I'm using OpenDNS to block adult content in my office.
Is there any way I can redirect the OpenDNS page I'm getting to my proxy error page?
The page is:
https://blcok.opendns.com/
?
RouterOS also has the ability, but you still have to force the users to accept the certificate mismatch. This is the wrong way to go about this in the OP's situation. If you use a free service and don't like their error page, maybe don't use this service, or start paying, so you can replace the error message in an official way.
Mikrotik won't be the right choice for web content filtering.
Other devices (Sonicwall? Fortigate?) have features where you can upload your own CA certificate, and install that CA cert on the internal computers. Now the router can generate certs on the fly and those certs will be trusted by the internal computers. Only now can you have the option to redirect HTTPS pages without internal computers displaying certificate errors. If a visitor comes onsite, he'll see the cert errors since he doesn't have the CA installed.
This is why you should NEVER install a trusted CA certificate unless you actually trust that CA and know that their root cert is secure. Any time a CA cert is compromised, the ENTIRE INTERNET is compromised for any computer trusting that certificate. Because now, hackers could use that cert to sign ANYTHING they want - including mybank.example.com, www.google.com, etc. And your computer would consider it LEGITIMATE.
Now the router can generate certs on the fly and those certs will be trusted by the internal computers. Only now can you have the option to redirect HTTPS pages without internal computers displaying certificate errors.
Neither would I, and as the I.T. of a company I wouldn't ask guests or contractors to do so. But they would be expected to use the guest wifi where there would be no content filter because what they do on their own computers isn't my concern.
I would never, ever accept a third-party root CA from anyone telling me that I had to install it on my computer in order to use their network
And that is the reason, I developed a simple clone of openDNS for a hotspot provider. With custom "Blocked !" page, of course.
To use it for business purposes it is formally required to ask them for a quote for a paid account. And it is very expensive (I tried).
Excellent detail to point out.
Because of the costs of openDNS for commercial use, but the necessity of filtering the access to public, open hotspots of a client, I did a "worst case" DNS-server, considering several blocklists, most of all porn, of course, but also gambling etc. So no special consideration of age-ranges, because of open access.
Only filtering of domains, _not_ URL based. Quality of filter depends upon blocklists used, of course.
Correct. _BUT_ URL filters are much slower, because of the 'work' involved to parse the URL and some type of required database access.
DNS blocking can only block the server somesite.example.com - meaning you couldn't get to the family-friendly.html page either. URL filters would be able to block porn.html but allow family-friendly.html
Because of the costs of openDNS for commercial use, but the necessity of filtering the access to public, open hotspots of a client, I did a "worst case" DNS-server, considering several blocklists, most of all porn, of course, but also gambling etc. So no special consideration of age-ranges, because of open access.
Only filtering of domains, _not_ URL based. Quality of filter depends upon blocklists used, of course.
The problem is usually not that, but there are indeed cases where some people want to block "part of a site".
Can you give an example, where a porn hosting website would also have family oriented pages on the same domain ?
In this case, you can combine URL filter + DNS filter, to get best of both worlds, at least for http.
The problem is usually not that, but there are indeed cases where some people want to block "part of a site".
Can you give an example, where a porn hosting website would also have family oriented pages on the same domain ?
E.g. some site that offers games (that are seen as unwanted, e.g. timewasting) and useful content.
In general it is better to use different methods than blocking to prevent the timewasting...
What I mean is that you probably should not try to solve it by blocking the unwanted content, but by explaining to your users
In this case, you can combine URL filter + DNS filter, to get best of both worlds, at least for http.
The problem is usually not that, but there are indeed cases where some people want to block "part of a site".
Can you give an example, where a porn hosting website would also have family oriented pages on the same domain ?
E.g. some site that offers games (that are seen as unwanted, e.g. timewasting) and useful content.
In general it is better to use different methods than blocking to prevent the timewasting...
General problem of URL filtering for https still applies, though.
I call this layer 8 policy filtering.
What I mean is that you probably should not try to solve it by blocking the unwanted content, but by explaining to your users
what content they are not supposed to visit and what will be the corrective actions when they still do it.
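
The difference between the DNS filter and the URL filter discussed in this thread, including the HTTPS limitation, shown as an added example that is not code from any poster, OpenDNS or RouterOS. The blocklists, host names and the `decide` function are constructed for illustration; `tls_inspection` stands for the setup where clients trust a CA installed on the filtering device.

```python
from urllib.parse import urlsplit

# Constructed sample rules; the example.com / example.net names are placeholders.
DNS_BLOCKLIST = {"adult.example.com", "casino.example.net"}
URL_BLOCKLIST = {"somesite.example.com": ["/porn.html", "/games/"]}


def host_blocked(host, blocklist=DNS_BLOCKLIST):
    """DNS-style check: block a listed domain and every subdomain of it."""
    labels = host.lower().rstrip(".").split(".")
    # Test every suffix of the name: a.b.c, then b.c, then c.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def path_blocked(host, path, rules=URL_BLOCKLIST):
    """URL-style check: block only the listed path prefixes on a host."""
    return any(path.startswith(p) for p in rules.get(host.lower(), []))


def decide(url, tls_inspection=False):
    """Return (verdict, layer) for a request passing both filters."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # The DNS filter runs first and is all-or-nothing for the host.
    if host_blocked(host):
        return ("block", "dns")
    # Without TLS inspection the filter sees only the host name of an
    # HTTPS request, never the path, so path rules cannot be applied.
    path_visible = parts.scheme == "http" or tls_inspection
    if not path_visible:
        return ("allow", "path-not-visible")
    if path_blocked(host, parts.path or "/"):
        return ("block", "url")
    return ("allow", "url")


if __name__ == "__main__":
    for u in ("http://www.adult.example.com/family-friendly.html",
              "http://somesite.example.com/porn.html",
              "http://somesite.example.com/family-friendly.html",
              "https://somesite.example.com/porn.html"):
        print(u, decide(u))
```
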