I noticed my kids accessed inappropriate websites, so I want to block access to them.
OpenDNS works like a charm, but there is a problem.
Both laptops have got Arch Linux as daily driver, and Windows 11. I tried to enable dns-crypt service in windows for kids' account only but I failed.. I only managed to secure it well with mmc.
So, is there a way to allow a Standard User to use a different DNS (at the same time disallow VPN connection)? If so, I would appreciate any guidance.
I am using NetworkManager.service
To my understanding, network settings are global and cannot be user-specific, but as usual, uncle google says it can and can't be done.
I read about tinyproxy, but it involves entering url's manually
ddclient manual also does not specify two separate users.
Offline
https://wiki.archlinux.org/title/Parental_control
> I am using NetworkManager.service
> To my understanding, network settings are global and cannot be user-specific, but as usual, uncle google says it can and can't be done.
https://wiki.archlinux.org/title/Networ … connection
Just make sure to have custom connections for each account that are not set to be available to all users.
> I read about tinyproxy, but it involves entering url's manually
https://wiki.archlinux.org/title/DansGuardian
https://help.ubuntu.com/community/DansGuardian at least shows you how to use iptables to effectively "enforce" (see below and the warning on the parental control wiki) the use of the proxy.
BUT (brace urself, tight) - this is gonna be a semi-rant:
---------------------------------------------------------
DNS blocking isn't a usable way to block access to anything.
dnscrypt exists to make sure that your DNS query hasn't been tampered with, it doesn't prevent that you ask a different server.
If your kids are old enough to watch porn, they'll get around DNS blocking attempts in no time.
Specifically you can configure DNS (and DoH!) servers (and, ftr: proxies) in the clients (ie. in doubt the browser)
You're looking for a firewall/proxy in a node that
a) your kids *have* to use
b) don't have (ideally physical) access to
The latter should be able w/ a wifi-router and a padlock.
The former is a problem unless said padlock locks a chain attached to your kids (in which case you should probably report yourself to the police)
Anything that is done on the device is borderline pointless.
In doubt they can boot some live distro and download a weekly supply of porn.
Even if you limit the boot devices, there's probably a cheat to reset the UEFI or a master password to it.
But let's say you achieved that AND you made sure that they cannot issue boot parameters that kick them into a root shell:
DNS blocking is still nonsense that won't work. Forget about that. Entirely. This is not how the internet works.
You'd want to use the filtering proxy and enforce it w/ iptables.
Don't complain if your kids still get root access on the device. They have physical access, there is a way.
Also keep in mind that your children most likely will have
1. internet access outside your control (school etc.)
2. access to porn by other means (friends - you can share data on ad-hoc connections… or usb keys)
3. at least one friend or friend with an older brother who already knows more about network/system security than you
Don't try to fix social issues with technical means.
You can control and secure a particular network, but not human behavior.
The internet isn't a nice place.
If you can no longer keep your children away from it, it's your job to prepare them along their, err…, desires.
The parental control stuff works to protect children from accidentally stumbling over "content".
Not against a horny teenager.
--------
Semi-OT: Isn't porn opt-in by the ISP in the UK anyway?
Offline
So, I totally agree with what you say. But, we were once young and wild. Our parents taught us righteous ways, but we rebelled often. Teaching them is one thing, but doing also everything to stop them from accessing inappropriate content is another..
Nevertheless.. They have no knowledge or willingness to learn how to run a live distro, share data on ad-hoc etc. They always ask me to solve technical issues with system. They don't even know that there is something like pacman -S
They are only using Brave browser and MS Teams. But.. they know that VPN bypasses all of the DNS settings.
All of their homework is done via MS Teams on Arch. Yes, it was a big fight, but they got used to it, and don't complain anymore. I can't let them use Windows, as they would destroy the system within days.
My aim is to secure their internet access, without them knowing how I have done it, and without access to su/sudo (just in case). As said, they won't run live distro, or arch-chroot.
We are not talking about porn in this instance, but no, gov has not blocked it yet.
Managing services as per user in Windows is way too complicated.
Last edited by ad4ms3 (2023-01-13 16:57:24)
Offline
Afaics brave uses DoH by default anyway - and relies on internal settings for the DNS server.
You can configure any DNS server there, but just as much the kids can un-configure it (or figure the IP otherwise and enter that)
If your only concern is the browser, there's also a whole slew of parental control extensions on https://chrome.google.com/webstore/sear … extensions
But I cannot comment on or recommend any of them.
If you want to usably constrain the entire system but are not overly concerned w/ their hacking skills, e2guardian sounds like a realistic approach (iptables grants only the proxy network access and the proxy is a system service - both will require root permissions to be altered)
For future readers skipping the above rant I'll though stress again that this isn't bulletproof and will not be able to keep a somewhat tech savvy 13-year old away from porn on the internet.
Offline
> They have no knowledge or willing to learn how to run a live distro, share data on ad-hoc etc.
Not yet. The strategies discussed in this thread might be more effective at motivating them to learn about computers / networking than at preventing them from accessing blocked content.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Online
They are girls.. they are not interested how computer works. I showed them how laptop looks inside, tried to teach them basics of programming. They were not interested at all how to install an operating system, even as trivial as Windows.
Anyway.. Once I find a way to set it up the way it is described in the first thread, I will post solution here.
Offline
1. It's 2023 - girls can figure how to make their browsers show them internet porn, too.
2. They don't need to be "interested how computer works" - they need to be interested to "access inappropriate websites"
3. I linked you in my initial response how to set up per connection DNS servers and pointed out that you need to have individual connections per user
4. I'll stress that DNS blocking isn't very reliable. You could try a netfilter/iptables rule to block port 53 to all but the desired DNS server, but there's still DoH and manual host resolution.
5. I also pointed out existing content filtering proxies (which will likely be harder to evade than DNS approaches) - but you know your kids, at least better than us. So, while not necessarily accurate (the day will come where you see their search history and start to cry… and it'll come probably sooner than you think), your verdict is more relevant here.
Offline
> They are girls.. they are not interested how computer works. I showed them how laptop looks inside, tried to teach them basics of programming. They were not interested at all how to install an operating system, even as trivial as Windows.
They may well not be interested, but that has nothing to do with their being girls. Not all girls are alike. Trust me, girls can be extremely interested.
Last edited by cfr (2023-01-15 04:41:27)
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
Hi,
In my opinion, you need to do two things. I mean you have to do these things as a parent:
– use stuff [that] works to protect children from accidentally stumbling over "content" (quotation from seth above);
– talk and educate your kids to limit the harm.
In the world we live in you can't prevent them from growing up and looking for content, there's just no way, but you can try to make it not too harmful.
The first point is necessary because right now there's not enough being done to prevent bad people from showing unwanted "content", e.g. to earn money with clickbait or for harassing. It's really annoying that you might need technical knowledge to prevent it.
Offline