OpenDNS on OpenWRT with several VLAN zones

Comments

12 comments

  • rotblitz

    Your configuration looks right.

    "the parent network should not be"  -  This assumption is partially wrong.

    With your configuration both VLANs are bound to your dashboard settings, because it is your public IP address associating your DNS queries with your settings. For the kids' VLAN, adult and proxy/anonymizer domains are blocked in addition, no matter what the dashboard settings are.

    It looks like that this is what you want, right? If the results are not as expected, you must adapt the dashboard settings to your needs, e.g. not blocking adult categories and/or proxy/anonymizer. These will remain blocked for the kids' VLAN nevertheless. And you do not block domains individually which the parents are to visit.

  • double-u-k

    "With your configuration both VLANs are bound to your dashboard settings, because it is your public IP address associating your DNS queries with your settings. For the kids' VLAN, adult and proxy/anonymizer domains are blocked in addition, no matter what the dashboard settings are."

    That may well be the mistake I made: I knew that I can set the level of filtering in the dashboard, but I also thought that the difference of filtering or no filtering is just a matter of which DNS servers I use for a network.

    Let's see if I understand this correctly: it is not enough to just assign different DNS servers to the different networks, I also have to set filtering explicitly to "none" in the dashboard for the parent network not to get filtered. Is that right?

  • rotblitz

    Yes, if you want the parents' network not to be filtered, you must set the category level to "none" at your dashboard. For the kids' network only adult and proxy/anonymizer domains are blocked then, because you used the FamilyShield addresses 208.67.220.123 and 208.67.222.123 for their VLAN.

    If you want something else, you may consider using a different (non-OpenDNS) DNS service on the parents' VLAN.
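
    A quick way to audit which resolvers each OpenWrt DHCP pool hands out, and therefore what filtering its clients get under the explanation above (same public IP, so the dashboard level applies to every VLAN; FamilyShield pools block adult/proxy on top). This is an added example, not code from this thread, OpenDNS or OpenWrt; it assumes a constructed /etc/config/dhcp snippet in which per-VLAN DNS servers are pushed with DHCP option 6 (`list dhcp_option '6,...'`), and it uses the standard OpenDNS addresses 208.67.222.222/208.67.220.220, which are not quoted on this page.

```python
import re

# Constructed sample of an OpenWrt /etc/config/dhcp with one DHCP pool per VLAN.
# DHCP option 6 is how dnsmasq tells clients which DNS servers to use.
SAMPLE_DHCP_CONFIG = """
config dhcp 'lan'
    list dhcp_option '6,208.67.222.222,208.67.220.220'

config dhcp 'kids'
    list dhcp_option '6,208.67.222.123,208.67.220.123'

config dhcp 'guest'
    option start '100'
"""

OPENDNS_STANDARD = {"208.67.222.222", "208.67.220.220"}
OPENDNS_FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}

def parse_dhcp_pools(text):
    """Return {pool_name: [dns servers]} from the UCI 'config dhcp' sections."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+dhcp\s+'([^']+)'", line)
        if m:
            current = m.group(1)
            pools[current] = []
            continue
        m = re.match(r"list\s+dhcp_option\s+'6,([^']+)'", line)
        if m and current is not None:
            pools[current].extend(s.strip() for s in m.group(1).split(","))
    return pools

def classify_pool(servers):
    """Describe the filtering a pool's clients get, following the thread's explanation."""
    if not servers:
        return "router (dnsmasq) as resolver, forwarding to the WAN upstream"
    kinds = {"familyshield" if s in OPENDNS_FAMILYSHIELD else
             "standard" if s in OPENDNS_STANDARD else "other" for s in servers}
    if kinds == {"familyshield"}:
        return "dashboard settings for the public IP, plus adult/proxy always blocked"
    if kinds == {"standard"}:
        return "dashboard settings for the public IP only"
    if kinds == {"other"}:
        return "not OpenDNS: not bound to any dashboard"
    return "mixed resolvers: clients may get either behaviour"

def report(text):
    """Map every pool in a dhcp config to its filtering description."""
    return {name: classify_pool(srv) for name, srv in parse_dhcp_pools(text).items()}
```

    Run `report(open('/etc/config/dhcp').read())` on the router to see which pools are exposed to the dashboard level and which carry the fixed FamilyShield blocks.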

  • double-u-k

    Thank you very much for explaining! I totally misinterpreted the instructions on OpenDNS: if I am not wrong again, I think it would have been enough, if I had just used the two different sets of DNS *without* creating an account with personal settings. But by doing so, I assigned the filters to my *whole* network's external IP. And of course, this cannot work as I expected it to. I have now set the filtering level to "none" in my account's settings, and until now I have not stumbled upon any glitch in the networks. Let's hope it stays this way. :) Thanks again for your help!

  • rotblitz

    "I think it would have been enough, if I had just used the two different sets of DNS *without* creating an account with personal settings."

    No, this is wrong. If you don't keep your IP address updated at https://dashboard.opendns.com/settings/ you risk that another OpenDNS user inherits and registers this IP address, or you inherit an IP address still being registered with another OpenDNS user's dashboard network, and you would be bound to the dashboard settings of this other user, which is certainly not what you want.

    "And of course, this can not work as I expected it to."

    You still have the option of configuring another (non-OpenDNS) DNS service for the parents' VLAN, as I already said.

  • double-u-k

    And there goes my understanding... now you confused me even more. ;)

    Let's assume I didn't know about the possibility to create an account on OpenDNS, I just read about the two different sets of name servers: the family shields and the standard ones, that are advertised as a faster and more reliable name service. Let's also assume I only had one network and I assigned one of these sets to my router. What would happen? Would I get no filtering, regardless of which name server set I used? Or would I get filtering anyway, even if I used the normal name servers? Does OpenDNS only work in the first place if I create an account, no matter whether or not I want filtering?

  • mattwilson9090

    Without a dashboard account OpenDNS provides only recursive DNS service, with some very minimal anti-phishing and anti-malware filtering. If you use the Family Shield addresses instead of the standard addresses you will be filtered for those categories that Family Shield blocks. It's a good service this way, but you run the risk that the public IP address that you are using is associated with someone else's dashboard account even if they aren't still using that address or account for some reason, and "inheriting" their settings.

    The advantage of creating and updating a dashboard account is that you will always get the OpenDNS settings you choose, even if those filtering settings are "none".

  • double-u-k

    I see...

    "...but you run the risk that the public IP address that you are using is associated with someone else's dashboard account even if they aren't still using that address or account for some reason, and "inheriting" their settings."

    Hmmm... to me this looks like the snake eating its own tail: because some people have associated their IP with the name service, everyone else needs to do this, too, if they want the service to work properly for them as well. If no one had an account with personal settings and everyone would just use the two sets of name servers as they are, all would get the same, without the need to distinguish themselves from the others.

    Sounds a bit like: "some people carry guns, so, obviously, if you want security, you need a gun, too!". ;)

  • Daniel Cheung

    Hello double-u-k!

    Registering your network address in your account helps us keep our system accurate and it exists to help with the fact that many internet service providers (ISPs) will utilize dynamic IP address allocation in their networks. In an ideal world, all of our users would register their networks with us so that we can better associate their accounts with us to ensure that we are not filtering where we don't need to be.

    Otherwise, mattwilson9090 and rotblitz have done an excellent job of explaining this for us!

  • rotblitz

    Yes, but exactly this individually configurable DNS service is what the people demanded, so OpenDNS (and other companies) offer it. And some 50 million people like OpenDNS, which is more than 2% of the internet users. If you don't want any individual configuration, you can configure the one VLAN with another DNS service, as I say now for the 3rd time. Or you delete your network at https://dashboard.opendns.com/settings/ and use the normal OpenDNS resolver addresses in the hope that nobody else has registered or will register your dynamic IP address at any point in time. (If everybody does it right, it will work.)

    And no, you don't need a gun. ;-) You have other choices.

  • double-u-k

    "If you don't want any individual configuration, you can configure the one VLAN with another DNS service, as I say now the 3rd time."

    Sorry if I gave you the impression that I did not read it the first time you said it. I have read it and I have understood your statement there.

    What I did not understand then was why there is the possibility to create personal accounts anyway. Now I know that this is just to give the users the choice which level of filtering they want. I was not aware that the filters are associated with individual IP numbers, thus associated with individual users/networks. I was under the impression that there were two choices when I use OpenDNS: either I just use it as an alternative DNS, that claims to be much quicker than the one my ISP provides, or I use the one that does the child protection. Now I know better. ;)

    And about the gun: you know that there are people who claim that weapons increase security and that children would be much safer if there were armed guards at each school and every kindergarten? I totally do not agree with this, and that's why I tried to make a joke about it. Sorry if that failed.

  • double-u-k

    Hello again!

    For 10 days I didn't have any reason to believe that something is wrong, but now I think I do. I followed your advice and set the filtering level to "none" in my dashboard, and I also set up ddclient to do the DynDNS stuff. And as described further above, I set up the kids' zone to use different name servers. After the setup I checked by trying to call an "adult only" site from within the kids' zone, and it was blocked. Great!

    Now I googled for information about my BluRay player and I wanted to visit the page "bluray-disc.de" from the parents' zone. And guess what: this site is blocked because according to OpenDNS: "This site was categorized in: Pornography".

    Now, I am really, really, really puzzled, at least 150%. How can this be?

    (Secondary question: is it possible to get a bigger editor box when writing a post? It's quite annoying to see only 4 lines of text when writing.)