How a scam should fail

Posted August 25, 2017 by David Redekop to Case Study Security Whitelist

I’m dumbfounded at how often I personally receive deceptive SMS messages like this one here I just received:

When I opened the message, I see that it would be a motivating message for someone to click on if there’s hope to receive some “refund”, even if it’s someone else’s:

Fortunately I was confident with our zero trust model that I could go ahead and click on the link and was unable to go any further:

This is really what it looks like when you protect an end-user, even if that’s yourself 🙂

Using a Zero Trust Model to block outbound VPN, Proxy, TOR, and P2P

Posted July 28, 2017 by David Redekop to Feature Security Whitelist

Traditionally, it has been difficult to block unwanted traffic that is initiated behind an Internet gateway. This is completely understandable considering that a traditional consumer, prosumer, and SMB gateways take an allow all, block some approach. This means that workarounds just need to find one protocol, destination or port that isn’t blocked, and bingo! Your egress channel is now unrestricted using that open hole.

What we are demonstrating here, though, is the opposite. A zero trust model works like this: block all, allow some. This idea of whitelisting is far from new. However, a practical and convenient way to do so has been the challenge. We would like to share with you how we implement a practical solution:

The DTTS (Don’t Talk To Strangers) is currently available for an early adopter group. If you’re interested, kindly contact us via support.

Blacklisting vs Whitelisting

Posted July 22, 2016 by David Redekop to Blacklist Whitelist

whitelisting-blacklisting-infographic

In the context of web resources to allow or block, the traditional approach has been to block the bad. That’s blacklisting. It is the ideology of allow everything, block some.

Whitelisting, on the other hand is the opposite ideology: block everything, allow some.

This infographic is not controversial in nature, but there are legitimate reasons why whitelisting has not gained traction. However, let’s examine a few real-life examples where the trend towards whitelisting is succeeding.

iOS AppStore
While criticism over a curated AppStore has never stopped, the end result is undeniably a safer mobile app ecosystem for the normal user.

Microsoft AppLocker
From Microsoft directly:

“AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny applications from running based on unique identities of files and to specify which users or groups can run those applications.”

Essentially, this is an accepted and recommended solution that whitelists executable applications in business versions of Windows, and many systems administrators literally use this approach insted of anti-virus protection, with great success!

It is only logical that DNS-based whitelisting for Internet-based resources would also be filtered using a whitelist method. It has not been widely deployed in the past due to the onboarding effort. This is where DNSthingy helps with the whitelist ecosystem including DNSthingy Whitelist Assistant Google Chrome Extension, real-time logging visibility, Whitelist Subscriptions (for sites with dependencies such as YouTube, Google, Facebook, etc.), learning mode for businesses who deploy in passive mode for 60-90 days in order to gain an organic whitelist suitable for their own enterprise.

So if you’ve wanted to give whitelisting a try, now there’s a simple and free way to try it out!

See what is going on | new real-time logging feature

Posted October 26, 2015 by David Redekop to Blacklist Feature Whitelist

The log page has been moved to mytools.management/log.

In this new feature, we provide a toolset for the advanced subscriber who wants to have complete visibility as to what is going on in your network.

In short, this feature requires your explicit permission first by following these steps:

  1. Log onto your DNSthingy dashboard
  2. Click on Manage Devices
  3. Beside the device from which you want to observe the logs, select “View all logs”
  4. Wait one minute and try visiting http://mytools.management/log from the computer which you just granted permission
  5. Enjoy the filtering feature to filter by IP address of the device you wish to monitor

Furthermore, note that this feature is only visible on your own network. You cannot view these logs remotely (unless you make a VPN connection back to your DNSthingy location first).

White List Unblock Request Feature

Posted July 17, 2015 by David Redekop to Feature Whitelist

With the latest firmware upgrade you can now enjoy a white list unblock feature as we describe in this video here:

This feature is designed with full white list lifecycle management in mind. Key features include:

  • End-user device compatible with mobile, desktop, iOS, Android, Windows, BlackBerry
  • Administrative approvals required for each white list unblock request
  • Unblock requests sent to subscribed whitelists are sent to the maintainer of said list
  • Unblock request is only displayed to users on rulesets based on white lists

For any feedback or additional support, we would love to her from you!

Family-Friendly whitelist of Alexa top 10000

Posted June 3, 2015 by David Redekop to Whitelist

A million new websites come on the scene each month, adding to the more than one billion already up and operational!

As you may or may not be aware, many of these sites are wonderful, but sadly, many more are not healthy or moral.

We now have 10,000 safe sites available that are family-friendly, secure from those negative and immoral influences, and by its very nature, much safer against phishing, malware, third-party advertising networks, trackers, etc.

This is the culmination of years of work to provide a family-friendly online experience, for you, your loved ones and especially your children.

