
Sites In Multiple Categories

Numerous sites are tagged in multiple categories.  I understand how a given site can fall under multiple categories but this reduces the effectiveness of the system.  An example is www.victoriassecret.com which is tagged as Ecommerce/Shopping and Lingerie/Bikini.  So to allow access either both categories need to be allowed or the site needs to be whitelisted (but on free OpenDNS there is a limit to the number of sites which can be whitelisted I assume - just like I know there is with blacklisting).  Allowing two (or more) entire categories to allow access to a single site is ridiculous.

Sites should only fall in one category.  In the example I used above, my opinion is that it should be Ecommerce/Shopping.  The reasoning is that the intent of the site is not that of a picture gallery... thus not simply existing to show pictures of, in this case, Lingerie/Bikini.  Yes, I know I know, kids blah blah.  Use a nanny filter to handle that if necessary.  But that's a parenting issue not an OpenDNS issue.

Thoughts??

6 Replies

mattwilson9090
Level 4

There is no such thing as "allowing" categories in OpenDNS. By default OpenDNS returns DNS results for all DOMAINS (not websites, it's an important difference). From there it can blacklist categories and domains, and whitelist domains, though the whitelisting only matters if the domain is in a category that is blacklisted.

Unchecking a category in the custom list is not the same as "allowing" it. Unchecking a domain is no longer blacklisting it, basically changing one's mind about blocking something, but not actually the same as allowing it. Although in nearly all situations the two are functionally the same, it is a subtle but important difference, especially when it comes down to how the entire system is engineered and designed.

There is one exception to this. One of the pay products (I think it's OpenDNS VIP but I'm not sure if I have the name correct) allows a whitelist only mode, but that is only for whitelisting domains, it does not have the ability to whitelist entire categories. It is only of very limited utility however, since there are only 50 whitelist slots (compared to the 25 in OpenDNS Home) and many "utility" domains (that casual browsers don't realize are used) need to be whitelisted for the internet to work. It's really only practical where someone wants or needs extremely limited access to the internet.

Although in a perfect world each domain would only belong to a single category, the world is not perfect, and as you said, domains such as victoriassecret.com can legitimately belong to more than one category as their primary purpose, in this case Ecommerce/Shopping and Lingerie/Bikini, since the website is intended to sell lingerie/bikinis, and to do so it displays images of such. It's not about protecting children, it's about properly categorizing domains and providing users the ability to block whatever categories they feel are appropriate for their needs. The same could probably be said about the domains for websites that sell such things as alcohol or firearms, to name two other categories that are considered controversial and many people want to block for various reasons.

It's not a perfect system, but unless someone is blocking a very large number of categories, these kinds of "intersections" are fairly rare, and most people can work around them with their whitelist.

Out of curiosity, how many categories are you blocking?

I started with filtering level "High" and consequently quickly found the limit on whitelisting (adding to "Never Block").  So I cleared the Never Block list and changed from High to custom, selected all categories and started browsing.  A little bit of a process but in the end it was pretty close after allowing various categories during my surfing test session.  Sounds all well and good but I knew I wasn't done... the wife and kid weren't home.  They get home and we went through the same process and that's where it fell apart.  My daughter tried to shop on www.victoriassecret.com.  Not surprised by the site being in two categories but that really got me thinking.  My wife had already been through her surfing test so Ecommerce/Shopping was already unchecked.  But now I have to uncheck another entire category or burn one of the precious Never Block entries.  Back to my original point - it's a shopping site.  I currently have 27 categories checked.  I'd have more but the www.victoriassecret.com is an example of why I don't.  Ideally I'd block everything and allow what is necessary but that can't be achieved due to the Never Block limitation.

You started off saying...

"There is no such thing as "allowing" categories in OpenDNS. By default OpenDNS returns DNS results for all DOMAINS (not websites, it's an important difference). From there it can blacklist categories and domains, and whitelist domains, though the whitelisting only matters if the domain is in a category that is blacklisted.

Unchecking a category in the custom list is not the same as "allowing" it. Unchecking a domain is no longer blacklisting it, basically changing one's mind about blocking something, but not actually the same as allowing it..."

Much of that is semantics.  If "porn" (or whatever it's labeled) is checked I can't get to sites tagged as such - they are blocked.  I don't care how it happens but I'm pretty sharp with computers (15 years in InfoSec, prior to that 5 years in network engineering and prior to that 5 years as sysadmin, writing code my entire career as well).  Name resolution is being manipulated...

 

─○ dig +short www.xxx.com
146.112.61.106

─○ dig +short -x 146.112.61.106
hit-adult.opendns.com.

 

Maybe the answer is to an option specifying if filtering/blacklisting/whitelisting (whatever you want to call it) for children and that somehow changes how some settings are enforced (or not) in conjunction with how domains are tagged.  Or it may come down to the [free] OpenDNS is not for my household.

 

I appreciate your response, thank you.

 

mattwilson9090
Level 4

If you selected all categories to block then you were far more restrictive than the High level. 27 categories blocked is still a huge number, and it's guaranteed to cause problems and require a lot of maintenance, and will likely quickly fill up your whitelist. Quite frankly, OpenDNS was never intended to be used that way, especially the free OpenDNS Home product. It has nothing to do with you not liking that some domains are appropriately categorized in multiple categories.

My statements are not just a matter of semantics. They go to how OpenDNS was designed and functions. OpenDNS by default returns results for all DNS queries unless someone has specifically blocked that domain by category or via blacklist. It in no way "manipulates" those lookups. It also does not have to compare every single lookup against what would be a rather extensive whitelist if unchecking a category was "allowing" that category. It also means that all of the many, many domains that are not categorized will not be blocked unless they are specifically added to the blacklist. If unchecking a category was the same as "allowing it" then you would not be able to reach any of those uncategorized domains unless they were added to your whitelist since they do not belong to a category that you could "allow". There really is a huge difference between no longer blocking a category and allowing it.

It really doesn't matter how many years of experience you've had in IT related fields if you can't, or won't, grasp the fundamentals of how OpenDNS functions, and you don't seem to be grasping how it actually functions. And yes, it DOES matter how it functions, along with the words that describe it.

At this point I don't see OpenDNS making any fundamental changes to how the free product functions. It's a mature, established product, and there simply is no benefit to them in reengineering the entire product that they don't even get any income from. They certainly are not going to be adding functionality that would somehow require additional information to be sent that would allow OpenDNS to figure out who the individual user is or how old they are.

They already have various pay products that allow different filtering options, including filtering based upon specific users or groups of users. However all of them are still a blacklisting system, with whitelisting only used as exceptions to categories that are blocked. There is still no sense of "allowing" categories. They all use some form of agent to accomplish that, and there is no agent associated with OpenDNS Home. The pay products also have options for bypass accounts or codes, which are not tied to agents and can be used on their own or in conjunction with the agent.

There are also routers with LPC (Live Parental Controls) though I think the only vendor currently making them is Netgear. They leverage OpenDNS, and via their Genie software can allow a number of exceptions or bypasses.

But no it does not sound like the OpenDNS Home product is for you since you seem to be treating it as a different product from what it really is, and then being disappointed because you aren't getting the results that you want.

Initially I thought you were going to be a worthy participant to come up with the basis for a suggested feature change/addition... which could make the product more "mature" and "established", as you say.  Established?  Sure.  Mature?  Getting there.  It doesn't generate revenue?  Are you kidding?  The free system is the steering wheel, the launching pad into the paid system.

You're not being semantic?  You said "There is no such thing as "allowing" categories in OpenDNS.".  Then what are all the checkboxes for different categories for?  You know, the ones that I check and uncheck to either reach or not reach a site in that category?  Let me dumb it down for you.  Can't get to a given site in a given category and that category is checked?  Well then uncheck that category and the site is reachable.  That is "allowing" the site... allowing via the category.  If it's not allowed what is it?  Blocked or blacklisted?  Blocked.  Blacklist comes into play when a given category is not checked (meaning it's allowed) but a user still wants to deny access to it.  But blocked or blacklisted doesn't matter - the result is the same was my point.  Whitelist, conversely, comes into play when a category is blocked... don't want users to reach the sites in the category... with exception to whatever is whitelisted.  Given the limits on the number of entries in the whitelist ("Always Allow" section) and blacklist ("Always Block" section) this system, again, is designed to steer people to the paid service which I'm sure provides less restrictions, more functionality.  Again, so it's a part of how they generate revenue.  This is big picture business.

In more specific technical terms, yes, I absolutely understand DNS (and many, many more technologies) though it seems you don't.  The point of the service is to resolve names but doing so according to the rules (how the user configures their account) and not to resolve per normal processes (authoritative, recursion, referrals, etc)... thus it manipulates the records that are returned.  This is all the point of DNS - I have contributed code to Bind, designed global DNS infrastructures and managed countless DNS deployments of various services (Bind, Tiny, Microsoft, etc) and all sizes.  All entirely relevant experience to understanding this system.

My proposed change is not fundamental in nature.  Writing code for about 30 years, I am well versed in how features can be added after the fact.

I see it my way and you see it your way.  The difference is that you seem to fall into the masses that don't fully understand the technical workings and simply need a general solution... fits most people in most situations.  I am not disappointed as you assumed with it - I just think it needs some enhancements which is why I started this thread.  There's nothing wrong with you for feeling the way you do given your clear lack of understanding.  More importantly, there's nothing wrong with the system.  But for those of us that want something more flexible, more secure then there is at one definite shortcoming (the single site being listed in multiple categories).  You are right in that regard - it seems the free offering is not for my needs.  I could easily couple it with other technologies (additional blackholing DNS on the authoritative DNS I already run, outbound firewall ACLs, proxy, etc) or i could abandon the use of this system (which I do see value in - though I didn't drink the OpenDNS Kool-Aid like you).  But I'd still need another solution which is likely multiple technologies working in conjunction like I already mentioned.

Best of luck to you.

mattwilson9090
Level 4

I'm not going to waste any more of my time on you. I've explained to you how OpenDNS works, and you insist that it works in a completely different manner, while completely ignoring all of the points I made and the details I explained. You then proceed to insult and belittle me because you've decided that you have more knowledge and experience than me, and are likely smarter as well.

Have fun in finding whatever solution you like, but you won't be getting any further input from me.

rotblitz
Level 6

"Ideally I'd block everything and allow what is necessary"

If this is what you're looking for, you use OpenDNS Home VIP which comes with whitelist-only mode and a bigger whitelist.

"Maybe the answer is to an option specifying if filtering/blacklisting/whitelisting (whatever you want to call it) for children and that somehow changes how some settings are enforced"

The solution here is to use the OpenDNS FamilyShield resolver addresses 208.67.222.123 and 208.67.220.123 instead of the normal ones.
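
Added example, not part of any post in this thread and not OpenDNS code: a small model of the filtering behaviour the replies describe (resolve by default, block when any one of a domain's categories is checked, Never Block as the exception, and the whitelist-only mode of the paid product). The function names, the sample tags and the precedence of Never Block over Always Block are assumptions made for illustration.

```python
# Added illustration; not OpenDNS code. Domain tags are constructed sample data.
SAMPLE_TAGS = {
    "victoriassecret.com": {"Ecommerce/Shopping", "Lingerie/Bikini"},
    "shop.example": {"Ecommerce/Shopping"},
}


def _covers(entry, domain):
    """True if domain is the entry itself or one of its subdomains."""
    return domain == entry or domain.endswith("." + entry)


def categories_of(domain, tags=SAMPLE_TAGS):
    """Union of the categories of every tagged domain covering `domain`."""
    found = set()
    for entry, cats in tags.items():
        if _covers(entry, domain):
            found |= cats
    return found


def decide(domain, blocked_categories, never_block=(), always_block=(),
           whitelist_only=False, tags=SAMPLE_TAGS):
    """Return (verdict, reason) for one DNS lookup under the thread's model."""
    domain = domain.lower().rstrip(".")
    # Assumption: a Never Block entry wins over everything else.
    if any(_covers(e, domain) for e in never_block):
        return ("resolve", "never-block entry")
    # Whitelist-only mode (the paid option mentioned above) is default-deny.
    if whitelist_only:
        return ("block", "whitelist-only mode")
    if any(_covers(e, domain) for e in always_block):
        return ("block", "always-block entry")
    # One checked category is enough, however many others are unchecked.
    hits = categories_of(domain, tags) & set(blocked_categories)
    if hits:
        return ("block", "category: " + ", ".join(sorted(hits)))
    # Default: uncategorized or unblocked domains simply resolve.
    return ("resolve", "no blocked category")


def must_uncheck(domain, blocked_categories, tags=SAMPLE_TAGS):
    """Categories to uncheck before `domain` resolves without a Never Block entry."""
    domain = domain.lower().rstrip(".")
    return sorted(categories_of(domain, tags) & set(blocked_categories))
```

With only Lingerie/Bikini checked the shopping site is still blocked, while an uncategorized domain resolves in the default mode and is blocked in whitelist-only mode, which is the difference between "no longer blocking" and "allowing" argued over above.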