Hello be all blessed.
Our church has a small project to install a DNS server in the cloud to filter out harmful content on the internet and protect our children. The idea is that every member of our church can use this DNS from anywhere in the world. We want to filter content by IP address, domains and specific channels inside YouTube (those who promote bulimia or suicide) without fully blocking YouTube, which makes no sense.
We do not want to do this with any external service provider. Do you think OPNsense is the right tool to achieve this task? We are about 100,000 members around the world and have an annual budget of about $20,000.
Thanks in advance.
Quote from: hmijares on September 07, 2020, 12:46:32 PM
The idea is that every member of our church can use these DNS from anywhere in the world.
That means your goal is to provide a public DNS resolver.
Quote from: hmijares on September 07, 2020, 12:46:32 PM
We want to filter content by IP address, domains and specific channels inside YouTube (those who promote bulimia or suicide) without fully blocking YouTube, which makes no sense.
IP address is only partly possible - you can prevent a name from being resolved to that IP address, but not access to it.
Domains work, but the YouTube stuff will only work with a web proxy - so forget that.
Quote from: hmijares on September 07, 2020, 12:46:32 PM
We do not want to do this with any external service provider. Do you think OPNsense is the right tool to achieve this task?
NO
Quote from: hmijares on September 07, 2020, 12:46:32 PM
We are about 100,000 members around the world and have an annual budget of about $20,000.
I guess you should invest that in a developer who will write a custom DNS proxy and in at least two servers for high availability.
No, OPNsense seems the wrong project to achieve that.
BTW, you will have a hard time achieving this in the future anyway with the upcoming changes to DNS over HTTPS.
If your kids are smart, bypassing is not a big deal.
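The reply above suggests a custom DNS proxy and notes that a resolver can only stop a name from resolving, not stop access to the address itself. The following is an added example (not OPNsense, Unbound or any forum member's code) showing the core of such a filtering proxy: it parses an incoming A query, compares the name against a blocklist (entry plus all subdomains), and either answers with a sinkhole address or hands the query on for forwarding. The blocklist entries, the sinkhole address 0.0.0.0 and the query names are constructed for illustration; a real deployment would add the UDP listener and upstream forwarding around filter_query().

```python
"""Core of a filtering DNS proxy: parse a query, decide whether to sinkhole it or
forward it upstream.  Added example; blocklist and names are constructed."""
import socket
import struct

# Constructed blocklist: an entry matches the name itself and every subdomain.
BLOCKLIST = {"example-harmful.test", "tracker.invalid"}
SINKHOLE_IP = "0.0.0.0"   # answer for blocked A queries; a dead address for the client


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed name at offset; return (lowercase name, new offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive query (qtype 1 = A); used here to construct input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, raw question section) of a one-question query."""
    txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, packet[12:off + 4]


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname equals a blocklist entry or lies underneath one."""
    return any(qname == b or qname.endswith("." + b) for b in blocklist)


def sinkhole_response(txid: int, question: bytes, qtype: int) -> bytes:
    """Answer a blocked A query with SINKHOLE_IP; any other type gets NXDOMAIN."""
    if qtype == 1:
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR,RD,RA; 1 answer
        # Name field is a compression pointer (0xC00C) back to the question name.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
        return header + question + rr
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)  # RCODE 3 = NXDOMAIN
    return header + question


def filter_query(packet: bytes, blocklist=BLOCKLIST):
    """Decide what the proxy does with one query.
    Returns ("blocked", response_bytes) or ("forward", qname)."""
    txid, qname, qtype, question = parse_question(packet)
    if is_blocked(qname, blocklist):
        return "blocked", sinkhole_response(txid, question, qtype)
    return "forward", qname


if __name__ == "__main__":
    for name in ("www.example-harmful.test", "example.org"):
        verdict, _ = filter_query(build_query(name))
        print(name, "->", verdict)
```

Note that this only governs names that clients actually ask this resolver for: a client that reaches a blocked address directly, or resolves through another path such as DNS over HTTPS, is not affected, which is exactly the limitation the reply describes.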
Quote from: banym on September 07, 2020, 07:06:32 PM
BTW, you will have a hard time achieving this in the future anyway with the upcoming changes to DNS over HTTPS.
If your kids are smart, bypassing is not a big deal.
They don't need to be; in the US, for example, DoH is enabled by default.
@fabian, yes, but wouldn't that bypass his attempt to block that traffic or that DNS solution?
If you block it using a local resolver with blacklists, in my understanding a browser using DNS over HTTPS would not use that resolver anyway. Only if you configure it to not use it.