DNSthingy dashboard where you enable this new feature

The source of the 10,000 domains comes from May 2015’s Alexa worldwide ranking.

A few additional notes:

  • We would love feedback from our subscribers
  • We recommend you create a new profile when trying it out for the first time, and assign that profile just to the device you want to try it out on
  • The list will be dynamically updated and added to, with little regard to the 10,000 number – in other words, the list will increase as needed, based on family-friendly sites that our users would assume are part of the list already

White lists – Black lists – Rainbow lists

Posted August 8, 2014 by David Redekop to Whitelist

Having choice in how individual domains or websites are treated is at the core of DNSthingy. Today I would like to explore with you how the three types of customization lists work.

UI to manage customizations

WHITE LIST

As the name implies, white is good. All of the websites and domains you wish to be available must be listed here. In essence, a white list is the philosophy of “Block all, allow some“. The key aspects to this type of list are:

  • A white list means that it is exclusive. It means that anything that isn’t explicitly listed here will be filtered.
  • Multiple white lists can be created and combined for easier management.
  • Since most websites and services use multiple domains, we’ve made it easier for you with a free Chrome extension called DNSthingy Whitelist Assistant.

In Canada, we’ve been fortunate to support and maintain Canadian Tire Stores’ white lists for many years, so this aspect of permission-based access works really well in environments that want to enable computers & devices for very specific functions and eliminate the risk of anything else whatsoever.

BLACK LIST

In a way, a black list is the opposite of a white list; it simply lists sites to be blocked. It is the “Allow all, Block some” philosophy. In a workplace environment where a certain website serves as a distraction, that site can easily be black-listed here.

RAINBOW LIST

Warning: NerdSpeak to follow here as this is likely a feature only your IT administrator would use.  This customization list is for domains, sites and services that should not receive any custom filtering treatment, but rather be sent to a non-default DNS server for resolution. These are typical uses of rainbow lists:

  • Local domains that need to be forwarded to an Active Directory server for resolution such as mycompany.local
  • Split-DNS zones that resolve differently internally on a network than externally on the Internet
  • Create an exception for a domain that you want to be treated differently than the last-resort resolver treats it. For example, if OpenDNS blocks a domain and it’s a false positive, this is how you can treat the exception by sending that domain’s resolution request to 8.8.8.8 (Google DNS).

With any of these lists, you can create what you think may work and explore. You can come back and modify at any point.

White lists can be shared with others. This is the beginning of what we’re calling crowd-sourced white listing.

One important point to note: creating the list(s) itself does nothing at all – you still need to choose which profiles they apply to by turning them on in your Profiles dashboard.

We hope you enjoy this customization feature in DNSthingy!

Whitelist Assistant

Posted March 20, 2014 by David Redekop to Whitelist

One of the tools that we make publicly available, free of charge, is our Whitelist Assistant.

Whitelist Assistant Screen
What is a Whitelist?

Let me answer that in context and in contrast to a Blacklist.  There are two fundamental approaches to filtering in the context of website access.

Option 1: Allow all, block some.  This is effectively a Blacklist.  This is an approach where bad domains are disallowed.

Option 2: Block all, allow some.  This is effectively a Whitelist.  In this approach, only websites and domains explicitly listed can be accessed.

Why is Whitelisting so hard?

One of the key reasons that whitelists have been difficult to adopt in the past is because of the great deal of dependencies on non-obvious domains.  Let’s say you wanted to whitelist our website at www.DNSthingy.com.   In the old days, you would simply concatenate the www and make a whitelist entry of DNSthingy.com so that http://DNSthingy.com as well as http://www.DNSthingy.com would work.

It’s not quite that simple anymore, especially since a website could be a combination of several sources of information that “live” on different domains, and/or different servers.

For example, let’s say your business needs to interact on eBay and you’re on a whitelist system.  You would need to whitelist all of these domains (if accessing from a commonwealth country, possibly more if you’re visiting from elsewhere):

ebay.com (ebay)
ebay.ca (ebay)
ebay.com.au (ebay)
ebay.co.uk (ebay)
ebaystatic.com (ebay)
ebayrtm.com (ebay)
ebayimg.com (ebay)
googlesyndication.com (ads)
bluekai.com (behaviour profiling)
facebook.com (to be able to like something)
akamaihd.net (Content Delivery Network)
turn.com (behaviour profiling)
ebaydesc.com (ebay)
inkfrog.com (images)
frooition.com (ebay designer)
2o7.net (behaviour profiling)
paypal.com (commerce)

A tool to make Whitelisting easier

For our own subscribers (or if you’re running your own whitelist system), we are facilitating a free Google Chrome Extension called Whitelist Assistant by DNSthingy.  If you’re a DNSthingy subscriber, there are additional features such as integration into your subscriber account coming shortly.

Enjoy!