Network News

X My Profile
View More Activity

When Blocking Porn Isn't Enough

Last year, Security Fix looked at a free service that helps parents and other network administrators block adult Web sites for all of the PCs they control, without installing any software. Now, the company and community that built that service has expanded it to allow administrators to filter a wide range of online content, from hate speech sites and social networking forums to sites promoting drugs and alcohol.

The service comes from OpenDNS, the company responsible for Phishtank.com, a community-based effort that collects data on phishing sites. Phishtank's data about scam sites is fed to anti-phishing features built into Web browsers like Firefox and Opera.

For several months now, OpenDNS has offered that anti-phishing service - along with the adult site filtering feature - to anyone who creates a free account with the company. OpenDNS is now rolling out a beta feature that allows users to block content based on a variety of user-selected categories, including sites that center around drugs, alcohol, gambling, weapons, hate speech, social networking, or any one of nearly two dozen other potentially charged issues.

The new filtering beta takes the same community-based approach that built the Phishtank. Users can vote on whether a given site is properly included in a given blocking category, and/or they can suggest new categories and submit sites for inclusion or removal.

OpenDNS filters out Web page requests at the domain name system (DNS) level. DNS is responsible for translating human-friendly Web site names like "example.com" into numeric, machine-readable Internet addresses. Anytime you send an e-mail or browse a Web site, your machine is sending a DNS look-up request to your Internet service provider to help route the traffic.

Most Internet users use their ISP's DNS servers for this task, either explicitly because the information was entered when signing up for service, or by default because the user hasn't specified any external DNS servers. By creating a free account at OpenDNS.com, changing the DNS settings on your machine, and registering your Internet address with OpenDNS, the company will block whatever content you have specified.

You can change the DNS settings on each computer in your home. But if your network is behind a wireless router, a speedier and more reliable solution is to change the DNS settings on the router (see this link for instructions broken down by router model). That should cover all of the systems that connect to that router.

When I last wrote about this filtering service, I received quite a few comments from readers who took issue with the idea of parents deciding what sites their children should be permitted to visit online. Most who were critical of this approach said parents should instead focus on explaining to their kids why such sites are inappropriate and should be avoided.

But for a lot of parents -- particularly those with very young children -- that approach only goes so far. As nearly anyone who has been online for any length of time can attest, it is often quite easy to start out online at one completely innocent site or simple Web search, only to end up in the back alleys of the Internet's red light district with an errant click.

Finally, I should note what OpenDNS gets out of this whole operation. When OpenDNS users mistype a domain or enter a Web site name that doesn't exist, the service will try to determine which site you meant to visit. So, if you accidentally type "linux.cmo," it takes you to "linux.com." But if it can't fix the domain you typed, it serves you targeted text ads. In addition, users can decide whether they want the company to maintain logs of the sites they've visited, or whether the data should even be stored in the first place (logging is turned off by default).

By Brian Krebs  |  February 26, 2008; 1:28 PM ET
Categories:  Fraud , From the Bunker , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: YouTube Censorship Sheds Light on Internet Trust
Next: An Opera Update And A Farewell to Netscape

Comments

You haven't needed to create any account to use the free service. All you had to do was point at their DNS servers.

Posted by: antibozo | February 26, 2008 1:59 PM | Report abuse

@antibozo -- if you want to manage what's blocked and what's not, you need to create an account.

Posted by: Bk | February 26, 2008 2:05 PM | Report abuse

Brian, I think it's clear that when you write, "For several months now, OpenDNS has offered that anti-phishing service - along with the adult site filtering feature - to anyone who creates a free account with the company," you are referring to the generic service that doesn't require an account, not the managed service, which does. Your next sentence, after all, is, "OpenDNS is now rolling out a beta feature that allows users to block content based on a variety of user-selected categories..."

Posted by: antibozo | February 26, 2008 2:11 PM | Report abuse

Couldn't do without OpenDNS these days. Not just for the filtering but for the network-wide keywords too. Very nice service

db

Posted by: David Bradley | February 26, 2008 3:51 PM | Report abuse

As a parent of four kids, ages 9 to 2, I am disappointed but not surprised to hear of comments stating that parents should not be able to control what sites their kids are able to visit. Our society is moving towards trying to remove the rights of parents to raise their own children how they see fit. Internet filtering allows me to feel safer in letting my kids utilize the great power of the Internet, while their maturity and decision-making skills grow.

I have used the OpenDNS service for almost a year now with very good results. Currently, it is mostly to cover the accidental wanderings that can easily occur. Even the most innocent of unfiltered searches can take you to the most unseemly of places. If you don't believe me, try doing an unfiltered image search on Google about the children's book, 'Black Beauty' and see what comes up...

Thanks again Brian for your excellent reporting and assistance.

Posted by: Conservative parent | February 26, 2008 8:53 PM | Report abuse

I too can't sing enough praise for OpenDNS. I've been using it for over a year now and found it to be MUCH faster than the DNS servers in West Africa.

Posted by: WilliamHaun.com | February 26, 2008 10:09 PM | Report abuse

Would you please do a post on other DNS servers that those of us who find OpenDNS objectionable can use? My ISP sends me to OpenDNS by default, and because I take the radical view that children are human beings with the same right as the rest of us to speak and listen as they please, I think it is offering morally repugnant services.

Posted by: Philautos | February 26, 2008 11:07 PM | Report abuse

Philautos,

I disagree with your radical view (or at least the conclusions you appear to draw from it), but perhaps I or others can recommend a name server if you can say what ISP you use and/or where you are located geographically.

Or you can simply run BIND yourself. If you're using Linux, BIND will be available as part of your distro; you'll just need to turn it on and perhaps tweak a few things. If you use Windows, see the following:

http://www.isc.org/sw/bind/view/?release=9.4.2

For MacOS, you may have to build BIND from source (not sure), but it should work fine. In any case, if you choose to run BIND on any platform, be sure to maintain it.

In addition, your OS may have a native DNS server, which is generally preferable as it is maintained by the regular patching process.

Posted by: antibozo | February 27, 2008 12:24 AM | Report abuse

that's great advice there, antibozo. tell a guy who doesn't have the sense enough to point his computer to any one of tens of thousands of available and quite public dns servers that he could instead just set up BIND.

aside from security implications of every clueless idiot out there installing and forgetting about BIND, this is not likely to be of any use to those folks b/c if they can't be bothered to find a public DNS server then they sure as hell won't have the patience or know-how to install BIND.

to philautos -- if you weren't just being a facetious pain in the @$$, just use 4.2.2.1. That's what half the planet uses. It won't be near as fast as OpenDNS, but at least your enlightened child won't have to deal with any morally repugnant slowness.

run BIND, indeed. thanks for the good laugh.

Posted by: whuh? | February 27, 2008 12:43 AM | Report abuse

It hardly seems worth dignifying that idiotic rant with a response, as practically every attempt at argument was already carefully addressed in my prior post. But I'd point out in addition that BIND is pretty trivial to set up, and BIND 9 has had relatively few significant vulnerabilities. I don't assume Philautos is unable to follow simple instructions, nor do I generally trust nameservers run by just anyone, as apparently some others do. Others also seem to miss the point that you have options other than relying on your ISP or nameservers operated by people you have no good reason to trust.

Posted by: antibozo | February 27, 2008 1:13 AM | Report abuse

I have to agree with whuh?

Though I've been running BIND in a corporate setting for many years there is no way that I would recommend that path to anyone who isn't already an expert. Not even to the programmers here at the high-tech company where I work.

Posted by: IT guy | February 27, 2008 10:23 AM | Report abuse

IT guy> I have to agree with...

Running BIND in a recursion-only setup is trivial. Yes, if you're hosting zones, it's trickier. But anyone who can operate a PC can run a recursion-only BIND.

Posted by: antibozo | February 27, 2008 10:57 AM | Report abuse

People who say parents should let (or be forced to allow) their kids to view hate speech and hardcore porn on the net either have no kids or hate kids. These people should be mocked and/or ignored.

