Disable ALL public web proxies

Discussion in 'Tomato Firmware' started by jersully, Sep 11, 2008.

  1. jersully

    jersully LI Guru Member

    I've been searching for a way to disable all public web proxies on my home network. I've searched for ways to do it on the client computer (XP Home - without 3rd party software that can be disabled) and for ways to do it with Tomato.

    I've read a couple of threads that mention IPchains, but I'm not getting it. Am I on the right track or is there a better way? If this is the way to go, can someone kindly point me to a primer or How-To?
  2. gregg098

    gregg098 LI Guru Member

    You could try out Open DNS. There's an option to block proxy/anonymizer sites. Just add the Open DNS IP addresses to your DNS server entries, make sure you CHECK "Intercept DNS port" under Advanced->DHCP/DNS, and then sign up on the Open DNS website. There are a ton of content filtering options and as long as that intercept checkmark is there, there's no easy way around it. The only possible downside is if a particular proxy site hasn't been picked up by OpenDNS yet.
  3. digerat1

    digerat1 Addicted to LI Member

    Windows 95/98/Me
  4. kevanj

    kevanj LI Guru Member

    And the point????

    Since the vast majority (I'd venture to guess 100%) of internet DNS servers for use by the public (either public such as OpenDNS or ISP maintained) are listening on port 53, this information seems superfluous....unless you happen to know the 'alternate' port a given DNS server might be listening on....
  5. jersully

    jersully LI Guru Member

    I'm using this, but if he manages to find a valid IP for a proxy server he could circumvent that, correct? Don't web proxies use the proxy server for DNS, or would it continue to use his PC's DNS server?
  6. RonWessels

    RonWessels Network Guru Member

    HTML service and DNS service are two completely unrelated things (from a server viewpoint). There is no way that an HTTP proxy can affect the DNS server being used, just like there is no way an HTTP proxy can affect what gets opened when a ".doc" file is double-clicked.

    The checkbox for "Intercept DNS port" means that, even if he manually sets a DNS server on his machine (*), the router will intercept the DNS requests and re-route them to the OpenDNS servers.

    (*) The only thing he could do would be to find a DNS server that operates on a port other than 53. It would require the registry tweak that digerat1 posted to get Windows to use a DNS server on a port other than 53 as well.
  7. jersully

    jersully LI Guru Member

    This came from OpenDNS support.

    If you find an IP address of a proxy/anonymizer site - and go to it - then all DNS requests would be made via that proxy site while you are on that specific site. There's not much we can do on our end since we are unable to block IP addresses, only domain names.

    I'm using OpenDNS and the router is intercepting all DNS requests. Unless I can find a way to drop proxy packets with iptables, or install additional software on his PC, then I'm stuck. OpenDNS does make it hard to web-search for an anonymous proxy, but all he'd really have to do is phone a friend to get one.

    FWIW, I watch his PC activities as closely as I can with the PC in his room, and I do spot-check his PC as well. Thus far I've seen no indication that he's circumvented any of my network settings or other precautions, and have made it clear to him that if he does then he loses the computer.
  8. RonWessels

    RonWessels Network Guru Member

    Ah, I see what they mean.

    Let's say that your son (I assume) finds a proxy that is not currently covered by the OpenDNS blocking. He then makes a request for a web page via the proxy. Only the text of the web page address is passed to the proxy, and the proxy itself performs the domain->IP translation via its DNS settings. However, and this is the point I was making, if the following day OpenDNS now blocks the proxy, he will not be able to use it anymore.

    Given you are trying to identify and block proxy sites, you are using a blacklist (block these sites) rather than whitelist (allow only these sites) approach. And that approach always has the issue of new sites that have not yet been identified and added to the block list.
  9. gregg098

    gregg098 LI Guru Member

    Open DNS does have a good statistics page when signed up. I'd enable this and check it out every now and then. I'm pretty sure it shows individual web sites. I played with it once a long time ago. You could at least spot check these.
  10. jersully

    jersully LI Guru Member

    Correct, however if he plugs the proxy server's IP address into his browser configuration he'll never hit up OpenDNS for resolution. It wouldn't matter whether OpenDNS ever blocks it, or even if they've been blocking it all along.

    I've never used Wireshark (Ethereal) or read any packet dumps before, but surely there is something in the web browser's proxy packet that I could snoop for and dump. Looks like I'm going to get my feet wet.
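The "something in the web browser's proxy packet" that the post above wants to snoop for does exist, and it is in cleartext in the first packet of the connection. A browser configured to use an explicit proxy sends the full URL in the request line ("GET http://host/path HTTP/1.1", the absolute form) instead of "GET /path HTTP/1.1" plus a Host header, and it opens HTTPS sites through the proxy with a "CONNECT host:443" request. The following is an added example, not code from the thread or from Tomato: a small classifier that runs over captured first request lines and reports which LAN client is talking to which proxy. The flow records, client and proxy addresses (documentation ranges), hostnames and function names are all constructed for the example.

```python
"""Flag browser-to-explicit-proxy HTTP traffic from captured request lines.

Only two request shapes reveal an explicit (browser-configured) proxy:
  * absolute-form target:  "GET http://www.example.com/ HTTP/1.1"
  * tunnel setup:          "CONNECT mail.example.net:443 HTTP/1.1"
Both are cleartext in the first TCP payload of the flow, so they can be
pulled out of a Wireshark/tcpdump capture or matched by a firewall string
rule.  Web-based (CGI) proxies are NOT caught here: to the network they
look like ordinary origin-form requests to the proxy site's own hostname,
which is exactly the case the DNS-based OpenDNS filter is meant to cover.
"""
import re
from urllib.parse import urlsplit

# RFC 7230 sec. 5.3.2 absolute-form: method, scheme://authority/path, version.
ABSOLUTE_FORM = re.compile(r"^(?P<method>[A-Z]+) (?P<url>https?://[^ ]+) HTTP/1\.[01]$")
# RFC 7230 sec. 5.3.3 authority-form, only used with CONNECT.
CONNECT_FORM = re.compile(r"^CONNECT (?P<host>[^ :]+):(?P<port>\d+) HTTP/1\.[01]$")
# Origin-form: what a browser sends straight to the web server.
ORIGIN_FORM = re.compile(r"^(?P<method>[A-Z]+) (?P<path>/[^ ]*) HTTP/1\.[01]$")


def classify_request(first_line: str):
    """Classify the first line of a TCP payload.

    Returns a (kind, host) tuple where kind is one of
    "proxy-connect", "proxy-http", "direct" or "other" (non-HTTP payload,
    e.g. a TLS ClientHello sent directly to port 443).
    """
    line = first_line.rstrip("\r\n")
    m = CONNECT_FORM.match(line)
    if m:
        return "proxy-connect", m.group("host")
    m = ABSOLUTE_FORM.match(line)
    if m:
        return "proxy-http", urlsplit(m.group("url")).hostname
    if ORIGIN_FORM.match(line):
        return "direct", None
    return "other", None


def find_proxy_use(flows):
    """Report every flow whose first line is a proxy-style request.

    flows: iterable of (client_ip, dst_ip, dst_port, first_line) tuples, as
    you would extract from a capture with "Follow TCP stream".
    """
    alerts = []
    for client, dst, port, line in flows:
        kind, target = classify_request(line)
        if kind.startswith("proxy-"):
            alerts.append({"client": client, "proxy": f"{dst}:{port}",
                           "kind": kind, "target": target})
    return alerts


# Constructed sample capture: one LAN host using an explicit proxy on
# 203.0.113.10:3128 for both HTTP and HTTPS, plus two innocent flows.
SAMPLE_FLOWS = [
    ("192.168.1.50", "203.0.113.10", 3128, "GET http://www.example.com/ HTTP/1.1\r\n"),
    ("192.168.1.50", "203.0.113.10", 3128, "CONNECT mail.example.net:443 HTTP/1.1\r\n"),
    ("192.168.1.50", "198.51.100.7", 80,   "GET /index.html HTTP/1.1\r\n"),
    ("192.168.1.51", "198.51.100.7", 443,  "\x16\x03\x01\x00\xa5\x01"),  # TLS ClientHello
]

if __name__ == "__main__":
    for alert in find_proxy_use(SAMPLE_FLOWS):
        print(alert)
```

The two strings the classifier keys on ("GET http://" at the start of a payload and "CONNECT ") are short and fixed, which is why a firewall string match is a practical way to act on them once you have confirmed the pattern in a capture. Whether your Tomato build includes the iptables string-match module is something to verify on the router (this example assumes nothing about it), and any such rule will also catch legitimate explicit-proxy use on the LAN, so check the alerts before turning detection into a DROP.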
  11. jersully

    jersully LI Guru Member

    Yes, their statistics page is pretty cool. However, as a DNS provider only they can only log what DNS queries have been made. Any web browsing (or proxying) done by IP will be under their radar.

    Not that I'm complaining about OpenDNS. I'm very happy with them and I urge everyone (at least everyone in the US and western Europe) to try them out. I do wish they were a DDNS provider though, and can't figure out why they're not when they already offer a DDNS updater service.