Your IP:

Our Forums Have Moved!

Visit our new forums at https://community.opendns.com/forums/ to post on topics and read the latest content. These forums are now read-only archives.

K-12 Forums

Talk with other K-12 network administrators in your state.

Or see all states.

Categories

Vanilla 1.1.4 is a product of Lussumo. More Information: Documentation, Community Support.

This discussion has been inactive for longer than 30 days, and is thus closed.
    • CommentAuthorjdwalley
    • CommentTimeJul 13th 2012
     permalink
    Brand new member here. Went into the page for my Belkin router as described in the instructions here, changed DNS settings from "automatic from ISP" to 208.67.222.222 and 208.67.220.220. Tried to check the page on clearing the cache, but got an error that Chrome couldn't access that page. Tried the "Next; Check your new settings" link -- same result. It seems as if entering OpenDNS's DNS numbers either keeps me from getting on-line at all, or is simply blocking OpenDNS's own site; I suspect the former.

    Any advice? FWIW, I'm using CenturyLink DSL service.
  1.  permalink
    CenturyLink customers do not appear to have issues with OpenDNS, but who knows?

    If you lookup a domain name and it comes up with the right IP addresses, the problem is the browser.

    nslookup google.com.

    And paste the results here.

    Also, who knows with Chrome? Have you flushed your browser (and local resolver) caches yet? I would also suggest turning off the options 'Use a web service to help resolve navigation errors' or 'Show suggestions for navigation errors' and the two Predictive services, Network and Search. Usually these allow Chrome to ignore (Open)DNS entirely, as the clicked links or what you type in the address bar goes straight to google, where google decides whether to just serve you with something, or to allow the browser to make a DNS request. This may cause your issues as well.
    • CommentAuthorjdwalley
    • CommentTimeJul 13th 2012
     permalink
    When I try what you suggest, I get the following result:

    >nslookup google.com

    Server:
    Address: 192.168.0.2

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to timed-out

    >

    Incidentally, when I disconnect the Belkin router, and plug the DSL modem (Actiontec M1000) directly into my desktop, I can run OpenDNS just fine (but, obviously, that loses the wi-fi network). It's only when I connect the modem to the Belkin router and the router to my computer that things stop working.

    Incidentally, as to your last paragraph: given that most of us use OpenDNS to filter objectionable content from being accessed by our children, doesn't this simply mean that a child determined to bypass OpenDNS could simply invoke those features on Chrome to enable the browser to ignore any OpenDNS blocks we might set?
    • CommentAuthorrotblitz
    • CommentTimeJul 13th 2012
     permalink
    It seems your Belkin router does not properly act as DNS forwarder, or you configured it wrongly.

    Try again: nslookup -timeout=12 -d google.com.

    Yes, your children may bypass OpenDNS with Chrome, but nobody forces you to use such a proprietary browser. You may use Chromium without the Google "features" instead, e.g. SRware Iron.
    • CommentAuthorjdwalley
    • CommentTimeJul 13th 2012
     permalink
    "Nobody forces you to use such a proprietary browser."

    With all due respect, that's a pointless response. Our children can download and install Chrome if they want (my teen already has it on her laptop) and certainly they have the ability to look up how to use Chrome to bypass filters; so, that means it's easy for them to do so whenever they want. It's a little like keeping your alcohol locked up in a cabinet, when you already know your children have the keys to that cabinet. The only thing I can think of would be to delete Chrome from their systems; but what's to stop them from simply re-installing it whenever they want?
    • CommentAuthorrotblitz
    • CommentTimeJul 13th 2012
     permalink
    Your children do not have admin accounts, do they? :shocked:
    Therefore they cannot install anything except maybe portable apps.
    If they do have admin accounts, you even don't need to think about controlling anything. You already gave everything out of your hands... :sad:

    Another external service like OpenDNS cannot compensate such local mistakes.
    Thankful People: cindelicato
    • CommentAuthorjdwalley
    • CommentTimeJul 13th 2012
     permalink
    My teen has long had an admin account on her own laptop. She does not have admin access to the network or the router, or the desktop computer connected directly to the router. At the time, it seemed to me that there would be no reason not to trust her; also, I was not aware that Chrome could be used to bypass any protections applied at router level.
  2.  permalink
    A couple points:

    No one should ever use an admin account for normal use. This is how bad things happen with viruses/malware, etc., among other things.

