OpenDNS Forums
The official support and discussion site of OpenDNS
This discussion has been inactive for longer than 30 days, and is thus closed.
I like how this works. I have a Belkin router which I have put the DNS entries in.
Everything is working great. But if somebody wanted to bypass OpenDNS all they'd have to do is find IP addresses of different DNS servers and set their PCs to use those DNS servers.
How do I prevent this from happening?
Oh, you are the very first one raising this.

http://forums.opendns.com/search.php?PostBackAction=Search&Keywords=redirect+53&Type=Comments&btnSubmit=Search
In brief: Because your users aren't admins on their computers, they cannot change their TCP/IP settings anyway. If they are admins, they can do whatever they want anyway - no need to restrict them. Also, many routers allow introducing an outbound rule to redirect or block udp/53 traffic other than to a specific DNS service.
rot,
Thank you for your help. I did find where I can block port 53 traffic on my router.
I like OpenDNS - what a great concept!
P.S. You said "Because your users aren't admins on their computers, they cannot change their TCP/IP settings anyway."
Well - my son found a way to hack the Admin account and bypass the password. Now I've since changed it so he can't run CMD - and he can't run REGEDIT ... but never underestimate the creativity of a teen... LOL
Comment by maintenance, Aug 21st 2009:
Sure - if you don't limit the user account, privilege escalation is always an option. And for the creative or determined individual with local access to a machine, there are quite a large number of options for defeating access control/security.
You don't happen to be running XP SP1 or lower, do you? (Just guessing.)
Yeah, like burning a live-cd, booting it, and then browsing the web with his own settings, or worse formatting your hard drive, and making himself the admin, and restricting your access. Even if you have the computer locked down physically, the router better be too, else he could always press that hard reset button, thereby deleting the OpenDNS settings that are keeping him from the bad stuff.
In short: If you don't fully trust [as in, trust enough to let them be an admin] your user [in this case your son] do *not* let them have physical access to the equipment. Let him use a screen keyboard and mouse, if you so desire, but keep the tower under lock and key. Same with modem, router, any hardware firewall, etc.
If you want to force all traffic on port 53 to go to OpenDNS, there are several options. Some routers have such options, afaik most residential models don't. There are ways of setting up a firewall to do this.
@rmarquiss
"Well - my son found a way to hack the Admin account and bypass the password."
He likely hasn't done this via cmd or regedit, but via a simple boot diskette...
"he can't run CMD"
Be assured, he can. There is a kind of bug in all MS Windows', which allows you to easily circumvent this restriction...
@joe262
"Yeah, like burning a live-cd, booting it, and then browsing the web with his own settings"
Go into your BIOS, set up a system password to keep him from getting into your BIOS, then disable boot from anything other than the hard drive.
"You don't happen to be running XP SP1 or lower, do you? (Just guessing.)"
No - SP3.
"'he can't run CMD'
Be assured, he can. There is a kind of bug in all MS Windows', which allows you to easily circumvent this restriction..."
Well - Windows security is an oxymoron - there's a reason why I tell people that Windows is just a virus with documentation.
I just did the registry change to restrict CMD and Regedit. My son is inquisitive, not vindictive - I'm not really too concerned about him resetting the router or that type of stuff, though I use the computer daily and I would notice a difference in behaviour there anyway.
"I just did the registry change to restrict CMD and Regedit."
As I said before, he likely hasn't done this via cmd or regedit, but via a simple boot diskette. And the policy can't prevent him from using cmd anyway. So, this was not really necessary. And with cmd and regedit he cannot change TCP/IP settings, as long as he's a non-admin user. Not sure about netsh, however, this would be the tool to do this. Have you included this as well, if ever possible?
"Windows is just a virus with documentation."
No, not really so bad. Today's Windows' (XP-SP3, Vista, 7) are pretty mature. MS have learnt a lot from *x, and occasionally they even do things better. Same as *x have learnt a lot from Windows, else a "normal" human would still not be able to use it, just experts...
If using DD-WRT router firmware, then force DNS requests to be translated to OpenDNS servers.
http://www.dd-wrt.com/wiki/index.php/OpenDNS#Intercept_DNS_Port
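The router-side udp/53 redirect that rot, joe262 and the DD-WRT link above describe, as an added example (editor's code, not from the thread or the DD-WRT wiki): a DD-WRT-style iptables firewall script that rewrites every LAN DNS query to OpenDNS regardless of the resolver a client configured. It assumes the LAN bridge is br0 and uses the public OpenDNS resolver addresses 208.67.222.222 / 208.67.220.220.

```shell
#!/bin/sh
# Added example: force all LAN DNS (udp and tcp port 53) to OpenDNS.
# Assumptions: LAN interface br0, OpenDNS resolvers 208.67.222.222/220.220.
LAN_IF="${LAN_IF:-br0}"
OPENDNS1="208.67.222.222"
OPENDNS2="208.67.220.220"
# IPT can be overridden (e.g. IPT=echo) to dry-run the rule set without root.
IPT="${IPT:-iptables}"

# Install the nat rules for one transport (udp or tcp); DNS uses both.
dns_intercept_proto() {
    proto="$1"
    # Queries already addressed to OpenDNS leave the nat chain untouched.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
        -d "$OPENDNS1" -j ACCEPT
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
        -d "$OPENDNS2" -j ACCEPT
    # Any other resolver a client picked is transparently rewritten to
    # OpenDNS; conntrack un-rewrites the reply so the client never notices.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
        -j DNAT --to-destination "$OPENDNS1"
}

# Full rule set: three rules each for udp and tcp.
dns_intercept_rules() {
    dns_intercept_proto udp
    dns_intercept_proto tcp
}

# Dry-run the rule set (IPT=echo in a subshell) and count emitted rules.
dns_rule_count() {
    ( IPT=echo; dns_intercept_rules ) | grep -c '^'
}

# Apply for real only when invoked as: sh dns-intercept.sh apply
if [ "${1:-}" = "apply" ]; then
    dns_intercept_rules
fi
```

On DD-WRT this goes in the firewall script under Administration > Commands; on any other Linux router the same rules apply once `LAN_IF` matches the LAN interface.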