Internet filtering on iPad / DNS lookups


I would like to prevent access to adult websites on iPads by filtering them out. How can I stop people if they know the website's IP?

Allow me to explain a bit further.

I have set up OpenDNS's Family Shield as the default DNS provider for my home network and forced all DNS connections to go through it by blocking outbound UDP/TCP traffic on port 53 on my router. Now I am looking for a way to block any attempt to access websites by typing their IP addresses directly, which makes the DNS config useless. Would this be possible?

Note:

OpenDNS is set to Family Shield which, as the name suggests, filters adult content and connections to proxies. I do not have a spare computer at home on which I could install something like Untangle. I do not want to block internet access, but block that which is unwanted: the one that would be blocked by Family Shield and that the user would manage to access because they know the website's IP.

Ismael Lemhadri

Posted 2013-03-15T16:54:01.930

Reputation: 49

Um, isn't that how the internet works? DNS just gets an IP address; everything after that is done by IP address. – Brad Patton – 2013-03-15T16:56:05.707

Plus, if you're just trying to prevent internet access for users on the inside of your network, you can always leave the default gateway blank on the individual machines, or set your DHCP up that way. – Chad Harrison – 2013-03-15T17:01:37.557

What you want is not possible. – Ramhound – 2013-03-15T17:03:47.207

Why would you want to force a DNS lookup if you already have the IP address? – Der Hochstapler – 2013-03-15T17:10:39.020

@Ramhound: it is very much possible to block certain addresses. – Ярослав Рахматуллин – 2013-03-15T17:10:41.197

http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem – Der Hochstapler – 2013-03-15T17:19:28.667

Your updated version is much better. I even think it deserves a +1 – Scott Chamberlain – 2013-03-15T17:27:31.350

I don't think what you want is possible. If I understand correctly, you want to force every request to go through OpenDNS's DNS filtering service, which is great. However, after a device uses DNS to look up an IP, there isn't an easy way for a firewall to determine if a request to that IP had a matching DNS query or if it was just typed into the browser/client application. – heavyd – 2013-03-15T17:31:49.250

@heavyd it is possible; he will need to set up a proxy server before the gateway (or in the gateway if his router supports dd-wrt) that can subscribe to a blacklist that lists IPs for its filtering. – Scott Chamberlain – 2013-03-15T17:35:12.353

I do have the possibility to set up dd-wrt on my router! Does this offer a solution to my problem? – Ismael Lemhadri – 2013-03-15T17:37:13.360

@momo1729 I think so, but I don't know how to set it up personally. Hopefully you will get an answer that explains how to set it up. – Scott Chamberlain – 2013-03-15T17:37:58.933

@ScottChamberlain, agreed a proxy will work, but that also obviates the need for OpenDNS, other than adding an additional layer of protection. – heavyd – 2013-03-15T17:38:23.360

I would like to add that anyone who would think of browsing directly to an IP to circumvent OpenDNS is probably capable of defeating most other obstacles suggested here. – Marcks Thomas – 2013-03-15T17:41:33.907

@MarcksThomas I was thinking the same thing. These people would have to have some serious motivation to use a different device in order to look up an IP address and go back and type it in on the iPad. Risk mitigation not risk elimination. – user142485 – 2013-03-15T19:34:36.823

Answers


DNS servers only provide a mapping of a name to an IP address.

You're looking to block users who already have a remote IP address from reaching a server, meaning the step that the DNS server would have done is already completed.

The level of filtering you're asking for will need to be done with a proxy server or similar, where requests to IP addresses will fail.

This solution also falls apart in that many legitimate sites will use IP addresses.

What you really need is a true proxy server, and then to subscribe to some blacklist, and block access to those sites. dd-wrt won't do this (as far as I know). You can manually block sites, but you'd have to add an iptables rule for each site, and you'd be playing a never ending game of cat-n-mouse. That's why you'd want to subscribe to some blacklist, or use dd-wrt to redirect all traffic through a proxy.

As @ScottChamberlain has mentioned in the comments, if you have a high-end router, you can try and install dd-wrt, then install a squid plugin on it, and finally subscribe to a blacklist (which you would need to download and then import into squid regularly; you could probably do this via a cron job with a simple script).

Dansguardian and squidguard streamline this last step by providing auto-updating blacklists, but I don't believe either can run in dd-wrt.

In most cases, the processing demands for going through such a blacklist (which can have over 2m entries) are too much for home routers, which is why people end up using separate computers for this, or commercial services. In fact, I have never heard of any router which can run a full solution as outlined above - that doesn't mean the hardware doesn't exist, just that I haven't seen any references to such hardware, and generally just see references to saying that you need to use separate computers to achieve the level of filtering you're attempting.

ernie

Posted 2013-03-15T16:54:01.930

Reputation: 5 938

Do you think this can be implemented on a router with dd-wrt? Remember, we're talking at the home level... – Ismael Lemhadri – 2013-03-15T17:32:54.333

@momo1729 I don't believe so. Updated answer with some more details. – ernie – 2013-03-15T17:41:13.570

@ernie dd-wrt has a whole plugin system that can add features, some of which are true proxy servers (for example squid2 and squid3 are both available). – Scott Chamberlain – 2013-03-15T17:41:56.653

@ScottChamberlain there's plenty of plugins, but as far as I know, none of them provide the ability to subscribe to a blacklist, so using dd-wrt to point to a transparent web proxy is probably the best solution - you just need a proxy to point to. – ernie – 2013-03-15T17:44:10.620

@ernie as I said, if your router is powerful enough you can run a squid server *on the router itself*. – Scott Chamberlain – 2013-03-15T17:46:01.577

@ScottChamberlain right, but again, squid in and of itself won't do the blacklisting, and you'll need to update it manually. You'd really need something like Dansguardian (built on squid), but most routers can't run this. Quote from that thread: "...even the "fastest" routers with 128MB ram are not powerful enough" – ernie – 2013-03-15T17:47:28.603

yes, or subscribe to a blacklist ACL – Scott Chamberlain – 2013-03-15T17:50:07.063


You can configure a firewall, either on the router or on the iPad devices. Configure the firewall to drop packets to and from the undesired IP addresses.

I would put a firewall distro of GNU/Linux on your spare computer, or even a BSD firewall. Then force all internet traffic through that. Alternatively you could visit the dd-wrt router database and see if your current router is supported.

Firewall-OS distributions:

Ярослав Рахматуллин

Posted 2013-03-15T16:54:01.930

Reputation: 9 076
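An added example, not code from ernie's or Ярослав Рахматуллин's answers, that ties the two approaches together: a POSIX shell script of the kind a dd-wrt cron job could run, which validates a downloaded blacklist, splits it into squid `dstdomain` and `dst` ACL files (the proxy approach), and prints the iptables DROP rules for the IP entries (the firewall approach). The list contents, file names and ACL names are constructed for the demo; fetching the real feed is left to the reader.

```shell
#!/bin/sh
# Turn a blacklist (one domain or IPv4/CIDR per line, '#' comments) into squid
# ACL files plus iptables DROP rules. Sample list and file names are constructed.
# 0 if $1 is a hostname (labels of letters/digits/'-', alphabetic TLD), else 1
is_domain() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}
# 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix, else 1
is_ipv4() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^$octet(\.$octet){3}(/([0-9]|[12][0-9]|3[0-2]))?\$"
}
# split_blacklist <list> <domains_out> <ips_out>
# Lowercases, strips comments and whitespace, logs malformed lines to stderr,
# and prefixes domains with '.' so squid's dstdomain also matches subdomains.
split_blacklist() {
    : > "$2"; : > "$3"
    tr 'A-Z' 'a-z' < "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        if is_ipv4 "$entry"; then printf '%s\n' "$entry" >> "$3"
        elif is_domain "$entry"; then printf '.%s\n' "$entry" >> "$2"
        else printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}
# Print the squid.conf lines that deny both ACL files (proxy approach).
print_squid_acl() {
    printf 'acl bl_dom dstdomain "%s"\nacl bl_ip dst "%s"\n' "$1" "$2"
    printf 'http_access deny bl_dom\nhttp_access deny bl_ip\n'
}
# Print one router-side DROP rule per IP entry (firewall approach); pipe to sh to apply.
emit_drop_rules() {
    while IFS= read -r ip; do
        printf 'iptables -I FORWARD -d %s -j DROP\n' "$ip"
    done < "$1"
}
work=$(mktemp -d)
cat > "$work/blacklist.txt" <<'EOF'
# constructed sample list; real feeds are far longer
Example.NET
ads.example.org   # trailing comment
203.0.113.0/24
198.51.100.7
bad_host
300.1.1.1
EOF
split_blacklist "$work/blacklist.txt" "$work/domains.acl" "$work/ips.acl"
print_squid_acl "$work/domains.acl" "$work/ips.acl"
emit_drop_rules "$work/ips.acl"
```

The two malformed sample lines are reported on stderr and dropped rather than written into the ACL files, so a corrupt feed cannot silently break the squid config.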

@momo, reword your question to your REAL question "I would like to prevent access to adult websites by filtering them out, how can I stop people if they know the websites IP and don't go through something like OpenDNS's Family Shield?" – Scott Chamberlain – 2013-03-15T17:22:49.453

That's it, and most specifically on iPads, because I have good filtering on the PCs already. Should I open a new subject for that? – Ismael Lemhadri – 2013-03-15T17:24:12.320

No, I would just edit your original post, and make something similar to what I wrote as the very first thing you say; you can leave your old text if you want, but make your real goal clear at the top of the question. – Scott Chamberlain – 2013-03-15T17:25:00.103