• Web filtering keeps you a little safer

    #482542


    TOP STORY


    Web filtering keeps you a little safer

    By Susan Bradley

    Web-filtering services can provide additional security and protection from malware.

    Several vendors now provide this valuable service.


    The full text of this column is posted at windowssecrets.com/top-story/web-filtering-keeps-you-a-little-safer/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1327546

      Setting the DNS is a little hassle for an experienced user and very unlikely for the novice. I’ve been using a free utility for a couple years called DNS Jumper – I believe it may be the only such tool out there and it works like a charm. It basically makes it drop-down easy to set your DNS to wherever you want, and even tests the speed of one you have selected or all of them to show you which one’s faster.

      Its home page is here:
      http://sordum.3eeweb.com/?p=4573

      And as you pointed out, some like Comodo block some of the bad guys. Granted, this is at the PC level and not at your router, but its testing would be useful there. Most people use whatever their ISP provides, never knowing they can get a little speed boost as well as a little added safety in some cases.

      • #1327550

        I have used OpenDNS in the past, but found that, on occasion and although I had set no restrictions, it suddenly decided I could not watch YouTube or access some site or another due to my ‘policy’, then later reverted to working — as far as I could tell — properly. I had not set restrictions.

        Currently, I use Google DNS rather than my ISP’s DNS, as I figure it is probably very accurate. See https://developers.google.com/speed/public-dns/faq. It claims to be unfiltered and says,

        Does Google Public DNS offer the ability to block or filter out unwanted sites? No. Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind. We believe that such functionality is best performed by the client. If you are interested in enabling such functionality, you should consider installing a client-side application or browser add-on for this purpose.

        For site filtering, I have used Spybot Search and Destroy’s immunization for many years now and consider it a must-have. http://www.safer-networking.org/en/download/index.html

        I run the scan periodically, but don’t worry too much about some of the cookies it turns up. It has on occasion found more undesirable things on machines for me, though. I generally use it as part of my clean-up of friends’ machines, along with (indispensable) Malwarebytes.

        My understanding is that this free application (I found it is worth a donation) maintains a list of bad IPs that it injects into the HOSTS file on the user’s computer and silently and unobtrusively redirects those IPs to 127.0.0.0. It seems completely unobtrusive, but needs regular manual updating and immunization. I tried the new beta and found it unintuitive and slow, but the tried-and-true 1.62 version has served me well on many machines. It has other protections which I can’t claim to really understand, but which seem to be reasonably lightweight, and, of course, there is the scan.
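An added example, not part of the post above and not Spybot's own code: a short Python audit of hosts-file content that lists the names sunk to a loopback or unspecified address (the blocking mechanism the post describes) and separately reports names mapped to any other address, which are worth reviewing. The sample content and its `.test` host names are constructed, and `audit_hosts` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample in hosts-file syntax; every name is a placeholder.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example.test        # sunk to loopback
0.0.0.0     tracker.example.test telemetry.example.test
127.0.0.0   old-style.example.test
203.0.113.7 bank.example.test       # name pinned to a remote address
not-an-ip   broken.example.test
"""

# Names that normally resolve to the local machine and are not "blocks".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def audit_hosts(text):
    """Classify hosts-file entries as blocked, remapped or malformed."""
    report = {"blocked": [], "remapped": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(lineno)   # first field is not an IP
            continue
        if len(fields) < 2:
            report["malformed"].append(lineno)   # address with no host name
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr.is_loopback or addr.is_unspecified:
                if name not in LOCAL_NAMES:
                    report["blocked"].append(name)
            else:
                # Any name pinned to a routable address bypasses DNS;
                # review these by hand.
                report["remapped"].append((name, str(addr)))
    return report


if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
```
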

        • #1327558

          Hi

          Currently I use the HOSTS file provided by http://winhelp2002.mvps.org/hosts.htm. How does this differ from 3rd party web filtering products?

          I also note that Steve Gibson has been promising a GRC Net Filter for the last several years (see http://www.grc.com/nf/netfilter.htm ). He seems to have gone completely off line for some time; does anybody know if he is OK and if he intends to continue the Net Filter? I hope so because I started using his freeware programmes with the original ASPI_ME back in the day and I find his products amazing.

    • #1327565

      DNS tracking and filtering is ideal for government/commercial information harvesting and control; some versions of it are already in place in jurisdictions where information access is restricted.

      In corporate networks, set up your own web proxy, but not for the purpose of catching malware. (Smoothwall is free.) No DNS system can keep one of your trusted sites from getting hacked.

      The best way to protect against these things so far is Firefox with NoScript, and a behavior-limiting software firewall (Private Firewall, free, has picked up where KPF left off). Backed up by AVG or the like. This way, a user has to allow the malware to run with two or three different explicit ‘allow’ actions. Works best of anything I’ve ever tried, it takes a determined user to infect a machine. For the corporate dummy users, hide the desktop and menu links to IE but leave it installed for updates, and don’t give them the password to an admin account on the machine.

      Bottom line: DNS filtering can only give a false sense of security, in my humble opinion.

      • #1327580

        I too, use Spybot Search Destroy Immunize, NoScript, Avast paid, SpywareBlaster paid, AdBlock Plus, Better Privacy. Have been trying to figure out whether to get w/ VPN service and then read this.
        Confused if this is a parallel protection or something quite different? Do one or both? Great article, just that now I’m left confused what’s best for an all-in-one solution for both desktop and wi-fi laptop I might use at Starbucks, for example.

    • #1327603

      It looks like OpenDNS Premium is still free. It has a limit of how many sites you can manually block.

      • #1327647

        Just read the article and noticed that you are using a non-routable address in the paragraph for policy 1:

        Policy 1: This base-level filtering blocks malware, phishing sites, scam sites, and Web proxies. For this level, set your DNS entries to 192.153.192.40 and 198.153.194.40.

        Shouldn’t that first octet start with 198 like all the others?

        • #1327649

          So how do these DNS-filtering services you speak of (I won’t say “recommend”, but really, that’s what it amounts to) make their money? Do they track activity and sell that info to advertisers? Do they inject ads into one’s web surfing in some way? Do they rely on upselling into their paid services? What’s in it for them? I looked at two of their sites and didn’t see anything that answered these relatively straightforward questions. Any reasonable user should ask about such things prior to making use of an apparently “free” service on today’s Interporn.

          It’s very odd that there’s *no* mention whatsoever of this topic in your article.

          • #1329272

            So how do these DNS-filtering services you speak of (I won’t say “recommend”, but really, that’s what it amounts to) make their money? Do they track activity and sell that info to advertisers? Do they inject ads into one’s web surfing in some way? Do they rely on upselling into their paid services? What’s in it for them? I looked at two of their sites and didn’t see anything that answered these relatively straightforward questions. Any reasonable user should ask about such things prior to making use of an apparently “free” service on today’s Interporn.

            It’s very odd that there’s *no* mention whatsoever of this topic in your article.

            Yes, yes and sometimes yes. Ads as in Post #8 above, and selling info collected, as Susan Bradley suggested in the article. When this occurs, the service usually has something about it in their Terms, End User Agreement, or Privacy Policies. Some services also push paid upgrades. OpenDNS, being Open Source, relies on voluntary donations to keep their product free and ad-free. Be aware, if you use any Open Source program and do not donate, you may someday find yourself dodging things like OpenCandy, as developers cannot continue their projects without some sort of financial support.

            I use Comodo Secure DNS service in Windows XP, with IE 8 or Firefox, as part of their free firewall package. No serious Internet slowdowns, and few sites I want to go to blocked using IE or Firefox. No YouTube blocking. Unlike ibe98765 in Post #8, I have not experienced increased ads when using Comodo Secure DNS as part of the free firewall package. Then again, I use ad and script blockers with Firefox. (See below.)

            http://www.comodo.com/secure-dns/

            The Comodo Secure DNS service filters malicious sites as determined by one of the world’s leading security products companies. And Comodo is also a DNS Certificate Authority, so they may know a lot about DNS security. Then again, Comodo was involved in a fraudulent Certificates scandal not long ago, so take that into consideration as well. I have not read Comodo’s Privacy or End User Agreements, so users might want to review these policies before installing Comodo Secure DNS.

            I agree with MinerSevenTango (Post #5) about NoScript for Firefox. Also add to that the Abine Privacy Suite. I use both of these, and Ghostery with its blocking features, in Windows XP. For MS Updates, I use Firefox with IE Tab. (Windows Updates needs Active-X.) The Windows Updates link in MSE 2 is “Get Software Updates”. (Although this link is disabled on my Windows 7 laptop, where the normal MS Updates mechanism operates directly, presumably using an IE9 window.) The MSE 2 link can open the FF-IE Tab link directly. IE still needs to be patched, but no need to save its user links for any reason whatsoever, IMHO.

            Remember, many software updates and some software user displays will still use IE links. (Even though they do not always look like IE windows.)

            Comcast blocking (Post #14) looks to me more like spam or phishing filtering based on IP Address or Originating ISP than DNS filtering, especially in light of the GMail workaround posted there. There’s a difference between spam filtering and DNS security filtering.

            I don’t bother with any of these filtering or proxy or VPN complications when using Chrome or IE9 under Windows 7 or Windows 8. I haven’t been bothered by anything malicious, and full file scans with several AV/AS/AM products do not reveal anything other than a few tracking cookies. Chrome under Windows 7 all by itself once blocked a suspected Liza Moon type of attack and held it within the browser cache/sandbox. And IE9 web security is at least as good. Good enough for me. Your mileage may vary.

            -- rc primak

        • #1327664

          Thanks for your article. I always wondered how this works. I have a related question — How does one keep peer-to-peer traffic off of the local network? My ISP won’t block it. I don’t have control of the computers that connect by Wi-Fi, but I do control the router and could install hardware if needed.
          Any comments would be appreciated!
          Dave

          Who is John Galt?

          Microsoft Surface Pro 3 with Windows 10, MS Office. Samsung Galaxy S9+ with Android 10.

          • #1327744

            There’s a typo in number 1 – should be 198 not 192. Apologies.

            For this level, set your DNS entries to 192.153.192.40 and 198.153.194.40.

            Should be 198.153.192.40

            • #1327857

              I have friends in various foreign countries, including France, England, and Australia. Without warning, Comcast has blocked incoming email from legitimate providers in each of these countries. Is this what Ms. Bradley means by: “Along with DNS, some ISPs (such as Comcast) include Web filtering — also called content filtering — for additional security?”

              When Comcast blocks the incoming mail, sometimes the sender gets a bounce message from Comcast. Equally often, they have no way to know that Comcast has blocked the email. Nor do I. This happened with some important email from my bank in France, for example.

              Each time it happened and I found out, I called Comcast’s security division. They would check, discover that the particular domain had a block on it, and then release the block. This might last for a while, or the block might reappear a few days later. If this is web filtering, Comcast’s version is not worth the trouble it causes.

              After dealing with this for a couple of years, I found the solution. I use gmail for all my foreign correspondents. I really hate doing this, but there is nothing else I can do until I change providers.

            • #1327860

              After dealing with this for a couple of years, I found the solution. I use gmail for all my foreign correspondents. I really hate doing this, but there is nothing else I can do until I change providers.

              Sounds like you’ve found the workaround for your problem—what else to do? Carry on and chin up!

            • #1327881

              I’ve been a happy user of OpenDNS for years, and recently joined their group of volunteer moderators. In my opinion, they have a great approach to keeping up with the ever-changing Internet. Users of OpenDNS are welcome to suggest categories for web sites, then other users vote on whether those tags fit those sites; once enough have done so, one of the moderators will confirm the accuracy of the tag. This both ensures sites that need tagging are, and that sites aren’t given inappropriate tags even if a lot of people conspire to do so.

              I agree with the earlier comment about the security value of NoScript – without it, I would not be willing to visit some of the sites whose tags I moderate. But OpenDNS is an important additional protection, keeping me (or anyone else using my network) from accidentally or even purposefully visiting types of sites I’ve selected as inappropriate. I use custom settings for OpenDNS, which allows me to be extremely specific about what I do and don’t want to allow access to on my network. In return, I’m happy to volunteer some of my time in semi-retirement from an IT career to help the system work well for all.

              I don’t know this for sure, but suspect OpenDNS would be happy to hear from others interested in volunteering as moderators. (At this moment, it looks like we have 193,196 more web sites to moderate.)

    • #1327645

      I use L3 DNS servers w/o blocking. The services that do proactive blocking sometimes block harmless things that I want to check out. For instance, Comodo blocks ALL parked pages on the premise that no one wants to see ad filled pages. But in this case, I DID want to see what the guy was doing. So I dumped their secure DNS because they do not offer a real-time option to override their blocking.

    • #1327858

      Hmmm. I’ve been using OpenDNS at home for a while now and it seems to work well, but your comment about the change in business-version policy prompted me to think again.

      2.5 years ago the OpenDNS president wrote to his business users, when introducing new business versions, “the free version you use and love today, what we’re calling OpenDNS Basic, is not going away. Ever.” Now, that same president appears to be channeling Ron Ziegler (Richard Nixon’s press secretary) with his announcement that “that statement is no longer operative” (though, of course, he didn’t put it in those words, even when directly challenged on the blog which you cited).

      I’ll continue using free OpenDNS for now but will also keep an eye out for alternatives just in case they decide to renege on their word for home as well as business users. If you don’t need anything more in your own business than the ‘home’ version I’d encourage you to use it if you can get away with it, given that you were unambiguously told that you could do so forever a while back.

      • #1332729

        Here’s a snip from the Web filtering article

        “Whenever your PC connects to an ISP, the company updates your gateway/router with the information it needs to connect with the ISP’s Domain Name Services (DNS) servers.”

        Is it really possible for my ISP to meddle with settings of MY router?

        Thanks,
        -mulangi-
