For our parental controls system, we use a method called "DNS Firewalling" to ensure that websites are blocked. How does this work? To understand this, we have to first know what DNS is.

What's DNS?

In order for your computer to connect to a website, it has to get the website's IP address. This is done through DNS. Say, for example, you want to go to https://murillo.saggis.com. Your computer has to know the IP address of our website server to connect to it. So, your computer sends the request "hey, who is murillo.saggis.com?" to the DNS server, which then replies with "murillo.saggis.com is 32.092.903.12". However, the DNS server can also reply with the wrong IP address on purpose, in order to prevent you from accessing a website, or for more malicious reasons.

What does Murillo's DNS do?

Our firewall runs a multi-horizon DNS service, which is a fancy way of saying that it routes different requests to different servers. This is user-configurable. By default, we have two zones: family and unfiltered. Requests from any device in the "family" category are sent to OpenDNS Home, and requests from devices in the "unfiltered" category are sent to Cloudflare's DNS service. You can then add your own DNS rules on top of these categories. For example, if you want to block Facebook as well, you can add a rule to the family category that blocks Facebook for all devices in the "family" category.
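The per-zone routing and rule lookup described above, sketched in Python as an added example (this is not Murillo's own code). The device addresses, the choice to treat unknown devices as "family", and the upstream resolver IPs are assumptions made for the illustration.

```python
import ipaddress

# Assumed upstream resolver addresses (public anycast IPs of the two services).
UPSTREAMS = {"family": "208.67.222.222",   # OpenDNS
             "unfiltered": "1.1.1.1"}      # Cloudflare

# Constructed sample configuration: device-to-zone map and per-zone block rules.
DEVICE_ZONES = {"192.168.1.20": "family", "192.168.1.30": "unfiltered"}
DEFAULT_ZONE = "family"   # assumption: unknown devices get the filtered zone
BLOCK_RULES = {"family": {"facebook.com"}, "unfiltered": set()}


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot so rules match reliably."""
    return qname.strip().lower().rstrip(".")


def is_blocked(qname: str, rules: set) -> bool:
    """Match the name or any parent domain, comparing whole labels only."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in rules for i in range(len(labels)))


def resolve_policy(client_ip: str, qname: str) -> tuple:
    """Return ("block", zone) or ("forward", upstream_ip) for one query."""
    client = str(ipaddress.ip_address(client_ip))  # raises on malformed addresses
    zone = DEVICE_ZONES.get(client, DEFAULT_ZONE)
    if is_blocked(qname, BLOCK_RULES[zone]):
        return ("block", zone)
    return ("forward", UPSTREAMS[zone])


if __name__ == "__main__":
    for ip, name in [("192.168.1.20", "www.facebook.com"),
                     ("192.168.1.30", "www.facebook.com"),
                     ("192.168.1.20", "notfacebook.com")]:
        print(ip, name, resolve_policy(ip, name))
```

Matching on whole labels is what keeps a rule for facebook.com from also catching an unrelated name such as notfacebook.com, while still covering subdomains like www.facebook.com.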

Isn't it easy to get around DNS firewalls?

Not if it's configured correctly. The firewall blocks outbound traffic on ports 53 and 853, which means that you can't change your DNS service without breaking your internet connection. However, there is a new technology called DNS-over-HTTPS, which is sent over port 443. Because websites using the HTTPS protocol run over that same port, blocking port 443 would mean blocking all of them. However, adoption of the technology is currently low, and we are working on a way to filter HTTP traffic directly.

Conclusion

DNS firewalls are a great way to implement simple filtering. With our best-in-class DNS server, you will have the ability to set devices to be filtered with OpenDNS's award-winning family filter, and to set rules yourself.

Image Source: https://www.mustbegeek.com/understanding-dns-forwarders-and-root-hints-in-windows-dns-server/