Pooky and the Geek

Tag Archives: Domain Name System

Basic Theory for Home Content Filtering

15 Tuesday Apr 2014

Posted by The Geek in Posts by the Geek

Tags

christian, Christianity, content filtering, Domain Name System, Geek, God, Google, Internet Protocol, IP Address, Local Area Network, networking, opendns, Wide Area Network

So I promised a good friend I’d get back on the blogging horse and finally cover this topic.  I must confess, Pooky and I were on a roll in blogging.  Then the holidays kicked in, and with it little flu germies ran rampant through the home like cloaked nerds at a Star Wars convention.  Let’s recap some of the key technologies that got us to this point:

IP Addresses

Simply stated, any computer that wants to talk to another computer needs to use an IP Address.  An IP Address is the binary name for that computer.  Never forget the secret to the Internet: when you go to a website, you are actually looking at files on another computer somewhere in the world, which you reached by its IP Address.

DNS

This was one of my favorite blog posts; the romantic fireside scene fills me with teh lulz.  That’s a fancy nerd way of saying it makes me lol.  Oh man, sorry, how about this – if milk were in my mouth, it would squirt out my nose.  DNS is a service provided by computers on the Internet that translate friendly names to IP Addresses.  If you type http://www.google.com into your web browser, your computer uses DNS to determine that Google has an IP Address of 74.125.228.103.  Your computer then loads the website from that IP Address.  All that takes place within a few milliseconds – pretty impressive.

Four Main Methods of Content Filtering

  1. At the client: content filtering software like K9 or Net Nanny is installed on the computer and allows everything that you have not specifically blocked.  This can cause lots of false positives when it blocks legitimate traffic.  For example, K9 loves to attack Minecraft traffic, causing no end of grief for my kids.  I’m not a fan of this method; I’ll explain why in more detail later on.
  2. At the proxy: a proxy server is a computer that stands for or represents another computer on the Internet.  On a computer network, you would connect to the proxy server and the proxy would connect to the Internet for you.  The proxy would pass on “good” traffic and drop “bad” traffic.  Most companies use this approach with a dedicated content filter appliance such as Websense.  We can get similar functionality out of our home router, for free, using keyword blocking.
  3. At the gateway: using access lists (a list that determines whether or not you can access something), you can filter requests before they leave or return to your network.  This could be done on your router, assuming that functionality is built into your router.  I have a Verizon Fios router, which has this built in.  I also have a Netgear router, which also has this feature built in.  I’d wager that most home routers have this functionality – but when in doubt, google it.
  4. In the cloud: your computer attempts to connect to something out on the Internet (the cloud), and is routed through a proxy or guardian that determines whether or not the traffic comes back to you.  This would include using OpenDNS – you send your DNS requests (hey OpenDNS – what is the IP for google.com?) and if the website you want an IP for fits a category that you have designated to block, OpenDNS redirects you to a “this site has been blocked” page.

You could put all your eggs in one basket, then crash and burn if that one method fails.  I personally recommend combining at least two, if not three methods.  Each method has its own pros and cons, and ways to circumvent it.  From my own experience, most companies utilize a proxy, and most home users utilize locally installed software.  I will say that I’m not a fan of the locally installed software.  You have to install filtering software on every single device, but software isn’t always available FOR every single device.  Do you have a web enabled television or video game console?  Good luck with blocking that.  Little Billy’s best friend Barry comes over to visit and connects his iPod to your wireless?  He has free rein.  Little Suzie boots from a parasite drive, and can get anywhere on the Internet.

Sorry, I should define that one – a parasite drive is a bootable thumb drive or CD/DVD that runs an Operating System on top of your existing hardware, like a deer tick latched onto a young buck.  It uses all your hardware while bypassing your locally installed Operating System – and without running any software you may have installed to filter content.  This sneaky tactic was used to great effect by Edward Snowden to avoid online detection by the government, which desperately wants to hang him out to dry for leaking all their nasty monitoring secrets.

So anyhow, this is a short post about the theory behind home content filtering.  Next up – step by step directions on how to make it happen, starting with how to set up and tweak OpenDNS like a boss.

A Tale of Two Brothers

29 Tuesday Oct 2013

Posted by The Geek in Posts by the Geek

Tags

Albus Dumbledore, Domain Name System, Internet Protocol, IP Address, Ports, Transmission Control Protocol, User Datagram Protocol, Web Traffic

Today we’ll learn about two brothers: TCP and UDP.  Chances are, you have never heard of these guys.  Remember in a previous blog, we talked about how computers communicate with each other on a network: by IP Address (leaving off the other network protocols like AppleTalk, IPX, and similar irrelevant inhabitants on the Isle of Misfit Protocols).  On your Windows computer, deep in the bowels of your network settings, it lists how your computer will talk to other computers.

To see this yourself, click Start, search for NCPA.CPL, then press Enter on your keyboard.  This will send you to the Network Control Panel Applet where all your cool Network stuff is set up.  Right click one of your Network adapters, and select Properties.  Now you can see all the protocols and whatnot that you actually are using to communicate with other computers.  Pretty hefty stuff, right?  And there, in all its glory, is our golden Wonka ticket: Internet Protocol Version 4 (TCP/IPv4).  Select that bugger, and click Properties.

Pretty unimpressive, eh?  Chances are, it’s set to get everything from DHCP.  That means that your computer yells at the top of its lungs like a fussy toddler at naptime “I WANT TO LOOK AT LOLCATS!!!!1111” and some other device on your network (most likely your virtual Hagrid router) will give your computer an IP Address, Subnet Mask, Default Gateway, DNS servers, and other fun stuff we don’t really need to get into right now.  Your router is acting as a DHCP server – it hands out network information so computers can talk to each other.  It’s a rather kind thing to do.

So anyhow, we know all about IP Addresses, which use the IP protocol.  But what on earth is that other part?  TCP?  Eh?  What’s that?

Juggling for Fun and Profit

How many of you can juggle several things at once?  Do you trip while trying to walk and chew gum?  Can you multitask?  I sometimes can, but often I…. SQUIRREL!

So your computer can obviously multitask, doing several things at once.  One way your computer accomplishes this is by using ports.

Let’s go back in time to an earlier blog post analogy about your home network being a castle, and the Virtual Hagrid router being the big strong gateway to the outside world.  Now let’s take that analogy a tad deeper: that big strong gateway has 65,535 little keyholes on it, each numbered from 1 to 65,535.  And let’s say that only specific keys fit in each keyhole.  You want to surf the web?  That picture of LOLCATS can only come back inside your castle in keyhole number 80.  In fact, all web surfing can ever only come in that keyhole.  You want to do a DNS lookup to determine that google.com is actually 74.125.228.70?  That name query can only come back into your castle through keyhole number 53.  And so on, and so forth.

Now I’ll geek out on you.  Those keyholes in your castle door are called ports.  And specific kinds of traffic (called packets) come in on certain ports.  They always come in on those specific ports; it’s a universal standard.  There is a group of geeks who determined in RFC 6335 that port 80 would henceforth and forevermore be dedicated to HTTP Web traffic.  Oh, you’re fancy shmancy and use your computer for encrypted web surfing when you go to your bank’s website?  Well, encrypted web traffic (HTTPS) rides port 443.  DNS name lookups?  That is port 53.  And the list goes on and on and on.

Now here is where it gets a smidge complicated: for each keyhole port, there are two possible keys, belonging to two brothers.  We’ll start with the first brother.

The Respectable Responsible Brother

Our first brother is the Albus Dumbledore of the packet family.  We’ll call him TCP.  TCP seems to care an awful lot about his packets getting where they are supposed to go, in the correct order, and in a timely fashion.  If something doesn’t seem to be just right, TCP follows up to make sure it’s done.  His packets are delivered on the proper port number and he follows up to make sure they got there.  If they weren’t delivered on time, he sends them again and again until he receives word that they got there.  Sure the packets take a little longer as you have to reply to every single one that they were received, and have to wait for undelivered packets to be sent again.  But you are in good hands with the Albus Dumbledore of the packet world.

The Deadbeat Dunderheaded Brother

Our second brother is the Aberforth Dumbledore of the packet family.  We’ll call him UDP.  UDP doesn’t give a flying left-handed goat poo about whether or not you got his packets; he just sends them off and goes about his business once they are gone.  If you don’t get them, oh well.  You probably didn’t need them anyway, and if you did need them, well, tough.  If you did get UDP’s packets, they came in quickly.  You didn’t even have to respond that they were delivered.  They just show up, or if they don’t, oh well.  That makes for a faster delivery, though there is no guarantee you actually get them.

So now let’s bring it together – we have a bunch of ports on the castle door, and certain kinds of packets can only come into certain numbered ports.  TCP packets come into specific port numbers, and the sender follows up to make sure you got them before sending you more.  UDP packets come into specific port numbers, and they either show up or they don’t.

To use a big fancy twelve-dollar nerd word, TCP packets are considered connection-oriented, meaning there is a guaranteed receipt and the sender retransmits them if you don’t acknowledge their receipt.  Behind the scenes, there are funny words like “SYN” and “ACK” that instantly conjure up images of Bill the Cat.  It’s pretty comical until you realize you’re talking about packet data, then you come back to earth and feel sad inside that you are such a nerd.

The twelve-dollar nerd word for UDP packets is connection-less, meaning there is no verification of receipt.  They either show up or they don’t.  As such, they are faster packets without all the verifications.

Why On Earth Do We Even Care?

Let’s keep in mind that our ultimate goal is security and content filtering, so let’s boil this one down a bit.  It’s simplistic to say that to gain access to our castle, one must make it across the moat and through the front gate.  The reality is, that front gate has its own security, and only certain kinds of traffic can come in certain little holes in the gate.  If you come up the front door and say you are Web Traffic on TCP Port 80, you MUST come in that specific port.  This is to our advantage – we can then watch that port very closely, and monitor it more severely than we would other ports.  We could even just block up that port so nothing gets through.  And wait for it:

Key Concept

We can instruct our Virtual Hagrid Router to only allow certain traffic in on that port, while blocking other traffic that we don’t want.

I cannot overstate the importance of this concept.  We’ll go much deeper into this soon, I promise.  But let’s get practical on this – we could only allow Web Traffic (TCP Port 80) from certain websites that we determine as “good”.  And we can then say that all other traffic gets tossed into the moat where nasty green crocodiles gnash their pointy teeth.

Or let’s use another fancy term we covered in a previous blog: we could only allow UDP port 53 DNS traffic back into our castle if it comes from a specific DNS server like OpenDNS, and all other DNS traffic winds up in the moat.

OK, Professor Plum, what is OpenDNS?

Ah glad you asked.  OpenDNS is a free service that allows the filtering of DNS traffic based on content.  You could use OpenDNS to only allow DNS lookups that are considered “safe” while dropping any traffic determined “adult” or “gambling” or “hacking” (though why would we want to!?).  OpenDNS is one of our main ninja weapons to keep our homes safe.  And on that cliffhanger of a concept, I’ll close.  Coming soon: more on OpenDNS, as well as how to play around in your Router without blowing crap up.

DNS Wizardry for Muggles

16 Wednesday Oct 2013

Posted by The Geek in Posts by the Geek

Tags

content filtering, DNS, Domain Name System, Google, Hallmark Movie Channel, internet security, IP Address, Ipconfig, Name server, PING, Time to live

The fireplace crackled and popped, embers fading to hues of dark orange.  They sat together on the couch, his arms around her protectively, her head lying across his chest.  He savored the smell of her fruity hair, the gentleness of her warm affection soaking into his very pores.  The children had fallen asleep hours earlier, a miracle beyond hope.  Some sappy Hallmark Movie Channel flick was winding down on the television.  They would pay for this indulgence in the morning, when the alarm clock beat down upon their ears, signifying another lurch to the grind of life.  But as for now, the still silence of pure bliss washed over them both like the gentle rains of May.

As the credits crawled across the screen, she turned her head towards him.  In the combined glow of the fire and the television, her eyes sparkled over a contented smile.  She breathed a deep sigh and snuggled in closer yet.  In that magic moment, she whispered “I love you, 17.172.224.47.”  As he leaned in closer for the kiss, he murmured “And I love you, 206.190.36.45.”  Their lips touched; the world around them faded away like the morning fog.  Life was complete.


My thirteen-year old editor has already rolled her eyes, a good sign that this blog post is off to a great start.

As an American citizen, each one of us has what is known as a Social Security Number.  When was the last time you went up to your coworker and said “excuse me, 412-87-1564, could you please pass the red stapler?”  I’m wagering seven dollars this hasn’t happened in recent history to any of us.  We could of course do this if we memorized everyone’s SSN – but it’s much easier to communicate with each other using a name.

Likewise, each networked computer has an IP Address.  We know computers are certainly content communicating with each other using these IP Addresses in binary – but we average humanoids need something a little more user friendly.  We need names like Google, Microsoft, Apple.  We need a technical mediator between IP Addresses and names.


Enter DNS

OK so that sounded infinitely cooler than I intended.  If you’re conjuring up some Chuck Norris-esque device that roundhouse kicks IP Addresses into submission, you’re in for a disappointment.

DNS stands for Domain Name System, and a DNS server has the single job of translating names to IP Addresses.  Let’s take our romantic love story of fireplace chick flicks above.  Cliff Notes: the moral of that story was to outline the need for meaningful names, rather than sterile numerical identification.  Our romantic interests in the story above can be determined using a simple tool that we already know about – the PING tool.

The +3 Network Tool of Supreme Resolution

Did you know PING can do much more than just yell HEY ARE YOU HERE?  There are command line switches that you can place after the command PING to make it do lots of other cool stuff.  By default PING sends four ECHO packets, waiting for the coveted ECHO REPLY to come back.  But if you enter PING -t followed by the target, it will keep pinging the target forever (or until you hold down the CONTROL key on your keyboard, then press the letter C).  That -t is a command line switch.

To see all of the PING options, type PING -? to view them all.  Yeah, that’s right – all three of you who actually just did that, you earned some l33t points.  For the rest of you, I’ll cut to the chase.  Let’s take one of the IP Addresses above and crank it through our PING tool from a command line (you do remember how to get a command line, don’t you?), using the switch -a:

C:\Users\thegeek>ping -a 17.172.224.47
Pinging st11p01ww-apple.apple.com [17.172.224.47] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 17.172.224.47:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Our first of the starstruck lovers is a public IP Address for Apple.  As a side note, don’t panic that we got a Request timed out message.  The resolution still took place, their computer just doesn’t want to talk to us.  And the second address?

C:\Users\thegeek>ping -a 206.190.36.45
Pinging ir1.fp.vip.gq1.yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=178ms TTL=51
Reply from 206.190.36.45: bytes=32 time=105ms TTL=51
Reply from 206.190.36.45: bytes=32 time=99ms TTL=51
Reply from 206.190.36.45: bytes=32 time=96ms TTL=51
 
Ping statistics for 206.190.36.45:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 178ms, Average = 119ms

It’s owned by Yahoo. And it doesn’t mind taking the time to respond to our PING requests.  How polite.

We can get a name from an IP Address using PING… So what about going from name to IP Address?  Well it just so happens, that way is even easier.  To get an IP Address from a name, just ping it by name:

C:\Users\thegeek>ping google.com
Pinging google.com [74.125.228.33] with 32 bytes of data:
Reply from 74.125.228.33: bytes=32 time=17ms TTL=56
Reply from 74.125.228.33: bytes=32 time=17ms TTL=56
Reply from 74.125.228.33: bytes=32 time=16ms TTL=56
Reply from 74.125.228.33: bytes=32 time=17ms TTL=56
 
Ping statistics for 74.125.228.33:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 17ms, Average = 16ms
 

Notice that this particular Google server has an IP Address that is NOT listed on the RFC 1918 list of private IP Addresses.  This is a public IP Address, meaning it is not within your own little private network at home.  Or to use an earlier blog analogy, this IP Address is not on your little island.  To get there, traffic must go out your default gateway and into the cloud.

So now on to the deeper stuff

DNS servers reside out in the cloud – the vaporous mire of the Internet.  Every time you open a web browser and type in google.com, your computer does a DNS lookup to figure out exactly who google.com is, by IP Address.  For giggles, you could open up a web browser and enter the IP Address and it would load in your browser.  Remember, computers care about IP Addresses, not names.  For your own local network, chances are your DNS server is your default gateway / router.  And your router in turn gets its DNS server from your ISP.  Ultimately, a DNS lookup has to find a public server out on the Internet for up to date name resolution.

To view your DNS server(s), remember the IPCONFIG tool from before?  Using the -all command line switch with IPCONFIG, we can see our DNS server(s):

C:\Users\thegeek>ipconfig -all
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 15, 2013 7:36:35 PM
   Lease Expires . . . . . . . . . . : Wednesday, October 16, 2013 7:36:35 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

And there it is – DNS Server = 192.168.1.1.  That is also the same IP Address as my default gateway, the router.  My computer asks my router what Google is, and my router simply asks its own DNS server, which happens to be out on the Internet.  Ultimately someone figures out what IP Address is Google and I go there.  It’s like magic.
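To make that lookup concrete, here is an added example (my own code, not from this post) that builds the exact question your computer sends to its DNS server on UDP port 53 and parses the answer that comes back. It never touches the network: the reply is constructed in the code, carrying the 74.125.228.103 answer quoted above. It also checks the reply’s transaction id, which is how a client tells its own answer apart from a stray one.

```python
import struct

DNS_PORT = 53  # name lookups ride UDP port 53 ("keyhole number 53")

def encode_name(name):
    """Dotted name -> DNS labels, e.g. google.com -> b'\\x06google\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=0x1234):
    """A-record query: 12-byte header, the question name, QTYPE=A(1), QCLASS=IN(1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100: standard query, recursion desired
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(msg, off):
    """Read labels at off, following 0xC0xx compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # pointer to an earlier copy of the name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg, expect_txid):
    """Return the A records in a reply, refusing a reply that is not for our query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch: not the reply we asked for")
    if not (flags & 0x8000):
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN, IPv4
            answers.append({"name": name, "ttl": ttl, "ip": ".".join(str(b) for b in rdata)})
    return {"rcode": flags & 0xF, "answers": answers}

def build_response(query, ip, ttl=300):
    """Constructed resolver reply: echo the question, add one A record (name = pointer to offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RD, RA, no error
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rr

def lookup_offline(name="google.com", ip="74.125.228.103", txid=0x1234):
    """The whole exchange without a network: build the query, fake the reply, parse it."""
    query = build_query(name, txid)
    # Real code would sock.sendto(query, (resolver_ip, DNS_PORT)) over UDP and recvfrom() the reply.
    reply = build_response(query, ip)
    return parse_response(reply, txid)
```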

Here is why you care

As we wade deeper in the pool of security and content filtering (which is, after all, my eventual goal) you must understand how this works.  One key method to protecting your home network from filth flarn filth (to quote Bill Cosby) is to filter your Internet traffic by DNS.  You would be overly optimistic to have only one strategy; I personally utilize a three-fold approach in the Casa Del Geek.  I’ll go incredibly high level at this point, with the intention to go deeper into it in a later post.


Here is a key concept: if you control where your computers do name resolution (DNS), you can control where your computers can and cannot go on the Internet.

Now there are obvious flaws to this plan, which again I’ll go deeper into in a later post.  If I block your traffic using a service like OpenDNS that filters out garbage, you could simply change your DNS server to get around it.  That is why we also need to utilize Firewall rules on our router to only allow DNS traffic to the DNS servers we specify, and if you try utilizing a DNS server not on the allowed list, the traffic is drop kicked like a schoolyard kickball.  But I digress.  We haven’t covered the myriad cool things we can do with our router yet.  That’s also another post.  I promise, all these different pieces of the puzzle will come together.
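As an added example of that router rule (and of the "only DNS from OpenDNS" key concept from the ports post), here is my own code, not the post’s, that evaluates sample packets against an access list permitting DNS on TCP and UDP port 53 only to the resolvers you chose. It assumes the 192.168.1.0/24 LAN from the ipconfig output above, uses placeholder resolver addresses from the 198.51.100.0/24 documentation range in place of a real filtering service, and reports which LAN host tried to use some other resolver.

```python
import ipaddress

# Assumptions, not from the post: LAN matches the ipconfig output; the two
# "allowed DNS servers" are placeholders (documentation range 198.51.100.0/24).
LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_RESOLVERS = {ipaddress.ip_address("198.51.100.53"),
                     ipaddress.ip_address("198.51.100.54")}
DNS_PORT = 53

def evaluate(pkt):
    """Router rule for one packet dict (proto, src, sport, dst, dport). Returns (verdict, reason)."""
    if pkt["proto"] not in ("tcp", "udp"):
        return "ALLOW", "not TCP/UDP, no port to match"
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    # Outbound lookups: only to the resolvers we chose. DNS uses TCP as well as UDP,
    # so the rule keys on the port, not the protocol.
    if src in LAN and dst not in LAN and pkt["dport"] == DNS_PORT:
        if dst in ALLOWED_RESOLVERS:
            return "ALLOW", "dns to allowed resolver"
        return "DROP", "dns to unapproved resolver %s from %s" % (dst, src)
    # Inbound: only accept DNS replies from those same resolvers.
    if dst in LAN and src not in LAN and pkt["sport"] == DNS_PORT and src not in ALLOWED_RESOLVERS:
        return "DROP", "dns reply from unapproved resolver %s to %s" % (src, dst)
    return "ALLOW", "no dns rule matched"

def audit(packets):
    """Run the rule over a packet list; return drop reasons per LAN host so you see who tried to bypass."""
    drops = {}
    for pkt in packets:
        verdict, reason = evaluate(pkt)
        if verdict == "DROP":
            host = pkt["src"] if ipaddress.ip_address(pkt["src"]) in LAN else pkt["dst"]
            drops.setdefault(host, []).append(reason)
    return drops

# Constructed sample traffic (not a real capture).
SAMPLE = [
    {"proto": "udp", "src": "192.168.1.2", "sport": 51000, "dst": "198.51.100.53", "dport": 53},  # laptop, allowed
    {"proto": "tcp", "src": "192.168.1.2", "sport": 51001, "dst": "74.125.228.33", "dport": 80},  # web, not DNS
    {"proto": "udp", "src": "192.168.1.7", "sport": 40000, "dst": "203.0.113.9", "dport": 53},    # iPod, own resolver
    {"proto": "tcp", "src": "192.168.1.7", "sport": 40001, "dst": "203.0.113.9", "dport": 53},    # same, over TCP
    {"proto": "udp", "src": "203.0.113.9", "sport": 53, "dst": "192.168.1.7", "dport": 40000},    # its reply
    {"proto": "udp", "src": "192.168.1.2", "sport": 51002, "dst": "192.168.1.1", "dport": 53},    # asking the router
]
```

Asking the router itself (the last packet) stays inside the LAN and is allowed; the router then forwards to an allowed resolver on the client’s behalf.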

A Reminder

C.S. Lewis, in his masterpiece work Mere Christianity, started at the very beginning with basic concepts.  Key foundational topics like Good and Evil and the Nature of Man were covered first, in order to build the groundwork to later introduce deeper topics like Sin, Faith, and Propitiation.  To quote Lewis (who actually quoted MacLaren), “the longer way around is the shorter way home.”  It will take us longer to get to our goal – but when we finally arrive, you’ll know what I’m talking about.  It’s easy enough to just click a checkbox and adjust a knob when I tell you to – but it’s better for both of us that you understand what you’re doing and why.
