
MISSION: Block sites with OpenDNS

MISSION: Block troublesome websites with minimal effort
EXECUTION TIME: 90 seconds
TOOLS: Requires use of OpenDNS.com name servers


This is Jason, the new guy at Special Ops Security, and I'll be posting blog items that are more of your "basic training" type than the other guys. In light of the DoD's recent blocking of prominent websites, I wanted to post a very quick and easy way to block sites on your corporate network. Now, this is definitely not a 100% solution; for that, you need to blacklist the URL in your firewall, router, WebSense device, or other content filtering technology.

Even then, your users can use a proxy server to get around the blocking. Think of this as an 80% solution that takes seconds versus opening up your firewall and needing more skilled engineers to change rulesets.

OpenDNS provides these really fast DNS resolvers that have really large caches. These guys are great and you should definitely use them for your corporate network's DNS resolver instead of your ISP's. I guarantee they are faster. More on that in another posting.

If you're a current OpenDNS user, the graphic above should confirm that by saying "Sweet!" If the graphic above says "Get Started" then your network does not use OpenDNS yet, and that is a prerequisite for this great feature to work.

Once you've signed up with OpenDNS (it's free and takes just a couple of minutes), you can log in to your account and add sites to the "blocked" list. If you block craigslist.org then you’ll also be blocking la.craigslist.org (Craigslist Los Angeles) and sfbay.craigslist.org (Craigslist San Francisco), etc. If, instead, you just blocked newyork.craigslist.org then the rest of the Craigslist properties would load just fine.
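The subdomain behaviour described above, modelled as an added example (not OpenDNS code and not part of the original post): a blocked entry covers itself and every name beneath it. The function names and the label-by-label comparison are assumptions made for illustration; the sample hostnames are constructed from the domains named in the post.

```python
# Added example: models the blocked-list semantics described in the post.
# Not OpenDNS code; matching on whole DNS labels is an assumption.

def normalize(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def blocking_entry(hostname, blocked):
    """Return the blocked-list entry that covers hostname, or None.

    An entry covers itself and every name beneath it, compared label by
    label so that 'notcraigslist.org' is not caught by 'craigslist.org'.
    """
    labels = normalize(hostname).split(".")
    entries = {normalize(b) for b in blocked}
    # Walk from the full name up towards the TLD: a.b.c, then b.c, then c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None

def audit(hostnames, blocked):
    """Map each hostname to the entry blocking it (None = still reachable)."""
    return {h: blocking_entry(h, blocked) for h in hostnames}

# Constructed sample hostnames, using the domains named in the post.
SAMPLE = [
    "craigslist.org",
    "la.craigslist.org",
    "SFBay.Craigslist.org.",
    "newyork.craigslist.org",
    "notcraigslist.org",
]

if __name__ == "__main__":
    for blocked in (["craigslist.org"], ["newyork.craigslist.org"]):
        print("blocked list:", blocked)
        for host, entry in audit(SAMPLE, blocked).items():
            print(f"  {host:28} {'BLOCKED by ' + entry if entry else 'allowed'}")
```

Running an audit like this against a planned blocked list shows which hostnames stay reachable before the entries go into the OpenDNS account.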

When you try to visit a domain that is blocked you’ll see a page that looks like the one to the left. The nice part about this is that it lets the user know the site is blocked and gives them the feedback that they shouldn't be accessing it. You can even replace the OpenDNS logo with your company's own. This feedback page is much better than a browser error ("web server not responding") that would result from firewall or router blocking.

This feature can be used to steer employees away from social networking sites at work or to preemptively block malware sites. Hopefully I haven't alienated all of the really technical subscribers to our blog--just want to have content for the experts as well as the beginners.

davidu 5/22/2007 10:04:00 PM

Nicely written! 80% results, 20% effort. Nice. :-)

Copyright 2002-2007 • Special Ops Security, Inc. • All Rights Reserved.