This morning, I had the opportunity to listen to an educator who has turned every knob available to him to prevent inappropriate content from reaching his students. I had let him know that a change was about to occur on the Internet that affects the ability to filter out websites of concern, that only certain measures would continue to work, and that the change was, of course, driven by economics. If the rollout is successful, it will likely catch many by surprise. This blog is written to assist those who may be tasked with determining options to maintain existing policies, and those who may step in to assist their local schools.
As he ran through the controls in place, it was great to be able to reassure him that the measures they have selected so far will continue to work. Endpoint protections built into the browser (Chrome, in this case) were in use. Since Encrypted Client Hello (ECH) hides the handshake details, including the destination hostname, on the path between the browser and the Content Delivery Network (CDN), controls managed in the browser itself will continue to work. These options include the use of SafeBrowsing to filter out known harmful content. SafeBrowsing is a service run by Google that has been integrated into every major browser and is a well-regarded solution. Although this measure is a good one, he (the educator) knows that those behind inappropriate content target children and find ways to slip through controls. With this in mind, he is interested in having additional protections in place. For broader awareness, we'll explore the other options that will continue to work.
A while back he had considered a tool that is positioned in the middle of connections, between the browser and the web server (or CDN). This type of solution may be referred to as a web proxy with content filtering services, or as a "middle box", since it intercepts traffic intended for another endpoint. Once ECH is deployed and enabled, these tools will have diminished value when the content is served through a CDN. In order to have visibility of the true destination web server instead of the CDN, ECH will need to be disabled in the browser. In managed environments, it is possible to disable ECH within the management controls for browsers. This browser configuration prevents ECH from being negotiated with the CDN, preserving the visibility required by middle-box inspection points. Without ECH, the destination server hostname is visible because the Server Name Indication (SNI) value is sent in the clear.
What is ECH?
How we prevent access to inappropriate content will change once ECH, a new and controversial change to the Transport Layer Security (TLS) protocol, is rolled out more fully by web content delivery networks (CDNs), including Cloudflare; only certain measures will continue to work as expected. The feature changes who has visibility into the session endpoints: the SNI value, which previously carried the destination web server hostname, is replaced with the CDN's information. Since the CDN already has visibility into which clients connect to the web servers it fronts, there is no additional privacy exposure for the end user of the browser with this change. The change prevents access to that information by a service or infrastructure that sits between the client and the CDN. It is possible to disable ECH in the browser, or through browser management, and we'll cover that as well for those managing networks for organizations whose policies permit such management.
The CDN can serve up any content and may not have restrictions in place regarding which content it chooses to support. The CDN may be accommodating free speech requirements, or ensuring it is not partaking in censorship, by serving all content without restriction. By enabling ECH, it shifts where content can be screened. With ECH enabled, the control point remains the browser, and options to use allow or deny lists to filter traffic are limited to SafeBrowsing and DNS filtering services.
This blog is written to help readers understand the options an organization or school might have under its established acceptable use policies for Internet content. While filtering does constitute a form of censorship, this is balanced against the very real and constant threat of attacks such as ransomware and phishing that target organizations with few resources. These and other attacks may result from vulnerabilities in the browser or host, the use of phishable authentication types, or malicious content downloaded from a server. Services that filter malicious content aid in the prevention of these attacks until we reach a time when the endpoint is not vulnerable and authentication is secure.
Organizations with acceptable use policies may also filter content deemed inappropriate for their user base. This action is a type of censorship, and it certainly raises concern for organizations when it is intended to filter out access to illicit content, whereas in other censorship instances filtering is used to screen content that includes news, health-related information, and other content to which access is considered a basic human right. I acknowledge that this is a very tricky topic. At the same time, filtering to acceptable use policies in schools may be the only alternative to no access at all if cultural norm expectations for protecting children are to be met, and the same holds in office settings where content must meet acceptable use policies that foster a safe workplace.
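To make the visibility change concrete, the following added example (not code from the original post) builds a minimal, constructed TLS 1.3 ClientHello and parses it the way an on-path inspection point would: it reads the cleartext SNI and checks whether the ECH extension (codepoint 0xFE0D in the current drafts) is present. The hostnames are placeholders, and the ECH payload is a stand-in for the real encrypted inner ClientHello.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type
ECH_EXT = 0xFE0D   # encrypted_client_hello extension type used by current ECH drafts

def build_client_hello(outer_sni: str, with_ech: bool) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello record (sample data, not captured traffic)."""
    name = outer_sni.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    if with_ech:
        ech = b"\x00" * 16   # stand-in for the encrypted inner ClientHello payload
        exts += struct.pack("!HH", ECH_EXT, len(ech)) + ech
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type + 3-byte length
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def inspect_client_hello(record: bytes) -> dict:
    """Fields an on-path inspection point can read: cleartext SNI and ECH presence."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher suites
    p += 1 + hs[p]                                  # compression methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    seen = {"sni": None, "ech": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        if etype == SNI_EXT:
            seen["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == ECH_EXT:
            seen["ech"] = True
        p += 4 + elen
    return seen

if __name__ == "__main__":
    # Without ECH the origin hostname is in the clear.
    print(inspect_client_hello(build_client_hello("origin.example", False)))
    # With ECH the outer SNI carries only the CDN's public name; the origin
    # hostname is inside the encrypted payload and cannot be read here.
    print(inspect_client_hello(build_client_hello("cdn-public.example", True)))
```

A real ECH ClientHello carries several more extensions (key shares, supported versions, and so on); the point of the example is that the only hostname readable by a middle box is the outer one.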
Web Content Filtering Options
The Domain Name System (DNS) translates a web site name (hostname) to an Internet Protocol (IP) address. When this translation occurs, some domain name servers offer screening services to prevent access to known harmful sites, which could include malicious or inappropriate content. Since such content can appear on brand new sites, it is also possible for these services to only allow the translation of a hostname to an IP address for sites that have been vetted. This vetting creates an allow list of sites to access.
The two methods that can be used going forward to restrict access when ECH is enabled are:
1. Browser-based controls, such as the block lists provided through SafeBrowsing.
2. A DNS service that provides a second point of control to screen out inappropriate or malicious sites.
The DNS-based filtering option can be configured at the host level by setting the organization's DNS servers in the Dynamic Host Configuration Protocol (DHCP) settings, and/or within the browser if a DNS over HTTPS (DoH) server provides the filtering. If you rely on a DNS over TLS or a traditional DNS server for this option, be sure that the browser is not overriding that setting with a DoH server of its own.
Free options that filter known malicious content (but not content that is inappropriate under your policies):
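The two browser-side settings this post leans on, pinning the browser's DoH to the approved filtering resolver so it cannot override the DHCP-supplied DNS, and turning ECH off when a middle box needs the origin hostname, can be checked against a managed browser policy. The following added example (not code from the original post) does that for a Chrome managed-policy document; the policy names are Chrome's own, while the resolver URL and the sample policies are constructed placeholders.

```python
import json

APPROVED_DOH = "https://doh.filter.example/dns-query"   # placeholder for the vetted resolver

def check_browser_policy(policy_json: str, approved_doh: str = APPROVED_DOH,
                         middle_box: bool = False) -> list:
    """Return notes on a Chrome managed-policy document (policy keys are Chrome's;
    the resolver URL is a placeholder). middle_box=True means an inspection point
    expects to see the origin hostname, so ECH must be turned off in the browser."""
    policy = json.loads(policy_json)
    notes = []
    mode = policy.get("DnsOverHttpsMode", "automatic")        # Chrome's default when unset
    templates = policy.get("DnsOverHttpsTemplates", "").split()  # space-separated URI templates
    if mode == "secure":
        if templates != [approved_doh]:
            notes.append("DoH is pinned, but not solely to the approved filtering resolver")
    else:
        # "off" or "automatic": the browser follows host DNS (automatic may upgrade to the
        # same provider's DoH), so filtering relies on the DHCP-supplied resolver.
        notes.append("DoH not pinned in the browser; filtering relies on the host resolver")
    if middle_box and policy.get("EncryptedClientHelloEnabled", True):
        notes.append("ECH still enabled; the middle box will see only the CDN's outer SNI")
    return notes

# Constructed sample policies (not from any real deployment)
PINNED = json.dumps({"DnsOverHttpsMode": "secure",
                     "DnsOverHttpsTemplates": APPROVED_DOH,
                     "EncryptedClientHelloEnabled": False})
BYPASS = json.dumps({"DnsOverHttpsMode": "secure",
                     "DnsOverHttpsTemplates": "https://other.example/dns-query"})
UNMANAGED = json.dumps({})

if __name__ == "__main__":
    for label, doc in (("pinned", PINNED), ("bypass", BYPASS), ("unmanaged", UNMANAGED)):
        print(label, check_browser_policy(doc, middle_box=True))
```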
- Quad9 offers a free DNS filtering service to protect against access to malicious sites.
- For K-12 schools, as part of an offering for state, local, tribal, and territorial (SLTT) organizations, the US government subsidizes a free service provided through the Center for Internet Security called Malicious Domain Name Blocking and Reporting (MDBR).
- Avast offers a free DNS over HTTPS (DoH) service to screen malicious content as well.
For schools and other organizations interested in screening out inappropriate content, additional services may be necessary. These services allow for policy-based decisions that determine which types of content are not suitable for the intended audience. Multiple options are available, offered over traditional DNS, DNS over TLS (DoT), and DNS configured directly in the browser using DoH.
Several examples in alphabetical order include:
- Akamai Protective DNS (PDNS)
- Cisco Umbrella DNS
- CleanBrowsing DNS Filtering Service
- Cloudflare Gateway (offers DNS filtering and other options beyond the scope of this recommendation)
- DNSFilter
- Scaler DNS Security
- WebTitan
For families, the following free DNS filtering service is available:
Please do check any service level agreements and privacy policies to ensure the offerings meet your requirements. DNS services offered through your service provider likely come with contracted service levels and security policy requirements that may not be attainable with a free offering. For any recursive resolver used, DNS spoofing is a potential concern and another reason to be diligent in vetting the DNS services used. Additionally, if your school or organization has a bring your own device (BYOD) policy in place, mobile device management (MDM) or browser management, coupled with filtering solutions at the gateway, may be used to ensure use of the approved DNS services. If browsers are not managed but hosts join the network, offering a DNS server through the DHCP configuration settings may help, provided DoH is not enabled in their browser.
The solutions listed are limited to the traditional DNS namespace, as there are no solutions available to date that assist in filtering alternative naming technologies such as blockchain DNS. Alternative naming systems such as blockchain DNS are designed to resist censorship. Censorship here includes government-level firewalls that filter content for their citizens, as well as controls that protect against access to inappropriate content. Presently, use of an alternative DNS service requires a browser plugin to obtain the mapping from these names to the hosting IP addresses of supported websites. If your organization screens content, settings for alternative DNS services should be verified as well to suit the organization's policies. Each of these systems has its place, and this blog is written specifically for controlled domains operating with policies appropriate for their user base. At schools, parents and students often sign agreements on expected behavior, including anti-bullying policies and electronic use policies, where tools that assist the organization can be helpful. Through these policies, the user accepts the restrictions deemed appropriate for the user base in that setting.
Please vet any service offering prior to implementing it, as this post does not endorse any of the mentioned options. Additional DNS filtering services may exist that are worth reviewing.
Reviewers:
Brian Haberman, JHU APL
Paul Vixie, AWS