Content-Filtering with Private Endpoints

Written By Marissa Fegan (Super Administrator)

Updated at December 3rd, 2020

Once you have located a list of domain names or IP addresses, blocking them is easy and transparent to any users currently connected. Note that domain-name blocks may not start working immediately due to DNS caching on the user's computer.

How it Works

We can block traffic based on domain name or IPv4 address. By default, all DNS traffic is routed through your PEP while connected, allowing us to refuse to return the correct IP address for the domain name in question. Additionally, IP addresses can be null-routed to prevent users from establishing a connection to the hosts in question.

When blocking domain names, it is best to block the base domain name (e.g., "example.com" rather than "www.example.com"). When a domain name is blocked, all of its sub-domains are automatically blocked as well. For example, blocking "example.com" also blocks "support.example.com".

URLs for specific pages can't be blocked, because that would require inspecting the content of your network traffic. Generally, this is undesirable and often impossible, since protocols like HTTPS encrypt the request (including the URL path) end-to-end, leaving only the host name and IP address visible to the PEP.

Note that extensive lists may require extra server resources and introduce additional overhead due to the lookups involved.

Usage Examples

The examples below use public lists available at https://blocklist.site. There are many online resources available -- be sure to check the usage policies of any sources you use, especially if you plan on automating updates.

Getting Started

Once connected to your PEP via SSH, start a Bash shell inside the Encrypt.me PEP container and ensure the "pep-filter.sh" script can be found. If not, you may be using an older version of our image and need to restart the container with a newer version.

If you have cruft from previous tests, you can always reset things to a clean slate with the "reset" command. If your server reboots or the container is restarted, your lists are retained.

$ sudo docker exec -it encryptme bash
# which pep-filter.sh
/usr/bin/pep-filter.sh

# pep-filter.sh reset

Define a List using Multiple Sources

While inside the container, download a list you are interested in and choose a name to categorize it. Lists may contain a mix of domain names, IP addresses, and CIDR ranges (e.g. 1.2.3.0/24). Any lines not recognized as being one of these things are silently ignored. We will also automatically de-duplicate lists as you make changes.

In this example, we'll fetch two lists and combine them into one category named "ads-and-trackers". You can name things however you want, but we suggest grouping lists based on the content type you're trying to block.

# curl -s https://blocklist.site/app/dl/tracking | pep-filter.sh append ads-and-trackers
Stopping...
Stopped
Starting...

# curl -s https://blocklist.site/app/dl/ads | pep-filter.sh append ads-and-trackers
Stopping...
Stopped
Starting...
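As an added illustration of the list rules above (this is not part of pep-filter.sh or of Encrypt.me's code), the following POSIX shell functions clean a downloaded list into the accepted entry types (domain names, IPv4 addresses, CIDR ranges), drop everything else, de-duplicate it, and check whether a host name is covered by a blocked base domain, including sub-domains as described under "How it Works". The function names, the patterns used for classification, and the sample list are assumptions of this example, not the filter's own implementation.

```shell
#!/bin/sh
# Added example, not part of pep-filter.sh: mirrors the list handling the
# article describes (domains, IPv4 addresses, CIDR ranges; other lines dropped;
# duplicates removed) and checks whether a host falls under a blocked base domain.

# Print "ip4", "cidr" or "domain" for one cleaned entry; return 1 for anything else.
classify_entry() {
  local e="$1" oct='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
  if printf '%s' "$e" | grep -Eq "^$oct(\.$oct){3}$"; then echo ip4
  elif printf '%s' "$e" | grep -Eq "^$oct(\.$oct){3}/([0-9]|[12][0-9]|3[0-2])$"; then echo cidr
  elif printf '%s' "$e" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'; then echo domain
  else return 1
  fi
}

# Read a raw list on stdin: strip comments and whitespace, lower-case, drop
# unrecognised lines, and de-duplicate while keeping first-seen order.
normalize_list() {
  local line e
  while IFS= read -r line || [ -n "$line" ]; do
    e=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    if [ -n "$e" ] && classify_entry "$e" >/dev/null; then printf '%s\n' "$e"; fi
  done | awk '!seen[$0]++'
}

# Is host name $1 covered by a domain entry read from stdin? Matches the exact
# domain or any sub-domain (support.example.com under example.com), but a
# plain suffix match such as notexample.com is deliberately NOT a hit.
is_blocked_host() {
  local h d
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  while IFS= read -r d; do
    [ "$(classify_entry "$d")" = domain ] || continue
    case "$h" in
      "$d"|*."$d") return 0 ;;
    esac
  done
  return 1
}

# Constructed sample list (not downloaded from blocklist.site) with junk and duplicates.
sample_list() {
  printf '%s\n' 'example.com' 'EXAMPLE.COM   # same entry, different case' \
    '# a comment line' '1.2.3.4' '1.2.3.0/24' 'not a host' \
    'ads.example.net' 'example.com' '999.1.1.1'
}

# Usage: sample_list | normalize_list | pep-filter.sh replace demo
#        sample_list | normalize_list | is_blocked_host support.example.com && echo blocked
```

Running a downloaded list through normalize_list before appending it lets you see exactly which lines the filter would ignore, and is_blocked_host answers "would this host be caught?" without touching the running PEP.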

Create/Refresh a List

To replace an entire list with new entries, use the "replace" command.

# curl -s https://blocklist.site/app/dl/malware | pep-filter.sh replace malware
Stopping...
Stopped
Starting...

Additional Options

You can run "pep-filter.sh" without any options to get usage information and additional tips. Please don't hesitate to contact support if you have any questions or comments!