Seeking Advice for Self-Hosted Web Filtering with Active Directory

Asked By TechExplorer99 On

Hey everyone! I'm currently trying to implement a self-hosted web filtering solution that integrates well with Microsoft Active Directory at a small community hospital. The setup involves using a Mikrotik router for routing and managing everything from access points to VPN connections, which makes replacing it during implementation tricky. Essentially, I can't put a firewall in front of it, only behind. The DNS through MS Active Directory isn't suitable for filtering, and while forwarding traffic to another DNS resolver is an option, it doesn't allow exceptions for specific users or devices. The goal is to block harmful and inappropriate sites without complicating the existing network setup.

Here's a quick overview of my challenges:
1. I can't block sites by IP anymore due to CDN use.
2. SNI sniffing is ineffective on Mikrotik routers now that TLS 1.3 is on the rise.
3. Using another DNS server can lead to issues with Active Directory, and I can't set up a second DNS resolver without hindering the local ones.
4. The router setup restricts adding anything before it, and I can only place solutions behind it without causing issues with NAT.

I've been researching open source tools, but I'm looking for recommendations. My thought is that a proxy or transparent proxy with SSL inspection is necessary, along with a DNS proxy solution that smoothly integrates with Active Directory and allows for exceptions. For example, we need some users to access Facebook for their work.

Also, I'd appreciate it if we could skip debates on the ethics of SSL inspection and blocking sites since this isn't the first time I'm tackling this issue! Thanks in advance for your help!

3 Answers

Answered By SysAdminGuru42 On

One approach could be to reverse your DNS setup. Let clients communicate with the DNS filtering resolver first, which can then forward queries for the AD domain. However, be careful; Microsoft recommends against this, saying it can break Active Directory's functionality. Just keep that in mind if you go this route!

NetworkWizz -

Yup, definitely advised against in many places because of potential AD DNS registration problems.

MikeNetAdmin -

True, but every single MS KB says it’s a bad idea and may lead to issues with AD, claiming it should only resolve queries through AD DNS.
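To make the "reverse the DNS setup" idea concrete, here is the policy core of a filtering resolver as an added example (not code from anyone in this thread): queries for the AD zone and internal reverse zones are forwarded to the domain controllers, everything else is checked against a block list with per-client exceptions (the "some users need Facebook" case from the question) and then forwarded upstream. The zone name `corp.example`, the server addresses, the client subnets and the blocked domains are constructed placeholders, and the transport (actual DNS packet handling) is left to whatever resolver you wrap this in.

```python
"""Policy core for a filtering DNS resolver placed in front of AD DNS.

Added example, not from the original post. Zone names, addresses and
domains are constructed; a real deployment feeds in its own values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Decision:
    action: str   # "forward_ad", "forward_upstream" or "block"
    reason: str


@dataclass
class Policy:
    ad_zones: list[str]             # zones always sent to the domain controllers
    ad_servers: list[str]           # assumed DC addresses
    upstream_servers: list[str]     # assumed upstream resolvers
    blocked_suffixes: set[str] = field(default_factory=set)
    # client network (CIDR) -> domain suffixes that network may still reach
    exceptions: dict[str, set[str]] = field(default_factory=dict)


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def matches_suffix(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it (dot-anchored,
    so 'notfacebook.com' does not match 'facebook.com')."""
    name, suffix = _normalize(name), _normalize(suffix)
    return name == suffix or name.endswith("." + suffix)


def _client_exceptions(policy: Policy, client_ip: str) -> set[str]:
    """Union of exception suffixes for every network the client falls in."""
    ip = ipaddress.ip_address(client_ip)
    allowed: set[str] = set()
    for net, suffixes in policy.exceptions.items():
        if ip in ipaddress.ip_network(net, strict=False):
            allowed |= suffixes
    return allowed


def resolve_policy(policy: Policy, client_ip: str, qname: str) -> Decision:
    # 1. AD zone (incl. _msdcs SRV records) and internal reverse zones go to the DCs.
    for zone in policy.ad_zones:
        if matches_suffix(qname, zone):
            return Decision("forward_ad", f"in AD-managed zone {zone}")
    # 2. Per-client exceptions take precedence over the block list.
    for suffix in _client_exceptions(policy, client_ip):
        if matches_suffix(qname, suffix):
            return Decision("forward_upstream", f"exception for {client_ip}: {suffix}")
    # 3. Block list (suffix match covers subdomains and CDN-fronted hosts by name).
    for suffix in policy.blocked_suffixes:
        if matches_suffix(qname, suffix):
            return Decision("block", f"blocked suffix {suffix}")
    # 4. Everything else is ordinary recursion.
    return Decision("forward_upstream", "default")


# Constructed sample policy for demonstration only.
SAMPLE_POLICY = Policy(
    ad_zones=["corp.example", "10.in-addr.arpa"],
    ad_servers=["10.0.0.10", "10.0.0.11"],
    upstream_servers=["192.0.2.53"],
    blocked_suffixes={"facebook.com", "gambling-site.test"},
    exceptions={"10.0.5.0/24": {"facebook.com"}},  # e.g. the marketing VLAN
)


if __name__ == "__main__":
    samples = [
        ("10.0.1.20", "_ldap._tcp.dc._msdcs.corp.example."),
        ("10.0.1.20", "www.facebook.com"),
        ("10.0.5.7", "www.facebook.com"),
        ("10.0.1.20", "20.1.0.10.in-addr.arpa"),
        ("10.0.1.20", "example.org"),
    ]
    for client, name in samples:
        d = resolve_policy(SAMPLE_POLICY, client, name)
        print(f"{client:10} {name:40} -> {d.action:16} ({d.reason})")
```

Exceptions are keyed by client network rather than by AD user because a DNS query carries only a source address; mapping users to addresses (DHCP reservations, a per-group VLAN, or a login-to-IP feed) is a separate piece. Whatever sits in front of the DCs still has to forward the whole AD zone, including `_msdcs`, unmodified, which is the part the comments above warn about.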

Answered By WebFilterFanatic On

Using an Endpoint Detection and Response (EDR) tool that includes web filtering could be a solid option. I found Trend Micro Worry-Free to be great, especially on a budget. It allows for SSL inspection without complicating your network too much. Just note it can be a bit slow to apply new policies.

EDRConcerned -

That's true, but EDR won't cover all devices on the network if you can't install it on every one of them. It's becoming more complicated with devices users bring in themselves, like personal laptops. We need something that addresses rogue devices too.

PrivacyAware -

Exactly, plus as more devices randomize their MAC addresses, traditional security measures become less effective!

Answered By SimpleDNSFilter On

DNS filtering might be your easiest bet! It streamlines blocking unwanted sites without too much hassle.
