This discussion has been inactive for longer than 30 days, and is thus closed.
    • CommentAuthorJohn
    • CommentTimeOct 29th 2008
     permalink
    I thought I could use OpenDNS to prevent users from accessing bad sites. But it is trivial to bypass. All the user has to do is: open Network Connections, open TCP/IP Properties, select "Use the following DNS Server Addresses" and type in a different DNS server.

    Is there any way I can prevent users from doing that? Can I set my router to reject any external DNS requests? I am using DD-WRT.

    Thanks, John
    Thankful People: leonardobag
    • CommentAuthorJohn
    • CommentTimeOct 29th 2008
     permalink
    I just learned DNS requests use port 53. Perhaps I can block that in the router. I'll try...
    • CommentAuthorrotblitz
    • CommentTimeOct 29th 2008
     permalink
    As I can see, your users seem to have administrative rights on their computers, else they would not be able to change their TCP/IP properties. As long as this is the case, they also can circumvent your router settings, e.g. while entering the IP address instead of the domain name, or just using a free proxy server or similar service or application program. There is no way around to make them "normal" users only.
  1.  permalink
    Aside from putting it on at the server or router level, having users with elevated rights means that you won't truly be able to control them, at least not with OpenDNS alone. If they can install programs they could simply use something like HotSpotShield or other services and programs. In fact, since there isn't a way to opt people out of going through OpenDNS filters (or setting users with different privilege levels) on the server side (yet), I use HotSpotShield frequently; then again, I am the IT admin for my company.

    Best practice: never give your standard user, in a corporate environment, full admin rights.
    • CommentAuthormiked
    • CommentTimeOct 29th 2008 edited
     permalink
    We highly recommend, as others have noted, that you prevent users from making changes to settings with group policies or other enforcements.

    Check out the DD-WRT page on OpenDNS [1], they have an option to intercept all DNS traffic and route it to OpenDNS.


    1. http://www.dd-wrt.com/wiki/index.php/OpenDNS
    Thankful People: harrv
    • CommentAuthordocbill
    • CommentTimeNov 12th 2008
     permalink
    There are several ways you can do this on your DD-WRT router. One way is just to set the router to use OpenDNS and be the local DNS server. Then block all traffic to port 53. Another is to redirect all traffic to port 53 to OpenDNS.
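
The two router-side approaches described in the comment above (block outbound port 53, or redirect it), as an added example that is not part of the original thread or of the DD-WRT wiki. It assumes the LAN bridge is `br0` and uses the OpenDNS resolver 208.67.222.222; the function names are hypothetical, and by default the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread: build the router firewall rules for the
# two approaches described above. Assumed values: LAN bridge br0 (the usual
# DD-WRT LAN interface) and the OpenDNS resolver 208.67.222.222.

# Reject anything that is not a plain interface name / dotted IPv4 address,
# because the generated rules are piped to a shell when APPLY=1.
valid_args() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $2 in ''|*[!0-9.]*) return 1 ;; esac
    return 0
}

# Approach 1: clients must use the router as resolver; DNS forwarded from the
# LAN to any outside server is dropped. The router's own upstream queries
# leave through OUTPUT, not FORWARD, so they are unaffected.
dns_block_rules() {
    valid_args "$1" 0.0.0.0 || { echo "bad interface: $1" >&2; return 1; }
    for proto in udp tcp; do
        echo "iptables -I FORWARD -i $1 -p $proto --dport 53 -j DROP"
    done
}

# Approach 2: rewrite the destination of every LAN DNS query to one resolver,
# whatever server the client configured. Pass the router's own LAN address
# instead to keep its local DNS cache and local names in the path.
dns_redirect_rules() {
    valid_args "$1" "$2" || { echo "bad arguments: $1 $2" >&2; return 1; }
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -i $1 -p $proto --dport 53 -j DNAT --to-destination $2"
    done
}

LAN_IF=${LAN_IF:-br0}
RESOLVER=${RESOLVER:-208.67.222.222}
if [ "${APPLY:-0}" = 1 ]; then
    dns_redirect_rules "$LAN_IF" "$RESOLVER" | sh   # run on the router as root
else
    dns_redirect_rules "$LAN_IF" "$RESOLVER"        # dry run: print only
fi
```

These rules only cover plain DNS on port 53; as noted earlier in the thread, users with administrative rights can still reach sites by IP address or through a proxy.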
