Open DNS filtering



  • I've been searching high and low, and can't seem to find a thread that closely matches what I'm looking for. The problem is I'm a father of three children, and I'm currently using OpenDNS' filtering service set to block torrents, porn, gambling, online dating, etc. So I would like to know how to exclude certain IP addresses, such as my own personal computer, and assign the ISP DNS instead to get around OpenDNS's filtering.

    Thanks

    Jason



  • I presume your home computers use DHCP for configuration and pfSense as the DHCP server. In the DHCP client it is common to use the DHCP-assigned DNS, but there is usually a mechanism to override that. You could configure the computers you want to bypass OpenDNS to have the ISP DNS rather than the DNS assigned by DHCP.

    I'm the father of two young men who live at home. I use OpenDNS for our home network. I think it's important to set an example to my sons, so my wife and I live within the same limitations I impose on our sons with respect to DNS. I appreciate your situation might be very different. (For example, the OpenDNS filtering appropriate for small children might be too restrictive.) Perhaps it might be appropriate to consider using the 'FamilyShield' OpenDNS service as the default DNS on your home network and set up an OpenDNS account so you can use the more configurable OpenDNS service for particular computers.



  • Thanks, setting DNS manually on the client's PC worked. However, one problem just arose: what if one of my wise-ass teenagers figures this out and manually sets up DNS to something else… Is there a way I can set up DNS interception for the DHCP range 192.168.1.10 - 192.168.1.254?



  • OpenDNS can't prevent your household accessing nasty sites, especially if someone is keen enough. But, by putting some blocks in place, it can help your household make the "right" decision to not seek out nasty sites.

    I can elaborate more if you wish.

    As to your specific question, you could set up firewall rules to block DNS access from that IP address range to anything other than the pfSense box. (I presume the pfSense box is acting as DNS server for your LAN.)



  • I was able to do this with Tomato firmware for a Linksys router, but I've since switched over to pfSense for more features and such. Here's the script I used for init.

    # Tomato init script: force all DNS (UDP and TCP port 53) from 192.168.2.11 back to the router's own LAN address
    iptables -t nat -I PREROUTING -p udp -i br0 -s 192.168.2.11/32 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -I PREROUTING -p tcp -i br0 -s 192.168.2.11/32 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

    However, I'm not too familiar with BSD-derived OSes; I'm an I.T. guy from the windoze world. I've been studying Linux for about 2 years so far, and I'm learning as I go. I'm wondering if there's something similar I can do with pfSense, and I don't see where I run custom scripts.

    EDIT: forgot to answer your question. Yes, my pfSense is the DNS server and relays requests to OpenDNS. Also, I understand you're setting a good example; however, I would like to be able to use torrents for downloading Linux ISOs, large stuff, etc., but my son has been caught downloading music/movies/TV shows and I got a warning from Time Warner… I don't want to restrict myself because of his actions, you know.



  • From the pfSense web GUI, Firewall -> Rules click on the LAN tab and add appropriate rules. The rules are processed "top down" (as displayed by the GUI) on received packets. Rule processing stops when a packet matches a rule. So your new rules should probably begin with some rules allowing specific DNS access then a block rule for all DNS access. Rules are added by clicking on the appropriate "+" on the right hand side of the page.



  • I'm thinking of a rule that redirects 192.168.1.11/32 outbound port 53 to pfSense's DNS server port 53, preventing it from going outside to something like Google's DNS. However, I only see the options "Pass/Block/Reject" under firewall rules.



  • @firestrife23:

    however, I would like to be able to use torrents for downloading Linux ISOs, large stuff, etc., but my son has been caught downloading music/movies/TV shows and I got a warning from Time Warner… I don't want to restrict myself because of his actions, you know.

    I suspect OpenDNS is not a very effective solution for blocking downloads of copyrighted material, especially if it's available via a torrent. But I'm not very familiar with the details of how torrents work.

    @firestrife23:

    I'm thinking of a rule that redirects 192.168.1.11/32 outbound port 53 to pfSense's DNS server port 53, preventing it from going outside to something like Google's DNS. However, I only see the options "Pass/Block/Reject" under firewall rules.

    If the client you want to block gets its configuration by DHCP, its name server will be the pfSense box, so it may be sufficient to block access from that computer to any other DNS, because such an access attempt indicates the box has been reconfigured.
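    An added example, not from this thread and not from the pfSense project: it renders the two Tomato iptables DNAT lines above as the pf ruleset pfSense would use for the same interception (an rdr redirect, which the GUI exposes under Firewall -> NAT, Port Forward, plus the pass-then-block LAN rules described in the replies), and models pf's NAT-before-filter, first-match processing on a few constructed packets so the effect of rule order can be checked. The LAN interface name em1, the pfSense LAN address 192.168.1.1, and the sample packets are assumptions made for the example.

```python
# Added example (not from the thread or from pfSense): pf equivalent of the
# Tomato iptables DNAT lines, plus a small model of pf's NAT-then-filter,
# first-match ("quick") processing. Assumed values: LAN interface "em1",
# pfSense LAN IP 192.168.1.1; packets below are constructed.
import ipaddress
from dataclasses import dataclass

PFSENSE_LAN_IP = "192.168.1.1"                   # assumed pfSense LAN address
DHCP_RANGE = ("192.168.1.10", "192.168.1.254")   # DHCP range quoted in the thread
LAN_IF = "em1"                                   # assumed LAN interface name


def in_range(ip: str, first: str, last: str) -> bool:
    """True if ip lies inside the inclusive IPv4 range first..last."""
    a = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(first) <= a <= ipaddress.IPv4Address(last)


def pf_ruleset(lan_if: str = LAN_IF, lan_ip: str = PFSENSE_LAN_IP,
               dhcp_range: tuple = DHCP_RANGE) -> str:
    """pf.conf text doing what the iptables DNAT lines do, plus filter rules.

    The rdr line is what pfSense's Firewall -> NAT, Port Forward produces; the
    'quick' lines are LAN rules, evaluated top down, first match wins.
    """
    first, last = dhcp_range
    return "\n".join([
        "# NAT (applied before filtering): DNS from the DHCP range that is not",
        "# aimed at pfSense itself is rewritten to pfSense's own resolver.",
        f"rdr on {lan_if} proto {{ tcp udp }} from {first} - {last} "
        f"to ! {lan_ip} port 53 -> {lan_ip} port 53",
        "# Filter, in order: allow DNS to pfSense, then block any other DNS.",
        f"pass in quick on {lan_if} proto {{ tcp udp }} from {first} - {last} "
        f"to {lan_ip} port 53",
        f"block in quick on {lan_if} proto {{ tcp udp }} from {first} - {last} "
        f"to any port 53",
    ])


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def apply_rdr(pkt: Packet, lan_ip: str = PFSENSE_LAN_IP,
              dhcp_range: tuple = DHCP_RANGE):
    """NAT stage: DNS from the DHCP range not sent to pfSense is redirected."""
    if pkt.dport == 53 and in_range(pkt.src, *dhcp_range) and pkt.dst != lan_ip:
        return Packet(pkt.src, lan_ip, 53, pkt.proto), True
    return pkt, False


def filter_verdict(pkt: Packet, lan_ip: str = PFSENSE_LAN_IP,
                   dhcp_range: tuple = DHCP_RANGE, block_first: bool = False) -> str:
    """Filter stage: rules checked top down, the first matching rule decides.

    block_first=True puts the block rule above the pass rule, which is the
    ordering mistake that cuts clients off from pfSense's own resolver.
    """
    allow_dns_to_pfsense = ("pass", lambda p: p.dport == 53
                            and in_range(p.src, *dhcp_range) and p.dst == lan_ip)
    block_other_dns = ("block", lambda p: p.dport == 53
                       and in_range(p.src, *dhcp_range))
    default_lan_allow = ("pass", lambda p: True)   # pfSense's default LAN-to-any rule
    rules = [block_other_dns, allow_dns_to_pfsense] if block_first \
        else [allow_dns_to_pfsense, block_other_dns]
    for verdict, match in rules + [default_lan_allow]:
        if match(pkt):
            return verdict
    return "block"  # implicit default deny


def process(pkt: Packet):
    """Full path: NAT first, then filtering on the translated packet."""
    nat_pkt, redirected = apply_rdr(pkt)
    return filter_verdict(nat_pkt), nat_pkt.dst, redirected


if __name__ == "__main__":
    print(pf_ruleset())
    # Constructed sample traffic: a DHCP client trying Google DNS, the same
    # client using pfSense, a static host outside the range, and plain HTTPS.
    for p in [Packet("192.168.1.11", "8.8.8.8", 53, "udp"),
              Packet("192.168.1.11", "192.168.1.1", 53, "tcp"),
              Packet("192.168.1.5", "8.8.8.8", 53, "udp"),
              Packet("192.168.1.11", "203.0.113.7", 443, "tcp")]:
        print(p, "->", process(p))
```

    Two points the model makes visible: because pf translates before it filters, a client in the DHCP range that is pointed at an outside resolver still ends up talking to pfSense, so the block rule only ever fires if the redirect is absent (the filter-only approach suggested above); and a host outside the DHCP range, such as a statically configured parent's PC, is untouched by either rule.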



  • I suspect a configurable web filter such as Dan's Guardian (see http://dansguardian.org but no pfSense package) would be more suitable if you want to prevent download of copyright material.

    Dan's Guardian can be configured to block downloads of particular types of files (based on the content description and/or file name extension) and can be configured to apply rules to particular users identified by IP address or login.

    pfSense users seem to use squid and squidguard (see http://www.squid-cache.org and http://www.squidguard.org, pfSense packages available) for "web filtering" but this combination doesn't appear to provide a mechanism to block content such as MP3 files and movies.

    I have used Dan's Guardian (which defaults to using squid) but not squid with squidguard.

    If you have confidence in your son's sense of responsibility, it might be sufficient to explain the possible consequences of downloading copyrighted material and ask him to get your approval before downloading any audio or video or … files.

