How to prevent circumvention of OpenDNS

Hi all,

Does anyone know how to prevent network clients from circumventing the OpenDNS parental controls by manually changing the DNS server on their device?

Message 1 of 5


Re: How to prevent circumvention of OpenDNS

Simple answer is you can't.

Message 2 of 5

Re: How to prevent circumvention of OpenDNS


@peteytesting wrote:

Simple answer is you can't.

Thought so.

Thanks for confirming.

Message 3 of 5

Re: How to prevent circumvention of OpenDNS

Per OpenDNS:

If your network security allows users to change the local DNS IP server address to something other than OpenDNS' IP addresses, savvy users may try to bypass OpenDNS in this way. However, it should be possible to not allow those other DNS services through your network firewall to the Internet, which will prevent these users from circumventing the protection.

Most routers and firewalls will allow you to force all DNS traffic over port 53 on the router, thus requiring everyone on the network to use the DNS settings defined on the router (in this case, OpenDNS). The preferred recommendation is to forward all DNS requests sent to non-OpenDNS IPs to the OpenDNS IPs listed below instead. This way, you simply forward people's DNS requests without them knowing, instead of having the possibility of someone manually configuring DNS and having it just not work.

Alternatively, you can create a firewall rule to only allow DNS (TCP/UDP) to OpenDNS' servers and restrict all other DNS traffic to any other IPs.

Essentially, add the following filter or rule to the firewall that is at the edge of the network:

ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53

and

BLOCK TCP/UDP IN/OUT all IP addresses on Port 53

The first rule trumps the second rule, so any requests to OpenDNS are allowed but any DNS requests to any other IP are blocked.

Depending on your firewall configuration interface, you may need to configure a separate rule for each of these protocols or one rule which covers them both.

The rule can be applied on either the firewall or the router, but is normally best placed on the device closest to the network edge. A similar rule could be applied to software firewalls installed on a workstation as well, such as the built-in firewall on Windows or Mac OS X.

Unfortunately, individual configurations are not something OpenDNS is able to assist in supporting, as each firewall or router has a unique configuration interface and these vary greatly. If you are uncertain, you should check your router or firewall documentation or contact the manufacturer to see if this is possible with your device.
Message 4 of 5
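As an added illustration (not part of this thread and not OpenDNS's own material), the Python below simulates the two rules quoted in the post with first-match semantics, so you can see why the ALLOW rule has to come before the catch-all BLOCK, and how the "preferred" redirect variant differs from outright blocking. The resolver addresses are the two quoted in the post; the sample flows and the 198.51.100.53 destination are constructed (it is a documentation address standing in for a client's hand-configured resolver).

```python
# Added example: first-match simulation of the OpenDNS-only DNS policy quoted
# in the post. Not the thread's or OpenDNS's code; sample traffic is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenDNS resolver addresses quoted in the post.
OPENDNS = ("208.67.222.222", "208.67.220.220")
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "ALLOW", "BLOCK" or "REDIRECT"
    protos: Tuple[str, ...]
    dst_ips: Optional[Tuple[str, ...]]   # None matches any destination IP
    dst_port: Optional[int]              # None matches any destination port
    redirect_to: Optional[str] = None    # only used by REDIRECT

    def matches(self, flow: Flow) -> bool:
        return (flow.proto in self.protos
                and (self.dst_ips is None or flow.dst_ip in self.dst_ips)
                and (self.dst_port is None or flow.dst_port == self.dst_port))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Flow]:
    """Return (decision, resulting flow). The first matching rule wins, as the
    post says ("the first rule trumps the second"). No match means the traffic
    is left alone, which is the default on a typical home router."""
    for rule in rules:
        if rule.matches(flow):
            if rule.action == "REDIRECT":
                # Rewrite the destination, the way a DNAT rule would.
                return "REDIRECT", Flow(flow.proto, rule.redirect_to, DNS_PORT)
            return rule.action, flow
    return "ALLOW", flow


# The two rules exactly as the post orders them.
BLOCK_POLICY = [
    Rule("ALLOW", ("tcp", "udp"), OPENDNS, DNS_PORT),
    Rule("BLOCK", ("tcp", "udp"), None, DNS_PORT),
]

# The post's preferred variant: DNS aimed anywhere else is quietly sent to OpenDNS.
REDIRECT_POLICY = [
    Rule("ALLOW", ("tcp", "udp"), OPENDNS, DNS_PORT),
    Rule("REDIRECT", ("tcp", "udp"), None, DNS_PORT, redirect_to=OPENDNS[0]),
]

# The same two rules in the wrong order: the catch-all now swallows OpenDNS too.
MISORDERED_POLICY = list(reversed(BLOCK_POLICY))

# Constructed sample traffic. 198.51.100.53 is a documentation address standing
# in for a resolver a client typed into its own network settings.
SAMPLE_FLOWS = [
    Flow("udp", OPENDNS[0], DNS_PORT),        # DNS to OpenDNS over UDP
    Flow("tcp", OPENDNS[1], DNS_PORT),        # DNS to OpenDNS over TCP
    Flow("udp", "198.51.100.53", DNS_PORT),   # DNS to a manually configured resolver
    Flow("tcp", "198.51.100.53", 443),        # ordinary HTTPS, not DNS: untouched
]


def decisions(rules: List[Rule]) -> List[str]:
    """Decision for each sample flow under the given rule set."""
    return [evaluate(rules, f)[0] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for name, policy in (("block", BLOCK_POLICY),
                         ("redirect", REDIRECT_POLICY),
                         ("misordered", MISORDERED_POLICY)):
        print(f"{name:10s} {decisions(policy)}")
```

The misordered case is the one to watch for in a router GUI that evaluates rules top to bottom: with the catch-all first, even the OpenDNS resolvers are blocked and nothing on the LAN can resolve names. The redirect variant needs a NAT-style destination rewrite rather than a plain filter rule, which is why the post calls it preferred but also why fewer consumer routers expose it.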

Re: How to prevent circumvention of OpenDNS


@OrbiMan wrote:

Thanks for replying. I'm aware of IP filter setups, but my question is about the Orbi router.

The only way these rules could be implemented on an Orbi router is manually via telnet (assuming the ipfilter program is even available), and they would need to be re-done after every reboot.

Given the ease-of-use focus of the Orbi system, what should be done is an option to "restrict network name resolution to Orbi system", or some similar wording, that adds these filter rules.

Certainly putting the Orbi router into AP mode would allow a different router to be used, which could be chosen such that filter rules like this could be used, but that's not my question either.

So, as far as my question is concerned, @peteytesting is correct in what he says.

Ian

Message 5 of 5