Bjørn Jensen · December 21, 2016
For quite some time now we have been offering content filtering with our pre-configured network solutions. In fact, we have some of the most robust ways to do this but when you take it to a higher level it is very intrusive for a homeowner, forcing them to install SSL certificates on every browser, and there is no way they can manage this themselves.
I’ve been searching for a better solution, or at least a complementary solution, for quite some time now. There are always many ways to skin a cat and there are already companies like Router Limits that have gone a long way in making this easier for you to sell to your clients.
One day, while doing a little research into this problem of ours, I stumbled across OpenDNS (acquired by Cisco last year) which I had already been familiar with but not necessarily for home use.
It turns out they have a free service which allows folks to use their name servers to provide a level of protection and filtering automatically.
I decided to set this up for my own kids because I get concerned about what they have access to on the internet and I worry their young minds will be horrified to see some of the stuff out there. They are only 5 and 9 after all.
Using this instead of our SonicWALL content filtering will also allow the lovely wife the ability to make changes on the fly should she feel the need.
It works so well I thought I should share it to the world.
We get asked all the time for a solution like this, where a homeowner can take action themselves and manage their kids’ internet usage without having to call an integrator or call us, so I thought this solution would be helpful to empower them with that ability.
You can even view reports and stats of where users have been navigating the web, in case you’re worried they’ve been up to no good.
OpenDNS works by redirecting all domain-name (DNS) traffic to specific servers provided by them, which will not forward traffic to sites that have been known to have malware, botnets, porn, illegal activity, or just about anything you don’t want your kids to see or have access to.
It’s a simple and very graceful solution to a usually complicated problem.
OpenDNS offers three plans. The “Family Shield” plan requires that you simply enter the specified name server on your child’s device – no registration required. But you do lose some management features with that version. OpenDNS Home is also free, but it works through your router for more universal control.
Setting Up OpenDNS
Here is a step-by-step tutorial on how to get a slightly more robust solution than just entering some DNS entries onto a device.
First, navigate to their website at http://www.opendns.com.
On the OpenDNS homepage, select the “Personal” option at the top. From there you can either choose an option for servers I mentioned earlier that need no configuration at all, or you can choose to open a free account that gives you the ability to manage it even better.
Let’s look at “OpenDNS Home.”
From here, simply create your new, free account. You will be given the name servers that you will be pushing out to the devices you would like protected. These are:
Under “Choose your Device” click on “Home Routers,” as we’re going to configure this to work with your home router, which is what is giving out the DNS settings. There is a list of home router configuration guides to help most people set this up by themselves; however, in the case of many of our clients, they will have something more robust or more industry-specific that may not be listed here.
Now you’ll need to log in to your newly created account to set up the system. You should have received an email confirmation that will take you to the login page.
Once logged in you’ll be asked to “Add a network.” This is where it gets a bit tricky. If you or your client has a dynamic IP address, meaning it will change from time to time, you will need to have a computer in the house to install OpenDNS’s Dynamic IP updater client. This is a simple and small app that runs in the background and is linked to your OpenDNS account. That way your account is always listed correctly with your current public IP.
Either way, you’re going to have to find your current public IP and enter it into the field provided. If you don’t know what your current IP is, just look at the top of the browser window, where OpenDNS displays it for you.
Next you’ll have to give it a friendly name so it’s easy to remember. I suggest the client’s name. Click whether or not your address is dynamic and then click “Done.”
Now that you have created your account and set up your network, it’s time to set up content filtering. Click on your network, then choose “Web Content Filtering.”
Here is where the magic happens. You can choose any of the pre-populated security levels, or you can create your own. I found that none of the filter levels suited me, so I made a custom one. When I chose HIGH security it wouldn’t allow access to YouTube, webmail, or even a Comcast account. Yes, I want my kids to have access to YouTube because they look up DIY things all the time and I want them to have the ability to do that. Here is how I have mine set up in case you’d like to copy it:
Once that’s done you can move on to the security page which gives you Malware/Botnet protection, phishing protection, and even suspicious responses from your internal network. Very cool!
All this is done without the need for an expensive firewall and once the account is set up your clients can make these changes easily themselves. They can even “always allow” or “always block” individual domains. Just poke around the interface and you’ll see there are a lot of options, most of them relatively easy to understand. This is aimed at homeowners after all.
Now, you have probably realized that any enterprising young kid who knows the first thing about DNS will know that he can manually assign himself a different DNS server to circumvent these settings. That’s where a robust firewall comes into play.
For my scenario I wanted my kids to have their own SSID and network to log into that always gave them the name servers provided by OpenDNS and would not allow them to browse the internet without them.
I created a new VLAN on our SonicWALL firewall, applied it to the trunk ports and AP ports on the switches, and then created a new wireless network (KidsZone) on our Ruckus system along with the VLAN tag I had just created.
In the SonicWALL I manually set the DNS for that new network’s DHCP server to use the name servers provided by OpenDNS.
Now any time the kids log onto that network they will receive the DNS handed out by the firewall. That still doesn’t keep them from just manually assigning Google’s DNS or some other DNS themselves.
To keep this from happening I had to create a firewall rule that would only allow DNS traffic to be forwarded to those name servers provided and NOWHERE ELSE. This consisted of a few quick rules:
As you can see in the image above, I created an address group out of the name servers that were provided. My source is the new VLAN I had created (Vlan 7) and the destination is the address group. Then I allowed all DNS traffic to those servers.
I created another rule denying any DNS traffic to any destination. Because my first rule has a higher priority than the second, DNS traffic to the address group I created is still allowed even though DNS to every other destination is denied. Voila!
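The two-rule ordering above is easy to get backwards, so here is an added example (not from the original post or from SonicWALL) that models first-match evaluation of the kids VLAN rules and shows why the allow rule must sit above the deny. The resolver addresses, the VLAN subnet and the test packets are constructed placeholders; substitute the name servers your OpenDNS account shows you.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders (RFC 5737 documentation ranges). Replace with the
# two resolver addresses shown in your OpenDNS account and your own kids subnet.
OPENDNS_GROUP = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}
KIDS_VLAN = ip_network("192.168.7.0/24")   # stands in for "Vlan 7" in the post
DNS_PORTS = frozenset({53})                # applies to both UDP and TCP port 53

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src_net: object    # ip_network, or None for any source
    dst_group: object  # set of ip_address, or None for any destination
    dports: frozenset  # destination ports, empty means any port

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ip_address(pkt.src) not in self.src_net:
            return False
        if self.dst_group is not None and ip_address(pkt.dst) not in self.dst_group:
            return False
        return not self.dports or pkt.dport in self.dports

def evaluate(rules, pkt, default="allow"):
    """First-match, top-to-bottom evaluation, like an ordered firewall ACL."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Rule 1: kids VLAN -> OpenDNS address group on port 53, allow (higher priority).
# Rule 2: kids VLAN -> anywhere on port 53, deny.
ALLOW_OPENDNS = Rule("allow-dns-to-opendns", "allow", KIDS_VLAN, OPENDNS_GROUP, DNS_PORTS)
DENY_OTHER_DNS = Rule("deny-all-other-dns", "deny", KIDS_VLAN, None, DNS_PORTS)
CORRECT_ORDER = [ALLOW_OPENDNS, DENY_OTHER_DNS]
WRONG_ORDER = [DENY_OTHER_DNS, ALLOW_OPENDNS]   # the deny shadows the allow

def check_policy(rules):
    """Verdicts for the three cases worth testing after building the rules."""
    to_opendns = Packet("192.168.7.25", "203.0.113.10", "udp", 53)
    to_other = Packet("192.168.7.25", "198.51.100.53", "udp", 53)   # some other resolver
    web = Packet("192.168.7.25", "198.51.100.80", "tcp", 443)       # ordinary browsing
    return {"dns_to_opendns": evaluate(rules, to_opendns),
            "dns_to_other": evaluate(rules, to_other),
            "https_anywhere": evaluate(rules, web)}

if __name__ == "__main__":
    print("correct order:", check_policy(CORRECT_ORDER))
    print("wrong order:  ", check_policy(WRONG_ORDER))
```

Run it once with the rules in each order: the wrong order denies DNS even to the OpenDNS group, which on a real firewall shows up as the kids' network resolving nothing at all.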
Now the only way they can browse the internet is to use the new name servers. Yes, there are some other interesting ways to get around this, but for most people it would be very difficult. I’m sure when my nine-year-old turns 14 I’ll have to revisit this.
I hope this helps. Of course, if you’d rather just have someone else set this up for you I welcome you to give us a call (whyreboot.com) any time and we’ll be happy to help you out!
This article first appeared in CEPro here.