New platform release available

Posted May 23, 2016 by David Redekop to Feature

DNSthingy services are now available as a preview release that can be installed on pfSense® software from ESF.

The minimum system requirement is simply any existing pfSense® installation, version 2.3+. pfSense® is a platform chosen by many seasoned IT veterans who focus on managed gateways for a variety of business sectors. Based on FreeBSD, this platform’s strength is in its stability and subscription-free operating system. While DNSthingy is subscription-based, it is still a fit based on the high number of requests over the past while to offer our services on this platform.

For a preview-release installation and a free evaluation, simply contact our support team. We are looking in particular for more multi-WAN environments as well as usage of several VLANs with restrictive/hardened environments.

pfSense® is a registered trademark owned by Electric Sheep Fencing LLC and is used herein with permission.
More information about pfSense® can be found at www.pfsense.org.

Schedule Internet Access Rules

Posted April 12, 2016 by David Redekop to Feature

Did you know you can schedule your Internet access rules?

Here’s a screenshot of a sample schedule in use by one of our homeschoolers, designed to minimize distractions during the school day, while providing entertainment and social media access at specific times of the day:

Scheduled Internet Access

You can completely customize your own. Here are some typical use cases:

  • Your small business likes to keep staff focused on specific tasks during specific hours. Create a ruleset and a schedule that whitelists only required services for required times.
  • While the office is closed, no Internet access is required except for services such as operating system updates and online backups. Create a schedule in which these are the only services allowed during closed hours.
  • Not sure what your Internet-of-Things devices are doing? Schedule them to be online only when they’re in use.

Here’s a short 3-minute video to give you an alternate example:

Authoritative DNS made easy

Posted February 15, 2016 by David Redekop to DNS Feature

How often do you end up having to remember IP addresses to access internal resources such as a NAS or any of your IoT devices? Consider using names instead of IP addresses:

Before | After
By IP address | By memorable name
Example: http://192.168.1.10 | Example: http://MyNAS.local
Hard to remember | Easy to remember
Might change with a factory reset | Never needs to change
Incompatible with future network schemes | Never needs to change
Will need to change with IPv6 | Never needs to change

A better practice is to simply choose an easy-to-remember name and use your DNSthingy to create an authoritative list and enable it on your rulesets. After that, you’ll never have to remember the IP address. For example, if you had a NAS at 192.168.1.10 that you wish to access by various names, follow these steps:

  1. From DNSthingy.com/dashboard, log in and create a new authoritative list like this:
    Create an authoritative list
  2. Fill in the IP address and the full list of names you want to work, similar to this:
    Edit the list names
  3. Finally, enable the list in your rulesets so it looks like this:
    Authoritative list enabled

That’s it! You’re all set! Now you can always access your NAS via http://mynas.local or http://nas.local or http://yournas.local or http://newnas.local.

Important: this feature requires version 2.7.0, to which all subscribers and non-subscribers alike will be automatically upgraded.

Real SSL certificate on our firmware

Posted December 7, 2015 by David Redekop to Feature Security

Securing the world of Internet communications with self-signed SSL certificates has had an unintended consequence:

invalid certificate

We would like to undo this. The reason why prosumer-grade or even commercial-grade routers have never done this is two-fold:

  1. The nature of manual firmware upgrade cycles. Manufacturers have traditionally waited for the end-user to download and apply firmware upgrades.
  2. Certificates have an actual expiry date. Therefore, if the end-user does not upgrade the certificate (i.e. firmware), the certificate expires, in which case it’s even worse than a self-signed or unsigned certificate as some browsers don’t even allow for an override to continue.

Since DNSthingy firmware in prosumer gateways is upgraded without the option of opting out, it opened the door for us to include a real SSL certificate and at the very least contribute to the undoing of the comfort level of self-signed or unsigned certificates. When you access the gateway of any of our ASUS routers flashed with DNSthingy firmware and inspect the SSL certificate, this is what you will see:

mybox.management certificate

We recognize that this approach could be analyzed as a weakness insomuch as reverse engineers could capture the private key off any of our firmware devices. That means in combination with DNS poisoning in a man-in-the-middle scenario + possession of the private key, our domain mybox.management could be abused. However, the domain mybox.management is used nowhere else except on the devices themselves, and is irrelevant to our device-to-controller communications. From our perspective, the upside is dramatically more pronounced than the down-side.

In related news, we salute the efforts of letsencrypt.org’s sponsors to make SSL everywhere more accessible and affordable. Beta is now open to the public.

Avoid private DNS record leakage

Posted November 12, 2015 by David Redekop to DNS Feature

The nature of mobile devices that roam from site to site often means that private DNS records unintentionally leak out to the public Internet. For example:

DNS record OK to be publicly visible | DNS record that should remain secret
MailServer.YourCompany.com | YourSecretServer.YourCompany.local

As long as your devices stay on your business network, network information leakage isn’t a concern. However, let’s say a mobile device is set up at the office with an application that references YourSecretServer.YourCompany.local and then it is taken home by a team member.

As soon as the app is launched at home, the home router is asked:

Hi, where is YourSecretServer.YourCompany.local?

And, of course, it sends that request upstream to your Internet Service Provider. Even though the ISP cannot answer it, the DNS request (the question above) has been sent across the Internet in clear-text and is therefore subject to surveillance of the most trivial kind.

To avoid this type of DNS leakage, DNSthingy firmware never allows a DNS query to be sent to the Internet unless the queried name falls under a suffix on the Mozilla Public Suffix List, found at:

publicsuffix.org

In any and all foreign premises where DNSthingy answers DNS queries, when the query for YourSecretServer.YourCompany.local is asked, DNSthingy simply answers with NXDOMAIN, meaning it does not exist.

That’s how we prevent DNS record leakage in all of our current firmware versions.
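
One way to implement the check described above, as an added example (not DNSthingy's firmware code): it decides per query name whether to forward or answer NXDOMAIN, using a small constructed excerpt in Public Suffix List syntax in place of the full list. The function names and the FORWARD/NXDOMAIN return values are assumptions made for illustration.

```python
# Added example, not DNSthingy's code. PSL_EXCERPT is a constructed subset in
# the rule syntax published at publicsuffix.org; a real filter loads the full list.
PSL_EXCERPT = """
// constructed excerpt in Public Suffix List syntax
com
org
uk
co.uk
*.ck
!www.ck
"""


def load_rules(text):
    """Return the set of suffix rules, skipping comments and blank lines."""
    rules = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("//"):
            continue
        rule = line.split()[0]
        # Exception rules ("!www.ck") only move the registrable-domain boundary;
        # the name still sits under a listed suffix, so they add nothing here.
        if not rule.startswith("!"):
            rules.add(rule)
    return rules


def under_listed_suffix(qname, rules):
    """True if some trailing run of labels matches an explicit rule."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        exact = ".".join(labels[i:])
        wildcard = ".".join(["*"] + labels[i + 1:])
        # The PSL algorithm's implicit "*" default rule is deliberately not
        # applied: it would treat ".local" as a public suffix and forward it.
        if exact in rules or wildcard in rules:
            return True
    return False


def decide(qname, rules):
    """FORWARD names under a listed suffix; answer everything else locally."""
    return "FORWARD" if under_listed_suffix(qname, rules) else "NXDOMAIN"


RULES = load_rules(PSL_EXCERPT)
for name in ("MailServer.YourCompany.com", "YourSecretServer.YourCompany.local"):
    print(f"{name:40} {decide(name, RULES)}")
```

The comparison is case-insensitive and tolerates a trailing dot, since resolvers see both `example.com` and `example.com.` for the same name.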

New router support – ASUS RT-AC3200

Posted October 29, 2015 by David Redekop to Feature

This ASUS Triband Gigabit Router is now even better with DNSthingy firmware!

If you wish to try out our firmware, simply contact us and we look forward to helping you out with do-it-yourself instructions and support!

Comparing DNSthingy with desktop software

Posted October 26, 2015 by David Redekop to Feature

Compare | DNSthingy | Accountability Software | Desktop Filtering Software
Price | $7.99/mo subscription | Monthly/Annual cost | Free and subscription options
Is there software to install on computers/devices? | No | Yes | Yes
Do I need a separate or modified router? | Yes | No | No
Does software need to be installed on all devices? | No | Yes | Yes
Does it protect you in non-browser apps such as Facebook on mobile? | Yes | No | Sometimes
Does it protect you in third-party apps? | Yes | Sometimes | Sometimes
Can you circumvent it with administrative rights on a computer? | No | Yes | Yes
Can you circumvent it by making a VPN connection to a public service? | Yes (can be restricted) | Yes (no way to restrict) | Yes (no way to restrict)
Reports your activities to an accountability partner | No | Yes | No
Your protection travels with the device | Yes (when VPN back to site is used) | Yes | Yes
Protects all devices (even guests) on your network | Yes | No | No
Designed to be preventive | Yes | No | Yes
Your preferences are stored centrally for all devices | Yes | No | No
You can have different rules for different devices | Yes | n/a | Yes
Whitelist ecosystem to support whitelist only ideals | Yes* | No | No
Blocks third party ad networks | Yes | No | No
Blocks trackers (behaviour profilers) | Yes | No | No
Forces Google SafeSearch (without circumvention possibilities) | Yes | No | No
When protected – how does it impact computer speed? | Faster experience | About the same | Slower experience

* Whitelist ecosystem includes:

  • DNSthingy Whitelist Assistant Google Chrome extension
  • Unblock Request button on blocked web pages
  • Crowd-sourced white-listing
  • Sharing and subscription of whitelists
  • Verified (managed) whitelists

See what is going on | new real-time logging feature

Posted October 26, 2015 by David Redekop to Blacklist Feature Whitelist

The log page has been moved to mytools.management/log.

In this new feature, we provide a toolset for the advanced subscriber who wants to have complete visibility into what is going on in their network.

In short, this feature requires your explicit permission first, which you grant by following these steps:

  1. Log on to your DNSthingy dashboard
  2. Click on Manage Devices
  3. Beside the device from which you want to observe the logs, select “View all logs”
  4. Wait one minute and try visiting http://mytools.management/log from the computer to which you just granted permission
  5. Enjoy the filtering feature to filter by the IP address of the device you wish to monitor

Furthermore, note that this feature is only visible on your own network. You cannot view these logs remotely (unless you make a VPN connection back to your DNSthingy location first).

ClearOS 7 Marketplace ready

Posted August 4, 2015 by David Redekop to Feature

We’re thrilled to announce readiness of the DNSthingy app on the ClearOS Marketplace upon version 7 reaching production status. Launch is expected in October of 2015.

ClearOS is an excellent Network, Gateway, Server (NGS) platform for organizations of varying sizes. The power of ClearOS’s Linux foundation, combined with an easy-to-use click/install marketplace for a variety of apps, makes it a preferred choice for DNSthingy services deployment for Canadian Tire stores, for example.

Contact support for backward compatibility with version 6.6. DNSthingy will not install on ClearOS 6.5 and earlier.

Official support is available for both Community and Professional editions of ClearOS.

ClearBOX 300 appliance

ClearOS 7 with DNSthingy

Contact support@dnsthingy.com if you would like to try DNSthingy on ClearOS 7 beta.