Netgate Discussion Forum

Open DNS filtering

Category: DHCP and DNS (9 posts, 2 posters)
  firestrife23, last edited Aug 1, 2010, 2:57 PM

    I've been searching high and low, and can't seem to find a thread closely matching what I'm looking for. The problem is I'm the father of three children, and I'm currently using OpenDNS' filtering service set to block torrents, porn, gambling, online dating, etc. So I would like to know how to exclude certain IP addresses, such as my own personal computer, and assign the ISP DNS instead to get around OpenDNS's filtering.

    Thanks

    Jason

    wallabybob, last edited Aug 1, 2010, 9:50 PM

      I presume your home computers use DHCP for configuration and pfSense as the DHCP server. In the DHCP client it is common to use the DHCP-assigned DNS, but there is usually a mechanism to override that. You could configure the computers you want to bypass OpenDNS to have the ISP DNS rather than the DNS assigned by DHCP.

      I'm the father of two young men who live at home. I use OpenDNS for our home network. I think it's important to set an example to my sons, so my wife and I live within the same limitations I impose on our sons with respect to DNS. I appreciate your situation might be very different. (For example, the OpenDNS filtering appropriate for small children might be too restrictive.) Perhaps it might be appropriate to consider using the 'FamilyShield' OpenDNS service as default DNS on your home network and set up an OpenDNS account so you can use the more configurable OpenDNS service for particular computers.

      firestrife23, last edited Aug 2, 2010, 4:35 AM

        Thanks, setting DNS manually on the client's PC worked. However, one problem just arose: what if one of my wise-ass teenagers figures this out and manually sets up DNS to something else… Is there a way I can set up DNS interception for the DHCP range 192.168.1.10 - 192.168.1.254?

        wallabybob, last edited Aug 2, 2010, 8:37 AM

          OpenDNS can't prevent your household accessing nasty sites, especially if someone is keen enough. But, by putting some blocks in place, it can help your household make the "right" decision to not seek out nasty sites.

          I can elaborate more if you wish.

          As to your specific question, you could set up firewall rules to block DNS access from that IP address range to anything other than the pfSense box. (I presume the pfSense box is acting as DNS server for your LAN.)

          firestrife23, last edited Aug 2, 2010, 9:32 PM (Aug 2, 2010, 9:20 PM)

            I was able to do this with Tomato firmware on a Linksys router; since then I've switched over to pfSense for more features and such. Here's the script I used for init.

            # Rewrite DNS queries (UDP and TCP, port 53) from the one LAN host
            # arriving on the LAN bridge br0 so they land on the router's own LAN
            # address (read from NVRAM) instead of whatever DNS server was hand-set.
            iptables -t nat -I PREROUTING -p udp -i br0 -s 192.168.2.11/32 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
            iptables -t nat -I PREROUTING -p tcp -i br0 -s 192.168.2.11/32 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

            However, I'm not too familiar with BSD-derived OSes; I'm an I.T. guy from the windoze world. I've been studying Linux for about 2 years so far, and I'm learning as I go. I'm wondering if there's something similar I can do with pfSense, and I don't see where I run custom scripts.

            EDIT: forgot to answer your question, yes my pfSense is the DNS server and relays requests to OpenDNS. Also, I understand you're setting a good example, however I would like to be able to use torrents for downloading Linux ISOs, large stuff, etc., but my son has been caught downloading music/movies/TV shows and I got a warning from Time Warner… I don't want to restrict myself because of his actions, you know.

            wallabybob, last edited Aug 2, 2010, 9:40 PM

              From the pfSense web GUI, Firewall -> Rules click on the LAN tab and add appropriate rules. The rules are processed "top down" (as displayed by the GUI) on received packets. Rule processing stops when a packet matches a rule. So your new rules should probably begin with some rules allowing specific DNS access then a block rule for all DNS access. Rules are added by clicking on the appropriate "+" on the right hand side of the page.

              firestrife23, last edited Aug 2, 2010, 9:50 PM

                I'm thinking of a rule that redirects 192.168.1.11/32 outbound port 53 to pfSense's DNS server port 53, preventing it from going outside to something like Google's DNS. However, I only see the options "Pass/Block/Reject" under firewall rules.

                wallabybob, last edited Aug 2, 2010, 10:13 PM

                  @firestrife23:

                  however I would like to be able to use torrents for downloading Linux ISOs, large stuff, etc., but my son has been caught downloading music/movies/TV shows and I got a warning from Time Warner… I don't want to restrict myself because of his actions, you know.

                  I suspect OpenDNS is not a very effective solution to blocking downloads of copyrighted material, especially if it's available by a torrent. But I'm not very familiar with the details of how torrents work.

                  @firestrife23:

                  I'm thinking of a rule that redirects 192.168.1.11/32 outbound port 53 to pfSense's DNS server port 53, preventing it from going outside to something like Google's DNS. However, I only see the options "Pass/Block/Reject" under firewall rules.

                  If the client you want to block gets its configuration by DHCP its name server will be the pfSense box so it may be sufficient to block access from that computer to any other DNS because such an access attempt indicates the box has been reconfigured.

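The two approaches discussed in this thread (the block-everything-but-pfSense rules wallabybob describes, and the port-53 redirect firestrife23 asks about) written out in pf syntax, as an added illustration that is not from either poster or from pfSense itself; in pfSense the same rules are entered through the GUI (Firewall -> Rules for the filter rules, Firewall -> NAT -> Port Forward for the redirect). Assumed, since the thread does not state them: the LAN interface is em1, the LAN network is 192.168.1.0/24, and pfSense's LAN address 192.168.1.1 runs the DNS forwarder on port 53.

```pf
# Added example, not from the thread. Assumptions: LAN interface em1,
# LAN network 192.168.1.0/24, pfSense LAN address 192.168.1.1 with the
# DNS forwarder listening on port 53.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"

# --- Redirect (what firestrife23 asked for; Firewall -> NAT -> Port Forward) ---
# Translation happens before filtering: any DNS query from the LAN aimed at an
# outside resolver is rewritten to the pfSense forwarder, so a client whose DNS
# was hand-set to Google or the ISP still receives OpenDNS-filtered answers.
rdr on $lan_if proto { tcp udp } from $lan_net to ! $lan_ip port 53 -> $lan_ip port 53

# --- Filter rules (what wallabybob described; Firewall -> Rules, LAN tab) ---
# Evaluated top-down; "quick" stops processing at the first match, which is
# the behaviour the pfSense GUI gives every rule it creates.
# 1. Allow DNS to the pfSense forwarder itself.
pass  in quick on $lan_if proto { tcp udp } from $lan_net to $lan_ip port 53 keep state
# 2. Log and block DNS to anything else. Because the rdr above already rewrote
#    such packets to $lan_ip, this rule only fires if the redirect is removed;
#    keeping it means a logged hit here is a client whose DNS was changed by hand.
block in log quick on $lan_if proto { tcp udp } from $lan_net to any port 53
# 3. Everything else from the LAN continues to pass as before.
pass  in quick on $lan_if from $lan_net to any keep state
```

With only rules 1-3 and no rdr, a reconfigured client's lookups simply fail and show up in the firewall log; with the rdr as well, they silently succeed through OpenDNS.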
                  wallabybob, last edited Aug 3, 2010, 3:22 AM

                    I suspect a configurable web filter such as Dan's Guardian (see http://dansguardian.org but no pfSense package) would be more suitable if you want to prevent download of copyright material.

                    Dan's Guardian can be configured to block downloads of particular types of files (based on the content description and/or file name extension) and can be configured to apply rules to particular users identified by IP address or login.

                    pfSense users seem to use squid and squidguard (see http://www.squid-cache.org and http://www.squidguard.org, pfSense packages available) for "web filtering" but this combination doesn't appear to provide a mechanism to block content such as MP3 files and movies.

                    I have used Dan's Guardian (which defaults to use squid) but not squid with squidguard.

                    If you have confidence in your son's sense of responsibility, it might be sufficient to explain the possible consequences of downloading copyrighted material and ask him to get your approval before downloading any audio or video or … files.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.