegroups.com
And plus, there are many IT admins using the hosts file to implement filtering.
What if users overwrite those hosts files?
But it's still an effective way of filtering in reality.
It's a surprise to find how many people are using the hosts file to block some sites, if you search Google with the keyword 'facebook block hosts file'.

I don't know why these people are updating and copying hosts files all the time.
They just don't know they can use NxFilter, which is simple and easy and has all kinds of commercial features.
And I also don't understand people using an expensive web filter.
I also have several years of experience in development of a commercial web filter.
Just a trouble maker.

The only good thing was the commercial URL DB.
Maybe someday I can provide a commercial DB option as well.

Jinhee

jon ninety

Jul 24, 2013, 11:01:46 AM
to nxfil...@googlegroups.com
Jinhee - It's not a question of why ... people do strange things and it's not just about porn - it could be gambling or general timewasting or whatever - I agree NxFilter will cover us for 95% of all our users -- it's the 5% - for me to sell this idea to management I need to cover all bases. But thanks for your detailed reply - I really appreciate your efforts.

cheers

Jon

Jinhee

Jul 24, 2013, 11:14:42 AM
to nxfil...@googlegroups.com
To sell it to your management,
you need to tell them DNS filtering is an effective way that is widely used.
The example would be OpenDNS.
NxFilter is using the same way and you have 100% of the control.
You don't need to leak Internet usage info to a 3rd party.
One shortfall is the relatively smaller domain DB.
But it's beyond my limit.
This is freeware.

Jinhee