
This discussion has been inactive for longer than 30 days, and is thus closed.
    • openheaven (May 14th 2012):
    Found my son's laptop COMPLETELY unblocked despite all of my categorical blocks via my router. Then I discovered how he did it. I found this suggestion in Yahoo Answers:
    "yes. temporarily change the dns server you are using. go to control panel>network connections and right click "local area connection" or if you are on a wireless network, right click "wireless network 1" or whatever it is called. click properties. scroll to the bottom of the box that shows up and click "tcp/ip" and click properties. now you should see two boxes for dns servers. change the first one to 216.27.175.2"

    If openDNS cannot solve this kid's workaround, opendns has been defeated!
    • rotblitz (May 14th 2012):
    OpenDNS is fine and has nothing to do with your problem.

    The problem actually is: if you let your son be admin on a computer, you already gave every control out of your hands. How can you do!
    • openheaven (May 14th 2012):
    So you're saying openDNS has no real control over a network, since each device can choose its own DNS server path and bypass the router?

    I was under the impression that this paid service was the solution, but apparently not. So is there any point of paying for openDNS?

    What then should enterprise users do?
    Thankful People: orangeypink
    • (author not shown):
    No one can control your network but the administrator (or everyone else in the network, if you let them). It cannot be controlled from the outside. Outside services and local applications can only provide filtering, security, or whatever if you already control the network.

    If enterprise customers of OpenDNS don't control their networks, they are in far more trouble than whether internet content filtering is working or not.
    • openheaven (May 14th 2012):
    Maybe I'm not explaining the situation clearly enough. OpenDNS describes setting up filters on a ROUTER as a simple network solution. :bigsmile:

    However individual computers can get around this just by entering a different DNS address (216.27.175.2) on their computer, iPad, iPod, etc, thereby getting around any filters set up on my dashboard for the router. :shocked:

    So I'm realizing that the ONLY real control over a network is to control each and every device. Router setup is apparently not a true simple solution by itself. :sad:

    I was hoping that someone in the OpenDNS community had a solution to this but it seems there is none, except for me to own and control each and every device on the network. :cry:
    • rotblitz (May 14th 2012):
    Sure, there is a solution, several hundred times already explained here in the forum. Do you want us to repeat it again (and again)? And yes, it is to do with your responsibility to control your network, of course.
    • joelbaby (May 14th 2012):
    Hi,
    an enterprise (business) would not allow a PC user to have administrator rights.

    As has been explained, you need to: create your own administrator user on his PC. Remove the Admin rights on the PC for his username.
    Using the Admin Username, you put the TCP setting back to how you wanted.
    A normal user won't be able to change the TCP settings.

    Setting up the router is a simple solution for most situations - but not all.


    Another idea:
    Your router may have a firewall built into it that is able to block certain IP addresses. Just find out what DNS server he is using and block it. Then reboot his PC and retest.
    • rotblitz (May 14th 2012):
    Good catch. But unfortunately not viable for iDevices...
    I was thinking about a different solution therefore.
    • infuetur (May 14th 2012):
    If you can't or don't want to control each device and you configure OpenDNS at the router, you can redirect DNS requests from the computer to the OpenDNS IPs... it's an easy src-nat rule, at port 53.
    Thankful People: johnniewalker, ugurpc, steveg1
    • tomdlgns (May 14th 2012):
    @ openheaven

    You can purchase a new router or flash your router with Tomato or DD-WRT firmware that will give you some more advanced firewall options.

    One of those options is to intercept DNS servers on your network and FORCE the devices to use whatever server you enter into the firewall.

    No matter what settings your son puts on his computer, it won't matter; the firewall will ignore it and use the ones you specified in the router.

    However, as most have said, make sure he isn't an admin and he won't be able to change those settings.

    The OpenDNS paid service will just give you more options.

    Enterprise is the same way: if the admins on the enterprise don't lock down their network and let users browse as admin, they can change any settings they want.
    Thankful People: rotblitz, johnniewalker
    • (author not shown):
    Here's a whacky question, and I ask it as a parent of a 16 year old and a 9 year old:

    If you are so concerned about what sites your children are surfing to that you want to employ OpenDNS, why are you too lazy to restrict Admin privileges from those same kids?

    Taken another way, the best home security system is useless if you leave the key and passcode under the door mat.
    • shwick2 (May 14th 2012, edited):
    openheaven, you are starting an arms race with your son you won't win.

    Eventually he'll use VPNs/encrypted proxies to bypass your DNS filtering and get anything he wants.

    Unless you create a small IP whitelist of approved sites and block all encrypted traffic, people will be able to bypass internet filters.

    And even then they could send the data through steganography and other means, but I digress.
    • openheaven (May 14th 2012):
    Cindicato,
    It wasn't so much laziness as much as it was naïveté over what openDNS was capable of doing. It's a confirmation for trusting God more so than technology.

    BTW I try also not to judge the motivations of others, because that tends to reveal more about what's in my heart rather than theirs. I also find that chatty sites like this can foster less civility than is present in human interactions. Hope your day is going well.

    Aloha
    Thankful People: orangeypink
    • openheaven (May 15th 2012):
    Shwick2,
    You are very correct, playing techno chess with my teen is not where the battle can be won. This episode was helpful for revealing something that was hidden that needed to come to light. The solution is at the heart level, not in the bowels of DNS sphincter control.
    God bless
    :bigsmile:
    • (author not shown):
    I think that a simple way to do it is to set up the computer where the account the said person is using is either the guest account or a limited standard user account. Then do the DNS settings on the router with opendns, set a strong password for accessing the router control panel, and you have a safe system! Also the firewall method might be useful as well if he figures out a way to bypass that or if you need to block internet on ipods and other devices.
    • openheaven (May 15th 2012):
    Thank you Janderson123. I was once a technogeek but became too busy with other issues to keep up. In the meantime, have been left in the dust, behind savvy kids. Will look into those suggestions.
    Blessings:bigsmile:
    • agfa-ics (May 15th 2012):
    If you have a firewall on your internet router, block internal hosts from using port 53 (this is DNS); then everybody is forced to use the DNS server in the router, and this server is forwarding everything to OpenDNS. This is how it is done in enterprise environments. You need to limit DNS queries to specific machines you have control of. Then giving admin access to an internal host will not give unlimited access. Next time the kids will boot with Linux on a USB or DVD and still have unrestricted access, so shutting off Windows admin access is not the holy grail.
    Thankful People: rotblitz, taylorgray., aromsdal
    • alonseal (May 15th 2012):
    1. restrict computer administrator access to just YOU.
    2. set firewall to only allow out traffic of port 80 and 443 (which effectively disables the ability to use their own DNS IP address) (this would affect all networked computers)
    3. make sure you have OpenDNS block Proxy and Anonymizer

    And none of this will stop a person from buying a virgin mobile / prepaid du jour hotspot, and getting his own internet access for $40/mo. Or, root their android and install hotspot software, or... or... or...
    Thankful People: rotblitz, cindelicato
    • (author not shown):
    @OpenHeaven

    My heart has nothing to do with the discussion, thank you (but on balance, it's quite well).

    Based on my own experience helping neighbors and friends, parents often give kids Admin access because they cannot/do-not-wish-to-be-bothered with typing a password whenever their kids want to install new software. As the bard once said, "With great power comes great responsibility" (OK, maybe that wasn't the bard, maybe it was Uncle Ben). Parents who grant such power to children and then question why they defeat other protections are all too common, in my experience, and the parents always seek other ways to control data content that don't take up their own time while at the same time allowing their kids autonomy. As others have said, it is often a losing battle.

    I do not know, @OpenHeaven, whether you are like the parents I have just described; regardless, I meant no harm or foul in my post. Many people take advice given here (free of charge) and never acknowledge it, while others thank the posters for their insight and assistance. Either way, a person's civility is their own guide, and one that can be hard to discern.

    Thanks for your response, all the same.
    Thankful People: rotblitz
    • papertrail (May 19th 2012, edited):
    If you have DD-WRT firmware installed on your router, you can specify rules to only allow OpenDNS on your network.

    http://www.dd-wrt.com/wiki/index.php/OpenDNS

    Go to the 'Intercept DNS Port' section.

    Simply just copy this into Administration > Commands:

    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

    Then click 'save firewall'. The WAN should restart, and if anyone attempts to use their own DNS then it won't work. This means that whatever device is on your network, it will only work through OpenDNS.
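The port-53 interception that infuetur, agfa-ics and papertrail describe above, collected into one reviewable script. This is an added example, not the forum's, dd-wrt's or OpenDNS's own code: it generates the DNAT rules from papertrail's post plus a FORWARD safety net in the spirit of agfa-ics's "block internal hosts from using port 53", and can print them (dry run) before applying. The interface name `br0` and the sample address `192.168.1.1` are assumptions; on dd-wrt the address would be `$(nvram get lan_ipaddr)` as in the post.

```shell
#!/bin/sh
# Added example (not from the thread, dd-wrt or OpenDNS): build and optionally
# apply the iptables rules that force every LAN client through the router's own
# DNS forwarder, which is itself pointed at OpenDNS.
# LAN_IF / LAN_IP below are assumptions; on dd-wrt use br0 and
# "$(nvram get lan_ipaddr)" as shown in the post above.
LAN_IF="${LAN_IF:-br0}"
LAN_IP="${LAN_IP:-192.168.1.1}"   # constructed sample router address

# Emit the NAT rules: any DNS query (UDP or TCP port 53) that enters on the LAN
# interface is rewritten to go to the router itself, whatever resolver the
# client typed into its network settings.
dns_intercept_rules() {
    lan_if="$1"
    lan_ip="$2"
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 -j DNAT --to-destination $lan_ip"
    done
}

# Emit the safety-net rules: a port-53 packet from the LAN that was not
# redirected (for instance because the nat table is unavailable) must not be
# forwarded to the Internet, so only the router itself can reach outside
# resolvers. The router's own queries leave via OUTPUT and are unaffected.
dns_block_rules() {
    lan_if="$1"
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j REJECT"
    done
}

# The full rule set, in the order it should be loaded.
dns_enforcement_rules() {
    dns_intercept_rules "$1" "$2"
    dns_block_rules "$1"
}

# Apply the rules (needs root and iptables on the router). Pass "dry-run" as
# the third argument to only print what would be executed.
apply_dns_enforcement() {
    dns_enforcement_rules "$1" "$2" | while IFS= read -r rule; do
        echo "+ $rule"
        [ "$3" = "dry-run" ] || eval "$rule"
    done
}

# Review first, then apply, e.g. on the router:
#   apply_dns_enforcement "$LAN_IF" "$LAN_IP" dry-run
#   apply_dns_enforcement br0 "$(nvram get lan_ipaddr)"
```

Because the DNAT happens in PREROUTING, a redirected query is delivered to the router's INPUT chain and never reaches FORWARD, so the REJECT rules only fire for traffic that escaped the redirect; that is why both halves are loaded together. Remember the caveat from the thread: this only covers plain DNS on port 53, and a client with the router password can undo it.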
    • yoast (May 22nd 2012):
    Most routers will allow you to redirect all DNS traffic to a DNS provider of your choosing. It usually can be found under something like "firewall rules" or "port forwarding", and you will just intercept all calls to port 53 (used by all DNS servers) and send those on to OpenDNS (208.67.222.222 for example).

    That is how most SMEs, schools etc. have affordable means of protection.

    Of course, if your kids have the password to configure your router then they can quickly learn to disable this. :-(

    Now all I wish for is that my own BT Home Hub allowed this.
    • rotblitz (May 22nd 2012):
    "Most routers will allow you to redirect all dns traffic to a dns provider of your choosing."

    Oops, really? This is the first thing I'm hearing! :confused:
