DrayTek DNS Filter
SSL/TLS ("HTTPS") Sites and DrayTek's DNS Filter
Concerns regarding privacy and security have increasingly lead to web sites moving their services to web servers that offer SSL/TLS connections as standard. SSL/TLS connections are those prefixed with https:// or commonly shown with a 'padlock' symbol in your brower.
SSL/TLS is a protocol that allows communication to be secured with encryption so that it can't be read by a third party - anyone in between you and the server. This security also extends to the actual URL (web address) that the user enters, which has an impact on web content filtering methods that categorise websites based on the URL that is being accessed.
The Keyword matching URL Content Filter is unable to make web content filtering decisions for HTTPS requests because the web address is encrypted. DrayTek's Globalview is also affected but the Globalview servers have other methods which can assist with categorisation decisions even when the URL is encrypted, but even with these methods it can be difficult to make a categorisation decision for HTTPS requests so additional mechanisms can be needed to assist; Once such mechanism is the DNS Filter explained below.
DrayTek Vigor routers can control access to web sites accessed over SSL/TLS with the DNS Filter, which builds upon the router's Content Security Management functionality.
When a PC tries to access a web site, it must convert that web address into an IP address (e.g. 22.214.171.124) by performing a DNS Lookup. That IP address itself cannot be encrypted by SSL/TLS because your router has to know where to send the data to!
DrayTek DNS Filter
DrayTek's DNS Filter is able to apply the Keyword matching URL filter (whitelists/blacklists) and/or the Globalview Web Content Filter to DNS lookups. The DNS Filter does this by examining all DNS lookups that devices on the network make and apply filtering decisions before the DNS lookup result is returned to the device making the DNS lookup. This mechanism permits the routers Content Security Management to be enforced on network devices.
In this example, a user attempts to access "https://www.facebook.com".
To do this, the computer must find the IP address of this web site with a DNS lookup. When the computer does this, the DNS Filter checks the name of the website against the Globalview Web Content Filter system's categories (or the URL Filter Keywords).
If the website attempting to be acessed should be blocked by the URL Filter or Globalview Web Content Filter, the DNS Filter modifies the DNS response to return the router's IP address instead of the websites actual IP Address and as a result, the attempt to access the site will be intercepted and blocked.
The DrayTek Vigor router's firewall can apply the DNS Filter to the entire network or individual users in the same way that the URL Filter and Globalview Web Content Filter would.
DrayTek's DNS Proxy
A common technique employed to by-pass DNS based filtering is to alter the DNS server that the computer sends DNS requests to with the idea being to direct DNS requests to a non-filtered DNS server.
The DrayTek DNS Filter avoids this limitation by operating as a mandatory DNS Proxy - all DNS queries that pass in and out of a DrayTek Vigor router are inspected, whether the DNS requests are going to the router directly, an ISP's DNS servers or any other DNS server on the Internet. If the DNS query passes through the DrayTek router then it can intercept it. In this way, DNS requests made by an IP address that has Content Security Management applied to it with the DNS Filter will always be filtered.
Configuration guides for the DNS Filter on your router model are available in the knowledgebase here