[dns-operations] Embedding MAC address in DNS requests for selective filtering
Shane Kerr
shane at time-travellers.org
Mon Jan 25 19:16:40 UTC 2016
Robert,
At 2016-01-25 12:50:22 -0500
Robert Edmonds <edmonds at mycre.ws> wrote:
> Shane Kerr wrote:
> > At 2016-01-25 10:36:03 -0500
> > bert hubert <bert.hubert at powerdns.com> wrote:
> >
> > > We have heard of implementations where 'per-device DNS filtering' is being
> > > offered, even behind NAT. So this means you might get parental filtering on
> > > your kids' iPads, but not on your own desktop.
> > >
> > > This is then probably implemented by the home router (CPE) appending the MAC
> > > address to queries, presumably over EDNS. The ISP nameserver can then
> > > conditionally filter queries or not, based on customer IP and client MAC
> > > address.
> >
> > Alternately this could be implemented by having the DHCP server give
> > the clients a different DNS server (possibly even in a different
> > subnet, if you wanted to do actual isolation instead of DNS filtering
> > theater).
>
> Hi, Shane:
>
> If I understand correctly, this would only really work with a very
> limited number of filtering options, say "filtered" and "unfiltered".
> But the DNS filtering vendors give you a lot more flexibility than that.
> E.g., this is OpenDNS's "Web Content Filtering" configuration panel:
>
> https://i.imgur.com/wGwNHl7.png
Fair enough. Bert's description of filtering the kids' iPads but being
able to still see the unfiltered network made me think of simple
rule-sets.
I clearly don't have the proper mindset for censorship. :(
Cheers,
--
Shane
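
The tagging scheme bert hubert describes in the quoted text, sketched from the resolver's side as an added example that is not part of the original thread or any vendor's code. The option code 65001 (taken from the EDNS0 local/experimental range), the policy table, and all addresses are assumptions constructed for illustration.

```python
import struct

MAC_OPT = 65001  # assumed option code, from the EDNS0 local/experimental range
POLICIES = {("192.0.2.10", bytes.fromhex("020000000001")): "kids"}  # constructed

def build_query(qname, mac=None):  # constructed sample query, tagged as a CPE might
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if mac else 0)
    msg += b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    msg += b"\x00" + struct.pack("!HH", 1, 1)
    if mac is not None:
        opt = struct.pack("!HH", MAC_OPT, len(mac)) + mac
        # OPT RR: root name, type 41, class = UDP size, TTL 0, RDLEN, options
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt)) + opt
    return msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0 or n & 0xC0 == 0xC0:  # root label or compression pointer
            return off + (1 if n == 0 else 2)
        off += 1 + n

def extract_mac(msg):
    """Return the 6-byte MAC from the OPT RR, None if absent; ValueError if malformed."""
    try:
        _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off, end = off + 10, off + 10 + rdlen
            if end > len(msg):
                raise ValueError("RDATA overruns message")
            while rtype == 41 and off + 4 <= end:
                code, olen = struct.unpack_from("!HH", msg, off)
                if off + 4 + olen > end:
                    raise ValueError("option overruns OPT RDATA")
                if code == MAC_OPT and olen == 6:
                    return msg[off + 4:off + 10]
                off += 4 + olen
            off = end
    except (struct.error, IndexError):
        raise ValueError("truncated DNS message")
    return None

def policy_for(customer_ip, msg, default="unfiltered"):
    return POLICIES.get((customer_ip, extract_mac(msg)), default)
```

The option is unauthenticated, so the lookup is keyed on the customer IP together with the MAC rather than on the MAC alone.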