Monday, March 05, 2007

ScrubIT - Good Protection & Free

When you get something for free, Great is asking too much. So I was not disappointed when the ScrubIT DNS service turned out to be good, not great. I was expecting a product that would earn a fair rating; instead I am relieved to say "No, it was Good!"

Allow me to explain what makes this service good.
  1. A fair balance of blocking and permitting - I have used and paid for some services that feel 2/3 of the internet is bad. Yes, it's true people can post inappropriate pictures in Yahoo Groups. This is not a reason to block all of Yahoo Groups. The ScrubIT folks seem to agree. Blatantly pornographic sites are blocked, while sites like Yahoo Groups and YouTube, where porn slips into a much larger net, are open. This alone earned ScrubIT a great deal of satisfaction from my book.
  2. No Impact on Speed - This is HUGE for me. I pay good money to surf the internet at high speed. I do not want to be crippled by proxies and other services that slow my connection down. I had no visible impact on my surfing, and my benchmark and traceroutes had no noticeable speed differences either.
  3. On the border of necessity but intentionally ignored in my assessment is the need for a third DNS server. I had to code in a dead local address to my Linksys router to keep it from acquiring and therefore assigning a non-protected DNS server to my DHCP nodes. This simple step would offer a great functional improvement.
Now allow me to opine on how I see the future for ScrubIT. Using a modified version of the GPL code for the WRT54G, the ScrubIT folks should sell their own firmware. This firmware would add 3 essential processes that would catapult this service past great into the arena of perfect.
  1. Refusing to pass traffic traveling across the TOR network. Since the service is merely a DNS server, my queries were passed on to the FreeDNS servers when encrypted with TOR. This meant the average 16-year-old tech geek could easily circumvent the security added by mapping these protected DNS servers.
  2. Policy that blocks all traffic on port 53 to servers other than the ScrubIT assigned servers. By encoding this policy into the firmware itself, it forms a VERY secure bond to the sites protected by the ScrubIT servers. The ability to set a policy like this is available on most office routers; it is not, however, available on the stock Linksys firmware.
  3. Using DDNS to identify registered routers and allow customized DNS filtering based on user preferences. I requested to be included in their Beta of their paid service, however as of today (3 days since requesting) I have not been granted beta access. I assume that their Beta is a software installed on the machine, rather than a service provided at the router level. However by building a customized firmware this service could be moved to the router level and therefore protect ALL NODES on that network.
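The port 53 policy from item 2, as an added example that is not from ScrubIT or any Linksys firmware: a shell function that emits the forwarding rules, assuming a Linux-based router firmware that exposes `iptables`. The resolver addresses are constructed placeholders from the documentation range, and the LAN interface name `br0` is an assumption.

```shell
#!/bin/sh
# Added example: emit iptables rules that pin LAN clients' DNS to an approved list.
# Addresses are constructed placeholders (RFC 5737), not ScrubIT's real servers.
APPROVED_DNS="192.0.2.10 192.0.2.11"
LAN_IF="br0"   # assumption: name of the LAN bridge on the router

dns_lockdown_rules() {
    # $1 = LAN interface, $2 = space-separated approved resolver IPs
    lan_if=$1
    resolvers=$2
    # Refuse an empty list: it would produce rules that block all DNS.
    if [ -z "$resolvers" ]; then
        echo "no approved resolvers given" >&2
        return 1
    fi
    # DNS uses both UDP and TCP on port 53, so both need the same policy.
    for proto in udp tcp; do
        for ip in $resolvers; do
            # Accept dotted-quad literals only, so a typo never becomes a rule.
            case $ip in
                *[!0-9.]*|*..*|.*|*.)
                    echo "invalid resolver: $ip" >&2
                    return 1 ;;
            esac
            echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -d $ip -j ACCEPT"
        done
        # Order matters: this catch-all must follow the ACCEPT rules above.
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j REJECT"
    done
}

# Print the rules for review; pipe the output to sh on the router to apply them.
dns_lockdown_rules "$LAN_IF" "$APPROVED_DNS"
```

These rules cover only port 53 traffic forwarded from the LAN; lookups tunneled through TOR, as in item 1, never appear as port 53 traffic and are not affected.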

Overall, this was a very positive experience and I will be leaving their free service in place on my home network. I also would recommend that small step to anyone concerned about a good protection solution for their home network. I will post in the next day or two a step by step tutorial on using ScrubIT with a Linksys router.

UPDATE: 03/07/2007 - They are blocking Moviephone, a popular site for viewing trailers for upcoming movies. This is the first "false positive" I have come across. If you are a movie fan you should keep this in mind.

UPDATE: 03/10/2007 - They have added Blogger to their block list. I am appealing it using their service. That will be a "no deal" for me.

UPDATE: 03/13/2007 - Blogger is back online through the ScrubIT servers.

1 comment:

David Ulevitch said...

Have you given my service called OpenDNS a shot? We provide granular controls for allowing and blocking sites and categories of sites that you can block.

I'd be interested to hear about your experiences with it, and learn about how we can improve.