This is perhaps the easiest means for a home user to configure, and is one of the tools often used by larger censorship projects.
The DNS system is (simply put) much like an address book, networks deal with IP addresses (i.e. 192.168.1.1) but we often deal in URL’s (i.e. www.google.com). DNS translates our URL to an IP. So the way DNS filtering works, is it ‘lies’ about the address for a blocked site, often leading the user to a page warning them the requested resource was filtered
So for example, although www.mynaughtysite.com may have an IP of 126.96.36.199 the DNS server might return 188.8.131.52 to prevent access to the site.
This option is available to home users through services such as OpenDNS.com (free to use) and offers a range of filtering categories (porn, gambling etc.) but it’s not a magic bullet, and here’s why;
If we slip into teenager mode, we want to access mynaughtysite.com but it’s been blocked using DNS filtering. Here are the steps to bypass (and don’t think a teenager can’t work it out!);
Access dnsquery.org (or run a web-search for “IP Address lookup”)
Enter mynaughtysite.com into the “DNS Record Query” box (use Google.com if you want to test it)
We now have the IP address for the site we want to access
Copy that IP into the address bar and browse to your heart’s content.
Now for some sites, this won’t work because links are coded to force use of the URL (web address). There is however a way around this too;
Open your computers HOSTS file in a text editor
Enter the IP address we retrieved earlier followed by a tab and the web address
There’s not a huge amount you can do to prevent this, you can make sure your kid doesn’t have the permissions to write to the hosts file but that just means they need to do everything manually.
Content-filtering is needed to catch the pages that get past the DNS filtering, or indeed are forced past the DNS filtering by your kid!
Beloved of the Chinese Government, content filtering examines the page as/before it loads and searches for keywords that might trigger a block.
You can either run content-filtering software on the PC your child is using (the common home approach), or run all connections through dedicated hardware (the corporate approach).
Generally content-filters suffer from two main problems;
They miss things
They get bypassed
When dedicated hardware is used, simply using an encrypted connection is sufficient to bypass the filter (i.e. using https instead of http). Of course, the hardware can be configured to allow it to see encrypted streams but no-one would want an Internet Service Provider or the Government to actually do this!
If it were to happen, the ISP/Government would be able to more effectively filter porn etc. but they (and all their employees) would also have the capability to see your passwords, Internet banking and all the other things you might like to keep secure.
This actually happens already in the criminal world and is known as a Man In The Middle Attack.
So, on the national censorship level accessing https://www.mynaughtysite.com instead of http://www.mynaughtysite.com is likely to remain a viable way to bypass the filters for the foreseeable future.
Software installed on the users PC can be very effective, but it does also put it in reach of those who have an interest in disabling it. Most of this software is unaffected by the use of an encrypted connection, but can instead be more readily tampered with.
This becomes even more apparent if you choose to use the same password for it’s settings as you do anything else – Kids aren’t stupid, they will try every one of the passwords that they know you use.
If you make the mistake of letting your kid have an Administrator account, they may also choose to just completely disable the software. They don’t necessarily need to access the software itself to achieve this - in Windows simply disabling the service is often sufficient;
So again, whilst it may seem effective content-filtering can quite easily be circumvented with very little research.