RADIUS Block Lists and Parental Controls

I’m in the planning stages of setting up a business to provide parents and grandparents greater control over their internet, and what their kids/grandkids consume. One of the key features requires the use of a Pi-Hole like DNS filter. this filter would require the use of a RADIUS server to implement this type of control, i’m wondering if anyone has thought about using RADIUS to filter specific sites for certain users or specifically white list sites for those specific users?

I’m not asking this as a feature request and i’m genuinely curious about what the Pi-Hole community actually thinks about this.

Other features that i would try to implement for this business are:

  • greylist filters, or sites that aren’t white or black listed so that when someone tries to access such a site a notification can be sent to the parent for screening and approval of the site.
  • per user/device filters. specific black and white lists for parrents can manage their internet access independently from their kids, such that they can enjoy mommy and daddy entertainment while their kids are locked to Crunchyroll and Hulu for the 14 year old, and Disney kids for the 8 year old.
  • new site logging so that any new query is logged for analysis for the monitoring team and the parents.
  • fake/misleading/polarizing news filtering, where sites like the Huffington Post, Salon, InfoWars, Braitbart, and plenty of others, would be filtered based on factual reporting, observable bias and misleading content, newsguard certification, journalistic ethics among others. Sites like Reason(a libertarian outlet) the Associated Press, probably the BBC and CNN, and Fox News, likely would not be filtered, but that would depend on an independent review of specified criteria.
  • one click list features, so you can with one click enable ad/tracker blocking, adult content filtering, social media filtering, popular site filtering, and fake/misleading/polarizing news filtering.

My question to you all, what would you want on your parents network (or your family network) to better help them, and what do you think about the DNS part of the service i’m planning on providing?

also first post here, looking forward to seeking help in the future when i need it for making my business a reality.

The ideas are all great but in order to have “per device” blocking or per group blocking with how the project is written you would likely need to run multiple local instances of whatever DNS solution Pi-hole or otherwise that you decide to use.

That may be prohibitive in terms of the flexibility you are looking for based on what i understand from your post

okay, I was pretty sure that as the system is written i would have to run multiple instances, which is why I was planning on forking Pi-Hole and adding the RADIUS functionality that I want.

After thinking about it a bit more i’m wondering if it’s technically possible, the first way i was going to implement it was to

  • have the DNS check with the RADIUS server to validate the IP of the device with a particular usergroup, then store this information (or another option is to have the RADIUS server send this information to the DNS upon authentication)
  • and then based on the settings for that usergroup on the DNS check if the request is in a particular list that user is subject to, white, or black,
  • and if not check to see if the user is in the grey listing group and then send the notification to the parent to authorize if they are.

the thing is that adds latency and i’m not even sure that the RADIUS server would be able to store that IP, will likely have to tweak that as well.

unless there is core functionality that i would need to override or change i’m not sure that the adding the RADIUS functionality is all that impractical. however if i need to run a DNS instance for each list and send requests through those then it might be “prohibitive in terms of flexibility” for lack of better words.

Any specific criticisms or suggestions or any ideas on how i can implement these ideas more effectively? Do I have a grave misinterpretation of how DNS and RADIUS work, cause that’s also possible?

I don’t know RADIUS very well but as long as you can assign DNS servers based on groupings or IP’s you will be able to utilize pi-hole

one concern i would have would be having firewall rules to prevent users locally setting a DNS server other than the one obtained from the DHCP

1 Like

That’s one thing that i didn’t think about, but if the kid’s smart enough to set a DNS on their own, they can probably bypass the network anyway. The solution will only work so long and the children are willing to deal with it. Parental rules and control apply here, my goal isn’t to control what the kids see, but make it such that it’s easier for parents to manage what their kids see and do, and also protect them from privacy concerns and other factors. No solution will be perfect but no solution needs to be perfect, it just needs to work for what it’s intended to do, preferably efficiently but that’s not always an option.