Synology RT1900ac Review – Intelligent DNS-based Web-filter

Devices accessing blocked sites will see this page instead.

Under Parental Control, there is a web-filter feature that blocks access to websites based on their content categories (e.g. adult, gambling, drugs). For each device, you can choose either the basic, protected or custom filter. Only one custom filter can be configured.

Configuring the Web-Filter

The Web-filter feature is under Parental Control. But first, you have to add the device to be controlled to the list.

The Web-filter feature can be found under the Parental Control section. In order to use the web-filter, the device has to be added to the list. Once it has been added to the list, the schedule for Internet allowed time also kicks in. Under the web-filter column on the right, you can choose the level of filter (basic, protected or custom) to be applied to the selected device.

The settings for the Web-filter.

Under the settings for Web-filter, you can whitelist websites, blacklist websites on top of the existing content categories or customise your own filter by choosing from the available content categories.

You can also customise the block list such that you get to choose the items that are to be blocked.

The content categories are quite extensive. I am curious if the websites under each category are updated periodically.

Accessing blocked websites

Devices accessing blocked sites will see this page instead.

If one tries to access a website that is on the blocked list, they will see the above “Oops! Website blocked” page. From this page, the admin has the option to whitelist the page.

Behind the scenes

The Web-filter launches an instance of dnsmasq that listens on port 5452.

The DNS server on the Synology RT1900ac resolves blocked hostnames to another IP (10.192.168.2).

Behind the entire web-filter magic is the work of dnsmasq and iptables. A dnsmasq instance resolves blocked hostnames/websites to an IP address (in this case 10.192.168.2) that hosts the “Oops! Website blocked” page.

Next is the clever use of iptables to route DNS requests from the web-filtered devices (based on their MAC address) to that dnsmasq instance. The next set of iptables rules directs devices to an HTTP instance on the Synology RT1900ac hosting the “Oops! Website blocked” page.

In other words, changing the DNS server on the web-filtered device won’t bypass the web-filtering feature. Using a VPN will help as long as the DNS traffic doesn’t go through the iptables rules (on the Synology RT1900ac). Lastly, using the local hosts file should work too.
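To check that every filtered device really has its DNS traffic steered to the filtering dnsmasq instance, the following added example (not code from the router or from Synology) parses `iptables-save` style output and reports devices whose port-53 traffic is not redirected to port 5452. The rule layout (a `REDIRECT` target matched on `--mac-source`), the MAC addresses and the function names are assumptions made for illustration; the router's actual rules may look different.

```python
import shlex
from collections import defaultdict

FILTER_PORT = 5452  # dnsmasq port reported on the page

# Constructed iptables-save excerpt: hypothetical rules and MAC addresses,
# not copied from an RT1900ac.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p udp -m mac --mac-source AA:BB:CC:00:00:01 -m udp --dport 53 -j REDIRECT --to-ports 5452
-A PREROUTING -p tcp -m mac --mac-source AA:BB:CC:00:00:01 -m tcp --dport 53 -j REDIRECT --to-ports 5452
-A PREROUTING -p udp -m mac --mac-source AA:BB:CC:00:00:02 -m udp --dport 53 -j REDIRECT --to-ports 5452
-A PREROUTING -p udp -m mac --mac-source AA:BB:CC:00:00:03 -m udp --dport 53 -j REDIRECT --to-ports 53
COMMIT
"""

def _arg(tokens, flag):
    """Return the token following `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def dns_redirects(rules_text, port=FILTER_PORT):
    """Map MAC -> set of protocols whose port-53 traffic is redirected to `port`."""
    covered = defaultdict(set)
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A":
            continue  # skip table headers, chain policies and COMMIT
        mac = _arg(tokens, "--mac-source")
        if (mac and _arg(tokens, "--dport") == "53"
                and _arg(tokens, "-j") == "REDIRECT"
                and _arg(tokens, "--to-ports") == str(port)):
            covered[mac.upper()].add(_arg(tokens, "-p"))
    return dict(covered)

def audit(rules_text, filtered_macs, port=FILTER_PORT):
    """Return {mac: protocols lacking a redirect} for devices that should be filtered."""
    covered = dns_redirects(rules_text, port)
    gaps = {}
    for mac in filtered_macs:
        missing = {"udp", "tcp"} - covered.get(mac.upper(), set())
        if missing:
            gaps[mac.upper()] = sorted(missing)
    return gaps

if __name__ == "__main__":
    devices = ["aa:bb:cc:00:00:01", "AA:BB:CC:00:00:02", "AA:BB:CC:00:00:03"]
    for mac, missing in audit(SAMPLE_RULES, devices).items():
        print(f"{mac}: no redirect to port {FILTER_PORT} for {', '.join(missing)}")
```

Feed it the real output of `iptables-save -t nat` and the MAC addresses from the Parental Control list to see which devices are covered.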