Separate DNS IP addresses for Parental Control to ensure continued protection during IP address change
After talking to you about Parental Control becoming inactive for a period following an IP address change I've realised that the DNS addresses you publish are shared, for enhanced DNS as well as Parental Control. It now makes sense that while my IP update is filtering through it acts like an unfiltered DNS.
Remember that people using this service are looking for protection, having that protection disappear for potentially quite long periods is not really acceptable. How long would it take a child to realise that they just have to reboot their broadband router to get 5 minutes unfiltered access?
Really you need a different pair of DNS addresses for Parental Control which responds appropriately when it doesn't recognise the IP address (i.e. blocks all sites) - it seems really simple!
-
These additional resolver addresses exist, and therefore there is no need to request it. It seems you missed that.
You'll be using the OpenDNS FamilyShield addresses 208.67.222.123 and 208.67.220.123 instead of the normal OpenDNS resolver addresses.
https://store.opendns.com/setup/#/familyshield
-
Hi Rotblitz - I didn't miss it, those IP addresses provide a different service to the OpenDNS Home configurable filtering which I use.
I could use those IPs but would not be able to use the excellent facilities of blocking additional groups of sites and setting personal exceptions/additional blocks.
I really think it makes sense to have different IP addresses for the OpenDNS Home configurable filtering so that there are no gaps in the filtering. If my antivirus software became ineffective for a few minutes after I reset my router I wouldn't say that was okay, should be the same for the OpenDNS Home configurable filtering service too.
-
"would not be able to use the excellent facilities of blocking additional groups of sites and setting personal exceptions/additional blocks"
This is where you are in error. You can use every feature of your dashboard at https://dashboard.opendns.com/settings/ also with the FamilyShield addresses. There is one exception: you will not be easily able to whitelist anything blocked by the FamilyShield categories (Pornography, Tasteless, Proxy/Anonymizer, and Sexuality). But there are ways around this if you need...
From the official https://support.opendns.com/entries/53936430 :
"If you create an account you can also configure additional custom category filtering at the network level, but the 4 categories Pornography, Tastelessness, Proxy/Anonymizer, and Sexuality will always be blocked on your network when using FamilyShield."
It looked to me as if this is exactly what you were asking for. If not, please clarify.
-
Assuming that this delay is indeed due to a delay in processing after OpenDNS has registered an updated address for your network, and not a delay in whatever software you are using to register the updated address with OpenDNS (the two really are very different things), how would having a different set of DNS server settings help?
OpenDNS Home works by receiving a request at a set of addresses, checking the address where the request was sent from against its list of registered addresses, and then applying any settings for that network. If, after receiving an update, it takes time for processing something and thus temporarily "turning off" your filtering, having a different set of addresses wouldn't help since that delay would still be there. If, on the other hand, there is a delay in getting your new address registered against your network, then when it checks the sending address against the networks it won't find anything, so you won't get any filtering until that registration process completes. In that case I'd suggest changing whatever method you are using to detect and register address changes to something else that is more prompt in getting your address changes registered.
Of course, like rotblitz said, if you use the Family Shield addresses, regardless of what is going on those categories blocked by Family Shield will always be blocked. As rotblitz said you can whitelist any domains that are in the categories that you manually blacklisted, but you cannot whitelist anything that belongs to the 4 categories that Family Shield always blocks.
-
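The gap discussed above can be modelled as a policy lookup keyed on the query's source IP. The following is an added example, not part of any post in this thread and not OpenDNS code: the IP addresses, the "Gambling" category, the dashboard selection and the timeline are constructed, and the resolver is reduced to "baseline categories plus whatever is registered for the source address".

```python
# Categories the thread says FamilyShield always blocks.
FAMILYSHIELD_ALWAYS = frozenset(
    {"Pornography", "Tasteless", "Proxy/Anonymizer", "Sexuality"})
STANDARD = frozenset()  # normal resolver addresses: no resolver-wide baseline

OLD_IP, NEW_IP = "203.0.113.10", "198.51.100.20"  # constructed (documentation ranges)
CUSTOM = frozenset({"Pornography", "Gambling"})    # constructed dashboard selection

# Constructed timeline: the ISP hands out NEW_IP shortly after t=0, but the
# updater only reports the change at t=300.
EVENTS = [
    ("query", 0, OLD_IP),
    ("query", 90, NEW_IP),
    ("query", 200, NEW_IP),
    ("update", 300, OLD_IP, NEW_IP),
    ("query", 330, NEW_IP),
]

def blocked(baseline, registered, source_ip):
    """Effective policy: resolver baseline plus settings registered for the source IP."""
    return baseline | registered.get(source_ip, frozenset())

def unfiltered_queries(baseline, category, events=EVENTS, custom=CUSTOM):
    """Return the times at which a query for `category` was answered unfiltered."""
    registered = {OLD_IP: custom}  # the network starts out registered at OLD_IP
    allowed = []
    for kind, t, *args in events:
        if kind == "update":       # registration finally moves to the new address
            old_ip, new_ip = args
            registered[new_ip] = registered.pop(old_ip)
        elif category not in blocked(baseline, registered, args[0]):
            allowed.append(t)
    return allowed

if __name__ == "__main__":
    for name, base in (("standard", STANDARD), ("FamilyShield", FAMILYSHIELD_ALWAYS)):
        for cat in ("Pornography", "Gambling"):
            print(f"{name:12} {cat:12} unfiltered at t={unfiltered_queries(base, cat)}")
```

In this model the FamilyShield baseline closes the gap only for its four categories; custom categories still lapse until the new address is registered, which is why prompt address updates matter with either pair of resolvers.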
"Is there a way to Whitelist sites then? I do have a few sites in my "Never Block" list.."
You cannot whitelist or blacklist "sites" with a DNS service, just domain names. This is a huge difference.
Well, if the domain names in your "never block" list do not belong to any of the four mentioned categories covered by FamilyShield, then this whitelisting will take effect, else not.
However, if you want to whitelist also domain names from the four FamilyShield categories, you can do that more granular per device, i.e.
- You configure the FamilyShield addresses on the router and configure the normal OpenDNS resolver addresses on those devices which you want to exempt from the strict FamilyShield filtering of the four categories.
- Or you configure the normal OpenDNS resolver addresses on the router and configure the FamilyShield addresses on those devices where you strictly want to block the four categories covered by FamilyShield.
- Any mixture of the two options above is possible as well, but don't mix FamilyShield addresses and normal OpenDNS resolver addresses on the same device.
- Another option, alone or in addition, would be to use the devices' local hosts files to allow or block domain names of your choice.
- Not to forget, you'll have even far more options with running an own internal DNS server / forwarder.
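To check the per-device setups listed above, a device's resolver list can be audited for the "don't mix" rule and for resolvers outside OpenDNS. This is an added example, not part of the original posts; it assumes a resolv.conf-style resolver list, the sample files are constructed, and the normal OpenDNS resolver addresses (not spelled out in the thread) are the publicly documented ones.

```python
import ipaddress

FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}  # addresses given in the thread
STANDARD = {"208.67.222.222", "208.67.220.220"}      # normal OpenDNS resolvers (assumption: not in the thread)

# Constructed sample resolver lists.
STRICT_DEVICE = "nameserver 208.67.222.123\nnameserver 208.67.220.123\n"
MIXED_DEVICE = "nameserver 208.67.222.123\nnameserver 208.67.220.220\n"
TYPO_DEVICE = "# kids' laptop\nnameserver 208.67.222.123\nnameserver 2068.67.220.123\n"

def nameservers(resolv_conf_text):
    """Extract nameserver entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                servers.append(fields[1])  # keep malformed entries so they are reported
    return servers

def audit(resolv_conf_text):
    """Return (verdict, offending_or_configured_servers) for one device."""
    servers = nameservers(resolv_conf_text)
    if not servers:
        return "none", []
    other = [s for s in servers if s not in FAMILYSHIELD | STANDARD]
    if other:
        # Malformed or third-party resolver: queries may fail or bypass filtering.
        return "other", other
    has_fs = any(s in FAMILYSHIELD for s in servers)
    has_std = any(s in STANDARD for s in servers)
    if has_fs and has_std:
        # Which resolver answers is unpredictable, so the strict categories leak.
        return "mixed", servers
    return ("familyshield" if has_fs else "standard"), servers

if __name__ == "__main__":
    for name, text in (("strict", STRICT_DEVICE), ("mixed", MIXED_DEVICE), ("typo", TYPO_DEVICE)):
        print(name, audit(text))
```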