XII. Firewall/Security Features

How to block HTTPS sites using the URL Content Filter and DNS Filter

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765
Show all

Keywords:
csm
dns
filtering
https
Show all

DrayTek routers with firmware 3.7.6 and later have DNS Filtering which is able to apply the keyword filtering of the URL Content Filter. This makes it possible to make filtering decisions for https requests by examining the DNS requests and will work regardless of the DNS server configured on the PC, provided the request goes through the routers WAN, so it's not possible to bypass DNS Filtering when applied on the router.

In this example, access to Facebook will be blocked using the URL Content Filter blocking the keyword of "facebook", which will block HTTP access, then the DNS Filter will be used to apply the URL Content Filter for HTTPS or non-HTTP traffic. This can be applied either to the entire network using the Default Rule, or it can be applied using Firewall Filter rules - using a filter rule makes it possible to apply the DNS filtering to specific network segments and schedule it if necessary. Please refer to this knowledge base article for details on Scheduling Filter Rules.

There are two types of DNS Filtering on the router:
The DNS filter applied through the firewall has multiple profiles and filters all external DNS access.
The DNS Filter Local Setting filters DNS lookups that use the router IP as the DNS server.

This guide will cover the configuration of both as it is recommended to configure both types of filter to ensure effective DNS filtering.


To set this up, it's necessary to configure the keyword to block first of all, go to [Objects Setting] > [Keyword Object]. To configure a keyword, select a profile index number by clicking on the number:

Give the Keyword Object a suitable name and set the Contents field as "facebook":

Click OK to save the keyword object.


Go to [CSM] > [URL Content Filter Profile] and select an un-used profile by clicking the number link i.e. "1." to go into the profile:

Give the profile a suitable name and set it up as shown:

Priority: Either: URL Access Control First
Tick Enable URL Access Control
Tick Prevent web access from IP address
Set the Action to Block

Click Edit to set the Keywords that are applied in the URL Content Filter, which will pop-up a window to select which Keyword Objects or Keyword Groups will be used:

Click OK to close the pop-up window and click OK on the URL Content Filter Profile to save that profile.


With the URL Content Filter Profile configured, the DNS Filter Local Setting can now be configured, go to [CSM] > [DNS Filter]. On there, enable the filter and select the URL Content Filter profile to apply using the DNS Filter. The DNS Filter Local Setting affects filtering on the router's DNS server i.e. if a client uses the router IP as the DNS server, the DNS Filter Local Setting needs to be configured.

Click OK to save that then go into one of the DNS Filter profiles in the DNS Filter Profile Table to set up the filtering that will link to the firewall:

In the profile, give it a suitable name and select the URL Content Filter Profile to use, then click OK:

The DNS Filter can now be linked to the firewall and there are two different methods for applying this:

Default Rule - The default rule CSM settings will affect the whole network, it is possible to make exemptions from this or set up other CSM profiles through the use of a filter rule.

Filter Rule - Filter rules can be used to apply CSM to specific network segments i.e. a guest network on 192.168.3.x or apply the rules on a schedule. They can also be used to make exemptions to CSM filter settings configured in the Default Rule, or apply a different profile to a specific network segment while applying CSM using the Default Rule.

Default Rule

To set the URL Content Filter and DNS Filter in the Default Rule so that it affects all users, go to [Firewall] > [General Setup] then click on the Default Rule tab. On there, select the URL Content Filter Profile and DNS Filter Profile to use. It is important to use both to ensure that both HTTP and HTTPS traffic can be inspected and filtered by the router.
Click OK to apply the CSM filtering which will take effect immediately:


The DNS Filter will now monitor DNS queries going through the router to check whether the hostname matches the keywords being blocked by the URL Content Filter. If they are blocked, the router will modify the DNS response so that the site being accessed will instead show the router's block page. The message it shows can be configured on the [CSM] > [DNS Filter Profile] page.

This is an example of blocked access to Facebook through the router:

Please note that some browsers will not show this message and will instead show a certificate error.


How do you rate this article?

1 1 1 1 1 1 1 1 1 1