Internet access control

June 25, 2019

As a parent in today's device-centric world it is a daily struggle to balance the kids' device time. Here is the approach I've taken to handle this problem.

Introduction

Devices (iPad, Xbox, smart TVs, iPhones, computers, etc.) are both a blessing and a curse. While they provide an endless amount of resources for whatever your media consumption needs might be, they can definitely eat too much time. I think every parent can relate to the constant, ongoing struggle of balancing device time against other activities: homework, after school, sports, friends, etc.

While there are probably several ways to handle this, I would guess time is the single most used metric to control device usage. You can have a check-in/check-out system where the kids request a device check-out and you track time in a ledger (be it on paper or in Excel; the principle is the same). You can use the parental settings on the device, or a service on your internet access gateway. Or a combination of everything.

Device parental settings

We started out using the screen time settings on the devices to control our kids' usage; the primary reason was YouTube. We left the common messaging apps open so that our kids could send us messages even after screen time was up.

(Screenshot: screen time settings)

It didn't take long before my son had figured out ways around the block. It turned out our son was sending a lot of messages to a friend of my wife, each message in the form of an embedded YouTube video. This way he could watch YouTube after screen time was up. I have to admit it was quite a clever way to circumvent the protection; I wasn't aware of it as I never used the functionality myself. Once we decided to block ALL applications that problem went away, until we realized he knew the parental lock code and extended the time as he wished.

A different method was needed.

Internet gateway

Basically every home is connected to the internet through a single point: the internet access gateway. Your wired and wifi connections all have to pass this single point. What if we could introduce something at this point to control internet access in a similar manner as on a device?

I looked around for solutions to block devices and sites. There are a number of options out there to block sites and to control internet access, but I couldn't find any solution giving me fine-grained enough control. What I wanted was:

  • Per device, block based on a list of sites or a generic time ban
  • Per site, block a specific list of devices (as a bonus, this can be used as an ad-blocker)
  • Ban a device completely

There are many solutions out there providing one or more of these features (like https://pi-hole.net/), but I couldn't find anything providing the whole package. Most of these solutions use a DNS proxy method to achieve blocking. This works for more or less every application out there. There are some notable exceptions, Skype, FaceTime, etc.; these applications seem to have their own DNS handling in case the DNS provided by the network fails.

DNS Functionality

The purpose of DNS is to translate names to numbers. Machines understand numbers, and numbers can be subject to mathematical operations. Hence, when you type www.google.com (a domain name) in your browser, the browser will ask the Domain Name Service (DNS) what the corresponding number is. The DNS server will look it up and respond with something like 1.2.3.4. The browser will use that number for the actual communication.

DNS Proxy

A DNS proxy is basically just software running on a machine that receives DNS requests, applies some rules to each request and passes it on to a DNS server if the rules allow it. A DNS proxy doesn't stop internet access per se: you could still use IP numbers directly, and if you distribute DNS settings on your network via DHCP one could override them with different settings providing unfiltered DNS. However, my kids' knowledge of how the internet works is not that big. Letting the DHCP server (the router in my case) distribute the DNS server setting along with the rest is perfectly fine.

The DNS proxy needs to see the IP number of the client talking to it. Otherwise we cannot apply per-client rules.

Gateway with DNS settings

Finding a gateway with proper DNS control was not the easiest. It turns out that many of the consumer-grade gateways (like Netgear) do supply a DNS setting, but they always hand out the router itself as the DNS server, and the router then forwards these requests to whatever your settings say the DNS server is. This won't work, as our DNS proxy would only see the router's IP number.

After a bit of searching I decided to buy a small business router from Ubiquiti; I wanted their access points for seamless wifi in the house anyway. The UniFi USG supports proper DNS settings in its network configuration section.

(Screenshot: UniFi DNS settings)

By pointing the DNS to my proxy I can now properly intercept every DNS request and filter it.

Device Names and DHCP

One problem that quickly became obvious was that DHCP gives out dynamic IP addresses, meaning a client device can be given a new IP whenever the IP lease expires (or it is switched on/off). It is possible to lock the IP address of a client in the UniFi control panel, but it is still a hassle to remember which device has which IP, especially in a house with a lot of devices. Instead I wanted to use the client name list from the UniFi Controller.

(Screenshot: UniFi client list)

Luckily for me there is an API available for the UniFi products. I guess this is another thing that sets them apart from pure consumer-grade products. For instance, Netgear has an API but it's undocumented; you can find people who have reverse engineered it, but it's neither supported nor documented by the manufacturer. Having a properly supported API makes it easier to integrate with 3rd-party applications, like the DNS proxy.

Rules

Now that all the pieces were coming together it was time for the rules. There are two sections for the rules:

  • Device based
  • Domain based

Device-based rules are good for things like time control, while domain-based rules are good for blocking multiple devices per domain (like blocking the TV and Xbox from reaching YouTube).

There are five different types of rules:

  • None, no rule; explicitly reverts to the default
  • Pass, allowed; used to explicitly allow devices or domains
  • Blocked Device, the device is banned from the domain or from the internet at all times
  • Site Ban, the device is banned from the site
  • Time Span, block the device between certain hours

The DNS proxy also has a default rule; generally you will set this to Pass. However, if you want to cut off all network access you can set it to 'BlockedDevice' or 'SiteBan' (it wouldn't matter which) and then add a 'Pass' rule for a single device.

Example domain-based rule; this rule blocks the LG TV in our house from reaching youtube.com:

"Domains": [
    {
        "Name": "*.youtube.com.",
        "Hosts": [
            {
                "Name": "LGwebOSTV",
                "Rules": [
                    {
                        "Type": "ActionTypeBlockedSiteBan"
                    }
                ]
            }
        ]
    }
]

Example client time-based rule; this device is blocked between 10:00 AM and 2:00 PM (14:00). Outside that time span the device is allowed out on the internet:

"Hosts": [
    {
        "Name": "192.168.1.17",
        "Rules": [
            {
                "Type": "ActionTypeBlockedTimeSpan",
                "TimeSpan": "10:00-14:00"
            },
            {
                "Type": "ActionTypePass"
            }
        ]
    }
],
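To make the rule semantics concrete, here is a small evaluator, added for this write-up and not code from the dnsproxy project, that applies both example rules above to a (client, domain, time) query. The combined file layout with a top-level "Default" key, the first-match ordering with domain rules checked before device rules, and the exclusive end of a time span are my assumptions about how the proxy behaves, not documented behaviour.

```python
import json
from datetime import time
from fnmatch import fnmatchcase

# Constructed config fragment combining the two rules from the post. The
# top-level "Default" key and the evaluation order below are assumptions.
CONFIG = json.loads("""{
  "Default": "ActionTypePass",
  "Domains": [
    {"Name": "*.youtube.com.",
     "Hosts": [{"Name": "LGwebOSTV",
                "Rules": [{"Type": "ActionTypeBlockedSiteBan"}]}]}
  ],
  "Hosts": [
    {"Name": "192.168.1.17",
     "Rules": [{"Type": "ActionTypeBlockedTimeSpan", "TimeSpan": "10:00-14:00"},
               {"Type": "ActionTypePass"}]}
  ]
}""")

def in_span(span, now):
    """'10:00-14:00' contains now='11:30'; the end is exclusive (assumed)."""
    start, end = span.split("-")
    return time.fromisoformat(start) <= time.fromisoformat(now) < time.fromisoformat(end)

def host_action(hosts, client, now):
    """Type of the first applicable rule for `client`, or None if none applies."""
    for host in hosts:
        if host["Name"] == client:
            for rule in host["Rules"]:
                if rule["Type"] == "ActionTypeBlockedTimeSpan" and not in_span(rule["TimeSpan"], now):
                    continue  # outside its span a time rule says nothing
                return rule["Type"]
    return None

def decide(cfg, client, qname, now):
    """True if the query from `client` for `qname` at `now` ('HH:MM') may pass."""
    qname = qname if qname.endswith(".") else qname + "."  # config names are FQDNs
    action = None
    for dom in cfg.get("Domains", []):  # domain-based rules take precedence
        if fnmatchcase(qname, dom["Name"]):
            action = host_action(dom["Hosts"], client, now)
            if action is not None:
                break
    if action is None:  # then device-based rules
        action = host_action(cfg.get("Hosts", []), client, now)
    if action is None:  # then the proxy-wide default rule
        action = cfg.get("Default", "ActionTypePass")
    return not action.startswith("ActionTypeBlocked")
```

Note that `*.youtube.com.` as a shell-style glob does not match the bare `youtube.com.`; whether the real proxy treats the wildcard the same way is something to verify against its own matcher.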

I am afraid there is no user interface at the moment; you would have to use a text editor to manipulate the rules. This is a bit of a bummer and needs to change.

Statistics

The DNS proxy writes its output in a machine-friendly format. I use Node-RED (https://nodered.org/) to transform the output from the DNS proxy and write it to InfluxDB (https://www.influxdata.com), and then present the data with the help of Grafana (https://grafana.com/).

The Node-RED flow is very simple (screenshot: Node-RED flow).

The result looks like this (screenshot: active clients dashboard, showing the clients' access time).

There are quite a few things one can extract from the data. It's also interesting to see how active devices are when you don't touch them. You can also configure the proxy to block trackers (screenshot: Grafana top-blocked panel).

Conclusion

Does it work? Yes, very well, besides the little hurdle of changing the configuration. We have most trackers blocked (for everybody) and we can control when and how the kids access the internet. We also have the monitoring in place: we can see which sites they use, but not the content nor the exact URL (they deserve some privacy).

The DNS Proxy you can find at: https://github.com/gnilk/dnsproxy

It is not for everybody; you need to be fairly tech savvy to compile, configure and run it. If you are, and your internet access point allows it, then it's a decent tool.

If you are just looking to block trackers and similar, I would recommend pi-hole instead: https://pi-hole.net/



Written by Fredrik Kling. I live and work in Switzerland. Follow me on Twitter.