Blocking Domain's Issue (Cisco)

[kittylovermybut]

I wanted to try blocking some domains and ip's on my routers home page. Natrually, I just went into "Basic Rules" on my routers home page and tried entering the website I wanted to block into the "Blocked Domain List". I save directly afterwards and the site is still able to load. Am I forgeting to do something? I very unexperienced with routers and stuff, so dumb it down lol

 

[COLGeek]

Some routers will allow you to exclude some systems from the restricted domain list, you should make sure that isn't the case with you. Also, did you restart the router after making the list and enabling it?

 

[kittylovermybut]

Some routers will allow you to exclude some systems from the restricted domain list, you should make sure that isn't the case with you. Also, did you restart the router after making the list and enabling it?

Yes I added it and restarted the router. I even tried accessing the site from my phone with the service off. I can still get the site.

 

[COLGeek]

What make/model is your router?

 

[COLGeek]

When you entered the address into your router, did you enter as www.domain.com, or as domain.com? I would assume it should be the second option. I can try to verify with your router make/model.

 

[kittylovermybut]

Cisco DPQ3925C DOCSIS 3.0 is the model. Thanks for all the help man. I've just been copying the entire link from the page I want to block to no avail.

 

[COLGeek]

See page 68 of the manual:

http://www.cisco.com/c/dam/en/us/td/docs/video/at_home/Cable_Modems/3900_Series/OL-30824-01.pdf

Just enter the domain (like domain.com) and not the enter URL, in the blocked domain list.

 

[kittylovermybut]

See page 68 of the manual:

http://www.cisco.com/c/dam/en/us/td/docs/video/at_home/Cable_Modems/3900_Series/OL-30824-01.pdf

Just enter the domain (like domain.com) and not the enter URL, in the blocked domain list.

I literally just tried every combination to ban that site possible. Could there be somthing else wrong?

 

[COLGeek]

Do you have parental controls enabled?

 

[kittylovermybut]

Yes sir. This one has had me stumped. It should be working.

 

[COLGeek]

Do you have any other rules configured? Also, is your firmware on the router fully up to date?

Digging through your manual now for clues.

 

[kittylovermybut]

Where would I make sure its up to date? Do I need a program for that?

 

[COLGeek]

It looks like any firmware update would come from your cable provider. You can check the version you have installed via the router itself. Look at the Administration section of the manual.

What about any other rules you have in place. Are you running any others?

 

[bill001g]

I have never spent the time to figure out how this feature works. It either is dependent on the router acting as the DNS and it is intercepting these calls or it is parsing the URL headers looking for strings. Looking though URL headers tends to be extremely CPU intensive. It also only blocks http. Most https and other protocols will pass though a URL string filter.

The first method is a variation of the opendns solution and can likely be bypassed the same way if the PC has a direct DNS name. The second should be blocked it finds the string but this method can be bypassed on many sites by using the IP address directly in the url.

You may be unintentionally bypassing the filter but this is just a guess.

 

[COLGeek]

Assuming the router is using DHCP and assigning all client IP settings, those clients shouldn't be bypassing the rule set. Would you agree bill001g? BTW, bill001g knows networking quite well.

I am still curious about any other rules that may be present on this router and the possibility they are cancelling each other out.

I would also think that a Cisco router would be "smart" enough to not get fooled by a fixed IP or designated DNS bypass method. Before bill001g mentioned it, I hadn't given it any thought.

This acts almost like a whitelist whose listed systems are exempt from rules. I used to use such a system when my daughter was younger and living at home (pre-college).

 

[bill001g]

If the user is say using 8.8.8.8 as the DNS it will go directly out. I tend to set all my DHCP this way mostly because the router acting as a proxy sometimes does a poor job. If the client is set to use the router as its dns then it might be able to stop this if it works that way.

I tend to not even bother with DNS blocking since someone wanting to bypass only has to know how to use a host file.

To block IP addresses using domain requires a lot of work on the router. It would have to reverse lookup every ip address and see if it matched the domain. This only works to a point since ip many times map to a bunch of domains and it also tends to lie when you have akamai involved.

