Filtering by DNS (?) for my son's inet (with Genode)

My son’s growing up, he’s getting his own PC on Christmas.

Initially it will be “air-gapped”, but from early feedback, it’s clear this is not gonna fly for long, I sense a revolt brewing ^^. Yet I don’t want him out on the big wild web out there with zero sense of what’s happening to him.

My Orange router/modem doesn’t provide anything useful in that department… Well their marketing dpt. mentions some for-pay “controle parental” stuff, but I’m dubious. So I give myself a few months to come up with something.

One thing that comes to mind to this noob, is DNS-based filtering, on an extra device I would insert “in the middle”, on which I would control a strict white list of allowed DNS addresses. That is,

  • don’t give him the WiFi key to our router
  • instead, come up with another small-ish wifi server (preferably running Genode)
  • he then connects to that WiFi server, with its WPA access key
  • that server connects to my Orange router, and forwards my kid’s traffic to it
  • I have full control of the in-the-middle device, i.e. I can configure it to filter by DNS, allow only access to his middle-school website so he can do his homework, plus anything we agree to add later on (some online games I have vetted etc).

Ever since I started looking at Genode’s router component I’ve noted how feature rich it is. Maybe it could help, provided I find an SoC with WiFi or other device that can run Genode and do the WiFi “routing”? And later that device would serve as my NFS and FTPd server too. It’s something I planned to do for many years, but my kid’s need for inet access is kinda forcing the issue to the fore.

Thoughts ? Hare-brained scheme, or is there a precedent I can draw inspiration from ? Any better alternative out there ? Or have none of you faced that issue yet ?
Thanks.

EDIT: Alternatively, I could go a (much much) easier route, working on the client side: I could partition my son’s HDD, set up a Genode partition with Falkon, and define as ground rules that he has to reboot from Windoze to Genode if he wants web access. The WiFi key can be hardwired into the image. Falkon won’t run his online games (so he’ll continue to hog his mom’s computer for that ^^) but at least that’ll give him access to whatever I white-list in the nic-router config. Heck, that Genode image might even run as a VirtualBox or qemu guest from within Windows, without rebooting, if I find out how to connect it to the host’s internet access.


Whilst not able to help with building your project I was thinking today whether you could start him off with browsing “Gemini” rather than the proper web for a bit; Gemini being just like the internet that captivated many of us in the late 1990s. It probably would not take long to knock up a client for Genode!

Would you be thinking of this computer running Windows - mentioned in the last para? I suspect you have given the OS some thought, and that you must have considered Haiku? Reasonably mature platform with a diverse array of apps to play with and capable of doing all the things we like, and without the big blockbuster games. If you have your Genode based security then the vulnerability of Haiku as an internet connected OS should be ameliorated. Plus you can dogfood Haiku-on-Genode at home when it is sufficiently ready!

Going off on a tangent, I am a fan of non-QWERTY keyboards myself and recommend for somebody getting their first computer a different format to start with. You will grow up to be more efficient at typing than your peers! I am currently using Keyboardio Atreus running RSTHD, which is the layout I settled on.


This somehow reminds me of Pi-hole.

It would be very cool to have a virtual Pi-hole as component for Sculpt OS, redirecting all DNS queries of Falkon to this component.


Howdy squizzler,

My first step whenever I receive a new/used computer, which typically has one Win partition, is to run an old (freeware) build of Easeus Partition Master to split the main partition into three (for triple-booting), and I suspect this computer will be no exception ^^
With that said, I’m not sure he’ll spend any time in Haiku, at least not at first. But ever since he started using his mom’s Win10 I’ve been gently pushing/suggesting various ideas about Win’s inefficiencies (to put it mildly), trying to give some technical background for his various frustrations (e.g. the dang thing is still swapping like crazy even after upgrading its RAM from 4 GB to 8 GB) and as time goes by I’ll suggest using the boot menu more (wink nudge). Win is good as a “consumer” of other people’s code… But for a year or two he’s been moving from pure consumer to producer. The middle school curricula got him started on ‘Scratch’ (MIT’s visual programming language, I have to admit it’s nifty). He absolutely loves Scratch. That one is heavily dependent on FireFox… But when/if he grows an interest in V or C, I’ll try to make that happen on the Haiku partition instead. Heck, I suspect C itself could happen on Genode too, with a tiny compiler like TCC. It’s hard to get youngsters excited these days with simple things though… What with all the shiny bling bling they see around, WebGL games in the browser, and so on. Will have to be careful and find a way to compete with that.

Keyboard-wise, well. He’s very hard-headed (like father, like son ^^) and won’t even take to proper typing – regardless of the keyboard layout, which would be yet another can of worms. My daughter would be a better candidate: she listens to my advice, and practices proper typing (fingers on F and J as starting position, move your fingers but not your hands, each key has an assigned finger, etc).


Thanks Norman – Looking at Pi-hole.

I see it can be installed on Linux, so as a starting point, I could set it up on my Linux (Debian) box and configure my son’s computer primary DNS to it. I probably shouldn’t worry about him changing the DNS settings at this point, it will be a few years before he even looks at that. Starting with my Debian as server will be a good starting point for when/if I decide to build upon it for something even more elaborate.

Seems that, although it normally works in everything-allowed-except-if-black-listed mode, Pi-hole could also easily do the opposite (allow nothing except domains from a white-list), if the black-list is a full wildcard and some later white-listing occurs:

https://docs.pi-hole.net/regex/overview/

FTL DNS uses a specific hierarchy to ensure regex filters work as you expect them to. Whitelisting always has priority over blacklisting.

Re. porting to SculptOS,

its dependencies include PHP and dnsmasq. Apparently when installed out of the box, it acts as a DNS hole for outside (not local) DNS requests only. In order to also filter local (e.g. Falkon) requests it takes some extra configuration steps.

So to summarize – I think I’m going to give that a try on Debian and see where that takes me.


So Christmas came early, meaning I unboxed the “gamer PC” with my kid, and immediately went to work.
Got Pi-hole working in Debian, had to go through a few hoops though.

  • install Pi-hole, following the “wget” steps (not curl, which does not ship with Debian out of the box it seems)
    (note: don’t scroll back terminal while it’s working, otherwise you’ll get a black/void/empty terminal once it reaches the ncurses interface and you’ll have to start over, odd bug)
    (note: don’t try to Select-All to capture the install history for future reference, it does not work)

From now on there’s a “pihole” command available in Terminal.

  • Use it to set a password for the web dashboard

  • Access the dashboard at http://localhost/admin (that was not specified anywhere in the doc, I kept trying http://localhost and hitting “403: Forbidden”, had to duckduckgo to find out about the URL)

Now let’s get serious and try DNS filtering!

  • Add “*” (in regex mode, not in plain-domain mode) domain black-listing
  • Add a domain white-list or ten for testing purposes (at a minimum, microsoft.com seems to be obligatory, otherwise Win10 concludes that the network is down and shuts down wifi…)

Uh… Nothing works, even via Ethernet ?! How come ? After digging for an hour or two, I found out that if I disabled rate-limiting (click “Settings” at the bottom of the left column, then DNS, Rate limiting, set to 0/0 to disable), Ethernet would work.

WiFi still didn’t work though. Digging through search engine results, I saw that Pi-hole was not the culprit for that one – the problem is that my Orange router has two wi-fi modes: “normal”, and “invited” (guest). Guest-mode wifi clients are not allowed to contact each other, they can only talk to the router/box. So I moved my son’s computer to ‘normal’ wifi, and yep, it works, it makes DNS queries to my Debian laptop now.

Last hurdle – given the amount of domains that have to be white-listed, I thought sorting them in groups would be a nice, welcome feature, but each time I did so, the domain’s white-listing would come to an end, it would return to being black-listed. Fiddling with that stuff, I realized that when moving domains around, they have to remain in the “Default” group, so e.g. domain “my-middle-school.foo” can belong to group “MiddleSchool”, but it must also continue to belong to group “Default”.

Also found a couple other bugs, e.g. when you rename a group the white-list domain items inside get assigned to a random other group… But let’s be honest, I’m grateful this thing exists, and it’s clear a huge amount of work went into it.


OS and software wise, also got my son to install dosbox (to play classics like Blue Byte’s “Settlers”, X-COM UFO etc) and later started installing Linux and Haiku. Linux somehow installed and set up GRUB and its boot menu silently (there was no GRUB interaction at install stage)… The magic of EFI I guess? Didn’t find how to configure it yet, the GRUB files do not seem to be in /boot/grub, will dig deeper.


So bottom line, we got in a routine now, each day my kid wants me to start up Debian so he can have internet access… I guess in a few months the need for an SoC running Genode will be a little more pressing, and I’ll look for something that can run at least dnsmasq (if not the PHP admin interface). Maybe I’ll make a brief mention of that in the traditional end-of-year mailing-list discussion ^^. In the meantime, gotta consolidate the setup.

So far I’m seeing 60% blocked DNS requests so yea, there’s lots of “noise” among the signal on today’s internet ^^
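A small model of the “block everything, then white-list” policy set up in this post, added here as an example and not Pi-hole’s own code. The only rule it takes from the quoted docs is that allow entries win over block entries; the group handling (an entry only counts if one of its groups is enabled) and the exact-versus-regex matching are assumptions of the model, and the domains are constructed samples.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Constructed model of a deny-by-default DNS filter with an allow-list on top."""
    block_regex: list[str] = field(default_factory=list)
    allow_exact: set[str] = field(default_factory=set)
    allow_regex: list[str] = field(default_factory=list)
    # assumption: entries belong to groups; only enabled groups are consulted
    entry_groups: dict[str, set[str]] = field(default_factory=dict)
    enabled_groups: set[str] = field(default_factory=lambda: {"Default"})

    def _active(self, entry: str) -> bool:
        groups = self.entry_groups.get(entry, {"Default"})
        return bool(groups & self.enabled_groups)

    def decide(self, qname: str) -> str:
        """Return 'allow' or 'block' for a query name (trailing dot and case ignored)."""
        name = qname.rstrip(".").lower()
        # allow-list has priority over the block-list (rule from the quoted docs)
        if name in self.allow_exact and self._active(name):
            return "allow"
        for pat in self.allow_regex:
            if self._active(pat) and re.search(pat, name):
                return "allow"
        for pat in self.block_regex:
            if self._active(pat) and re.search(pat, name):
                return "block"
        return "allow"  # nothing matched: forwarded to the upstream resolver


def school_policy() -> Policy:
    """The setup from the post: a catch-all regex block, then a few allowed names."""
    p = Policy(block_regex=[".*"])  # regex that matches every name (constructed)
    p.allow_exact.update({"my-middle-school.foo", "microsoft.com"})
    # regex allow entry covers the domain and all its subdomains
    p.allow_regex.append(r"(^|\.)scratch\.mit\.edu$")
    p.entry_groups["my-middle-school.foo"] = {"Default", "MiddleSchool"}
    return p


def move_out_of_default(p: Policy, entry: str, group: str) -> Policy:
    """Reproduce the symptom from the post: an entry left only in a disabled group stops applying."""
    p.entry_groups[entry] = {group}
    return p
```

With an exact allow entry, subdomains such as login.microsoft.com are still blocked in this model, which is why a catch-all block needs a regex allow entry (or one exact entry per host) for each service.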


Very interesting… Thanks for the detailed info!
