User Guide - Securing DNS and using DNS-based content filtering
In this document we examine a VPN setup that is configured to meet the needs of a fictitious company. A startup has headquarters based in California, with virtual sales offices across the US and in Europe. Their sales team often visits or travels to and from customer sites, accessing the internet from public networks like those provided in hotels, cafés, and airports. The sales team relies on SaaS tools like Google Workspace and Salesforce.
In our example company, Owen is in charge of IT and networking. He is aware of the security risks with DNS on public internet sites and is looking for a solution that doesn’t require him to directly manage, install, and maintain servers.
Owen is also aware that two of the benefits of using OpenVPN Cloud are DNS security and DNS-based content filtering. For more details on DNS security with OpenVPN Cloud, refer to this page. Owen wants to use DNS-based content filtering to block access to malicious websites that spread malware.
During the OpenVPN signup process (as shown here) Owen sets technop as the OpenVPN ID for his VPN. This subdomain uniquely identifies Owen’s company VPN as technop.openvpn.com. Subsequently, each VPN user must use the https://technop.openvpn.com URL to import the VPN connection profile in their Connect client, which then allows connections to the technop.openvpn.com VPN.
Owen follows these steps to verify the protection of DNS traffic and to configure content filtering:
- Owen connects to the OpenVPN Cloud administration portal at https://cloud.openvpn.com/.
On connection, Owen checks that the DNS servers assigned to his computer are from the 100.96.0.0/11 IP address range. This assures him that his device is bypassing the DNS servers on his local network and is sending DNS traffic through the VPN tunnel to the OpenVPN DNS servers. The actual internet traffic continues to use the local network and not the VPN.
To make this check, Owen uses the nslookup command:
- Owen navigates to the Cyber Shield section of the OpenVPN Cloud Administration portal and toggles the Domain Filtering > Monitoring switch to on.
He then clicks the edit (pencil) icon to see a list of domain filter categories and selects the Malware and Hacking and Cracking categories. For more details, refer to: Configuring Cyber Shield Domain Filtering
- Owen then opens a web browser and enters http://alasxxxxxxxx.ae into the address bar.
The request is blocked by OpenVPN’s DNS servers because the domain has been categorized as malware. Instead of seeing the site’s content, the error “This site can’t be reached” is displayed.
- Confident that the setup is correct, Owen uses email addresses to add his company’s employees as Users. For more details, refer to: Adding a User.