#1 mha (Newbie; Join Date: Mar 2019; Posts: 2)

    Suggestion for improved blocking

    Hi.

    (sorry for chopping up the URLs in this post... your forum requires me to post 5 topics before allowing me to post links....)

    You are on your wiki writing the following:

    WARNING: With the increasing adoption of SSL ad blocker can do very little without SSL inspection, but running SSL inspection is not ideal for many organizations.
    Ref: https://wiki.untangle.com/index.php/Ad_Blocker#About_Ad_Blocker

    There is one other approach to this problem.

    If the firewall is monitoring the DNS queries made by devices behind the firewall and keeps a cache table of the query and response, you can perform ad blocking without intercepting SSL.

    Example: A client makes a request for https://ads.myevilsite.net/campaign/abc123. The firewall will today see a TCP connection from the client to the resolved IP of ads.myevilsite.net. Especially with shared network resources on cloud hosting services, blocking a single IP would be inaccurate.

    Though if the firewall monitored the DNS query for ads.myevilsite.net and the response and put it in a cache table, it could then match the TCP/443 connection in this table to ads.myevilsite.net and hence drop it.

    This would not match specific regexps where the URI contains parts which determine whether it's ads/spam/malware or not. It would however allow for a quite significant amount of domains which can be referred to as ad serving sites, while still keeping the user's SSL intact.

    This can happen pretty much in real time without significant degradation of performance.
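The cache-table approach described in this post, as an added example that is not part of the original post or of Untangle: DNS answers passing through the firewall populate an IP-to-names table with TTL expiry, and each new TCP/443 flow is classified by the names that resolved to its destination IP. The blocklist and the DNS answers are constructed sample data; the "ambiguous" verdict covers the shared-hosting case the post mentions, where one IP serves both a blocked and a legitimate name.

```python
"""Added example (not code from the thread or from Untangle): a DNS-answer
cache table that classifies new TCP/443 flows by the hostname(s) that resolved
to the destination IP. Blocklist and DNS answers are constructed sample data."""
from collections import defaultdict

BLOCKLIST = {"ads.myevilsite.net", "tracker.example"}   # constructed blocklist


def is_blocked(name):
    """True if name or any parent domain is on the blocklist."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


class DnsCacheTable:
    """resolved IP -> {name: expiry}, filled from DNS responses seen in transit."""
    def __init__(self):
        self.ip_to_names = defaultdict(dict)

    def observe_answer(self, qname, ips, ttl, now):
        """Record an observed DNS response; each entry lives for the answer's TTL."""
        qname = qname.rstrip(".").lower()
        for ip in ips:
            self.ip_to_names[ip][qname] = now + ttl

    def names_for(self, ip, now):
        """Live names for ip, evicting entries whose TTL has expired."""
        live = {n: t for n, t in self.ip_to_names.get(ip, {}).items() if t > now}
        self.ip_to_names[ip] = live
        return set(live)

    def classify_flow(self, dst_ip, now):
        """Verdict for a new connection to dst_ip: 'block', 'allow' or 'ambiguous'.
        'ambiguous' is the shared-hosting case: the IP was resolved from both a
        blocked and a non-blocked name, so blocking the IP alone would be wrong."""
        names = self.names_for(dst_ip, now)
        if not names:
            return "allow"          # no DNS context, so the flow cannot be attributed
        bad = {n for n in names if is_blocked(n)}
        if not bad:
            return "allow"
        return "block" if bad == names else "ambiguous"


def demo(now=1000):
    """Constructed scenario: shared IP, dedicated tracker host, expired entry."""
    table = DnsCacheTable()
    table.observe_answer("ads.myevilsite.net.", ["203.0.113.10"], ttl=300, now=now)
    table.observe_answer("www.myevilsite.net", ["203.0.113.10"], ttl=300, now=now)
    table.observe_answer("cdn.tracker.example", ["198.51.100.7"], ttl=60, now=now)
    table.observe_answer("pixel.tracker.example", ["192.0.2.44"], ttl=5, now=now - 10)
    return {ip: table.classify_flow(ip, now)
            for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.44", "192.0.2.99")}
```

The expired entry for 192.0.2.44 shows why the table must honour TTLs: after the answer ages out, the IP may belong to someone else, and the flow falls back to "allow" rather than being blocked on stale data.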

#2 donhwyo (Master Untangler; Join Date: May 2008; Posts: 952)

    This sounds like what pi-hole does. Untangle uses many open source projects so it should be able to use that instead of reinventing the wheel. Depending on the license of course.
    https://github.com/pi-hole/pi-hole/blob/master/LICENSE

    Would be a nice addition and could allow dns over tls or similar. Might even help with ipv6.
    https://untanglengfirewall.featureup...5/dns-over-tls
    https://untanglengfirewall.featureup...ge-integration
    Last edited by donhwyo; 03-27-2019 at 08:06 AM.

#3 mha (Newbie; Join Date: Mar 2019; Posts: 2)

    Quote Originally Posted by donhwyo:
    This sounds like what pi-hole does. Untangle uses many open source projects so it should be able to use that instead of reinventing the wheel. Depending on the license of course.
    https://github.com/pi-hole/pi-hole/blob/master/LICENSE

    Would be a nice addition and could allow dns over tls or similar. Might even help with ipv6.
    https://untanglengfirewall.featureupvote.com/suggestions/14995/dns-over-tls
    https://untanglengfirewall.featureupvote.com/suggestions/32861/add-full-dnscrypt-package-integration

    Both yes and no I suppose.

    Pihole will not have in-line access for blocking a connection, nor passively analyse the responses. This could also be used for the firewall's malware engine, anti-spam etcetera to improve accuracy. But it will of course be able to "blackhole" the connection as a second-hand effect by returning 127.0.0.1 or NXDOMAIN for a bad domain.

    I think that it's more elegant for a firewall not to rely on DNS responses for blocking connections. It's a firewall, it has other means for doing so. And as such requiring it to be the DNS responder for this feature to work would be the easiest yet less elegant solution.

    I agree on DNSCrypt support as an option if you choose to let the firewall run the DNS service, even though it's a bit of a separate use case from my proposal.

#4 Untanglit (Join Date: Nov 2017; Posts: 25)

    Can pi-hole be installed in the Untangle device then? This stops the device from having to make the external call for the DNS.

#5 sky-knight (Untangle Ninja; Location: Phoenix, AZ; Join Date: Apr 2008; Posts: 23,528)

    Webfilter already does this, and while it works it's at best a hack of a solution. There are buckets of reasons why you can't just stop everything going to a specific IP address, regardless of what may resolve to it. Primarily because there are many things that actually resolve to aforementioned address.

    Breaking into the SSL gives far greater control, and before you make that leap, you have SNI which is more granular still.

    DNS based filters just plain suck honestly. If you want one, then deploy one. But I wouldn't install PiHole on Untangle itself to get there.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#6 Newbie (Join Date: May 2018; Posts: 1)

    I was looking for the DNSCrypt function in Untangle. I'm replacing a Shibby Tomato router that had DNSCrypt support which I use with OpenDNS. I don't think it's NameTheISPHere's business to see what the DNS lookups are. I'd like to be able to have the option with Untangle. DNS over TLS to a preferred DNS provider may also be suitable but neither are available in Untangle currently.
