Protect Your Kids Online Using Open DNS
This week I have been covering tools to use within Windows Vista to help keep your kids safe using the PC and while being online. This article will apply will show how to use Open DNS with any Operating System to help filter undesirable web content. Simply put DNS (Domain Name System) translates IP address to an easy to remember hostname. For example if you were to type “216.239.51.99” without the quotes into your web browser you will be directed to google.com.
I wrote up an article previously that basically introduces you to Open DNS and how to add it to your router. Here we will look a bit deeper into it and show you how to best use it to your advantage. There is a lot of web content filtering possibilities which include specific sites, specific content, and adult website filtering.
The first thing you will want to do is sign up for a free account and download the OpenDNS Updater application. OpenDNS will automatically detect your IP address and will prompt you to create a name and download the Updater application.
After signing up go to your Dashboard where you can start creating rules for filtering, manage your administrator settings, and add additional networks. Basically your dashboard is where you will make all changes you need. If you ever get stuck or have questions they also have a cool support system which includes a knowledge base and user forum.
Lets take a look at filtering content. From your dashboard click on Settings. You will then be prompted to choose a basic filtering level from None to High. This might be a good choice if you want to easily filter out several categories. To view what the categories are in each level just click on View for a detailed look.
This is an example of the detailed categories in the Low filter setting. This helps you choose what types of content you want blocked.
Here is a list of all the categories available to block through OpenDNS. As you can see this service will work for your children as well as any user on your network and also for business.
You can choose a filtering level and add customized domain filtering to it, or completely customize everything. Probably one of the more publicized social sites you may want to block your child from is MySpace so I will use it as my example. Below the filtering levels you will see Manage individual domains. This is where you can get more specific in what your filtering. The two options are Never Block or Always Block.
Just type in the address of the site to block and click on the Add Domain button. You can then choose to just block the domain or better yet, block all of the categories in the sub-domain. This means although you block myspace.com if you do not block the sub-domains within the user can access some of the content. Any changes you make will take about 3 minutes to update.
Once you have created all of your filters and a user tries to go to a blocked site they will get a message telling them it is blocked and why. This is the standard message they will get.
Another cool feature is the ability to customize the message the user sees. You can customize it with say your company logo or a picture of yourself. So if you child tries to go to a pornography site and they see a picture of their parent … well … that might urge them to never try that again! This is an example of a custom message I made.
You can also get statistic logs which will show you what type of traffic was blocked and other stats to allow you to better filter content.
OpenDNS is a great way to protect your kids from undesirable Internet content but that is not all. Businesses can definitely use it in the workplace. I personally use it to improve my Internet experience. In future articles we will be covering a lot more on this incredible web service! To get an idea of how popular, effective, and trusted OpenDNS is you can check out a list of their business customers.
This is phenomenal! Thank you for posting this! What an excellent tip
I have been using this service for a while now. One of the best free services I have ever used.
I've found OpenDNS is an excellent tool for helping protect not just children from questionable content but also for protecting against basic Internet threats (Phishing, adware, DNS security issues).
Good job on the guide. I've had some friends I've suggest this exact service to for child safe filtering but they gave up a little quick. This will definitely help them feel more comfortable using this service. Thanks.
How does this block access to these sites if someone types in the IP directly?
@Ken Sykora: Being at the DNS level the IP addresses cannot be blocked.
Does this just change your DNS server? So if the kids are semi-intelligent with computers are they just able to change the TCP/IP Properties and change the DNS Server listed there?
I love the idea, but I hate to cripple peoples computer experience by putting them on limited accounts.
Or do you still have the same web control when setting it up through the router?
Is there a way to have my wireless base station use this for all the computers in my house?
@dragon_lady:
Yes. Just add it to your router.
https://www.opendns.com/start?device=linksys
To answer my own question, if you do it on a single computer, yes you would change the DNS server in the TCP/IP properties.
As for the router, all the settings on opendns.com are based off of your external IP address (the one you get from your Internet Provider). So once you have your router setup with the DNS servers you just need to have something to update your ip address (as most people have dynamic addresses, which means they change occasionally). They have many utilities for windows users and at least one for macs. I ended up creating a script so I could just have it run in the background on my linux machine. I will be posting it on my site tomorrow, and will put a link here for others in case they would like it as well.
Thank you for all your articles and especially this one. I have been looking for a decent web filtering solution for quite a while, and this seems like one of the best.
Does DynDNS.com have a similar functionality? I looked but can't seem to find it. I use that for my dynamic ip >> static address and would rather have an all-in-one solution.
hi,
does this slow down your web connection b/c it filters? If so by about how much? thank you.
