Using Firewall Profiles to force OpenDNS

  • Idea
  • Updated 5 years ago
We use OpenDNS Enterprise as a content filter and this works great with Aerohive. Our DHCP server serves out OpenDNS. I then use the Aerohive firewall policies to block DNS if they try to use anything but the ones from OpenDNS. This keeps folks from trying to manually switch to Google DNS to bypass the filters.
Bradley Chambers, Champ

Posted 6 years ago
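The DHCP-plus-firewall arrangement Bradley describes, modelled as an added example (this is not Aerohive or OpenDNS code): port-53 traffic from the client subnet is allowed only to the OpenDNS resolvers, every other port-53 flow is dropped and logged (the log is the signal that a client has been re-pointed at another resolver), and the sample also shows an HTTPS flow passing untouched, since a DNS-only rule has no view into it. The 10.0.0.0/8 client subnet and the sample flows are constructed assumptions; 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolver addresses.

```python
"""Egress-DNS policy: allow DNS only to the OpenDNS resolvers, drop and log the rest."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# OpenDNS public resolvers; the DHCP scope is assumed to hand these out to clients.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
DNS_PORT = 53
LAN = ip_network("10.0.0.0/8")  # constructed: the client subnet the policy protects


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


def decide(flow: Flow) -> str:
    """Return 'allow' or 'drop' for one flow under the egress-DNS policy."""
    if ip_address(flow.src) not in LAN:
        return "allow"  # the policy only governs clients on the protected subnet
    if flow.dport == DNS_PORT and flow.proto in ("udp", "tcp"):
        return "allow" if flow.dst in OPENDNS_RESOLVERS else "drop"
    return "allow"  # anything that is not port 53 is outside this rule's scope


def evaluate(flows):
    """Apply the policy to each flow; dropped flows become log lines for review."""
    verdicts, log = [], []
    for f in flows:
        verdict = decide(f)
        verdicts.append(verdict)
        if verdict == "drop":
            log.append(f"DROP dns {f.proto}/{f.dport} {f.src} -> {f.dst}")
    return verdicts, log


# Constructed sample flows: a normal OpenDNS lookup, a client switched to Google DNS
# over UDP and TCP, and an HTTPS flow the DNS rule cannot see into.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "208.67.222.222", "udp", 53),
    Flow("10.1.2.3", "8.8.8.8", "udp", 53),
    Flow("10.1.2.3", "8.8.8.8", "tcp", 53),
    Flow("10.1.2.3", "203.0.113.10", "tcp", 443),
]

if __name__ == "__main__":
    verdicts, log = evaluate(SAMPLE_FLOWS)
    print(verdicts)
    print("\n".join(log))
```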
Adam Conway
Good idea Bradley. Enforcing this at the edge also prevents students from using local proxies :)
Nick Lowe, Official Rep
Personally, I would NAK this idea as I do not think that it is a good one to deploy outside of small establishments with limited requirements. I would certainly never use it in education.

A service that attempts to implement filtering at the DNS level is not particularly useful due to its inherent limitations.

Content filtering is done at completely the wrong level of abstraction - it is not granular enough... filtering is on a per-domain basis, it cannot filter services accessed by IP directly and it cannot filter based on content.

It is relatively trivial to set up a tunnelling mechanism to circumvent the superficial protection that it provides.
Bradley Chambers, Champ
Nick,

Thanks for the comments. I've used it for a few years in our school and it works perfectly (in fact it's much better than our Sonicwall is at content filtering). I've also talked to a lot of other organizations who are doing it as well. We've also recently deployed their Umbrella service for around 30 of our users for content filtering when off our network. I'm not trying to start a flame war, but simply say that it has been and is working for people in real deployments.
Nick Lowe, Official Rep
Hi Bradley,

Oh me neither! I mean to be purely dispassionately technical, certainly not inflammatory. :)

On a technical level, to me, OpenDNS is a suboptimal solution because of the way it works. Doing filtering at the DNS level is all kinds of wrong as it lacks granularity and is easily circumvented. In geek speak, it's a layering violation.

For example, perform a DNS lookup for a domain that you're interested in that is blocked via a Web site that offers that service, add the IP and domain to your hosts file. Voila! You're around the filter.

And because it can only filter on a per-domain basis, you easily run the risk of blocking genuine, desirable content because somewhere else on the domain there is content that is deemed unacceptable. You're therefore often forced into a compromise situation where you're damned if you do, and damned if you don't.

If a solution like that is fine for your needs, then great! It is definitely not for me for the reasons above.

The fact that many people may be doing something one way does not make it a good solution; that's an argument rooted in the appeal to authority fallacy. There are strong technical reasons why it's a poor thing to implement.

Nick
Adam Conway
If I may, I probably sit somewhere in the middle here - OpenDNS has its plusses and minuses. Yes, it is over-broad because it looks at everything before the "/" and nothing after in the URL, which can be problematic for websites like Wikipedia and Google - but for many this works. Also, without careful network planning it is easy to circumvent, but on the other hand if you manage your hosts and/or network well it can be locked down pretty well. On the plus side, OpenDNS is easy, inexpensive and works outside of your network (a huge plus in my opinion), especially in the US where we are proxy averse (not getting into that discussion though).

I think as IT people we make decisions based upon importance, cost, etc and I think that there are places where OpenDNS makes sense. In many networks the goal isn't to make it impossible to circumvent, rather the importance is to provide a safety net for people's surfing that is consistent with the values of the organization and, of course, regulatory requirements.

In the end we have lots of customers that choose OpenDNS with their eyes wide open to its benefits and limitations; however, we also have a lot of others that chose a richer content security system like WebSense or Barracuda.
Nick Lowe, Official Rep
Hi Adam,

I was talking mainly about educational environments where minors will be using the service and where a duty of care exists. (In such environments, it is normally expected that a technically sound solution be deployed.)

In response to your comment about proxies, you can, of course, filter at the default gateway making any filtering transparent to clients. This is a vastly stronger technical solution and is the gold standard here as you get to inspect the traffic. (The days of manual proxy settings, PAC scripts and WPAD should be long gone for all of us!)

I agree that OpenDNS is often a good compromise solution outside of a managed environment, but definitely do not see it as being a desirable solution inside of one as there are better solutions available that are technically sound in their architecture.

If budget is the limitation, then OK, that is an environmentally specific judgement call that has to be made, but let's be clear, it is a compromise at the expense of the quality, integrity and completeness of the solution. The poor man's choice, so to speak. (I would argue that funding priorities are dubious at best if a proper solution cannot be sourced for use inside a campus network.)

I do not see that solutions that filter at the DNS level fit well in environments where BYOD happens as you will not usually be locking those hosts down as they are outside of administrative auspices and you usually will not know if and when they do circumvent the protection due to how it is implemented.

(I would further muse that I hope that OpenDNS does not meet regulatory requirements for filtering in educational environments as that would, to me, just engender questions about the poor quality of those regulations and the need to improve them!)

Regards,

Nick
Adam Conway
Hi Nick,
I agree with much of what you say, but it is based on the premise that in a school the content must be blocked at all costs, which is not always the case with schools - as you can imagine, I talk to many schools in a week all over the world and I see a surprising diversity of opinions about content filtering. While over half would agree with you, there are many others that take different approaches.

An extreme case, I know of a California high-school who uses an honor code to manage it and does zero filtering but records all traffic. They don't take federal funds, so they can get away with this. The IT director, who is quite sophisticated, tells me he hasn't had a problem yet, and I trust him to know. I think there is greater diversity of approaches than you would think - that said, I don't know all of the regulations worldwide and you may be under a different regulatory requirement.

As far as transparent solutions, I am right there with you... If I were trying to block 100%, I would probably go the same path.
Nick Lowe, Official Rep
Hmm... For me, the premise is a weaker one - that Internet use must be accurately auditable and accountable, which a DNS based solution is definitely not.

In your example, how would you record all traffic and accurately account it to users if your only filtering solution is based on DNS lookups?

It is not just about blocking content, therefore, although I do personally think such capability is important where minors are involved and you are responsible for providing the connection. (As you accurately point out, the need for this is a subjective point. My thoughts are that it fades with increasing maturity.)
Adam Conway
Usually recording is different from content security. Systems like "Big Brother" just operate transparently, and you only use it when you need forensics. It is not uncommon for organizations to do this.
Nick Lowe, Official Rep
You need the capability to accurately inspect content, which you can then log if you so choose, to be able to filter it properly. My point was you can do neither with a DNS filtering solution such as OpenDNS so it is poorly suited for either use case.