Overview
The Proxy Service in CyberFOX DNS Filtering provides a secure, controlled method of browsing by rewriting and sanitizing website content before it reaches the end‑user. Instead of loading a site directly, the proxy retrieves the page, removes unsafe elements, and presents a safer version to the user. This is especially valuable when browsing potentially risky sites, controlling exposure to active content, and enforcing strict security policies in sensitive environments.
Its purpose is to reduce attack surface by stripping away scripts, remote content, and dynamic components that attackers commonly use to deliver malware or exploit users. While powerful, proxy‑based browsing introduces limitations with certain websites and should be used only where appropriate.
What the Proxy Service Is
The Proxy Service acts as an intermediary between the user and the destination website. Unlike traditional DNS filtering—which blocks or allows domains—the Proxy Service actively modifies the fetched webpage to prevent unsafe or dynamic elements from executing.
Key capabilities include:
- Removing JavaScript and script‑based behaviors
- Blocking remote content loading (images, third‑party scripts, embedded widgets)
- Disabling macros and other executable content
- Rewriting internal/external links to ensure users stay within the proxy
- Automatically rendering “safe” versions of pages for end‑users
The result is a browsing experience similar to the original site, but without the components that could compromise security.
Not All Websites Can Be Proxied
Certain categories of websites contain sensitive data and therefore cannot be proxied. These restrictions prevent the exposure of confidential or regulated information during a man‑in‑the‑middle transformation process.
Hard‑blocked categories include:
- Banking and financial sites (online banking, investment platforms)
- Healthcare portals (EHR systems, medical records)
- Email providers (Gmail, Outlook.com, Yahoo Mail, etc.)
- Authentication portals or identity‑related services
- Any site that transmits confidential personal data
These blocks ensure maximum security and regulatory compliance.
How It Works

Request Handling
When a user attempts to load a website, the Proxy Service intercepts the HTTP/HTTPS request and downloads the site content rather than forwarding the request. This ensures full control over what code is executed.
Content Prefiltering
The proxy analyzes the page and strips or modifies:
- JavaScript and inline scripts
- External scripts (CDNs, ad networks, trackers)
- Embedded objects
- Remote content loads (images, frames, asynchronous requests)
- Any macro or active components capable of executing code
This prefiltering removes the most common vectors used for phishing, malware delivery, and social engineering attacks.
Website Manipulation
All links and structures are rewritten to route back through the proxy. This prevents users from accidentally navigating away to unfiltered or unsafe content and ensures that all interactions remain sanitized.
Rendering Safe Content
Once the content is sanitized and rewritten, the proxy serves a modified safe version to the user. The site typically resembles the original but will not support dynamic or script‑based functionality.
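The prefilter-and-rewrite steps described above, sketched as an added example (this is not CyberFOX's implementation): it drops script-bearing and remote-loading elements, strips event-handler attributes, and routes http(s) links back through a proxy URL. `PROXY_PREFIX`, the two tag lists and the sample page are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urljoin

PROXY_PREFIX = "https://proxy.example/fetch?url="         # hypothetical proxy endpoint
DROP_WITH_BODY = {"script", "style", "iframe", "object"}  # assumed: removed with contents
DROP_VOID = {"img", "embed", "link", "source"}            # assumed: remote loads, no body

class Sanitizer(HTMLParser):
    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base, self.out, self.skip = base_url, [], 0

    def rewrite(self, url):
        target = urljoin(self.base, url.strip())           # resolve relative links
        ok = target.lower().startswith(("http://", "https://"))  # rejects javascript:, data:
        return PROXY_PREFIX + quote(target, safe="") if ok else None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self.skip += 1                                 # swallow until the end tag
        if self.skip or tag in DROP_VOID:
            return
        kept = [tag]
        for name, value in attrs:
            if name.startswith("on") or name in ("src", "srcset", "style"):
                continue                                   # event handlers, remote loads
            value = self.rewrite(value or "") if name in ("href", "action") else value or ""
            if value is not None:                          # None: scheme was not http(s)
                kept.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in DROP_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append("" if self.skip else escape(data, quote=False))

def sanitize(html, base_url):
    parser = Sanitizer(base_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

SAMPLE = ('<body onload="t()"><script src="https://cdn.example/t.js"></script>'  # constructed
          '<img src="https://ads.example/p.gif"><a href="/story?id=7" onclick="s()">Story</a>'
          '<a href="javascript:alert(1)">Click</a><p>News &amp; views</p></body>')
```

An unclosed `<object>` or `<iframe>` causes everything after it to be dropped, so malformed markup errs toward removing content rather than letting it through.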
Limitations
Website Compatibility
Because the proxy removes dynamic content, some websites may:
- Render incorrectly
- Lose functionality (e.g., login flows, video playback, interactive forms)
- Fail to load entirely
These limitations are expected, as the proxy's purpose is safety, not feature preservation.
Hardcoded Blocks
Certain sites—especially financial services, email platforms, and other sensitive destinations—are hardcoded to bypass the proxy entirely for security reasons. This helps prevent man‑in‑the‑middle scenarios and protects user credentials and sensitive data.
Example Scenario
A user browsing google.com through the proxy will receive a sanitized version of the homepage. Search may function, but interactive elements, personalization, and dynamic responses will not, as the proxy strips the site down to its safe core.
How to Use the Proxy
The Proxy Service is automatically applied when configured within your DNS Filtering policy. To use it:
- Enable the proxy option within your filtering policy in the CyberFOX DNS Filtering Portal.
- Apply the policy to the appropriate devices, locations, or roaming clients.
- Users who attempt to access sites requiring safe rendering will be automatically routed through the proxy.
- The modified content displays without requiring any user action or software installation.
Note: The proxy only activates on pages designated for safe rendering or categories enforced by your filtering rules.
Advanced Use Cases
- Sandboxed browsing for high‑risk users (interns, students, contractors)
- Investigating suspicious websites safely for IT or security teams
- Reducing exposure to drive‑by downloads on content-heavy sites
- Protecting unmanaged BYOD devices where endpoint security cannot be enforced
- Providing safe browsing for K–12 or public‑access environments
Best Practices
- Use the Proxy Service for risky categories: newly registered domains, suspicious sites, and known malware vectors.
- Avoid applying the proxy to business‑critical or interactive services.
- Educate users that proxied pages may look “plain” or stripped-down by design.
- Combine proxy features with DNS filtering, SSL inspection, and block page enforcement for layered protection.
- Review logs to identify pages frequently failing under the proxy—these may require explicit allow‑listing or category adjustments.
Troubleshooting
Common Issues & Resolutions
Website won’t load / appears broken
- The page may rely heavily on JavaScript or dynamic content blocked by the proxy.
- Try accessing the site without proxy enforcement or add it to an allow list.
User sees repeated redirects
- The site structure may conflict with proxy link rewriting.
Website appears plain or missing images
- Expected behavior if the proxy removes remote content.
Page loads slowly
- Proxy rendering requires downloading and sanitizing the entire page before serving it.
Site falls into a hard‑blocked category
- Financial, healthcare, and email sites will always bypass the proxy.
Security & Sync Behavior
- The proxy operates as a man‑in‑the‑middle sanitizer, not a caching or syncing mechanism.
- No user credentials or session tokens are stored by the proxy beyond what is required to retrieve content.
- HTTPS content is decrypted, sanitized, and re‑encrypted before being served to the user.
- The proxy does not sync state across sessions—each page request is reprocessed independently.
- Avoid using it with applications requiring secure cookies, dynamic authentication tokens, WebSockets, or real‑time API interactions.