Like many technologists who are also parents, I think a great deal about how best to protect my family online. Working for a security company, I have access to more tools than the average person, so I recently implemented DNS security at home. I focused on DNS because there are no “services” offered on my home network, and I’m mostly concerned about my kids or wife clicking on a phishing link or generating similar outbound malicious traffic.

My setup is relatively straightforward: I have two Raspberry Pis attached to my access point running DD-WRT, one Pi running Pi-Hole and the other running ThreatSTOP’s DNS Defense on BIND9 installed on Raspbian. Both are configured with static IP addresses, because clients need a fixed, known address to point DNS resolution at.

There are two reasons for running a Pi-Hole: I’m concerned about privacy and the rampant data-mining that goes on, and many of the Pi-Hole policies are licensed to prevent commercial use. ThreatSTOP doesn’t break licensing agreements, and protecting my home network entitles me to use those data sources. We’ve also, for the time being, opted not to create many content-based lists as targets at ThreatSTOP.

As DHCP is easy to configure on DD-WRT, I point the DHCP config to hand out the Pi-Hole as the primary resolver. The Pi-Hole is configured to use the ThreatSTOP-enabled Raspberry Pi as its DNS forwarder, which means two devices are filtering DNS traffic. A Raspberry Pi can hold a little less than 2 million records, so the policy couldn’t be as broad as I would have liked.

For instance, we now have premium targets for Farsight NOD, which are the largest in our system. This target assumes anything that just started resolving is suspicious, because normal people don’t operationalize a domain within hours. (Criminals, however, certainly do.) A workaround for the “2 million” limitation is to install the Roaming Defense Client on laptops, with a different policy than the DNS resolver attached to the access point. For now, my kids’ laptop doesn’t “travel,” so it’s always protected by the home network.

This does, however, allow me to test our more experimental targets against “real” traffic before releasing them to customers. We are doing some work in machine learning and on the feedback loop, and we want to be sure those don’t break connectivity to important services before enabling them. At this point, most of the identified false positives are generated not by our customers but by this kind of testing.

This testing presents some interesting issues at home. If I get a DNS error, I can work around the problem, diagnose it, and apply a whitelist entry. My family is somewhat less tech-savvy, and they’ll just complain that “things don’t work.” All of those false positives were contained in one feed, which has led me to work with that provider to clean up their data.

There is also another advantage. YouTube, Bing and Google all offer a “safe search” mode that provides more kid-friendly search results. I could set this on the laptops, but it can be undone pretty easily. The bigger concern is the “smart” TV, which allows YouTube video searching. Using DNS, it’s possible to redirect, at the query level, requests for these search services to only their “safe search” infrastructure. This means the smart TV, which I can’t easily modify, will show kid-friendly YouTube videos because I control DNS.
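The query-level redirect described above, as an added example that is not from the original post or ThreatSTOP’s own policy data: a BIND9 response-policy (RPZ) zone that answers queries for the search providers’ normal hostnames with a CNAME to the provider’s enforced safe-search hostname. RPZ on the BIND9 Pi is an assumption here; the safe-search target names are the ones the providers publish for this purpose.

```zone
; safesearch.rpz - constructed example RPZ zone, not from the original post.
; Assumes BIND9 with a matching clause in named.conf, for example:
;   response-policy { zone "safesearch.rpz"; };
;   zone "safesearch.rpz" { type master; file "/etc/bind/safesearch.rpz"; };
; An RPZ "Local Data" CNAME action replaces the answer; BIND then resolves
; the CNAME target normally, so every client behind this resolver (including
; a smart TV with no configurable settings) reaches the restricted endpoint.
; Owner names are relative to the zone origin, so no trailing dot on the left.
$TTL 300
@   IN SOA  localhost. root.localhost. ( 2024010101 3600 900 604800 300 )
    IN NS   localhost.

; YouTube: restrict.youtube.com serves Restricted Mode regardless of account.
www.youtube.com            IN CNAME restrict.youtube.com.
m.youtube.com              IN CNAME restrict.youtube.com.
youtubei.googleapis.com    IN CNAME restrict.youtube.com.
youtube.googleapis.com     IN CNAME restrict.youtube.com.
www.youtube-nocookie.com   IN CNAME restrict.youtube.com.

; Google Search: forcesafesearch.google.com locks SafeSearch on.
; Add the country-code domains you use (www.google.co.uk, etc.) the same way.
www.google.com             IN CNAME forcesafesearch.google.com.

; Bing: strict.bing.com forces the Strict SafeSearch level.
www.bing.com               IN CNAME strict.bing.com.
```

Check it with `named-checkzone safesearch.rpz /etc/bind/safesearch.rpz` and then `dig @<pi-address> www.youtube.com` to confirm the CNAME in the answer. The rewrite only covers queries that pass through this resolver, so a device using a hard-coded public resolver or DNS-over-HTTPS bypasses it; on DD-WRT, a firewall rule allowing outbound port 53 only from the two Pis closes that gap for plain DNS.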

In the end, this helped me get control of my home wireless network for the cost of two Raspberry Pis from Canakit and a couple of hours of time getting it up and running (most of it spent waiting for downloads).
