Website content filtering at different levels

Posted on 2016-08-11
Last Modified: 2016-09-02
I need to block a few websites, and I assume I can do this in different ways:

1. Firewall
I have a SonicWall, but no subscription for the content filtering. Other people seem to be successful without a subscription, but I am missing something. I cannot add this to a Zone.

2. DNS
Is this possible when you only have a Windows internal DNS, and all the requests for website access are transferred to an ISP DNS?

3. Proxy Server
No experience here. Do I designate a machine for this? I have a Windows 7 machine that only works as a QuickBooks server.
Maybe set up Squid on Linux? Can I take an old PC to do this, or do I need a good machine?

Question by: Member_2_7970390
Assisted Solution

by: Laroy Shtotland (earned 250 total points)
ID: 41752430

Accepted Solution

by: pfrancois (earned 250 total points)
ID: 41756591
All three approaches will work.

1. Firewall:

a) If you know the IP addresses of the few websites you want to block, you can just block the traffic with rules like these on the SonicWall, if you have access to these features:
source IP: any
source port: any
destination IP: IP address you want to block
destination port: 80 (for http) or 443 (for https)

b) If you don't have access to these settings of the firewall, but still have access to the modem, try to block the traffic on the modem.

There is a problem with this method: if the IP address of the website changes, you have to update the blocked IP address manually. Keeping track of this is a hassle. I do not encourage you to follow this method.

2. You can rely upon an external DNS server for banning some websites. The feature you need is a customized blacklist, i.e. a list of all the websites you want to exclude.

Your Windows internal DNS server will have to be configured to use the DNS servers of ( and or those of ( and as external DNS servers, not the DNS settings provided by your ISP. With a web interface, you can customize your blacklist on one of these DNS providers. They give a free account. I hope they will not oblige you, after some time, to get a paid account. OpenDNS ( also offers free services to implement blacklists.

3. The proxy server was the classical solution some years ago. Setting up a Linux machine with Squid was a very strong solution and worked very well on old computers. To speed up the installation process, you can even choose a Linux distribution that has Squid installed by default, like IPCop. The problem with an older computer is that the network interface cards (you need at least two NICs for IPCop) are sometimes too slow (10 Mbps, 100 Mbps) for current modems, which go much faster (1 Gbps and more). This solution risks slowing down your Internet speed. However, not always: if your NICs are fast enough, you can configure IPCop to work as an Internet accelerator thanks to its proxy caching features.

My advice: choose solution #2. OpenDNS has my preference, but you can try with or
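As an added illustration of the DNS-level blacklist described in section 2 (example code, not from the thread or from any DNS provider): a minimal forwarder showing the mechanism behind a "customized blacklist". It parses the queried name from the wire-format query, matches it against a blocklist (a listed domain also blocks its subdomains, but not look-alike names), answers blocked names with a synthetic NXDOMAIN, and relays everything else to an upstream resolver. The blocklist entries and the upstream address are constructed placeholders.

```python
import socket
import struct

# Constructed sample blocklist and a placeholder upstream resolver (TEST-NET-3 address).
BLOCKLIST = {"example.com", "ads.example.net"}
UPSTREAM = ("203.0.113.53", 53)

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a standard A query in wire format (used here to construct sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_question(query: bytes):
    """Return (name, end_offset) for the question section of a DNS query."""
    labels, pos = [], 12  # the question starts right after the 12-byte header
    while query[pos] != 0:
        length = query[pos]
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower(), pos + 1 + 4  # skip terminator, QTYPE, QCLASS

def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """A listed domain blocks itself and every subdomain, but not look-alike names."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))

def nxdomain_reply(query: bytes, qend: int) -> bytes:
    """Synthesize an NXDOMAIN response that echoes the client's ID and question."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8183  # QR=1 RD=1 RA=1 RCODE=3 (name does not exist)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:qend]

def forward_upstream(query: bytes) -> bytes:
    """Relay an unblocked query to the upstream resolver unchanged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(2)
        sock.sendto(query, UPSTREAM)
        return sock.recv(4096)

def handle(query: bytes, forward=forward_upstream) -> bytes:
    """Answer blocked names locally; everything else goes upstream."""
    name, qend = parse_question(query)
    if is_blocked(name):
        return nxdomain_reply(query, qend)
    return forward(query)
```

A client configured to use some other resolver never passes through handle() at all, which is exactly the bypass the later comments warn about; the usual mitigation is a firewall rule that only allows outbound DNS from the internal server.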
Expert Comment

by: Diverse IT
ID: 41759143
Hi Member_2_7970390,

I'd recommend doing this on the Firewall but here are my comments on your questions.

At the Firewall: I definitely wouldn't block via Access Rules but rather via CFS policy - it's more intuitive, comprehensive and can be applied in a more granular fashion such as by user, group, IP/IP range, etc.

At DNS: IMO OpenDNS is the best option, but this can be circumvented by DNS spoofing & poisoning tactics.

At the Proxy: Proxies are still valid in certain scenarios, but again, as a security standard and trend, filtering this at the firewall is where the industry is at.

Let me know if you have any other questions!

Author Comment

ID: 41759615
Hi, all,
Thank you very much for all your comments!!

1. I was able to do it in SonicWall with Access Rules. I don't have a subscription so I cannot use CFS policy - too bad.

2. I think what I need to do is to select these dyn/docomo dns as the "forwarded" in my internal DNS server. Not sure how they work internally to personalize the blacklist, but I am totally ignorant on this.

3. Interesting that people are not doing this any more. Probably the internet connection is fast enough, and there is not much benefit from "caching." A Linux distribution with built-in Squid sounds good.

Expert Comment

by: Diverse IT
ID: 41761791
I would highly recommend purchasing CGSS (Comprehensive Gateway Security Suite) for anyone who remotely cares about security and protecting their network. In fact we don't buy a SonicWALL without it...it's a default IMO. CGSS includes 24/7 support, gateway: Antivirus, Antispyware, CFS (Premium Content Filtering Service), Geo-IP Filtering, Botnet Filtering, Application Control, SSL Control, and SSL-DPI services (I may be forgetting a few - it's well worth it though). The threat landscape of today is ever-changing and ever-evolving. Just running DPI (Deep Packet Inspection) is not enough.

Additionally, implementing this in Access Rules is not content filtering - there is nothing intuitive or intelligent about it...but rather just a whitelist/blacklist that can easily be circumvented by spoofing, DNS poisoning and so on.

Depending on the DNS service you select, they will guide you on how to set up their product. My only reservation about filtering from the DNS side is that it is easily circumvented by changing, or writing a hack to change, the machine's DNS either directly or by proxy.

Let me know if you have any other questions!

Question has a verified solution.