
    Web filtering for SMB

    IT Discussion
    • AdamF

      Does anyone use Web filtering in the SMB space? If so, what is recommended for a small (less than 10 person) office? A Ubiquiti Edge router is on the edge, but if you would want to then filter web traffic through a box that filters and also monitors, what are people using? I previously used Untangle back in the day, but have not worked with any web filters since then. 100% not interested in a UTM.

      • DustinB3403

        Are you looking to block content, like online gambling, porn etc? PiHole does an amazing job out of the gate and makes it pretty easy to do this if you want something quick and simple to set up and maintain.

        • travisdh1

          Easiest, fastest, use Cloudflare DNS
          1.1.1.2 and 1.0.0.2 blocks known malware sites
          1.1.1.3 and 1.0.0.3 blocks malware and porn sites

          PiHole is good if you want an easy local solution.

          • AdamF @DustinB3403

            @DustinB3403 said in Web filtering for SMB:

            Are you looking to block content, like online gambling, porn etc? PiHole does an amazing job out of the gate and makes it pretty easy to do this if you want something quick and simple to set up and maintain.

            I use Pi-Hole at my house. Good idea. I'm looking to block accidental stuff. Want to do what I can to keep malware, etc out as much as possible.

            • AdamF @travisdh1

              @travisdh1 said in Web filtering for SMB:

              Easiest, fastest, use Cloudflare DNS
              1.1.1.2 and 1.0.0.2 blocks known malware sites
              1.1.1.3 and 1.0.0.3 blocks malware and porn sites

              PiHole is good if you want an easy local solution.

              That's great. I didn't know they came out with 1.1.1.3. That's awesome!

              • dbeato

                I have continued to use Untangle, Pi-Hole and Yes NGFW as well. So it depends what you want to use, if DNS you know people can circumvent them outright but it is all up to you.

                • thecreaitvone91

                  Back in my SMB days I used NxFilter. You point your clients' DNS to it (I did it using DHCP) and you can still use it if you have a domain; I just set up zone transfers from the AD DNS to NxFilter, and I had them set up in a failover pair. Does AD authentication for Group Lists of allowed/block sites, reporting etc. You'd normally block client devices from using port 53 so they couldn't do their own lookups on your firewall.

                  https://nxfilter.org/p3/

                  • Dashrender @thecreaitvone91

                    @thecreaitvone91 said in Web filtering for SMB:

                    Back in my SMB days I used NxFilter. You point your clients' DNS to it (I did it using DHCP) and you can still use it if you have a domain; I just set up zone transfers from the AD DNS to NxFilter, and I had them set up in a failover pair. Does AD authentication for Group Lists of allowed/block sites, reporting etc. You'd normally block client devices from using port 53 so they couldn't do their own lookups on your firewall.

                    https://nxfilter.org/p3/

                    A zone transfer instead of just making the NxFilter the upstream DNS for AD's DNS?

                    • thecreaitvone91 @Dashrender

                      @Dashrender said in Web filtering for SMB:

                      @thecreaitvone91 said in Web filtering for SMB:

                      Back in my SMB days I used NxFilter. You point your clients' DNS to it (I did it using DHCP) and you can still use it if you have a domain; I just set up zone transfers from the AD DNS to NxFilter, and I had them set up in a failover pair. Does AD authentication for Group Lists of allowed/block sites, reporting etc. You'd normally block client devices from using port 53 so they couldn't do their own lookups on your firewall.

                      https://nxfilter.org/p3/

                      A zone transfer instead of just making the NxFilter the upstream DNS for AD's DNS?

                      You couldn't do Groups or custom filters or reporting if you did it that way as all requests would be coming from the DC itself.

                      • black3dynamite @dbeato

                        @dbeato said in Web filtering for SMB:

                        I have continued to use Untangle, Pi-Hole and Yes NGFW as well. So it depends what you want to use, if DNS you know people can circumvent them outright but it is all up to you.

                        Wouldn’t you just deny at the firewall from using any dns except for pi-hole?

                        • DustinB3403 @black3dynamite

                          @black3dynamite said in Web filtering for SMB:

                          @dbeato said in Web filtering for SMB:

                          I have continued to use Untangle, Pi-Hole and Yes NGFW as well. So it depends what you want to use, if DNS you know people can circumvent them outright but it is all up to you.

                          Wouldn’t you just deny at the firewall from using any dns except for pi-hole?

                          That's what I'd do.

                          • JaredBusch @black3dynamite

                            @black3dynamite said in Web filtering for SMB:

                            @dbeato said in Web filtering for SMB:

                            I have continued to use Untangle, Pi-Hole and Yes NGFW as well. So it depends what you want to use, if DNS you know people can circumvent them outright but it is all up to you.

                            Wouldn’t you just deny at the firewall from using any dns except for pi-hole?

                            This will only work for another year or so. Most browsers are going to default to DNS over HTTPS soon.

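Added example (not part of the original thread): the firewall rule discussed above, denying DNS to anything but the Pi-Hole, leaves a log trail of clients that still try to resolve elsewhere, while the DoH point raised in the last post is the traffic that rule cannot see on port 53. This Python script audits flow-log lines for both cases; the log format, the 192.168.1.0/24 LAN, the resolver address 192.168.1.2 and the short list of public resolver IPs are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Assumptions for this example: LAN range, address of the filtering resolver,
# and a short illustrative list of public resolvers that also answer DoH on 443.
LOCAL_RESOLVER = "192.168.1.2"
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_DOH = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

Finding = namedtuple("Finding", "src dst reason")

# Constructed sample log, one flow per line: "time src dst dport proto action"
SAMPLE_LOG = """\
09:00:01 192.168.1.20 192.168.1.2 53 udp accept
09:00:02 192.168.1.2 1.1.1.2 53 udp accept
09:00:05 192.168.1.31 8.8.8.8 53 udp drop
09:00:09 192.168.1.31 8.8.8.8 443 tcp accept
09:00:12 192.168.1.40 9.9.9.9 853 tcp accept
09:00:15 192.168.1.20 203.0.113.10 443 tcp accept
"""

def classify(src, dst, dport, action):
    """Return a reason if a LAN client's flow bypasses the local resolver, else None."""
    if src == LOCAL_RESOLVER or ipaddress.ip_address(src) not in LAN:
        return None  # the resolver's own upstream lookups are expected
    if dport == 53 and dst != LOCAL_RESOLVER:
        return "plain DNS to outside resolver (%s)" % action
    if dport == 853:
        return "DNS over TLS"
    if dport == 443 and dst in PUBLIC_DOH:
        return "possible DNS over HTTPS"
    return None

def audit(log_text):
    """Parse the log and return a Finding for every flow that sidesteps the filter."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _, src, dst, dport, _, action = parts
        reason = classify(src, dst, int(dport), action)
        if reason:
            findings.append(Finding(src, dst, reason))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

In the sample, the dropped port 53 flow shows the deny rule doing its job, and the accepted 443 flow from the same client to the same address is the lookup path that rule never inspects.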
                              • black3dynamite @JaredBusch

                              @JaredBusch said in Web filtering for SMB:

                              @black3dynamite said in Web filtering for SMB:

                              @dbeato said in Web filtering for SMB:

                              I have continued to use Untangle, Pi-Hole and Yes NGFW as well. So it depends what you want to use, if DNS you know people can circumvent them outright but it is all up to you.

                              Wouldn’t you just deny at the firewall from using any dns except for pi-hole?

                              This will only work for another year or so. Most browsers are going to default to DNS over HTTPS soon.

                              Yeah, I forgot about that.

                              • Dashrender @JaredBusch

                                @JaredBusch said in Web filtering for SMB:

                                @black3dynamite said in Web filtering for SMB:

                                @dbeato said in Web filtering for SMB:

                                I have continued to use Untangle, Pi-Hole and Yes NGFW as well. So it depends what you want to use, if DNS you know people can circumvent them outright but it is all up to you.

                                Wouldn’t you just deny at the firewall from using any dns except for pi-hole?

                                This will only work for another year or so. Most browsers are going to default to DNS over HTTPS soon.

                                This is overridable. So for business it's something you can overcome.
                                And MS is also working to update their DNS to be DNS over HTTPS... just need Pi-Hole to follow suit... then the browser will stick with the DHCP-provided DNS.

                                • JaredBusch @Dashrender

                                  @Dashrender said in Web filtering for SMB:

                                  @JaredBusch said in Web filtering for SMB:

                                  @black3dynamite said in Web filtering for SMB:

                                  @dbeato said in Web filtering for SMB:

                                  I have continued to use Untangle, Pi-Hole and Yes NGFW as well. So it depends what you want to use, if DNS you know people can circumvent them outright but it is all up to you.

                                  Wouldn’t you just deny at the firewall from using any dns except for pi-hole?

                                  This will only work for another year or so. Most browsers are going to default to DNS over HTTPS soon.

                                  This is over rideable. So for business it something you can’t overcome.
                                  And MS is also working to update their DNS to be DNS over HTTPS... just need PI Hope to follow suit... then the browser will stick with the DHCP provided DNS.

                                  Can you edit that to English?

                                  • scottalanmiller @AdamF

                                    @fuznutz04 said in Web filtering for SMB:

                                    @DustinB3403 said in Web filtering for SMB:

                                    Are you looking to block content, like online gambling, porn etc? PiHole does an amazing job out of the gate and makes it pretty easy to do this if you want something quick and simple to set up and maintain.

                                    I use Pi-Hole at my house. Good idea. I'm looking to block accidental stuff. Want to do what I can to keep malware, etc out as much as possible.

                                    Pi-Hole + Cloudflare DNS goes a long way. And free.

                                    • scottalanmiller @dbeato

                                      @dbeato said in Web filtering for SMB:

                                      I have continued to use Untangle, Pi-Hole and Yes NGFW as well. So it depends what you want to use, if DNS you know people can circumvent them outright but it is all up to you.

                                      He said his goal was accidents. DNS filtering is perfect for accidents.
