I just realized that some of you may be wondering who I am. I am Daniel, the new support guy here at OpenDNS.

Hi - Nice to meet you.

I see there have been a lot of views of this thread but no responses. Come on guys... :)

We want to know about your network because, chances are, many of our other users have similar setups. Anyone who sends in accurate instructions will get a shout-out on our Web site and will forever be known as the helpful contributor to the Best Practices instructions.

I look forward to hearing from you! If you would prefer to email me privately with your setup I can be reached at daniel at opendns com

Daniel

Thanks so much washuu. This is exactly what I am looking for. I would love to hear other users setups' as well. Keep them coming :)

I would be curious to hear if anyone has tested the configuration with iptables that washuu mentions, how you set it up and how it works.

Also, if you have any suggestions for how we can make the interface more manageable please let us know. Some things are already in the works, and some are on the drawing board. Thanks for your patience.

fixed my unreliable Dmax PR DNS problems!
and faster, and phishing protection

what else to say....
I wish I could set it into my hardcoded speedtouch so the weight wouldn't land on the OS... but oh well WAY better than before... that's for sure

I sysadmin for a school. I have a local machine, running Freebsd that runs maraDNS. Postie acts as primary source for machines inside the network, and refers all external requests to openDNS. Results are cached locally. While the directions don't address maraDNS directly, the 'translation' was easy enough to do.

The only problems I've had are the occassional false report.

I do wish that the 'block' screen would say exactly why it was blocked.

Hi, Daniel:

openDNS is too new to me for me to be of much use to your project, but openDNS was being used to help find some sort of trojan which I might have unknowingly approved through my firewall permissions (not sure). That didn't work (reinstalled firewall instead), but I will continue to use the service until I know more about its benefits.

Right now, I have two PCs connected through the home router (dynamic IPs) which is set for the DNS service, along with a farm of PlayStation consoles and everything is working normally. I have already used up the 50 IP blocks and I now need to sort out which ones take priority (sorted by volumes of requests, ad.doubleclick.net is the worst offender, so far), so that I can keep the ones that get requested most frequently. I would really prefer to be able to block ad domains (atdmt.com or 2o7.net) vs individual IPs (switch.atdmt.com or pandasoftware.112.2o7.net). Having this ability would free up various blocks _for the same ad domain_.

I haven't dealt with blocking adult content or maybe some other features that I have no clue how to do with openDNS yet. Self-education takes time.

OT: How do I choose a domain to block when I am only shown subdomains?

I haven't looked for instructions yet; it's just that I haven't seen how to edit blocked listings when given a subdomain in the list.

I use OpenDNS on my home network to provide a clean and safe browsing experience for my family.

I run a FreeBSD gateway having a caching DNS server which forwards to OpenDNS. Your recent change of protocol to be more dyndns2 compliant means I can now use ddclient out-of-the-box to maintain my network IP information.

So far I've found OpenDNS to be extremely useful and I've even contributed a few samples to phishtank.com as a gesture of thanks.

I am an IT consultant and up to the moment I have three different uses for OpenDNS.

1. I've installed as my main DNS resource at home. I'm planning to put in the firewall/gateway so that I rest assured that children will be safe-browsing. No complains so far. Computers are Windows XP, using Windows Internet Connection Sharing (through 1mbps ADSL) and Ubuntu.

2. I've configured OpenDNS in a medium size company as a forwarder to the main DNS servers. It's been doing a great job! All that Squid ACL filters can't grab (and I've got to admit, it's becoming impossible to manage Blocked Sites ACL lists)I've seen OpenDNS blocking for me. Main DNS server runs BIND in SuSE Linux, and acess to Internet is made through 2x1mbps links.

3. I'm in test-phase at a large company. In this scenario I'm also using OpenDNS as a forwarder to the main DNS servers. As this will affect thousand of users, we're still evaluating the impacts of the only problem we met so far. And it's not an technical issue. Main DNS servers runs BIND in CentOS Linux. Access through 4x2mbps redundant-ospf balanced-links.

The problem: Language.

Most of the users are having a hard time with the English messages they get.
I strongly suggest, for a wider acceptance of the service, that you consider translating the messages pages. This does not, and I think should not, be automatically browser-selected. It should be something we configure in Dashboard, according to the networks we configure.

-----

Update: The above text was already written when I got a new problem in one of my clients. A few sites that take a little too long to load, when accessed thru OpenDNS address resolution are returning with the 'Timeout-Try again in a few minutes' message from OpenDNS. When accessing without OpenDNS, it took some time, but eventually the sites loaded. I know that raising the timeout threshold, when you have billions of requisitions to solve, may bring some ohter issues. But I think that some monitoring and evaluation of the actual timeout seems necessary.

