Hey everyone! I'm reaching out to see if anyone has recommendations for a self-hosted website filtering solution that can effectively work with Microsoft Active Directory. Currently, we have a Mikrotik router handling our routing needs, including access points and multiple VPNs. Unfortunately, we can't replace the Mikrotik without downtime, and it can only be placed behind a firewall, not in front of it.
Right now, our MS Active Directory DNS doesn't provide much in terms of filtering capabilities, and while I can forward traffic to another DNS resolver, I can't set exceptions for specific users or IP addresses. Plus, using different DNS servers while forwarding local queries to AD DNS can create problems with Active Directory. I'm specifically looking to filter out malicious sites and unwanted content, like social media and adult content, since many users here aren't very tech-savvy.
Here are some challenges I'm facing:
1. Blocking by IP is tough because of CDNs.
2. Mikrotik doesn't support SNI sniffing due to the rise of TLS 1.3.
3. My DNS forwarding doesn't work with AD, limiting the exceptions I can create.
4. We absolutely cannot replace the Mikrotik, and any additional NAT would disrupt our network.
After testing multiple open-source solutions, I believe the best route might be to employ a proxy or transparent proxy with SSL inspection. I'm also considering a DNS proxy solution that integrates easily with Active Directory. I'd love to hear your thoughts! Your input would be invaluable as I navigate this challenge. P.S. Let's keep the conversation focused on practical solutions rather than ethical debates about SSL inspection and user education, as the goal here is to ensure secure usage.
3 Answers
Consider using an Endpoint Detection and Response (EDR) system with web filtering capabilities. Trend Micro Worry-Free is a budget-friendly option I’ve found useful. It handles SSL inspection and makes DNS filtering much easier without risking network stability. Just be aware that it can be slow to adapt to policy changes.
That's true, but remember that EDRs can't cover all devices on the network where they can’t be installed. Plus, if users bring their own devices, it complicates things further.
You might want to try configuring your DNS to work the other way around. Set it up so that client machines talk to a DNS filtering resolver, which can then forward requests to your AD DNS. Just a heads-up though, Microsoft recommends against this approach because they claim it can break Active Directory. Still, some people say it works fine, but I’d tread lightly if you decide to go that route!
It's risky, though; many sources say it can have serious consequences for AD functionality.
Just be aware of potential issues with AD DNS registration.
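The reversed chain described in this answer (clients talk to a filtering resolver, which forwards to AD DNS) sketched as a small split-horizon policy resolver. This is an added example, not code from anyone in the thread: the zone names, server addresses, blocklist entries and exception subnets are constructed placeholders. It sends anything under the forest zones (including `_msdcs`, so SRV and SOA lookups stay correct) and any DNS UPDATE message straight to the domain controllers, blocks categorised names with NXDOMAIN unless the client's subnet has an exception, and forwards everything else to an upstream resolver. Pointing clients at it is a DHCP/GPO change that is not shown.

```python
"""Split-horizon DNS filtering resolver in front of AD DNS (added example).

Clients point at this resolver. AD zone queries and dynamic updates go
unchanged to the domain controllers; other names are checked against
category blocklists with per-subnet exceptions, then forwarded upstream.
All addresses, zone names and list entries are constructed placeholders.
"""
import ipaddress
import socket
import struct

# Constructed values: replace with the real forest zones and server addresses.
AD_ZONES = ("corp.example", "_msdcs.corp.example")
AD_DNS = ("10.0.0.10", 53)           # domain controller running AD DNS
UPSTREAM_DNS = ("203.0.113.53", 53)  # external forwarding/filtering resolver

# Constructed blocklist: category -> domains (matches the domain and subdomains).
BLOCKLIST = {
    "social": {"socialnet.example", "shortvideo.example"},
    "adult": {"adultsite.example"},
    "malware": {"c2-tracker.example"},
}

# Constructed per-subnet exceptions: network -> categories it may still reach.
EXCEPTIONS = {
    ipaddress.ip_network("10.0.20.0/24"): {"social"},  # marketing team
    ipaddress.ip_network("10.0.99.5/32"): {"social"},  # one admin workstation
}

OPCODE_UPDATE = 5  # RFC 2136 dynamic update


def build_query(qname, tid=0x1234, qtype=1):
    """Build a standard recursive A query (used for local testing)."""
    name = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    return header + name + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (transaction id, opcode, qname, end-of-question offset)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    tid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    opcode = (flags >> 11) & 0xF
    labels, pos = [], 12
    if qdcount:  # for UPDATE messages this field is the zone count
        while True:
            length = packet[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer in question name")
            labels.append(packet[pos:pos + length].decode("ascii"))
            pos += length
        pos += 4  # QTYPE + QCLASS (ZTYPE + ZCLASS for UPDATE)
    return tid, opcode, ".".join(labels).lower(), pos


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def category_of(qname):
    for category, domains in BLOCKLIST.items():
        if any(in_zone(qname, d) for d in domains):
            return category
    return None


def decide(qname, opcode, client_ip):
    """Return 'ad', 'block' or 'upstream' for this query and client."""
    ip = ipaddress.ip_address(client_ip)
    if opcode == OPCODE_UPDATE:  # registrations are the DCs' business
        return "ad"
    if any(in_zone(qname, z) for z in AD_ZONES):
        return "ad"
    category = category_of(qname)
    if category is None:
        return "upstream"
    if any(ip in net and category in allowed for net, allowed in EXCEPTIONS.items()):
        return "upstream"
    return "block"


def nxdomain_response(query):
    """Answer a blocked query with NXDOMAIN, echoing the question section."""
    _, _, _, end = parse_question(query)
    # QR=1, RD=1, RA=1, RCODE=3 -> 0x8183; one question, no other records.
    header = query[:2] + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0)
    return header + query[12:end]


def udp_forward(packet, server, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, server)
        return s.recv(4096)


def handle(query, client_ip, forward=udp_forward):
    """Apply the policy to one raw query; returns (action, reply bytes)."""
    _, opcode, qname, _ = parse_question(query)
    action = decide(qname, opcode, client_ip)
    if action == "ad":
        return action, forward(query, AD_DNS)
    if action == "upstream":
        return action, forward(query, UPSTREAM_DNS)
    return action, nxdomain_response(query)


def serve(bind=("0.0.0.0", 53)):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, addr = s.recvfrom(4096)
            try:
                _, reply = handle(data, addr[0])
            except ValueError:
                continue  # malformed packet: drop it
            s.sendto(reply, addr)


if __name__ == "__main__":
    serve()
```

The exceptions are keyed by client subnet because that is what a DNS resolver can see; per-user exceptions need the endpoint or an authenticating proxy. Everything under the AD zones is passed through untouched so the domain controllers remain the only authority for SOA, SRV and registration traffic, which is the failure mode the comments above warn about.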
I think simple DNS filtering is probably your best bet. It’s straightforward and can help block unwanted sites without too much hassle.
Absolutely! Network-level blocking is key when considering how many unmonitored devices come and go.