Will this help me get around a port 25 email block by comcast? I have a legitimate, double opt-in newsletter and they still blocked me.
@Russell: No. DNS has nothing to do with port blocks.
@Russell: Try ultrasurf
@rubro: it doesn't slow down your connection at all because it actually doesn't filter in the traditional "web filtering" sense. All it does is resolve DNS requests, and then rejects those that lead to "bad" sites.
In fact, many people use OpenDNS to make their internet perform faster than it would with their normal ISP DNS service.
This is great! Thanks for the post. I'm going to use this on my mom and my younger brother to make sure they don't visit any inappropriate websites.
Over the last 12 months I have setup OpenDNS filtering on a number of client sites as well as my own home network.
During that time I have found the OpenDNS service to be ultra reliable, and the filtering keeps getting better and better. The original categories were very limited, however these were significantly expanded earlier this year and it is now an enterprise-ready service.
Note that for sophisticated users, a firewall would need to enforce rules blocking usage to DNS servers other than the OpenDSN servers.
Bottom line - a fantastic and very valuable free service.
I agree with bassmadrigal:
kids will figure out how to change the DNS server… when a bunch of web pages can't be loaded.
or use one of the many proxies..
@ anon
1. if you configure your router with these settings (rather than just on the PC), changing the DNS servers on the PC level won't help (I think). do this on a password protected router and I think that solves that issue
2. you can block proxies using opendns too. I think it's one of the categories
Proxies can be filtered by OpenDNS. But as others mention, if the kids are smart enough to bypass the DNS settings then they can get round the filter. Another thing to consider is giving them a non-administrative account and don't allow configuration changes through group policy. That would hog tie them.
@Russell, call Comcast and ask to opt out of port 25 blocking.
Thank you for this tip, I have searched around…what if I only want to block one or two PCs in this fashion but not the others?
Yes, tech-saavy kids will always find a way around EVERYTHING, but, you can at least make it harder for them.
You could set up a firewall rule that would block all DNS traffic between your computer and everything EXCEPT OpenDNS, which force your computers to use OpenDNS.
Well I finally got around to getting the linux script up on my site. Here is the link
http://bassmadrigal.com/blog/2008/08/17/opendns-dynamic-ip-update-script-through-linux/
Also… I have found a way for people to block the ability of users within the network to use there own nameservers. Essentially you need to block port 53 at the router end. I will be making a new post to cover this with DD-WRT based routers. Basically, it is use the OpenDNS nameservers or learn all your blocked websites IP Addresses. I will be posting more on this on my blog.
@anon Proxies are one of the things you can block access to.
Here is the write up for blocking the kids from changing the DNS server through DD-WRT based routers. (Or any that you can input iptables commands).
http://bassmadrigal.com/blog/2008/08/17/disabling-secondary-dns-server-in-dd-wrt-for-opendns/
Of course if your kids really wanted to bypass that they could just reset the router or plug directly into the modem, but notwithstanding that this is the most secure way to do it.
Awesome tools. Thanks to share with us.
@bassmadrigal:
Thank you for the Linux tips on Open DNS!
@bassmadrigal
"Of course if your kids really wanted to bypass that they could just reset the router or plug directly into the modem, but notwithstanding that this is the most secure way to do it."
Best practice is that the login is handled by the router rather than the modem, e.g. the modem operates in pass-thru mode.
Resetting the router would take out the connection unless "your kids" knew the ISP login username and password. Hence, these would need to be kept secure from "the kids".
With the combination of blocking of DNS queries to non-OpenDNS servers and the above procedures, physical access to the modem and router still does not allow them to bypass the OpenDNS setup because as you've already noted, Proxies can be blocked in teh OpenDNS settings.
@Frank Daley
That is true for some internet connections. Most cable based connections do not deal with usernames and passwords. The ISP bases your connection off of the MAC of the Cable Modem and the router is just set to Auto grab an IP. But I didn't think of that for DSL users.
Lets say I use this to block sites for my kids, but maybe there are time I wish to frequent the sites….how does this work?
Depending on how smart your kids are, you could allow proxies, and then browse through the sites using one of the many free proxy services out there. Or you could change your dns server on your computer to the one that your internet provider uses (you can typically see this in your router status page). If you were to do it on one specific computer and your kids would use another one, you can block all DNS queries (specifying a different DNS server on a local computer) except to certain IP's, and that would be a slight modification to one of the commands on a post I referenced to above.