Provide a one click test link to an example site from the web-content filtering page

Comments

  • mattwilson9090

    Having a one click test link would not help in the situation you describe.

    If you check or uncheck a category it is immediately (well, within that 3 minute propagation window) blocked or unblocked. The issue you are running into is DNS caching. If the address for a test page or a domain you want to allow or disallow is already in the DNS cache (whether the "real" or "blocked" address) then it doesn't matter what your current blocking settings are. That cached address will be used.

    Changing your settings as frequently as you do, whether on a timed or some other basis, only works if all caches between the device in question and the OpenDNS servers do not contain an entry for the domain, category, or test link you are concerned about. Depending on how a domain owner has configured their DNS entries that could be a long time (24 hours or more) unless you manually flush all involved DNS caches. Due to the nature of how DNS works there really is no way to automate this or use DNS on a timed basis.

    The only product that supports time based blocking and works with OpenDNS (or even frequent turning on and off of the same category) is a Netgear router with LPC (Live Parental Controls). They have no plans to add the functionality to any OpenDNS products, and have stated that multiple times, in part because of what I described above about how DNS works.

    As for testing, while testing if something works or doesn't work, what you suggest would be testing the wrong things and wouldn't provide you useful or reliable information due to DNS caching. You could click on a link to test that the Gaming category was blocked, but if the Minecraft domain was still in a cache somewhere your kids would still be able to reach it.

  • frank_carlson

    Hi Matt,

    Sorry I wasn't more clear in my explanation.  I believe it will work just fine, because when I change a setting in the web content filtering area, I flush the browser cache and then the OS cache.  If OpenDNS had a group of sites, one for each category (like they have internetbadguys), we could easily test each category to make sure they are blocked or unblocked as our settings are set.  I also find that I check the box for Video Sharing, and then go to YouTube - sometimes it's available, sometimes not.  Rather than having to go to each site in the category, and guess which ones are classified as such, it would be so convenient to just have a "test" link next to the category and be able to test to make sure that category was behaving as intended.

  • mattwilson9090

    Despite the cache flushing you say you do, you still run into problems with old cached data that essentially prevents filtering from working how you want it to work. How will adding almost 60 separate links to "test categories" solve this issue for you?

    Your issue is not with whether or not OpenDNS somehow breaks and stops working properly. Your issue is changing settings fairly frequently to apply to domains that are frequently accessed by devices on your network. The behavior you are seeing is expected. Adding a bunch of "test links" will do nothing to address that.

    The same applies to what you are doing for youtube. There are multiple DNS caches between your browser and the OpenDNS servers (which could include browser cache, OS cache, router cache, and potentially caches maintained by your ISP). DNS is not a technology that was intended to change frequently, including settings that govern how DNS is used to block domains.

    If your account is working already then if you turn on blocking for a category then it is blocked. Having a test link won't tell you anything about blocking for domains that are likely already in a cache somewhere.

  • rotblitz

    There are three test links I know about:

    "sometimes it's available, sometimes not."

    This indicates a different problem, maybe related to DNS and web caching, or also that your Updater doesn't keep up with your IP address changes.  You need to identify and eliminate the root cause.  Clicking test links would show the symptoms only and would not solve the problem.

    Also, as mattwilson9090 said, you are not supposed to change your settings so often.  You should not expect it to work this way, because caches and excessive IP address changes are hard to control.

  • frank_carlson

    @mattwilson9090 and @rotblitz.  I am amazed at how knowledgeable you guys are and how much time you've given to this community.  Thank you.

    I run an IT shop for a specialty construction company...but as you guys can tell, I'm a far cry from a network engineer.  I've spent hours on OpenDNS stuff, trying to figure out how it works and trying to implement it successfully at home.  What seems like "common sense" to experts like you, is often either confusing or not fully understood by what I believe to be the vast majority of the rest of us.  Again, thank you for all the help you give us.

    @rotblitz, you have picked up exactly what I was suggesting - test sites that users could hit to make sure the category they are concerned about is blocked or unblocked, based on settings.  I see 58 different categories in all.

    @mattwilson9090, you said "Despite the cache flushing you say you do, you still run into problems with old cached data that essentially prevents filtering from working how you want it to work. How will adding almost 60 separate links to "test categories" solve this issue for you?"  It won't solve the issue for me, but it will make it easier for me to test if stuff is still in cache or not and if I need to continue working to get things working properly.  I posted a response to a different thread this weekend that @rotblitz said was pretty accurate about browser and OS flushing, and so I thought I finally figured out one of my problems.  And if I flushed both the browser cache and OS cache, that all the cache was flushed, and there shouldn't be any more to flush.

    I need to change settings often.  We block YouTube, but I'm doing online courses and need it.  So, I have it blocked via OpenDNS, then have to turn it on when I do coursework.  When finished with my coursework, I have to block it again.  It seems to work pretty well, so I'm not sure why all the caution against changing things frequently.  I thought now that I understand about flushing both the browser cache and OS cache, my experience of setting a control and having it behaving how I want it to behave was going to get more consistent.  It's doable now, just takes some time and testing.  My very simple idea is to make this testing easier, by being able to hit a "Category Test Link" right next to the web category on the Dashboard Web Content Filtering page to test if the setting is working...just like we can test the other three links.

    Being in IT, friends ask me what they should do to make a safe computing environment for their kids.  I recommend OpenDNS, but know the issues I have.  I think stuff is blocked, and then my wife calls and says - "nope, not blocked".  One time it may be the IP address changed and the Windows machine I have the updater on hasn't been turned on that day yet.  Another time it may be the cache.  I'm getting better and understanding things more, so this is happening less and less.

    If I were to start a consulting business helping parents set up safe home networks, which I've thought about doing, I'd look to have you two consult - 'cuz you know this stuff inside and out.  The rest of us are just struggling along, trying to figure things out, and trying to keep our kids plugged into the beneficial stuff on the web and unplugged from the junk.

    This is a totally separate question/thread, but since you guys are top notch pros, is there a thread or other reference you can provide for a recommendation on how to simply set up an easy to use, inexpensive, foolproof web content filtering system for parents?  I was thinking OpenDNS was the only game in town, because many folks have so many different devices they use in their home.  One home may have a Mac, a Chromebook, a Windows machine, a Roku, an Xbox and a TV that can browse the web.  But as I've experienced and read on other threads, I'm thinking OpenDNS has some limitations that make it part of the overall solution, but not the complete solution.

    Thanks again guys for all you do.

  • frank_carlson

    I reread the entire thread again a couple times, and sounds like the route to explore for the home recommendation is a Netgear router with LPC hitting OpenDNS...and a Raspberry Pi or something running the Updater on Linux, so it isn't reliant on a booted Windows or Mac machine when the home IP address changes. :-)  Just kidding about the Raspberry Pi...although I reached out to support about that idea a while ago and they had experimented, but I haven't followed to know if it's even viable.  Maybe the Netgear router has some functionality where the IP Updater can be installed on it or there's some other way?  Thanks guys!!

  • mattwilson9090

    You aren't understanding us.

    If OpenDNS is working properly, as tested by welcome.opendns.com, there is no reason to individually test each category. It's binary, it's either working with all of your settings or it's not working at all. That one link serves to test *all* categories at once. The other two links test other things, phishing filtering or using FamilyShield that are not covered by the first link.


    "Testing" a category, such as Gaming, will tell you nothing about whether or not DNS results for a specific domain, such as the one for Minecraft, are cached. What you need to be testing is the specific domains you care about, not an entire category. You could still test to see if Gaming is blocked, but if DNS results for minecraft are still in a cache you'll only get a false sense of security since that domain will effectively be unblocked, regardless of the status of the category it is tagged with. In other words, testing the category as a whole is meaningless and useless while you are, according to your own words, concerned with specific domains.


    As I've tried to say, there are more DNS caches than just the local browser and OS cache. There are also potential DNS caches with a local DNS server (if there is one), your router, servers your ISP is operating, and potentially other sources. Again, testing an entire category will tell you nothing about the cache status of a specific domain.


    If you need to change settings often then you are using the wrong product to do what you want. As I said earlier if you want to continue using OpenDNS you need to get a Netgear router with LPC and use that. That is the only OpenDNS product that supports rapid changing back and forth of OpenDNS settings, including time based settings.


    The caution about changing things rapidly all comes down to how DNS functions, and how DNS caching works. Some DNS results have a cache value over 24 hours, meaning that unless all caches that have a bearing on your results are flushed, or specific results have expired then you will continue to get those results from cache instead of a fresh lookup from the OpenDNS servers. I have no idea what the youtube DNS cache numbers are set at, but it's likely that they are set at minutes, rather than hours or days. That could mean you could change those settings rapidly with no visible impact, but another domain with longer cache times wouldn't work so well. That seems to be exactly what you are describing with Minecraft.


    Besides, as you can already see by how you change the Gaming category, this method is NOT WORKING for you. That is all due to DNS caching. No matter how many test buttons OpenDNS adds, nothing will change that reality. You need to address reality, instead of wishful thinking, which is what you are doing now. You are trying to test the wrong thing, dealing with a symptom, but not testing what your actual problem is, or trying to solve that problem.

    OpenDNS is a wonderful product for protecting against things that you don't want on your network. But it needs to be used in accordance with how it was designed to work. Rapidly changing settings, especially changing them back and forth on a regular basis, will produce inconsistent results, as you've already seen. Adding a bunch of links to test entire categories will do nothing to mitigate that, again, because of how DNS works and how OpenDNS was designed to work.


    You say that you're amazed at our knowledge regarding all of this, and all of the time that we've devoted to this, and that you'd even want to use us as consultants in setting up a business, but then effectively tell us that we're wrong, that we don't know what we're talking about, and that you know better than us. I am a consultant, and I have "fired" clients for precisely that kind of thing. Regardless of how well they pay me, it's not worth my time or energy. It certainly isn't when I'm offering my time and expertise for free.

    There is no easy to use, inexpensive, foolproof web content filtering system for parents. Many claim that they have one, and I know of several products that are working towards that, but none are there yet. Frankly, I don't think it's possible. To paraphrase a saying from NASA's moonshot program, you can have fast, simple, or cheap. Choose two.

    If you want relatively cheap and easy to use I'd suggest the Netgear router with LPC. It has its limitations, but overall it's pretty solid and I'd estimate it covers 90-95% of the situations that someone is going to be concerned about. If you add foolproof to that requirement, I'd go with a different solution (different hardware, software, and web services), but it would probably cost at least $200 more to set up (probably closer to $400), and would require ongoing maintenance and checking, which would mean a monthly fee to someone. Depending on what was offered and how it was provided that monthly fee would range from $20 to $50.

  • mattwilson9090

    If you use a Netgear router with LPC you do not need to update your IP address with OpenDNS. In fact you want to delete the network that you already have defined at the OpenDNS dashboard. The two are different products that are not compatible with each other, and at best will return inconsistent or unreliable results. At worst it will appear as if OpenDNS is doing no filtering at all.

    If you stay with OpenDNS Home I always suggest running the updater on the router in some form. Some routers (especially 3rd party firmware) have the ability to directly update OpenDNS, but many more are able to update with DNS-O-Matic (another OpenDNS offering) that then can update OpenDNS as well as other services for you.

    If you want to use a Raspberry Pi for that updating you could experiment with the Pi and Windows 10 IoT. I'm pretty sure the Windows IP Updater would work with it, but I haven't done anything with that product yet.

  • frank_carlson

    @mattwilson9090 - Thank you very much for all this wonderful information.  I'm very genuine in my thanks.

    Obviously I miscommunicated something, which made you feel that what I wrote "effectively tell us that we're wrong, that we don't know what we're talking about, and that you know better than us."  I don't know what I wrote to communicate that, because that's the farthest from the truth.  Maybe it was the paragraph where I was explaining what I was trying to do with the flushing, and I thought it would work, and it seemed to be working - but that was not trying to say I was right, just trying to explain what I was doing and how I thought it would be easier to test.  Admittedly, I don't know how this DNS stuff fully works, so I was just trying to communicate what I thought would make my testing easier.  I was in no way trying to suggest that I knew what I was talking about and I knew better than you guys.  My apologies for not being more clear.  As I said, those like you and @rotblitz who understand these inner workings of DNS are few and far between...the rest of us are just trying to figure this out as best we can...and obviously we're pretty bad at it.  Your patience with us is appreciated.

    Thank you again for all your help!!

  • frank_carlson

    After re-reading your response several times, I thought the lightbulb of understanding was starting to go on in my head.

    Then I read @rotblitz's reply again and saw the test site for adult related categories.  This seems to me to be the same thing I was suggesting for the other categories?

    When I click this link http://www.exampleadultsite.com/ , I get this reply:

    This domain is blocked due to content filtering.

    Site blocked. www.exampleadultsite.com is not allowed on this network. Please talk to Dad if you want it allowed. Love you!!

    If you think this shouldn't be blocked, please contact your network administrator.

    This site was categorized in: Nudity, Pornography

    Diagnostic Info
    IP Address: 74.36.231.185
    Server: chi15
    Pref Flags:  
    Domain Tagging:  

    I'm so frustrated at trying to figure this stuff out!!!!

    I don't know who gets more frustrated, you guys trying to explain it to us, or us trying to figure it out.  I tell you, I typically don't give up very easily, but I certainly feel like giving up on trying to figure out how OpenDNS works...and just chalk it up to "I'll never understand".  You don't have to spend any more time trying to get the bulb all the way lit for me. I'll have to wait for one of you guys to write an OpenDNS for Dummies book or a YouTube channel - then I might have a fighting chance!  Although I'd have to turn YouTube back on to watch it, and turn it back off after.  Hahaha :-)

    Many thanks guys!!!

  • mattwilson9090

    The test site for adult related categories is not there specifically to test if the categories you choose to block are working. It's largely there for those who are using FamilyShield, but have no other portions of OpenDNS configured and want to test if FamilyShield is working. It does serve to test those sets of categories as well, but that's not the main reason for it. In fact, if it weren't for FamilyShield there really wouldn't be a need to have it at all.

  • frank_carlson

    I kept reading both your comments over and over and thinking them through...and I think I'm closer to "getting it".

    Since I just tested the exampleadultsite.com site, what is cached is the block page.  If I changed my Web Content Filtering settings right now and allowed nudity and pornography, depending on the TTL of the site, the dns record for exampleadultsite.com may be cached as the block page and I still wouldn't be able to get there, even though the rest of my family could get to any other site in that category - giving me a false sense of security that everything was blocked, when it's not.

    So, testing of a site needs to be on a specific site, rather than one site representing an entire category.  Therefore, my idea of a test site for each category would only serve to give a false sense of security.  Got it!

    Such a seemingly simple concept, but so many ways to misunderstand how it actually works.

    Thank you again for all your work in helping the community truly understand how this awesome service works.

  • mattwilson9090

    Second paragraph: yes

    Third paragraph: Precisely. With the caveat that any testing you do with a specific site needs to be with the cache cleared. Otherwise your test results can be misleading.

    DNS at its basics is actually pretty simple. Aside from implementing a DNS server I've found that most DNS related things are fairly simple, though you sometimes have to step back and step through everything a step at a time. The biggest difficulty with DNS is that if you're in a hurry you're going to trip yourself up due to caches and waiting on propagation. That time element is what trips most people up.

    For most people using OpenDNS that's not really a problem, they make changes pretty rarely, so never get tripped up by caching or other issues. I have clients using OpenDNS and periodically receive an email asking me to unblock a specific domain. In most cases I don't have to worry about anything because time has passed, but I also let them know that it might not work right away and if they still have problems to let me know.

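The caching behaviour worked out in the comments above, as an added simulation that is not part of any poster's comment and not OpenDNS code. The domains, addresses, TTLs and class names are constructed, and the block answer is assumed to carry the record's own TTL.

```python
"""Constructed simulation: layered DNS caches in front of a filtering resolver."""

BLOCK_PAGE = "block-page"  # stands in for the address of the filter's block page


class Clock:
    """Fake clock so TTL expiry can be simulated without waiting."""
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class FilteringResolver:
    """Hypothetical stand-in for the filtering DNS service and its category policy."""
    def __init__(self, records):
        self.records = records  # domain -> (category, real address, TTL in seconds)
        self.blocked = set()    # categories currently ticked as blocked

    def resolve(self, domain):
        category, address, ttl = self.records[domain]
        # Assumption: the block answer reuses the record's TTL.
        return (BLOCK_PAGE if category in self.blocked else address), ttl


class Cache:
    """One caching layer (browser, OS, router); answers from memory until the TTL runs out."""
    def __init__(self, upstream, clock):
        self.upstream, self.clock, self.entries = upstream, clock, {}

    def resolve(self, domain):
        hit = self.entries.get(domain)
        if hit and hit[1] > self.clock.now:
            return hit[0], hit[1] - self.clock.now  # cached answer, remaining TTL
        answer, ttl = self.upstream.resolve(domain)
        self.entries[domain] = (answer, self.clock.now + ttl)
        return answer, ttl

    def flush(self):
        self.entries.clear()


def run_scenario():
    clock = Clock()
    resolver = FilteringResolver({
        "game.example": ("Gaming", "192.0.2.10", 86400),        # constructed, 24 h TTL
        "gaming-test.example": ("Gaming", "192.0.2.20", 300),   # constructed category test link
    })
    router = Cache(resolver, clock)
    os_cache = Cache(router, clock)
    browser = Cache(os_cache, clock)
    seen = {}

    browser.resolve("game.example")   # visited while Gaming is still allowed
    clock.advance(600)
    resolver.blocked.add("Gaming")    # the category is now blocked at the service

    seen["test_link"] = browser.resolve("gaming-test.example")[0]  # never cached: shows blocked
    seen["game_after_block"] = browser.resolve("game.example")[0]  # served from cache: still open
    browser.flush(); os_cache.flush()                              # browser + OS flush only
    seen["game_after_local_flush"] = browser.resolve("game.example")  # router cache answers
    for layer in (router, os_cache, browser):                      # flush every layer
        layer.flush()
    seen["game_after_full_flush"] = browser.resolve("game.example")[0]
    return seen


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, "->", result)
```
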
  • cobalt-phoenix

    "I need to change settings often.  We block YouTube, but I'm doing online courses and need it.  So, I have it blocked via OpenDNS, then have to turn it on when I do coursework.  When finished with my coursework, I have to block it again."

    This is exactly what you should not be doing to achieve what you want.  Everything written above is nice to know, to see why it would not work and what could maybe work under what circumstances, but it does not provide the immediate solution.  The solution is so simple:

    You configure a different (non-OpenDNS) DNS service on that computer where you do your online courses.  Case closed!  It covers everything you're expecting.

    If you had said earlier what you want to achieve, I would have come up with this solution immediately.

  • rotblitz

    I should mention that cobalt-phoenix is an alias of mine...
