unfortunately, many smartphone apps and multimedia hardware do not support
non-transparent proxies. Only their vendors could fix this. If they do not
decide to do so (which is very likely in my point of view), there is little
you can do.
If all you’re after is the best porn filtering, you might look into a paid DNS filtering service. I’m paying cleanbrowsing.org $5/month and their filtering has been way better than anything I could get working locally in IPFire. The IPFire devs will tell you that a filtering DNS service is not compatible with IPFire, but it actually works fine for me and takes all the self-management headache away. It’s too easy to find ways around the proxy or find new porn sites that aren’t in Shalla’s blocklist which could make your job much harder as you’d have to manually block those as they slip through. Every review I read of porn filtering options indicated that cleanbrowsing.org had the best porn filtering of any DNS service, and after using them for a little over a week, I’d have to agree. Best, they do not block with an intercepted block page, they simply return a page not found error, which may be why it works so well with IPFire.
We are the only provider to support DNSCrypt (port 8443), DNS over TLS (port 853) and DNS over HTTPS (port 443) by default on our Anycast DNS network. DNSSEC is also enforced and validated.
If it makes any difference, Cleanbrowsing provides different DNS servers for their paid service than for the free service and they give you the option of using returning a page not found (which I use) when blocked domains are accessed.
What makes Quad9 different? They use a malware blocklist with 22.214.171.124 but they are listed as a good DNS server on IPfire’s Public DNS page. Actually, I see that their DNS server that does NOT use the blocklist (126.96.36.199) is listed under IPFire’s “Unusable DNS Providers.” That’s the opposite of what I would expect given what you’re saying.
edit: I just noticed on Quad9’s page that 188.8.131.52 does not support DNSSEC, so that answers why they are Unusable. Sorry about that. But the question still remains why 184.108.40.206 is not Unusable if it blocks malware pages.
If it makes any difference, Cleanbrowsing provides different DNS servers for their
paid service than for the free service and they give you the option of using returning
a page not found (which I use) when blocked domains are accessed.
and this is exactly the point where it breaks DNSSEC: The server returns an answer
which differs from the original DNS zone. Cleanbrowsing might be validating DNSSEC,
but as a client using their services, you are simply not capable of doing this, as
all modifications look like DNS hijacking attempts from your resolvers’ point of view.
What makes Quad9 different? They use a malware blocklist with 220.127.116.11 but they
are listed as a good DNS server on IPfire’s Public DNS page. Actually, I see that
their DNS server that does NOT use the blocklist (18.104.22.168) is listed under IPFire’s
“Unusable DNS Providers.” That’s the opposite of what I would expect given what you’re
I have not written that part of the wiki page, but will have a look at it later on.
Feel free to edit it anyway, your login credentials work there as well.
How do we know it’s doing this? According to their site: “By default, we will return a NXDOMAIN (domain not found), but you can change it to a customized page instead.”
they are responding in a different way (NXDOMAIN or “customized page”) than a plain
resolver would do. As I mentioned, they tamper with DNS here - that’s their business idea - and this is precisely what DNSSEC aims to protect against.
No surprise, as the DNSSEC resolver test domains probably are not blacklisted due to
advertising or malware distribution by them. Such a test will therefore likely return a positive
result, while realistic DNS queries will be interfered with.
I asked Cleanbrowsing for their input on this topic. They agree they are breaking DNSSEC, but only for the domains they are blocking, because they respond with a REFUSED status and do not return any valid IP address. I don’t want anyone on my network going to the domains they are blocking anyway, so I’m not sure why it’s bad that DNSSEC is broken for those sites.
I don’t want anyone on my network going to the domains they are blocking anyway,
so I’m not sure why it’s bad that DNSSEC is broken for those sites.
if your applications or client support proxies, you could achieve the same result
(by using an appropriate datafeed, perhaps the cleanbrowsing folks provide their
blacklist as a simple text or Squid ACL file if you paid for it) without interfering
Either way: How can one tell the difference between a blocked domain and a DNS
hijacking attempt? If you monitor your resolvers’ log, using a DNS filtering service
causes so much noise in it that spotting an attacker becomes searching for a pin
in a haystack.
Worse, some users might be unaware of a DNS filtering service being in place and
are confused why they cannot access certain sites (probably not very frequent for
porn sites, but some filtering services have quite rigid policies). If you tell
them to configure a proxy in the first place, they will know their devices will
not talk to the queried services directly, but to a proxy which is capable of
denying their requests. It’s simply more transparent to a user without knowledge
of your local networks’ setup.
That still transfers the bulk of the workload back to me. There’s no easy way in IPFire to use a blacklist that’s as thorough and keeps itself automatically updated without lots of SSHing and manual script writing. When I was managing this myself, I could not find blacklists that had the coverage of a DNS filtering sevice and ended up doing a lot of manual scanning through proxy logs and manual entry into blacklist files.
I think that’s the bottom line: I could not come up with a solution that worked as well as Cleanbrowsing and on top of that, I was spending all my free time managing proxy filtering. Cleanbrowsing works better and requires a lot less elbow grease. I have no need or desire for filtering DNS at my business installation of IPFire, but at home with a small number of users, the last thing I want to be doing is spending what little family time I have to try and get proxy filtering to work half as good as Cleanbrowsing does.
when it comes to malware and other security threats, looking up queried FQDNs
against URIBLs such as Spamhaus DBL is a common way of enforcing local web access policies.
However, since your clients are not able to use a proxy, this unfortunately
does not seem to be an option for your scenario as you cannot enforce a “proxy
or die” policy.
That still transfers the bulk of the workload back to me.
IPFire in particular and any other firewall in general requires ongoing costs
such as maintenance, installing updates, revise firewall rulesets, and so on.
It is nothing you setup and then forget about it, please keep that in mind. We
are trying to make things as simple as possible here - but, as Einstein once said,
not more simple than that.
I understand. I am greatfull for what you do for the community. I like ipfire a lot.
But if i understand correct there is no way to have a proxy (non transparent) to block https content and also have working apps on the phone?
The only thing i want to do is filter out porn for my kids. Also https of course. Non transparent proxy does not support this. However with non transparent proxy all apps on the phones are working. (when using non transparent https filter is working, but some apps are not working anymore on the phones)
Again Thanks for your support, time and effort! (For the entire ipfire team)!
You can use the built-in Shalla blocklist and it does block most of the major stuff. You can also find the static IPs of some of the major porn sites and create a firewall rule that drops traffic to and from those IPs. Those are some of the things I used to do prior. Depending on the ages of your kids, that might be enough. The older they get, the more sophisticated they become at finding ways around. Hopefully Peter has some other suggestions to help, but based on their stance on DNS filtering, your options may be limited unless you want to ignore their stance. I wish you the best and if you find better solutions that don’t involve DNS filtering, please share with the community.