
How to block HTTPS sites using the Web Content Filter and DNS Filter

Products:
Vigor 2832
Vigor 2952
Vigor 3220
VigorBX 2000

Keywords:
content filtering
csm
dns
https

DrayTek routers that support DNS Filtering are able to inspect DNS requests and control access using either the Web Content Filter (all models) or the URL Content Filter (3.7.6 firmware or later required).

This makes it possible to make filtering decisions for HTTPS requests by examining the DNS requests. It works regardless of the DNS server configured on the PC, provided the DNS request passes through the router's WAN, so changing the DNS server on the PC does not bypass DNS Filtering applied on the router.


With firmware 3.7.6 onwards, the DNS filter is applied through the firewall, which makes it possible either to apply DNS filtering to specific network segments or to make exemptions for specified local IP addresses.


In this example, access to Facebook will be blocked using the Web Content Filter, which will block HTTP access, then the DNS Filter will be used to apply the Web Content Filter for HTTPS or non-HTTP traffic.

Please note that the router must have an active GlobalView Web Content Filter license to use the Web Content Filtering facility or perform Web Content Filtering through the DNS Filter.

The DNS Filter feature from firmware 3.6.4.1 onwards inspects all DNS queries going through the router and is able to check these against the GlobalView Web Content Filter categorisation, so that sites in blocked categories are blocked by the router.

To set this up, go to [CSM] > [Web Content Filter Profile] and make sure that the router has a valid and active Web Filter license. To configure the web content filtering, select a profile index number by clicking on the number:

In the Web Content Filter Profile, give it a suitable name, set the Action setting to Block and select the categories to block. In this example, "Social Networking" will be blocked. Click OK to save the settings of the profile:

Upon clicking OK, the router will pop up this warning:

This is for your information only and does not affect the configuration of the Web Content Filter. Click OK to continue.


 

With the Web Content Filter Profile configured, the DNS Filter can now be configured. Go to [CSM] > [DNS Filter], enable the filter and select the Web Content Filter profile to apply using the DNS Filter:

Click OK to save and apply those settings. The DNS Filter will now monitor all DNS lookups going through the router to check the category of each website accessed. If the category is blocked, the router will modify the DNS response so that the site being accessed will instead show the router's block page. The message it shows can be configured on the [CSM] > [DNS Filter] page.

This is an example of blocked access to Facebook through the router:

Please note that some browsers will not show this message and will instead show a certificate error.

The DNS Filter feature from firmware 3.7.6 onwards links to the router's firewall (for firmware prior to this, refer to the Firmware 3.6.x instructions).
This can be applied either to the entire network using the Default Rule, or it can be applied using Firewall Filter rules. Using a filter rule makes it possible to apply the DNS filtering to specific network segments and to schedule it if necessary. Please refer to this knowledge base article for details on Scheduling Filter Rules.

There are two types of DNS Filtering on the router:
The DNS filter applied through the firewall has multiple profiles and filters all external DNS access.
The DNS Filter Local Setting filters DNS lookups that use the router IP as the DNS server.

This guide will cover the configuration of both as it is recommended to configure both types of filter to ensure effective DNS filtering.


 

To set this up, go to [CSM] > [Web Content Filter Profile] and make sure that the router has a valid and active Web Filter license. To configure the web content filtering, select a profile index number by clicking on the number:

In the Web Content Filter Profile, give it a suitable name, set the Action setting to Block and select the categories to block. In this example, "Social Networking" will be blocked. Click OK to save the settings of the profile:

Upon clicking OK, the router will pop up this warning:

This is for your information only and does not affect the configuration of the Web Content Filter. Click OK to continue.


With the Web Content Filter Profile configured, the DNS Filter Local Setting can now be configured. Go to [CSM] > [DNS Filter], enable the filter and select the Web Content Filter profile to apply using the DNS Filter. The DNS Filter Local Setting affects filtering on the router's DNS server, i.e. if a client uses the router IP as the DNS server, the DNS Filter Local Setting needs to be configured.

Click OK to save that, then go into one of the DNS Filter profiles in the DNS Filter Profile Table to set up the filtering that will link to the firewall:

In the profile, give it a suitable name and select the Web Content Filter Profile to use, then click OK:

The DNS Filter can now be linked to the firewall and there are two different methods for applying this:

Default Rule - The default rule CSM settings will affect the whole network. It is possible to make exemptions from this or set up other CSM profiles through the use of a filter rule.

Filter Rule - Filter rules can be used to apply CSM to specific network segments, e.g. a guest network on 192.168.3.x, or to apply the rules on a schedule. They can also be used to make exemptions to CSM filter settings configured in the Default Rule, or to apply a different profile to a specific network segment while applying CSM using the Default Rule.



To set the Web Content Filter and DNS Filter in the Default Rule so that it affects all users, go to [Firewall] > [General Setup], then click on the Default Rule tab. On there, select the Web Content Filter Profile and DNS Filter Profile to use. It is important to use both to ensure that both HTTP and HTTPS traffic can be inspected and filtered by the router.
Click OK to apply the CSM filtering, which will take effect immediately:


To set the Web Content Filter and DNS Filter in a filter rule, go to [Firewall] > [Filter Setup]. On there, select 2. Default Data Filter by clicking the "2." link and select the first unused rule in that filter set by clicking the button for the filter rule. In the filter rule, configure the schedule settings (if required) and the Source IP (to control which network segment / IP it applies to), leave the Action set to Pass Immediately or Pass If No Further Match, then select the Web Content Filter Profile and DNS Filter Profile to apply. Click OK and the filter rule will take effect immediately.

 

The DNS Filter will now monitor DNS lookups going through the router to check the category of each website accessed. If the category is blocked, the router will modify the DNS response so that the site being accessed will instead show the router's block page. The message it shows can be configured on the [CSM] > [DNS Filter] page.

This is an example of blocked access to Facebook through the router:

Please note that some browsers will not show this message and will instead show a certificate error.
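
To confirm that both filtering paths described above are active, the following check queries a blocked-category domain through the router's own DNS server (DNS Filter Local Setting) and through an external resolver (DNS Filter Profile linked to the firewall). It is an added example, not DrayTek code; the addresses are placeholders, and it assumes a blocked lookup returns a single A record equal to the block page address set in BLOCK_IP.

```shell
#!/bin/sh
# Added example, not DrayTek code. Run from a LAN client behind the router.
# Assumptions: a blocked lookup returns one A record equal to BLOCK_IP (confirm
# this on your own router) and `dig` is installed. Addresses are placeholders.
ROUTER_DNS="${ROUTER_DNS:-192.168.1.1}"   # path 1: DNS Filter Local Setting
EXTERNAL_DNS="${EXTERNAL_DNS:-8.8.8.8}"   # path 2: DNS Filter Profile via firewall
BLOCK_IP="${BLOCK_IP:-192.168.1.1}"       # assumed address of the block page

# lookup SERVER NAME: print the IPv4 A records returned, one per line.
# The grep drops CNAME targets that `dig +short` also prints.
lookup() {
  dig +short +time=3 +tries=1 "@$1" "$2" A 2>/dev/null |
    grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# classify ANSWERS: BLOCKED only if every A record is BLOCK_IP.
# NO_ANSWER (timeout or empty reply) is reported separately, not as BLOCKED.
classify() {
  [ -n "$1" ] || { echo NO_ANSWER; return 0; }
  for ip in $1; do
    [ "$ip" = "$BLOCK_IP" ] || { echo ALLOWED; return 0; }
  done
  echo BLOCKED
}

# audit DOMAIN: test both paths; returns 0 only if both rewrite the answer.
audit() {
  failed=0
  for server in "$ROUTER_DNS" "$EXTERNAL_DNS"; do
    verdict=$(classify "$(lookup "$server" "$1")")
    echo "$1 via $server: $verdict"
    [ "$verdict" = BLOCKED ] || failed=1
  done
  return "$failed"
}

# Live run: sh dnsfilter-check.sh --live facebook.com
if [ "${1:-}" = "--live" ]; then audit "${2:-facebook.com}"; fi
```

An ALLOWED verdict on only the external resolver means the DNS Filter Profile is not linked to the Default Rule or a matching filter rule; an ALLOWED verdict on only the router address means the DNS Filter Local Setting is not enabled.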


 
