User Guide - Securing DNS and using DNS-based content filtering

Overview

In this document, we examine a Wide-area Private Cloud (WPC) setup that is configured to meet the needs of a fictitious company. A startup has headquarters based in California, with virtual sales offices across the US and in Europe. Their sales team often visits or travels to and from customer sites, accessing the internet from public networks like those provided in hotels, cafés, and airports. The sales team relies on SaaS tools like Google Workspace and Salesforce.

In our example company, Owen is in charge of IT and networking. He is aware of the security risks with DNS on public internet sites and is looking for a solution that doesn’t require him to directly manage, install, and maintain servers.

Owen is also aware that two of the benefits of using OpenVPN Cloud are DNS security and DNS-based content filtering. For more details on DNS security with OpenVPN Cloud, refer to this page. Owen wants to use DNS-based content filtering to block access to malicious websites that spread malware.

During the OpenVPN signup process (as shown here), Owen sets technop as the Cloud ID for his WPC. This subdomain uniquely identifies Owen’s company WPC within OpenVPN Cloud. Subsequently, each WPC user must use the OpenVPN Cloud URL to import the WPC connection profile into their Connect client, which then allows connections to the OpenVPN Cloud WPC.


Setup

Owen follows these steps to verify the protection of DNS traffic and to configure content filtering:

  1. Owen connects to OpenVPN Cloud (Connecting to OpenVPN Cloud). On connection, Owen checks that the DNS servers assigned to his computer are from the 100.96.0.0/11 IP address range. This assures him that his device is bypassing the DNS servers on his local network and is sending DNS traffic through the WPC tunnel to the OpenVPN DNS servers. The actual internet traffic continues to use the local network and not the WPC.
  2. Owen navigates to the Cyber Shield section of the OpenVPN Cloud Administration portal and toggles the Domain Filtering > Monitoring switch to ON. He then clicks the edit (pencil) icon to see 4 blocking presets (Basic Protection, Safe Browsing, High Productivity, Custom) and a list of domain content categories within them. Owen clicks the Custom option and selects all categories within the Malicious group and the Hacking and cracking group. For more details, refer to: Configuring Cyber Shield Domain Filtering | OpenVPN Cloud
  3. Owen then opens a web browser and enters http://malware-test-domain.openvpn.com/ into the address bar. This request is blocked by OpenVPN’s DNS servers because the domain has been categorized as malware. Instead of seeing the site’s content, the error “This site can’t be reached” is displayed. 
  4. Confident that the setup is correct, Owen uses email addresses to add his company’s employees as Users. For more details, refer to: Adding a User.
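
The check in step 1 can be scripted instead of read off by eye. The following is an added example, not part of the original guide or of OpenVPN's tooling: it classifies each resolver in resolv.conf-style text against the 100.96.0.0/11 range from step 1. The function names, the resolv.conf input format, and the sample data are assumptions made for illustration.

```python
import ipaddress

# DNS server range stated in step 1 of the guide.
WPC_DNS_RANGE = ipaddress.ip_network("100.96.0.0/11")

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify(server):
    """Classify one resolver address against the WPC DNS range."""
    try:
        addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        # A local stub resolver (systemd-resolved listens on 127.0.0.53) hides
        # the real upstream, so this entry proves nothing either way.
        return "local-stub"
    if addr.version == 4 and addr in WPC_DNS_RANGE:
        return "wpc"
    return "outside"

def audit(text):
    """Return (protected, results); protected only if every resolver is 'wpc'."""
    results = {s: classify(s) for s in parse_nameservers(text)}
    protected = bool(results) and all(v == "wpc" for v in results.values())
    return protected, results

# Constructed sample inputs (not captured from a real client).
SAMPLE_CONNECTED = "nameserver 100.96.1.1\nnameserver 100.96.1.2\n"
SAMPLE_MIXED = """\
# constructed: one WPC resolver plus two that bypass the tunnel
nameserver 100.96.1.1
nameserver 100.64.0.1   # in 100.64.0.0/10, but not in 100.96.0.0/11
nameserver 192.168.1.1
"""

if __name__ == "__main__":
    for name, sample in (("connected", SAMPLE_CONNECTED), ("mixed", SAMPLE_MIXED)):
        protected, results = audit(sample)
        print(name, "protected" if protected else "NOT protected", results)
```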