SafeDNS

 

Installing a stand-alone parental control product on the family PC isn’t so effective when the kids can just switch to surfing the Web on a smartphone, tablet, or gaming console. For $19.95 per year, SafeDNS filters out nasty or dangerous websites for any device connected to your home router. In my testing, it proved effective at basic content filtering, but it didn’t show an actual ability to block real-world fraudulent or malicious websites.

In addition to the $19.95 home plan, SafeDNS offers small-business plans for 10, 25, or 50 users; businesses with more users than that need to negotiate an enterprise-level plan. Installing a content filter for business could be a good idea. If one employee is offended by another’s porn-surfing, you could conceivably face a hostile workplace lawsuit. However, for the purposes of this review I’m sticking to the home edition.

Simple Startup
You can test-drive any of the predefined pricing plans free for 15 days, without having to enter a credit card number. Just register your email address and create a password. As with the similarOpenDNS Home VIP, you next need to configure your router to use SafeDNS’s servers. The company’s website includes detailed instructions for routers that support DD-WRT or OpenWRT, as well as generic instructions for tweaking DNS on any router.

From the online dashboard, you can choose to allow or block access to websites matching any of over 50 categories, organized into five groups. You can also create two profiles beyond the basic Default profile. For those non-default profiles, you can enable the time-scheduling feature; more about that later.

Changing my main router’s DNS settings would have wreaked havoc on other projects that I have running. Fortunately, you can install the SafeDNS Agent locally on any Windows box. I used the local agent for testing, rather than make changes that would affect every single device on my network.

SafeDNS Agent
The SafeDNS Agent installs in a flash, and it immediately announces that “The Internet is under control.” You’ll want to dig into the settings and create a password for the agent; otherwise the kids can just click a button to turn SafeDNS off.

You can use the agent to create profiles and define which categories should be blocked for each. Any changes sync with the online dashboard right away. As noted, there’s a limit of three profiles, including the built-in default profile. However, you can associate any number of Windows user accounts with each profile, so that a specific profile becomes active automatically when the user logs in.

When you use the SafeDNS Agent without setting your router to use the SafeDNS servers, your configuration affects only the local Windows system. If you’ve also configured SafeDNS at the router level, your actions affect all connected devices, whether you use the local agent or the online dashboard.

Content Filtering
By default, SafeDNS blocks all the categories listed under Adult Related, and almost all listed under Illegal Activity. In testing, I couldn’t find any inappropriate websites that slipped past SafeDNS. Categorization is list-based; you won’t find the kind of real-time analysis that you get withContentWatch Net Nanny 7 or Qustodio Parental Control 2015.

One of the categories under Illegal Activities is Proxies & Anonymizers. This one is important, because SafeDNS doesn’t have the ability to filter HTTPS traffic the way Net Nanny, Qustodio, and WebWatcher can. It can only filter based on DNS requests it receives. If a clever teen managed to connect with a secure anonymizing proxy, that would be the end of SafeDNS’s power. Note that SafeDNS handles HTTPS sites a bit differently. Instead of displaying a warning message, it simply blocks access to the page, generating an error message.

I did observe one minor weakness of this DNS-based filtering. If you visit a page with SafeDNS turned off, that page will remain available as long as it’s in the cache, because the browser doesn’t have to request a DNS lookup. If you share a single Windows user account with little ones, you’d be well advised to clear your browsing history when you finish your turn.

Here’s a feature that businesses might find useful. From the online dashboard, you can change the product’s site blocking behavior to use your own image and admonitory text, if you wish; perhaps a company logo and a link to the Internet use policy. You can also set it to simply return a browser error, or to treat blocked sites as non-existent.

Time Scheduling
McAfee Family Protection 2.0 and many other parental control utilities implement a system for scheduling just when the kids can use the Internet. A few other products, among them PC Pandora 7.0 and Qustodio, allow scheduling of computer use overall. Some even apply time-scheduling to individual programs; WebWatcher is an example.

SafeDNS’s time-scheduling system looks similar to what others offer, on the surface, but it’s actually quite a different thing. The schedule option is only available for non-default profiles, so you’ll have to define one of those before you can use it. For each day of the week, you define the profile’s “activity time” either by dragging with the mouse or entering the start and end time, in 15-minute increments. Note that this is not the full weekly grid that you get with most scheduling systems. You only get one active time period per day.

Outside the specified “activity time” the default profile becomes active. If you actually want control over Internet usage, you have to tweak the default profile, so it offers no access. First, make sure the whitelist is empty. Then bring up the default profile’s settings and check the box for Allow Sites from white list only. Create a Child profile that blocks whatever collection of categories you wish. Finally, create an Adult profile that allows all categories you want. Do be sure to keep blocking dangerous categories such as Virus Propagation, Phishing, and Botnets even in the Adult profile.

