
Re: Blocking Sites not working

garry68046
Tutor

Blocking Sites not working

I'm trying to block certain web sites, but it is not working.  I got to the "Advanced" tab.  I click on the "Security" pulldown.  I click on "Block Sites".  I have "Keyword Blocking" set to "Always".  In the "Type keyword or domain name here" box, I type in keywords:

 

www.youtube.com

http://www.youtube.com/

https://www.youtube.com/

m.youtube.com

http://m.youtube.com/

https://m.youtube.com/

 

Nothing works. If you look at the help center, it gives examples:

 

Blocking access to certain domains (for example, www.badstuff.com/XXX).  Is "XXX" a wildcard I should be tacking onto the end of the URLs I want to block (if so, this is completely unclear).  Is there something else I need to have enabled in order for this to work?

 

I've tried using routes to block the traffic.  For example, www.youtube.com comes back with an IP of either 172.217.*.* or 216.58.*.*.  So I tried adding a route through 127.0.0.1 (that's been effective before on computers), but it won't let you add that as an invalid route.  But it will let you add say 10.10.10.10 or 1.1.1.1, which should effectively block the traffic (as neither of those addresses should be routing traffic to youtube, right?).  Still doesn't help.

 

Clicking on "Parental Controls" just whisks me away to some web site where I'm supposed to download some app for my phone.  It looks like it is just an app, NETGEARgenie, that appears to just offer a friendly interface to do the same exact things I'm trying to do via my router's http interface.

 

What am I doing wrong here?  Why doesn't "Block Sites" block anything?

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 17
TheEther
Guru

Re: Blocking Sites not working

The site blocking feature doesn't work with https.  https is encrypted so the router can't see the URL.

 

Trying to block by IP address is a losing battle.  Most services, like YouTube, are reachable through dozens of IP addresses.  It would be impractical to block all of them.  

 

You can try using DNS-based filtering services, like OpenDNS or Netgear Parental Controls, which is really OpenDNS customized to Netgear's specifications.  DNS filtering is not foolproof and has its own drawbacks.  

 

You may have to resort to installing parental control software on each device to maintain full control.  Consumer grade routers really aren't cut out to provide ironclad protection.

Message 2 of 17
garry68046
Tutor

Re: Blocking Sites not working

Here's what I find odd - I block something, like www.youtube.com, and then I try to go to "http://www.youtube.com/" AND I AM REDIRECTED TO "https://www.youtube.com/" - now if http is being blocked, how do I get redirected?

 

"Trying to block using IPs is a losing battle" - I understand that they use multiple IPs, however, I'm still able to get to them using the IPs that have supposedly been blocked.

 

The fact remains, the features being advertised don't work.

Message 3 of 17
TheEther
Guru

Re: Blocking Sites not working

It's not so odd.  Most browsers support something called HTTP Strict Transport Security (HSTS).  In a nutshell, it's a way for websites to tell browsers to use https.  In addition, browsers are pre-seeded with a list of popular websites in order to prevent the initial exchange over http.  It just so happens that www.youtube.com is among that list.  Chrome's pre-seeded list is here (beware, it's a few megabytes in size).  Firefox uses their own list but it's based off of Chrome's list (source).

 

To illustrate.  The following are the first 3 packets exchanged when opening http://www.youtube.com in Chrome.  Note: I requested http, not https.

 

No.     Time               Source                Destination           Protocol Length Info
      1 19:37:07.279531    192.168.1.39          8.8.8.8               DNS      75     Standard query 0xd81d A www.youtube.com
      2 19:37:07.306909    8.8.8.8               192.168.1.39          DNS      141    Standard query response 0xd81d A www.youtube.com CNAME youtube-ui.l.google.com A 216.58.194.206 A 216.58.194.206
      3 19:37:07.307134    192.168.1.39          216.58.194.206        TCP      78     53131 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=593436718 TSecr=0 SACK_PERM=1

 

Packet #1 is the DNS query for www.youtube.com.  Packet #2 is the DNS response.  Packet #3 is initiation of the TCP session.  Notice that it is to port 443, which is the standard port for https, not port 80.  Chrome automatically switched to using https.  There was no http request for the router to block.  The router has already lost its chance to shut things down.  If it were to have any hope, it would have blocked the DNS query.  But that would be a DNS-filtering feature, not a keyword/URL blocker.  They're different features.

 

My advice is to not bother with keyword filtering.  On a router, it's an anachronism.  The only place where it can work is on the device itself.

Message 4 of 17
Crick
Tutor

Re: Blocking Sites not working

I've read your reply TheEther, and understand it.

I have blocked *minecraft* using the R7000 blocking feature.

For Safari and Firefox, the blocking works. 

Chrome, however, loads the site.

What is the difference, and more to the point, can Chrome be set to "work" with the Netgear blocking function as do Safari and Firefox?

Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 5 of 17
TheEther
Guru

Re: Blocking Sites not working

It could be that Chrome's HSTS database is different than Firefox's and Safari's. You can point Chrome at chrome://net-internals/#hsts. Enter the site name in the Query domain and see if Chrome returns a positive hit. You can, then, try deleting that domain.
This won't work if Chrome has preloaded it.

BTW, blocking just "*minecraft*" may not be good enough. There are plenty of minecraft servers with other names. Just look at the list at this site:
http://minecraftservers.org/
Message 6 of 17
Crick
Tutor

Re: Blocking Sites not working

Thanks for your reply.  I confirmed that when minecraft.net is not in the HSTS set, minecraft.net will load and be added to the HSTS set again. Interestingly, when minecraft.com (not in the HSTS set) is loaded, it is properly blocked by the router and, unlike minecraft.net, minecraft.com is not re-added to the HSTS set.

 

On another (same OS) computer on the same network, minecraft.net is blocked by chrome. 

 

Any other ideas, please pass them along.

Crick

 

 

Message 7 of 17
aptninja
Guide

Re: Blocking Sites not working

First, your Model # drop down menu does not contain Orbi RBR50 on this forum when I go to make a post. Can you please add it to this forum so that the community can tag posts with the Orbi Model #'s that Netgear sells?

 

You stated:
"Consumer grade routers really aren't cut out to provide ironclad protection."

 

I don't think the idea is to provide ironclad protection. I think the idea is to actually provide enough protection that makes sense (common sense levels of functionality for protection) or don't provide any protection at all. Because, it sets the expectation with the user/customer that when a domain is added to the firewall block list that it is actually secure and will blocked when in fact it can very easily be worked around by simply going to its https URL.

 

The section to add domains and keywords in the Advanced > Security > Block Sites page is misleading and the basic functionality needs to be improved in the following ways:

 

1. It says to "type keyword or domain here" to enter a domain to block. There is no mention that the protocol is limited to http and that https will not be blocked. If it is limited to http, then it should state it right in the user interface. The use of the word "keyword" is ambiguous. "Keyword" where? In the URL? In the webpage? If it is keyword in the URL then again that sort of breaks the expectation because the keywords in the URL are not even considered if it is to an https site.

 

2. Initial handshake requests for https sites are not encrypted as they head from the client/browser to the router. Certainly the router would be able to look at this initial request based on domain name or keyword in domain name and block it? Right?

 

3. One of the features on the "Block sites" page is to allow trusted IP addresses to visit blocked sites. However, now that I know that since https sites are not blocked and that I would need to block them using OpenDNS, this feature does me no good. And as far as I can tell I cannot block a domain within OpenDNS and then "allow trusted IP addresses to visit blocked sites" as OpenDNS is not on my internal network but blocks it as part of the DNSing that happens with my public facing IP address.

 

4. You might say, "well hey install the NetGear Genie client on all of your PC's". Well you know, I would like to actually control my home network without having to resort to agent based software and asking all of my dumb house guests and their dumb ass kids to install an agent on their devices. Plus you can't get an agent onto a Chromebook. I know, there is a Supervised user configuration for Chromebooks that can be used; however currently there is a bug in the ChromeOS that breaks it (https://bugs.chromium.org/p/chromium/issues/detail?id=772118#c12). You also can't block specific devices from accessing specific domains. Or block a specific domain and then allow specific devices to bypass it.

 

You know I spent $500 on my Orbi router system and it has great coverage and backhaul speed. But why the half assed firewall and network controls?

Message 8 of 17
aptninja
Guide

Re: Blocking Sites not working

When does Netgear plan to make the basic functionality sufficient to at least pass a common sense standard of quality?

Message 9 of 17
JamesGL
Master

Re: Blocking Sites not working

Hi aptninja,

 

You can post it under Orbi board since you have an Orbi system. The board is for Nighthawk which is the reason why Orbi model is not on the drop down list.

 

https://community.netgear.com/t5/Orbi-WiFi-System/ct-p/home-orbi

Message 10 of 17
ng6400sux
Initiate

Re: Blocking Sites not working

Never. Netgear sucks. I bought 2 of them, and they are the worst routers I have ever owned.

Not only does the block list not work at all, but the USB ports are worthless. The drives drop constantly during backups.

It's all over the internet, I wish I had researched them before buying them.

I trusted the name, and got screwed.

Message 11 of 17
userisme
Initiate

Re: Blocking Sites not working

https is encrypted???

 

Maybe the content going back and forth is encrypted, but you and I can still see "yahoo.com" whether or not there is an s in front of the // or not.

 

Really, please answer that. Because after seeing that, I can't believe anything else since I believe it to be false.

Message 12 of 17
TheEther
Guru

Re: Blocking Sites not working

It's better to say that you don't understand something than to believe it to be false, unless you can back up your assertion.

 

Yes, https is encrypted. The 's' stands for "Secure".

 

You may be able to see "yahoo.com" in your computer's browser, but your router can't see it embedded in the URL information contained in https traffic.  Netgear's keyword blocking feature operates by inspecting URLs and blocking the associated http connection from being established.  Because keyword blocking can't access the URL inside a https connection, it fundamentally doesn't work on https.

 

Now, what routers do have visibility into are the DNS queries to find the IP addresses for domain names, like "yahoo.com". These queries are unencrypted and can, therefore, be inspected. DNS filtering services, like OpenDNS, can effectively block domains by providing a DNS reply containing an alternate IP address that takes the browser to a "site is blocked" page.

 

To a user entering a website into browser, the distinction between a URL and a domain name can be easily lost.  But the underlying mechanics of how computers deal with them are quite distinct and separate.

Message 13 of 17
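The DNS-filtering mechanism TheEther describes above (answer a blocked name with the IP of a "site is blocked" page), placed beside a router-style keyword match, as an added example that is not part of the thread or any Netgear or OpenDNS code. The upstream answers, the sinkhole address and the blocklists are constructed for illustration; only the www.youtube.com address is taken from the capture posted earlier in the thread.

```python
"""
Toy filtering resolver: the name is visible in every DNS query, so a filter
at this layer works the same for http and https destinations.  Two policies
are modelled: domain blocking on label boundaries (the OpenDNS style) and the
router's '*keyword*' substring match.
"""

# Constructed stand-in for real upstream DNS answers (documentation ranges,
# except the YouTube address, which comes from the capture in the thread).
UPSTREAM = {
    "www.youtube.com": "216.58.194.206",
    "m.youtube.com": "203.0.113.10",
    "notyoutube.com": "203.0.113.11",
    "minecraft.net": "203.0.113.12",
    "play.minecraft.net": "203.0.113.13",
    "www.example.com": "203.0.113.14",
}

# Constructed address of the "this site is blocked" landing page.
BLOCK_PAGE_IP = "192.0.2.1"


def domain_blocked(name, blocked_domains):
    """True if `name` equals a blocked domain or is a subdomain of one.

    Matching on label boundaries means blocking 'youtube.com' covers
    'www.youtube.com' but does not catch 'notyoutube.com'.
    """
    name = name.rstrip(".").lower()
    for dom in blocked_domains:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def keyword_blocked(name, keywords):
    """Router-style match: the keyword (with '*' wildcards stripped) appears
    anywhere in the name.  Broader than domain blocking: it also hits
    unrelated names that merely contain the substring."""
    name = name.lower()
    return any(k.strip("*").lower() in name for k in keywords)


def resolve(name, blocked_domains=(), keywords=()):
    """Answer like a filtering resolver: sinkhole IP for blocked names,
    the upstream answer otherwise ('0.0.0.0' stands in for NXDOMAIN)."""
    if domain_blocked(name, blocked_domains) or keyword_blocked(name, keywords):
        return BLOCK_PAGE_IP
    return UPSTREAM.get(name.rstrip(".").lower(), "0.0.0.0")


if __name__ == "__main__":
    policy = {"blocked_domains": ["youtube.com"], "keywords": ["*minecraft*"]}
    for host in UPSTREAM:
        print(f"{host:22} -> {resolve(host, **policy)}")
```

The filter only helps when the device actually sends its queries through the filtering resolver; a client configured to use a different DNS server never presents the name to it, which is the "not foolproof" caveat in the reply above.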
sadchild
Initiate

Re: Blocking Sites not working

I have been trying to block Google and YouTube as well (on my WNR2000v2), and have accepted that the Block Sites won't work because they are https (encrypted) so the router can't see the information.

 

My original goal was to block ALL website browsing (on a schedule) and succeeded with Block Services.... except for Google and Youtube. They still loaded after blocking port 80 and port 443.

 

I discovered that to block Google and Youtube web browsing, I had to create two custom services.

 

The first was:

Service Type: User Defined

Protocol: TCP + UDP <--important!!!!!

Starting Port: 80

Ending Port: 80

Service Type/User Defined: HTTP WITH UDP

 

The second is the same, except both ports are 443 and the last line is HTTPS WITH UDP

 

Now I've succeeded in blocking all web browsing including Google and Youtube. So when I leave my 12 year old at home and have said, "No internet today" he can still have wifi for email and such, but web browsing (on any device) won't work.

Message 14 of 17
schumaku
Guru

Re: Blocking Sites not working


@sadchild wrote:

My original goal was to block ALL website browsing (on a schedule) and succeeded with Block Services.... except for Google and Youtube. They still loaded after blocking port 80 and port 443.

...

Protocol: TCP + UDP <--important!!!!!

...

The second is the same, except both ports are 443 and the last line is HTTPS WITH UDP

... 

Now I've succeeded in blocking all web browsing including Google and Youtube.


The cause here is an experimental (not formally RFC'ed yet) transport protocol named QUIC, heavily used by Alphabet/Google and by more and more other providers, too. FMI: https://en.wikipedia.org/wiki/QUIC

Message 15 of 17
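A small model of port-based service blocking, added here as an example that is not from the thread and does not reproduce Netgear's rule format, to show why sadchild's first attempt (rules on ports 80 and 443 for TCP only) still let Google and YouTube load and why the "TCP + UDP" version closes the gap: QUIC carries HTTP over UDP port 443, which a TCP-only rule never matches. The traffic sample is constructed.

```python
"""
Rule evaluation for a Block Services style filter.  A packet is dropped if
any rule matches both its transport protocol and its destination port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocols: frozenset  # {"TCP"} or {"TCP", "UDP"}
    start_port: int
    end_port: int
    name: str

    def matches(self, proto, dport):
        return proto in self.protocols and self.start_port <= dport <= self.end_port


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    dport: int
    note: str    # label used in the report


# Constructed outbound traffic from one LAN client.
SAMPLE_TRAFFIC = (
    Packet("TCP", 80, "http"),
    Packet("TCP", 443, "https-tcp"),
    Packet("UDP", 443, "quic"),       # HTTP/3 over UDP: what the TCP-only rule misses
    Packet("TCP", 993, "imaps"),      # mail, should keep working
    Packet("UDP", 53, "dns"),
)

WEB_PORTS = {80, 443}

# First attempt from the thread: protocol TCP only.
TCP_ONLY = (
    Rule(frozenset({"TCP"}), 80, 80, "HTTP"),
    Rule(frozenset({"TCP"}), 443, 443, "HTTPS"),
)

# Corrected services from the thread: "TCP + UDP" on the same ports.
TCP_AND_UDP = (
    Rule(frozenset({"TCP", "UDP"}), 80, 80, "HTTP WITH UDP"),
    Rule(frozenset({"TCP", "UDP"}), 443, 443, "HTTPS WITH UDP"),
)


def is_blocked(packet, rules):
    return any(r.matches(packet.proto, packet.dport) for r in rules)


def evaluate(rules, traffic=SAMPLE_TRAFFIC):
    """Map each packet label to 'block' or 'allow' under the given rules."""
    return {p.note: ("block" if is_blocked(p, rules) else "allow") for p in traffic}


def web_fully_blocked(rules, traffic=SAMPLE_TRAFFIC):
    """True only if every packet to a web port, whatever its transport, is dropped."""
    return all(is_blocked(p, rules) for p in traffic if p.dport in WEB_PORTS)


if __name__ == "__main__":
    for label, rules in (("TCP only", TCP_ONLY), ("TCP + UDP", TCP_AND_UDP)):
        print(label, evaluate(rules), "web fully blocked:", web_fully_blocked(rules))
```

The report for the TCP-only rule set shows the `quic` packet allowed while `http` and `https-tcp` are dropped, which is exactly the "Google and YouTube still load" symptom; `imaps` is allowed under both rule sets, matching the observation that mail keeps working while browsing does not.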
garry68046
Tutor

Re: Blocking Sites not working

So your packet sniffing illustrates that the first thing that the router sees is a DNS query for www.youtube.com.  The router looks it up and returns the IP address that it finds in DNS.  The next packet is an HTTPS packet to the IP address it just looked up as www.youtube.com.  Granted, www.youtube.com may use multiple IPs, but it knows which IP I'm going to try to use to get there because it did the DNS lookup for me.  So my router knows that I'm sending HTTPS packets to www.youtube.com, yet it does not block the traffic.  Sure, it can't see the URL, but it can see the IP address in the IP header, and it knows that is the IP address for www.youtube.com, and it can see it is going to port 443.  Based on this information, it should block the traffic.  Your packet sniffing proved it can be done.  Netgear is just too lazy to do a good job on their site blocking features.

 

Blocking HTTP without also blocking HTTPS is, as you point out, pointless, as browsers do try to switch to HTTPS whenever possible. 

Message 16 of 17
TheEther
Guru

Re: Blocking Sites not working

In my example, the router did not process the DNS query(*). The query went straight to 8.8.8.8, which is Google's DNS server. I suppose the router could sniff the DNS replies to build a local DNS cache with which it can perform domain blocking, as you described.  But this starts to stray pretty significantly from what Netgear's Block Sites feature is supposed to do, which is to filter URLs.  If all you want to do is block domains, then Netgear already has an answer: Use parental controls or use a third-party DNS service that offers domain blocking, like OpenDNS.

 

Netgear's Block Sites is simply an anachronism in today's world, where most web traffic is encrypted over https.  The only way I see any future for it is for Netgear to add support for a web proxy.  But that might be too much for a router to handle without bogging down.  It's also a pretty significant feature for Netgear to add.  I wouldn't accuse them of being lazy about doing that.

 

(*) It's not easy to bypass the DNS server in a Netgear, but my R7000 runs 3rd party firmware that makes it trivial to do so.  Or you can override the DNS server settings in your devices, which is a pain.  If you want Netgear to offer more DNS server options, then upvote my request.  

Message 17 of 17
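The three-packet capture from message 4 and the "sniff the DNS replies to build a local cache" idea from message 17, worked through in one script added here as an example; it is not code from the thread or from Netgear. It parses the capture lines exactly as posted, shows that the first connection is a TCP SYN to port 443 (so a URL keyword filter has no plaintext request to inspect), and then applies a cache of answered IPs to the same SYN to show what a DNS-reply based domain block could decide. The `parse_capture`, `build_dns_cache` and `dns_cache_decision` names and the blocklist are this example's own.

```python
"""
Two policies applied to the first outbound connection in a Wireshark summary:
  1. URL keyword filtering, which only ever sees a plaintext http request;
  2. a cache built from DNS replies passing through the router, mapping each
     answered IP back to the queried name, which can block the https SYN too.
"""
import ipaddress
import re

# Capture text copied from the thread (Wireshark packet list summary).
CAPTURE = """\
No.     Time               Source                Destination           Protocol Length Info
      1 19:37:07.279531    192.168.1.39          8.8.8.8               DNS      75     Standard query 0xd81d A www.youtube.com
      2 19:37:07.306909    8.8.8.8               192.168.1.39          DNS      141    Standard query response 0xd81d A www.youtube.com CNAME youtube-ui.l.google.com A 216.58.194.206 A 216.58.194.206
      3 19:37:07.307134    192.168.1.39          216.58.194.206        TCP      78     53131 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=593436718 TSecr=0 SACK_PERM=1
"""


def parse_capture(text):
    """Split summary lines into dicts; the header and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        fields = line.strip().split(maxsplit=6)
        if len(fields) < 7 or not fields[0].isdigit():
            continue
        no, _time, src, dst, proto, _length, info = fields
        packets.append({"no": int(no), "src": src, "dst": dst,
                        "proto": proto, "info": info})
    return packets


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def build_dns_cache(packets):
    """Map every A-record answer IP in a DNS response back to the queried name.
    Only replies that cross the router in the clear can feed this cache."""
    cache = {}
    for p in packets:
        if p["proto"] != "DNS" or "response" not in p["info"]:
            continue
        a_tokens = re.findall(r"\bA (\S+)", p["info"])  # question name, then answer IPs
        names = [t for t in a_tokens if not _is_ipv4(t)]
        for ip in (t for t in a_tokens if _is_ipv4(t)):
            if names:
                cache[ip] = names[0]
    return cache


def tcp_syn(packet):
    """Return (sport, dport) for a TCP SYN summary line, else None."""
    if packet["proto"] != "TCP":
        return None
    m = re.search(r"(\d+) → (\d+) \[SYN\]", packet["info"])
    return (int(m.group(1)), int(m.group(2))) if m else None


def keyword_filter_can_inspect(packet):
    """Block Sites matches keywords in the URL of a plaintext http request;
    a TLS session on port 443 carries no URL the router can read."""
    syn = tcp_syn(packet)
    return syn is not None and syn[1] == 80


def dns_cache_decision(packet, cache, blocked_domains):
    """Block the SYN if its destination IP was handed out for a blocked name."""
    name = cache.get(packet["dst"])
    if name is None:
        return "allow", "destination was not seen in any DNS reply"
    for dom in blocked_domains:
        if name == dom or name.endswith("." + dom):
            return "block", f"{packet['dst']} was resolved for {name}, matching {dom}"
    return "allow", f"{name} is not on the blocklist"


def analyse(text=CAPTURE, blocked_domains=("youtube.com",)):
    packets = parse_capture(text)
    cache = build_dns_cache(packets)
    first = next(p for p in packets if tcp_syn(p))
    return {
        "dst_port": tcp_syn(first)[1],
        "keyword_filter_sees_url": keyword_filter_can_inspect(first),
        "dns_cache": cache,
        "dns_cache_decision": dns_cache_decision(first, cache, blocked_domains),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run as-is, the report shows the first SYN going to port 443 with `keyword_filter_sees_url` false, while the DNS-reply cache maps 216.58.194.206 back to www.youtube.com and would block it. As the reply above notes, this is domain blocking rather than URL filtering, and it depends on the router seeing the DNS reply in the clear.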
Discussion stats
  • 16 replies
  • 68482 views
  • 37 kudos
  • 9 in conversation