Enforcing DNS Web Filtering On Apple iOS Devices, Wherever They May Roam…

In a previous blog post I talked about setting up OpenDNS Family Shield on your home internet connection as an inexpensive option for web filtering that can protect your home systems from sites known to infect you with malware and viruses, as well as protecting children from a lot of the icky stuff that is so easily found on the web. I use this on my home internet connection, and have for some time now. My systems stay clean and healthy and so do my children. However, as the kids have gotten bigger and mobile devices have come into play, I have found that although I can protect devices connected to my home WiFi network, I have no control over other networks: public hotspots, the WiFi at the homes of their friends, and even cellular data connections are outside the reach of my protection.

Windows-based devices are easy, because the DNS settings are bound to the WiFi adapter and not to the WiFi network you are connecting to. So for Windows devices the settings listed here will work regardless of the WiFi network you connect to. However, Apple does not allow you to change the DNS settings for your cellular data connection, and every WiFi network carries its own DNS configuration rather than using a global setting.

The Backstory:
One day not long ago, on our way back from a weekend away, I was in a local coffee shop with my family. I had forgotten my phone in the car, and had one of those “gotta Google it” moments where I needed an answer right away. I borrowed my son’s iPhone, cracked open Safari, and right there in that busy little coffee shop was greeted with Pornhub.com, wide open on his screen. He swore it wasn’t him. After checking the internet history I asked him if it also wasn’t him the 50 previous times over the weekend while we were connected to the internet at the hotel…

First:
I had a talk with him. I explained that I understood his curiosity and I wasn’t really mad at him. I let him know that, more than anything, I was concerned for him. I wanted him to know that the acts and behavior he may have seen on that screen are not real, and the way the people in those videos treat one another is not normal behavior. I really wanted to get across to him that I never wanted to find out that he treated any woman in his life the way those girls are treated.

Second:
I went searching. I knew there must be something I could do to help filter adult content from my son’s phone even when he wasn’t connected to our home internet connection. After doing some digging I found “DNS Override”. The app is free to download, and with a simple $2.79 CDN in-app purchase DNS Override does exactly what you need it to: it protects your device over all WiFi and cellular networks. Once configured you can enable a passcode to prevent users from turning off its settings. See the link to configuration instructions below. It accomplishes this global setting by installing a “dummy” VPN (virtual private network) connection. Although the VPN settings it installs never really connect, they do enable the app to set the DNS server based on the profile you select. The app has several built-in DNS profiles, one of which is OpenDNS Family Shield. You can also create your own profiles, although this is probably not needed for most parents.

Hands down, this is one of the best apps I have found to enable security and web filtering on Apple devices. It’s simple and inexpensive. And frankly, any parent whose children use mobile devices should be looking for a solution like this to keep them safe.

For more information on configuring DNS Override to protect your device, you can check out their blog post here.

If you wish, you can further enforce this configuration by restricting users from uninstalling apps from the device. You can access these settings (also passcode protected) from the “Settings | General | Restrictions” screen by turning off the “Delete Apps” option.

(Screenshot: the Restrictions screen with “Delete Apps” turned off)

I do not want to police my children to death, but I don’t want them to be exposed to Adult content and other dangerous websites, when there are great and easy options out there for me to protect them. I hope that after reading this post, others are now able to take advantage of this information and protect their youngsters as well.


Windows Powershell Script to Collect CDP and LLDP Information

Often as a network administrator I find myself trying to determine which port on which switch a network drop connects back to. I may need this information for VLAN changes, etc. I have a Fluke EtherScope that has a CDP test, but it is older and will not communicate with newer non-Cisco gear.

I have looked unsuccessfully for a simple tool to gather this information for me. Every project I looked at on GitHub or SourceForge seemed ill maintained and buggy. I decided that I could use a capture filter in Wireshark to capture CDP and LLDP packets. This succeeds in getting the info, but reading through all the info in the packets, and expanding all the parts of the tree, is a pain. I decided to simplify this by having a PowerShell script collect the information using TShark.exe and then parse the output for the information I wanted to display.

This script requires that a recent version of Wireshark be installed on the system running the script, along with the optional TShark component.

I am sure that some of the code here could be improved and welcome comments and suggestions.

############################################################################
# Script: PortCheck.ps1
#
# Description: Listens for CDP and LLDP Displays Switch Port Information
# For the Selected Interface
#
# Author: Dan Parr / 2016
#
# Version: 1.4
#
# NOTE: Script Requires a Recent Version of Wireshark to be installed in the
# Default program files directory
############################################################################


Function Process-CDP{

#This Function Pulls some info from the CDP Packet blob To Display to the User
#And Returns the display string. Could be expanded to Include any other details
#contained in the packet.

$Device = $args[0] | Select-String -Pattern "Device ID: " -Encoding Unicode
$Platform = $args[0] | Select-String -Pattern "Platform: " -Encoding Unicode
$IP = $args[0] | Select-String -Pattern "IP Address: " -Encoding Unicode
$Interface = $args[0]| Select-String -Pattern "Port ID: " -Encoding Unicode
$VLanID = $args[0]| Select-String -Pattern "Native VLAN: " -Encoding Unicode

$D = $Device[0].tostring().trim().replace("Device ID: ","Switch Name: ")
$P = $Platform[0].tostring().trim().replace("Platform: ","Switch Description: ")
#Truncate Platform information if needed

if ($P.length -gt 88){
$P = $P.substring(0,87).trim() + " (Truncated...)"}

$I = $IP[0].tostring().trim().replace("IP Address: ","Switch IP Address: ")
$V = $VLanID[0].tostring().trim().replace("Native VLAN: ","Current VLAN Assignment: ")
#The CDP dissector labels this field "Port ID" (String.Replace is case-sensitive, so the label must match exactly)
$Int = $Interface[0].tostring().trim().replace("Port ID: ","Switch Port: ")

$Response = "
######################################################
CDP information Collected
######################################################

$D
$Int
$I
$V

$P

######################################################"

$Response
}

Function Process-LLDP{

#This Function Pulls some info from the LLDP Packet blob To Display to the User
#And Returns the display string. Could be expanded to Include any other details
#contained in the packet.

#Match on the label only, so either "System Name: x" or "System Name = x" is found
$Device = $args[0] | Select-String -Pattern "^\s*System Name" -Encoding Unicode
$IP = $args[0] | Select-String -Pattern "Management Address: " -Encoding Unicode
$Platform = $args[0] | Select-String -Pattern "^\s*System Description" -Encoding Unicode
$Interface = $args[0]| Select-String -Pattern "Port ID: " -Encoding Unicode
$VLanID = $args[0]| Select-String -Pattern "Port VLAN Identifier: " -Encoding Unicode

#Accept either ": " or " = " between the label and its value
$D = $Device[0].tostring().trim() -replace "^System Name\s*[:=]\s*","Switch Name: "
$P = $Platform[0].tostring().trim() -replace "^System Description\s*[:=]\s*","Switch Description: "
#Truncate Platform Info if needed
if ($P.length -gt 88){
$P = $P.substring(0,87).trim() + " (Truncated...)"}

$V = $VLanID[0].tostring().trim().replace("Port VLAN Identifier: ","Current VLAN Assignment: ")

$I = $IP[0].tostring().trim().replace("Management Address: ","Switch IP Address: ")
$Int = $Interface[0].tostring().trim().replace("Port Id: ","Switch Port: ")

$Response = "
######################################################
LLDP information Collected
######################################################

$D
$Int
$I
$V

$P

######################################################"

$Response

}

### MAIN SCRIPT ###

Clear
Write-Host -ForegroundColor Green "
#############################################################################
#
# PortCheck: CDP and LLDP Scanner
#
# Ver. 1.4 / Jan 26 2017
# Author: Dan Parr
#
# This Script is provided without warranty of any kind.
# Use at your own discretion.
# This Script Requires Wireshark (with TShark) to be installed
#
#############################################################################
"

#Utilize TShark.exe to display interfaces
$Command = "C:\Program Files\Wireshark\tshark.exe"
#Stop early with a clear message if Wireshark/TShark is not installed where expected
if (-not (Test-Path $Command)) {
Write-Host -ForegroundColor Red "tshark.exe was not found at $Command. Install Wireshark with TShark and run the script again."
exit 1
}
$InterfaceOptions = @('-D')

Write-Host "Collecting Adapters:"
#Execute Tshark.exe and pass an array of arguments
& $Command $InterfaceOptions

#Have user Input the interface ID number
$IntID = Read-Host -Prompt "Please Enter The Interface ID# That You want to Monitor"

##########################################################################
#TShark Command Line Options
##########################################################################

#Define a Capture Filter to Capture only CDP or LLDP packets
$CaptureFilter = "(ether proto 0x88cc) or ( ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000)"
#Define How long TShark will Wait in Seconds for a CDP or LLDP packet
$Duration = "120"

#Other CMD Options used:
#-c: Count of Packets to Capture
#-V: Collect Packtet Details
#-Q: Only Log true errors to stderr (quieter than -q)


#Found some possible unneeded command line options ('-S','-l')
#$Options= @('-i',"$IntID",'-f',$CaptureFilter,'-a',"duration:$Duration",'-S','-l','-c','1','-V','-Q')

$Options= @('-i',"$IntID",'-f',$CaptureFilter,'-a',"duration:$Duration",'-c','1','-V','-Q')

###########################################################################

Clear
Write-Host -ForegroundColor Green "
Listening for CDP or LLDP Advertisements on the Wire
This May Take up to $Duration Seconds
"
#Execute TShark Command and pass an array of arguments. Use STDOut to populate Variable
$CDP = & $Command $Options
$CDP > .\Packet.txt
#Determine the type of Data Received and Act on it
If ((Select-String -Pattern "Cisco Discovery Protocol" -InputObject $CDP).length -gt 0) {
Write-Host -ForegroundColor Yellow "Received CDP Annoucement:
"
$CollectedInfo = Process-CDP $CDP
}
ElseIf ((Select-string -Pattern "Link Layer Discovery Protocol" -InputObject $CDP).length -gt 0) {
Write-Host -ForegroundColor Yellow "Found LLDP Annoucement on the Wire:
"
$CollectedInfo = Process-LLDP $CDP
}
Else {
Write-Host -ForegroundColor Magenta "No CDP Or LLDP info Received"
}
#Only copy and display a result when something was actually collected
If ($CollectedInfo) {
Set-Clipboard $CollectedInfo
Write-Host -ForegroundColor Green $CollectedInfo
Write-Host -ForegroundColor Yellow "Note: This information has been copied to the Windows clipboard
"
}
Read-host -Prompt "Press Enter to End the Script and close"
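As an added example (not part of PortCheck.ps1): one parser that handles both CDP and LLDP text from tshark -V and tolerates a TLV the switch did not send, which the Process-CDP/Process-LLDP functions above cannot (a missing field makes $Device[0] fail). The two packet texts inside it are constructed samples, not real captures.

```powershell
# Added example, not part of PortCheck.ps1: one parser for CDP and LLDP text as printed
# by "tshark -V", tolerant of a missing TLV. Both packet texts are constructed samples.
$SampleCdp = @'
Cisco Discovery Protocol
    Device ID: SW-CORE-01
    Platform: cisco WS-C3750X-48P
    Port ID: GigabitEthernet1/0/12
    Native VLAN: 20
'@
$SampleLldp = @'
Link Layer Discovery Protocol
    Port Id: Gi1/0/5
    System Name = SW-EDGE-07
    System Description = Constructed sample switch description
    Management Address: 10.1.1.7
    Port VLAN Identifier: 20 (0x0014)
'@
function Get-FieldValue {
    param([string[]]$Lines, [string]$Pattern)
    # First capture group of the first matching line, or 'n/a' when the TLV is
    # absent, so a missing field never becomes a null-index error.
    foreach ($Line in $Lines) {
        if ($Line -match $Pattern) { return $Matches[1].Trim() }
    }
    return 'n/a'
}
function ConvertFrom-DiscoveryText {
    param([string]$Text)
    $Lines = $Text -split "`r?`n"
    # Labels differ between the CDP and LLDP dissectors, so pick the set by protocol
    if ([bool]($Lines | Select-String -Pattern 'Cisco Discovery Protocol' -Quiet)) {
        $Proto  = 'CDP'
        $Labels = @{ Name = 'Device ID:\s*(.+)'; Description = 'Platform:\s*(.+)'
                     Port = 'Port ID:\s*(.+)';  IP = 'IP Address:\s*(.+)'
                     Vlan = 'Native VLAN:\s*(\d+)' }
    } elseif ([bool]($Lines | Select-String -Pattern 'Link Layer Discovery Protocol' -Quiet)) {
        $Proto  = 'LLDP'
        $Labels = @{ Name = 'System Name\s*[:=]\s*(.+)'; Description = 'System Description\s*[:=]\s*(.+)'
                     Port = 'Port Id:\s*(.+)';           IP = 'Management Address:\s*(.+)'
                     Vlan = 'Port VLAN Identifier:\s*(\d+)' }
    } else { return $null }
    $Result = [ordered]@{ Protocol = $Proto }
    foreach ($Key in 'Name', 'Port', 'IP', 'Vlan', 'Description') {
        $Result[$Key] = Get-FieldValue -Lines $Lines -Pattern $Labels[$Key]
    }
    [pscustomobject]$Result
}
ConvertFrom-DiscoveryText $SampleCdp  | Format-List   # IP reads n/a: that TLV is absent
ConvertFrom-DiscoveryText $SampleLldp | Format-List
```

To use it with the live capture, pass the text captured into $CDP by the main script (joined with newlines) instead of the sample strings.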

Easy Family Friendly Web Filtering, And Best of All it’s Free

One of the easiest protections that I use on my home network to prevent inappropriate websites from finding their way onto my children’s screens is DNS web filtering.

DNS stands for Domain Name System. The easiest way to describe it is that DNS is the phone book of the internet: a web address is a name, and the web server’s IP address is the phone number. When you key in a website or click a link, your computer sends the website address to the DNS server, which returns the correct IP address for your computer to contact for the content it is looking for. DNS filtering simply does not give back the correct IP address when your computer tries to reach an inappropriate website.

OpenDNS is a free DNS provider that offers a simple and easy-to-use product called Family Shield. Click the following link for more information: Family Shield.

Once configured, when a user attempts to access an adult website, either accidentally or out of curiosity (we are all curious, especially in our youth…), they are redirected to a standard block page:

(Screenshot: the OpenDNS block page shown in place of the requested site)

OpenDNS provides basic configuration instructions Here: https://www.opendns.com/setupguide/?url=familyshield

The recommended configuration is to configure your home router to hand out these servers to any device that connects using your internet connection. This easily and automatically applies the protection to every PC, laptop, tablet, iPod, cell phone, or gaming console that connects from inside your home network. However, you can easily set this up on individual devices as well.

In the coming days I hope to provide a tutorial video on configuring a router, as well as a utility to easily configure a single Windows PC with Family Shield protection.
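The single-Windows-PC setup mentioned above, as an added example that is not the author's planned utility: it binds the OpenDNS Family Shield resolvers (208.67.222.123 and 208.67.220.123) to every physical adapter, so they apply on whatever network the PC joins, and then checks that filtering is in effect by comparing answers from Family Shield and the standard OpenDNS resolver. The test domain exampleadultsite.com is an assumption here; substitute any domain you expect to be blocked. It needs an elevated PowerShell session and network access.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's planned utility: bind the OpenDNS Family Shield
# resolvers to every physical adapter, then confirm filtering is actually applied.
$FamilyShield    = @('208.67.222.123', '208.67.220.123')  # Family Shield resolvers
$OpenDnsStandard = '208.67.222.222'                       # standard OpenDNS, no adult filtering by default

function Set-FamilyShieldDns {
    foreach ($Adapter in Get-NetAdapter -Physical) {
        # Overrides any DHCP-supplied DNS servers on this adapter, for every network it joins
        Set-DnsClientServerAddress -InterfaceIndex $Adapter.InterfaceIndex -ServerAddresses $FamilyShield
        Write-Host ("{0}: DNS servers set to {1}" -f $Adapter.Name, ($FamilyShield -join ', '))
    }
    Clear-DnsClientCache   # drop answers cached from the previous resolver
}

function Test-FamilyShieldDns {
    # Assumed test name (substitute any domain you expect Family Shield to block)
    param([string]$Domain = 'exampleadultsite.com')
    $Lookup = {
        param($Server)
        (Resolve-DnsName -Name $Domain -Type A -Server $Server -ErrorAction Stop |
            Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress | Sort-Object) -join ','
    }
    $Filtered   = & $Lookup $FamilyShield[0]
    $Unfiltered = & $Lookup $OpenDnsStandard
    # A blocked name gets the block-page address from Family Shield, so the two
    # answers differ only when filtering is being applied to it.
    [pscustomobject]@{
        Domain       = $Domain
        FamilyShield = $Filtered
        Standard     = $Unfiltered
        Blocked      = ($Filtered -ne $Unfiltered)
    }
}

Set-FamilyShieldDns
Test-FamilyShieldDns | Format-List
```

If Blocked reads False for a domain you expect to be filtered, check that no other software (a VPN client or a browser's own DNS-over-HTTPS setting) is bypassing the adapter's DNS servers.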

Comment below if you have any questions!

Simple Steps toward a Safer Online Experience

Although the Internet offers the most amazing resources for research, education, information, and media, we are all aware of how ugly it can be. However, in this day and age our impressionable children are some of the most reliant on the internet for their daily lives. Everything from education to entertainment is centered on the internet. I am an IT Dad. I have made it my life to be in touch with technology, and my children hate it. I impose restrictions on them that many parents do not know are possible. I am currently working to educate others and make them aware of how easy some of these changes are to implement. Future posts will touch on some basic filtering technologies, and how to limit access via time limits and curfews. Where possible I will be including instructions, videos, and access to utilities to help others safeguard their children while online.