If someone wants to access specific contents, they usually will find a loophole to do so. That does not mean that parents should not restrict access to those sites as best as they can. This article takes a look at some of the options provided. Now, all of those solutions are solutions for a single computer system, or a small network of computers. They do not prevent a child from visiting a friend’s house to view all the contents that are blocked at home. And they do not block contents that are already on the PC or transferred to the PC from mobile devices, hard drives or DVDs.

DNS Providers With Filtering Options

The domain name system (DNS) is used to “translate” web addresses into IP addresses. This is usually done by the Internet Service Provider, with the option to switch to another provider. Users who switch providers usually do that for one of the following reasons:

• Censorship on part of the ISP
• Faster DNS lookups
• Filtering options and other additional features

One of the DNS providers that offers filtering is Open DNS. There are others that offer similar services, just search on Bing or another search engine for them. Users who create a free account at the Open DNS website can configure the filtering options in detail.

web content filtering

Here it is possible to select one of the preconfigured filtering levels (e.g. High for blocking 26 different site categories from adult themed over tasteless to P2P file sharing and drugs). There is also a custom option that gives the user the option to define the categories that should be filtered out automatically.

Filtering means that sites that fall into those categories will not be displayed to the computer user. Filters are only as good as their detection algorithms, and it can happen that sites slip past them. Parents who find out about those sites can add them to the filtering list manually to block them in the future.

block pornographic websites

A user visiting one of those websites will see a message like the one shown in the screenshot above. Open DNS is offering a special service that they call FamilyShield. It is basically a custom filtering configuration that blocks adult sites, anonymizers and proxies, phishing and malware sites.

Verdict: Efficient filtering options that work on all devices configured to use the new DNS provider, but difficulty to configure for non-tech-savvy computer users.

Google Safe Search Filtering

Google is the most popular search engine in the world. Google, and other search engines like Bing, offer so called safe search filters to filter out search results that are deemed inappropriate. Google by default applies moderate filtering to search results. Moderate means that the search engine filters out explicit images. This can be changed to strict filtering to filter text and images from the search results, or no filtering for users who prefer to see all results regardless of their nature.

safe search settings in Google Search Settings

Google recently has added an option to lock the safe search filtering settings. Once done an image is shown on all Google pages indicating that safe search filtering is active.

Verdict: The settings are relatively effective, but very easy to bypass. All it takes is to switch to another search engine, Internet browser, or clear the cookies of the standard browser to reset the safe search filtering settings. Good additional option but to weak as the standalone filtering option.

Browser add-ons

Browser add-ons are another option to block pornographic websites. Firefox users can for instance install Foxfilter, a filtering add-on that automatically scans every page load and determines whether the page needs to be blocked or not. Blocked pages are indicated to the user.

content filter

The settings offer options to add websites to a whitelist, in case they get blocked but should not be. Other add-ons and plugins that fall into this category are Censure Block or Christian Anti-Porn for Firefox, Kid Safe for Chrome (which only displays a warning but does not block) or Simple Profanity Filter.

Like settings for specific search engines, browser add-ons are limited to their environment. If a user switches to another browser, then nothing can be done about it.

Parent Control, Filtering Applications

Most parental control applications come at a cost. There are a few free solutions available, like Untangle which basically is a security software with a web filtering component. Still, most tools are commercial in nature and therefor not included in this review. Several commercial security suites also come with parental controls to block specific types of websites.

Verdict: Applications often block contents on a system wide level, as long as they are running on the user’s account as well. There are still options to circumvent applications, for instance by booting from a Linux Live CD or connecting another system to the router directly.

Misc blocking options

Block Porn with Proxy Auto Configuration Files [link], very technical in nature, and limited to the browser the proxy is configured in.

How To Block Porn Pictures And Images With SafeSquid Proxy Server [link], aimed at system administrators and not end users.

Verdict

Blocking porn with DNS filtering appears to the most effective option for most environments. It has to be noted that this is effective, but not fool proof either. Children with enough determination and time will eventually find a way to bypass the restrictions, if they are determined to do so.

Let us know in the comments if you know of another free option to block porn and other contents on the internet.

I tried to get hold of Comodo to resolve the issue. First, I checked their forums to see if it was a general problem. Then, I looked under contact and found their support system. I created a support ticked and waited a good hour or so. After that I received an response, stating that “This site is parked, and doesn’t carry any useful content. The only content it has is advertisement links. Comodo Secure DNS blocks such sites”.

