Family Protect Native - Not Blocking on First Access
Hello!
Have a Firewalla Gold 1.9750 and iOS app 1.53. I've enabled Family Protect Native on my entire network after having used the 3rd party mode since first getting my Firewalla over a year ago. An odd thing I notice while testing:
On first access, say to a gambling site or whatever, the DNS is resolved and the browser accesses the site - no blocking! If I flush the DNS cache on my PC, the DNS will not resolve after the first attempt and then properly blocks the site.
Trying another way, I did a search for a site that should be blocked. Then I did an NSLOOKUP on the site, which resolves the first time and is then blocked on the next attempt:
C:\>nslookup betus.com.pa
Server: firewalla.lan
Address: 192.168.21.1
Non-authoritative answer:
Name: betus.com.pa
Addresses: 104.18.29.79
104.18.28.79
C:\>nslookup betus.com.pa
Server: firewalla.lan
Address: 192.168.21.1
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for betus.com.pa
Seems like this should have been blocked on first attempt! Please let me know if I need to do anything on my end.
Thanks!
-
This is because on the first attempt, the box will dynamically check with the cloud whether this domain is a gambling site. Before it's confirmed by the cloud, the DNS request is allowed.
This is a trade-off between user experience and block effectiveness.
For security blocking, e.g. "Active Protect", it will by default block while confirming with the cloud.
-
Well, that is less than ideal. Why force the "experience" and assume what I find effective? Please make it optional so those of us that want the block can get it working immediately. I can determine what's important - an initial delay, or faster response. Otherwise this isn't really all that effective - it's kind of, sort of, home protect.
I'm going back to 3rd party since I didn't have this nonsense. Yeah, it loses some features, but for me the blocking takes precedence. I may review again if this is updated at a later time.
-
Thanks for the feedback.
The reason for doing this is that it's difficult to pull all gambling websites around the world to the local box with acceptable performance & cost, so a dynamic update is used. (The most famous gambling sites are pulled to the box up-front and blocked in the first place.) And even if the dynamic update is used and the first attempt succeeds, gambling sites cannot be functional as a real user experience.
We are planning to work on an algorithm to significantly reduce the local memory usage to support a large number of websites, which could potentially be used for all gambling sites.
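The two policies described in the replies above (answer the first query while the cloud check is pending, versus withhold the answer until the verdict arrives), modeled as an added example; this is not Firewalla's code, and the local list, cloud verdicts and domain categories are constructed for illustration.

```python
# Added example (not Firewalla's code): a minimal model of the two DNS
# filtering policies described in the thread. Domain categories are looked up
# in a local list first; unknown domains trigger a simulated asynchronous cloud
# check. The "Family Protect" style (fail-open) answers the first query while
# the check is pending; the "Active Protect" style (fail-closed) withholds the
# answer until the cloud verdict arrives. All domains and verdicts are constructed.

from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"

# Constructed: categories the box already holds locally ("most famous sites pulled up-front").
LOCAL_LIST = {"example-casino.test": "gambling"}
# Constructed: what the cloud would answer for domains not in the local list.
CLOUD_CATEGORIES = {"betus.com.pa": "gambling", "example.org": "news"}
BLOCKED_CATEGORIES = {"gambling"}

class DnsFilter:
    def __init__(self, fail_open: bool):
        self.fail_open = fail_open
        self.cache = dict(LOCAL_LIST)   # domain -> category
        self.pending = set()            # domains with a cloud check in flight

    def resolve(self, domain: str) -> Verdict:
        cat = self.cache.get(domain)
        if cat is None:
            if domain not in self.pending:
                self.pending.add(domain)  # kick off the asynchronous cloud check
            if self.fail_open:
                return Verdict.ALLOW      # Family Protect: answer now, block later
            self.complete_cloud_checks()  # Active Protect: wait for the verdict
            cat = self.cache[domain]
        return Verdict.BLOCK if cat in BLOCKED_CATEGORIES else Verdict.ALLOW

    def complete_cloud_checks(self) -> None:
        # Simulate the cloud replies landing in the local cache.
        for domain in list(self.pending):
            self.cache[domain] = CLOUD_CATEGORIES.get(domain, "unknown")
        self.pending.clear()

def first_two_queries(domain: str, fail_open: bool):
    """Return the verdicts for two consecutive lookups, with the cloud verdict
    arriving in between, as in the nslookup transcript in the thread."""
    f = DnsFilter(fail_open)
    first = f.resolve(domain)
    f.complete_cloud_checks()
    return first, f.resolve(domain)
```

Running `first_two_queries("betus.com.pa", fail_open=True)` reproduces the thread's observation (allowed, then blocked), while `fail_open=False` blocks on the first query at the cost of waiting for the cloud reply.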