Creating a safe internet environment at home –Part 3/3: OpenDNS

In my previous post I explained what DNS does. Your internet service company generally provides a default DNS service that your Wifi router automatically starts using when it connects to the internet.

If you could force all computers in your home network to use a specific DNS service, you could control which websites are visible. This post will explain how you can instruct your Wifi router to start using OpenDNS’s DNS service, which will allow you to filter and control the internet access from within your home network.

OpenDNS is a company that provides such a service. It is a freemium service, in that they provide a basic service for free and you can opt for paid options. In my experience, the free option works very well for my home and should be sufficient for most people. (Disclaimer: I don’t have any association with OpenDNS except that I am a very satisfied user).

Create an OpenDNS account

You first need to create an OpenDNS account. You can sign up for a free account at www.opendns.com. You have a choice of two types of free services, OpenDNS Home Basic and OpenDNS FamilyShield. Of the two, OpenDNS FamilyShield is much simpler to use and probably where you should start if you don’t need to fine tune or customise the content filters. OpenDNS FamilyShield has a single filtration profile that blocks most adult content, malware, phishing sites and proxies and anonymizers. OpenDNS Home is a little more complex because it allows you to fine tune what you want to control and also allows you to selectively allow access to sites that might otherwise get blocked. However it does require you to fiddle around with downloading some minimal software on your computer which will ensure that your Wifi Router’s  IP address is always known to the OpenDNS servers. We will take a quick look at both of these options. I have tried to cover this at a high level here, but you can get a lot of helpful information on OpenDNS’s web site at www.opendns.com/support

OpenDNS FamilyShield

OpenDNS maintains a global directory of sites which have adult content, malware, phishing software, scam ware, and other nasty stuff. This is updated continuously based on feedback from the large community of users around the world and other sources. When you use FamilyShield, you essentially configure your Wifi Router to start using the DNS servers with the following IP addresses:  208.67.222.123 and 208.67.220.123.

You will need to know how to configure this setting on your Wifi router. The process for this is different for different router models so you will need to look up the instructions in your user manual or ask your local techie sabjantawalla. You can also look up the OpenDNS site where they have listed instructions for some popular models: https://store.opendns.com/familyshield/setup/router

You will essentially need to connect to your wifi router using a web browser and manually update the DNS server addresses. Once you are done updating It will look something like this

DNS

Note that if you are a single computer household or your computer connects to the internet over a 3G data card, you will need to set up the OpenDNS FamilyShield DNS IP addresses directly on the computer. Depending on your computer type, the steps vary, but you can get detailed instructions at https://store.opendns.com/familyshield/setup/computer

Once you have set up OpenDNS FamilyShield, you do not need to fuss about anything else and your home network becomes a relatively safe browsing environment. Anytime a user in your home tries to access an internet web site, the OpenDNS FamilyShield DNS server will block sites that are listed in its pre-defined blacklist.

OpenDNS Home Basic

OpenDNS Home allows the technically savvy user more control over what access is blocked plus hours of enjoyment (:-)) reading detailed historical statistics about the type of traffic originating from his or her home network. Some complexity does come with this increased control. OpenDNS lets you create your own user profile and instruct it in great detail about which types of content you would like it to filter. You can also add a list of sites that you specifically would it to block or allow. In order for OpenDNS to do this, it needs you to let it know the IP address of your home network because that is how it will identify DNS messages coming from your home.  A very good tutorial is available at http://www.opendns.com/support/videos

You can easily find out the public IP address of your Wifi Router by pointing your browser to one of many websites, and OpenDNS is one of them. If you go to  openDNSIp

http://www.opendns.com, your wifi Router’s IP address is helpfully displayed beneath the logo. Once you have created your OpenDNS Home basic account, it will ask you to create a new network from the settings page after you have logged in to OpenDNS. Here you can enter the IP address of your Wifi Router and also pick and choose what type of networks you want to block (or allow) access to. You can even create a custom message to pop up on the web page when someone in your home network tries to access a blocked web site. You will then need to change the DNS server IP addresses on your home Wifi Router to 208.67.222.222 and 208.67.220.220. You can do this exactly as described above for OpenDNS FamilyShield (note that the IP address for OpenDNS Home Basic are different from those for OpenDNS FamilyShield).

