XII. Firewall/Security Features

How to block HTTPS sites using the Web Content Filter and DNS Filter

Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Blocking Sites

DrayTek routers that support DNS Filtering are able to inspect DNS requests and control access using either the Web Content Filter (all models) or the URL Content Filter (3.7.6 firmware or later required).

This makes it possible to make filtering decisions for HTTPS requests by examining the DNS requests. It works regardless of the DNS server configured on the PC, provided the DNS request passes through the router's WAN, so it's not possible to bypass DNS Filtering when applied on the router.

With firmware 3.7.6 onwards, the DNS filter is applied by using the firewall, which makes it possible to apply the DNS filtering either to specific network segments or to make exemptions for specified local IP addresses.

In this example, access to Facebook will be blocked using the Web Content Filter, which will block HTTP access, then the DNS Filter will be used to apply the Web Content Filter for HTTPS or non-HTTP traffic.

Please note that the router must have an active GlobalView Web Content Filter license to use the Web Content Filtering facility or perform Web Content Filtering through the DNS Filter.

Firmware 3.6.x

The DNS Filter feature from firmware onwards inspects all DNS queries going through the router and is able to check these against the GlobalView Web Content Filter categorisation, so that sites in blocked categories are blocked by the router.

To set this up, go to [CSM] > [Web Content Filter Profile] and make sure that the router has a valid and active Web Filter license. To configure the web content filtering, select a profile index number by clicking on the number:

In the Web Content Filter Profile, give the profile a suitable name, set the Action setting to Block and select the categories to block. In this example, "Social Networking" will be blocked. Click OK to save the settings of the profile:

Upon clicking OK, the router will pop up this warning:

This is for your information only and does not affect the configuration of the Web Content Filter. Click OK to continue.

With the Web Content Filter Profile configured, the DNS Filter can now be configured. Go to [CSM] > [DNS Filter], enable the filter and select the Web Content Filter profile to apply using the DNS Filter:

Click OK to save and apply those settings. The DNS Filter will now monitor all DNS lookups going through the router to check the category of each website accessed. If the category is blocked, the router will modify the DNS response so that the site being accessed will instead show the router's block page. The message it shows can be configured on the [CSM] > [DNS Filter] page.

This is an example of blocked access to Facebook through the router:

Please note that some browsers will not show this message and will instead show a certificate error.
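
The mechanism described above (read the hostname from the DNS query, check its category, rewrite the response to point at the block page) can be sketched as follows. This is an added illustration, not DrayTek's code: the category table, the block page address 192.168.1.1 and all function names are assumptions made for the example.

```python
import socket
import struct

# Constructed stand-in for the category lookup; the real service is not modelled here.
CATEGORIES = {"facebook.com": "Social Networking", "example.org": "Reference"}
BLOCKED = {"Social Networking"}   # categories set to Block in the profile
BLOCK_PAGE_IP = "192.168.1.1"     # assumed address serving the block page

def build_query(name, txid=0x1234):
    """Build a minimal A-record query, as a PC would send to any DNS server."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_qname(msg, off=12):
    """Return (hostname, offset just past QNAME) from the question section."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels).lower(), off + 1

def category_of(host):
    """Match the host or any parent domain against the category table."""
    parts = host.split(".")
    for i in range(len(parts)):
        cat = CATEGORIES.get(".".join(parts[i:]))
        if cat:
            return cat
    return None

def filter_query(query):
    """Return a rewritten response for blocked names, or None to forward upstream."""
    host, end = read_qname(query)
    if category_of(host) not in BLOCKED:
        return None
    question = query[12:end + 4]  # QNAME + QTYPE + QCLASS, echoed back
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    # Answer: pointer to the QNAME at offset 12, type A, class IN, TTL 60, 4-byte address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(BLOCK_PAGE_IP)
    return header + question + answer

def answer_ip(resp):
    """Read the A record from a single-answer response (its last four bytes)."""
    return socket.inet_ntoa(resp[-4:])
```

The decision is made on the plaintext hostname in the query, which is why it applies to HTTPS sites. When the browser then opens an HTTPS connection to the substituted address, the block page cannot present a certificate for the blocked site's name, which is the certificate error noted above.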
