Definitive Guide to Content Filtering Circumvention: Lessons Learned in Prevention

Prior to starting DNSFilter, I spent most of my career in Information Security, working for companies like ITA Software (acquired by Google) and Veracode, finding ways to get around normal system behaviors. As a result, I have a lot of experience in getting around and through networks.

I’m going to step through various methods of getting around network restrictions, whether it's content filtering appliances, firewalls, captive portal, etc. I’ll explain the method, why it works, and what to do to prevent it.

Tunnel your traffic via VPN

This is probably the first method users think about using. It’s simple and effective; when it works. Negatives are that it adds latency to your traffic, as you’re going through the intermediary network, and the farther away it is from where you are, the slower your Internet usage will be.

Typical ports to firewall:
TCP 1723
UDP 500
TCP 1701
TCP 80
TCP 443
UDP 1194

These cover most commercial VPN services, but realistically, the VPN could be operating on any port., especially if you roll your own, on a VPS like DigitalOcean


Basic prevention would be to block VPN ports which are not being used for other purposes (You can’t block 80 or 443 in this easy manner).

You can also block access to the providers websites (and VPN end-point hostnames) using DNSFilter’s “Proxy and Filter Avoidance” Threat Category

Tunnel your traffic via SSH SOCKS proxy

If you have a linux box on the net — whether an inexpensive VPS, or easy-to-use Provider like DigitalOcean, you should be able to ssh -D 8080 user@server and have a conveniently encrypted SOCKS 5 proxy listening on port 8080. Configure your browser of choice, and you’re off to the races.


Most SSH daemons listen on the default port 22; though port 2222 is also becoming a popular alternative to avoid brute-force password attempts. Firewalling these outbound ports will eliminate most attempts; but keep in mind that SSHD can be configured to listen on any port.

Using an HTTP or SOCKS Proxy

There are many websites out there which will either list random, anonymous proxies (These come and go quickly!) or provide you a proxy service, similar to VPN providers. These typically provide less security protection than an ssh tunneled proxy; but are easier to set up, as they don’t require you to have a pre-configured server outside the network.


Common TCP ports to firewall are: 8080, 1080, 3128, 8081, 843.

These can also be blocked with DNSFilter’s “Proxy and Filter Avoidance” Threat Category.

Using a web-based Proxy site

Quickly searching the Internet, you can come across websites which will proxy other website content for you. Alternative versions of this include, google cache, and translation services.

This typically only works for text and image-based site content; and not interactive applications which require authentication.


These services cannot be "firewalled", as they operate on ports 80 and 443, but you can restrict access to some of them with DNSFilter’s “Translation Sites” Threat Category.

DNS Tunnels, ICMP tunnels, etc.

As a last-ditch effort on very restrictive networks, some folks will try to tunnel their traffic through other protocols not designed to handle traffic.

In my experience these are fun to play with, and you could leak small amounts of data, but they’re impractical for standard Internet use due to low bandwidth and high latency.


DNSFilter's content filtering can detect and block DNS Tunneling attempts through our recursive resolvers.


Certainly there are other prevention measures, and other means of getting around protected networks, but this covers the most common methods. Keep in mind that Security is typically best in an onion-layers of security model: One prevention method will not be 100% effective 100% of the time, but you can increase the hurdles you put in front of malicious users or attackers by implementing some of these methods.

  • There are no suggestions because the search field is empty.
Latest posts
Fall 2023 G2 Awards Are Here: 29 Badges and Counting For DNSFilter Fall 2023 G2 Awards Are Here: 29 Badges and Counting For DNSFilter

DNSFilter has been named a leader in Secure Web Gateway, DNS Security, and Web Security categories on G2, earning an impressive 29 badges and named in 29 reports. This includes new badges such as High Performer EMEA and Leader Americas in the Web Security category. 

These accolades are a testament to our commitment to our customers. We are particularly proud of our badges for ease of implementation, administration, and quality support. Providing ...

DNSFilter CEO Reacts to France’s “Bill to Secure and Regulate the Digital Space” DNSFilter CEO Reacts to France’s “Bill to Secure and Regulate the Digital Space”

At the end of June, Vint Cerf, one of the “fathers of the internet” published an article on Medium in response to a drafted bill by the French Republic. You can read the original French proposal here, but we’ll also include a version translated into English at the bottom of this article.

First, let me provide a quick summary of what the bill is proposing:

Spurred on by the proliferation of cyber threats and attacks, the government of France is pr...

Your Security Stack & Fantasy Football Team Have More in Common Than You'd Think Your Security Stack & Fantasy Football Team Have More in Common Than You'd Think

If you’re a football fan like many of us at DNSFilter, it’s possible you have a fantasy league in the office or with your friends. Our #sportsball slack channel is keeping many of us going as the weather cools down and the days get shorter. It’s a fun way to discuss and track the football season (and potentially win bragging rights and the respect of your fantasy prowess). 

Now you might be thinking, “How on Earth could fantasy football possibly ...

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.