Ultimate parental control, an introduction to sentry

carolineclark edited this page Mar 10, 2015 · 1 revision

Introduction

The idea behind the ultimate parental control is simple: it only allows the user to access Kano World, update, and send us feedback, and it keeps their clock correct (that most essential of tasks).

Normally, when you access the internet, your computer checks /etc/resolv.conf to see which server to use to translate human-friendly domain names into numeric IP addresses. By default we use 8.8.8.8 and 8.8.4.4, the Google servers.

When you switch on the Ultimate Parental Control, it launches a DNS proxy, for which we use the sentry server (original repo is here https://github.com/rferreira/sentry, thank you so much guys, I couldn't have done this otherwise). This genius server allows you to block, redirect, or look up the IP addresses of certain domain names using specific servers.

So the idea is that we configure the sentry server to look up all Kano-related domains using 8.8.8.8 and 8.8.4.4, and to block everything else. We then launch the server on 127.0.0.1:53 and change resolv.conf to contain nameserver 127.0.0.1 (by default the resolver uses port 53). This way, all DNS lookups go via the sentry server.

Detail

To make it simpler for us to edit, we have a whitelist in /usr/share/kano-settings/config/WHITELIST, which looks something like:

# This allows kano.me
kano.me

This is then processed by kano-settings into a sentry config of the form

{
    "port" : 53,
    "host" : "127.0.0.1",
    "rules" : [
        "resolve ^(.*)kano.me using 8.8.4.4, 8.8.8.8",
        "block ^(.*)"
    ]
}
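
The whitelist-to-config step described above, as an added Python example (not kano-settings' own code). It also compares the rule form shown on this page with a hypothetical escaped and anchored form, assuming sentry applies each rule's pattern with Python re.match semantics; the function names, the second whitelist entry and the test hostnames are constructed.

```python
import json
import re

UPSTREAMS = ["8.8.4.4", "8.8.8.8"]  # upstream resolvers from the config above

# Constructed sample in the WHITELIST format shown above.
SAMPLE_WHITELIST = """\
# This allows kano.me
kano.me
# constructed second entry
pool.ntp.org
"""

def parse_whitelist(text):
    """Return the listed domains, skipping blank lines and # comments."""
    domains = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.append(line)
    return domains

def loose_pattern(domain):
    """Form shown on this page: '.' is unescaped and there is no end anchor."""
    return "^(.*)" + domain

def strict_pattern(domain):
    """Hypothetical tighter form: the domain or a subdomain, nothing after it."""
    return r"^(.*\.)?" + re.escape(domain) + r"\.?$"

def build_config(domains, pattern=strict_pattern):
    """Build the sentry config dict; the catch-all block rule must stay last."""
    rules = ["resolve %s using %s" % (pattern(d), ", ".join(UPSTREAMS))
             for d in domains]
    rules.append("block ^(.*)")
    return {"port": 53, "host": "127.0.0.1", "rules": rules}

def allowed(name, domains, pattern):
    """True if any resolve rule would match (assumed re.match semantics)."""
    return any(re.match(pattern(d), name) for d in domains)

if __name__ == "__main__":
    doms = parse_whitelist(SAMPLE_WHITELIST)
    print(json.dumps(build_config(doms, loose_pattern), indent=4))
    # Constructed hostnames: two intended matches, two look-alikes.
    for n in ["world.kano.me", "kano.me", "kano.me.example.net", "notkano.me"]:
        print(n, allowed(n, doms, loose_pattern), allowed(n, doms, strict_pattern))
```

Under that assumption, the unanchored form also resolves names that merely contain a whitelisted string, so the anchored form keeps the whitelist to the listed domains and their subdomains.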

To keep the whitelist up to date, the whitelist should be updated after a reboot. On booting up, the system will check the parental control. If it is set to the highest (3.0), the online version of the whitelist is checked. This way we can adjust the parental controls without updating (in case we've forgotten some vital website, or conversely, if we discover one can get porn from the timezone website).