
This discussion has been inactive for longer than 30 days, and is thus closed.
    • Comment author: brian_e
    • Comment time: Sep 30th 2012
    I have configured my existing OpenDNS account to work with my new Netgear WNDR4500 N900 router and set up some bypass accounts for various users on the network. On testing the setup using my own PC, I noted that the router logs contained entries from OpenDNS in connection with messages received warning that a site had been blocked. So far so good. However, I note that when my son uses his laptop, no such messages from OpenDNS are appearing in the router's log. All that appears is entries like this:-

    [Site allowed: clients1.google.co.uk] from source 192.168.1.4, Sunday, Sep 30,2012 12:37:40
    [Site allowed: game.cartown.com] from source 192.168.1.4, Sunday, Sep 30,2012 12:37:32
    [Site allowed: clients1.google.co.uk] from source 192.168.1.4, Sunday, Sep 30,2012 12:37:32

    Does this mean that he is somehow circumventing the restrictions? If so, has anyone any idea how he is managing to do this? I have blocked port 53 (DNS) as advised in various forums and also set up fixed IP addresses for each PC on the network. I have also restricted network access to the MAC codes on the network.
    • Comment author: brian_e
    • Comment time: Sep 30th 2012
    PS. Not sure whether I have put this in the right forum or not. Also, I have contacted Netgear and the only suggestion they can make is to reset and reconfigure the router. I have tried this, but it hasn't made any difference.
    • Comment author: simbaha2
    • Comment time: Oct 1st 2012
    I have NETGEAR WNR2000v3 and OpenDNS.
    Netgear Live Parental Controls all you need is wait.
    • Comment author: birkita
    • Comment time: Oct 1st 2012
    Are you sure your son's laptop is visiting sites that are blocked and would therefore show up as blocked in the log or is he just visiting sites you have allowed?
  1.  permalink
    Well, the log says "site allowed", so that wouldn't be circumventing the restrictions in place for that user account. That account your son uses doesn't have any of the LPC utilities installed, does it? You know the bypass utility already, but filtering can also be set per Windows and OS X user account, so look into those settings as well.

    But maybe this is also part of a larger issue, being the symptom you first noticed. You say you are using Netgear LPC, but you also say, "I have configured my existing OpenDNS account to work with my new Netgear WNDR4500 N900 router and set up some bypass accounts for various users on the network." You cannot use LPC with a regular OpenDNS account and have things work as expected. You should be using an LPC account at OpenDNS. https://netgear.opendns.com/sign_in.php
    • Comment author: brian_e
    • Comment time: Oct 1st 2012
    "You cannot use LPC with a regular OpenDNS account and have things to work as expected." - I converted my existing OpenDNS account when I first started using my Netgear router. I now have to configure OpenDNS via the router and not via the direct log-in on the OpenDNS website.

    "Well, the log says "site allowed", so that wouldn't be circumventing the restrictions in place for that user account. That account your son uses doesn't have any of the LPC utilities installed, does it?" - LPC is installed on my son's computer (it has to be to allow site blocking to be reduced at certain times or for certain users). I have set up several bypass accounts for use on the 3 PCs on our network and each has been configured via the Netgear management utility. The problem is, no stats are available for LPC users, so I can only make inferences based on what appears in the router's log. It's not the "site allowed" entries that I am querying, it's the lack of any entries such as the following when my son is using his PC:-

    [Site allowed: www.blocked-website.com] from source 192.168.1.2, Saturday, Sep 29,2012 15:23:17
    [Site allowed: block.opendns.com] from source 192.168.1.2, Saturday, Sep 29,2012 15:23:17
    [Site allowed: block.a.id.opendns.com] from source

    These tell me that a site has been blocked by OpenDNS and OpenDNS has sent a response back to the user to say so.
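The inference described in the post above can be automated. This is an added example, not code from any participant in the thread: it tallies entries per source address and counts lookups of the OpenDNS block-page hosts. It assumes the log format exactly as quoted in the thread, and the block-page host pattern is inferred from the two hosts quoted; the sample log is constructed from lines in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry shape as quoted in the thread:
# [Site allowed: <host>] from source <ip>, <weekday>, <Mon DD,YYYY HH:MM:SS>
LINE_RE = re.compile(
    r"^\[Site allowed: (?P<host>[^\]\s]+)\] from source "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), \w+, "
    r"(?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)

def is_block_page(host):
    """True for block-page hosts such as block.opendns.com (assumed pattern)."""
    host = host.lower()
    return host.startswith("block.") and host.endswith(".opendns.com")

def summarize(log_text):
    """Return ({source_ip: stats}, number of lines that could not be parsed)."""
    stats = defaultdict(lambda: {"lookups": 0, "block_pages": 0, "last_seen": None})
    skipped = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # e.g. an entry cut off mid-line
            continue
        entry = stats[m["src"]]
        seen = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
        entry["lookups"] += 1
        entry["block_pages"] += is_block_page(m["host"])
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen
    return dict(stats), skipped

def sources_without_block_pages(stats):
    """Sources that generated log entries but never fetched a block page."""
    return sorted(ip for ip, s in stats.items() if s["block_pages"] == 0)

# Constructed sample built from lines quoted in the thread (last one truncated).
SAMPLE_LOG = """\
[Site allowed: clients1.google.co.uk] from source 192.168.1.4, Sunday, Sep 30,2012 12:37:40
[Site allowed: game.cartown.com] from source 192.168.1.4, Sunday, Sep 30,2012 12:37:32
[Site allowed: www.blocked-website.com] from source 192.168.1.2, Saturday, Sep 29,2012 15:23:17
[Site allowed: block.opendns.com] from source 192.168.1.2, Saturday, Sep 29,2012 15:23:17
[Site allowed: block.a.id.opendns.com] from source
"""

if __name__ == "__main__":
    per_source, bad = summarize(SAMPLE_LOG)
    print(per_source, "unparsed:", bad, sources_without_block_pages(per_source))
```

A source listed by `sources_without_block_pages` has simply not fetched a block page in the period covered by the log, so it is a reason to test a known-blocked site from that machine rather than evidence on its own.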
  2.  permalink
    You are using the correct account-type then. Stats kept by OpenDNS wouldn't help, as they are aggregate stats for your network, not individual users.

    Is it possible that your son simply has not hit any blocked domains? If this can't be the case, could he be using a proxy IP, or a VPN? A browser like Opera which uses a proxy when turbo mode is turned on? Using another open wireless connection?

    Have you tried visiting a site you know should be blocked with this laptop? Not sure how to further test if you don't do it from the laptop.
    Thankful People: zelus, simbaha2
    • Comment author: brian_e
    • Comment time: Oct 1st 2012
    "Have you tried visiting a site you know should be blocked with this laptop?" It's my son's own computer and he has sole use of it with administrative rights. The aggregate stats would show me if blocking were occurring as there are many sites that my son visits that I never or rarely go to, so if there were any stats showing those sites being blocked, I would know it was working. How could I obtain some stats for my account since I can no longer access them via the OpenDNS website?

    How would he set up a proxy (sorry, I'm not too familiar with how this could be set up to circumvent traffic passing through OpenDNS)?
    • Comment author: brian_e
    • Comment time: Oct 1st 2012
    I have just checked the logs and router status. The router status shows just my PC connected (192.168.1.2) and my wireless printer (192.168.1.254) and yet the logs (if I am reading them correctly) show entries for sites I have not been to against my IP address. For example:-

    [Site allowed: p.twitter.com] from source 192.168.1.2, Monday, Oct 01,2012 20:55:41
    [Site allowed: www.linkedin.com] from source 192.168.1.2, Monday, Oct 01,2012 20:55:41
    [Site allowed: buttons.reddit.com] from source 192.168.1.2, Monday, Oct 01,2012 20:55:41
    [Site allowed: b.scorecardresearch.com] from source 192.168.1.2, Monday, Oct 01,2012 20:55:40
    [Site allowed: www.facebook.com] from source 192.168.1.2, Monday, Oct 01,2012 20:55:40

    I have certainly been nowhere near facebook this evening and I don't ever use twitter, but in addition to the above, there are entries such as these in the log:-

    [Site allowed: cdn.api.twitter.com] from source 192.168.1.2, Monday, Oct 01,2012 20:55:41
    [Site allowed: p.twitter.com] from source 192.168.1.2, Monday, Oct 01,2012 20:55:41

    Any idea what may be going on here?
  3.  permalink
    Second bit first, DNS lookups and other traffic are never limited to the sites you intentionally visit. Most websites load content and scripts from many domains, whether from CDNs, for ads or for those little social buttons on web pages (this one is right in the domain name: buttons.reddit.com). Scorecard Research is a web stats company which counts hits on websites and such.

    Never mind applications that draw content or function from the internet, OS/application updates, internet time sync, OS/router connectivity tests...

    As to the first bit: "It's my son's own computer and he has sole use of it with administrative rights." Never mind trying to filter or control his computer or internet usage then, you're done.
    • Comment author: brian_e
    • Comment time: Oct 2nd 2012
    "Never mind trying to filter or control his computer or internet usage then, you're done." - I'm not too bothered about what he actually has on his computer as he's old enough to be responsible for that. I just want to ensure that anything illegal or offensive does not come in via my network for which I am ultimately responsible. I have the router settings locked down quite tight (password protected access, blocked port 53, fixed IP addresses to each MAC code, access restricted to designated MAC addresses, all services blocked on unused IP addresses). Despite this, could my son still be bypassing the OpenDNS filters?
  4.  permalink
    Yes, of course. He could use a proxy, VPN, whatever. If you don't have an enterprise-class router/firewall/packet filter/security appliance, there will always be ways to avoid your router and OpenDNS filtering. Just using a proxy IP address will do it.
    • Comment author: brian_e
    • Comment time: Oct 3rd 2012
    Would a router running on dd-wrt get around this problem (my TP-Link router which I still have was configured to use OpenDNS and I followed precisely the instructions about how to set it up on the dd-wrt wiki)? Failing that, do you think that a Draytek router with their Globalview parental controls system could be a solution?
    • Comment author: birkita
    • Comment time: Oct 3rd 2012
    I have a dd-wrt powered router and use wallwatcher to scan the logs and alert me to any activity that I think should not be allowed. I also have K9 installed on all the machines. Plus with the various access controls in the router I can run a pretty tight ship. It is not hands free but it allows my children to have a feeling of freedom without really letting them loose on the internet and means I am involved in what they are doing online. If the children have a site they wish to visit that is not allowed by default then I will check it first and unlock what is suitable.
    • Comment author: brian_e
    • Comment time: Oct 11th 2012
    I had to ditch my Netgear router in the end as my son soon found a way round the filtering (I only bought it to try to have some flexibility for different users on the network, which I didn't have with my dd-wrt-enabled router). I have purchased a Draytek Vigor 2110n, which, although it doesn't have free parental controls like OpenDNS, nevertheless, is much harder to circumvent (no searching by IP addresses, no by-passing by altering local DNS addresses, port 53 blocked as standard). So far so good - my son has made numerous attempts to by-pass the filtering and all have been blocked.
    • Comment author: birkita
    • Comment time: Oct 11th 2012
    If your son attempts to bypass your filtering then block his internet access altogether.