As a parent, and a technologist, I struggle with creating a safe online experience at home. I’m constantly playing with different technologies – hardware and software – trying to find a healthy configuration that will give me a higher degree of confidence inside my trust zone.
I am specifically thoughtful about what my kids will see as they traverse the web. I want them to explore, but I’m also very concerned about what the web will throw at them. As a technologist who specializes in web security, I’m specifically concerned about the threats that web-based malware poses – specifically things like drive-by downloads delivered via malvertising or malicious injections inside otherwise benign sites (i.e., hacked sites). There are a number of different tools I’ve played with over the past year and a half, things like OpenDNS, Disney’s Circle, Cloudflare’s 1.1.1.1, and CleanBrowsing.
Understanding the Technology (Context)
OpenDNS, Cloudflare’s 1.1.1.1, and CleanBrowsing are what you call Domain Name System (DNS) resolvers (a.k.a. DNS lookup). This is the thing that keeps the web running. Every time you type the address of this website, perezbox.com (a.k.a. a domain), these DNS resolvers work together to navigate your request to a web server somewhere in the matrix. Without these “resolvers,” our browsers (e.g., Chrome, Firefox, Safari, etc.) wouldn’t know where the website is located. This would render a blank page on your browser. Think of them as a traffic control center, matching the domains to their appropriate address (e.g., 18.104.22.168).
The Disney Circle application is a little different. It’s a combination of hardware and software. They seem to have a partnership with Netgear that facilitates a seamless integration, which is really nice. Unlike the DNS resolvers, they use something called Address Resolution Protocol (ARP) spoofing. It’s a technique used by bad actors to mirror devices on a local network (e.g., your home), but, as demonstrated by the Disney Circle solution, it can also be used for good. This is especially important because when you’re working with DNS resolvers you fail to achieve the granularity you might want – e.g., device-level control. In other words, with a DNS-based control I can apply blanket profiles to devices on the network, but with something like Circle I can say, “shut off Tony’s access to the web at 11:00 pm.”
If you use a Netgear device (e.g., router) you shouldn’t need the Circle device, and should be good to use the Circle app on your device with no physical device.
There are other solutions you might have heard of; a very popular one is the Eero device. It offers a lot of similar controls you’ll find with the Circle device: a heightened degree of control over devices on your network, including customizing device profiles like the example above.
A Safe Browsing Experience At Home
Today my configuration is a combination of hardware and software. I use the CleanBrowsing DNS resolver and the Circle app, coupled with an Orbi router by Netgear.
I landed on the CleanBrowsing platform because of its advanced profiling features. OpenDNS has been lagging significantly in its product development and innovation since its acquisition by Cisco, which makes sense as they’ve shifted their focus to the enterprise. Cloudflare’s 1.1.1.1 is a great resolver, but if you require customizations it’s practically impossible (and we always need a higher degree of granular control). The CleanBrowsing team is a relatively new player on the scene; they have been around for a year and a half or so, and they seem to be employing a similar model to what OpenDNS did when they were first established.
Their real differentiation comes in the form of their granular content filtering controls. For example, here are the various categories at my disposal:
I am especially impressed with their ability to control ads & tracking and malicious sites, something that many other DNS resolvers have not been able to get right. For you techies, in addition to standard DNS, they also support DNSCrypt, DNS over HTTPS, and DNS over TLS. Pretty sure they are one of the first ones to do this. Kudos to the team for that!
There was a really great report speaking to the platform’s effectiveness against phishing and malware distribution that helped give me more confidence.
DNS can be an important part of your security and act as a first line of defense against phishing and other malicious activity. CleanBrowsing was the #1 provider in my tests, followed by Quad9 and OpenDNS in second (they did well in different areas). – Nykolas Z
These are the three tests Nykolas ran against the more common DNS Resolvers. These results were extremely important for me. Here is a simple way to translate this:
- Not blocked => Means the provider did not effectively block the site. This means that if someone on your home network would have visited the site, they could have fallen victim to a Phishing campaign.
- Blocked => Means the provider did block the site. This means that if someone on your home network would have visited the site, they would not have fallen victim to the Phishing campaign.
Why was this important to me? Because my kids spend a great deal of time clicking through sites looking for games, points and other similar activities. It’s very easy for them to accidentally click something they shouldn’t; couple this with a website owner’s general lack of security hygiene and I prefer not to leave things to chance.
Test 1: Openphish — Mixed bad stuff
Test 2: Phishtank — Real time bad stuff
Test 3: Phishtank — Old bad stuff
I couple the DNS resolver with the Circle app.
Because I use the Netgear Orbi router, it’s already built into the router, which makes the configuration seamless. Download the app to your phone and follow the prompts (it will require admin access to your router). The navigation will help you configure unique profiles.
I set up my profiles by each kid; I only have three, so it’s easy. Yes, it’ll require some time for the name of each device to show up, so be patient. You’ll want to align each of the devices with the right profile. This will become important when you’re trying to configure unique profiles (e.g., you might want to shut off access to the web for your 7-year-old at 9 pm on a weekend, and 10 pm for your pre-teen). Feel free to get creative.
Once you set up the profiles, it’s a seamless process.
I especially like the Circle App to control web usage for my kids, and I leave the heavy lifting of security and content filtering to CleanBrowsing.
The Circle app allows similar content filtering features, but the CleanBrowsing product gives me a higher degree of control and confidence across the entire network. There are unique features I like about CleanBrowsing, especially the ability to set Google, Bing and YouTube to Safe Mode by default, overriding whatever the local configuration is, and the ability to traverse the network to public networks on any device (a write-up for another day).
Safe Web Experiences Are Our Responsibility
We live in an increasingly connected world. We have new generations that are being raised never being exposed to a world that isn’t connected. This is a new precedent, and as parents we have a responsibility to keep up with the change. If you are relying on big tech to do this for us (e.g., Google, Facebook, etc.), you’re wrong.