Standard User Oliver341
(eat-sleep-adslguide) Mon 27-Jan-14 12:07:09
Sky Broadband Shield - technical implementation


I'm interested in the technical implementation of the Sky Broadband Shield (I hope this thread does not divert on to the rights or wrongs of filtering).

If the filter is enabled and a blocked site is looked up in DNS, the returned A record is spoofed to a Sky IP address in order to provide a "site blocked" page.

If the filter is disabled, the normal A record is returned.

How does the DNS server know which source IP addresses should get the spoofed result, and which source IP addresses should get the real IP address?

All I can think of is that the DNS server is being continually fed a list of IP addresses along with their chosen level of filtering. Then, when the source IP address requests an A record, the DNS server decides whether a spoofed result is needed or not. The trouble, of course, is that Sky IP addresses are dynamic. So every time a customer's IP address changes, the new IP address has to be fed into the DNS server along with the customer's chosen level of filtering.

I would be interested to know how this is done. My guess is that it works somewhat like OpenDNS, whereby a dynamic IP address update client runs and updates the system with the customer's username and current IP address. However, this dynamic IP address update client must be sitting on the Sky network somewhere since of course there is no update client running on the customer side. It's definitely not customer router based since several Sky routers have had no firmware update in two years or more.

The other way it could be done is that the DNS server hooks into a database which is continually updated every time a customer changes their IP address. The source IP address can be looked up to see if it should have a filtered result or not.

However this system was set up, it seems like it might have been an interesting technical challenge.

Oliver.
Administrator MrSaffron
(staff) Mon 27-Jan-14 12:26:15
Re: Sky Broadband Shield - technical implementation


[re: Oliver341]
As a guide I find it takes about a minute after changing the settings on the shield for them to come into effect, i.e. usually by the time you get the email about changes to your settings.

Andrew Ferguson, andrew@thinkbroadband.com
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User mr_mojo
(knowledge is power) Wed 29-Jan-14 09:41:26
Re: Sky Broadband Shield - technical implementation


[re: Oliver341]
Yes, it's fairly easy to have DNS return different results based on IP address. This is often used to provide geolocation-aware DNS (eg: you have a server cluster in Europe, NYC and LA and want to direct customers to the closest server).

Eg:

1) Client connects to DNS
2) DNS looks at source IP address of packet
3) DNS geolocates IP and finds closest server to that region
4) DNS provides that specific IP back

It's pretty trivial to replace step 3 with 'look up this source IP + domain in filter database and filter as appropriate', so I don't think Sky would have had any big problems sorting this out.
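
Added example, not part of the original posts and not Sky's code: a sketch of the source-IP-keyed lookup described in this thread, including the dynamic-IP remapping raised in the first post. It assumes the resolver is told about each session start by the ISP's own systems; every account name, address, domain and category here is constructed (documentation ranges only).

```python
import ipaddress

BLOCK_PAGE_IP = "192.0.2.1"   # hypothetical "site blocked" web server
REAL_RECORDS = {"casino.example": "198.51.100.10", "news.example": "198.51.100.20"}
CATEGORIES = {"casino.example": "gambling"}                     # domain -> category
ACCOUNT_POLICY = {"acct-1001": {"gambling"}, "acct-1002": set()}  # blocked categories

class SessionTable:
    """Maps the currently assigned IP to an account; updated on every (re)connect."""
    def __init__(self):
        self._by_ip = {}
        self._by_account = {}

    def session_start(self, account, ip):
        ip = ipaddress.ip_address(ip)
        # Drop this account's stale IP so its next holder is not filtered by it.
        self._by_ip.pop(self._by_account.pop(account, None), None)
        # Evict whoever was last recorded on the newly assigned IP.
        self._by_account.pop(self._by_ip.get(ip), None)
        self._by_ip[ip] = account
        self._by_account[account] = ip

    def account_for(self, ip):
        return self._by_ip.get(ipaddress.ip_address(ip))

def resolve_a(sessions, src_ip, qname):
    """Steps 1-4 from the post above, with step 3 replaced by a filter lookup."""
    qname = qname.rstrip(".").lower()
    real = REAL_RECORDS.get(qname)
    if real is None:
        return None                                 # would be NXDOMAIN on the wire
    account = sessions.account_for(src_ip)          # step 2: who is asking?
    blocked = ACCOUNT_POLICY.get(account, set())    # unknown source: no filtering
    if CATEGORIES.get(qname) in blocked:            # step 3: filter database lookup
        return BLOCK_PAGE_IP                        # step 4: substituted A record
    return real                                     # step 4: genuine A record
```

The point to notice is the stale-mapping cleanup in `session_start`: without it, a reassigned address would keep the previous customer's filter level until something overwrote it.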


Register (or login) on our website and you will not see this ad.

  Print Thread

Jump to