This discussion has been inactive for longer than 30 days, and is thus closed.
    • CommentAuthor: davidb12
    • CommentTime: Apr 25th 2012
    I've been using OpenDNS for a long time and am a big fan. However, I recently had an issue which highlighted a chink in the armour. This is a bit of a grumble and mostly a feature request...

    Since switching to BT Broadband our IP address changes many times per day. When this happens the OpenDNS filtering stops and my children have unrestricted internet access. My question: why can't it fail "safe", that is, switch to a high filtering level (as per the simple family option) when the incoming IP isn't recognised?

    I suspect that many parents configure and test the brilliant OpenDNS filtering without realising that the protection could disappear at a random time!

    Now, I know I can (a) use the basic family option (just discovered it, but has no logging/customisation), (b) use an updater (but I'd have to leave the PC on constantly with this running very frequently), (c) get a static IP (not available with BT!) or (d) configure some multi-layered DynDNS option (which is supported by the Home Hub 2, but I haven't figured out how to get it working yet).

    But in the meantime, please OpenDNS make your service fail-safe and protect our children! If you added a different DNS for this behaviour that'd be fine. Hell, I'd even pay for this! :wink:
    Cheers,
    Dave
    • CommentAuthor: davidb12
    • CommentTime: Apr 25th 2012
    Oh, and a side benefit of this idea would be that portable devices configured to use OpenDNS would *still* be protected on other networks! :bigsmile:
    • CommentAuthor: rotblitz
    • CommentTime: Apr 25th 2012
    "why can't it fail "safe", that is, switch to a high filtering level (as per the simple family option) when the incoming IP isn't recognised?"

    Simply do it! Configure the FamilyShield addresses 208.67.222.123 and 208.67.220.123 instead of the "normal" ones, and you get exactly this effect. As long as your IP address is registered, your settings take place, else the FamilyShield default settings take effect.

    "(b) use an updater (but I'd have to leave the PC on constantly with this running very frequently)"

    Do exactly this. You don't leave a PC constantly running, because if no PC is running, nothing needs to be blocked. If you want to completely hide the Updater from other users, use this Updater instead: http://updater.marc-hoersken.de/

    You see: nothing to request, just do it!

    "Oh, and a side benefit of this idea would be that portable devices configured to use OpenDNS would *still* be protected on other networks!"

    No, not at all. You didn't get the concept. OpenDNS is for networks you own and can control, not for your devices in other networks you have no power over, never.
    Thankful People: zelus
    • CommentAuthor: davidb12
    • CommentTime: Apr 25th 2012 edited
    Many thanks for the quick response.

    If I understand correctly then: I use the FamilyShield IP addresses and whilst my IP is up-to-date my custom settings, logging, whitelist etc are used, but when it's out-of-date the standard FamilyShield defaults are used? If so, that is BRILLIANT (and should be well publicised - why would anyone use the other IPs?).

    On the subject of updaters: currently our home contains PCs, iPad, iPods, iPhone and Wii and I need filtering to be running whenever any are used. I am reluctant to leave a PC on all of the time running an updater as this seems inefficient and maybe even dangerous (unless I get a server-grade machine just for this purpose?), but this seems the only way for the IP to be (almost) up-to-date whenever any of the devices listed are used. However, using the system above, I don't mind a less frequent updater cycle. :)

    On my final point: maybe I've missed something. I figured that if I configure the DNS of a mobile device to point to OpenDNS e.g. the FamilyShield IP, the filtering will apply whichever network the device is on (until a user changes it). I appreciate that the primary aim here is protection of my own network, but am I missing a point on mobile devices?

    Thanks,
    Dave
    • CommentAuthor: rotblitz
    • CommentTime: Apr 25th 2012
    "If I understand correctly then:..."

    You do!

    "why would anyone use the other IPs?"

    Because what you want may not be wanted by everyone!? Also, some devices require more than two DNS server addresses, and there are four "normal" ones, but only two FamilyShield ones.

    "this seems the only way for the IP to be (almost) up-to-date whenever any of the devices listed are used"

    Well, there are routers with a built-in update client supporting also OpenDNS.

    "I figured that if I configure the DNS of a mobile device to point to OpenDNS e.g. the FamilyShield IP, the filtering will apply whichever network the device is on"

    This observation is right. The pre-defined settings of FamilyShield take place then.

    When using this in other networks there is a risk you'll have no DNS at all. It will look like no internet connection at all. The network admins determine what is allowed in their network. They may prevent you from using 3rd party DNS like OpenDNS or may redirect any DNS lookups to a DNS service of their choice, no matter what you have configured. It's their choice and decision, same as it is your choice in networks you own.
  1.  permalink
    Mobile devices frequently use networks you do not own and do not get their very own IP address, so yes, Family Shield would be the method to use. However, you cannot count on using the FS servers absolutely depending on the network to which the device is connected (including the mobile ISP). But do not use the regular addresses on mobile devices and expect them to be filtered according to your settings. And never run an Updater in networks not your own.

    No, you don't need a server grade machine to leave on all the time.

    "If I understand correctly then: I use the FamilyShield IP addresses and whilst my IP is up-to-date my custom settings, logging, whitelist etc are used, but when it's out-of-date the standard FamilyShield defaults are used?"

    Yep. And when mobile devices leave your network, they have the default FS filtering as long as the network lets DNS requests go where the user wants.
    • CommentAuthor: Red Prince
    • CommentTime: Apr 26th 2012
    “And when mobile devices leave your network, they have the default FS filtering as long as the network lets DNS requests go where the user wants.”

    Actually, it will have that network’s OpenDNS settings if it allows 3rd party DNS. And only if the network does not have its own OpenDNS filtering configured, will the mobile devices default to FS. But you certainly cannot assume that being the case.
    • CommentAuthor: davidb12
    • CommentTime: Apr 26th 2012 edited
    Many thanks both - this has been most interesting and illuminating! A couple of final points, then:

    1. I would recommend that you point people to the FamilyShield IPs by default as this "fails safe" if the home IP changes then advise that for the opposite behaviour or 3rd/4th DNS IPs they can use the normal IP addresses.

    2. If you can name any routers that can auto-update OpenDNS when my IP changes that'd be great! The BT router can only do it via DynDNS (I think) which seems very complex but it does have a nice mac address time limit facility that we use a lot.

    Thanks again guys! :bigsmile:
    • CommentAuthor: rotblitz
    • CommentTime: Apr 26th 2012 edited
    "that you point people"

    We don't have the power to point, we're users like you.

    1. As I already said, this cannot be a general recommendation, for example for me. With the FamilyShield settings too many things are not blocked which I want to have blocked, and vice versa, it blocks too many things which I don't want to have blocked.
    Also, mixing FamilyShield and normal IP addresses is a bad idea, the settings would be used randomly only, not consistently and reliably.

    2. This question has been raised more often here. I believe some Netgear and AVM routers have an OpenDNS Updater built-in, same as any routers which can be flashed with alternative firmware like OpenWRT, DD-WRT, Tomato, ..., further SpeedTouch routers with a CLI feature via telnet, and possibly more.
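
Added example, not part of any post in this thread: a small audit of a client's resolver list that reports which of the behaviours discussed above applies when the registered IP goes stale. The FamilyShield addresses are the ones quoted in the thread; the four standard OpenDNS addresses, the result labels and the sample resolv.conf text are assumptions added here.

```python
import ipaddress

# FamilyShield resolvers as quoted in the thread.
FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}
# The four standard OpenDNS resolvers (not listed in the thread; added here).
STANDARD = {"208.67.222.222", "208.67.220.220",
            "208.67.222.220", "208.67.220.222"}

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Drop '#' and ';' comments, then look for "nameserver <ip>".
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address: ignore the entry
    return servers

def audit(servers):
    """Classify what happens when the network's public IP is not registered."""
    found = set(servers)
    if not found:
        return "no-resolvers"
    if found - FAMILYSHIELD - STANDARD:
        # e.g. a router address: check the router's upstream DNS instead.
        return "unknown-upstream"
    if found & FAMILYSHIELD and found & STANDARD:
        return "mixed"       # settings applied inconsistently, per the thread
    if found & FAMILYSHIELD:
        return "fail-safe"   # stale IP falls back to FamilyShield defaults
    return "fail-open"       # stale IP means no filtering, per the thread

# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "familyshield": "nameserver 208.67.222.123\nnameserver 208.67.220.123\n",
    "standard": "nameserver 208.67.222.222\nnameserver 208.67.220.220\n",
    "mixed": "nameserver 208.67.222.123\nnameserver 208.67.222.222\n",
    "router": "# set by DHCP\nnameserver 192.168.1.254\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:13s} -> {audit(parse_nameservers(text))}")
```
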
    • CommentAuthor: davidb12
    • CommentTime: Apr 26th 2012 edited
    Apologies rotblitz, I should've said "that *OpenDNS* point people". I guess I saw the "maintenance" user and assumed I was talking to OpenDNS staff. :shamed:

    I guess we're just not going to agree on this one. My experience was this: By the time I discovered that changes in my dynamic IP left me with no protection at all the damage had been done (that's how I found out). I was stunned to find that, not long after carefully setting it all up, the protection just vanished and it took me a while to figure out why. Why am I going on about this? Because I worry other people are in the process of making the same mistake I did.

    Perhaps we can agree that it'd be great if OpenDNS more actively promote the two options side-by-side with the reasons why you might choose one over the other? After all, both approaches have their merits and it's a good thing that OpenDNS offer them both.

    I'll check out the routers and if I find a decent, simple option to get this working with BT I'll post again! I used to have a Netgear which worked like a charm ... but that was before I was with BT. <sigh>

    Many thanks,
    Dave
    • CommentAuthor: rotblitz
    • CommentTime: Apr 26th 2012 edited
    "By the time I discovered that changes in my dynamic IP left me with no protection at all the damage had been done"

    I cannot understand why you think FamilyShield is a kind of "protection". I believe this is pure overestimation and overexpectation. Against what should it protect, and what would the damage be?

    I have far better ways of protection: an internal configurable DNS server (with forwarders set to OpenDNS), a hosts file with some 300000 domains to block, automatically updated several times daily, AV real-time software and software firewall in addition to the router's hardware firewall, and some more. *This* is protection! OpenDNS is just a useful add-on on top of all the other stuff.

    And yes, I have my (AVM) router performing the DDNS updates, not only against OpenDNS, but to several DDNS services through DNS-O-Matic. This guarantees that all my DDNS services are updated real-time when my IP address changes which is at least once daily.

    I also run Marc's Updater, because it now supports a DDNS service not supported by DNS-O-Matic.
