Best solution for blocking certain websites in Windows?

Make them use the right browser. The good Microsoft will take care of the rest.
Filter websites and searches in Microsoft Edge

Tragically (not), Edge is slated to be taken out back, told to look at the sunset and dispatched like Cortana, Clippy and IoT Core [ https://9to5google.com/2020/08/18/microsoft-edge-legacy-replaced-chromium/ ] … Microsoft is indeed taking care of the rest …

@craig_howard said:

@brad_H said:
Hey experts,

I have a task to write a parental control application for blocking certain black list websites.

I guess the two solutions that came to my mind were either using NDIS or WFP to check DNS requests and block if the DNS request matches one of the blacklisted websites.

So which of them is better for this task? Or is there any easier solution than this?

Also note that there are situations such as DNSSEC; is this possible to do in case an application uses DNSSEC?

It’s going to be exceptionally difficult, IMHO … were it me I would simply purchase an off the shelf solution like NetNanny and be done with it. Here’s why … (and you likely already know this, this is just for the benefit of others who might find this on a search) … other than the most trivial websites, everyone uses essentially a front facing well known IP address and a slew of servers that the actual connection is made to … so you surf to “youtube.com” [142.250.189.174] but when you pick a video to watch and you look at a connection viewer you’ll find a different address actually serving the content. That means if you “blackhole” the “youtube.com” address in “hosts” or by blocking that connection in WFP or in an NDIS handler unless you “blackhole” the actual service address sending the content all you’re doing is forcing someone to use a different front facing address (which will change based on region, the content provider using a DDOS blocker like CloudFlare or even due to load balancing, as it’s just a DNS entry). That’s a reverse of the problem that content providers like NetFlix face, where they want to restrict certain regions from getting content and people simply use a VPN to change their address …

You’re going to be playing an eternal “whack-a-mole” game if you go down the “block the IP address” route other than for the guy with a WordPress app running on his computer in the basement connected to a ComCast router, essentially, which is what the commercial applications have to do and why they issue daily updates … it’s going to be easier to simply acknowledge that and go drop the $30 for the subscription …

Unfortunately, using off the shelf solutions is not an option for me.
So if you HAD to write an application that blocks certain websites (written as a kernel driver or user mode app), and no matter which process is trying to resolve that host address (so not just by certain browsers), what would you do?

@Pavel_A said:
Make them use the right browser. The good Microsoft will take care of the rest.
Filter websites and searches in Microsoft Edge

In my case, I need to block any process that tries to connect to blacklisted URLs, so just blocking it in certain browsers is not enough.

@brad_H said:
Unfortunately, using off the shelf solutions is not an option for me.
So if you HAD to write an application that blocks certain websites (written as a kernel driver or user mode app), and no matter which process is trying to resolve that host address (so not just by certain browsers), what would you do?

Start with the “inspect” WFP sample, have it check the connection IP against a blacklisted list maintained as a binary hash table in the registry. Have a usermode application update the hash table as needed, and play “whack a mole” adding IPs to the hash table …

So if you HAD to write an application that blocks certain websites
… I’d start from understanding what a website is. As craig_howard noted above, this is not trivial. If you are lucky, the user (“parent”) will provide you a ready list of IPs. Otherwise, you will have to resolve (changing) IPs from domain names.
And hope that smart kids don’t use other devices or Tor to access banned sites.

@craig_howard yes, the poor Spartan is dead (as so many things that Microsoft tried to make themselves… sigh) but the Chromium Edge is a dandy.
On my newer win10 PCs I don’t even install other browsers. Only latest “dev” Edge. It works great with everything, even with Google mail and other apps. And IT HAS DISTRACTION-FREE MODE like Safari! Absolutely cool.

@craig_howard said:

@brad_H said:
Unfortunately, using off the shelf solutions is not an option for me.
So if you HAD to write an application that blocks certain websites (written as a kernel driver or user mode app), and no matter which process is trying to resolve that host address (so not just by certain browsers), what would you do?

Start with the “inspect” WFP sample, have it check the connection IP against a blacklisted list maintained as a binary hash table in the registry. Have a usermode application update the hash table as needed, and play “whack a mole” adding IPs to the hash table …

Yes, I have worked with that, but the problem with solutions such as WFP or NDIS is that they fail to detect domains when they are resolved using DNSSEC. What is the solution for this?

@Pavel_A said:

So if you HAD to write an application that blocks certain websites
… I’d start from understanding what a website is. As craig_howard noted above, this is not trivial. If you are lucky, the user (“parent”) will provide you a ready list of IPs. Otherwise, you will have to resolve (changing) IPs from domain names.
And hope that smart kids don’t use other devices or Tor to access banned sites.

@craig_howard yes, the poor Spartan is dead (as so many things that Microsoft tried to make themselves… sigh) but the Chromium Edge is a dandy.
On my newer win10 PCs I don’t even install other browsers. Only latest “dev” Edge. It works great with everything, even with Google mail and other apps. And IT HAS DISTRACTION-FREE MODE like Safari! Absolutely cool.

Unfortunately I need to block URLs, not IP addresses.

Protection at the “DNS53 layer” is trivial and can be achieved by redirecting the DNS packets into user mode using WFP at either the ALE_CONNECT_REDIRECT or DATAGRAM_DATA layers. You can then make a decision after parsing the packet.

I am not familiar with DNSSEC but a quick look over the RFC suggests to me that if your application was running as Admin then you could probably MITM it by controlling the keys it uses for validating. (Note: I could be very, very wrong on this)

DoH will require you to intercept and process traffic as mentioned below, but look for the “application/dns-message” content-type header.

If your goal is to block certain URLs then you will need a local transparent HTTP/S proxy. You could then redirect outbound TCP 80, 443, XXX into this local proxy using WFP. For decrypting the HTTPS stream you’ll need to generate certificates on the fly, signed by a locally generated CA that you’ve put into the Trusted Certificate Store (manually or programmatically).

If you want to support machines that could be behind a corporate proxy then things are a bit more awkward.
Jason

@brad_H said:

Unfortunately I need to block URLs, not IP addresses.

Hmm … there might be a gap in understanding how internet connections are made and resolved … I’m going to be vastly, vastly simplifying things here, bear with me …

When you’re sitting at the browser (or other application) and type “www.youtube.com”, that itself is just a string of letters. That’s like describing your address as “the blue house in the middle of the block”, descriptive and memorable but useless.

Anything on the internet is given an address (through a variety of methods) which is the IP address, looking like 123.456.789.abc which is like your house at “123 Main St” … it’s how the location is actually found.

The “www.youtube.com” is converted into the IP address “123.456.789.abc” by using either a local hosts table (uncommon) or by communicating with another program called a “domain name server” which is usually (but not always) run by your ISP. The IP address of the DNS is listed in your network properties tab (and it’s obtained through a variety of ways), and the browser first connects to the DNS and says “what is the IP address of this ‘www.youtube.com’ thing” and the DNS responds “123.456.789.abc”. The browser then says “cool!” and connects to that address to actually access “youtube.com”.

That’s why we are referring to IP addresses; other than something descriptive to put into the bookmarks file or bar, URLs don’t exist … it’s all about the IP address …

That’s why we are referring to IP addresses; other than something descriptive to put into the bookmarks file or bar, URLs don’t exist … it’s all about the IP address

Well, yes and no. There’s more to the URL than just conversion to an IP address. It is extremely common for many web sites to share the same IP address… such as on shared hosting providers. So when the URL is passed to the web server, the web server determines (using the URL) which specific web site it serves up.

I suspect that is what Mr. @brad_H meant when he said he needs to block URLs, not IPs: I suspect that he needs to see and evaluate the URL, not JUST the target IP address.

I mean, what do I know about networking in 2021 (nuthin’)… but isn’t the only way to do this 100% a proxy?

Peter


Correct, shared hosting providers like ‘godaddy.com’ as well as DDOS shield services like ‘cloudflare.com’ use the URL portion of the HTTP header of an inbound connection to identify an ultimate destination, so that ‘mysite.com’ and ‘yoursite.com’ and ‘thissite.com’ can all share the same IP address of ‘godaddy.com’ … the machine hosting that specific IP on ‘godaddy.com’ or ‘cloudflare.com’ will decode the header portion of the connection packet and forward it on to the host for ‘yoursite.com’ and that host will determine from the header the browser type (for loading the right webpage), the originating IP (for blocking) and other stuff …

IMHO the WFP sample “inspect” [ https://docs.microsoft.com/en-us/samples/microsoft/windows-driver-samples/windows-filtering-platform-traffic-inspection-sample/ ] is still the right place to start … I would do an initial scan for a blacklisted IP (or range, as anything hosted on a bulletproof server can’t be good), then do examination of the connection packet header for more info (like the URL that the OP apparently wants to look at) … “inspect” will let you get at all that and more importantly lets you fail the connection attempt rather than attempt to interfere with it …

A proxy solution I’m not familiar with, so I’ll defer to the domain experts for that … :smile:

@craig_howard said:

@brad_H said:

Unfortunately I need to block URLs, not IP addresses.

Hmm … there might be a gap in understanding how internet connections are made and resolved … I’m going to be vastly, vastly simplifying things here, bear with me …

Although I appreciate the explanation, I do understand how it works. As Peter said, I meant that I need to block URLs, not IP addresses, because for example the IP address that URL x resolves to might change 100 times a day, and get updated frequently too, not to mention cloud services that cause the same IP address to be assigned to many URLs…

That’s why I need to block only based on the URL address that process x tries to resolve to an IP, whether it’s a browser or any other application. And obviously this means that if the user types the IP manually this will get bypassed, but we’re talking about parental control here so the user is not advanced.

That’s why i need to block only based on the URL address that process x tries to resolve to IP

Your terminology is causing the confusion here. You want to conditionally block DNS.

Start with using WFP to process DNS as described above, you can then worry about DNSSEC, DoH and DoT when you have a better grip on things.
Jason
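As an added illustration of the decision step Jason describes in both of his posts (redirect the DNS53 query into user mode with WFP, parse it, then decide), here is example code that is not from this thread or from the WFP sample: it extracts the question name from a raw DNS message and matches it against a constructed blocklist. The WFP callout and the redirection plumbing are assumed to exist around it; the blocklist entries and the sample query bytes are constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Constructed blocklist standing in for the parent's list (hypothetical names). */
static const char *const kBlocklist[] = { "example.com", "badsite.test" };

/* Decode the first question name of a raw DNS message (RFC 1035 wire format)
   into dotted form. Returns 1 on success, 0 if the message is malformed.
   Compression pointers (top two bits set) are rejected: a client's question
   section is never compressed, so one here marks a crafted or corrupt packet. */
int dns_first_qname(const uint8_t *pkt, size_t len, char *out, size_t outlen) {
    size_t pos = 12, o = 0;                 /* question follows the 12-byte header */
    if (len < 12 || (pkt[4] == 0 && pkt[5] == 0)) return 0;  /* QDCOUNT == 0 */
    while (pos < len) {
        uint8_t lab = pkt[pos++];
        if (lab == 0) { if (o == 0) return 0; out[o - 1] = '\0'; return 1; }
        if ((lab & 0xC0) || pos + lab > len || o + lab + 1 >= outlen) return 0;
        memcpy(out + o, pkt + pos, lab);
        o += lab; pos += lab;
        out[o++] = '.';
    }
    return 0;                               /* ran off the end before the root label */
}

/* 1 when qname equals a blocklist entry or is a subdomain of one (case-insensitive). */
int name_is_blocked(const char *qname) {
    size_t qlen = strlen(qname);
    for (size_t i = 0; i < sizeof kBlocklist / sizeof kBlocklist[0]; i++) {
        const char *b = kBlocklist[i];
        size_t blen = strlen(b), k;
        if (qlen < blen || (qlen > blen && qname[qlen - blen - 1] != '.')) continue;
        for (k = 0; k < blen; k++)
            if (tolower((unsigned char)qname[qlen - blen + k]) != tolower((unsigned char)b[k])) break;
        if (k == blen) return 1;
    }
    return 0;
}

/* Verdict for one query the WFP callout redirected to user mode: 1 = drop it.
   Malformed messages are passed through so a parser bug cannot take down all
   name resolution; the upstream resolver will reject them anyway. */
int should_drop_query(const uint8_t *pkt, size_t len) {
    char name[256];
    return dns_first_qname(pkt, len, name, sizeof name) && name_is_blocked(name);
}

/* Constructed sample: a standard A query for www.example.com, ID 0x1234. */
static const uint8_t kQueryWwwExample[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
```

A dropped query simply times out in the client, which is the behaviour the thread's DNS-blocking approach relies on; DoH and DoT traffic never reaches this parser, which is the limitation discussed below.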

Your terminology is causing the confusion here.

I’m sorry, but I disagree. His was a problem statement, but this…

You want to conditionally block DNS.

… is a suggested solution. And, with all due respect, this…

you can then worry about DNSSEC, DoH and DoT

…effectively means “you can go down the road to blocking DNS queries, and then discover that it doesn’t work in an increasingly large number of situations and therefore have to find another way to meet your requirements. “

With the ever-proliferating number of EP Defense products being developed, it shouldn’t surprise you that our team has looked at this very problem. I was not deeply involved, but IIRC the outcome was that the only solution in the encrypted cases was to use a proxy. Otherwise, you see encrypted data, and that’s not going to help.

Peter

@“Peter_Viscarola_(OSR)” said:
With the ever-proliferating number of EP Defense products being developed, it shouldn’t surprise you that our team has looked at this very problem. I was not deeply involved, but IIRC the outcome was that the only solution in the encrypted cases was to use a proxy. Otherwise, you see encrypted data, and that’s not going to help.

Peter

If I recall correctly Kaspersky basically does a MiTM: it imports its own certificate into the cert store, and this way it intercepts DNSSEC and other encrypted traffic, so I guess this is one way of doing it. But it seems like a messy solution.

@Jason_Stephenson said:

That’s why i need to block only based on the URL address that process x tries to resolve to IP

Your terminology is causing the confusion here. You want to conditionally block DNS.

I apologize; yeah, now that I am reading my question again I think I could’ve worded it better. I basically want to intercept DNS & DNSSEC packets and block certain URLs from getting resolved.

That’s why i need to block only based on the URL address that process x tries to resolve to IP
If he had stated this in his OP then the vast majority of the ramblings in this thread could have been avoided. Ergo: confusing.

is a suggested solution
Is the solution he needs and has asked for

you can go down the road to blocking DNS queries, and then discover that it doesn’t work in an increasingly large number of situations and therefore have to find another way to meet your requirements.
Will allow him to provide security for 90% of applications which are attempting to resolve IPs while he builds up some understanding of DNS (and perhaps network protocols in general) before he moves on to the edge cases (other protocols). A standard iterative design approach.

@Jason_Stephenson said:

That’s why i need to block only based on the URL address that process x tries to resolve to IP
If he had stated this in his OP then the vast majority of the ramblings in this thread could have been avoided. Ergo: confusing.

That’s only one solution to this problem; that is why I didn’t say it in my OP. I basically want to block any process from connecting to URL x, whether via blocking DNS requests or any other method. Hell, one might even inject into all processes and hook API calls to achieve this; it’s all up to you to decide which method is better.

Note that I already solved the problem for the case of simple DNS requests, via blocking the request. My main concern right now is DNSSEC.

There is a lot of questionable wisdom on this thread. That’s true of most of the world of REST interfaces just as much as the world of those products designed to regulate them.

It should be clear that there are many complex interactions between different levels of the classic OSI networking layers happening here.

In the beginning, the earth was void and without a forum for discussions of this kind. Whoops, wrong beginning.

In the beginning the DNS cache will be empty and no extant TCP or UDP streams will exist. Then a request will be made to resolve a URL; there are many possible ways that this may be done by different UM programs, and several ways in which the OS might provide this. Ultimately, using one or more streams of UDP or TCP packets the ‘base URL’ will be resolved. That part will give you a basic IP address (IPv4 or IPv6 or theoretically an address in any other protocol at this level), but that doesn’t help you much. As others have pointed out, many different base URLs can resolve to the same IP address.

The next part is to understand the other parts of the URL: the path and the query string.

Next you need a state machine that understands the nuances of those requests.

And then you need to do it all again, every time the semantics of the interface change, which is a frequent occurrence.