No mentioning of hacking or warez in the reply. Now Ghacks.net is a parked domain with nothing but advertisements. Great, I wonder what domain they did take a look at, definitely not mine as it is not a parked domain obviously. You would not be reading this otherwise.

So, I replied and after 12 hours, I’m still waiting for a response. To be honest, I have no idea how they can classify my site like this. I have a nagging feeling that some ******* webmasters or ****** of users have reported the site.

Brett notified me about the blocking of ghacks as well in an email. He mentioned that Comodo started blocking a large number of sites since yesterday, and believed that it was probably because of the name of the site.

It is weekend and it is likely that I won’t get a response before Monday, if I get any at all. For the meantime, I suggest you either ignore the message, or switch to Open DNS, which is a free excellent service. Their DNS server IPs are 208.67.222.222 and 208.67.220.220.

Another alternative is Google DNS, which uses the DNS servers 8.8.8.8 and 8.8.4.4.

Are you a webmaster with similar problems? Or a user who noticed that other sites are not accessible as well? Share your findings in the comments.

Update: My third email to feedback@comodo.com was answered quickly, and Ghacks does not seem to be blocked anymore by Comodo.

Most Internet users use their Internet Service Provider as the DNS provider, often without their knowledge. This may not always be the optimal solution depending on the provider’s infrastructure, network speed and handling of domain names that cannot be resolved as well as a country’s censorship implementations.

The last two aspects might need some clarification. Many IPSs display custom search pages if a domain name cannot be resolved. They do that to cash in on the user’s searches. This can be frustrating to the user who might want to prefer a different handling of those page requests.

Some countries use the domain name system to block access to web contents and other resources.

Using a different DNS provider can speed up domain lookup times, reduce web censorship and block custom error pages by the Internet providers.

Symantec is the latest company to enter the DNS provider market with Norton DNS which is currently offered as a public beta. The easiest way to use the settings is to change the DNS settings to: 198.153.192.1 and 198.153.194.1.

Symantec offers in depth instructions for Windows and Mac OS X on the official Norton DNS website.

Norton DNS promises the same advantages that Google offered when they introduced Google Public DNS back in December of 2009.

Norton DNS Public Beta offers you a faster, safer, and more reliable Internet experience.

The Norton DNS website and FAQ do not contain lots of information about how it is faster, safer and more reliable than the standard DNS provider. Norton seems to be using information from Norton Safeweb to block malicious site requests automatically. Similar services are offered by other DNS providers such as OPEN DNS as well.

Symantec seems to have plans to expand the product in the future naming parental controls in the FAQ as one of the planned features. It is likely that the service will get integrated into Symantec and Norton products once it comes out of beta.

The Internet Service Provider is usually the one that is providing the DNS servers to the customer. This happens more often than not automatically. There are however reasons to switch to other DNS servers with performance, privacy and censorship being three of the major reasons.

Censorship: Some countries use DNS to block access to websites. This is a weak block that can easily be bypassed by the user by entering the IP address of the website instead of its domain name.

Privacy: Many ISPs cash in on domain typing errors by displaying a custom error page to the user instead of the simple “page not found” error page.

Performance: Some ISPs offer DNS servers that are not optimized, slow and sometimes even unreachable.

Users who experience some of these difficulties can switch DNS servers. One of the most prominent free DNS providers was Open DNS which not only offers a fast independent DNS system but also additional optional values that include phishing and web content filters.

Google today announced that they have started offering public DNS servers as well. The system, called Google Public DNS, was designed to “make users’ web-surfing experiences faster, safer and more reliable”.

Speed: Resolver-side cache misses are one of the primary contributors to sluggish DNS responses. Clever caching techniques can help increase the speed of these responses. Google Public DNS implements prefetching: before the TTL on a record expires, we refresh the record continuously, asychronously and independently of user requests for a large number of popular domains. This allows Google Public DNS to serve many DNS requests in the round trip time it takes a packet to travel to our servers and back.

Security: DNS is vulnerable to spoofing attacks that can poison the cache of a nameserver and can route all its users to a malicious website. Until new protocols like DNSSEC get widely adopted, resolvers need to take additional measures to keep their caches secure. Google Public DNS makes it more difficult for attackers to spoof valid responses by randomizing the case of query names and including additional data in its DNS messages.