Yes, this is pretty awkward. If you really want full control over Internet or computer usage times, perhaps with a daily or weekly limit, SafeDNS may not be the product for you. On the plus side, kids won’t fool the scheduler by tweaking the system clock, as it relies on matching the time in your stated time zone. You may need to tweak the time zone from the online dashboard before you can use this feature. OpenDNS doesn’t attempt time scheduling, which may be just as well.

Additional Protection
The SafeDNS website promises that the service will “protect you from malware, phishing, and botnets,” but in testing I didn’t see evidence of this protection. To be clear, SafeDNS isn’t promising the kind of active protection you’d get from running an antivirus utility on your devices. It just aims to prevent access to dangerous sites. But it didn’t even do that.

I started one test by grabbing a feed of recently-discovered malware-hosting URLs supplied by MRG-Effitas. Next I filtered the list to include only those pointing directly to malicious executables. Finally I launched them, one after another, and noted how many were blocked by SafeDNS.

Of 100 distinct malware-hosting URLs, SafeDNS blocked access to just five. OpenDNS doesn’t promise as much in the malware protection area, and indeed, it didn’t block any of the sample URLs. McAfee AntiVirus Plus 2015 holds the current record in this test, with 85 percent protection.

SafeDNS Antiphishing Chart

I also ran SafeDNS through my standard phishing test, comparing its behavior with that of Symantec Norton Security and also with the phishing protection built into Chrome, Firefox, and Internet Explorer. I even gave SafeDNS credit for blocking a couple of sites as porn rather than explicitly calling them phishing sites.

Even so, SafeDNS’s detection rate lagged 90 percentage points behind Norton’s. It came in 40 percentage points behind Chrome, 45 behind Firefox, and 63 behind Internet Explorer. It seems very clear that SafeDNS isn’t equipped to handle the very newest phishing websites. OpenDNS did a bit better, coming in 76 percentage points behind Norton, but even so, it’s clear that protection against the newest frauds requires the kind of real-time analysis Norton uses.

See How We Test Antiphishing

Reporting and Monitoring
From the SafeDNS dashboard, you can view a collection of statistics and usage data, updated once per hour. The activity chart simply graphs the number of DNS requests over time. You can view stats for today, yesterday, this week, this month, or a custom range. If you see a spike in the wee hours, when you thought the kids were asleep, it may be time for a family meeting.

A report listing popular sites is ordered by descending number of hits, along with associated categories. I found this chart less useful, as every single access counts as a hit. That means sites that nobody actively visited still count. On my test system, api.bing.com was at the top, followed by wpad.localdomain. Neither of these is actually a website. Note, too, that all access by all users on any device gets recorded here, even your own surfing activities.

The list of blocked sites may be of more interest to parents. This one also shows sites by descending number of hits, along with associated categories. But even if you do find many attempts to reach forbidden sites, the report doesn’t identify the user, or even the device, that was involved.

A pie chart of most-visited categories rounds out the set of reports. I’m not sure how useful this is, but it’s pretty. On my test system almost half the pie was owned by top categories Banner Ads and Computers & Internet. The report does note that SafeDNS focuses on categorizing dangerous sites, so the breakdown of safe sites may not be entirely correct.

What’s Not Here
Because it functions at the DNS level, SafeDNS can control access for every device on your home network, but this also limits its power on specific devices. It doesn’t attempt the kind of social media tracking you get with uKnowKids, MinorMonitor, and others. It doesn’t monitor IM or email conversations, notify parents of violations, or limit games based on ESRB ratings.

Free Edition
As noted, you can start a 15-day trial of SafeDNS without supplying any credit card information. You’ll start getting expiry warnings the very next day, explaining that if you don’t renew “you will be switched to the free SafeDNS subscription with less features.” What features will vanish? I sure couldn’t find out by perusing the SafeDNS website.

My contact at the company explained, “Free SafeDNS subscription has for the most part the same features as the paid plan except for several ones. Free plan users have no ad blocking, they have only one profile, and shorter white/black lists. The free plan is not available for users with dynamic IP addresses.” I was pleasantly surprised to find that the free edition does include the Windows-based local agent.

Network Protection

The one thing SafeDNS offers that most parental control systems don’t is network-wide content filtering. It’s still possible your kids could evade filtering by switching to the cellular data network, or mooching a neighbor’s unsecured Wi-Fi, but when content filtering happens at the router level it cuts off most avenues for avoiding content filtering.

Net Nanny 7 and Qustodio Parental Control 2015 are Editors’ Choice products for parental control. While they won’t crawl into your router and work there, each offers a comprehensive and powerful set of parental control features, including remote management and multi-device support. Either of these will be a good choice for most families, perhaps with a free installation of SafeDNS or OpenDNS as a second line of defense.