

Website content filtering at different level

Posted on 2016-08-11
Medium Priority
Last Modified: 2016-09-02
I need to block a few websites, and I assume I can do this in different ways:
1. Firewall
I have a sonicwall, but no subscription for the content filtering. Other people seem to be successful without subscription, but I am missing something. I cannot add this to a Zone.

2. DNS
Is this possible when you only have a Windows internal DNS, and all the requests for website access are transferred to an ISP DNS?

3. Proxy Server
No experience here. Do I designate a machine for this? I have a Windows 7 machine that only works as a QuickBooks server.
Maybe set up Squid on Linux? Can I take an old PC to do this, or do I need a good machine?
Question by:Member_2_7970390

Assisted Solution

by:Laroy Shtotland
Laroy Shtotland earned 1000 total points
ID: 41752430
LVL 10

Accepted Solution

pfrancois earned 1000 total points
ID: 41756591
The three approaches will work.

1. Firewall:

a) If you know the IP addresses of the few websites you want to block, you can just block the traffic according to these rules on the SonicWall, if you have access to these features:
source IP: any
source port: any
destination IP: IP address you want to block
destination port: 80 (for http) or 443 (for https)

b) if you don't have access to these settings of the firewall, but still have access to the modem, try to block the traffic on the modem.

There is a problem with this method: if the IP address of the website changes, you have to modify the IP address to block manually. Controlling this is a hassle. I do not encourage you to follow this method.

2. You can rely upon an external DNS server for banning some websites. The feature you need is customized blacklist, i.e. a list of all the websites you want to exclude.

Your Windows internal DNS server will have to be configured to use the DNS servers of securedns.dnsbycomodo.com ( and or those of dyn.com ( and as external DNS server, not the DNS settings provided by your ISP. With a web interface, you can customize your blacklist on one of these DNS providers. They give a free account. I hope they will not oblige you within some time to get a paid account. OpenDNS (http://www.opendns.com) also offers free services to implement blacklists.

3. The proxy server was the classical solution some years ago. Setting up a Linux machine with Squid was a very strong solution and was working very well on old computers. To speed up the installation process, you can even choose a Linux distribution having Squid installed by default, like IPCop. The problem of an older computer is that the network interface cards (you need at least two NICs for IPCop) are sometimes too slow (10 Mbps, 100 Mbps) for the current modems going much faster (1 Gbps and more). This solution risks slowing down the speed of the Internet. However, not always, because if your NICs are fast enough, you can configure IPCop to work as an Internet accelerator thanks to its proxy caching features.

My advice: choose solution #2. OpenDNS has my preference, but you can try with dyn.com or dnsbycomodo.com.
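The firewall variant in point 1 a) is a per-address deny rule (any source, any port, one destination IP, port 80 or 443), and its stated weakness is that the site's addresses drift. The script below is an added example, not code from the thread or from any of the products named in it: it turns a hostname list into that rule tuple set and diffs two snapshots so the drift is noticed instead of discovered by hand. The hostnames and the address table are constructed for the example; `resolve_with_system_dns` is the live-lookup path you would use in production.

```python
"""Generate deny rules (any/any -> destination IP, ports 80 and 443) from a list
of blocked hostnames, and report when a hostname's addresses have changed.

Added example for this thread, not the answer author's code. The hostnames
and the two address snapshots below are constructed so the script runs offline.
"""
import socket
from typing import Callable, Dict, List, Set, Tuple

# (source IP, source port, destination IP, destination port), as listed in the answer.
Rule = Tuple[str, str, str, int]
BLOCKED_PORTS = (80, 443)  # http and https, the only ports the answer names


def resolve_with_system_dns(hostname: str) -> Set[str]:
    """Resolve a hostname to its current IPv4 addresses via the OS resolver."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return {info[4][0] for info in infos}


def build_rules(hostnames: List[str],
                resolver: Callable[[str], Set[str]] = resolve_with_system_dns) -> Dict[str, List[Rule]]:
    """Return, per hostname, the deny rules covering every address it currently resolves to."""
    rules: Dict[str, List[Rule]] = {}
    for host in hostnames:
        rules[host] = sorted(
            ("any", "any", ip, port)
            for ip in resolver(host)
            for port in BLOCKED_PORTS
        )
    return rules


def rule_drift(old: Dict[str, List[Rule]],
               new: Dict[str, List[Rule]]) -> Dict[str, Dict[str, List[Rule]]]:
    """Compare two rule snapshots. A non-empty result means the firewall rules
    are stale because a site's addresses changed (the hassle the answer warns about)."""
    drift: Dict[str, Dict[str, List[Rule]]] = {}
    for host in set(old) | set(new):
        added = sorted(set(new.get(host, [])) - set(old.get(host, [])))
        removed = sorted(set(old.get(host, [])) - set(new.get(host, [])))
        if added or removed:
            drift[host] = {"added": added, "removed": removed}
    return drift


# Constructed address snapshots standing in for two days of live DNS lookups.
SNAPSHOT_DAY1 = {"blocked.example": {"192.0.2.10"}, "other.example": {"198.51.100.5"}}
SNAPSHOT_DAY2 = {"blocked.example": {"192.0.2.10", "192.0.2.11"}, "other.example": {"198.51.100.5"}}


def demo() -> Dict[str, Dict[str, List[Rule]]]:
    """Build rules from both snapshots and return what changed between them."""
    hosts = ["blocked.example", "other.example"]
    day1 = build_rules(hosts, lambda h: SNAPSHOT_DAY1[h])
    day2 = build_rules(hosts, lambda h: SNAPSHOT_DAY2[h])
    return rule_drift(day1, day2)


if __name__ == "__main__":
    for host, change in demo().items():
        print(host, "added:", change["added"], "removed:", change["removed"])
```

Run it on a schedule with the default resolver and alert on a non-empty drift result; that is the minimum needed to keep an address-based block list honest, and it makes the answer's recommendation of the DNS approach easy to appreciate.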
LVL 26

Expert Comment

by:Blue Street Tech
ID: 41759143
Hi Member_2_7970390,

I'd recommend doing this on the Firewall but here are my comments on your questions.

At the Firewall: I definitely wouldn't block via Access Rules but rather via CFS policy - it's more intuitive, comprehensive and can be applied in a more granular fashion such as by user, group, IP/IP range, etc.

At DNS: IMO OpenDNS is the best option but this can be circumvented by DNS spoofing & poisoning tactics.

At the Proxy: Proxies are still valid in certain scenarios but again, as a security standard and trend, filtering this at the Firewall is where the industry is at.

Let me know if you have any other questions!

Author Comment

ID: 41759615
Hi, all,
Thank you very much for all your comments!!

1. I was able to do it in SonicWall with Access Rules. I don't have a subscription so I cannot use CFS policy - too bad.

2. I think what I need to do is to select these dyn/docomo dns as the "forwarded" in my internal DNS server. Not sure how they work internally to personalize the blacklist, but I am totally ignorant on this.

3. Interesting that people are not doing this any more. Probably the internet connection is fast enough, and there is not much benefit from "caching." A Linux distribution with built-in Squid sounds good.
LVL 26

Expert Comment

by:Blue Street Tech
ID: 41761791
I would highly recommend purchasing CGSS (Comprehensive Gateway Security Suite) for anyone who remotely cares about security and protecting their network. In fact we don't buy a SonicWALL without it...it's a default IMO. CGSS includes 24/7 support, gateway: Antivirus, Antispyware, CFS (Premium Content Filtering Service), Geo-IP Filtering, Botnet Filtering, Application Control, SSL Control, and SSL-DPI services (I may be forgetting a few - it's well worth it though). The threat landscape of today is ever-changing and ever-evolving. Just running DPI (Deep Packet Inspection) is not enough.

Additionally, implementing this in Access Rules is not content filtering - there is nothing intuitive or intelligent about it...but rather just a whitelist/blacklist that can easily be circumvented by spoofing, DNS poisoning and so on.

Depending on the DNS service you select, they will guide you on how to set up their product. My only reservation about filtering from the DNS side is that it is easily circumvented by changing or writing a hack to change the machine's DNS either directly or by proxy.

Let me know if you have any other questions!
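The reservation above, that DNS-based filtering stops working the moment a client points itself at a different resolver, has a straightforward check on the firewall side: only the internal DNS server should ever be seen sending port-53 traffic outward. The script below is an added example, not code from the commenter or from SonicWall; it parses a constructed firewall log export (the line format, the addresses and the approved resolver `10.0.0.5` are all assumptions for the example) and lists the clients that bypassed the internal resolver, which is what a CFS- or DNS-based policy would otherwise silently miss.

```python
"""Flag internal clients that send DNS queries to resolvers other than the
internal DNS server that forwards to the filtering provider.

Added example for this thread, not the commenter's code. The log line format,
the addresses and the approved resolver are constructed for illustration;
adapt LOG_LINE to your firewall's real export format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# The internal Windows DNS server is the only host that should talk to outside resolvers.
APPROVED_RESOLVERS = {"10.0.0.5"}

# Constructed syslog-style format: "<timestamp> fw <action> <proto> src:sport -> dst:dport"
LOG_LINE = re.compile(
    r"(?P<proto>udp|tcp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample export; 10.0.1.21 and 10.0.1.22 query an outside resolver directly.
SAMPLE_LOG = """\
2016-08-12T09:00:01 fw allow udp 10.0.1.20:51234 -> 10.0.0.5:53
2016-08-12T09:00:02 fw allow udp 10.0.1.21:51235 -> 10.0.0.5:53
2016-08-12T09:00:03 fw allow udp 10.0.1.21:51236 -> 203.0.113.9:53
2016-08-12T09:00:04 fw allow tcp 10.0.1.22:51237 -> 203.0.113.9:53
2016-08-12T09:00:05 fw allow tcp 10.0.1.22:51238 -> 203.0.113.9:443
2016-08-12T09:00:06 fw allow tcp 10.0.1.23:51239 -> 198.51.100.2:80
"""


def find_dns_bypass(log_text: str, approved: Set[str] = APPROVED_RESOLVERS) -> Dict[str, Set[str]]:
    """Map each internal client to the unapproved resolvers it sent port-53 traffic to.
    Non-DNS traffic and queries to approved resolvers are ignored."""
    offenders: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m or m["dport"] != "53":
            continue
        if m["dst"] not in approved:
            offenders[m["src"]].add(m["dst"])
    return dict(offenders)


def egress_dns_rules(approved: Set[str] = APPROVED_RESOLVERS) -> List[Tuple[str, str, str, int]]:
    """Ordered (action, source, destination, port) rules that close the bypass:
    allow the approved resolver(s) out on 53, then deny everything else on 53."""
    rules = [("allow", ip, "any", 53) for ip in sorted(approved)]
    rules.append(("deny", "any", "any", 53))
    return rules


if __name__ == "__main__":
    for client, resolvers in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        print(f"{client} bypassed the internal DNS via {sorted(resolvers)}")
    for rule in egress_dns_rules():
        print(rule)
```

The parser only sees classic port-53 traffic, so pair the report with the egress rules it prints: once only the internal DNS server may reach outside resolvers, a client that changes its own DNS setting simply stops resolving, instead of escaping the blacklist.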
