Blog

New CleanBrowsing Apps Released

We are constantly reminded that what we think is “easy” isn’t necessarily the case for everyone, and we take that for granted. In an effort to improve that thinking, we have devoted a majority of the first quarter to updating the apps for key platforms in an effort to improve your experience.

Tech talk: CleanBrowsing is a DNS-based filter that allows you to create an internet experience that best conforms with your beliefs and rules. Technically, it does not require software to be installed. It can also be installed at your router to cover the entire network. It can be enabled on any device that allows DNS to be configured.

Summary of Apps Updated

Here is what you can expect with each update:

Device: Updates

Windows
  • Rebuilt the app;
  • Fixed numerous bugs, including the load issue post-installation;
  • Introduced new “password” setting;
  • Leverages Encrypted DNS (DOH);
  • Available Direct Download

MacOS
  • Rebuilt the app;
  • Fixed numerous bugs, including the uninstall issue;
  • Addressed instability issues with networks;
  • Leverages Encrypted DNS (DOH);
  • Removes the need to track public IPs;
  • Available in App Store

Android
  • Rebuilt the app;
  • Introduced new password option;
  • Introduced Encrypted DNS (DOH);
  • Available in Play Store;

iOS
  • Continuous bug fixes;

Another important update to the apps is that they all now use a simplified key to enable the custom filter (paid accounts). That key is found in the settings page of every account dashboard.

If you use the app on your devices, we encourage you to visit the different pages to update your device appropriately.

Utah Passes Legislation to Restrict Content on Mobile Devices

Congrats to Utah for passing new legislation (H.B. 72) that introduces a “default-on” filtering mechanism for pornographic content on devices sold in Utah.

This bill establishes filter requirements and enforcement mechanisms for tablets and smart phones activated in the state on or after January 1 of the year following the year this bill takes effect. (Description of HB72)

The bill is tailored towards minors and has the following requirements:

  • Filter must be enabled at activation (today it is a default off, the user has to enable);
  • The device must prevent the user of the device from accessing material that is harmful to minors on the devices;
  • The device must enable certain users to deactivate the filter for the device for specific content;
  • The device must notify the user when the content is filtered;
  • Device makers must introduce a way for the AG to bring a civil action against the manufacturer if the device doesn’t allow this;
  • Introduces a $10 penalty for each incident;

The effective date is the 1st of January of the year following the bill passing, which means January 1st, 2022.

It’s going to be interesting to see if other states take similar action, and specifically how manufacturers are going to respond. Stay tuned!

Apple Makes Managing Kids Devices Easier with “Apple for Kids”

One of the most popular mobile platforms, iOS by Apple, has taken a big step forward in emphasizing the tools parents have at their disposal to more easily manage their child’s devices, with the introduction of “Apple for Kids”.

Although this feature to manage family accounts was introduced in iOS 8, many parents often struggle with deploying and managing the feature. This new portal seems to be designed to simplify and aggregate all the content a parent might need when managing their child’s device[s].

Some of the things you’ll be able to find on this portal include things like:

But it also highlights important features you might not be aware of, like:

We really like the steps Apple is taking here to pull this to the forefront. For too long it felt like an afterthought, and we have worked with numerous parents struggling with what many might consider a simple task. Introducing a page wholly focused on educating parents is amazing, and we hope others will follow suit.

Take some time to play with their portal and feel free to share with them on ways they can improve to better serve parents.

The Importance of Public IP’s on the CleanBrowsing Platform

CleanBrowsing works at the network level, specifically via the Domain Name System (DNS).

Via DNS, we can intercept outgoing requests and make a determination if it should be accessible based on the rules created in your account.

  • Do you allow social media? Should we allow Twitter?
  • Do you allow adult / pornographic content? Should we allow pornhub?
  • Do you block mixed content? Should we block reddit?

Basic Example of how Content Filtering Works with Porn

The power of working at the network level is it makes the service agnostic to any specific platform (e.g., Nintendo, TV, Desktop, Notebook, Linux, Mac, Windows, etc…). If a device connects to the network, it undoubtedly makes use of DNS.

The down-side of the network is we’re limited to the network, and cannot see what is happening at the device level. This will make more sense in a bit.

Public vs Private IP’s

Every network has a public and private IP. The public IP’s are issued by your Internet Service Provider (ISP), while the private IP is issued by the router on your network.

The illustration below shows you what this means:

In the illustration above we share these values for IP’s:

  • Public IP: 192.190.254.34
  • Private IP: 10.0.0.1, 10.0.0.2, etc…

Yes, every device has a unique IP, but that unique IP is issued by the Dynamic Host Configuration Protocol (DHCP) on your router, while the public IP is issued by the DHCP on the ISP’s router to your router.

The public IP is considered to be part of the Wide Area Network (WAN) while the private IP is part of the Local Area Network (LAN). The LAN is comprised of your desktops, notebooks, laptops, phones, printers, etc. The outside world can’t see them, hopefully, but you can from inside the network.

CleanBrowsing DNS and Public IPs

When using the free filters the toughest part of the job is updating DNS on the device. When you use our paid plans, things change. The platform doesn’t know where to apply the rules; it’s why public IP’s matter.

Every time you create a profile in your CleanBrowsing account you get issued a new set of shared DNS IP’s.

They look something like this:

  • Primary DNS: 185.228.168.135
  • Secondary DNS: 185.228.169.135

These IP’s are IPv4, and shared. That means other users are leveraging the same IP pair. No, this does not present a security issue. But it presents a problem in which we have to figure out where to apply the rules. We do this by binding the DNS pair issued in a profile to the public IP recorded in the account.

Building this relationship is a critical step. Without it, the system doesn’t know where to apply the rules.

In addition to the IPv4 values, we also issue IPv6 values. Because IPv6 is unique, it doesn’t require a public IP to be recorded. If you have the ability to deploy IPv6, and disable IPv4, we encourage that, but it’s highly unlikely to have a whole network that is only operating off of IPv6. It’s why this article focuses on IPv4.

Public IP’s Can Be Dynamic

A public IP changing is the number 1 reason a service switches from “active” to “inactive”.

The big challenge with our approach is when public IP’s are updated, which happens. Because of the shortage of IPv4 addresses, ISPs have a tendency to rotate public IP’s frequently. This is especially true on residential services, but can occur with commercial ones as well.

The two leading reasons include:

  • The router is rebooted;
  • The ISP dynamically does it at some set frequency (e.g., daily, monthly, annually);

An ISP can issue a static IP, but that might come with additional costs and has to be requested.

Another approach is to keep your public IP updated via our Dynamic Device links. We have written guides to help you in the process (Generic, Windows, Mac).

Because all devices share the same public IP on the same network, you only need to update the IP from one device and it will affect the entire network.

Alternatively, most routers employ a Dynamic Device option with a third-party (e.g., No-IP, DynDNS). We allow those services to be used in all paid accounts as well.
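The binding between a shared DNS pair and a public IP, and what happens when that IP rotates, can be sketched as a small model. This is an added example, not CleanBrowsing's code: the DNS pair and the first public IP are the sample values from this article, while the class, the profile names and the other addresses are constructed for illustration.

```python
from ipaddress import ip_address

# DNS pair and first public IP are the sample values shown in this article;
# the other addresses and the profile names are constructed for the example.
DNS_PAIR = ("185.228.168.135", "185.228.169.135")


class SharedResolver:
    """Toy model of a shared filtering resolver (hypothetical, not the real service)."""

    def __init__(self):
        self.bindings = {}  # (resolver IP, client public IP) -> profile name

    def bind(self, dns_pair, public_ip, profile):
        for dns_ip in dns_pair:
            self.bindings[(ip_address(dns_ip), ip_address(public_ip))] = profile

    def update_public_ip(self, dns_pair, old_ip, new_ip):
        # What a dynamic-IP update amounts to: move the binding to the new address.
        for dns_ip in dns_pair:
            profile = self.bindings.pop((ip_address(dns_ip), ip_address(old_ip)))
            self.bindings[(ip_address(dns_ip), ip_address(new_ip))] = profile

    def profile_for(self, dns_ip, source_ip):
        # The resolver only sees the post-NAT source address of a query.
        # None means no binding matched, i.e. the service shows as "inactive".
        return self.bindings.get((ip_address(dns_ip), ip_address(source_ip)))


def simulate():
    resolver = SharedResolver()
    resolver.bind(DNS_PAIR, "192.190.254.34", "family-home")
    resolver.bind(DNS_PAIR, "198.51.100.20", "other-customer")

    results = {}
    # Every LAN device (10.0.0.1, 10.0.0.2, ...) leaves the router with the same
    # public source IP, so they all land on the same profile.
    results["before"] = resolver.profile_for(DNS_PAIR[0], "192.190.254.34")
    # Same shared DNS pair, different public IP: a different account's rules.
    results["other"] = resolver.profile_for(DNS_PAIR[1], "198.51.100.20")
    # The ISP rotates the address: same devices, same DNS settings, no match.
    results["rotated"] = resolver.profile_for(DNS_PAIR[0], "192.190.254.77")
    # One update from any device on the network repairs it for all of them.
    resolver.update_public_ip(DNS_PAIR, "192.190.254.34", "192.190.254.77")
    results["updated"] = resolver.profile_for(DNS_PAIR[0], "192.190.254.77")
    results["stale"] = resolver.profile_for(DNS_PAIR[0], "192.190.254.34")
    return results


if __name__ == "__main__":
    for step, profile in simulate().items():
        print(f"{step:8} -> {profile or 'inactive (no binding)'}")
```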

Public IP’s Don’t Always Matter

Public IP’s don’t always matter, and it really comes down to how CleanBrowsing is deployed on the network. Here are a few instances where the public IP no longer matters:

The free filter, by design, applies rules to anyone that uses it, which is why the public IP doesn’t matter.

The other options mentioned make use of the latest in DNS encryption (e.g., DOH, DOT) to create unique stamps. These unique configurations allow us to know exactly where to apply specific rules without the public IP value.

What is my Public IP?

If you’re curious what your public IP is, simply use our debugconnection.com site. It will look something like this:


We hope this article helps, but if you have any further questions please leave them in the comments or send them to us via email at support@cleanbrowsing.org.

Allow and Disallow Apps Using CleanBrowsing

Every paid dashboard offers its user the ability to easily tune a network to a desired end state. What CleanBrowsing offers is a foundation to build the desired family friendly network.

CleanBrowsing, like most other networking tools, may require some tuning. This is especially true when it comes to apps: what one customer finds acceptable is not always what another does. To help with this, we don’t dictate what apps can be allowed, but we do provide the tools to help enforce whatever rules a user finds appropriate.

Example: Allowing and Disallowing Discord

To help illustrate what we mean, let’s look at the Discord app. This is a very popular app used to communicate by a lot of people in the gaming industry, making it extremely popular amongst kids.

For most non-technical consumers, what you see as the face of the product is discord.com. This only scratches the surface of what is really happening every time the app is used on your network.

A CleanBrowsing user might think to whitelist: discord.com but find that they are unable to access, communicate or update the app. The reason is because of the various other forms of communication the app is making.

For instance, in the case of Discord you would have to either allow, or disallow, the following domains to ensure the app continues to function as desired:

  • discord.com
  • discord.gg
  • discord.media
  • discordapp.com
  • discordapp.net

The same is true for a number of other apps. Regardless of the app, you have the ability to use the Custom Allow feature in your dashboard to add every domain associated with any app:

The easiest way to find the domains associated with a specific app, or service, is to a) contact the developer of the app or service, or b) perform a basic Google search for “[app name] domains to block on dns”.

Some of the more common apps have already been resolved, and others will require a bit more work. You also have the ability to use the Activity dashboard in your account to isolate outbound requests, or contact us at support@cleanbrowsing.org for some help.
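To see why allowing discord.com alone is not enough, the following added example (not part of the CleanBrowsing product) audits a list of observed DNS queries against an allow list. The five Discord domains are the ones listed above; the query log, the hostnames in it and the function names are constructed for illustration.

```python
# Base domains from the list above.
DISCORD_DOMAINS = {"discord.com", "discord.gg", "discord.media",
                   "discordapp.com", "discordapp.net"}

# Constructed sample of outbound queries, as an activity log might show them.
SAMPLE_QUERIES = [
    "discord.com",
    "gateway.discord.gg",
    "cdn.discordapp.com",
    "media.discordapp.net",
    "Voice.Discord.Media.",     # mixed case, trailing dot
    "notdiscord.com",           # look-alike, must not match discord.com
    "discord.com.example.net",  # allowed name used as a prefix, must not match
]


def normalize(name):
    return name.strip().rstrip(".").lower()


def matching_rule(qname, rules):
    """Return the rule covering qname (exact match or subdomain), else None."""
    labels = normalize(qname).split(".")
    # Compare whole labels, so "notdiscord.com" never matches "discord.com".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return candidate
    return None


def audit(queries, allow_rules):
    """Split queries into (allowed, blocked) for a default-deny allow list."""
    allowed, blocked = [], []
    for q in queries:
        bucket = allowed if matching_rule(q, allow_rules) else blocked
        bucket.append(normalize(q))
    return allowed, blocked


def missing_rules(queries, allow_rules, app_domains):
    """App base domains seen in the log that the allow list does not cover yet."""
    missing = set()
    for q in queries:
        if matching_rule(q, allow_rules) is None:
            hit = matching_rule(q, app_domains)
            if hit:
                missing.add(hit)
    return sorted(missing)


if __name__ == "__main__":
    allowed, blocked = audit(SAMPLE_QUERIES, {"discord.com"})
    print("allowed:", allowed)
    print("blocked:", blocked)
    print("add:", missing_rules(SAMPLE_QUERIES, {"discord.com"}, DISCORD_DOMAINS))
```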

Other known examples include:

Stop Browser Hijacks with CleanBrowsing

Although we spend a lot of time talking about the benefits of content filtering and how CleanBrowsing can help, there is a hidden benefit that comes in the form of a DNS Firewall that immediately helps any user that leverages the CleanBrowsing DNS Resolver.

To help illustrate how a DNS firewall works, we’ll use Browser hijacking as an example.

What is Browser Hijacking?

Browser hijacking is exactly what the name implies: a bad actor takes control of your local browser settings by injecting their preferred settings.

The most common action is when you initiate a search in Google, the results are returned via a Search Engine Result Page (SERP) that looks like Google, but is far from it.

This type of attack is extremely valuable to bad actors, who monetize it via ads and unsuspecting online users. While most are benign in the sense that they are abusing the ad ecosystem, some can be used for more malicious purposes (e.g., malware droppers, stealing sensitive information).

Practical Example – MyPrivacyKeeper Hijack

MyPrivacyKeeper Browser Hijacking

This is the exact scenario a customer was recently faced with. They engaged us frustrated that we were blocking their search queries. But what they failed to realize is that the CleanBrowsing DNS Firewall was doing its job, stopping them from accessing a domain intent on doing harm.

If you find yourself dealing with this hijack, don’t fret. MalwareTips has a great guide on how to remove it, and MalwareBytes works extremely well at identifying and removing all forms of browser hijacks.

DNS Firewall – The Complementary Security Control

The example above is a real-world example of the benefits of a DNS firewall, but the examples don’t stop there.

Via the CleanBrowsing DNS we have been able to help organizations a) identify infected networks, b) eradicate those infections, and c) help create safe networks for all their users.

We do this by helping them take a proactive approach to mitigating the risk that comes with curious users that click on links, and also by helping them harden their network to monitor their outbound communication.

Example of how DNS Firewall can be used to Protect Your Network

Technically, it all happens at the resolver level, where we’re able to see the requests being made and apply specific rules based on what an organization defines as their acceptable use policy. This feature is built into the CleanBrowsing platform by default, and is not restricted to large organizations (i.e., all users, including parents, have it by default).

The Domain Name System (DNS) is a critical piece of how the internet works. It is often underutilized as a defensive security control, but it’s highly effective. We encourage you to think about how it might help augment your security program.

Configure with Merlin for ASUS

If you have an ASUS router you have the good fortune of being able to use the Merlin image for your router. This image is built on DD-WRT, and exposes a number of really cool features that aren’t always available with a vanilla router OS.

A couple of cool features include:

  • Prevent DNS changes on local devices, and force your preferred DNS on your network.
  • Forcing DNS-over-TLS for secure DNS communication;

Prevent Local DNS Changes

One of the really cool features is your ability to force the DNS of your choice on your LAN. You do this via the LAN > DNSFilter settings page.

Here you want to turn ON the “Enable DNS-based Filtering” option, choose “Router” as your filter mode, and enter the DNS pairs we provide in your dashboard.

Apply the settings and it should reset your connection.

What’s really cool about this feature is it doesn’t just kill the DNS connection, it redirects it. The user doesn’t experience interrupted service, instead it responds as you would expect but with your predefined settings.

Nifty!

Encrypt your DNS with DNS-over-TLS (DOT)

Another really neat feature is the ability to use DOT for encrypted DNS communication.

You configure this via this settings page: WAN > Internet Connection

From there, scroll down until you get to the WAN DNS Setting section. Here you want to make sure a few options are selected:

  • Connect to DNS Server automatically: NO
  • Enter Primary and Secondary IP’s (provided in dashboard)
  • Forward local domain queries to upstream: YES
  • DNS Privacy Protocol: DNS-over-TLS (DoT)

Add your DOT server to the table under “Preset Servers”, and leave the drop down empty.

You will use the DOT stamp provided in your dashboard that reads: DNS over TLS (Private DNS for Android)

The IP you want to use is the IP of the domain, not the one in your account. You can find it by doing a basic host lookup:

host custom79xxxxxxxxxxxxxxx5.dot.cleanbrowsing.org

Which would give you an output like this:

custom79xxxxxxxxxxxxxxx5.dot.cleanbrowsing.org has address 185.228.168.199

How To Configure CleanBrowsing

This article is for non-technical users, specifically individuals that understand that the web is vast, but want technology to help them filter out the noise.

Whether you’re looking to work with our Free or Paid filters (learn the difference), how you configure CleanBrowsing is almost always identical.

Know the Desired End State

Focus on your desired end state. Are you doing this for a home? Are you doing this to protect all the devices you own? Are you doing this for yourself? Understanding the desired end state will help guide you in making the right deployment decision.

This matters because it helps you think through your deployment strategy. For instance, if you want to cover your entire home we always recommend starting at your router (we have a number of guides to help with this). But if you’re concerned with mobile devices (like phones) moving around you might want to augment that set up with local configurations as well.

We prepared an article to help you think through this process – Where Should I Configure CleanBrowsing?.

CleanBrowsing is a Networking Solution

First, CleanBrowsing is a networking option and depends on something known as the Domain Name System (DNS) to function. What this means to you is that any device (e.g., mobile phone, computer, TV, refrigerator, server, etc…) that connects to the internet can be configured to use this service as it almost always uses DNS.

All configurations can always be done manually as long as whatever device you’re working on has a network settings option. Where this is located is going to be highly dependent on the device you are using.

Second, not all devices are created equal. Just because a device shows you a network settings option doesn’t mean that the software that powers that device respects the changes.

Third, in most instances it can take as little as 5 minutes to configure. It typically does not require an app to be configured, but we do offer a few for the more common platforms. It can, however, take a bit longer depending on what is going on with your device and network.

The more common issues arise when you have multiple content filtering services running, your ISP has network restrictions that prevent changes, or the configuration is incorrect (adding the DNS in the wrong sections).

Getting Started

This is not to dishearten any users. It is to set a basic foundation, and level set expectations, in the hopes of helping to make your experience seamless. To assist, we’ve prepared guides to help you configure the Free and Paid service.

If you have any questions, you can reach us on this community forum or via email at support@cleanbrowsing.org

Configure CleanBrowsing w/Mosyle (DOT)

This article is specific to organizations that leverage the Mosyle Mobile Device Management (MDM) to manage their Apple OS fleet (e.g., iPhone, iPad). It will show you how you can solve your content filtering needs with Mosyle by leveraging the CleanBrowsing content filtering platform.

Note: This option is available to devices on iOS 14.

DNS-over-TLS (DOT) Integration

The release of iOS 14 introduces a few new encryption options for DNS and DOT is one of those options.

Other options are available:

The configuration will be deployed via the DNS Filter option (Management > DNS Filter).


Step 1: Click on DNS Filter in the navigation menu

Step 2: Create New Profile

Step 3: Select the “TLS” type for DNS protocol, and fill in the custom URL we provide in your accounts page.

At the bottom of the settings page, assign it to your device, or user.

Step 4: Enable the new profile

If you have any questions, please reach out to our support team at support@cleanbrowsing.org.

If you are an MDM provider and want to ensure your customers can successfully deploy content filtering via your platform send us an email at support@cleanbrowsing.org.