Home Network Project
  • Using DNS to block access to unwanted websites on your network.

    Posted on May 5th, 2009 lance No comments

    Why block sites from your network?

    Some businesses need to protect themselves from sexual harassment suits, so certain sites need to be blocked.  Just because they have a no-harassment policy does not mean ALL employees are going to obey it.  Trust me, I work with some of these boneheads.  Companies also attempt to block time wasting on their computers.  They have the right, and some exercise it, to monitor net traffic on their network, but sometimes it’s just easier and cheaper to block certain websites.

    I read a post one day where a man was allowing his daughter and deadbeat son-in-law to live in his attached apartment while the son-in-law supposedly was looking for a job.  He allowed them to use his wireless Internet connection since the son-in-law claimed it was necessary in finding a job.  The father was suspicious of the Internet activities so as the Internet provider for his daughter and son-in-law, he wanted a way in which he could limit certain activities.

    Categories

    Parents too may feel the need to block certain sites for obvious reasons, but then they may want to also be more specific in what’s blocked.

    There are several options available.

    One option is a little more involved and I hope to be able to play with it and post my experience here.  That would involve setting up a proxy server such as Squid, and then setting up either SquidGuard or DansGuardian to block unwanted content.

    Another option would work for Windows and Mac users.  That would be NetNanny.  The basic Family Pack Special at the time of this writing is under $60 for 3 Windows PCs for a year.  I looked at it a while back and it is quite configurable.  If you want to spend the money, this looks like a great option.  But we’ll see if we can find anything cheaper that fits the bill.

    The one we’re going to look at today is OpenDNS.  Can you say “FREE”?  Okay, why are we waiting?  No, I am not paid by OpenDNS, but for a freebie, it is definitely worth interrogating.

    The nice thing about OpenDNS is that it replaces your current DNS servers, so what operating system you use is a non-issue.  Also, if you want your router to provide DNS listing, you’re covered there as well.  Nifty, I must say.  So, how does this work?  What do I need to do?  If, after reading these steps, you decide this is an option you wish to explore, go to OpenDNS, of course, and create an account.

    How does OpenDNS work?

    Just to recap from my post on Dynamic DNS, when you ask for a website through your browser, your computer does not know where to get it from, so it asks a DNS server, for example, where technopotomus.com resides.  The DNS server then tells your computer the IP address of the requested URL and then your computer makes a request for a web page from that particular IP address it was given.

    Does it matter what DNS server you use?  Mostly yes, sometimes no.  Or is it the other way around?  Anyway, the closer to you that your DNS server is, the faster the response to your request will be.  Also, most DNS servers are constantly being updated with the IP addresses of all the domains on the Internet.  So normally, you’d want the DNS server that your Internet provider provides for you.  This is normally given to your computer or router automatically through DHCP as it also grabs its dynamic IP address.

    Identification through IP address.

    Now, if you change your DNS server to OpenDNS’ servers, will everything work okay?  NO.  How will they be able to differentiate your requests from mine?  By your IP address.  This presents a dilemma, considering most people use dynamic IP addresses.  It changes anytime they reconnect to their Internet provider.  Even if you have a broadband connection and never disconnect, you still run that risk.  The power in your area could experience a momentary hit, causing your router to be powered off long enough to have to reconnect, thereby getting a newly assigned dynamic IP.

    How do we fix this?  Dynamic DNS.  Even if you are not interested in a domain name to connect to your computer or network, it is necessary in order to use OpenDNS.  Why?  Because they said so!!  That’s why!  Oh . . . wait, no that’s not why.  It’s so when your IP address changes, your computer or router logs into your Dynamic DNS service, therefore updating with them what YOUR IP address is at any given moment (except for that moment the power went out for a minute and your computer/router logged back on to the net).  That service can be set up to then update your IP address with OpenDNS.  NOW they know your IP address.  And NOW they know who is making the request for a specific web site.

    Okay.  Do we have that all cleared up now?   Good.  Let’s move on.

    All your base are belong to us.

    Networks

    What does that mean?  Okay, Wikipedia has the answer to this one.  Let me rephrase that.  Now that OpenDNS knows what your IP address is, their DNS server can then give you the IP addresses of the sites and only the sites that you desire per your settings.

    Even if you have more than one IP address, you can add it and configure different settings for any computers using that address.  It is quite configurable I must say.  This opens up a larger number of possible scenarios.

    Create a Shortcut

    Another nice customization they offer is that of shortcuts.  Let’s say you have a URL that you go to a lot, but it’s a long one to type.  Say for instance TECHNOPOTOMUS.COM.  Now that’s too many letters for your tired fingers and of course you don’t know how to use bookmarks in your browser, right?  Okay, sarcasm aside, this is still a cool little feature.  Instead of typing in the URL you want, you preconfigure a shorter version, say in this instance: TECH.  Now all you have to do is type in TECH in your browser and click send, hit enter, do whatever it is you desire to send those bits in a blazing flash to the DNS server so that you can receive your data at light speed.

    Managing and Reporting

    Manage your account

    Now that you have everything all set up, you can enjoy being able to see that it’s working.  Of course, one way is to try to access a site that should deny you access.  You should get a page from OpenDNS telling you why the page was denied.  That is, if everything is set up right.  Of course, don’t test it out by visiting a site you don’t want the kids to see while they’re standing there.  Just in case you forgot to change your DNS servers.  Oh yeah, we didn’t get to that, did we?  In a minute.

    Top Domain List

    With your account all set up, you can access the dashboard to manage your account and check stats.  The stats can show you all the web traffic from your network, including what was blocked.  What’s nice is being able to specify a range of days and a type of domain, and then filter what you want your report to display.

    Action

    Once that’s done, you can go through the list and click on action for a particular URL to either block it in the future, or unblock it if the site was originally blocked and you desire it not to be.  It’s these individual exceptions that are nice to have easy access to.

    Configuring your DNS servers.

    Normally, as was mentioned earlier, your computer or router gets the DNS server information automatically through DHCP.  However, if you are using different DNS servers than what your ISP wants to assign to you, you’ll need to configure them on your device manually.

    LINUX – Yeah, this is easy.  Change the nameservers listed in your /etc/resolv.conf file to your new OpenDNS DNS server addresses.
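
    The Linux step above only holds if every nameserver line points at OpenDNS; a leftover ISP or router entry, or one rewritten later by the DHCP client, gives lookups an unfiltered path.  The script below is an added example, not part of the original post: it audits a resolv.conf-style file, assuming the OpenDNS resolver addresses 208.67.222.222 and 208.67.220.220 (not listed on this page) and a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the original post): audit a resolv.conf-style file
# for nameservers that would let lookups bypass OpenDNS filtering.

# OpenDNS public resolvers. These addresses are not given on the page.
OPENDNS_RESOLVERS="208.67.222.222 208.67.220.220"

# Print each configured nameserver address, one per line.
# Commented-out lines and other directives (search, options) are ignored.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Print every nameserver that is not an OpenDNS resolver.
# Exit status: 0 = only OpenDNS, 1 = bypass resolver present,
# 2 = no nameserver lines (the system resolver then falls back to localhost).
audit_resolv_conf() {
    servers=$(list_nameservers "$1")
    [ -n "$servers" ] || return 2
    found=0
    for ns in $servers; do
        case " $OPENDNS_RESOLVERS " in
            *" $ns "*) ;;                # filtered resolver
            *) echo "$ns"; found=1 ;;    # unfiltered path out
        esac
    done
    return "$found"
}

# Constructed sample: OpenDNS was added, but a router address handed out by
# DHCP (192.168.1.1, hypothetical) was left in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample file
search home.lan
nameserver 208.67.222.222
nameserver 192.168.1.1
#nameserver 10.0.0.1
EOF

if leftovers=$(audit_resolv_conf "$sample"); then
    echo "all lookups go to OpenDNS"
else
    echo "unfiltered resolvers still configured: $leftovers"
fi
rm -f "$sample"
```

    To check a live machine, call audit_resolv_conf /etc/resolv.conf after each DHCP lease renewal.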

    DNS settings

    Windows – Access the properties for your network card, be it wired or wireless, then click on Internet Protocol in the list of items your connection uses, then click on the properties button.  At the bottom of this new panel you should have an option to obtain your DNS server addresses automatically or you can set them yourself.  Are you reading ahead?  No?  Then how did you know I was going to tell you to click on the “Use the following DNS server addresses” option?   You are one smart cookie.  Okay, then configure the addresses, smarty.

    Mac – Mmmm, sorry, as nice as Macs are, my exposure to them is about every six months.  Just long enough to be reminded that I don’t know my way around one very well.  I’ll bet if you don’t know how to change your DNS settings on your Mac, you could find information on the Internet.  Oops, I guess this page is on the Internet.  Okay, elsewhere on the Internet.  One day I will have a Mac and you can teach me.

    Linksys setup

    Linksys Router – Okay, I only have information for Linksys Routers.  Mainly because it’s the more common one out there.  If your router is a different brand, you too should be able to find the info you’re looking for by searching Google.  However, you may be able to find it easily enough on your own.  Now on the Linksys main setup page, there should be settings toward the bottom for entering your DNS server addresses.  Wow, could it be any harder?

    Summing up.

    OpenDNS does allow you to make exceptions to the rules.  So if you wanted to block ALL blogs, except this one, you would select blogs in your categories to block, but then at the bottom of the page add whatever exceptions you want.

    I have experienced a site that should not have come through.  This is possible seeing as how someone has to maintain the database and it will not be 100% perfect.  But I do know it’s more thorough than a business hiring someone to sift through a gazillion web pages to determine what category they belong to.  If you do hit a site that should’ve been blocked, OpenDNS provides a means to enter that in so that others can benefit from your find.  You can search for sites and see what category they fit into, if any.

    Keep in mind, though, they are a free service and you can expect to get what you pay for.  However, I do believe here you’re getting a lot more.

    They do, though, have this little quip on their site.  Read into it however you wish.

    Note: Domain blocking is not intended to be a category blocking service, like phishing or adult site blocking. It’s intended to give you pinpoint control over what’s on your network.
