Posts Tagged ‘OpenDNS’

More on OpenDNS

Thursday, January 1st, 2009

Even if you set all computers and the gateway to use OpenDNS servers, it may be possible for savvy users to change the configuration on their computers, which will bypass the settings on the gateway. In a domain environment, this can be prevented through Group Policy. In a workgroup or home setting where computers are running on Windows XP, most users will be operating with administrative privileges. This makes for poor security, but in many environments users find that running as a limited user in XP is just too limiting and will be running as administrator. There are, however, ways to prevent users (or the kids) from bypassing the OpenDNS settings:

1) More advanced gateways and routers (e.g. Astaro, Untangle, Cisco, and most business-class devices) will allow you to configure an Access Control List (ACL), or a firewall rule that will block all DNS traffic (on UDP port 53). Of course, this will also block traffic to the OpenDNS servers, so this rule must be PRECEDED by one that will ALLOW UDP port 53 traffic to the OpenDNS server IP addresses (208.67.220.220 and 208.67.222.222). Remember: "first hit, not best fit" on firewall rules. Some newer home / SOHO routers also have the ability to set rules based on port numbers.

2) Even if the router does not have a way to set rules based on port numbers, it may allow you to block specific IP addresses. You cannot block the address of every DNS server on the internet, but if you block the addresses of the ISP's DNS servers, this will prevent users from bypassing OpenDNS by choosing to obtain DNS settings automatically in Windows. You might also want to block 4.2.2.1 through 4.2.2.6, since lots of people know these addresses (because they are easy to remember). This does not always work and all it does is raise the bar a bit for those who want to circumvent the rules. Since the user cannot see why the traffic is being blocked, they may give up after a few tries and assume that all DNS traffic to sites other than OpenDNS is being blocked.

3) Finally, you may be able to log the traffic to see who is violating policy (there is a written policy, right?), but this can be a time-consuming proposition.
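
To make the "first hit, not best fit" point concrete, here is an added example (not part of the post) in Python: a small first-match evaluator run over the two kinds of policy from items 1 and 2 above. The ISP resolver address 198.51.100.53 and the unlisted resolver 203.0.113.53 are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Added example (not from the post): a tiny first-match evaluator for the
# UDP/53 egress policies described above. A packet takes the action of the
# FIRST rule it matches ("first hit, not best fit"); later rules never run.
OPENDNS = ("208.67.220.220", "208.67.222.222")

def rule(action, proto=None, dport=None, dst=None):
    """One firewall rule. None means 'any'; dst is an IP or CIDR string."""
    return {"action": action, "proto": proto, "dport": dport,
            "dst": ip_network(dst) if dst else None}

def matches(r, pkt):
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["dst"] is None or ip_address(pkt["dst"]) in r["dst"]))

def evaluate(rules, pkt, default="allow"):
    """Action of the first matching rule, or the chain's default policy."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return default

def dns_query(dst, proto="udp"):
    return {"proto": proto, "dport": 53, "dst": dst}

# Item 1, correct order: ALLOW to the OpenDNS resolvers, then DENY all other UDP/53.
PORT_RULES_OK = [rule("allow", "udp", 53, ip) for ip in OPENDNS] + [rule("deny", "udp", 53)]
# Same rules, wrong order: the catch-all hits first, so OpenDNS is cut off as well.
PORT_RULES_BAD = [rule("deny", "udp", 53)] + [rule("allow", "udp", 53, ip) for ip in OPENDNS]

# Item 2, a router that can only block destination IPs: deny the ISP resolver
# (constructed placeholder 198.51.100.53) and the well-known 4.2.2.1 through 4.2.2.6.
IP_ONLY_RULES = [rule("deny", dst="198.51.100.53")] + \
                [rule("deny", dst=f"4.2.2.{n}") for n in range(1, 7)]

if __name__ == "__main__":
    for name, rules in [("port rules, correct order", PORT_RULES_OK),
                        ("port rules, wrong order", PORT_RULES_BAD),
                        ("IP-only blocklist", IP_ONLY_RULES)]:
        for dst in (OPENDNS[0], "4.2.2.1", "203.0.113.53"):
            print(f"{name}: UDP/53 to {dst} -> {evaluate(rules, dns_query(dst))}")
```

The IP-only policy shows why item 2 only raises the bar: a resolver that is not on the list (203.0.113.53 here) still gets through, while the port-based policy denies it.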

If this is an important issue in a business setting, you have a strong case for installing a UTM, which allows much greater control over all web traffic and can positively lock down DNS traffic.

Certainly in business settings, and possibly in homes as well, there should be a WRITTEN policy prohibiting visits to unacceptable web sites, as well as prohibiting tampering with network settings (policies are great, but UTMs provide POLICY ENFORCEMENT).

Another cool feature of OpenDNS is that you can insert a logo or picture and custom text into the page that comes up to show that a site has been blocked. At my house, it is a picture of me with my arms crossed and the text says: "FORGETABOUTIT"

Bear in mind that if the router or gateway can be accessed physically, the reset button can be pressed to gain access. If you keep your password secret and use a strong one, at least you will know that someone has tampered with the device.

Dennis Houseknecht - July 15, 2008

Why the Web filtering offered by OpenDNS is so important

Thursday, January 1st, 2009

What benefits does web filtering have for our SME, SOHO, and residential clients?

1) Protection from phishing sites - OpenDNS keeps a list of addresses associated with phishing sites that is constantly being updated and warns users about them.

2) Control over where business users or family members can go by category. These categories are very granular and are kept updated by thousands of volunteers worldwide. Blocking job-hunting sites, social networking sites, gambling sites, porn sites, and any other sites that are deemed inappropriate can save employers hundreds or thousands of dollars per month in lost productivity. Parents also want this control over which sites their children can access.

3) Protection from accidental exposure to pornography or malware sites for children. Mis-typing a URL can take you to some pretty nasty places if you are using the ISP's DNS servers. OpenDNS will intercept these requests, block the URLs (if configured to do so), and present you with a list of likely options for the site you were actually looking for. OpenDNS will even automatically correct many typing errors.

How should you configure client networks to use OpenDNS? That depends upon the type of network. If there is an internal DNS server running on the network, you want to set all the individual workstations to continue using that DNS server (so internal addresses will resolve properly) and then configure the OpenDNS servers as the DNS forwarders. In home networks with a wireless router or gateway, you should configure the router/gateway to use OpenDNS and then set the computers to use the router/gateway as both the default gateway and the DNS server. When using a public network, you can set your computer's DNS settings to use OpenDNS directly, rather than obtaining DNS settings from the gateway.

Of course, savvy users and teenagers can thwart this strategy by re-configuring the DNS servers on a local machine (especially on XP, where it is hard to run as a limited user). Tomorrow we will look at some of the counter-measures that you can take, even on many home routers, to make this more difficult.

The OpenDNS server addresses are 208.67.220.220 and 208.67.222.222. Setting up an account with OpenDNS is free and there is a client that works with DynDNS, which is also free. This means that anyone can use OpenDNS - a fixed IP address is not required.

Dennis Houseknecht - July 14, 2008