DNS Filtering services...such as DNSFilter/Umbrella/etc...vs UTM....

YeOldeStonecat

YeOldeStonecat

Well-Known Member
Reaction score
6,691
Location
Englewood Florida
I've always preferred UTMs at the edge to do the heavy work for filtering. For our managed networks, Untangle works great, it's our preferred choice. Get the SSL inspector on all computers via group policy and things work well.

We don't deal with networks for "one-off" clients, but we had an inquiry from a multi location gym. They got one of those big scary "cease and desist" emails from their ISP, that Disney notified them of movies being P2P/torrented from one of the gyms locations.

So they inquired about putting up a network monitoring system that would prevent this.

I'd normally put Untangle in...and of course the SSL inspector on computers. But it's a gym, so every day, hundreds of revolving smart phones, tablets, etc. Can't do the SSL on them. Or who knows, could have been an employee on one of the office computers.

I know I can "tarpit" suspected p2p/torrent traffic with Untangle...to make it nearly impossible to use. If you go "block" it, users simply try adjusting ports and eventually get around the firewall.

And I'd plan on putting Unifi switches and APs in place...and putting a "guest" bandwidth policy in for something like 2x megs max per user.

So I'm wondering about those DNS services...sometimes I see "talk" about network filtering shifting from UTM appliances, to DNS services. Wondering if I'm behind the times sticking to UTMs.
 
Technically Untangle's WebFilter is a DNS filter.

There is however a massive rub... DNS filters are VERY DIFFICULT to get granular with. If you can get away with a single policy set per job site, DNS filters are easy. If you want to be able to flag specific machines and push them into different policies you have to have a mechanism to do that. This means an agent on the endpoint if you're on a DNS filter, which obviously won't fly with BYOD.

Untangle lets you forego the agent requirement because the agent is the router, and now you can choose policy based on all the usual network level identifiers. The DNS filters cannot do this because they simply do not operate in this space.

You're not behind the times, you're just not doing your job incredibly badly. Far too many MSPs are owned by sales people and it shows! I use DNSFilter myself, but I also use Untangle. The former is vastly less expensive than the latter, but it also doesn't afford much in the way of flexibility. So again if the site fits into that tiny box, use the tiny tool. For everything else, there's the UTM.
 
I can't see people's phones doing torrent work. And what else would a member bring to a gym? If there's a violation it has to be an employee. Either they allow them to bring in their own laptops for the free WiFi or they have installed stuff on the PCs. Need to lockdown the latter and advise the owners to stop any practice of employees bringing devices other than phones in the building.
 
@nlinecomputers You've never seen a jail broken phone... Yes, phones can and do torrent stuff all the time. Especially when you're working with rando's in a public space where they're going to be there for an hour.

There's no point in stopping the employees from BYOD, when the customers will be BYOD. The reality and risk is identical.
 
Sky-Knight said:
@nlinecomputers You've never seen a jail broken phone... Yes, phones can and do torrent stuff all the time. Especially when you're working with rando's in a public space where they're going to be there for an hour.

There's no point in stopping the employees from BYOD, when the customers will be BYOD. The reality and risk is identical.
Click to expand...
I know what one is but honestly, I have never encountered outside of tech forums users who root or jailbreak phones. Yes, they are out there but it is very rare. Especially today. It was more common 10 years ago. Not so much now. I no longer root my phones, it breaks too much useful stuff for little advantage anymore.
 
nlinecomputers said:
I know what one is but honestly, I have never encountered outside of tech forums users who root or jailbreak phones. Yes, they are out there but it is very rare. Especially today. It was more common 10 years ago. Not so much now. I no longer root my phones, it breaks too much useful stuff for little advantage anymore.
Click to expand...

It is rare, but the rare events are what trigger those cease and desist letters.
 
Many people use sites to just watch and not download content, it is powered in many cases by some p2p or other tech whereas as you watch you share back out.
Plus the copyright owners will still find out.
The programs to do this are not hard to find and can be installed on a phone from the legit stores. Also can be watched in a browser.
Why do you think VPN's are pushed to regular users so much.
 