Lucien Raven

This might be an unusual setup. It will at least be a little different that what the norm would be. I have a Linksys wireless router. I am using a DSL modem provided by my phone company. The DCHP server provided by the Linksys router is disabled. I use the DCHP server that is provided through the DSL modem instead. Essentially I have setup my Linksys router as a wireless switch. This has proven to be the most reliable setup that gives me the control I need. I have 4 wired systems, 2 wireless systems, 1 XBox 360, and 2 NintendoDS systems that all connect through the Linksys router. One of my wired systems is an Apache server. I use it as a test server for web development.

OpenDNS has worked very well thus far. I do have several feature requests. I would love to have the ability to block P2P file sharing as well as instant messaging. Maybe even restrictions based on time of day or MAC address.

Maybe this was what you were looking for.

I just found out about this site after reading on Tech Republic why my BellSouth DSL was out the other day. Someone commented that it was their DNS servers and because they were using OpenDNS their DSL still worked.

So I went through the setup to figure out how to change mine and the only problem I encountered was it still said I wasn't using your DNS even after I made the changes on my D-Link 624. I tried changing the DNS on my work station and that still didn't seem to make it work.

So I thought...Maybe rebooting would do it. Oh-Oh...then I couldn't go anywhere, blank pages on every Web site I tried. So I rechecked my settings and saw that the IP number was checked as "Dynamic PPPoE". I've never paid attention to that since when I first got the router it has worked on everything for years with it being that way and the setup wizard set it up that way.

Anyway, to make this long story shorter...Changing it to "Static PPPoE" did the trick immediately. Maybe your setup "Wizard" should ask people to check that the Static button is pressed if in fact their IP number stays the same. Many of us dummies don't really understand "dynamic" or "static" but do understand "Does your IP number stay the same or change each time you log on?". I knew the difference but just didn't think to look for that status since the router has always worked fine.

So far I'm happy with your free service on my home network and would like to thank you for offering this service along with the "Settings" to control where users go on the Net. I just hope your definition of "porn" is the same as mine. :)

Edited to add: I forgot to mention that my network along with the D-Link DI-624 router is made up 2 desktops, one laptop, one media server that is runing Windows Home Server, a Slingbox, a D-Link DSM-320 Media Lounge, and a D-Link DSM-600 Network Storage device (1 internal & 2 USB HD's).

@lucienraven:

Squid is forcing clients to use OpenDNS ONLY in HTTP traffic. HTTPS should not be redirected (we had some issues with such solution), not to say other traffic. And sometimes people (especially youngsters) are smart enough to bypass Squid redrection - but DNS would be one step ahead of them :).

We haven't tested DNS redirection yet, because lack of time - we have ISO audit right now and whoever already have had this, should know what time consuming it can be :)

After hearing about OpenDNS from one of our corporate network architects who set up a network for a training and conference that was held and he used OpenDNS for the entire 5,000 person conference, I thought I would give it a try.

I first tried it at home since I had no filtering there. I have a cable modem and then a wireless router attached to that. Initially the wireless router I had would not allow me to assign DNS servers separately from what was being received dynamically from the cable modem. So, I entered the DNS info on my Mac and my wife's Windows machines. It worked great. Not long after that I got the opportunity to switch out my wireless router which allowed manual entry of DNS instead of only taking what was being issued dynamically from my cable modem. (I currently use on my Mac "OpenDNS Updater" application to catch any changes in my cable modem's dynamic IP address. For example, after a power failure.)

Following that, I installed OpenDNS at work. We are a sub-ministry headquarters of a worldwide ministry with approximately 80 users. We previously had in place Microsoft's ISA server (which serves as our gateway) and had placed a subscription based filtering on that. The filtering was too tight and too difficult to maintain. It filtered things that we really weren't concerned about, but not having any full-time network administrators, we couldn't invest the time in trying to get it figured out, so we just had users report blocked sites that they wanted unblocked and we configured an exception.

With OpenDNS, I entered OpenDNS's DNS info on the external NIC on the ISA server (we only have one line to the internet through our DSL which goes to the ISA). In just minutes we were up and running and I've not had a single user request to open up a blocked site. My executive director was THRILLED with the results and couldn't believe that it was free. OpenDNS does exactly what we were trying to accomplish with the expensive filtering system, does it for free, and is MUCH more intuitive, and doesn't need to download subscription updates each day (or several times a day).

@washuu

I got DNS redirection working with pf... pretty much with an one liner like:

rdr on $internal_if inet proto {tcp udp} to port domain -> localhost

It basically redirects all traffic from the $internal_if interface on port domain, that is, port 53, tcp and udp, to localhost where I am running a local DNS cache with bind. I have tested this by `dig @<my ISP's DNS> internetbadguys.com`, and yea it returns the IP given by OpenDNS!!

But if someone runs a DNS server on port 80 this probably won't work?

P.S. I am still working on the Squid thing! (You know, to catch Skype traffic.)