Best solution for blocking certain websites in Windows?

Hey experts,

I have a task to write a parental control application for blocking certain blacklisted websites.

I guess the two solutions that came to my mind were either using NDIS or WFP to check DNS requests and block if the DNS request matches one of the blacklisted websites.

So which of them is better for this task? Or is there any easier solution than this?

Also note that there are situations such as DNSSEC; is this possible to do in case an application uses DNSSEC?

A proxy is even easier. It runs in user mode, and runs no risk of blue screens.

Easier yet is to add the domains to \windows\system32\drivers\etc\hosts with fake IP addresses.


@Tim_Roberts said:
A proxy is even easier. It runs in user mode, and runs no risk of blue screens.

Easier yet is to add the domains to \windows\system32\drivers\etc\hosts with fake IP addresses.

Doesn’t that require the user to manually import certificates because of SSL issues? And is there any provided API for this task?

And I don’t think adding domains to hosts will block them in the case of DNSSEC; not sure about the proxy solution though.

@brad_H said:
Hey experts,

I have a task to write a parental control application for blocking certain blacklisted websites.

I guess the two solutions that came to my mind were either using NDIS or WFP to check DNS requests and block if the DNS request matches one of the blacklisted websites.

So which of them is better for this task? Or is there any easier solution than this?

Also note that there are situations such as DNSSEC; is this possible to do in case an application uses DNSSEC?

It’s going to be exceptionally difficult, IMHO … were it me I would simply purchase an off-the-shelf solution like NetNanny and be done with it. Here’s why … (and you likely already know this, this is just for the benefit of others who might find this on a search) … other than the most trivial websites, everyone uses essentially a front-facing well-known IP address and a slew of servers that the actual connection is made to … so you surf to “youtube.com” [142.250.189.174] but when you pick a video to watch and you look at a connection viewer you’ll find a different address actually serving the content. That means if you “blackhole” the “youtube.com” address in “hosts” or by blocking that connection in WFP or in an NDIS handler, unless you “blackhole” the actual service address sending the content all you’re doing is forcing someone to use a different front-facing address (which will change based on region, the content provider using a DDoS blocker like CloudFlare or even due to load balancing, as it’s just a DNS entry). That’s a reverse of the problem that content providers like Netflix face, where they want to restrict certain regions from getting content and people simply use a VPN to change their address …

You’re going to be playing an eternal “whack-a-mole” game if you go down the “block the IP address” route other than for the guy with a WordPress app running on his computer in the basement connected to a Comcast router, essentially, which is what the commercial applications have to do and why they issue daily updates … it’s going to be easier to simply acknowledge that and go drop the $30 for the subscription …

Make them use the right browser. The good Microsoft will take care of the rest.
Filter websites and searches in Microsoft Edge

Tragically (not), Edge is slated to be taken out back, told to look at the sunset and dispatched like Cortana, Clippy and IoT Core [ https://9to5google.com/2020/08/18/microsoft-edge-legacy-replaced-chromium/ ] … Microsoft is indeed taking care of the rest …

@craig_howard said:

@brad_H said:
Hey experts,

I have a task to write a parental control application for blocking certain blacklisted websites.

I guess the two solutions that came to my mind were either using NDIS or WFP to check DNS requests and block if the DNS request matches one of the blacklisted websites.

So which of them is better for this task? Or is there any easier solution than this?

Also note that there are situations such as DNSSEC; is this possible to do in case an application uses DNSSEC?

It’s going to be exceptionally difficult, IMHO … were it me I would simply purchase an off-the-shelf solution like NetNanny and be done with it. Here’s why … (and you likely already know this, this is just for the benefit of others who might find this on a search) … other than the most trivial websites, everyone uses essentially a front-facing well-known IP address and a slew of servers that the actual connection is made to … so you surf to “youtube.com” [142.250.189.174] but when you pick a video to watch and you look at a connection viewer you’ll find a different address actually serving the content. That means if you “blackhole” the “youtube.com” address in “hosts” or by blocking that connection in WFP or in an NDIS handler, unless you “blackhole” the actual service address sending the content all you’re doing is forcing someone to use a different front-facing address (which will change based on region, the content provider using a DDoS blocker like CloudFlare or even due to load balancing, as it’s just a DNS entry). That’s a reverse of the problem that content providers like Netflix face, where they want to restrict certain regions from getting content and people simply use a VPN to change their address …

You’re going to be playing an eternal “whack-a-mole” game if you go down the “block the IP address” route other than for the guy with a WordPress app running on his computer in the basement connected to a Comcast router, essentially, which is what the commercial applications have to do and why they issue daily updates … it’s going to be easier to simply acknowledge that and go drop the $30 for the subscription …

Unfortunately, using off-the-shelf solutions is not an option for me.
So if you HAD to write an application that blocks certain websites (written as a kernel driver or user-mode app), and no matter which process is trying to resolve that host address (so not just by certain browsers), what would you do?

@Pavel_A said:
Make them use the right browser. The good Microsoft will take care of the rest.
Filter websites and searches in Microsoft Edge

In my case, I need to block any process that tries to connect to blacklisted URLs, so just blocking it in certain browsers is not enough.

@brad_H said:
Unfortunately, using off-the-shelf solutions is not an option for me.
So if you HAD to write an application that blocks certain websites (written as a kernel driver or user-mode app), and no matter which process is trying to resolve that host address (so not just by certain browsers), what would you do?

Start with the “inspect” WFP sample, have it check the connection IP against a blacklist maintained as a binary hash table in the registry. Have a user-mode application update the hash table as needed, and play “whack-a-mole” adding IPs to the hash table …

So if you HAD to write an application that blocks certain websites
… I’d start from understanding what a website is. As craig_howard noted above, this is not trivial. If you are lucky, the user (“parent”) will provide you a ready list of IPs. Otherwise, you will have to resolve (changing) IPs from domain names.
And hope that smart kids don’t use other devices or Tor to access banned sites.

@craig_howard yes, the poor Spartan is dead (as so many things that Microsoft tried to make themselves… sigh) but the Chromium Edge is a dandy.
On my newer Win10 PCs I don’t even install other browsers. Only the latest “dev” Edge. It works great with everything, even with Google mail and other apps. And IT HAS DISTRACTION-FREE MODE like Safari! Absolutely cool.

@craig_howard said:

@brad_H said:
Unfortunately, using off-the-shelf solutions is not an option for me.
So if you HAD to write an application that blocks certain websites (written as a kernel driver or user-mode app), and no matter which process is trying to resolve that host address (so not just by certain browsers), what would you do?

Start with the “inspect” WFP sample, have it check the connection IP against a blacklist maintained as a binary hash table in the registry. Have a user-mode application update the hash table as needed, and play “whack-a-mole” adding IPs to the hash table …

Yes, I have worked with that, but the problem with solutions such as WFP or NDIS is that they fail to detect domains when they are resolved using DNSSEC; what is the solution for this?

@Pavel_A said:

So if you HAD to write an application that blocks certain websites
… I’d start from understanding what a website is. As craig_howard noted above, this is not trivial. If you are lucky, the user (“parent”) will provide you a ready list of IPs. Otherwise, you will have to resolve (changing) IPs from domain names.
And hope that smart kids don’t use other devices or Tor to access banned sites.

@craig_howard yes, the poor Spartan is dead (as so many things that Microsoft tried to make themselves… sigh) but the Chromium Edge is a dandy.
On my newer Win10 PCs I don’t even install other browsers. Only the latest “dev” Edge. It works great with everything, even with Google mail and other apps. And IT HAS DISTRACTION-FREE MODE like Safari! Absolutely cool.

Unfortunately I need to block URLs, not IP addresses.

Protection at the “DNS53 layer” is trivial and can be achieved by redirecting the DNS packets into user mode using WFP at either the ALE_CONNECT_REDIRECT or DATAGRAM_DATA layers. You can then make a decision after parsing the packet.

I am not familiar with DNSSEC but a quick look over the RFC suggests to me that if your application was running as Admin then you could probably MITM it by controlling the keys it uses for validating. (Note: I could be very, very wrong on this)

DoH will require you to intercept and process traffic as mentioned below, but look for the “application/dns-message” content-type header.

If your goal is to block certain URLs then you will need a local transparent HTTP/S proxy. You could then redirect outbound TCP 80, 443, XXX into this local proxy using WFP. For decrypting the HTTPS stream you’ll need to generate certificates on the fly, signed by a locally generated CA that you’ve put into the Trusted Certificate Store (manually or programmatically).

If you want to support machines that could be behind a corporate proxy then things are a bit more awkward.
Jason
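Added example, not code from the thread or from any of the posters: the "parse the packet, then decide" step Jason describes, written in C for the point where a WFP callout has handed the DNS message to user mode. A DoH body carried under the application/dns-message content type is the same RFC 1035 wire format, so one parser covers both the port-53 and the DoH case. The function names (dns_extract_qname, dns_query_blocked, build_dns_query) and the blocklist entries are this example's own inventions; the WFP redirection itself is outside the block.

```c
/* Added example (not the thread's or any poster's code): QNAME extraction
 * from a DNS message and a blocklist decision on it. Names and sample data
 * are constructed for this example. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define DNS_MAX_NAME 255

/* Parse the first question's QNAME out of a raw DNS message (RFC 1035 wire
 * format: 12-byte header, then length-prefixed labels terminated by a 0 byte,
 * then QTYPE/QCLASS). Writes a dotted lower-case name into out. Returns 1 on
 * success, 0 if the message is truncated or malformed. Compression pointers
 * (top two bits of a length byte set) do not belong in a query's question
 * section, so they are treated as malformed rather than followed. */
int dns_extract_qname(const uint8_t *msg, size_t len, char *out, size_t outlen)
{
    if (len < DNS_HDR_LEN) return 0;
    uint16_t qdcount = (uint16_t)((msg[4] << 8) | msg[5]);
    if (qdcount == 0) return 0;

    size_t pos = DNS_HDR_LEN, olen = 0;
    for (;;) {
        if (pos >= len) return 0;          /* ran off the end before the 0 byte */
        uint8_t lab = msg[pos++];
        if (lab == 0) break;
        if (lab & 0xC0) return 0;          /* pointer, or reserved length >= 64 */
        if (pos + lab > len) return 0;     /* label claims more bytes than exist */
        if (olen + lab + 1 >= outlen) return 0;
        if (olen) out[olen++] = '.';
        for (uint8_t i = 0; i < lab; i++) {
            uint8_t c = msg[pos++];
            if (c <= 0x20 || c >= 0x7F) return 0;   /* keep the name printable */
            out[olen++] = (char)tolower(c);
        }
    }
    if (olen == 0) return 0;               /* root query: nothing to match on */
    out[olen] = '\0';
    return pos + 4 <= len;                 /* QTYPE and QCLASS must follow */
}

/* True if name equals entry or is a subdomain of it: "m.youtube.com" matches
 * "youtube.com" but "notyoutube.com" does not. Entries must be lower-case. */
static int name_under(const char *name, const char *entry)
{
    size_t nl = strlen(name), el = strlen(entry);
    if (el == 0 || nl < el) return 0;
    if (memcmp(name + nl - el, entry, el) != 0) return 0;
    return nl == el || name[nl - el - 1] == '.';
}

/* Policy decision for one DNS message: 1 = block, 0 = pass, -1 = malformed
 * (the caller decides whether to fail open or closed on those). */
int dns_query_blocked(const uint8_t *msg, size_t len,
                      const char *const *blocklist, size_t n)
{
    char name[DNS_MAX_NAME + 1];
    if (!dns_extract_qname(msg, len, name, sizeof name)) return -1;
    for (size_t i = 0; i < n; i++)
        if (name_under(name, blocklist[i])) return 1;
    return 0;
}

/* Build a minimal A query for name into buf (constructed test input only).
 * Returns the message length, or 0 if the name does not fit or is invalid. */
size_t build_dns_query(uint8_t *buf, size_t buflen, const char *name)
{
    size_t need = DNS_HDR_LEN + strlen(name) + 2 + 4;
    if (buflen < need || strlen(name) == 0) return 0;
    /* ID 0x1234, flags RD, QDCOUNT 1, other counts 0 */
    static const uint8_t hdr[DNS_HDR_LEN] = {0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0};
    memcpy(buf, hdr, DNS_HDR_LEN);
    size_t pos = DNS_HDR_LEN;
    const char *p = name;
    while (*p) {
        const char *dot = strchr(p, '.');
        size_t lab = dot ? (size_t)(dot - p) : strlen(p);
        if (lab == 0 || lab > 63) return 0;
        buf[pos++] = (uint8_t)lab;
        memcpy(buf + pos, p, lab);
        pos += lab;
        p = dot ? dot + 1 : p + lab;
    }
    buf[pos++] = 0;                         /* end of QNAME */
    buf[pos++] = 0; buf[pos++] = 1;         /* QTYPE A */
    buf[pos++] = 0; buf[pos++] = 1;         /* QCLASS IN */
    return pos;
}

int main(void)
{
    const char *const blocklist[] = {"youtube.com", "example.net"};
    uint8_t msg[512];
    size_t n = build_dns_query(msg, sizeof msg, "m.YouTube.com");
    printf("m.YouTube.com -> %d\n", dns_query_blocked(msg, n, blocklist, 2));
    return 0;
}
```

The matcher is a suffix match on label boundaries, so one entry covers every subdomain without ever matching a look-alike such as notyoutube.com, and the name is lower-cased before comparison because DNS names are case-insensitive on the wire. The -1 result is deliberate: a truncated or pointer-bearing question section is not something a resolver would answer anyway, so the caller can fail open without losing coverage, or fail closed if the policy prefers. As Jason's post says, this only sees queries that actually pass through the redirected path; DoT or DoH traffic that is not intercepted never reaches the parser.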

@brad_H said:

Unfortunately I need to block URLs, not IP addresses.

Hmm … there might be a gap in understanding how internet connections are made and resolved … I’m going to be vastly, vastly simplifying things here, bear with me …

When you’re sitting at the browser (or other application) and type “www.youtube.com”, that itself is just a string of letters. That’s like describing your address as “the blue house in the middle of the block”, descriptive and memorable but useless.

Anything on the internet is given an address (through a variety of methods) which is the IP address, looking like 123.456.789.abc, which is like your house at “123 Main St” … it’s how the location is actually found.

The “www.youtube.com” is converted into the IP address “123.456.789.abc” by using either a local hosts table (uncommon) or by communicating with another program called a “domain name server” which is usually (but not always) run by your ISP. The IP address of the DNS is listed in your network properties tab (and it’s obtained through a variety of ways), and the browser first connects to the DNS and says “what is the IP address of this ‘www.youtube.com’ thing” and the DNS responds “123.456.789.abc”. The browser then says “cool!” and connects to that address to actually access “youtube.com”.

That’s why we are referring to IP addresses; other than something descriptive to put into the bookmarks file or bar, URLs don’t exist … it’s all about the IP address …

That’s why we are referring to IP addresses; other than something descriptive to put into the bookmarks file or bar, URLs don’t exist … it’s all about the IP address

Well, yes and no. There’s more to the URL than just conversion to an IP address. It is extremely common for many web sites to share the same IP address… such as on shared hosting providers. So when the URL is passed to the web server, the web server determines (using the URL) which specific web site it serves up.

I suspect that is what Mr. @brad_H meant when he said he needs to block URLs, not IPs. I suspect that he needs to see and evaluate the URL, not JUST the target IP address.

I mean, what do I know about networking in 2021 (nuthin’)… but isn’t the only way to do this 100% a proxy?

Peter


Correct, shared hosting providers like ‘godaddy.com’ as well as DDoS shield services like ‘cloudflare.com’ use the URL portion of the HTTP header of an inbound connection to identify an ultimate destination, so that ‘mysite.com’ and ‘yoursite.com’ and ‘thissite.com’ can all share the same IP address of ‘godaddy.com’ … the machine hosting that specific IP on ‘godaddy.com’ or ‘cloudflare.com’ will decode the header portion of the connection packet and forward it on to the host for ‘yoursite.com’ and that host will determine from the header the browser type (for loading the right webpage), the originating IP (for blocking) and other stuff …

IMHO the WFP sample “inspect” [ https://docs.microsoft.com/en-us/samples/microsoft/windows-driver-samples/windows-filtering-platform-traffic-inspection-sample/ ] is still the right place to start … I would do an initial scan for a blacklisted IP (or range, as anything hosted on a bulletproof server can’t be good), then do examination of the connection packet header for more info (like the URL that the OP apparently wants to look at) … “inspect” will let you get at all that and more importantly lets you fail the connection attempt rather than attempt to interfere with it …

A proxy solution I’m not familiar with, so I’ll defer to the domain experts for that … :smile:
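Added example, not code from the thread or from any of the posters: the header check that Peter's and craig_howard's posts describe, in C. Shared hosts and CDN fronts route on the HTTP Host header, so a local proxy that sees the request head can tell mysite.com from yoursite.com even though both resolve to the same front IP. The names (http_extract_host, http_request_blocked) and the request bytes are constructed for this example; for HTTPS the same check runs on the decrypted request inside the proxy that Jason's post describes.

```c
/* Added example (not the thread's or any poster's code): Host-header
 * extraction and blocklist check for a local HTTP proxy. Names and the
 * sample request are constructed for this example. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the Host header value from an HTTP/1.x request head into out,
 * lower-cased and with any :port removed (an IPv6 literal in [] is kept
 * whole). Header names match case-insensitively; the search stops at the
 * blank line that ends the head. Returns 1 if found, 0 if absent or empty. */
int http_extract_host(const char *req, size_t len, char *out, size_t outlen)
{
    static const char key[] = "host:";
    size_t pos = 0;
    while (pos < len && req[pos] != '\n') pos++;   /* skip the request line */
    pos++;
    while (pos < len) {
        if (req[pos] == '\r' || req[pos] == '\n') return 0;  /* end of head */
        size_t eol = pos;
        while (eol < len && req[eol] != '\n') eol++;
        size_t end = eol;
        if (end > pos && req[end - 1] == '\r') end--;
        int hit = (end - pos >= 5);
        for (size_t i = 0; hit && i < 5; i++)
            if (tolower((unsigned char)req[pos + i]) != key[i]) hit = 0;
        if (hit) {
            size_t v = pos + 5, o = 0;
            while (v < end && (req[v] == ' ' || req[v] == '\t')) v++;
            int bracket = (v < end && req[v] == '[');
            for (; v < end; v++) {
                char c = req[v];
                if (c == ' ' || c == '\t' || (c == ':' && !bracket)) break;
                if (c == ']') bracket = 0;
                if (o + 1 >= outlen) return 0;
                out[o++] = (char)tolower((unsigned char)c);
            }
            out[o] = '\0';
            return o > 0;
        }
        pos = eol + 1;
    }
    return 0;
}

/* True if host equals entry or is a subdomain of it (both lower-case). */
static int host_under(const char *host, const char *entry)
{
    size_t hl = strlen(host), el = strlen(entry);
    if (el == 0 || hl < el || memcmp(host + hl - el, entry, el) != 0) return 0;
    return hl == el || host[hl - el - 1] == '.';
}

/* 1 = block, 0 = pass, -1 = no usable Host header (HTTP/1.1 requires one,
 * so a proxy can reasonably refuse such requests outright). */
int http_request_blocked(const char *req, size_t len,
                         const char *const *blocklist, size_t n)
{
    char host[256];
    if (!http_extract_host(req, len, host, sizeof host)) return -1;
    for (size_t i = 0; i < n; i++)
        if (host_under(host, blocklist[i])) return 1;
    return 0;
}

int main(void)
{
    /* constructed request: the same front IP could serve any of these hosts */
    const char *const blocklist[] = {"yoursite.com"};
    const char *req = "GET /page HTTP/1.1\r\nUser-Agent: demo\r\n"
                      "HOST: www.YourSite.com:443\r\n\r\n";
    printf("decision: %d\n", http_request_blocked(req, strlen(req), blocklist, 1));
    return 0;
}
```

The header name is matched without regard to case and the value is normalised before comparison, since a client is free to send "HOST:" and mixed-case names. The search stops at the blank line so that a "Host:" string appearing in a request body is never mistaken for the header, and an absent Host header is reported separately from a clean pass so the proxy can choose its own policy for malformed requests.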

@craig_howard said:

@brad_H said:

Unfortunately I need to block URLs, not IP addresses.

Hmm … there might be a gap in understanding how internet connections are made and resolved … I’m going to be vastly, vastly simplifying things here, bear with me …

Although I appreciate the explanation, I do understand how it works. As Peter said, I meant that I need to block URLs, not IP addresses, because for example the IP address that URL x resolves to might change 100 times a day, and get updated frequently too, not to mention cloud services that cause the same IP address to be assigned to many URLs…

That’s why I need to block only based on the URL address that process x tries to resolve to an IP, whether it’s a browser or any other application. And obviously this means that if the user types the IP manually this will get bypassed, but we’re talking about parental control here so the user is not advanced.

That’s why I need to block only based on the URL address that process x tries to resolve to an IP

Your terminology is causing the confusion here. You want to conditionally block DNS.

Start with using WFP to process DNS as described above; you can then worry about DNSSEC, DoH and DoT when you have a better grip on things.
Jason

Your terminology is causing the confusion here.

I’m sorry, but I disagree. His was a problem statement, but this…

You want to conditionally block DNS.

… is a suggested solution. And, with all due respect, this…

you can then worry about DNSSEC, DoH and DoT

… effectively means “you can go down the road to blocking DNS queries, and then discover that it doesn’t work in an increasingly large number of situations and therefore have to find another way to meet your requirements.”

With the ever-proliferating number of EP Defense products being developed, it shouldn’t surprise you that our team has looked at this very problem. I was not deeply involved, but IIRC the outcome was that the only solution in the encrypted cases was to use a proxy. Otherwise, you see encrypted data, and that’s not going to help.

Peter

@“Peter_Viscarola_(OSR)” said:
With the ever-proliferating number of EP Defense products being developed, it shouldn’t surprise you that our team has looked at this very problem. I was not deeply involved, but IIRC the outcome was that the only solution in the encrypted cases was to use a proxy. Otherwise, you see encrypted data, and that’s not going to help.

Peter

If I recall correctly Kaspersky basically does a MITM: it imports its own certificate into the cert store, and this way it intercepts DNSSEC and other encrypted traffic, so I guess this is one way of doing it. But it seems like a messy solution.