This discussion has been inactive for longer than 30 days, and is thus closed.
Post 1:

I think you should provide a program for families who want the wife/mom to be the "Internet Boss", which would lock the DNS settings from being changed or bypassed by husbands or smart children.

This would make the internet a welcomed guest and tool for the family instead of a possible threat to the children's innocence or the marriage's fidelity.

Also you should work with Google or any other Open Alliance that will help to make the same programs available for download on mobile phones so that the data plans on them will be safe as well. I know there is a lot of fear in giving too much power to "Big Brother" or the Government, but where is the Free Open-Source technology that puts Moms and Dads back in control?

sunnz (Dec 10th 2007):

Maybe it is possible for the wife/mum just to block all DNS traffic except for DNS requests to OpenDNS? Like a setting on the firewall? Would that work?

joefar (Dec 10th 2007):

Well, if you are using Windows XP you could create a user account on the computer and create separate logins within the 'Users' group. Then they wouldn't be able to change the DNS settings. Search Google for "user account control windows xp" to find instructions on how to do this.

As well, you could set up your router (if you are using high-speed) with OpenDNS settings and then lock the router with an admin password. You will be able to find instructions on how to do this in the documentation that came with the router, or on the manufacturer's website.

Good luck,
Mike

sunnz (Dec 10th 2007):

If you set up DNS on your router and lock it, wouldn't the user still be able to use a different DNS server on their computer?

joefar (Dec 10th 2007):

Well, I guess you are right. So then you would have to set up user accounts on the computer and restrict their rights to change those settings.

sunnz (Dec 10th 2007):

What if you want to allow laptop users, or if you have "smart children" who use a different OS? I think in this situation you would need to block DNS traffic except for the traffic to OpenDNS servers.
Post 2:

So blocking "Non-OpenDNS" traffic on a firewall works for 1 PC or OS only, and doing it through your router is not possible (in the DNS settings, but not in the firewall sense). Locking DNS settings using Windows U.A.C. works for 1 OS only, and doing it through the router works, but if the DNS settings on the PC can be changed it is moot.

The above only highlights my point. We need some way of easily blocking things even if the kid uses a wireless laptop or another OS (like a version of Linux booted from a thumb drive).

Not sure how to approach this. Could an ISP that used OpenDNS as their default automatically route traffic through OpenDNS? Even if they did, wouldn't changing the DNS settings on the PC circumvent it?

pdabr (Dec 10th 2007):

<Could an ISP that used OpenDNS as their default automatically route traffic through OpenDNS? Even if they did, wouldn't changing the DNS settings on the PC circumvent it?>

Yes, many ISPs (particularly the wireless ones) block any UDP port 53 traffic outside their networks.

You may be able to achieve something like that if your router could act as a DNS proxy of sorts and not allow requests except for its own forwarding requests.

sunnz (Dec 11th 2007, edited):

<So blocking "Non-OpenDNS" traffic on a firewall works for 1 PC or OS only>

That's why you should block "Non-OpenDNS" traffic on your router that is acting as the gateway. Of course it would mean your router would need to have a firewall that supports this kind of blocking in the first place!!
Post 3:

So are there in fact routers that do this?
Would OpenDNS need to lobby with these router manufacturers to make this happen?
Would OpenDNS create software that you could run on your actual router, like a "DD-WRT" router?

I think in achieving the above results we are far behind in technology.

sunnz (Dec 12th 2007):

I think some higher-end Cisco routers can do that kind of filtering, but they cost above $1000...

Or you could build a firewall out of an old computer that sits and filters traffic before it reaches your router.

washuu (Dec 12th 2007, edited):

Every Cisco router can do simple filtering based on layer 3/4 data, even cheap ones like the 800 series (for $10-30 on eBay).
And most of today's routers can do this kind of filtering. I use a Linksys wireless router with OpenWRT software, and this works great.

If someone needs help with setting the rules on Linksys, Cisco, 3Com or similar hardware I can help. Also with iptables rules.

Generally, it can be a few simple rules, put in the incoming ACL of the internal (LAN) interface:
- allow DNS requests to the OpenDNS servers
- deny all remaining DNS requests.

You should also block the use of proxy servers, because they do DNS resolution on their own.
Thankful People: wewillservethelord, markoe

sunnz (Dec 12th 2007):

Oh sh... I wasn't thinking right about the Cisco router, sorry.
Post 4:

Thanks a lot washuu!
I see that you are talking about only allowing DNS to/from OpenDNS.
Doesn't one of the OpenDNS filter settings include blocking of proxy sites?

And do any native firmwares support this without using the open-source WRT firmware?

I am looking for a solution that is Mac-simple for your everyday non-tech Mom & Dad, that the hacker kids would not be able to circumvent, and would not require advanced software configuration or flashing any BIOS.

If this is possible they (OpenDNS) should include a little write-up about it in their adult site blocking area.

ahoier (Dec 13th 2007):

The only problem is, it's so easy to bypass... simply using Tor, or even "Google Web Accelerator" - I believe it bypasses the system-set DNS servers... In the case of The Onion Router, it would consult the machine that you are being anonymized through to ask for the correct DNS.

As far as GWA, it would use Google's DNS servers...

But I do believe you could get a firewall (even software...) on your computer(s) that would block all DNS except for OpenDNS...

sunnz (Dec 13th 2007):

poqwlkasmnzx, what's your current setup like? Do you have your router use OpenDNS, and have all your computers on the router use your router as their DNS?

So like...

Router's DNS setting: OpenDNS's IP
Computer's DNS setting: Router's IP

If so, I believe you just have to block DNS on your router: set up a rule in "IP filter" or "firewall" to block port 53 of UDP and/or TCP.
Post 5:

@ahoier: Are you sure they will be able to use Tor or GWA with the above setup, since the router is blocking non-"OpenDNS DNS requests"? I know they couldn't download them if I have proxy avoidance set in my domain blocking.

A firewall (software) doesn't work unless I block either thumb drives, CD drives, or BIOS changes, which I could do, but I'm looking for something for the non-techie 85% of Moms out there who don't want to learn about their BIOS. Hopefully a router-only solution that would block all traffic so other wireless laptops, or OSes, are also blocked.

@sunnz
My current setup is one PC with DSL (password protected) and I make sure I am with the kids or in the next room. But I would like to get a router and allow them more freedom without having to worry about stuff, and then also I would like a simple bullet-proof method I can tell my friends about so they won't have these issues either.

sunnz (Dec 14th 2007):

poqwlkasmnzx,

So I guess you would like to get a wireless router and just hook it up to your existing DSL modem?

Well, just make sure that it supports NAT, allows you to set up DNS server IPs on the router itself, and has a firewall which you can configure to block certain traffic (TCP & UDP) by its port number.

That way you just set your router to block all DNS traffic by blocking port 53 UDP; the router itself can still use any DNS server, like OpenDNS, so make sure your router has a secure password and your kids can't log in and change your router's settings...

Actually, I'll do that right now and see how well it works.
Thankful People: Dirk

sunnz (Dec 14th 2007):

OK, it seems to work well with my router (OpenNetwork iConnect624w).

Here are the settings of my router:
IP: 192.168.2.254
DNS: 208.67.222.222 208.67.220.220
IP Filter: Blocks port 53 UDP
A very strong password for its admin page

Here's what nslookup is like:
First I try using the router's IP as the DNS:
> server 192.168.2.254
Default server: 192.168.2.254
Address: 192.168.2.254#53
> google.com.
Server: 192.168.2.254
Address: 192.168.2.254#53

Non-authoritative answer:
Name: google.com
Address: 64.233.187.99
Name: google.com
Address: 64.233.167.99
Name: google.com
Address: 72.14.207.99

Now I try using something other than my router's IP... like OpenDNS's IP!
> server 208.67.222.222
Default server: 208.67.222.222
Address: 208.67.222.222#53
> google.com.
;; connection timed out; no servers could be reached

So now I can't use anything else but the router's IP as my DNS server... and the router has been locked to only use OpenDNS. I hope that's what you wanted?
Thankful People: wewillservethelord

washuu (Dec 14th 2007, edited):

Personally, I would put the rule passing traffic to port 53 for the OpenDNS servers before blocking the rest, at least for testing purposes. Also find another public DNS server and unblock it too (without reconfiguring your router's DNS settings); comparing results is sometimes needed.
Thankful People: markoe
Post 6:

Sounds perfect sunnz. Will I be able to do that with any/most routers without a firmware upgrade?

sunnz (Dec 15th 2007, edited):

poqwlkasmnzx,

I haven't seen any routers that wouldn't do that... but again my experience is rather limited, so I cannot tell you for sure.

If you make sure the router you are going to purchase supports NAT, DNS, and has a configurable firewall then it all should be fine.

Skip (Jan 17th 2008):

I use a Netscreen SSG-5 router at home and at the office; I have it simply redirect all DNS traffic to the OpenDNS servers.

Skip (Jan 17th 2008):

Oh, also you could easily do this with any Linux/Unix type system that you would use as a firewall and router.

If you have a less fancy type of firewall device you just need to do two things:

1) Allow DNS (tcp/udp port 53) out to the OpenDNS servers.
2) Block DNS out to anything else.

mike240se (Mar 9th 2008):

With Cisco, you could set up an ACL that only allows your DNS server through, right? What would the IOS code be to just log any requests that don't come from the DNS server?

Like if 192.168.1.100 was your DNS server, how would you allow all DNS traffic through, but log any DNS traffic NOT coming from 192.168.1.100, so I can track down PCs that are using their own DNS settings so I can fix it? I don't want to block it till I have a chance to fix any of them, so they don't experience outages.

Also, is it safe enough to only allow OpenDNS's two servers? I have been too scared to do this and basically add my ISP's DNS servers as #3 and #4 just in case. I know they have their awesome system of redundancy and redirects, but I guess it's possible for them to go down completely, right?
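The two-rule policy washuu and Skip describe (allow DNS to the OpenDNS resolvers, then deny all other DNS), washuu's note that the allow must come before the deny, and the audit-only variant mike240se asks about (log DNS not coming from the LAN resolver without blocking it), as an added example that is not from the thread or from OpenDNS: a small first-match policy evaluator in Python run over constructed flows. The OpenDNS addresses and the 192.168.1.100 resolver are taken from the thread; the client and third-party resolver addresses are constructed.

```python
# Added example (not from the thread): first-match DNS egress policy in the style of a router ACL / iptables chain.
from dataclasses import dataclass

OPENDNS = {"208.67.222.222", "208.67.220.220"}  # resolver IPs quoted in the thread
LAN_RESOLVER = "192.168.1.100"                   # internal resolver from mike240se's question

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int

def is_dns(f: Flow) -> bool:
    return f.proto in ("udp", "tcp") and f.dport == 53

# Ordered rules as (action, predicate). "log" is non-terminal: it records the hit and keeps
# evaluating. "allow"/"deny" are terminal. Falling off the end is an implicit deny.
POLICY = [
    ("log",   lambda f: is_dns(f) and f.src != LAN_RESOLVER),  # audit-only, not a block
    ("allow", lambda f: is_dns(f) and f.dst in OPENDNS),       # washuu/Skip rule 1
    ("deny",  is_dns),                                         # washuu/Skip rule 2
    ("allow", lambda f: True),                                 # all non-DNS traffic
]
# washuu's caveat: putting the blanket DNS deny ahead of the allow breaks OpenDNS too.
MISORDERED = [POLICY[2], POLICY[1], POLICY[3]]

def evaluate(flow: Flow, policy=POLICY) -> tuple[str, bool]:
    """Return (verdict, logged) for one flow under first-match semantics."""
    logged = False
    for action, pred in policy:
        if not pred(flow):
            continue
        if action == "log":
            logged = True
            continue
        return action, logged
    return "deny", logged

# Constructed sample flows; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE = [
    Flow(LAN_RESOLVER, "208.67.222.222", "udp", 53),    # resolver forwarding to OpenDNS
    Flow("192.168.1.37", "208.67.220.220", "tcp", 53),  # PC talking to OpenDNS directly
    Flow("192.168.1.37", "198.51.100.53", "udp", 53),   # PC using some other resolver
    Flow("192.168.1.37", "203.0.113.80", "tcp", 80),    # ordinary web traffic
]

if __name__ == "__main__":
    for f in SAMPLE:
        verdict, logged = evaluate(f)
        print(f"{f.src:>14} -> {f.dst:<15} {f.proto}/{f.dport:<3} {verdict:5} logged={logged}")
```

Running the same flows through MISORDERED shows the resolver's own queries to OpenDNS being denied, which is the outage washuu's ordering advice avoids.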