If the router is using a string scanner hoping to read a http header then it can be as simple as opening the pages with https. A huge number of sites are now supporting HTTPS. Even with a packet sniffer you see nothing. You would have to block completely based on IP address to stop https.

 

[COLGeek]

Good explanation, well done. Thanks.

So, given the OP's issue, what would be the most likely successful way of blocking a particular domain, given the router in question?

 

[bill001g]

This feature should work as advertised assuming the router is the DNS and it is filtering DNS calls. It could be as simple as a cached DNS entry in the PC from before the security is set.

I really don't know how this router is working. I tend to not even bother looking at features other than setting fixed IP filters since it not hard to bypass almost any consumer firewall. Where I work we tend to use proxy servers rather than firewall because it is much harder to cheat. Even the HTTPS trick with a local host file does not work since you must pass the actual url to the proxy.

 

[COLGeek]

This feature should work as advertised assuming the router is the DNS and it is filtering DNS calls. It could be as simple as a cached DNS entry in the PC from before the security is set.

I really don't know how this router is working. I tend to not even bother looking at features other than setting fixed IP filters since it not hard to bypass almost any consumer firewall. Where I work we tend to use proxy servers rather than firewall because it is much harder to cheat. Even the HTTPS trick with a local host file does not work since you must pass the actual url to the proxy.

More good info.

So, the OP needs to consider flushing the DNS on each client and ensuring no fixed DNS are assigned (use the router for all networking assignments via DHCP. Also, you are suggesting to block IPs vice domains. Is that correct?

 

[bill001g]

This feature should work as advertised assuming the router is the DNS and it is filtering DNS calls. It could be as simple as a cached DNS entry in the PC from before the security is set.

I really don't know how this router is working. I tend to not even bother looking at features other than setting fixed IP filters since it not hard to bypass almost any consumer firewall. Where I work we tend to use proxy servers rather than firewall because it is much harder to cheat. Even the HTTPS trick with a local host file does not work since you must pass the actual url to the proxy.

More good info.

So, the OP needs to consider flushing the DNS on each client and ensuring no fixed DNS are assigned (use the router for all networking assignments via DHCP. Also, you are suggesting to block IPs vice domains. Is that correct?

The only way to really block sites is to block by IP but there are still major challenges. A IP may represent many sites so you may end up blocking multiple web sites that share the IP. This tends to be common for small hosted sites. You also have the reverse where a domain maps to a huge number of ip because of things like akamai.

 

[kittylovermybut]

This feature should work as advertised assuming the router is the DNS and it is filtering DNS calls. It could be as simple as a cached DNS entry in the PC from before the security is set.

I really don't know how this router is working. I tend to not even bother looking at features other than setting fixed IP filters since it not hard to bypass almost any consumer firewall. Where I work we tend to use proxy servers rather than firewall because it is much harder to cheat. Even the HTTPS trick with a local host file does not work since you must pass the actual url to the proxy.

More good info.

So, the OP needs to consider flushing the DNS on each client and ensuring no fixed DNS are assigned (use the router for all networking assignments via DHCP. Also, you are suggesting to block IPs vice domains. Is that correct?

The only way to really block sites is to block by IP but there are still major challenges. A IP may represent many sites so you may end up blocking multiple web sites that share the IP. This tends to be common for small hosted sites. You also have the reverse where a domain maps to a huge number of ip because of things like akamai.

I would ping the site and ban the ip in question if I knew how to. I know how to get the IP in terminal obviously (Linux) but I'm gonna need help on how to block the sites in question with the IP I've collected.

 

[bill001g]

It would have to be in the ADD RULE screen. They do not show the details of how you do this in the manual. The other consumer routers I have used that work similar you can put in a list of ip that you deny. If you are going to deny for everyone it tends to be easier than denying for just certain users. What I have found though is very few routers allow you block subnets or range of ip with a single rule and some have a very small limit..like 10... total rules you can put in.

It is very strange that you can not get it to block on the domain maybe a it is a bug.