DNS filtering for childs...

lost
Posts: 191
Joined: Thursday 10 November 2016 10:30
Target OS: Raspberry Pi
Domoticz version:
Contact:

Post by lost » Monday 22 January 2018 8:35

Not really related to Domoticz... But a machine running 24/7 can be used for side-jobs!

My children now have their own computer and I didn't want them to be able to make their sexual education on the net or be able to visit (intended or not, redirections can sometimes be surprising) violent sites...

As they are young enough to be unable to bypass a DNS filtering, I built a DNS filtering relay on the PI hosting Domoticz. After this, filtering the domains they can visit is just a DNS setup on the PI IP address. I sent the stuff on the French forum:

https://easydomoticz.com/forum/viewtopi ... =10&t=5735

If google-translate's job is not good & some people here find it useful, I can translate explanations...

jake
Posts: 439
Joined: Saturday 30 May 2015 22:40
Target OS: Raspberry Pi
Domoticz version: beta
Contact:

Re: DNS filtering for childs...

Post by jake » Monday 22 January 2018 19:14

I am running pi hole on the same rpi as domoticz.

Egregius
Posts: 2715
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: Beta
Location: Beitem, BE
Contact:

Re: DNS filtering for childs...

Post by Egregius » Monday 22 January 2018 19:58

Pihole mainly targets blocking ads.
I run pfsense with pfblocker and you can block all kinds of categories like adult, gambling,...

Siewert308SW
Posts: 607
Joined: Monday 29 December 2014 16:47
Target OS: Raspberry Pi
Domoticz version: Beta
Location: The Netherlands - Zoutkamp (gn)
Contact:

Re: DNS filtering for childs...

Post by Siewert308SW » Monday 22 January 2018 20:31

Nice...
I'm not going to crack anything because every solution is a good one.
I do PiHole as well on a separate RPi3 which also contains a Domo copy for logging gas/electric and automatic weather tweeting.
But PiHole has block lists which you can add manually via webgui.
Click/add and done, have several lists imported also for adult stuff, saves my little princess seeing my hobbies :lol:
Setup:
- RPi3 - PIco HV3.0A / Domo Beta 3.9XXX / RFXtrx433E / Aeotec Gen5
- RPi3 - PIco HV3.0A / PiHole / PiVPN / NAS / Print Server
- Youless Elec&Gas
- FI9803P Cams
- KD101 detectors
- Zwave & KaKu

MyDomoticz scripts: @GitHub
PIco UPS Toolkit: @GitHub

Re: DNS filtering for childs...

Post by lost » Wednesday 24 January 2018 11:37

Egregius wrote:
Monday 22 January 2018 19:58
Pihole mainly targets blocking ads.
I run pfsense with pfblocker and you can block all kinds of categories like adult, gambling,...

For blocking ads, I have used the hosts file provided here for more than 10 years:
http://winhelp2002.mvps.org/hosts.htm

Instructions for Windows are provided. For Linux, the hosts file (the "DNS" in a file remnant that was used when there were only several hundreds/thousands of machines connected to the ARPANET!) is in path /etc/hosts.

Just take care to comment out the first lines of the mvps hosts file, for local host:
#127.0.0.1 localhost
#::1 localhost #[IPv6]

And keep the ones from your original Linux hosts file before appending the mvps file content: In fact, the localhost name from the hosts file is used by several Linux utilities... Problem is sudo, to get admin rights for sudoer users, is in the list!
=> Not keeping these definitions will make sudo unusable. This is quite a problem on some Linuxes like Ubuntu that do not activate the root account by default: The only possibility to admin the machine is sudo, so you'll have to start on a live CD/mount your HDD root file system to be able to edit the hosts file to restore the host name definition... Quite annoying!

But with this, all ads and other parasite domains are blocked system wide (i.e. not only in the navigator) and without having to install Firefox addons: You'll just get blanked contents where ads should be in web pages.
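
One way to script the merge described in the post above so that the local name definitions sudo needs cannot be lost. This is an added example, not code from the thread; the helper names `merge_hosts` and `check_hosts` are hypothetical, and rewriting every kept entry to 0.0.0.0 is this example's choice. It goes slightly beyond the post by also dropping any blocklist line that maps a name to an address other than a sink address.

```sh
#!/bin/sh
# Added example (not from the thread). merge_hosts and check_hosts are
# hypothetical helper names; rewriting entries to 0.0.0.0 is this example's choice.

# merge_hosts ORIGINAL BLOCKLIST OUTPUT
merge_hosts() {
    orig=$1; list=$2; out=$3
    {
        # Keep every line of the original hosts file untouched.
        cat "$orig"
        echo "# --- blocklist entries (appended by merge_hosts) ---"
        # Take only sink entries from the blocklist; it must never define
        # localhost or map a name to a routable address.
        tr -d '\r' < "$list" | awk '
            /^[ \t]*#/ || NF == 0 { next }
            $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }
            {
                for (i = 2; i <= NF; i++) {
                    if ($i ~ /^#/) break
                    if ($i == "localhost" || $i ~ /^localhost\./) continue
                    print "0.0.0.0 " $i
                }
            }'
    } > "$out"
}

# check_hosts FILE HOSTNAME
# Succeeds only if FILE still defines both localhost and HOSTNAME.
check_hosts() {
    awk -v h="$2" '
        /^[ \t]*#/ { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i == "localhost") l = 1
                if ($i == h) m = 1
            }
        }
        END { exit !(l && m) }' "$1"
}

# Typical use, run as root after reviewing the result:
#   merge_hosts /etc/hosts blocklist.txt /etc/hosts.new &&
#   check_hosts /etc/hosts.new "$(hostname)" && cp /etc/hosts.new /etc/hosts
```

Because the new file is only copied into place when `check_hosts` succeeds, a blocklist that would have removed the host name definition never reaches /etc/hosts.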

Hesmink
Posts: 194
Joined: Monday 22 June 2015 10:48
Target OS: Raspberry Pi
Domoticz version:
Location: The Netherlands
Contact:

Re: DNS filtering for childs...

Post by Hesmink » Wednesday 24 January 2018 13:30

Alternatively you can use OpenDNS, and have it block certain categories, like adult sites.

Re: DNS filtering for childs...

Post by lost » Thursday 25 January 2018 8:35

Hesmink wrote:
Wednesday 24 January 2018 13:30
Alternatively you can use OpenDNS, and have it block certain categories, like adult sites.

I tried it... but it was not blocking some site domains that look popular in college playgrounds: So I'm not confident at all with OpenDNS categories blocking.
Anyway, if I do not use the DNS from my internet provider (even filtering some requests), there is a responsibility problem if my bank domain is redirected by a compromised DNS server. This was not a problem if setting OpenDNS only on the children's computer, indeed (it was just not doing the job!)... but on a shared family computer, take care.

So I decided to manage this myself...

Re: DNS filtering for childs...

Post by Egregius » Thursday 25 January 2018 10:58

With pfSense or Pihole you could combine this. Set your own set of filters and use OpenDNS as DNS server. Think it should be pretty safe then ;)

Re: DNS filtering for childs...

Post by lost » Friday 26 January 2018 16:55

Egregius wrote:
Thursday 25 January 2018 10:58
With pfSense or Pihole you could combine this. Set your own set of filters and use OpenDNS as DNS server. Think it should be pretty safe then ;)

pfSense is supposed to be a FW... So not a filtering domain stuff. PiHole, I didn't know about it and discovered its existence with this thread... But even if I knew it before, I usually prefer to stick to what is available in Debian repos. Even if configuration is less user friendly I agree!

Re: DNS filtering for childs...

Post by Egregius » Sunday 28 January 2018 8:15

pfSense is so much more than just a firewall.
It also provides DHCP, DNS, several VPN services.
For security I added the pfBlockerNG packages which allows to grab blacklist for the DNS resolver and adds GeoIP database to the firewall.
Thanks to that I don't have ads on any of my devices, without doing special settings or add-ons on each device. Because of the GeoIP database my web interface is only accessible from within Belgium and the surrounding countries.
In the 3 months that it's up and running now it already blocked 239565 connection attempts from other computers and protected my computers from 1017342 ad or malicious domains.

Re: DNS filtering for childs...

Post by lost » Sunday 28 January 2018 8:34

Egregius wrote:
Sunday 28 January 2018 8:15
pfSense is so much more than just a firewall.
It also provides DHCP, DNS, several VPN services.
For security I added the pfBlockerNG packages which allows to grab blacklist for the DNS resolver and adds GeoIP database to the firewall.

That's the "problem" of solutions that integrate many features (or add them with time): You may not even consider they may fit your needs when searching, because only the top one (by use or development life) is clearly advertised!

It may probably have replaced many setups in my system: ufw for general rules + dynamic temporary ones by fail2ban for login robots on https & ssh, the latter now being port-knocked to open because attackers now use lots of compromised machines when an IP is blocked; dns filtering now.
Not sure I'll change now a working system, but I'll have a look at its full feature set to have this possibility in mind in the future.

Thanks for the tip!

Re: DNS filtering for childs...

Post by Egregius » Sunday 28 January 2018 9:12

You don't change a working system, you install a new one. pfSense requires a dedicated device as it can only be installed from an image.
I run it on top of Proxmox on an Intel NUC. My domoticz runs in a separate VM.

Re: DNS filtering for childs...

Post by lost » Tuesday 30 January 2018 9:51

Egregius wrote:
Sunday 28 January 2018 9:12
You don't change a working system, you install a new one. pfSense requires a dedicated device as it can only be installed from an image.
I run it on top of Proxmox on an Intel NUC. My domoticz runs in a separate VM.

OK, so no regrets to have: For now, the only always-on machine I have is the PI hosting Domoticz! That's low power enough to be fed by the 5V USB from my modem that has its 12V power backed (so both benefit). If I have more features to add, I should also use some containerization stuff on a machine with more horsepower, to better separate features (+ease reinstall process!)... But for now, the PI does the job!
