Thinking about banning Cloudflare IP's on our company Router.

In short, the company I recently started working at does not have good internet speed, and we have at least 20 concurrent devices connected at the same time.

DNS never worked; a long time ago employees discovered Google's free DNS,

So I'm thinking of being more evil and collecting as many A records of streaming websites as I can, to ban them effectively, e.g. youtube.com 216.58.194.174. My issue is that many streaming websites are hidden behind the Cloudflare network; I'm afraid that if I ban its IP range I could ban some legit websites.

Additionally, I'm collecting the port ranges of many free VPS services to ban them too. Do you think it's a good or bad idea to do port blocking like this?

Comments

  • raindog308 Administrator, Veteran

    @JustPfff said: DNS never worked; a long time ago employees discovered Google's free DNS,

    Why are employees allowed to reconfigure their work-provided PCs and devices? This usually means either admin rights (Windows) or root/sudo (Linux).

    If they're using their personal devices...why are they allowed to connect personal devices to the network?

    Fix those problems and your other issues go away.

  • Banning Cloudflare is a terrible idea, as lots of sites use Cloudflare's CDN.

    As raindog308 said, why are users re-configuring their DNS? This normally requires elevated privileges and isn't something "users" would normally be allowed to do or should be doing.

    You're better off sorting that issue out and using DNS filtering to block devices connected to the network from going to Facebook etc.

    chip

  • JustPfff Member
    edited January 2021

    @raindog308 said: Fix those problems and your other issues go away.

    I was not the person who set up the network or the PCs; I just started work there a couple of days ago, and the place is a complete mess.
    The previous admin set up the network very badly. He showed me that if there was a problem with the internet connection on any device I should change the static IP to something else; he even put Google DNS in himself, because Windows requires entering it after changing the network card's IP setting from Auto (DHCP) to fixed. After reading about the router, I found it has an option to assign fixed IP addresses according to device MAC address.
    I could fix all of this but it will take time, and the employees are working on their PCs all the time. Same drama with the WiFi: each employee has a phone from the company to use for WhatsApp conversations; first I need to collect their MAC addresses and assign a fixed IP address to each of them to prevent adding any device to the network.

  • DP Administrator, The Domain Guy

    No offense, but with all these things you're asking about and "planning" to do, you will most likely put yourself into a messier situation than it already is.

  • Clouvider Member, Patron Provider

    Could do a tape & glue style solution by setting up a local resolver and forcing everyone to use it and blocking TCP&UDP/53 from all other hosts outside the network ;-).

    But I agree with @raindog308 here; you have more fundamental issues to fix first.

  • yoursunny Member, IPv6 Advocate

    Don't ban each IP individually. Instead:

    1. Install a squid proxy and set up a domain allowlist.
    2. Configure each device to use squid as its HTTP proxy. Install squid's private CA certificate into the trust store.
    3. Block the entire Internet except the proxy server.

    Our lab network is set up this way and there's no way around the domain allowlist. However, trust store configuration is painful, because some apps want to have their own separate trust stores.

  • jar Patron Provider, Top Host, Veteran

    Been down this path as an IT guy many years ago. I found it easier in the end to get approval for faster internet than to go down that rabbit hole. People do not like the overzealous IT guy who tries to micromanage everything; they prefer "buffering" over it.

  • raindog308 Administrator, Veteran

    @jar said: Been down this path as an IT guy many years ago. I found it easier in the end to get approval for faster internet than to go down that rabbit hole. People do not like the overzealous IT guy who tries to micromanage everything; they prefer "buffering" over it.

    Yeah, the best solution is that you focus on how everyone is performing. If they're getting their work done, who cares if they're streaming YouTube.

    But abundant Internet is not available everywhere. I've had some remote sites say "our business app is glacially slow! performance is horrible!" and then when IT nukes a few PCs that are streaming Netflix, suddenly everything improves.

    Those are my favorite calls.

    "Your issue is resolved, and I'm forwarding this ticket to HR for further followup..."
    "Wait! Don't-"
    Click.

  • deank Member, Troll

    I say, give it 500 years.

    Nothing will matter at that point.

  • @raindog308 said:

    @jar said: Been down this path as an IT guy many years ago. I found it easier in the end to get approval for faster internet than to go down that rabbit hole. People do not like the overzealous IT guy who tries to micromanage everything; they prefer "buffering" over it.

    Yeah, the best solution is that you focus on how everyone is performing. If they're getting their work done, who cares if they're streaming YouTube.

    But abundant Internet is not available everywhere. I've had some remote sites say "our business app is glacially slow! performance is horrible!" and then when IT nukes a few PCs that are streaming Netflix, suddenly everything improves.

    Those are my favorite calls.

    "Your issue is resolved, and I'm forwarding this ticket to HR for further followup..."
    "Wait! Don't-"
    Click.

    So just block Netflix and stop getting people fired.

  • In my case, I intercept all DNS requests on the router, then redirect them to OpenDNS. Configure OpenDNS to block social media, adult content, streaming providers, etc. FYI, I am using a Mikrotik router.

  • yoursunny Member, IPv6 Advocate

    @fazar said:
    I intercept all DNS requests on router

    My host has DNS over HTTPS and your interception doesn't work.

  • @fazar said: In my case, I intercept all DNS requests on the router, then redirect them to OpenDNS. Configure OpenDNS to block social media, adult content, streaming providers, etc. FYI, I am using a Mikrotik router.

    I used the same thing a long time ago, except I used my own DNS filter before Pi-hole was born. Not perfect, but it works.

  • Hxxx Member
    edited January 2021

    Assuming this is a network of Windows computers, the issue is that you are miserably missing an Active Directory server and proper policies to limit, disable, and restrict what can be done on each workstation. Once you get that done and literally nuke the privileges, then you can set up something like pfSense with squid on your network, have Active Directory push the new DNS settings, and that's it.

    Basically what @yoursunny said; I'm just adding Active Directory and policies so that nobody except the admin can change computer settings such as DNS.

  • @yoursunny said:
    My host has DNS over HTTPS and your interception doesn't work.

    As @sibaper said, it's not perfect, but it works as intended. 99% of our internet users are not tech-savvy people and don't know about DoT, DoH or DoQ. 😀

  • You could configure QoS on the router/firewall. Known video sites are lowest priority. Users that use excessive bandwidth are lower priority than light users.

    Then go upgrade your bandwidth!

  • maybe you have a cam girl live streaming from under her desk

  • Abd Member, Patron Provider

    Set DHCP for the LAN-connected devices.

    Set QoS control on the WiFi; the TL-WR840N does have that option.
    I recommend keeping it on DHCP; you don't want people contacting you to add every single device and blaming you for blocking their connectivity (you're new there, correct?).

    Use NextDNS filtering https://nextdns.io/ to block streaming sites.

  • WebProject Host Rep, Veteran

    If it's a small office you can restrict access to certain URLs via your router; if it's a bigger company, you have options like those mentioned above, such as OpenDNS, to filter access.

  • @WebProject said:
    If it's a small office you can restrict access to certain URLs via your router; if it's a bigger company, you have options like those mentioned above, such as OpenDNS, to filter access.

    If OP is in a small office, he'd better do nothing unless his boss told him to. This will offend all the other employees.

  • Block domains rather than Cloudflare IPs, because Cloudflare hands out shared, dynamic IPs: an IP is not dedicated to a domain name and might change when the domain owner updates their DNS records. So if you ban IP X.X.X.X used by siteX.com, it might happen that X.X.X.X is given to siteY.com while siteX now uses another Cloudflare IP.
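    An added example, not from this poster or anyone in the thread, that turns the reasoning above into a check: harvested A records are sorted into addresses a router IP rule can block on their own and domains that must be filtered by name because the address sits in shared Cloudflare space or is shared between names. The Cloudflare prefix list is a snapshot to refresh from https://www.cloudflare.com/ips-v4; every record except youtube.com's is constructed.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The list changes; refresh it before using it for anything real.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def cloudflare_range(ip):
    """Return the Cloudflare prefix containing ip (str or address), or None."""
    ip = ipaddress.ip_address(ip)
    return next((net for net in CLOUDFLARE_V4 if ip in net), None)

def plan_blocks(records):
    """records: (domain, ipv4) pairs harvested from A lookups.

    Returns (ip_blocks, domain_blocks). ip_blocks are addresses that belong to
    exactly one harvested domain and lie outside shared CDN space, so a router
    IP rule hits only that site. domain_blocks maps every other domain to the
    reason it has to be filtered by name (DNS filter or proxy allowlist) instead.
    """
    by_ip = {}
    for domain, ip in records:
        by_ip.setdefault(ipaddress.ip_address(ip), set()).add(domain)

    ip_blocks, domain_blocks = [], {}
    for ip, domains in by_ip.items():
        cdn = cloudflare_range(ip)
        if cdn is not None:
            # Shared edge address: one of many serving unrelated sites, and reassignable.
            for d in domains:
                domain_blocks[d] = f"{ip} is in shared Cloudflare range {cdn} ({cdn.num_addresses} addrs)"
        elif len(domains) > 1:
            # Same IP harvested for several names: blocking it takes all of them down.
            for d in domains:
                domain_blocks[d] = f"{ip} is shared with {sorted(domains - {d})}"
        else:
            ip_blocks.append(str(ip))
    return sorted(ip_blocks), domain_blocks

# Constructed sample; only youtube.com's address comes from the thread.
SAMPLE_RECORDS = [
    ("youtube.com", "216.58.194.174"),
    ("stream-a.example", "104.16.123.45"),   # constructed, inside a Cloudflare range
    ("stream-b.example", "198.41.200.10"),   # constructed, inside a Cloudflare range
    ("stream-c.example", "203.0.113.7"),     # constructed shared host, not CDN
    ("news.example", "203.0.113.7"),
]

if __name__ == "__main__":
    ips, names = plan_blocks(SAMPLE_RECORDS)
    print("IP rules:", ips)
    for d, why in sorted(names.items()):
        print(f"filter by name: {d:20} {why}")
```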

  • WebProject Host Rep, Veteran

    @elliotc said:

    @WebProject said:
    If it's a small office you can restrict access to certain URLs via your router; if it's a bigger company, you have options like those mentioned above, such as OpenDNS, to filter access.

    If OP is in a small office, he'd better do nothing unless his boss told him to. This will offend all the other employees.

    Haha, I personally did a similar project in a small office; it definitely upset almost everyone, as it restricted access to FB, YouTube and other social networks :smiley: :wink:

  • @WebHorizon said:
    Set DHCP for the LAN connected devices,

    In fact I don't know why the hell the previous admin set these devices up with fixed IP addresses. First I thought it was related to the printers and the SQL server used in one office (connected to the same network); plus I know that Windows can get confused with the 192.168.0.200 gateway address, and in the past I had this issue even with DHCP enabled on the router, where Windows stupidly gave the PC the wrong IP/gateway address.
    Anyway, I figured out a way in the TL-WR840N to assign fi[...]e control on the network. The other, more complex solutions will take me time to learn/test; as I mentioned, it's a working environment and I can't mess with their setup.

    Set QOS control on the WiFi, TL-WR840N does have that option.

    I don't remember seeing that option before, but I'll re-check it.

  • Buy a hardware firewall, such as a FortiGate, set which websites employees can visit, and join the employees' computers to the domain/AD.

  • Set up a group policy to push out a file called c:\windows\system32\drivers\etc\hosts. The file should contain:

    127.0.0.1 youtube.com
    127.0.0.1 netflix.com

    For extra fun, substitute 127.0.0.1 with the corporate webserver IP address.

  • @JustPfff said:
    DNS was never work employees long time discovered Google free DNS,

    Block port 53 to/from anything outside your network except your local DNS service (they'll need to see your upstream DNS resolvers of course).

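    An added example, not from any poster here, of what "block port 53 except the local DNS service" looks like when checked against traffic, together with the DoT/DoH caveat raised earlier in the thread: it reads constructed flow-log lines and flags every client that resolves names anywhere other than the local resolver. The resolver address, the log format and the list of DoH hostnames are assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport sni")

# The resolver the router forces clients through (assumed address).
LOCAL_RESOLVERS = {"192.168.0.1"}

# Well-known public DoH endpoints as they appear in the TLS SNI; a starting list, not exhaustive.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "one.one.one.one",
             "dns.quad9.net", "doh.opendns.com"}

# Constructed flow-log sample, one flow per line: ts src dst proto dport sni ("-" if none).
SAMPLE_LOG = """\
2021-01-20T09:12:01 192.168.0.23 192.168.0.1 udp 53 -
2021-01-20T09:12:02 192.168.0.23 8.8.8.8 udp 53 -
2021-01-20T09:12:05 192.168.0.40 1.1.1.1 tcp 443 cloudflare-dns.com
2021-01-20T09:12:06 192.168.0.40 203.0.113.9 tcp 443 intranet.example
2021-01-20T09:12:09 192.168.0.51 9.9.9.9 tcp 853 -
"""

def parse(text):
    """Yield Flow records from the whitespace-separated log format above."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport, sni = line.split()
            yield Flow(ts, src, dst, proto, int(dport), sni)

def audit(flows, local_resolvers=LOCAL_RESOLVERS):
    """Return (src, finding, dst) for each flow that resolves names outside the local resolver.

    Three bypass patterns are checked: classic port-53 traffic to any other host
    (what the port-53 block above would drop), DNS over TLS on 853, and DNS over
    HTTPS, which is only recognisable here by the SNI of a known resolver.
    """
    findings = []
    for f in flows:
        if f.dport == 53 and f.dst not in local_resolvers:
            findings.append((f.src, "plain DNS to external resolver", f.dst))
        elif f.dport == 853 and f.dst not in local_resolvers:
            findings.append((f.src, "DNS over TLS", f.dst))
        elif f.dport == 443 and f.sni in DOH_HOSTS:
            findings.append((f.src, "DNS over HTTPS", f.dst))
    return findings

if __name__ == "__main__":
    for src, what, dst in audit(parse(SAMPLE_LOG)):
        print(f"{src:15} {what:32} -> {dst}")
```

    The DoH check only sees what the SNI reveals, so a client that reaches a resolver by bare IP or with an encrypted SNI slips through; that gap is why the default-deny egress with a proxy allowlist suggested earlier in the thread is the durable fix.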
  • yoursunny Member, IPv6 Advocate
    edited January 2021

    @skorous said:
    Set up a group policy to push out a file called c:\windows\system32\drivers\etc\hosts. The file should contain:

    127.0.0.1 youtube.com
    127.0.0.1 netflix.com

    For extra fun, substitute 127.0.0.1 with the corporate webserver IP address.

    I did this in high school, circa 2001.

    Motivation:

    • Every night, we are supposed to do homework in the classroom.
    • Classroom computer is available for use if a student wants to lookup study material online.
    • However, my classmates are watching soccer on the classroom computer, and yell if their favorite team wins / loses.

    Background:

    • The computers are Windows 98 and Internet Explorer 4.0.
    • Every computer has a hardware recovery card that reimages the hard drive upon reboot. You can't save anything to the hard drive.
    • Browser homepage is the school website, which is listed as a trusted site.
    • School has a personal webpage service that allows ASP.

    Attack:

    • I uploaded an ASP Trojan horse to my personal webpage folder.
    • I used this Trojan horse to edit the school homepage, inserting VBScript but only if it's accessed from my classroom IP address at night for the first time (via Cookie).
    • The VBScript would write a HOSTS file that redirects soccer websites to the school homepage.

    My classmates thought the school had blocked their soccer website. I could do my homework in a quiet classroom again.
    This is #NerdRevenge.

    I eventually got caught because I mistakenly deleted the school homepage, in a different incident. However, nobody knew the secret behind the soccer websites, until today.
