OpenDNS Forums
The official support and discussion site of OpenDNS
Support
K-12 Forums
Categories
- Administrative
- Adult site blocking
- DNS-O-Matic / dynamic IPs
- Domain blocking
- Domain Name System (DNS) troubles
- Mobile instructions
- OpenDNS services
- Proxies, accelerators, and more
- Router instructions
- Satellite
- Shortcuts
- Wishlists and feature requests
-
Feeds
Vanilla 1.1.4 is a product of Lussumo. More Information: Documentation, Community Support.
This discussion has been inactive for longer than 30 days, and is thus closed.
-
Is it really that easy to bypass the OpenDNS settings I've placed in my router?
I've done all of the necessary changes and the OpenDNS filtering is working great. I've had such a sense of security with two tech savvy teenagers using our home network. That is until I discovered that all they have to do to get around all of my filtering is to simply change the DNS entries in their individual Windows XP network settings?
So I guess the parental controls are only good to block myself? ...or visiting kids that don't know what a DNS setting is? ...or spouses that don't know how to change those entries?
Or am I missing a major piece (peace) here? -
- CommentAuthorLuiz Fellipe Carneiro
- CommentTimeMar 31st 2008
garydesk...
You should not let the teenagers know the admin user password... If they have normal users accounts they can't change the DNS settings -
- CommentAuthorLuiz Fellipe Carneiro
- CommentTimeMar 31st 2008
sorry, I forgot...
you may also block port 53 tcp and udp in your router... so they will can't use anothr DNS, and will need to use router's internal one. -
If you run in Administrator privilege, all controls can be bypassed/changed, not just OpenDNS. You need to add User accounts with limited access to have any safeguards. That would solve this problem and others you don't even know about yet.Thankful People: bill fumerola
-
- CommentAuthorbill fumerola
- CommentTimeMar 31st 2008
as garyrw points out, if you don't control access to the machine itself, it is "really that easy". it would be "really that easy" with administrator access to download massive amounts of virus software and adware. it would be "really that easy" to use anonymizers/proxies if you haven't used the category blocking to block those sites as well (that may come w/ adult filtering enabled, i'd have to check).
root or administrator privileges on a computer are the keys to the kingdom.
use guest/limited access accounts. limit machines that can access your wireless to computers you know are locked down.
to paraphrase, OpenDNS helps those who help themselves ;-) plenty of school districts and professional IT departments are able to use our service with faith because they know the machines that access their network cannot use other DNS servers as a matter of machine policy, router/firewall policy, or both.
home users typically have less options in this area (or those options are technically difficult). if you used a proxy and your child has admin, [s]he could change it. if you used software and your child has admin, [s]he could disable it.
TVs, Tivos, DVRs, etc all have parental filtering control. to draw a simile, like all of those TV parental controls, they can't be faulted if you give your children the override PIN or don't set one. -
- CommentAuthorRed Prince
- CommentTimeMar 31st 2008
That's the problem with the DOS vs. Unix mentality. Unix was designed as a multiuser system from ground up and every Unix admin was trained about the importance of only using root access when necessary and of protecting its security by password, etc.
MS DOS was designed as a single-user system with absolutely no security, which was deemed unnecessary for a single user (foolishly so, but that is a historical fact). MS Windows evolved from MS DOS and even after it became a multi-user system and finally started adding the much needed security protection, the *mentality* of its users has remained that of a single-user system to this day.
When dealing with security issues it is essential to switch that mind set. Only have a single password-protected admin account and only log into it when administering. At all other times, use your regular *user* account. That way, even if you walk away from the computer for a while, no one can come in and change your settings.
And do the same with your children's (or employees') computers: You install the system as an admin, you protect it by a good password and you create a regular user account for them. That way only *you* can change things around.
It is more work, obviously, and it requires you to learn a bit more about computers than how to turn them on and play Solitaire, but it is necessary. A computer is not an appliance, it is a very serious and complicated system and needs to be treated as such.Thankful People: mnordhoff -
Luiz's comment above re: blocking port 53 on the router is the key. This will reject all network requests for DNS. If they want to resolve host names, they will have to keep the default DNS.
If you want to take a step further, look into linksys routers enhanced with open-source firmware such as dd-wrt.
1 to 7 of 7
This discussion has been inactive for longer than 30 days, and is thus closed.
