Well if you want to harvest your own lists I'd suggest...
http://www.malwaredomains.com/
http://www.malwaredomainlist.com/mdl.php
...but realize these update every few days so you have to stay on top of it.
I use DNS Redirector, which updates automatically every night - it downloads a bunch of lists when a newer version is found, currently I am blocking ads, known malware/badware, dynamic DNS, free hosting, phishing, and all ccTLDs where we don't do business (*.in, *.cn, *.ru, etc.)
This should work, we just need someone with a Samsung TV to sniff out the DNS traffic so we know which domains to block.
Currently I'm doing the same by using DNS Redirector to prevent my Vizio TV from downloading "new" firmware with bugs or features I don't want.
;BLOCK_Vizio_TV_firmware_updates oui-0x00199d.com updatev.vo.llnwd.net
Why you'd have RDP open to the Internet is beyond me, at least implement: https://rdpguard.com/
No Internet filter on this network? Even if the bad guys can get in, if they can't download this crap, then you're saved, it doesn't have to be expensive: http://dnsredirector.com
Which FSRM script are you using? I think this would have caught it: http://jpelectron.com/stopcrypto
In most cases they're purchasing commercial systems that include options for configuring a captive portal. Most residential routers don't include captive portal options.
If there's custom firmware available for your router that does include captive portal options, sure, that'll work. If there is no custom firmware available, and your router's default firmware doesn't support a captive portal, you're probably not going to be able to modify the firmware to add one. In that case, running a local DNS server along with software like DNS Redirector is an alternative that doesn't require making any changes to the router, other than pointing DNS to the local server.
This article: http://dnsredirector.com/faq/163.asp ...explains it better than I could, including links at the bottom to the Google documentation.
...also includes links to a list of all Google country code domains and how to do it.
Better documentation here I think: http://dnsredirector.com/faq/163.asp (including links to the Google Help articles)
Also, block "explicit.bing.net" (or by creating a dummy DNS zone so it resolves to 0.0.0.0)
Still don't see why anyone would want to search with yahoo - all you're guaranteed to get is more spyware/malware - we block yahoo entirely.
Instead of OpenDNS, which seems to be having all sorts of cache problems lately, I would suggest you run DNS Redirector on your server (that can do whatever filtering you need); it then forwards to the Microsoft DNS service (which also gives you cache control) and that forwards to your ISP or GoogleDNS (whatever is faster). There is a way to test that here... http://dnsredirector.com/sample/DNSTest/
Is a proxy still really necessary? How about Internet filtering via DNS (suggestion http://dnsredirector.com) and using the default gateway as the route to the Internet as intended? ACLs to block unnecessary ports and users from trying to reach a 3rd party DNS.
Do you really need to filter the whole URL, or is just the hostname enough?
For example...
full URL: https://www.youtube.com/watch?v=ZY3J3Y_OU0w
hostname: https://www.youtube.com
If you can live with blocking the whole site (youtube.com) instead of just parts of it (the video that loads when you hit /watch?v=ZY3J3Y_OU0w) then DNS is enough, and you don't have to do the whole cert nonsense.
http://dnsredirector.com is what we use, works regardless of HTTP/S or any other port/protocol.
You should block ALL attempted visits to sites by IP address directly, nobody needs that, only viruses. Then block just the bad stuff with your DNS filter of choice.
PRTG
or
Pingplotter
I'd also check on your "PiHole for DNS" ... besides my feeling that it's generally too slow on underpowered hardware, and not enterprise ready, if you are blocking things that are HTTPS, and not answering all those requests with something running on port 443, or with a deny firewall rule that will block the traffic, then your browsing likely "appears slow" as those HTTPS things being blocked are actually waiting to time out. See this thread about a similar product and their solution: http://dnsredirector.com/faq/145.asp
Zywall USG for the router, multiple VLANs for each SSID.
DNS Redirector http://dnsredirector.com for the captive portal/login. May require multiple instances or some creative code based on time restrictions.
I would always test it for yourself, not rely on some article...
Test as described here: http://dnsredirector.com/sample/DNSTest/
Just because some DNS server "looks good" on one ISP doesn't make it the best from another part of the country or from another ISP.
Test it yourself as described here: http://dnsredirector.com/sample/DNSTest/
Just because some DNS server "looks good" on one ISP doesn't make it the best one from another part of the country or another ISP.
Carefully read the ToS of the lists that NxFilter tries to download from, it's non-commercial use, and you can get cut off someday. Also, Java, on a server, no thanks.
I use DNS Redirector, runs on Windows.
Proxy slows down the network too much, and becomes a single point of failure.
I know at least two ISPs that offer opt-in filtering for porn and non-family friendly stuff; they're using DNS Redirector, no idea of the total load. But put a caching server in front of or behind it and you're probably fine.
The only one I use: DNS Redirector - update in one place - takes effect for the whole network - option to bypass temporarily - no browser plug in/extra nonsense to update
We use DNS Redirector, almost exclusively. I'm using it in schools with iPad and Chromebook 1:1 programs, but they are student-owned, so we don't filter when they are off the school network.
DNS Redirector has a "BYOD device registration site" that can do it, works regardless of end-user device/OS. Each student is required to "signin" once per day (or if you want once every period) on every device they use. There are some scripts you can run against the logs to see where a particular device IP went. You can view all devices "registered" to a particular student and back-track from there.
Honestly, don't know how it's your school's job/policy to monitor everywhere someone is going on the Internet - our take is more that if "explosion making" is not part of the curriculum, then block it, no need for it.
If you're paying for OpenDNS, you're paying too much. If you're not paying for OpenDNS, they will eventually notice the amount of queries coming from your network and their sales guys will hound you to try and pay for a plan.
We decided to forgo that hostage situation and went with DNS Redirector instead, saved us a lot of $$.
You can even install it on your existing AD servers (you should have at least two) and enjoy content filtering without any subscription.
Sonicwall is archaic, over-priced, over-complicated crap, and the fact that Dell bought them didn't make them any better. For a real firewall, look at Zywall's USG series, or Peplink Balance if you need, or think you'll need in the future, to combine the throughput of multiple ISPs.
Yep, anything with an IP in the URL is certainly going to be bad, that's why your firewall needs to block all URLs with an IP in them (not as a firewall ACL, but as an HTTP inspection rule), a simple regex takes care of that. Edit: found where I learned how to do it: http://dnsredirector.com/faq/115.asp Haven't had to clean up a virus in years.
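The "IP in the URL" check described in the comment above, as an added example that is not from the thread or from DNSRedirector's FAQ: it goes a bit beyond a bare dotted-quad regex by also catching bracketed IPv6 literals, userinfo, ports, and the pure-integer ("dword") host form that browsers accept. The sample URLs and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Dotted-quad IPv4 host as it appears in the URL authority (after userinfo/port are stripped).
DOTTED_QUAD = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
# Pure-integer host such as http://2130706433/ which browsers also resolve as an IPv4 address.
DWORD_HOST = re.compile(r"^\d+$")


def host_is_ip_literal(url: str) -> bool:
    """Return True when the URL's host is an IP address rather than a DNS name.

    Covers IPv4 dotted quads, dword-form IPv4, and bracketed IPv6 literals.
    Hex/octal octet forms (e.g. 0x7f.0.0.1) are NOT recognised here; a production
    inspection rule should canonicalise the host first if it cares about those.
    """
    # Accept bare "host/path" input the way a URL-filter rule would see it.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # strips userinfo, port and IPv6 brackets, lower-cases
    if not host:
        return False
    if DOTTED_QUAD.match(host) or DWORD_HOST.match(host):
        return True
    try:
        ipaddress.ip_address(host)  # catches IPv6 without a fragile regex
        return True
    except ValueError:
        return False


def flag_ip_urls(urls):
    """Return only the URLs whose host is an IP literal (the ones the rule would block)."""
    return [u for u in urls if host_is_ip_literal(u)]


# Constructed sample URLs (hypothetical, not taken from the thread).
SAMPLE_URLS = [
    "http://93.184.216.34/update.exe",
    "https://10.0.0.5:8443/login",
    "http://[2001:db8::1]/payload.bin",
    "http://user:pass@192.0.2.10/",
    "http://2130706433/",
    "https://www.example.com/watch?v=abc",
    "http://localhost/",
]

if __name__ == "__main__":
    for u in flag_ip_urls(SAMPLE_URLS):
        print("BLOCK", u)
```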
Three approaches for you...
A) does your server really NEED to be a public resolver? probably not.
B) just block all China IPs, all they do is DNS amplification attacks all day, no reason they should be able to resolve anything.
C) use a blocklist of known DNS abusers, one that I trust: http://dnsredirector.com/cloudprotect I find this is helpful because there are a lot of universities or "research" groups that are probing for open resolvers, and when they find yours, you get added to a list, which is then bought or leaked to the "bad guys" who will hammer your server with bogus requests, or get used by the malware/badware they just wrote. It's a worthless research project that's only aiding the bad guys, can't see what the point is except for some washed-up "professor" to keep showing his students something "interesting".
Here is an example: http://dnsredirector.com/networks/09/ using cheap hardware, you could experiment/adapt it to your needs.
The biggest problem is whether your current hardware (at least all switches) supports VLANs, and whether your FW supports VLANs or, if not, at least has an extra LAN interface available.
Not sure why they get to advertise in this sub, perhaps they can't read the side-bar.
You could try the free version of what they are doing (perhaps they even just repackaged this guy's thing) http://www.nxfilter.org/p2/
Or you could try DNS Redirector which needs no subscription http://dnsredirector.com
Or you could use NortonDNS for free http://en.wikipedia.org/wiki/Norton_ConnectSafe (but I would put your own DNS caching server between your computers and then forward to NortonDNS, so you don't look like such a huge load to their servers)
You should not use channel 13 in the USA, use 1, 6, or 11 only. 13 is OK if you are in another country.
20 MHz solves a lot of problems when there are no free channels available; based on your screenshot there are other things near you using the same channels, so I would not complicate the issue by using 20/40 MHz width. You're supposed to achieve a speed boost by using the larger width, but for just surfing the web/reading email it's not something you'll notice or need.
It is important to have your two routers on different channels; without that there will be crosstalk and roaming (the ability for your phone/PC to automatically move from one wireless to the other) will not work correctly. Based on your screenshot I would pick 11 and 6.
If the DNS change solved your issue you should be OK - I would also check for a router setting like DNS forwarding or DNS masquerading or DNS proxy, and disable that if you find it (it doesn't help and makes your router more vulnerable to attack). Keep using Google DNS, it's likely better than your ISP's DNS. If you're feeling adventurous and want to try different DNS providers you can follow the steps here: http://dnsredirector.com/sample/dnstest/
Try changing your router's DNS to Google DNS which is 8.8.8.8 and 8.8.4.4 and then reboot your router and computers so the change takes effect.
If your router has a setting for DNS proxy, or DNS forward, or DNS masquerading, disable it - that never helps.
You can also test which DNS servers are fastest for your connection (your ISP or Google DNS may not be the best, although Google DNS works for me) see: http://dnsredirector.com/sample/DNSTest/
Instead of your DNS going from: Your computer > your router > your ISP
(this is what happens when the router has all zeros in there for DNS, it will get the DNS servers from your ISP automatically, and then forward to them)
Now your DNS will go from: Your computer > Google DNS
...many routers are lousy DNS forwarders, meaning as they get hot, or are busy routing other traffic, the local DNS cache gets dropped or corrupt.
...many ISPs offer lousy DNS service, or it is under constant attack and they don't really care/know how to do anything about it, the result is it's slow.
Google DNS is a global service that has much better caching and performance than even some major ISPs - so the end result, is faster resolves.
Remember to restart your computer after changing the DNS setting in your router, so your computer picks up the change.
See: https://developers.google.com/speed/public-dns
and: http://en.wikipedia.org/wiki/Domain_Name_System
To test your DNS and determine who is really fastest for you (realize this does not test who has stale/corrupt cache) see: http://dnsredirector.com/sample/DNSTest/
If you still have problems after trying different DNS providers - the problem may be something else...
spyware/adware on your computer, run a full scan with Malwarebytes (free version is fine)
your ISP connection may be at fault (call them, only they can test/diagnose a line or signal fault)
your router may be bad/faulty/unable to keep up with whatever traffic is going through it, it could be under attack from the WAN or LAN side.
I'm confused how David says "we're growing leaps and bounds and we have 1000's of customers" and then the result becomes "we're eliminating free stuff and making everything else more expensive"
There are other solutions out there, I moved off OpenDNS years ago because I needed more domain blacklisting options... http://dnsredirector.com/compare