Validity: Google Public DNS complies with the DNS standards and gives the user the exact response his or her computer expects without performing any blocking, filtering, or redirection that may hamper a user’s browsing experience.

A Google Code page details how to change the DNS servers to use Google Public DNS servers. Experienced users need to use the following two DNS servers.

8.8.8.8
8.8.4.4

Privacy Concerns

But what about Privacy? Users who use the Google Public DNS servers will automatically submit extensive data to Google that includes all the websites and other services on the Internet that they visit.

According to the privacy information posted on the project web page Google Public DNS records temporary and permanent data but does not “correlate or combine” these information “with any other log data that Google might have about your use of other services, such as data from Web Search and data from advertising on the Google content network”.

Temporary Logs: The temporary logs store the full IP address of the machine you’re using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours.

Permanent Logs: In the permanent logs, we don’t keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena and improve the Google Public DNS prefetching feature. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.

Verdict:

Some users will say that providing public DNS servers is just another step in Google’s world domination plans. Others might find out that the benefits outweigh the doubts and concerns. It is definitely not bad to have another option in this field especially with the increasing censorship around the world.

They did provide a switch in the user control panel to disable that feature again but this is again a company that is forcing the user to take action for something that they changed.

Open DNS has been covered before on this website and I just want to remind everyone that Open DNS can be used to get rid of search boxes from your provider. Setup of Open DNS takes a few minutes at most and should be doable for everyone.

By using the service you start using the Open DNS servers instead of the ones from the Internet Provider. DNS meaning Domain Name System which is responsible for “translating” domain names into IP addresses.

Open DNS provides additional advantages such as phishing protection (that is not slowing down your computer), parental controls, typo corrections and shortcuts. Shortcuts work like Firefox keywords, you basically assign a phrase to an url and can use the phrase to open the website.

Those lookups are handled by dns servers and recently a serious vulnerability has been discovered that makde it possible to manipulate those queries. This could be used to send users to a different location which could open the door for serious phishing incidents. Just think about the possibility to fake eBay or Amazon and send visitors to those fake sites even if they type in the real address.

Doxpara Research, run by security researcher Dan Kaminsky, created a script that is checking if the DNS server that you are currently using is vulnerable to the attack. This is done by pressing a button on their website. I tested the script in Firefox and Internet Explorer and both lookups work fine.

One solution if the DNS server is found to be vulnerable would be to switch to the Open DNS system. David Bradley, an active reader of my website, covered the topic as well on his Significant Figures website.

Is your DNS server still vulnerable? Let me know!

This was partially answered in the comments by John Roberts (according to the Open DNS website the VP of Product Development) who confirmed that the connection itself naturally takes longer (in milliseconds) but that the open dns servers were optimized to make up for it. This would of course only be an advantage if the servers of the ISP would not be that optimized. The open dns team soon opens a new server location in London which should speed up things for European users. (not saying that they are slow at the moment, they will just be some milliseconds faster with the server in London). You see what I mean if you traceroute a server in the United States and Europe.

But it is not speed that I would like to talk about. Speed is important but not everything. Open Dns offers two features that your normal ISP does not offer. First, it has a automatic phishing detection routine which warns if you attempt to visit a website that was marked as a phishing website. They do rely on more than one source for up to date information, a nice feature.

Second they do fix typos. Try to access a website like www.ghacks.net and you will automatically be redirected to the correct site. If the typo does not have one solution but more than one a list of possible results will be shown. Nice as well.

They also offer another feature that they are not writing about on their website, maybe because they are unaware of it. Listen up, hehe. Some countries decided to ban domains by banning the dns entries of those domains. If you use the dns of a provider in that country you will not be able to visit that website unless you use the IP address instead.

Another dns server fixes that problem. You are free and ready to visit the website and it will show itself completely. Free Speech at its finest. You might want to try their service if you are living in a country that uses this (weak) method to censor content on the web.

The open dns team published a great guide on how to setup the new dns server on your system and / or router. It normally is only a matter of seconds to enter new dns servers. After that is done you are already using the open dns servers.

If you run into troubles you should try the faq section of their site which has answers to common difficulties.

Oh, I would prefer answers from Allison Rhodes instead of John Roberts if the open dns team wants to comment on this. She just looks that much cuter than him :P (see for yourself)