Posted by: John Hopkins | February 27, 2008 11:51 AM | Report abuse

I've been using OpenDNS for several months with my whole family, and I've been impressed with the results. We've yet to encounter an overblock, though I did find some underblocking in testing. My review is here
http://filteringfacts.org/2008/01/01/review-opendns-adult-site-blocking/

Posted by: David Burt | February 27, 2008 11:59 AM | Report abuse

Now if there was a solution for all the emails I get from the porn sites EVERYDAY, ALL DAY, not to mention the scams coming from europe and africa. Yesterday before 8:00AM I had recieved seven emails saying I had won a british lottery of some kind,you know, just send us ALL of your personal info and we'll send that billion dollars right to you. There must be a bunch of greedy people out there because one cannot scam another person without the potential victim being greedy because that is what entices the victim in the first place. If it sounds too good to be true...it is!

Posted by: killsing | February 27, 2008 2:17 PM | Report abuse

Woe be unto you should you lay your eyes upon some "errant" web site. If thine eye offends thee, pluck it out!

Posted by: thinker | February 27, 2008 9:42 PM | Report abuse

Having the _choice_ to control the content that enters a home via the Internet is what separates the U.S. from many a country. If parents choose to let their kids access whatever website loads into a web browser, then that's their choice... and they have to manage the resulting questions and repurcussions. If a parent chooses to limit their child's exposure to particular genres of content, then that's OK too. For better or worse, the child may have a more limited scope of Internet-exposure.

Oh, and by the way, a child's errant click on a mal-formed web site link, less-than-scrupulous banner-add or overt phishing attempt might cost both the child and the parent many hours of repair and recovery work to bring the computer back to a usable state. That is if the child or parent(s) even know that something malicious has occurred on the computer.

The freedom to surf everything and anything does not come without consequences and societal / economic cost.

Posted by: C.B. | February 28, 2008 2:15 PM | Report abuse

Does anyone know if Julie Amero is going to be re-tried for the crime of having a spyware infested pc? 40 years was the first sentence, but that conviction was overturned.
Conservative Parent...
"Our society is moving towards trying to remove the rights of parents to raise their own children how they see fit."
I'd argue that really, there is a strong anti-authoritarian tendency in our society that some people take to an extreme. Speed limits, laws, regulations, rules, standards, manners - too many of those you encounter on the Internet are ready to chuck the whole lot.

Posted by: Liberal but not religious about it | February 28, 2008 2:51 PM | Report abuse

OpenDNS provides a very useful private service meeting a real demand. They are not the govt therefore they are not censoring.
It would be problematic if they were the only venue, but they aren't.

There are other options for people who don't have small children, don't care if they are harassed by phishers, spammers, pornmeisters, etc.

It's a C-H-O-I-C-E something we need to maintain when it comes to the scammers who are giving away the public interest in the internet, airwaives, etc AKA elected officials, legislators and their appointees who are selling out to the highest bidder and giving away OUR public assets to the ever-greedy corporations that are sending american jobs, tax revenues and resources overseas every day.

That's who should be monitored!

Posted by: Thanks to OpenDNS | February 28, 2008 8:55 PM | Report abuse

This is a great service for parents. I am a strong advocate for parental controls. Thanks OpenDNS for providing helpful tools for parents so they can allow safer passage for their childrens online surfing.

www.zpryme.com

Posted by: N.Walter | February 28, 2008 10:09 PM | Report abuse

The OpenDNS service is a great idea, and a great service, but people need to be aware that it can't block phishing links that bypass DNS altogether, e.g.:

[a href="127.0.0.1"]www.google.com[/a]

(where 127.0.0.1 is replaced with the numeric IP address of a malevolent website.)

You will need a HOSTS file blocker for that, or the equivalent in your router.

P.S. Anyone who thinks that children don't need parenting is a complete idiot, and the root cause of many of our current societal ills.

Posted by: TE | February 29, 2008 5:52 PM | Report abuse

TE's comment is correct, and it's actually worse than that. It's fairly trivial to ask another DNS server besides the one your computer is set to use what the IP address is, which means that your child finding his way to an objectionable site is a as simple as typing:

nslookup badsite.com anyRealDNSServerNameOrIP

...and then typing the IP address that comes back into any browser.

