Guide

Domain Fronting / Inability to Block Sites

All,

 

I'm trying to block websites for my child (without Disney app, which I didn't find useful) and am having some issues.

 

I've tested various sites to block, e.g.,

- discord / discordapp / discordapp.com / www.discordapp.com etc

- youtube / youtube.com / etc

 - many others

 

With all of these websites, they keep pushing through.  Not a single one is blocked.

 

When I go to the logs (and after googling), I seem to have found the issue - Domain Fronting.  In the logs, I'm not seeing the requested site, rather I'm seeing:

 - ... s3.amazonaws.com

 - ... cloudfront.net

 - ... digicert.com

 - ... letsencrypt.org

 

It appears that orbi is letting the request go through and hoping to block on the return, but the return (the site url / fronted domain) is different from the requested/blocked url and therefore it isn't stopped.  I obv can't block 'amazonaws.com' and others... as I have other sites that should be accessible, including personal business websites.

 

I would really appreciate your guidance.  Trying to help protect my daughter here and I'm not having any luck with controls that should work without issue (in my opinion).

 

Thank you in advance

 

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 6

Accepted Solutions
Guide

Re: Domain Fronting / Inability to Block Sites

This issue is solved

 

By going through the 3rd party DNS (eg OpenDNS), which was free, easy to set up and easy to add/configure in the Orbi settings, I was able to successfully block all the sites that I wanted.

 

Additionally, OpenDNS

 - already had different tiers/levels of security with pre-screened + blocked sites

 - once you choose a tier, you can add additional blocked sites

 - you can also add 'always allowed' sites

 - and, finally, the reporting gave me all the details that I need to actively monitor and protect my child; I can browse the list daily and identify/block any new, questionable sites

 

The earlier response which indicated failures between Chrome and Safari was purely a timing issue.  Chrome recognized the updated settings almost immediately whereas Safari needed a couple hours (likely some caching somewhere, but it finally accepted).

 

Now that I'm using OpenDNS, if anyone recommends other DNS providers instead (Quad9, others), please share your thoughts.


Message 6 of 6

All Replies
Master

Re: Domain Fronting / Inability to Block Sites

I agree completely that Netgear's site blocking capability is too primitive and does not meet user expectations.

This may be the reason they have partnered with Disney Circle (which clever teenagers appear to be able to bypass with impunity, but that's another story.  Google "disable disney circle" some time.)

 

The Orbi "logs" (in my opinion) are not a reliable method to determine how the site blocking is actually failing.  They do not report actual DNS conversations.  A more precise method is to capture the actual Wide Area Network (WAN) traffic between Orbi router and internet.  Web site "fronting" may indeed be (yet another) way that Orbi's site blocking fails.

 

I'll try to set up a test tonight.

I love my Orbi.
Message 2 of 6
Guide

Re: Domain Fronting / Inability to Block Sites

Thank you

 

I saw your response on the other post and attempted your test.  Different site, but same test, and I couldn't make rhyme or reason of what was going on.

 

Test browser was Safari

 

On test,

- didn't block on first go via direct url

- did google search via browser and then selected google result.  Didn't block.

- tried url with https://.  Site blocked.

- tried url again, but with http://.  Site again blocked.

- after that, all bets were off.  Site never blocked again.

 

 

Message 3 of 6
Master

Re: Domain Fronting / Inability to Block Sites

Alas, my experiment was a dud.  I had failed to remember that DNS is "cached all over".  The Orbi DNS relay caches responses. My Windows computer caches responses.  We enter "blocked sites" by a string of letters found in the DNS name, not by IP address.  So, by trying to browse to one of these web sites before enabling blocking, I had already poisoned both my Windows computer and the Orbi DNS cache.  Typical DNS "Time to Live" values are one hour (3,600 seconds) or one day (86,400 seconds).  I can probably clear my Windows DNS cache, but I know of no method for clearing the Orbi DNS cache, except letting all the entries "age out."

 

I'm such a Klutz.  Sorry. Could you identify any other web sites you want to block so I can "start fresh"?  (Not Facebook. The family would go ballistic if Facebook disappeared even for a few minutes!)

 

I have confirmed my earlier observation.  I created a block for a non-existent web site.  "sexpot.com"  (why no one has claimed that is a mystery).  When I browse to http://sexpot.com, Orbi immediately blocks it.  When I browse to https://sexpot.com, Orbi does not block it, but there is a several second time lapse, the web browser displays "Unable to connect." (because it doesn't exist).

 

I notice that when I browse to http://discordapp.com, what appears on my Chrome, Edge, Firefox, and Opera browsers is https://discordapp.com. In other words, my belief is that Orbi's "site blocking" has been rendered pointless by a combination of (a) not blocking port 443 at all, and (b) modern browsers automatically looking for SSL versions of web sites.

I love my Orbi.
Message 4 of 6
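The two failure modes CrimpOn describes above (a DNS answer cached before the block was added, and HTTPS on port 443 not being filtered at all), as an added Python simulation that is not code from this thread, from Netgear, or from OpenDNS. It models a keyword-on-DNS-name filter sitting behind a TTL cache and contrasts it with a resolver-level block of the kind the accepted solution relies on. All host names, addresses, TTLs and the filter's rules are constructed assumptions for illustration; the TTLs are the one-hour and one-day values mentioned in the post.

```python
"""Added example (not from this thread, Netgear, or OpenDNS): a simulation of
why a keyword-on-DNS-name site filter with a DNS cache misses sites that a
resolver-level block catches. All names, IPs and TTLs are constructed."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed upstream answers: name -> (IP, TTL in seconds). TTLs are the
# one-hour / one-day values from the post; IPs are RFC 5737 documentation space.
UPSTREAM: Dict[str, Tuple[str, int]] = {
    "discordapp.com": ("203.0.113.10", 3600),
    "youtube.com": ("203.0.113.20", 86400),
    "example.org": ("203.0.113.30", 300),
}


@dataclass
class DnsCache:
    """Models a DNS relay / OS cache: an answer is reused until its TTL expires."""
    clock: Callable[[], float] = time.time
    entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, name: str) -> Tuple[str, bool]:
        """Return (ip, served_from_cache)."""
        now = self.clock()
        hit = self.entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], True  # cache hit: no DNS query leaves this host
        ip, ttl = UPSTREAM[name]
        self.entries[name] = (ip, now + ttl)
        return ip, False

    def flush(self) -> None:
        """Equivalent of clearing the OS resolver cache."""
        self.entries.clear()


def router_keyword_filter(name: str, keywords, port: int, cache: DnsCache) -> str:
    """Model of the filter behaviour described in the thread (assumed rules):
    blocked sites are substrings matched against the DNS name of a query the
    filter actually sees, and enforcement was observed only on plain HTTP."""
    _ip, cached = cache.resolve(name)
    if cached:
        return "allowed: answer came from cache, filter never saw a DNS query"
    if port != 80:
        return "allowed: HTTPS on port 443 is not filtered"
    if any(k in name for k in keywords):
        return "blocked"
    return "allowed"


def resolver_block(name: str, blocked_domains) -> Optional[str]:
    """Resolver-level block (how a filtering DNS service works in principle):
    the blocked domain and all its subdomains get no address back, so the
    browser cannot connect on any port, http or https."""
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked_domains:
            return None  # no address returned (sinkhole / NXDOMAIN)
    return UPSTREAM[name][0]


def demo() -> Dict[str, Optional[str]]:
    """Walk through the failure modes with a controllable clock."""
    now = [1_000.0]
    cache = DnsCache(clock=lambda: now[0])
    keywords = ["discord"]
    results: Dict[str, Optional[str]] = {}

    # 1. The site was visited before the block was configured: its answer is
    #    cached for 3600 s, so the filter has nothing to match against.
    cache.resolve("discordapp.com")
    results["http_while_cached"] = router_keyword_filter("discordapp.com", keywords, 80, cache)

    # 2. Let the entry age out; the next lookup is a real query and is blocked.
    now[0] += 3601
    results["http_after_ttl"] = router_keyword_filter("discordapp.com", keywords, 80, cache)

    # 3. The browser upgrades to https://; even a fresh query passes on port 443.
    cache.flush()
    results["https_fresh"] = router_keyword_filter("discordapp.com", keywords, 443, cache)

    # 4. A resolver-level block covers subdomains and is port-independent.
    results["resolver_blocked"] = resolver_block("www.discordapp.com", {"discordapp.com"})
    results["resolver_allowed"] = resolver_block("example.org", {"discordapp.com"})
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The simulation also shows why the "couple hours" delay reported later in the thread is expected: a device that resolved a name shortly before the resolver was switched keeps using its cached answer until the TTL runs out, which is exactly what `DnsCache.resolve` does. Flushing the client cache (or waiting for the TTL) is the only way to make the new resolver's answer take effect.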
Guide

Re: Domain Fronting / Inability to Block Sites

Thank you, CrimpOn, appreciate the help and very helpful/insightful

 

Realizing that the Orbi/Netgear features were limited, inadequate and not going to be resolved in the near future, I extended my test through 3rd party DNS providers (eg Quad9, OpenDNS, etc.) and integrating them into the Orbi configuration.

 

Note: Dynamic DNS was ENABLED during this test.  I'm not sure what impact that has had on results.

 

Sites tested:

 - discordapp

 - youtube

 - cnn

 - foxnews

 

Random sites.  I'm not preparing to block my daughter from conservative or liberal content, I just wanted a relevant and expansive sampling to test results.

 

Results:

 - discord app: BLOCKED on Chrome, BLOCKED on Safari

 - YouTube: NOT BLOCKED on either

 - CNN: SEMI-BLOCKED (no images, text only, unable to open links) on Chrome, NOT BLOCKED on Safari

 - FoxNews: NOT BLOCKED on either

 

Every test opens up a new issue.  I'll keep working on this path but there are so many issues and so many inconsistencies; it is very difficult to track all of the failure points and most likely, intentionally so.  Looking at the list above, I think I'll try smaller businesses next vs bigger businesses (Facebook, YouTube, etc.) to (likely) confirm that they are using Fronting techniques to avoid the checks.

Message 5 of 6