PoweredLocal’s DNS based Firewall

Michael Jankie
What the Fi, by PoweredLocal
6 min read, Feb 18, 2019

PoweredLocal has been quietly building a DNS based firewall solution for its customers.

The eventual design of the solution is to be a configurable option for each client site that wishes to use the service. But today it is a global set of rules.

But let’s dig in a little bit. I’ll go into the technical and the non-technical. But let’s start with the why.

Why?

In essence, you might want to restrict traffic to a website or class of websites that is deemed inappropriate for your guests to use on your connection, for example pornography. This applies if you run a family restaurant, or in fact any place where members of the public use the internet.

There are a few types of firewalls, but mostly it is something that is either hardware on-premises or via the cloud.

1. Hardware works where you want to force all traffic to route through the firewall rules before it goes out to or comes in from the internet. It’s a robust system that generally requires in-depth knowledge and controls from an IT department. We find that they tend to fall under the category of the dark arts of IT magic.

We often run into problems where a site has an IT configured firewall that overly blocks access and ports causing the guest wifi authentication to fail.

2. Cloud based, or DNS based, firewalls sit at the layer where the traffic turns website addresses into IP addresses. A translation service if you will. For example, our website http://www.poweredlocal.com translates to 104.31.64.116. This is a very simplified explanation that only deals with the surface level of how DNS works, but you get the concept.

So the way the internet works is that when you type in (for example) http://www.poweredlocal.com to your browser, a translation service over DNS is used. The translation service, or DNS, used is usually one of three things: provided by your internet service provider, set to one of the many free services, or set to a firewall solution.

Most commonly, the internet service provider gives you DNS settings on your modem, these tend to be the worst on two key measures — speed and privacy. On the speed matter, each DNS lookup, or that conversion from website name to IP address takes time, so the slower the service, the more time it takes for the user to load the website they are after. But we are talking fractions of a second in most cases here, not longer. So it’s not a terrible thing to worry about. Privacy is the other part. DNS providers have the option to log all the requests. For example, an ISP might choose to record some metadata about you, your device and what websites you are loading. Now to be fair they also use these services to run a sort of firewall themselves too — perhaps they will attempt to block malicious websites etc.

Commonly, users tend to leave the default settings of DNS and the more advanced users will set custom defaults to one of the few known free DNS servers for greater privacy (and speed).

The example below is from my laptop. I run two possible network connections, WiFi and wired. The first example is my wired connection, where I have set four possible DNS servers in cascading order: the first two are the PoweredLocal Safe DNS servers, the next, 8.8.8.8, is Google’s free service, and finally 1.1.1.1 is Cloudflare’s free service.

By default, we set all our routers to use Cloudflare’s free DNS server. We do this for speed and privacy. It’s the market leader right now.

But some customers want to have some more advanced controls. So we’ve started building our Safe DNS solution.

Architecture of the PoweredLocal Safe DNS

  1. We use Microsoft Azure servers based in Australia. (this is really handy for speed and compliance)
  2. We do not record or log any DNS transaction requests
  3. We then use a subscription to the Squid Blacklist service for daily up-to-date definitions of sites to block.
  4. We have some custom filters run on each daily update to clean up some overly cautious restrictions. For example, the feed treats any YouTube video marked as 13+ as potential adult content and blocks them all by default, so we use a script to avoid blocking these.
  5. Once we check a DNS lookup against our restricted list, we either pass it through or block it. When we pass through, we use Cloudflare to translate and pass it over to the WiFi user.
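As an added illustration of steps 4 and 5 (example code, not PoweredLocal’s own), the resolver decision below reads the question name out of a raw DNS query, matches it by domain suffix against a constructed sample feed plus an allowlist of cleaned-up exceptions, and either hands the untouched query to the upstream resolver or answers it with a block-page address. The blocklist contents, the 192.0.2.10 sinkhole address and all helper names are assumptions.

```python
import socket
import struct

# Constructed sample feed standing in for the daily Squid Blacklist categories
# named on the page; the domains are illustrative only.
BLOCKLIST = {"weapons": {"guns.com"}, "porn": {"porn.com"}, "cryptojack": {"coinhive.com"}}
# Exceptions layered over the feed (the page's step 4 cleanup of over-cautious entries).
ALLOWLIST = {"youtube.com"}
# Assumed sinkhole address for the block page (TEST-NET-1, not PoweredLocal's real one).
BLOCK_PAGE_IP = "192.0.2.10"

def build_query(name, qid=0x1234):
    """Encode a minimal A/IN query in RFC 1035 wire format (used to build samples)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + struct.pack(">HH", 1, 1)

def parse_question(pkt):
    """Return (qname, offset just past the question section) from a raw query."""
    pos, labels = 12, []                       # question starts after the 12-byte header
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels).lower(), pos + 1 + 4   # +1 root label, +4 QTYPE/QCLASS

def classify(name):
    """Most-specific suffix wins, so an allowlist entry overrides a parent-domain block."""
    parts = name.split(".")
    for i in range(len(parts)):
        suffix = ".".join(parts[i:])
        if suffix in ALLOWLIST:
            return None
        for category, domains in BLOCKLIST.items():
            if suffix in domains:
                return category
    return None

def block_response(query, qend):
    """Answer with the block-page IP: response flags, the original question, one A record."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(BLOCK_PAGE_IP)
    return header + query[12:qend] + rr

def resolve(query, forward):
    """Step 5: block locally or hand the untouched query to the upstream resolver."""
    name, qend = parse_question(query)
    if classify(name) is None:
        return forward(query)                  # in production: send to 1.1.1.1 over UDP
    return block_response(query, qend)
```

The `forward` callable is where a real deployment would relay the query to Cloudflare; here the tests substitute a stub so the logic runs offline.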

Categories we block

+------------+-----------------------------------------------------+
| Category | Description |
+------------+-----------------------------------------------------+
| Blogspot X | Blogspot sites featuring porn and adult content. |
| Chanology | "Anonymous" message boards, porn trolling |
| CP | Alleged & suspected of potentially illegal content. |
| Cryptojack | Coinhive & other unauthorized miners |
| Malicious | Malicious, hijacked, ransomware, dangerous |
| Piracy | Piracy, File Sharing, P2p, Torrents, etc. |
| Porn | Porn domains, any adult, nudity or sexual content. |
| Racism | Racist, segregatory, supremacist & bigoted |
| Terrorism | Terrorist or extremist material. |
| Weapons | Violence, weapons, firearms, guns, knives. |
+------------+-----------------------------------------------------+

What will people see if they try and view a blocked site?

Here is an example of guns [.] com

Want to test it out?

Edit: We’ve had to hide the details of our DNS server as it was being abused by some, so reach out to us if you want to demo it :)

Easy: figure out how to change the DNS servers on your WiFi or LAN connection on your computer and use these DNS addresses, either as custom entries or to replace what you have:

  • xx.xx.xx.xx (Australia Southeast)
  • yy.yy.yy.yy (Australia East)

and try navigating to a site that would fall under the above categories, like guns.com or porn.com.

YouTube also has a cool tool to test whether your DNS is restricting access to some videos. You can test it by going to the tool both before and after updating your DNS to see what it says.

Limitations:

There are a few limitations based on the current fixed global rules system; for instance, we specifically don’t block things like gambling and tobacco.

As this is also a DNS based solution, there are easy ways around it. Just as I told you above that you can test the service by setting your DNS to our firewall DNS, a user can also set their DNS to Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 and bypass the firewall while connected to a guest WiFi router. But what you will find is that by using this solution, you are covering off a lot of bases and putting in a great effort to reduce unacceptable surfing and exposure on your guest WiFi networks.

Running your own firewall?

That’s cool, we get it. But please test onsite, when you set up the firewall, that our APs are still outputting the guest network. There can be some typical services and ports that are blocked by default by your firewall that you will need to open up.

Services to pay attention to that may be outside the norm:

  • CoovaChilli — maybe ports 3990 & 3799
  • Tinyproxy — maybe 3128

Thanks for reading and if you found this article helpful or interesting, hold down that clap button so others may find this.