Think that's too complex for your child? You can perform IP lookups at thousands of websites which you can conveniently find by typing "nslookup" into a google search. Or they can simply get the IP address from a friend who does use a "safe" DNS server.

Solutions like SafeDNS might be adequate for very young children, but no one else should rely on them.

True safe browsing software must use an "approved list only" approach, and must be enforced at the network level or at least by the operating system.

Posted by: markgo | March 4, 2008 9:43 AM | Report abuse

For an intro to OpenDNS see

OpenDNS provides added safety for free
http://blogs.cnet.com/8301-13554_1-9834579-33.html

Posted by: Michael Horowitz | March 6, 2008 11:44 PM | Report abuse

markgo> your child finding his way to an objectionable site is a as simple as typing:
markgo> nslookup badsite.com anyRealDNSServerNameOrIP
markgo> ...and then typing the IP address that comes back into any browser.

Not really. Name-based virtual hosting will break that approach on many, if not most, pr0n sites. This is not to say that it isn't possible for a clever child to subvert DNS-based approaches with relative ease, but it's generally not as easy as you suggest.

markgo> True safe browsing software must use

There ain't no such thing. This is the reason that children need to be cautioned and supervised anyway, which is the point of those who argue against using any form of content blocking. I think they're wrong, of course. Analogy: you can put a fence around your yard to keep your children from wandering into the street. This does not mean you don't need to teach your children not to go into the street. But the fact you have to teach them not to go into street likewise doesn't mean the fence is useless.

Posted by: antibozo | March 7, 2008 10:42 AM | Report abuse

WideCircles is one of a kind viral, word of mouth advertising platform. Have your message seen by millions of users on highly related forum/blog/wiki and other types of social networking websites. Recieve instant website hits from untapped market potential and boost your search engine rankings. Only pay low fee for messages that remain active on websites for specific number of days. More affordable and better then pay per click advertsing. To find out more, please visit us today. http://widecircles.com?s=a1

Posted by: cherries | March 25, 2008 10:20 AM | Report abuse

Kindly remove comment spam above.

Posted by: x | March 26, 2008 3:20 PM | Report abuse

I like this method.User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site.

...................
Chamika

WideCircles or Wide Circles is one of a kind viral, word of mouth advertising platform. Have your message seen by millions of users on a highly related forum/blog/wiki and other types of social network websites. Recieve instant website hits from untapped market potential and boost your search engine rankings. Only pay for messages that remain active on websites. Avoids issues related to pay per click fraud. To find out more, please visit us today. http://widecircles.com

Posted by: Chamika | April 3, 2008 7:40 AM | Report abuse

I agree.. That is very helpful to all parents and also in the community.

----------------
Sam Milby

WideCircles or Wide Circles is one of a kind viral, word of mouth advertising platform. Have your message seen by millions of users on a highly related forum/blog/wiki and other types of social network websites. Recieve instant website hits from untapped market potential and boost your search engine rankings. Only pay for messages that remain active on websites. Avoids issues related to pay per click fraud. To find out more, please visit us today. http://widecircles.com

Posted by: Sam Milby | April 3, 2008 8:00 AM | Report abuse

Its a good thing that a lot of companies out there are trying to keep the Internet safe specially for kids.

------------------------
Sam Milby

WideCircles or Wide Circles is one of a kind viral, word of mouth advertising platform. Have your message seen by millions of users on a highly related forum/blog/wiki and other types of social network websites. Recieve instant website hits from untapped market potential and boost your search engine rankings. Only pay for messages that remain active on websites. Avoids issues related to pay per click fraud. To find out more, please visit us today. http://widecircles.com

Posted by: Sam Milby | April 3, 2008 12:09 PM | Report abuse

Thank you for this post. I'll try this soon.

.............
Chamika

Wow, check out this site called www.fluc.com</a
. Free SMS and free mobile ads!! Its fantastic

Posted by: Chami | May 4, 2008 5:19 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company