Conax
Guide
Jul 05, 2021

Orbi not blocking sites in Keyword/Domain list

The original post is here: https://community.netgear.com/t5/Orbi/Orbi-not-blocking-sites-in-Keyword-Domain-list/td-p/1845336

Netgear has not replied to that post with a solution, but closed that post due to 'inactivity'. I think that's quite lame, so here's the new post.

 

So far we know the problem is that the 'Block Sites' functionality only blocks http (non-secured) sites that match the keyword. Some people thought that it works for Edge but does not work for Chrome. Well, the reason for that behaviour is that when you enter a URL into Chrome, Chrome defaults it to an https URL. But Edge will default it to an http URL. Let's try this:

 

1. Configure your Orbi to block "twopalyergames.org".

2. Open Chrome, enter the url "twopalyergames.org". Orbi does not block it, and you can see that the site is secured.

3. Type the full http URL into the address field "http://twoplayergames.org". Now it is blocked by Orbi in Chrome.

4. Now open Edge, enter the url "twopalyergames.org". Orbi blocks it, and you can see that the site is NOT secured.

5. Type the full https URL into the address field "https://twoplayergames.org". Now it is not blocked by Orbi in Edge, and you can see the site is secured.

 

For sites that auto-redirect from http to https, you will never be able to block them. For example, http://mylotto.co.nz.

 

Come on Netgear, we paid a fortune for your product, when are you going to release the firmware to fix this issue?

10 Replies

  • schumaku
    Guru - Experienced User

    Well, the "last" answer might be it's not possible at all - certainly not without dealing with some end point security.

     

    Netgear's current implementation does capture http traffic - alone this is useless nowadays (as explained several times now).

     

    Up to TLS 1.2, it might be possible to find the URL called in the initial handshake. For sites using TLS 1.3 this is no longer feasible.

     

    The last design approach would be capturing the plain text DNS for DNS queries ... which is easily circumvented when also using secured/encrypted DNS.

     

    Now read the first line again....

     

    Same limitation on advanced security appliances by the way.

    • Conax
      Guide

      And I just found out, the free modem that came with Spark fiber can block https urls without issue. Does this mean the modem passes text url to the Orbi router for http traffic, but encrypted url for https traffic?

      • schumaku
        Guru - Experienced User

        Conax wrote:

        And I just found out, the free modem that came with Spark fiber can block https urls without issue.


        Don't know anything about this device implementation or the Spark service named Net Shield.

         

        As I said, the https connection is either <=TLS 1.2, or the device is filtering plain text DNS. Both are technically feasible (hey I'm not Netgear, but they know from where I'm coming from ....) so I can say the current Keyword Blocking feature is just j**k. Try using an encrypted DNS and you might find the computer does bypass....
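
Added example, not part of any post in this thread and not Netgear's code: a sketch of what an on-path filter can read from a client's first payload, the Host header for plain HTTP versus the server_name extension of a TLS ClientHello when the client sends it unencrypted. The `http_only` flag is a hypothetical model of the behaviour reported above, and the request and ClientHello bytes are constructed for the demo.

```python
import struct

BLOCKLIST = {"twoplayergames.org"}   # the domain used in the thread's test

def http_host(payload: bytes):
    """Host header of a plain-text HTTP request, or None."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            value = line.split(b":", 1)[1].strip().decode("ascii", "replace")
            return value.split(":")[0].lower()       # drop an optional :port
    return None

def tls_sni(payload: bytes):
    """server_name from an unencrypted TLS ClientHello, or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:  # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
        p += 1 + payload[p]           # session_id
        p += 2 + struct.unpack_from("!H", payload, p)[0]   # cipher_suites
        p += 1 + payload[p]           # compression_methods
        end = p + 2 + struct.unpack_from("!H", payload, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, p)
            p += 4
            if ext_type == 0:         # server_name: list_len(2) type(1) len(2) name
                n = struct.unpack_from("!H", payload, p + 3)[0]
                name = payload[p + 5:p + 5 + n]
                return name.decode("ascii").lower() if len(name) == n else None
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                          # truncated or malformed input: nothing visible
    return None

def is_blocked(payload: bytes, http_only: bool = False) -> bool:
    """Decision from the first client payload; http_only ignores TLS entirely."""
    is_tls = payload[:1] == b"\x16"
    host = None if (is_tls and http_only) else (tls_sni(payload) if is_tls else http_host(payload))
    return bool(host) and any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def sample_client_hello(host: str, with_sni: bool = True) -> bytes:
    """Constructed minimal ClientHello for this demo (not a real capture)."""
    name = host.encode()
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts = sni if with_sni else b""
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

HTTP_REQ = b"GET / HTTP/1.1\r\nHost: twoplayergames.org\r\n\r\n"   # constructed
```

With `http_only=True` the plain HTTP request is blocked and the ClientHello for the same domain is not, which matches the Chrome/Edge steps in the first post; a ClientHello without a readable server_name gives the filter nothing to match either way.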