From this point on everytime a computer on your home network tries to access a website, its DNS request will be sent by your Wifi Router to OpenDNS’s servers. These servers will be able to identify that the request has come from your home network by looking at the return IP address on the DNS messages. It will then apply the filtration rules defined in your account settings on OpenDNS. You now have a customised internet access control engine!

So you’re almost there… but not quite

Dynamic IP addresses

If you are using OpenDNS FamilyShield, you don’t need to bother with this section-you are done for now.

Unfortunately, if you are like most home users, the IP address of your Wifi router could change anytime, though it typically happens once every few days. This happens because most ISPs have a limited number of public IP addresses and keep allocating these to their home users on a need to use basis. What this means is that you need to constantly keep  OpenDNS updated about about your Wifi Router’s IP address. To do this, you need to first enable “Dynamic IP Update” from the advanced settings section of the settings tab on your OpenDNS dashboard. You will then need to run a program on a computer on your network that will connect to OpenDNS and keep it updated about your Wifi Router’s IP address. You can download a free OpenDNS Dynamic IP updater application from http://www.opendns.com/support/dynamic_ip/ for Windows or MacOS.

The important thing is this program must be always running on your computer because your Wifi Router’s IP address could change without notice. So you have to set it to be part of your startup applications on your computer (programs that are automatically started when your computer boots up). You can take your local techie’s help on how to do this. Ideally this computer should be running all the time so that your network is always protected.

Some Wifi Routers support this dynamic updating directly in the router, so you don’t need an always-on computer to be running the Dynamic IP updater. Some new models of Netgear and D-Link support OpenDNS. For the truly adventurous, it is possible to write small programs on routers running Linux or an open source software called DD-WRT or Tomato to directly update OpenDNS with the dynamic IP addresses. That, however is a topic for another time.

Gotchas

Like all security solutions — there are important tradeoffs to be made between freedom/usability and protection. No system is fool proof, far from it. What is important is to know the tradeoffs involved and adjust one’s behaviour and expectations accordingly. OpenDNS is one of many solutions available and is a starting point to gaining control over what goes on in your home network. It is not a substitute for good parenting and common sense. You will not achieve 100% control and neither is it desirable – after all you cannot follow your kids into the wider world over which you have no control. It is likely that a determined kid will work his or her way around your firewall. The idea is to let them know what is and what isn’t desirable and to protect younger kids from accidental exposure to the bad stuff. I’m going to list down here a few ways where the OpenDNS system is vulnerable so you are aware.

  • Use of device specific DNS. The default behaviour of most internet connected devices like laptops, desktop computers, iPads, smartphones etc. when connecting to a Wifi network is to send all DNS messages to the Wifi Router in your home. However, most users can also modify the settings on their device to bypass the Wifi Router and send DNS messages directly to some publicly available DNS services such as those provided by Google at 8.8.8.8. Kids over the age of 11 should be able to figure this out if they are looking to do so. The way to protect against this is to block port 53 on your Wifi Router. See the following article on OpenDNS.
  • Use of VPN services. A user on your network can create a virtual connection (VPN) directly to a server on a remote network and acquire a public IP address from there, bypassing your local router. There are commonly available VPN services like Hotspot Shield and HideMyAss but most require payment with a credit card or through Paypal. OpenDNS can also block these sites to some extent, though there are always methods to get around them. VPN services have legitimate uses, such as allowing people in countries with government run political firewalls (such as China) to access otherwise unavailable web sites.
  • Connecting via the 3G or cellular network. Most smartphones today have 3G access as well as a “hotspot” mode that allows them to share their internet access with other devices. So a user in your home could connect his or her computer to the internet over the 3G connection on a smartphone, bypassing your home wifi router. There is not much you can do about this except to keep an eye on the 3G bill!
  • Proxying by your ISP. You ISP may be routing all your internet traffic through a proxy, or forcing all your DNS messages to be redirected to their DNS servers. This is not so common, but can happen. You will need to need to speak to your ISP about it – if this happens my recommendation is to switch to a different ISP! I wouldn’t put up with a service where the ISP controls how I connect to the internet.
Advertisements