Creating a safe internet environment at home – Part 3/3: OpenDNS

In my previous post I explained what DNS does. Your internet service company generally provides a default DNS service that your Wifi router automatically starts using when it connects to the internet.

If you could force all computers in your home network to use a specific DNS service, you could control which websites are visible. This post will explain how you can instruct your Wifi router to start using OpenDNS’s DNS service, which will allow you to filter and control the internet access from within your home network.

OpenDNS is a company that provides such a service. It is a freemium service, in that they provide a basic service for free and you can opt for paid options. In my experience, the free option works very well for my home and should be sufficient for most people. (Disclaimer: I don’t have any association with OpenDNS except that I am a very satisfied user).

Create an OpenDNS account

You first need to create an OpenDNS account. You can sign up for a free account at www.opendns.com. You have a choice of two types of free services, OpenDNS Home Basic and OpenDNS FamilyShield. Of the two, OpenDNS FamilyShield is much simpler to use and probably where you should start if you don’t need to fine-tune or customise the content filters. OpenDNS FamilyShield has a single filtering profile that blocks most adult content, malware, phishing sites, and proxies and anonymizers. OpenDNS Home is a little more complex because it allows you to fine-tune what you want to control and also allows you to selectively allow access to sites that might otherwise get blocked. However, it does require you to fiddle around with downloading some minimal software on your computer, which will ensure that your Wifi Router’s IP address is always known to the OpenDNS servers. We will take a quick look at both of these options. I have tried to cover this at a high level here, but you can get a lot of helpful information on OpenDNS’s web site at www.opendns.com/support.

OpenDNS FamilyShield

OpenDNS maintains a global directory of sites which have adult content, malware, phishing software, scamware, and other nasty stuff. This is updated continuously based on feedback from the large community of users around the world and other sources. When you use FamilyShield, you essentially configure your Wifi Router to start using the DNS servers with the following IP addresses: 208.67.222.123 and 208.67.220.123.

You will need to know how to configure this setting on your Wifi router. The process for this is different for different router models so you will need to look up the instructions in your user manual or ask your local techie sabjantawalla. You can also look up the OpenDNS site where they have listed instructions for some popular models: https://store.opendns.com/familyshield/setup/router

You will essentially need to connect to your Wifi Router using a web browser and manually update the DNS server addresses. Once you are done updating, it will look something like this:

[Screenshot: DNS]

Note that if you are a single-computer household or your computer connects to the internet over a 3G data card, you will need to set up the OpenDNS FamilyShield DNS IP addresses directly on the computer. Depending on your computer type, the steps vary, but you can get detailed instructions at https://store.opendns.com/familyshield/setup/computer

Once you have set up OpenDNS FamilyShield, you do not need to fuss about anything else and your home network becomes a relatively safe browsing environment. Anytime a user in your home tries to access an internet web site, the OpenDNS FamilyShield DNS server will block sites that are listed in its pre-defined blacklist.

OpenDNS Home Basic

OpenDNS Home allows the technically savvy user more control over what access is blocked, plus hours of enjoyment (:-)) reading detailed historical statistics about the type of traffic originating from his or her home network. Some complexity does come with this increased control. OpenDNS lets you create your own user profile and instruct it in great detail about which types of content you would like it to filter. You can also add a list of sites that you specifically would like it to block or allow. In order for OpenDNS to do this, it needs you to let it know the IP address of your home network, because that is how it will identify DNS messages coming from your home. A very good tutorial is available at http://www.opendns.com/support/videos

You can easily find out the public IP address of your Wifi Router by pointing your browser to one of many websites, and OpenDNS is one of them. If you go to http://www.opendns.com, your Wifi Router’s IP address is helpfully displayed beneath the logo. Once you have created your OpenDNS Home Basic account, it will ask you to create a new network from the settings page after you have logged in to OpenDNS. Here you can enter the IP address of your Wifi Router and also pick and choose what types of content you want to block (or allow) access to. You can even create a custom message to pop up on the web page when someone in your home network tries to access a blocked web site. You will then need to change the DNS server IP addresses on your home Wifi Router to 208.67.222.222 and 208.67.220.220. You can do this exactly as described above for OpenDNS FamilyShield (note that the IP addresses for OpenDNS Home Basic are different from those for OpenDNS FamilyShield).

From this point on, every time a computer on your home network tries to access a website, its DNS request will be sent by your Wifi Router to OpenDNS’s servers. These servers will be able to identify that the request has come from your home network by looking at the source (return) IP address on the DNS messages. They will then apply the filtering rules defined in your account settings on OpenDNS. You now have a customised internet access control engine!

So you’re almost there… but not quite

Dynamic IP addresses

If you are using OpenDNS FamilyShield, you don’t need to bother with this section – you are done for now.

Unfortunately, if you are like most home users, the IP address of your Wifi router could change at any time, though it typically happens once every few days. This happens because most ISPs have a limited number of public IP addresses and keep allocating these to their home users on a need-to-use basis. What this means is that you need to constantly keep OpenDNS updated about your Wifi Router’s IP address. To do this, you need to first enable “Dynamic IP Update” from the advanced settings section of the settings tab on your OpenDNS dashboard. You will then need to run a program on a computer on your network that will connect to OpenDNS and keep it updated about your Wifi Router’s IP address. You can download a free OpenDNS Dynamic IP updater application from http://www.opendns.com/support/dynamic_ip/ for Windows or MacOS.

The important thing is that this program must always be running on your computer, because your Wifi Router’s IP address could change without notice. So you have to set it to be part of your startup applications on your computer (programs that are automatically started when your computer boots up). You can take your local techie’s help on how to do this. Ideally this computer should be running all the time so that your network is always protected.

Some Wifi Routers support this dynamic updating directly in the router, so you don’t need an always-on computer running the Dynamic IP updater. Some newer models from Netgear and D-Link support OpenDNS. For the truly adventurous, it is possible to write small programs on routers running Linux, or open-source router firmware such as DD-WRT or Tomato, to directly update OpenDNS with the dynamic IP address. That, however, is a topic for another time.
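The updater logic described in this section, written out as an added Python example (my own code, not the OpenDNS updater application and not from this post): it remembers the last public IP it reported, asks an IP-echo service for the current one, and only calls OpenDNS’s DynDNS-style update endpoint when the address has actually changed, so a router or always-on computer can run it from cron every few minutes. The update URL (updates.opendns.com/nic/update with HTTP Basic auth and a hostname parameter carrying your network label), the IP-echo service (api.ipify.org) and the reply words (“good”, “nochg”, error codes such as “badauth”) are assumptions about OpenDNS’s documented update API; confirm them at www.opendns.com/support before relying on the script.

```python
import base64
import json
import urllib.parse
import urllib.request
from pathlib import Path

# Assumed endpoints: OpenDNS documents a DynDNS-style update API, and
# api.ipify.org is a public plain-text IP echo service. Verify both before use.
UPDATE_URL = "https://updates.opendns.com/nic/update"
IP_CHECK_URL = "https://api.ipify.org"


def is_valid_ipv4(text):
    """Cheap sanity check so a captive-portal HTML page is never sent as an IP."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def basic_auth_header(username, password):
    """OpenDNS account credentials go in an HTTP Basic Authorization header (assumption)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token, "User-Agent": "home-opendns-updater/0.1"}


def parse_update_response(text):
    """Interpret a DynDNS-style reply: 'good <ip>' or 'nochg <ip>' mean success;
    anything else ('badauth', 'nohost', 'abuse', ...) is treated as a failure code."""
    code, _, rest = text.strip().partition(" ")
    if code in ("good", "nochg"):
        return True, rest or None
    return False, code or "empty-reply"


def fetch_public_ip(url=IP_CHECK_URL, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip()


def send_update(url, headers, timeout=10):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def update_if_changed(label, username, password, state,
                      get_ip=fetch_public_ip, send=send_update):
    """One updater pass. `state` is a dict holding the last IP we told OpenDNS about.
    Returns 'unchanged', 'updated' or 'failed:<reason>'. The two network calls are
    injectable so the decision logic can be exercised without contacting OpenDNS."""
    current_ip = get_ip()
    if not is_valid_ipv4(current_ip):
        return "failed:bad-ip"
    if current_ip == state.get("last_ip"):
        return "unchanged"          # nothing to do; avoids hammering the service
    query = urllib.parse.urlencode({"hostname": label, "myip": current_ip})
    reply = send(f"{UPDATE_URL}?{query}", basic_auth_header(username, password))
    ok, detail = parse_update_response(reply)
    if not ok:
        return "failed:" + detail   # keep the old state so we retry next run
    state["last_ip"] = current_ip
    return "updated"


def load_state(path):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_state(path, state):
    Path(path).write_text(json.dumps(state))


if __name__ == "__main__":
    import os
    # Credentials and the network label come from the environment so they are
    # never written into the script itself.
    state_file = os.environ.get("OPENDNS_STATE", "opendns_state.json")
    st = load_state(state_file)
    print(update_if_changed(os.environ["OPENDNS_LABEL"], os.environ["OPENDNS_USER"],
                            os.environ["OPENDNS_PASS"], st))
    save_state(state_file, st)
```

Run it from a cron entry such as every five minutes; because a failed update leaves the stored IP untouched, the next run simply retries, and because the state file is compared first, OpenDNS is only contacted when the ISP has actually handed you a new address.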

Gotchas

Like all security solutions, there are important tradeoffs to be made between freedom/usability and protection. No system is foolproof, far from it. What is important is to know the tradeoffs involved and adjust one’s behaviour and expectations accordingly. OpenDNS is one of many solutions available and is a starting point to gaining control over what goes on in your home network. It is not a substitute for good parenting and common sense. You will not achieve 100% control and neither is it desirable – after all, you cannot follow your kids into the wider world over which you have no control. It is likely that a determined kid will work his or her way around your firewall. The idea is to let them know what is and what isn’t desirable and to protect younger kids from accidental exposure to the bad stuff. I’m going to list here a few ways in which the OpenDNS system is vulnerable so you are aware.

  • Use of device-specific DNS. The default behaviour of most internet-connected devices like laptops, desktop computers, iPads, smartphones etc. when connecting to a Wifi network is to send all DNS messages to the Wifi Router in your home. However, most users can also modify the settings on their device to bypass the Wifi Router and send DNS messages directly to some publicly available DNS service such as the one provided by Google at 8.8.8.8. Kids over the age of 11 should be able to figure this out if they are looking to do so. The way to protect against this is to block port 53 (the port DNS uses) on your Wifi Router, so that devices cannot reach outside DNS servers directly. See the following article on OpenDNS.
  • Use of VPN services. A user on your network can create a virtual connection (VPN) directly to a server on a remote network and acquire a public IP address from there, bypassing your local router. There are commonly available VPN services like Hotspot Shield and HideMyAss but most require payment with a credit card or through Paypal. OpenDNS can also block these sites to some extent, though there are always methods to get around them. VPN services have legitimate uses, such as allowing people in countries with government run political firewalls (such as China) to access otherwise unavailable web sites.
  • Connecting via the 3G or cellular network. Most smartphones today have 3G access as well as a “hotspot” mode that allows them to share their internet access with other devices. So a user in your home could connect his or her computer to the internet over the 3G connection on a smartphone, bypassing your home wifi router. There is not much you can do about this except to keep an eye on the 3G bill!
  • Proxying by your ISP. Your ISP may be routing all your internet traffic through a proxy, or forcing all your DNS messages to be redirected to their DNS servers. This is not so common, but can happen. You will need to speak to your ISP about it – if this happens, my recommendation is to switch to a different ISP! I wouldn’t put up with a service where the ISP controls how I connect to the internet.
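A defender’s check for the first gotcha, added here as an example that is not from this post or from OpenDNS: Linux-based routers (including the DD-WRT and Tomato firmware mentioned earlier) can log forwarded packets with iptables, so this Python script reads such log lines and reports every home device that is sending DNS (port 53) traffic to a resolver other than the OpenDNS addresses quoted above. It also prints the iptables rules that would enforce the “block port 53” advice by dropping DNS traffic headed anywhere except OpenDNS. The log lines and device addresses are constructed samples, and the rule syntax assumes an iptables router whose LAN interface is br0; adapt the interface name to your own router.

```python
import re
from collections import defaultdict

# Resolver addresses quoted in the post.
FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}
HOME_BASIC = {"208.67.222.222", "208.67.220.220"}
OPENDNS = FAMILYSHIELD | HOME_BASIC

# Constructed sample lines in the shape of iptables LOG output on a home router.
# Device addresses (192.168.1.x) and the non-OpenDNS resolvers are made up for the example.
SAMPLE_LOG = """\
Jan  5 10:12:01 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 PROTO=UDP SPT=51234 DPT=53 LEN=40
Jan  5 10:12:02 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=208.67.222.123 LEN=60 TOS=0x00 PREC=0x00 TTL=63 PROTO=UDP SPT=51235 DPT=53 LEN=40
Jan  5 10:12:05 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.40 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 PROTO=TCP SPT=40102 DPT=53 WINDOW=64240 SYN
Jan  5 10:12:06 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.40 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 PROTO=TCP SPT=40103 DPT=443 WINDOW=64240 SYN
Jan  5 10:12:09 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 PROTO=UDP SPT=51236 DPT=53 LEN=40
"""

# Pull the fields we care about out of an iptables LOG line.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def classify_resolver(ip):
    """Name which OpenDNS service an address belongs to, or 'other' for anything else."""
    if ip in FAMILYSHIELD:
        return "familyshield"
    if ip in HOME_BASIC:
        return "home"
    return "other"


def find_dns_bypass(lines, allowed=OPENDNS):
    """Map each LAN device to the non-OpenDNS resolvers it sent port-53 traffic to, with counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "53" or m["proto"] not in ("UDP", "TCP"):
            continue                      # not DNS, or not a line we understand
        if m["dst"] in allowed:
            continue                      # going to OpenDNS: exactly what we want
        hits[m["src"]][m["dst"]] += 1
    return {device: dict(resolvers) for device, resolvers in hits.items()}


def iptables_rules(allowed=OPENDNS, lan_if="br0"):
    """Rules that let LAN DNS reach only OpenDNS, logging and dropping the rest.
    They must sit above any blanket ACCEPT in the router's FORWARD chain (assumed iptables router)."""
    rules = []
    for proto in ("udp", "tcp"):
        for ip in sorted(allowed):
            rules.append(f"iptables -A FORWARD -i {lan_if} -p {proto} --dport 53 -d {ip} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {lan_if} -p {proto} --dport 53 -j LOG --log-prefix 'DNSWATCH '")
        rules.append(f"iptables -A FORWARD -i {lan_if} -p {proto} --dport 53 -j DROP")
    return rules


def report(lines):
    """Human-readable summary of who is bypassing the router's DNS."""
    out = []
    for device, resolvers in sorted(find_dns_bypass(lines).items()):
        for resolver, count in sorted(resolvers.items()):
            out.append(f"{device} sent {count} DNS query(ies) to {resolver} ({classify_resolver(resolver)})")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
    print("\nRules to enforce OpenDNS-only DNS:")
    print("\n".join(iptables_rules()))
```

On the constructed log, the laptop at 192.168.1.23 is talking to Google’s resolver twice and the device at 192.168.1.40 once to 1.1.1.1, while the HTTPS connection on port 443 is correctly ignored. Once the DROP rule is in place, the LOG rule in front of it keeps producing exactly these lines, so the same script doubles as a way to see which device keeps trying.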

Creating a safe internet environment at home – Part 2/3: Tech Basics

Most households today have a fixed internet service in their home – typically provided by an Internet Service Provider (ISP) that could be your phone company or a cable company or some such provider. There is typically an internet router that connects to the internet on one side through the modem provided by the ISP and on the other side creates a Wifi network to which multiple computers, smartphones and other devices in the home can connect. To effectively control internet access in your home network, it is important to understand two concepts – IP address and DNS.

IP Address

An IP address is simply a unique number that any computer or device in your home acquires when it connects to your Wifi router. When you connect to a website on the internet, your computer needs to send messages to the remote computer server on which the website is running. At the same time the remote web server needs to send the website data back to your computer. IP addresses are how the two computers identify and connect to each other over the internet. The Internet is essentially a global network of computers that can route messages from one computer to another based on the IP address of the sender and the recipient (a little bit like a virtual version of the global postal system that routes letters from one postal address to another).

DNS

DNS stands for Domain Name System and is the method by which your computer can look up a human-readable internet address for a computer server on which a website is running (like “www.google.com”) in a directory or address book and associate it with an IP address. So when you ask your browser to go to a website (for example http://www.google.com), it uses DNS to convert “www.google.com” to the IP address of the computer server on which the web site is running. Once it knows the IP address, your computer can shoot a message into cyberspace with the IP address of the remote server. All the internet then does is ensure your computer’s message reaches the target computer no matter where in the world it is located and route the reply back to your computer. Everything happens in less than a second and you are “browsing” the internet! DNS works as a service running on a bunch of computers on the internet that keep a very up-to-date global address book of all internet-connected computers in the world. When your computer wants to translate a human-readable web address to an IP address it simply sends a message to a computer running DNS (known as a DNS server) and receives a response in a split second.

Why is DNS important?

Without the DNS system, your computer would not know how to send a message to any website and would require you to instead remember every website’s IP address. Obviously this is impractical for many reasons. Firstly, each webpage might contain data that is actually residing on multiple different computer servers and you would have to remember the IP address of dozens of websites just to load a single web page. Secondly, in order to optimise data traffic over the internet the companies that run these websites often keep updating and shuffling around the IP addresses all the time, rendering your private address book completely out of date very quickly.

Controlling internet access

One very innovative way, then, to control access to websites from your home network is to start using a DNS service that can filter out the undesirable sites on the internet from the desirable ones. Thus when any computer on your network wants to connect to a website you consider undesirable, the DNS service would simply refuse to provide the IP address, making it impossible for that computer to access the website. In my next post I will describe how you can force users on your home network to use a DNS service from a company called OpenDNS that provides the control you require and allows you to be the decider of what is and isn’t desirable.
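To make the lookup described in the DNS section and the filtering idea above concrete, here is an added Python example (my own code, not from this post and not OpenDNS’s software) that builds a real DNS query packet for a name, answers it from a tiny made-up address book the way a resolver would, and parses the reply back into IP addresses. The same code plays a filtering resolver: for names on a constructed blocklist it returns an empty answer with the NXDOMAIN code, which is the “refuse to provide the IP address” behaviour described above (a simplification; a real service may instead answer with the address of a block page). The address book and the blocklist are constructed for the example.

```python
import struct

# Constructed address book and blocklist for the example (not real data).
DIRECTORY = {"www.example.com": ["93.184.216.34"]}
BLOCKLIST = {"bad.example"}


def encode_name(name):
    """Turn 'www.example.com' into DNS label format: length byte, label, ..., zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name at msg[offset], following compression pointers; return (name, end_offset)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # pointer to an earlier copy of the name
            jumps += 1
            if jumps > 10:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2           # the pointer itself is two bytes long
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name, txid=0x1234):
    """Header (id, flags with RD set, one question) + question (name, type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, addresses):
    """Echo the question back with A records, or with rcode 3 (NXDOMAIN) when there are none."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    rcode = 0 if addresses else 3
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b""
    for ip in addresses:
        # 0xC00C = pointer to the name at offset 12 (the question); TTL 60s, 4-byte rdata
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answers


def filtering_resolver(query, directory=DIRECTORY, blocklist=BLOCKLIST):
    """What a filtering DNS service does: refuse to answer for blocked names."""
    qname, _ = decode_name(query, 12)
    if qname.lower() in blocklist:
        return build_response(query, [])
    return build_response(query, directory.get(qname.lower(), []))


def parse_response(resp):
    """Return (rcode, [IPv4 strings]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    offset = 12
    for _ in range(qd):                    # skip the question section
        _, offset = decode_name(resp, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = decode_name(resp, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:      # A record
            ips.append(".".join(str(b) for b in rdata))
    return flags & 0x0F, ips


def lookup(name, directory=DIRECTORY, blocklist=BLOCKLIST):
    """Full round trip: build the query, hand it to the resolver, parse the reply."""
    return parse_response(filtering_resolver(build_query(name), directory, blocklist))


if __name__ == "__main__":
    for host in ("www.example.com", "bad.example"):
        print(host, "->", lookup(host))
```

The bytes produced by build_query are what your computer actually puts on the wire to a DNS server; the only difference from a real lookup is that filtering_resolver answers from a dictionary instead of the global address book, which is why the blocked name comes back with no address at all.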

Creating a safe internet environment at home – Part 1/3

The Internet has truly changed how we interact with the world around us. A hard-bound encyclopedia seems like a concept as antiquated as stone tablets. Email? We all know what that is, but our kids will probably ask us someday what was meant by “Mail” – did you write letters by hand and actually get news about your friends from something that took a week to move from one city to another?

The world our kids are growing up in is very different, and for them to thrive they need to be connected to google, skype, whatsapp, facebook, wikipedia, twitter, flickr, scribd, burrp (!), whatever. We need to allow our kids to access all the good stuff the internet has to offer, yet somehow we also need to protect them from the seamy side of the internet – porn, malware, phishing sites, etc.

This is more difficult than one would think.

For one, technology evolves very quickly and for various reasons, we are generationally challenged in keeping up with changes as compared to our children. In other words, as far as internet technology is concerned, they tend to be smarter than us and the gap, unfortunately keeps getting wider as the years go by.

Secondly, every parent has a different view on what type of protection their kids need. There is no one-size-fits-all solution, and that makes it necessary for parents to do more than just install a piece of software and forget about it.

Third, the open and unstructured nature of the internet implies that a perfect solution is just about impossible to implement. There is no automated solution that can filter out everything a parent might consider objectionable and yet leave the internet usable. Technology just hasn’t evolved to that level and may never do so. One can get close, but can never achieve complete protection. Just like in the real world – you can make it difficult for your children to be exposed to bad stuff but you cannot completely prevent it without locking them up, which of course is undesirable.

So what does a busy parent do who wants to ensure his family can make the best of the internet, yet stay safe? I have been confronted with this problem as I see my kids growing up. I have looked hard on the internet but have not found any completely satisfactory solution that a non-technical parent could easily adopt. There are good solutions and bad ones and it takes a lot of effort sorting through the jargon and technology to understand what works.

In my subsequent posts I will try to share how I have tried to address this problem. My aim is to present the solution in a manner that is easily understandable to most parents.

I hope this will be helpful to harried parents who want a safer internet environment in their homes.