
Website content filtering at different levels

I need to block a few websites, and I assume I can do this in different ways:
1. Firewall
I have a SonicWall, but no subscription for the content filtering. Other people seem to be successful without a subscription, but I am missing something. I cannot add this to a Zone.

2. DNS
Is this possible when you only have a Windows internal DNS, and all requests for website access are forwarded to an ISP DNS?

3. Proxy Server
No experience here. Do I designate a machine for this? I have a Windows 7 machine that only works as a QuickBooks server.
Maybe set up Squid on Linux? Can I take an old PC to do this, or do I need a good machine?
Pierre François (Senior consultant) commented:
The three approaches will work.

1. Firewall:

a) If you know the IP addresses of the few websites you want to block, you can just block the traffic to them with rules on the SonicWall, if you have access to these features:
source IP: any
source port: any
destination IP: IP address you want to block
destination port: 80 (for http) or 443 (for https)

b) If you don't have access to these settings on the firewall but still have access to the modem, try to block the traffic on the modem.

There is a problem with this method: if the IP address of the website changes, you have to modify the blocked IP address manually. Controlling this is a hassle. I do not encourage you to follow this method.

2. You can rely upon an external DNS server for banning some websites. The feature you need is a customized blacklist, i.e. a list of all the websites you want to exclude.

Your Windows internal DNS server will have to be configured to use the DNS servers of securedns.dnsbycomodo.com (…) or those of dyn.com (…) as external DNS servers, not the DNS settings provided by your ISP. Through a web interface, you can customize your blacklist at one of these DNS providers. They give a free account; I hope they will not oblige you to get a paid account after some time. OpenDNS (http://www.opendns.com) also offers free services to implement blacklists.

3. The proxy server was the classical solution some years ago. Setting up a Linux machine with Squid was a very strong solution and worked very well on old computers. To speed up the installation process, you can even choose a Linux distribution that has Squid installed by default, like IPCop. The problem with an older computer is that the network interface cards (you need at least two NICs for IPCop) are sometimes too slow (10 Mbps, 100 Mbps) for current modems, which go much faster (1 Gbps and more). This solution risks slowing down the Internet connection. However, not always: if your NICs are fast enough, you can configure IPCop to work as an Internet accelerator thanks to its proxy caching features.

My advice: choose solution #2. OpenDNS has my preference, but you can try with dyn.com or dnsbycomodo.com.
Blue Street Tech (Last Knight) commented:
Hi Member_2_7970390,

I'd recommend doing this on the Firewall but here are my comments on your questions.

At the Firewall: I definitely wouldn't block via Access Rules but rather via a CFS policy - it's more intuitive, comprehensive and can be applied in a more granular fashion, such as by user, group, IP/IP range, etc.

At DNS: IMO OpenDNS is the best option, but this can be circumvented by DNS spoofing & poisoning tactics.

At the Proxy: Proxies are still valid in certain scenarios, but again, as a security standard and trend, filtering this at the Firewall is where the industry is at.

Let me know if you have any other questions!
Member_2_7970390 (Author) commented:
Hi, all,
Thank you very much for all your comments!!

1. I was able to do it in SonicWall with Access Rules. I don't have a subscription so I cannot use a CFS policy - too bad.

2. I think what I need to do is to select these dyn/Comodo DNS servers as the "forwarders" in my internal DNS server. Not sure how they work internally to personalize the blacklist, but I am totally ignorant on this.

3. Interesting that people are not doing this any more. Probably the Internet connection is fast enough, and there is not much benefit from "caching." A Linux distribution with built-in Squid sounds good.
Blue Street Tech (Last Knight) commented:
I would highly recommend purchasing CGSS (Comprehensive Gateway Security Suite) for anyone who remotely cares about security and protecting their network. In fact we don't buy a SonicWALL without it...it's a default IMO. CGSS includes 24/7 support, gateway: Antivirus, Antispyware, CFS (Premium Content Filtering Service), Geo-IP Filtering, Botnet Filtering, Application Control, SSL Control, and SSL-DPI services (I may be forgetting a few - it's well worth it though). The threat landscape of today is ever-changing and ever-evolving. Just running DPI (Deep Packet Inspection) is not enough.

Additionally, implementing this in Access Rules is not content filtering - there is nothing intuitive or intelligent about it...but rather just a whitelist/blacklist that can easily be circumvented by spoofing, DNS poisoning and so on.

Depending on the DNS service you select they will guide you on how to setup their product. My only reservation about filtering from the DNS side is that it is easily circumvented by changing or writing a hack to change the machine's DNS either directly or by proxy.

Let me know if you have any other questions!
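The DNS approach from Pierre's option 2 (point the internal Windows DNS server's forwarders at a filtering resolver) and the author's follow-up about "forwarders" can be done from PowerShell on the DNS server itself; the same server can also sinkhole a few specific domains locally, without any external provider, which answers the original question 2 directly. This is an added example and not code from anyone in the thread. It assumes Windows Server with the DNS Server role and the DnsServer module (Windows Server 2012 or later), run in an elevated session on the DNS server; the 208.67.x.x addresses are the public OpenDNS resolvers, and the blocked-domain list is a constructed sample.

```powershell
# Added example (not from the original thread). Assumes Windows Server with the
# DNS Server role and the DnsServer PowerShell module, run elevated on the DNS
# server itself. The domain list is a constructed sample.
Import-Module DnsServer

# --- Part 1: forward to a filtering resolver (the thread's option 2) --------
# Set-DnsServerForwarder replaces the whole forwarder list, so the ISP
# resolvers are dropped. The blacklist itself is maintained in the provider's
# web console; this only makes the internal server ask that provider.
$FilteringResolvers = @('208.67.222.222', '208.67.220.220')   # OpenDNS public resolvers

Write-Host "Forwarders before: $((Get-DnsServerForwarder).IPAddress -join ', ')"
Set-DnsServerForwarder -IPAddress $FilteringResolvers -UseRootHint $false
# -UseRootHint $false: if the forwarders are unreachable the server fails the
# query instead of resolving from the root hints, which would quietly bypass
# the filter.
Write-Host "Forwarders after:  $((Get-DnsServerForwarder).IPAddress -join ', ')"

# --- Part 2: local sinkhole zones for a few specific domains ----------------
# Works with only the internal Windows DNS: the server becomes authoritative
# for each blocked domain and answers with the sinkhole address for the zone
# apex ("@") and every subdomain (wildcard "*").
$BlockedDomains = @('example.com', 'example.net')   # constructed sample list
$SinkholeIP     = '0.0.0.0'   # or the address of an internal "site blocked" web page

foreach ($domain in $BlockedDomains) {
    if (-not (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $domain -ZoneFile "$domain.dns"
    }
    foreach ($label in '@', '*') {
        $existing = Get-DnsServerResourceRecord -ZoneName $domain -Name $label `
                    -RRType A -ErrorAction SilentlyContinue
        if (-not $existing) {
            Add-DnsServerResourceRecordA -ZoneName $domain -Name $label -IPv4Address $SinkholeIP
        }
    }
}
Clear-DnsServerCache -Force   # drop cached answers that predate the new zones

# --- Part 3: verify from the server's own point of view ---------------------
foreach ($name in 'www.example.com', 'example.net') {
    $answer = Resolve-DnsName -Name $name -Type A -Server 127.0.0.1 -ErrorAction Stop
    $ips    = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
    $status = if ($ips -eq $SinkholeIP) { 'BLOCKED' } else { 'NOT blocked' }
    Write-Host ("{0,-20} -> {1,-15} {2}" -f $name, $ips, $status)
}
```

Both parts only bite for machines that actually use the internal server, which is the weakness Blue Street Tech points out: a user who changes the client's DNS setting to a public resolver walks around it. The usual companion is an access rule on the SonicWall (the same Access Rules the author already used) that denies LAN-to-WAN TCP/UDP port 53 from every source except the internal DNS server, so the only resolver reachable from the LAN is the one that enforces the list.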