Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Website content filtering at different level

Posted on 2016-08-11
Medium Priority
Last Modified: 2016-09-02
I need to block a few websites, and I assume I can do this by different ways:
1. Firewall
I have a sonicwall, but no subscription for the content filtering. Other people seem to be successful without subscription, but I am missing something. I cannot add this to a Zone.

2. DNS
Is this possible when you only have a windows internal DNS, and all the request for website access are transferred to a ISP DNS?

3. Proxy Server
No experience here. Do I designate a machine for this? I have a windows 7 machine that only works as quickbooks server.
Maybe setup squid on linux? Can I take a old PC to do this, or do I need a good machine?
Question by:Member_2_7970390

Assisted Solution

by:Laroy Shtotland
Laroy Shtotland earned 1000 total points
ID: 41752430
LVL 10

Accepted Solution

Pierre François earned 1000 total points
ID: 41756591
The three approaches will work.

1. Firewall:

a) If you know the IP addresses fo the few websites you want to block, you can just block the traffic according to these rules on the sonicwall, and if you have access to these features:
source IP: any
source port: any
destination IP: IP address you want to block
destination port: 80 (for http) or 443 (for https)

b) if you don't have access to these settings of the firewall, but still have access to the modem, try to block the traffic on the modem.

There is a problem with this method: if the IP address of the website is changing, you have to modify manually the IP address to block. Controling this is a hassle. I do not encourage you to follow this methos.

2. You can rely upon an external DNS server for banning some websites. The feature you need is customized blacklist, i.e. a list of all the websites you want to exclude.

Your Windows internal DNS server will have to be configured to use the DNS servers of securedns.dnsbycomodo.com ( and or those of dyn.com ( and as external DNS server, not the the DNS settings provided by your ISP. With a webinterface, you can customize your blacklist on one of these DNS providers. They give a free account. I hope they will not oblige you within some time to get a payed account. OpenDNS (http://www.opendns.com) offers also free services to implement blacklists.

3. The proxy server was the classical solution some years ago. Setting up a Linux machine with squid was a very strong solution and was working very good on old computers. For speeding up the installation process, you can even choose some Linux distribution having squid installed by default, like IPCop.The problem of an older computer is that the network interface cards (you need at least two NIC for IPCop) are sometimes too slow (10 Mbps, 100 Mbps) for the current modems going much faster (1Gbps and more). This solution risks to slow down the speed of the Internet. However, not always because if case your NICs are fast enough, you can configure IPCop to work as an Internet Accelerator because of its proxy caching features.

My advice: choose solution #2. OpenDNS has my preference, but you can try with dyn.com or dnsbycomodo.com.
LVL 28

Expert Comment

by:Blue Street Tech
ID: 41759143
Hi Member_2_7970390,

I'd recommend doing this on the Firewall but here are my comments on your questions.

At the Firewall: I definitely wouldn't block via Access Rules but rather via CFS policy - its more intuitive, comprehensive and can be applied in a more granular fashion such as by user, group, IP/IP range, etc.

At DNS: IMO opendns is the best option but this can be circumvented, DNS spoofing & poisoning tactics.

At the Proxy: Proxy are still valid in certain scenarios but again as a security standard and trend filtering this at the Firewall is where the industry is at.

Let me know if you have any other questions!

Author Comment

ID: 41759615
Hi, all,
Thank you very much for all your comments!!

1. I was able to do it in Sonic Wall with Access Rules. I don't have a subscription so I cannot use CFS policy - too bad.

2. I think what I need to do is to select these dyn/docomo dns as the "forwarded" in my internal DNS server. Not sure how they work internally to personalize the blacklist, but I am totally ignorant on this.

3. Interesting that people are not doing this any more, Probably the internet connection is fast enough, and not much benefit from "caching." Linux distribution with built-in Squid sounds good.
LVL 28

Expert Comment

by:Blue Street Tech
ID: 41761791
I would highly recommend purchasing CGSS (Comprehensive Gateway Security Suite) for anyone who remotely cares about security and protecting your network. In fact we don't buy a SonicWALL without it...its a default IMO. CGSS includes 24/7 support, gateway: Antivirus, Antispyware, CFS (Premium Content Filtering Service), Geo-IP Filtering, Botnet Filtering, Application Control, SSL Control, and SSL-DPI services (I may be forgetting a few - its well worth it though). The threat landscape of today is ever-changing and ever-evolving. Just a running DPI (Deep Packet Inspection) is not enough.

Additionally, by implementing this in Access Rules is not content filtering - there is not intuitive or intelligent about it...but rather just a whitelist/blacklist that can easily be circumvented by spoofing, DNS poisoning and so on.

Depending on the DNS service you select they will guide you on how to setup their product. My only reservation about filtering from the DNS side is that it is easily circumvented by changing or writing a hack to change the machine's DNS either directly or by proxy.

Let me know if you have any other questions!

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question