DNS Parental Filtering - Jaco du Toit.
A few weeks ago, I received a question from a concerned parent. The parent informed me that they are very concerned about what their kids are doing on the Internet, since it is becoming more of a requirement for children to do schoolwork online. To exacerbate the problem, the parents are either not at home to oversee what the children are doing or they themselves are stuck in front of a computer working from home.
Is there something that can be done that can minimise the risk that children may fall into a trap of navigating to pornographic web sites?
This question made me investigate DNS filtering as an option again.
What is DNS?
DNS stands for Domain Name Services. DNS is responsible for resolving web addresses to IP addresses. This is like what we do when we phone someone using a smartphone. When we need to phone someone, we need their telephone number. We can save a telephone number and assign it to a contact. In the future, all we need to do is find the contact on our phone and call the contact. The phone book service on our phone will then use the telephone number assigned to the contact to make the actual phone call. The same process happens when we browse the Internet.
DNS takes the name that we type into the web browser and then ensures that it gets the IP address assigned to that specific name’s web site. To do this resolving, our computer contacts a DNS server, which effectively resolves the name on our behalf. The process is a bit more complicated and involves things like root lookups and recursive and authoritative calls. This article will not go into all this detail; suffice to say that our computers require the help of a DNS server.
DNS configuration
Our computers identify a DNS server through its IP address. Our computers need the IP address of at least one DNS server before they can communicate successfully on the Internet. The IP address of the DNS server is normally supplied to our computer automatically when we connect to a network.
Another thing that may be useful to understand is that on a typical home WiFi network, the WiFi router acts as the DNS server for that specific network. For the DNS service on the WiFi router to function, the WiFi router also requires at least one IP address of a DNS server. The WiFi router normally gets the IP address automatically from the Internet Service Provider.
We thus have two levels of DNS lookups that can happen on a home network. Our computers will contact the DNS service on the WiFi router and the WiFi router in turn will contact a DNS service on the Internet somewhere.
What is DNS Filtering?
There are certain companies and organisations that keep lists of various Internet sites. Some of these sites may be categorised as pornographic, or may have been proven to contain malware. Other categories may also be created, such as sites for gambling, hate speech and many more.
The organisations that provide DNS filtering services allow computers to do DNS lookups against their DNS servers. Depending on which of their DNS servers you use, certain categories of sites will not resolve to their IP addresses. This means that if we use an organisation's DNS server that helps filter pornographic sites, then when our computer tries to resolve the IP address of a pornographic site, the DNS server will just not respond with an IP address.
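One way to check how a resolver answers for a given name, as an added example that is not part of the original article. It assumes the filter signals a block with NXDOMAIN, an empty answer or a sinkhole address such as 0.0.0.0 (providers differ, and some return the address of a block page instead), and that the test name resolves normally on an unfiltered resolver; `example.test`, `192.0.2.10` and the sample replies are constructed.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode an A-record query in DNS wire format (RFC 1035)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name that ends in a zero byte or a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]                     # step over one length-prefixed label
    return off + (2 if msg[off] else 1)         # pointer is 2 bytes, terminator is 1

def classify(msg, sinkholes=("0.0.0.0",)):
    """Classify a reply as ('resolved', ips) or ('blocked', reason)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F == 3:                     # RCODE 3 = NXDOMAIN
        return ("blocked", "NXDOMAIN")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    if not ips:
        return ("blocked", "no address returned")
    if all(ip in sinkholes for ip in ips):
        return ("blocked", "sinkhole address")
    return ("resolved", ips)

def ask(server, name, timeout=3.0):
    """Send the query to a resolver over UDP port 53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(512)[0])

def sample_reply(query, rcode=0, ip=None):
    """Constructed reply for offline testing; stands in for a real resolver."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) if ip else b""
    return hdr + query[12:] + rr
```

Calling `ask()` with the filtering provider's server address and then with the WiFi router's address shows whether both give the same blocked result for a test name the provider documents.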
Where do we start?
A simple web search will reveal many organisations that provide DNS filtering services. Many of these organisations will have both a free option and a paid option. As can be expected, the free options limit specific functionality, whereas the paid options provide more features that might be more useful depending on your requirements. In many cases the free options are good enough for a typical household.
Once you have found a number of these organisations then you need to decide which one you would like to use. Some of the things to consider are:
- Which categories of sites can be filtered and are these the categories I am interested in? If you are only interested in filtering pornographic sites then most companies will provide this. There are however others that can provide protection against malware as well.
- Consider pornographic content through search engines or streaming services like YouTube. Some sites will also filter search results that may contain pornographic images or ensure that no mature YouTube content will be returned.
- Look at their privacy policy. When you use the DNS services from these organisations your DNS lookups are NOT private. That means that every address of every site your computers connect to is known by that organisation. Even though they cannot see the data transferred between your computer and the Internet, they know all the areas of the Internet you and your family visit. Consider what that organisation does with this information. Do they log and share this information with other parties, or don’t they share? Even better, do they not track at all?
How to implement.
Each DNS filter solution will provide you with at least two DNS server IP addresses that you need to configure. You now have two options to implement this. Both these options are normally done on the WiFi router. It should be noted that most of the solutions that you will find, will have documentation on how to make the necessary changes on the WiFi router, Android, Apple, or Windows devices. This article assumes you are using a WiFi router and as such you will have the following two options.
- Change the IP addresses of the DNS server on your WiFi router. This is the preferred option. In this instance you change the configuration so that the DNS service running on the WiFi router makes use of the DNS server at the DNS filtering organisation. This means that the WiFi router will resolve names on behalf of the devices on your network, but only return results if they are not within a specific filter category.
- Change the IP addresses of the DNS server on each of your home devices. This option is also configured on the WiFi router, but the automatic IP address configuration that each of your devices gets will be modified so that the devices go directly to the DNS filter organisation, instead of asking the WiFi router to resolve on your behalf. This is not the ideal solution because we lose some of the caching functionality that the DNS service on the WiFi router has.
Are we now safe?
There is no silver bullet for cyber security. DNS filtering provides only one level of protection, but does not negate other security measures, such as Anti-Virus software and responsible email behaviour. It is also not that difficult to bypass the DNS filtering option because a tech-savvy teen may manually change their device’s IP configuration to use open DNS servers and not the DNS filtering servers.
You should also remember that DNS filtering services do require that you surrender some of your rights to privacy. These solutions also do not negate any responsibilities parents have towards their children to teach and inform them about cyber safety.