Received one of those C&D letters many years ago. I stupidly, as we all know hindsight is 20/20, gave my land lady's daughter and son-in-law credentials to my guest wifi since my land lady didn't have Internet. It took several months before I received the letter, so I'm betting that it take a lot more than a one off to trigger that event. I'd be surprised if it's some mobile device(s) that been jail broken. Yes they do happen but to be honest they are rare in the general population. First thing I'd look at would be the sites themselves. The letters should have specific address(es) mentioned. Another common way is to use adjacent free wifi for this. Are there apartments, homes, etc nearby. I'd also check the business itself. Most, if not all, are streaming content. Not just to the individual machines but also to wall mounted TV's. I setup a new exercise place some 10 years ago. His wasn't a chain so I had to figure out everything. The machines were easy since they just had to connect to the vendor. It's the multiple TV's with different content that was difficult.
 
Markverhyden said:
Received one of those C&D letters many years ago. I stupidly, as we all know hindsight is 20/20, gave my land lady's daughter and son-in-law credentials to my guest wifi since my land lady didn't have Internet. It took several months before I received the letter, so I'm betting that it take a lot more than a one off to trigger that event. I'd be surprised if it's some mobile device(s) that been jail broken. Yes they do happen but to be honest they are rare in the general population. First thing I'd look at would be the sites themselves. The letters should have specific address(es) mentioned. Another common way is to use adjacent free wifi for this. Are there apartments, homes, etc nearby. I'd also check the business itself. Most, if not all, are streaming content. Not just to the individual machines but also to wall mounted TV's. I setup a new exercise place some 10 years ago. His wasn't a chain so I had to figure out everything. The machines were easy since they just had to connect to the vendor. It's the multiple TV's with different content that was difficult.
Click to expand...
This raises a valid point. If they offer free WiFi to the members they need to setup the router to lockout a MAC address after 2 hours. That will let people come in and do their workouts but limit anyone trying to piggyback. Forcing clients to use a signup page login with membership ID will also knock that down.
 
I've never used a premium DNS filtering service so this may be completely untrue but aren't they stupid easy to bypass? User sets DNS server statically to 8.8.8.8 on their device = filtering bypassed entirely.

In a corporate environment thats not a problem. Set policies and restrictions against it. But you can't do that to public devices on a guest wifi.
 
Block port 53 except for your the IP address of your DNS server usually the router firewall itself but sometimes you have a separate device for that.
 
And then it's bypassed by DNS over HTTPs.

You need an SSL aware UTM to enforce the use of a DNS filter.

Which brings us full circle, @YeOldeStonecat You need an Untangle to enforce the use of a DNS Filter! LOL
 
YeOldeStonecat said:

Better firewalls can limit outbound DNS to...what you set it to....and block anything else (or...redirect it to what you want to)
Click to expand...

And yet, if you carefully read the article you linked, they all but admitted that a browser configured correctly will bypass DNSFilter via DNS over HTTPs.

Untangle's Threat Prevention module is one of the few things on the market I'm aware of that can control this behavior. All someone has to do is install Firefox and configure it to forcibly use a specific DNS server over HTTPs and POOF... no more DNS filters.

Untangle's inspection of actual TCP sessions means control is applied, doesn't matter where the client resolves or what it resolves or HOW it resolves.

UTMs are still the best, but DNS filters might be good enough... depends on your goals. DOH is a HUGE hole in DNS based security systems.
 
YeOldeStonecat said:
...but for a gym with guests....I won't be able to install the SSL certificate on each guest client to enforce it....sorta a....stuck in an endless loop here....
Click to expand...
Incorrect, because once again Threat Prevention controls DoH and DoT traffic, it does so via IP reputation alone and doesn't require SSL inspection. As I said, it's the only thing I know of that does this in the price brackets we work with.

*Note* I do not have SSL Inspector active anywhere in production, I don't use the module, I don't believe in the module. SSL MITM is a bad idea IMHO, never going to do it unless it's a reverse proxy load balancer.

Still, for a public wifi? I'd do DNS filtration too. I'm not driving this point home to talk you out of DNS Filter, because for a public hotspot it's the best bang for your buck. I'm just pointing out the hole in that process that you need to know about before you roll it everywhere.

DNS Filter is really good at preventing malware on devices in your control, but it's near useless in a public setting if someone wants to bypass it. But it is enough to show due diligence, which is all you require for a Gym.
 
Last edited:
I've not dug too much into Threat Prevention, only to lax it 1x step since it was quite over aggressive. But I'm poking around now looking to where you'd leverage this to block outbound DNS except for...whatever you designate.
 
You must log in or register to reply here.
Back
Top