How to force use of OpenDNS for ALL Connected Users

Comments

6 comments

  • mattwilson9090

    Elements of this have been addressed over time in this forum, but I'm not sure if this particular set of circumstances has even been addressed in its entirety in one thread.

    First, just so you know, I'm not an OpenDNS employee, but I am a long term user/customer and have been an Enterprise MSP Partner almost from the beginning. I'm not an Umbrella Partner, but that's for reasons completely unrelated to your posting. I've actually been using them since before the Enterprise MSP program was created, when the basic free service was still free for businesses to use. Basically I'm very experienced with OpenDNS and the various ways you can use it.

    I have no idea what CIPA is, and though I could do a search for the acronym I won't, since I won't know if the results are the CIPA you mean, or even if I'm looking at information for the correct country. It's entirely possible that any DNS based service will not be able to provide CIPA compliance for you. In that case you'll probably need to go with a hardware based solution, but even then I'm not certain if one of them could provide what you need.

    First, there is no way to force absolutely every user or bit of traffic to use OpenDNS and no other DNS service. Especially in an environment where you do not have exclusive administrative control over all devices, and cannot install software, there is no practical way to protect against all intentional or unintentional bypassing of your desired DNS solution.

    More on that below, but first, a quick analysis of what you're facing. It has been my experience that the vast majority of users (probably 90% or more) with mobile devices (be they laptops, tablets, or smartphones) are using DHCP when they connect and will thus automatically get your DNS as well as other settings automatically assigned to them. Of all of the mobile device users probably much less than 10% of them either know how to (or are not afraid to) change DNS settings, or can change DNS settings, either because their device lets them change them or because their IT department has configured things so that users cannot change them. Bottom line, very few people using a hotspot in a coffee shop or airport, for various reasons, are even going to manually change DNS settings to bypass something like OpenDNS.

    Basically what I'm saying is that DHCP alone will go a very long way towards forcing your users to use OpenDNS, and it may not be worthwhile for your users to manually bypass it anyway.

    I'm sure there are some consumer grade routers out there that can block or redirect UDP Port 53 requests, but other than repurposing a few of them to provide WiFi to a handful of users behind the regular perimeter firewall I don't really use those. They just don't provide the other features and security I need for my clients. For those purposes I just use the stock firmware. However, I do have a higher end "consumer" router made by ASUS (about $150 on Amazon, instead of the more typical $50-$75) which I've flashed with Tomato firmware for my own WiFi hotspot and as the endpoint for an IPv6 tunnel that I'm testing. This version of the firmware, and I think pretty much all versions for the last few years, are capable of intercepting UDP Port 53 traffic. I could probably script intercepting TCP Port 53 (the UDP port is controlled with a checkbox in the GUI) but I don't have a need to do that.

    That said, I'm not sure that this type of router or firmware is sufficient for your needs, especially if you're providing WiFi coverage to an entire airport or coffee shop with a lot of users. For something like that you might need the additional horsepower, features, and control provided by someone like SonicWall, Juniper, Calyptix, or one of the even bigger providers.

    Regardless of whether you use router hardware or firmware that supports this kind of port 53 intercept/redirection, that won't provide 100% certainty.

    For example, at least one version of Avast's security packages has an "enhanced DNS" option that creates an encrypted tunnel to Avast's own DNS servers. It's been discussed multiple times in this forum in the last few months, but it effectively bypasses port 53 intercepts even if the user hadn't intended to do that. If someone is using a VPN connection, whether provided by their employer or because they want to for their own reasons, any router you put in likely will not see their DNS traffic, so couldn't intercept it anyway. On the plus side, since all of their internet traffic will likely be going through the encrypted VPN tunnel you might not need to worry about filtering it and could still remain CIPA compliant. I'm not sure, but I think something like DNSCrypt that encrypts DNS traffic could evade port 53 intercepts. For that matter I think there are ways that more advanced users could send their DNS traffic out via a port other than 53 (assuming the server they use will accept it) but I've never had the need to dig into it.

    Summary: To answer your most important question, "Is there ANYTHING that will force the use of a specific DNS server when a stranger picks up your Wifi signal?" Yes, there is, but there are a number of ways to sidestep that deliberately or inadvertently. Honestly, the number of users who would actually do that in the type of environment you describe is very small, but it might not be a practical concern for you, even factoring in your need for CIPA compliance.

  • rotblitz

    The short answer:

    Either block port 53 passthrough through the router with an outgoing firewall rule, or redirect all DNS traffic on the router to OpenDNS. These options depend on the capabilities of your router.

  • Daniel Cheung
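As an added example (not from any poster in this thread), here is what rotblitz's two options look like as netfilter rules on a Linux-based router, the kind of thing the Tomato firmware mattwilson9090 mentions generates behind its UDP-53 intercept checkbox. Assumed names: LAN bridge `br0`, WAN interface `vlan2`; the resolver addresses are OpenDNS's published public resolvers. The functions print the commands rather than running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Netfilter rules for a
# Linux-based router (Tomato, OpenWrt and DD-WRT all use iptables) that
# (1) redirect every LAN DNS query to OpenDNS and (2) block DNS to anything
# else. Assumed interface names: LAN bridge "br0", WAN "vlan2".

LAN_IF="${LAN_IF:-br0}"      # assumed LAN interface name
WAN_IF="${WAN_IF:-vlan2}"    # assumed WAN interface name
DNS1="208.67.222.222"        # OpenDNS public resolver
DNS2="208.67.220.220"        # OpenDNS public resolver

# Redirect option: rewrite the destination of every port-53 packet arriving
# from the LAN so it goes to OpenDNS, whatever server the client configured.
# Covers TCP as well as UDP (the Tomato GUI checkbox only does UDP).
# The router's normal WAN masquerade carries the query out, and conntrack
# reverses the DNAT on the reply, so the client sees an answer from the
# server it asked.
dns_redirect_rules() {
    lan="$1"; dns1="$2"; dns2="$3"
    for proto in udp tcp; do
        # Queries already addressed to OpenDNS are left untouched.
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -d %s -j RETURN\n' "$lan" "$proto" "$dns1"
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -d %s -j RETURN\n' "$lan" "$proto" "$dns2"
        # Everything else on port 53 is rewritten to the primary resolver.
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' "$lan" "$proto" "$dns1"
    done
}

# Block option: forward port 53 to OpenDNS only and reject the rest.
# The rate-limited LOG rule before the REJECT leaves a syslog/dmesg record
# of clients that tried some other resolver. The bypass cases mattwilson9090
# lists (VPN tunnels, encrypted DNS, DNS on another port) never hit these
# rules at all, which is exactly why neither option gives 100% certainty.
dns_block_rules() {
    lan="$1"; wan="$2"; dns1="$3"; dns2="$4"
    for proto in udp tcp; do
        printf 'iptables -A FORWARD -i %s -o %s -p %s --dport 53 -d %s -j ACCEPT\n' "$lan" "$wan" "$proto" "$dns1"
        printf 'iptables -A FORWARD -i %s -o %s -p %s --dport 53 -d %s -j ACCEPT\n' "$lan" "$wan" "$proto" "$dns2"
        printf 'iptables -A FORWARD -i %s -o %s -p %s --dport 53 -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS "\n' "$lan" "$wan" "$proto"
        printf 'iptables -A FORWARD -i %s -o %s -p %s --dport 53 -j REJECT\n' "$lan" "$wan" "$proto"
    done
}

# Apply only when explicitly asked, as root:  sh dns-to-opendns.sh apply
if [ "${1:-}" = "apply" ]; then
    dns_redirect_rules "$LAN_IF" "$DNS1" "$DNS2" | sh
    dns_block_rules "$LAN_IF" "$WAN_IF" "$DNS1" "$DNS2" | sh
fi
```

Run the script without arguments to print nothing, or call the two functions from a shell to see the twelve rules; on Tomato, rules like these belong in the firewall script so they survive a reboot. The DHCP side of mattwilson9090's advice still applies: hand out the router (or OpenDNS) as the DNS server via DHCP, so that the redirect only has to catch the minority of clients that changed their settings.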

    Hello manxe!

    Thanks for your interest in OpenDNS. I would type out all of what mattwilson9090 and rotblitz said, but then that would be covering all of the same things again.

    Depending on the size of deployment you wish to do, our sales team would be glad to help out - they are assisted by our very capable sales engineers and can answer questions you may have about your deployment.

  • Eden

    Hi Manxe,

    To second danielch's response, OpenDNS offers an Umbrella Hotspot solution for enterprise users who wish to protect their guest network. For more information, you can visit https://www.opendns.com/enterprise-security/solutions/wifi/. Do contact our Sales Team regarding this, as many business users are happy with this service.

    Good luck!

  • magdiel1975

    This has been an ongoing subject on these OpenDNS forums. Even if you get a router capable of intercepting port 53, which forces users to use the OpenDNS server, all the user has to do is download a VPN plugin from either Chrome or Firefox (which does NOT require admin rights) and they can bypass any and ALL router settings.

    So yeah, nowadays it is extremely easy to bypass almost all filtering with just a few mouse clicks. This OpenDNS Umbrella will NOT be able to block a user that has access to your internet connection and uses a VPN connection to navigate the internet... so don't waste your money on that as it will not help you with what you want.

  • rotblitz

    This was pretty off-topic. This thread was not about VPN browser plugins, but about the measures to take for preventing users from changing their DNS server network settings on end user devices.

    Blocking VPNs and the likes is a totally different thing.
