I’m using OpenDNS to block adult content in my office.
Is there any way I can redirect the OpenDNS page I’m getting to my proxy error page?
The page is: https://blcok.opendns.com/
Why? Can’t you just enter a custom message in OpenDNS settings?
https://support.opendns.com/hc/en-us/articles/227988247-Getting-Started-Configuration-Setup-FAQ-
I like the MikroTik error page better.
I’m using their free DNS service.
HTTPS pages cannot be redirected by a router. A proxy could do it, but only for an entire domain, not an individual page like an error page.
Given that more and more of the Internet is switching to using SSL by default, the ability to hijack www traffic is going to dwindle.
Of course you can still redirect it to your router, but it’s going to give SSL warnings to the user, and if you can get around that, then you can man-in-the-middle their web banking transactions just as easily - so no wonder that this cannot be done without administrative access to the clients.
Mikrotik won’t be the right choice for web content filtering.
Other devices (Sonicwall? Fortigate?) have features where you can upload your own CA certificate, and install that CA cert on the internal computers. Now the router can generate certs on the fly and those certs will be trusted by the internal computers. Only now can you have the option to redirect HTTPS pages without internal computers displaying certificate errors. If a visitor comes onsite, he’ll see the cert errors since he doesn’t have the CA installed.
RouterOS also has the ability, but you still have to force the users to accept the certificate mismatch. This is the wrong way to go about it in the OP’s situation. If you use a free service and don’t like their error page, maybe don’t use this service, or start paying, so you can replace the error message in an official way.
This is why you should NEVER install a trusted CA certificate unless you actually trust that CA and know that their root cert is secure. Any time a CA cert is compromised, the ENTIRE INTERNET is compromised for any computer trusting that certificate. Because now, hackers could use that cert to sign ANYTHING they want - including mybank.example.com, www.google.com, etc. And your computer would consider it LEGITIMATE.
Van’s suggestion is standard practice for many enterprise environments. It works because Active Directory can remove any certs that get compromised, and push new ones out to replace them.
I would never, ever accept a third-party root CA from anyone telling me that I had to install it on my computer in order to use their network, and unfortunately, if you’re not running a domain, then this would be the only way to be able to intercept HTTPS sessions without triggering alarms.
Neither would I, and as the IT person at a company I wouldn’t ask guests or contractors to do so. But they would be expected to use the guest wifi, where there would be no content filter, because what they do on their own computers isn’t my concern.
For OpenDNS, even if you paid for it, I can’t see how HTTPS would redirect without certificate errors unless you used OpenDNS’s self-signed CA. Or if you created your own self-signed CA, but then you’d have to upload your cert and private key to OpenDNS. Both methods bear the exact same security concerns.
I wouldn’t use OpenDNS, or any website that expected that much trust from me. At least with the SonicWall it’s a device you buy and use on-premise. I’d feel OK with uploading my self-signed CA and private key to that. And again, my CA only gets installed on company-owned computers, as their security falls under my responsibilities. As for adult content, SonicWall even has a cool feature where you can enforce all Google searches to use the ‘Strict’ filter. Without this feature, Google Images is a source for adult content.
So maybe I’ll change my answer for the OP. Either research and invest in a proper content filter solution, or live with the limitations of the free version of OpenDNS. Also, everyone knows they shouldn’t be viewing adult content on office computers - so does it really matter if they see a customized “forbidden” web page vs a “DNS can’t be resolved” web page?
Actually OpenDNS has a built-in capability to display a custom error message, even your own logo. So I still don’t understand the original request.
I’m only using their DNS server for blocking.
I don’t have an account.
This is why I ask what I ask.
The account is free. Has all kinds of settings.
Well, it depends a bit… it is possible to create a free account and indeed it has lots of configurability but its usage is restricted.
To use it for business purposes it is formally required to ask them for a quote for a paid account. And it is very expensive (I tried).
However, nothing will happen when you use a free account for business, with limited traffic. Put the MikroTik DNS in front of it as a cache.
And that is the reason I developed a simple clone of OpenDNS for a hotspot provider. With a custom “Blocked!” page, of course.
Can you give me more details about it? Thanks.
Because of the costs of OpenDNS for commercial use, but the necessity of filtering the access to a client’s public, open hotspots, I built a “worst case” DNS server, considering several blocklists, most of all porn, of course, but also gambling etc. So no special consideration of age ranges, because of open access.
Only filtering of domains, not URL based. Quality of filter depends upon blocklists used, of course.
Excellent detail to point out.
So for those who don’t quite get what the difference is:
somesite.example.com/family-friendly.html
somesite.example.com/porn.html
DNS blocking can only block the server somesite.example.com - meaning you couldn’t get to the family-friendly.html page either. URL filters would be able to block porn.html but allow family-friendly.html
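As an added illustration of the distinction drawn above between domain (DNS) blocking and URL filtering, and of the blocklist-driven DNS server described a few posts earlier, here is a constructed Python sketch. It is not code from the thread or from any of the posters; the blocklist entries, host names, the sinkhole address and the `UPSTREAM` resolver setting are made-up assumptions chosen for illustration.

```python
"""
Domain blocking vs. URL filtering, and what an inline filter can actually see.

Constructed example; the blocklists, host names and addresses below are
made up for illustration and are not from the forum thread.
"""
from urllib.parse import urlsplit

# Constructed domain blocklist, in the style of the public domain lists the
# thread mentions: one bare domain per entry, which covers all subdomains.
DOMAIN_BLOCKLIST = {
    "porn.example",
    "gambling.example",
}

# Address a filtering resolver answers with for blocked names, so the browser
# lands on a local "Blocked!" page. Documentation-range placeholder (assumption).
SINKHOLE_IP = "192.0.2.1"

# Constructed path-aware URL rules: (hostname, path prefix to block).
URL_BLOCKLIST = [
    ("somesite.example.com", "/porn"),
]


def is_blocked_domain(hostname: str) -> bool:
    """A domain list matches the name itself and every name beneath it."""
    host = hostname.rstrip(".").lower()
    labels = host.split(".")
    # Walk up the tree: www.porn.example -> porn.example -> example
    return any(".".join(labels[i:]) in DOMAIN_BLOCKLIST for i in range(len(labels)))


def dns_answer(hostname: str):
    """What a blocklist-driven resolver does with an A query for hostname.

    Returns the sinkhole address for blocked names, or None meaning
    "forward the query to the upstream resolver unchanged".
    Note the granularity: DNS sees only the name, never a path, so the
    whole host is either blocked or not.
    """
    return SINKHOLE_IP if is_blocked_domain(hostname) else None


def is_blocked_url(url: str) -> bool:
    """A URL filter can distinguish pages on the same host by path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return any(host == bl_host and parts.path.startswith(bl_prefix)
               for bl_host, bl_prefix in URL_BLOCKLIST)


def visible_to_inline_filter(url: str) -> dict:
    """Which request fields a filter on the wire can read without TLS interception.

    For plain HTTP the Host header and request line are in the clear.
    For HTTPS (ordinary TLS, no interception) only the SNI hostname in the
    ClientHello is readable; the path and query are inside the encrypted stream.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return {"host": parts.hostname, "path": None}
    return {"host": parts.hostname, "path": parts.path}


def url_filter_decision(url: str) -> str:
    """Decision an inline URL filter can reach without intercepting TLS.

    "block"/"allow" when the path is visible; "host-only" when the request
    is HTTPS and the filter is reduced to the same per-host choice DNS has.
    """
    seen = visible_to_inline_filter(url)
    if seen["path"] is None:
        return "host-only"
    return "block" if is_blocked_url(url) else "allow"


if __name__ == "__main__":
    for name in ("www.porn.example", "somesite.example.com"):
        print(name, "->", dns_answer(name) or "forward upstream")
    for u in ("http://somesite.example.com/porn.html",
              "http://somesite.example.com/family-friendly.html",
              "https://somesite.example.com/porn.html"):
        print(u, "->", url_filter_decision(u))
```

Running it shows the trade-off the two posts describe: the resolver sinkholes everything under `porn.example` but can do nothing about `somesite.example.com/porn.html` short of blocking the whole host, while the URL filter separates the two pages over HTTP and collapses back to a host-only decision over HTTPS, which is exactly why TLS interception (with its own CA) comes up in the thread.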
Can you give an example where a porn hosting website would also have family-oriented pages on the same domain?
Correct. BUT URL filters are much slower, because of the ‘work’ involved to parse the URL and some type of required database access.
Besides, URL filters have a serious problem when https is used.
True.
The big problem is in HTTPS…
This is why I thought I could take the DDNS page and then redirect it.