    If you can trust someone with full rights on their computer, you can trust them to use the internet as they see fit. Else not.

    It doesn't matter how anything is connected, the computers/devices always have precedence over settings in the router, unless the router has other capabilities, like setting firewall rules blocking port 53 traffic (which would be the relevant thing here).

    You aren't the firs person to use the concept of "protections applied at router level", which has a couple layers of misunderstanding. First, refer to the previous paragraph. Second, protection (or whatever) at the router level means that the protection exists inside the router. Firewalls, keyword or URL filtering, time limiting, and other things may exist in the router firmware, which would be protection at the router level. A couple of addresses is not. OpenDNS does not live in your router. It is a remote (cloud, in the popular parlance of recent years) service which isn't used if DNS lookups are not directed there. This is protection at the internet DNS level.

    Now, your router may be able to block DNS requests or redirect them to OpenDNS, but this won't matter if computer users can install or configure proxies, VPNs, browsers that use proxies or ignore standard network behavior, and ten thousand other things.

    If you don't want to enforce normal network practices, but do want to use OpenDNS, you may want to look into Netgear LPC. You can control a lot from the router this way. No updater needed, either. Differential filtering per Windows and OS X user accounts. http://countries.netgear.com/lpc See the FAQ for a list of supported routers. (If you already own a Netgear router, you may be able to download and install the firmware and software.)
    • CommentAuthorjdwalley
    • CommentTimeJul 13th 2012
     permalink
    ...and, in the long run, it really doesn't matter, because I caught her bypassing the controls I'd set by stealing bandwidth from a neighbor's unsecured Wi-Fi network; her laptop has now been confiscated. :(
    Thankful People: cindelicato
    • CommentAuthorjdwalley
    • CommentTimeJul 14th 2012
     permalink
    "No one should ever use an admin account for normal use. This is how bad things happen with viruses/malware, etc., among other things.

    If you can trust someone with full rights on their computer, you can trust them to use the internet as they see fit. Else not."

    You know what the problem is there? Sims 3. It requires it be both installed AND RUN on an Admin account.

    In retrospect, that's why I allowed my daughter admin privileges on her laptop; she had been a big-time Sims 2 fan, and we had gotten her Sims 3 for Christmas a year or so ago, only to find that she couldn't run it.

    Unfortunate...I wonder how many parents have wound up giving their children Admin rights they shouldn't have because of that game?
  3.  permalink
    Actually, you should be able to run software built like that* as administrator from the limited user account. Right-click the executable and choose RunAs from the menu and select Other Account, Administrator.

    *Yeah, I know. Windows did us a great disservice by having default administrator privileges for so long, in many ways. People also wrote software poorly in requiring it to assume administrator-level privileges. But Vista and later don't work this way, so at some point you will have to cross this bridge.

    Most people have admin rights by default if they use Windows XP or earlier. Parents "giving" children admin accounts** was likely not a conscious choice. Most people never create a new user account, since who goes out of their way to find these things, and the OS vendor wanted to make things as user-friendly and easy as possible by keeping most choices under the radar. But does it ever make a difference, just from a malware perspective. One limited user account gets infected? No big deal. Administrator account infected? It's got the whole machine, with system-level privileges.

    Whatever, I understand your frustration, but this is something that a remote DNS server with filtering capabilities can fix. You would have to use something more intrusive, like installed software. Which would generally require the user not be an admin, or they can uninstall it.

    **There are, indeed, office environments that operate like this. No kidding.
    • CommentAuthormrkriegar
    • CommentTimeJul 16th 2012
     permalink
    Since, *ahem* as some of us well know, teens are quite handy at writing their own rules , I would suggest using the above suggestion regarding the "Run As" shortcut, and then installing hidden software, accessible only by password.


    I know of at least one keylogger out there like that, and administrator privileges be damned, it does not uninstall without the password.

    I'm sure there are some "Net Nanny" programs out there that have that feature as well.

This discussion has been inactive for longer than 30 days, and is thus closed.