Google image block instructions in conjunction with opendns?

  • rotblitz

    You may not need a Netgear router with OpenDNS LPC enabled at all.

    Take an older computer you still have lying around making it a server and equip it with the following applications (examples for Windows):

    Note: You do not necessarily need to install three packages. There are also combined packages like http://sourceforge.net/projects/dhcp-dns-server/

    • You configure the DNS server as DNS forwarder to OpenDNS.
    • You configure the DHCP server to give out the server's IP address as gateway address and DNS server address.
    • You configure the proxy server to filter what you want filtered, by URLs, keywords, object types, whatever you want, including to e.g. force always SafeSearch for Google searches by appending the related parameter to the HTTP request.
    • In case of a dynamic public IP address you run an updater on this server too, e.g. http://updater.marc-hoersken.de/
      (The official OpenDNS Updater is not suitable for unattended server operation yet.)
    • You disable the DHCP server and DNS server/forwarder functionality on the router and possibly block any passthrough for outbound ports 53, 80 and 443.

    This easy thing makes it look like a high-end professional security and filtering appliance for ten thousands of dollars.

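The SafeSearch step in the list above, as an added example that is not part of the original thread: a URL rewrite a filtering proxy could apply to each request. It assumes the proxy sees the full request URL (plain HTTP, or HTTPS with interception) and that Google's `safe=active` parameter is the one meant; the host pattern, path list and sample URLs are illustrative assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: hosts treated as Google search front ends (google.com plus
# country domains such as google.de or google.co.uk).
GOOGLE_HOST = re.compile(
    r"^(?:www\.|images\.)?google\.(?:com|[a-z]{2,3}|co\.[a-z]{2}|com\.[a-z]{2})$"
)
# Assumption: request paths that lead to web or image search results.
SEARCH_PATHS = ("/search", "/imghp")


def force_safesearch(url: str) -> str:
    """Return url with safe=active enforced if it is a Google search request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST.match(host) or not parts.path.startswith(SEARCH_PATHS):
        return url  # not a Google search: pass through unchanged
    # Drop every client-supplied "safe" value (safe=off, mixed case, or
    # duplicates meant to override ours), then append the enforced one.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != "safe"]
    query.append(("safe", "active"))
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed sample requests, not taken from the thread.
SAMPLES = [
    "http://www.google.com/search?q=cats&tbm=isch",
    "http://www.google.co.uk/search?q=cats&safe=off",
    "http://www.google.com/search?safe=off&q=a+b&SAFE=images",
    "http://google.evil.example/search?q=x",
    "http://example.com/search?q=google.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", force_safesearch(sample))
```

Appending the parameter alone is not enough: the rewrite has to remove any `safe` value the client already sent, otherwise the outcome depends on which duplicate the server honours.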
  • bkg73123

    rotblitz,

     

    Thank you for the info.

    So I assume I would still need a new wireless router that plugs into my proxy server and all the computers in my house and wireless devices will connect to that router correct? So what hardware would I need on the proxy server? How beefed up will it need to be? Is the proxy server going to slow down my service tremendously? What LAN requirements would it need (two ethernet ports minimum), RAM, etc...?  Thank you. B

  • rotblitz

    "So I assume I would still need a new wireless router that plugs into my proxy server and all the computers in my house and wireless devices will connect to that router correct?"

    You didn't mention what your current router is, so I don't know if you need another router, but most likely not. Most home type routers will do it. Depending on your configuration you may still need to give out the router's IP address as gateway address though, not the server's IP address. The proxy server IP address in the browsers would show then the server's IP address.

    For WLAN connectivity you can use a router (e.g. your current one) or a WLAN adapter on your server which is capable to serve as access point. Many WLAN adapters support this.

    "So what hardware would I need on the proxy server?"

    Minimum CPU 1.5 GHz (single core) or 1GHz (dual core),  1 GB RAM, 20 GB disk. That would be good for Windows XP Home or Pro. As I said, it can be a very old but still working computer lying around. See also the requirements for the applications you'll need to install.

    "Is the proxy server going to slow down my service tremendously?"

    Normally not unless you connect and operate more than 20 devices at a time all using the internet intensively.

    "What LAN requirements would it need (two ethernet ports minimum), RAM, etc...?"

    RAM covered above. You can connect the server to the router, anyway, with high-speed WLAN or ethernet cable. If the router still serves as your LAN router, you don't need a second NIC.

    If you want the server to act as router, you'll use a WLAN adapter with access point capability for wireless and a switch at a second NIC for the hardwired devices. You'll also install a free distro of a software (virtual) router on the server, see
    https://startpage.com/do/search?q=router+software+windows+free

  • bkg73123

    rotblitz,

    Do you think it would be possible to use a free or paid cloud proxy instead of my own? Pros Cons?

    Please look at the attached drawing and see if I understand the configuration properly.

    What should the security (firewall, etc...) settings be on the devices?

    Thank you, B




    Preliminary Config 1.jpg
  • rotblitz

    "Please look at the attached drawing and see if I understand the configuration properly."

    Yes, the principles are right. But let's talk about this new "Wireless router":

    It must not have port 53, 80, 443 blocked, else the proxy/DHCP/DNS server cannot be reached too. And the ports do not need to be blocked, because there is no direct internet access from this router.

    Because you have DHCP and DNS server on this router too, you may not need these on the proxy server at all. See if you can configure a static DNS resolver address on the "WAN" side (direction proxy server) of the router which would be the proxy server's IP address. To configure it on the LAN side could work too. The router's DHCP server propagates the router's IP address as gateway address (anyway - must be) and the proxy server's IP address as DNS server address.

    On the proxy server you do not necessarily need a DNS server, the dnscrypt-proxy (http://dnscrypt.org/) installed on the server would already do, configured to listen on the server's IP address and forwarding to OpenDNS directly.

    "What should the security (firewall, etc...) settings be on the devices?"

    Nothing special, as far as I can think of.  You don't open any additional holes with this configuration.

    "Do you think it would be possible to use a free or paid cloud proxy instead of my own? Pros Cons?"

    Sorry, I do not have any experience with such a 3rd party service, so don't want to comment.  Someone else maybe?

  • bkg73123

    rotblitz,

    Is this what you mean? (see attached)

     

    Thanks, B




    Preliminary Config 2.jpg
  • rotblitz

    Yes, this would be it.

  • bkg73123

    rotblitz,

    Just to clarify for me I would install the following on the proxy server: 

     

    OR

    •  The dnscrypt-proxy (http://dnscrypt.org/) installed on the server would already do, configured to listen on the server's IP address and forwarding to OpenDNS directly.

    I was reading on the DNSCrypt and it mentions something about not being a DNS Cache. Does this mean it will be slower than using the DNS Server software because it will have to resolve the DNS&IP every time instead of keeping a cache?

     

    I think I understand it pretty well.

    I may need help configuring the INI files and such, but this looks like a good solution.

    I will post here again when I get the new hardware.

    Probably just start with the new wireless router and switch then add the proxy last.

     

    Thanks,B

  • rotblitz

    Yes, with your last diagram you'll be installing a proxy server.  For DNS you use either the dnscrypt-proxy or a DNS server.

    "I was reading on the DNSCrypt and it mentions something about not being a DNS Cache. Does this mean it will be slower than using the DNS Server software because it will have to resolve the DNS&IP every time instead of keeping a cache?"

    Not really. You didn't have a DNS cache until now, so why now worry about it? The DNS caching takes effect also on the local end devices with their local resolver cache.

    "Probably just start with the new wireless router and switch then add the proxy last."

    You cannot use this router for internet connectivity before you have installed the proxy unless you configure special routing to your Uverse Gateway.

  • bkg73123

    rotblitz,

    To start out with I was going to just get opendns up and going because I will need more time to build a proxy server.

    I was going to use the same setup as the last configuration except go from the Uverse Gateway directly to the wireless router. The wireless router DNS will point to OpenDNS.

    This should be all I need to get OpenDNS going correct?

    I will be getting the Netgear R6300v2 and Netgear GS116 Prosafe switch today.

     

    Thanks,B

  • rotblitz

    "The wireless router DNS will point to OpenDNS.

    This should be all I need to get OpenDNS going correct?"

    Yes, this should work. Don't forget the Updater running somewhere within your network.

    "I will be getting the Netgear R6300v2 and Netgear GS116 Prosafe switch today."

    Will you be using the Netgear R6300 with LPC enabled? Not sure, but this may not work behind the Uverse Gateway and may work even less behind a proxy server going further.  LPC works pretty much different if it comes to features like content filtering.  Therefore LPC uses a different dashboard and locally running programs, you get no DNS stats, and you don't run an Updater.
    http://www.opendns.com/support/article/125

  • bkg73123

    rotblitz,

     

    I got OpenDNS working with my R6300 & Uverse 3801.

    Here is what I did:

     

    Firstly, I followed these instructions -

    There is no true bridge mode on the 2Wire routers.  However, you can still configure it such that almost all functions of your own router will work properly. 

    1. Set your router's WAN interface to get an IP address via DHCP.  This is required at first so that the 2Wire recognizes your router. (Already set this way by default on R6300)

    2. Plug your router's WAN interface to one of the 2Wire's LAN interfaces.

    3. Restart your router, let it get an IP address via DHCP.

    4. Log into the 2Wire router's interface.  Go to Settings -> Firewall -> Applications, Pinholes, and DMZ

    5. Select your router under section (1).

    6. Click the DMZPlus button under section (2).

    7. Click the Save button.

    8. Restart your router, when it gets an address via DHCP again, it will be the public outside IP address.  At this point, you can leave your router in DHCP mode (make sure the firewall on your router allows the DHCP renewal packets, which will occur every 10 minutes), or you can change your router's IP address assignment on the WAN interface to static, and use the same settings it received via DHCP.

    9. On the 2Wire router, go to Settings -> Firewall -> Advanced Configuration

    10. Uncheck the following: Stealth Mode, Block Ping, Strict UDP Session Control.

    11. Check everything under Outbound Protocol Control except NetBIOS.

    12. Uncheck NetBIOS under Inbound Protocol Control.

    13. Uncheck all the Attack Detection checkboxes (7 of them).

    14. Click Save. 

    (This process changed my router to 10.0.0.1 which is fine because I don't need to access anything plugged directly into the Uverse gateway.)

    Your router should now be able to route as if the 2Wire was a straight bridge, for the most part. 

    Inbound port 22 might be blocked, and inbound ports 8000-8015 might also be blocked, and there's nothing that can be done about it. 

    This is how I have my 2Wire configured, and I have a Cisco 2811 behind it doing IPSec, IPv6 tunnels, etc.

    (Thanks to SomeJoe7777)

    http://forums.att.com/t5/Residential-Gateway/U-verse-for-BUSINESS-2Wire-3600HGV-bridge-mode-or-another-AT-amp/td-p/2707013

     

    Secondly, I disabled the wifi on the Uverse gateway by going to the Wireless section and choosing disabled.

     

    Thirdly, I entered in the OpenDNS server information into the R6300 under Internet settings.

     

    That's all. It works great with OpenDNS.

    All is fine except the R6300 signal range is very poor.

    I am hoping it is just a filing cabinet I have in the way, but right now it is no better than the Uverse wifi at this point. 

    5G doesn't make it but 20ft and 2.4G probably around 40ft.

     

    I will update again when I get the proxy server ready to install.

     

    Thanks for your help!

    -B 

  • rotblitz

    Sounds excellent.  Thanks a lot for the feedback.  This will certainly be of use for others in the same situation.

  • johank96

    FYI: There's a new breed of routers that deal with the incognito loophole! They appear to implement something like option 3 described in this link: (https://support.google.com/websearch/answer/186669?hl=en), and make it real easy. I found three: 1) Kibosh (www.kibosh.net) 2) Blocksi Router (http://www.blocksi.net/parental-control.php) and 3) pcWRT (http://www.pcwrt.com/).
