DansGuardian Documentation Wiki

Differences

This shows you the differences between the selected revision and the current version of the page.

Old revision: downloadable_blacklists 2010/02/13 20:22 | Current revision: downloadable_blacklists 2010/03/17 23:54
Line 157: Line 157:
You can combine using OpenDNS and using local blacklists to improve the depth of your filtering. However to avoid horrid management confusion, customize OpenDNS to forbid only categories that will never be excepted (proxies, phishing, malware, ?). In this configuration whenever you add a new site exception you know it will always go in DansGuardian. You can combine using OpenDNS and using local blacklists to improve the depth of your filtering. However to avoid horrid management confusion, customize OpenDNS to forbid only categories that will never be excepted (proxies, phishing, malware, ?). In this configuration whenever you add a new site exception you know it will always go in DansGuardian.
-You can also use OpenDNS exclusively. Configure DansGuardian to not use any local blacklist at all (just as you would do for whitelist mode). In this case there is no need to customize OpenDNS to forbid only some categories. All you need to do is set the protection level as desired. In this configuration all new site exceptions will always be done through OpenDNS; the DansGuardian mechanism will not be used. +You can also use OpenDNS exclusively. Configure DansGuardian to not use any local blacklist at all (just as you would do for whitelist mode). In this case there is no need to customize OpenDNS to forbid only some categories. All you need to do is set the protection level as desired. In this configuration all new site exceptions will always be done through OpenDNS; the DansGuardian mechanism will not be used. (Note though some have questioned the thoroughness and timeliness of OpenDNS updates, suggesting using OpenDNS exclusively while also neglecting constant improvement of content scannng recipes may leave a system vulnerable to circumvention by public proxies.) 
In either case (OpenDNS combined with blacklists, OpenDNS exclusively), you must arrange that all your computers ultimately get their DNS service from the OpenDNS servers, and most importantly that your computers cannot get DNS service from anywhere else. Otherwise users who wish to reference proxy systems can simply reconfigure end user computers to use different DNS servers, then proceed to access systems that you thought were forbidden. One way to do this is with DHCP (to point all computers at the desired DNS servers), a local caching DNS service (to centralize your references to OpenDNS) and some IPtables rules (to keep end user computers from accessing any DNS servers other than your local caching DNS system). By sending each DNS query over your ISP connection only the first time, a local caching DNS service will [[Performance Tuning|considerably improve performance]], both by freeing up a great deal of ISP bandwidth for more web content and by responding much more quickly to most requests since responses can come out of the local cache without ever entering the cloud.  In either case (OpenDNS combined with blacklists, OpenDNS exclusively), you must arrange that all your computers ultimately get their DNS service from the OpenDNS servers, and most importantly that your computers cannot get DNS service from anywhere else. Otherwise users who wish to reference proxy systems can simply reconfigure end user computers to use different DNS servers, then proceed to access systems that you thought were forbidden. One way to do this is with DHCP (to point all computers at the desired DNS servers), a local caching DNS service (to centralize your references to OpenDNS) and some IPtables rules (to keep end user computers from accessing any DNS servers other than your local caching DNS system). 
By sending each DNS query over your ISP connection only the first time, a local caching DNS service will [[Performance Tuning|considerably improve performance]], both by freeing up a great deal of ISP bandwidth for more web content and by responding much more quickly to most requests since responses can come out of the local cache without ever entering the cloud.
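Review bot: The parenthetical added to the "You can also use OpenDNS exclusively" paragraph has a typo ("scannng" should be "scanning") and attributes the concern to an unnamed "some"; a link to the report or discussion being referred to would let readers judge how current the concern is. The sentence is also hard to parse as a single clause; splitting it after "OpenDNS updates" would help, e.g. "Some have questioned the thoroughness and timeliness of OpenDNS updates. Relying on OpenDNS exclusively while neglecting your content scanning recipes may leave a system open to circumvention by public proxies." It would also be worth saying explicitly that the DNS lockdown in the following paragraph (DHCP, local caching DNS, iptables) only stops users from switching to other resolvers; it does nothing about a proxy site OpenDNS has not yet categorized, which is exactly the gap the new note describes, so the two mitigations are complementary rather than alternatives. The move of the performance-tuning sentence into its own paragraph is a formatting-only change and reads fine.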