How to redirect ALL DNS traffic to OpenDNS

Comments

35 comments

  • bruce.thorton

    Go to your firewall custom screen. You may be able to block access to IP address 8.8.8.8 and any other address there.

  • swemic

    Depending on what your modem/firewall can do, you might be able to do a STATIC NAT of all UDP:53 traffic to the OpenDNS server(s); I guess that would be the best way to be absolutely sure that no other DNS service is used.

    With this said, this means that you would alter both the source IP and the destination IP, which means that your modem/firewall needs to be somewhat advanced to be able to handle such S-NATing.

    However, if your modem/firewall is more of a home-user model, you should, as stated previously:
    1. Create an Allow rule for UDP/TCP port 53 to the OpenDNS servers
    2. Next in line of rules, create a Block All rule for UDP/TCP port 53

    That's a semi-functional solution as well.

  • rotblitz

    You may be able to block other DNS services (like Google's) more explicitly.

    If not, you may need another router to do what you want, if your current router doesn't have the capabilities you're looking for.

  • mattwilson9090

    Without knowing what you actually did, it's hard to say what you did wrong.

    However, if what you did was to block ALL port 53 traffic you will disable all DNS functionality, including OpenDNS. A rule to block all port 53 traffic generally also needs a rule to allow port 53 traffic to OpenDNS to process BEFORE the blocking rule. The effects of this are to allow port 53 traffic to OpenDNS, but nowhere else.

    Since you apparently can't implement an allow rule this might not be possible with your current combination of router hardware and firmware. You will likely need to change the firmware and/or hardware to something that allows this.

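    Both swemic's "allow OpenDNS first, then block port 53" ordering and mattwilson9090's warning about blocking all of port 53 come down to first-match rule evaluation. The following is an added illustration, not code from this thread or from any router firmware: it models a home-router firewall as an ordered rule list and compares the three orderings, plus the STATIC NAT option swemic mentioned. The OpenDNS resolver addresses are the public ones; the "default allow" for unmatched traffic and the sample packets are assumptions/constructed.

```python
# Added example, not from the thread: a first-match model of a home-router
# firewall, showing why an allow rule for OpenDNS must sit BEFORE the
# "block all port 53" rule, and what swemic's STATIC NAT option does instead.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Public OpenDNS resolver addresses (well known; not taken from the thread).
OPENDNS = frozenset({"208.67.222.222", "208.67.220.220"})

@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "block"
    port: Optional[int] = None            # destination port, None = any port
    dst: Optional[FrozenSet[str]] = None  # destination IPs, None = any host

def evaluate(rules: List[Rule], dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; assumed default for unmatched outbound traffic is allow."""
    for r in rules:
        if r.port is not None and r.port != dst_port:
            continue
        if r.dst is not None and dst_ip not in r.dst:
            continue
        return r.action
    return "allow"

# 1) All the poster's router offers: block port 53 outright (kills OpenDNS too).
BLOCK_ONLY = [Rule("block", 53)]
# 2) The recommended set: allow port 53 to OpenDNS first, then block port 53.
ALLOW_THEN_BLOCK = [Rule("allow", 53, OPENDNS), Rule("block", 53)]
# 3) The same two rules reversed: the block shadows the allow, same as case 1.
BLOCK_THEN_ALLOW = list(reversed(ALLOW_THEN_BLOCK))

# Constructed sample traffic (203.0.113.10 is a documentation-range address).
PACKETS: Dict[str, Tuple[str, int]] = {
    "dns_to_opendns": ("208.67.222.222", 53),
    "dns_to_google": ("8.8.8.8", 53),
    "https": ("203.0.113.10", 443),
}

def outcomes(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each sample packet under the given rule order."""
    return {name: evaluate(rules, ip, port) for name, (ip, port) in PACKETS.items()}

def dnat_destination(dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Model of the STATIC NAT option: every port-53 packet is rewritten to OpenDNS."""
    return ("208.67.222.222", 53) if dst_port == 53 else (dst_ip, dst_port)
```

    Calling outcomes(BLOCK_ONLY) shows OpenDNS itself blocked, while outcomes(ALLOW_THEN_BLOCK) lets only OpenDNS through; dnat_destination shows why the NAT variant needs no block rule at all.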
  • stanthemam

    Is there an external firewall I could use to implement this? Or do you know of any firmware that is simple enough for a newbie to use to implement such a command?

  • rotblitz

    External firewalls are not a viable solution for home environments.

    We cannot point you at an alternatively available firmware, because you neglected to say what exact router model you have.

  • stanthemam

    Oops! So I have a Hitron CGMN 3552. It is a modem and router in one. I do not have a separate router.

  • rotblitz

    Ah yes, you mentioned this in another thread.  As I said there, I cannot help you with this device.

  • stanthemam

    You had mentioned that I may need to allow OpenDNS explicitly? Do you mind elaborating on that? And also you mentioned that I may need to block Google DNS service. Do you know of a way to do this?

  • stanthemam

    Do you mean my router's firewall, or does the firewall on my computer work for the entire network? I am sorry if that is a terribly stupid question, I am new at this. The firewall on my modem is very limited and unfortunately does not allow for many changes.

  • rotblitz (Edited)

    "You had mentioned that I may need to allow OpenDNS explicitly?"

    This has been explained by mattwilson9090 in the other thread.

    "to block Google DNS service. Do you know of a way to do this?"

    This is what bruce.thorton explained.  And yes, he means your router, because firewall rules on the computer are effective only on this computer.

  • stanthemam

    Unfortunately, all of the above is not possible to do with the modem/router combo that I have. The firewall settings are very minimal. They allow for a block port rule request, but they do not allow for an "allow" rule. So all I am able to do is turn off the port completely. It does not allow for any IP blocks either, so blocking the Google DNS will not work. This modem also does not allow any changes in the NAT settings, so I am also at a loss there. So I'm at square one again. I feel like I have tried everything and nothing is working in my favour, unfortunately.

  • rotblitz

    If you want, you may post screenshots of the related router page(s) here. I may then run into new ideas.  Or if you have an electronic version of your router manual, you can attach it here.

  • stanthemam

    Sure. Here are a few screenshots of the modem/router combo that I am using. There are also screenshots of my firewall settings. I cannot seem to find a manual.

    http://www.screencapture.ru/file/4df0531f

    http://www.screencapture.ru/file/cBF11748

    http://www.screencapture.ru/file/1d528c46

    http://www.screencapture.ru/file/e26F7AE5

  • rotblitz

    Still no idea.  This didn't enlighten me. :(

  • stanthemam

    I am sorry! I was just trying to show you that there are minimal options to change via the modem. Is there any type of universally compatible firewall I could download and use to add rules for my network? This is affecting my anxiety and I would just like to find a solution.

  • stanthemam

    I also have an unrelated question: if I disable port forwarding, will that disable SSH tunnelling? And if I disable VPN passthrough, does it disable the use of any outgoing VPNs? I apologize for all the questions.

  • swemic

    First one:

    Yes, you could check out a more advanced firewall like pfSense, which you would install on a device in front of your ISP modem/router, i.e. [your LAN] - [pfSense] - [ISP modem/router] - [Internet].

    pfSense has a lot of advanced features and configuration options. But read up on it before you even try to start configuring it, unless you are very familiar with firewalling and routing.

    Second one: that actually depends on your router/firewall. I assume port forwarding at your modem/router means that you have a rule configured that states all TCP:22 hitting your public IP should be forwarded to a local IP within your LAN? Then yes, if you disable that rule, you will lose your SSH tunneling from elsewhere into your LAN.

    Disabling VPN passthrough does not mean that you will lose outgoing VPN; it means that you will most likely have trouble connecting with two or more IPsec VPN clients from your LAN to your work, for instance. But if you use any kind of SSL VPN, disabling VPN passthrough will not have any effect.

  • stanthemam

    Thank you for your reply. I have disabled port 22 completely; will that deny access to any outgoing SSH tunneling? And as for the VPNs, is there a way to completely disable the use of them? And is there also a way to disable editing of the hosts file to redirect traffic? My end goal is ultimately to stop my son from bypassing any blocking by OpenDNS and to have everything logged in my domain stats. I feel he has been bypassing my settings in some way.

  • rotblitz

    "My end goal is to ultimately stop my son from bypassing any blocking by OpenDNS and to have everything logged in my domain stats."

    How old is your son?  Well, the first step is that you provide him only with a regular user account on the computers he's using.  If he has admin accounts, then you can simply forget about blocking him from anything, because he has hundreds of options for circumventing anything you do on the router or otherwise.

    With a regular user account he cannot change network settings, like using another non-OpenDNS DNS service.  And he cannot install and use most programs (VPN clients, etc.) for restriction circumvention.  This already eliminates more than 90% of your concerns and issues.

    Also, consider that not every problem can be resolved with technology.  You'd better have a word or more with him, making your policies clear and discussing what needs to be discussed.  Just old-fashioned education, else he may feel like a prisoner at home.

    "I have disabled port 22 completely, will that deny access to any outgoing SSH tunneling?"

    SSH is rarely used to establish (VPN) tunnels or such.  It is mainly used to login to dedicated servers for remote maintenance.  The default port for SSH is 22, but one can use any port, even multiple ports.  So no, this is rather a useless measure.  Not sure what you want to achieve with this.

    "And as for the VPNs, is there a way to completely disable the use of them? "

    Not really unless you also impact other services sharing the same port and protocol like web services and such.  Same as with SSH, there are certain preferred ports which you may block.  But many VPN services use alternative ports in addition.

    There is one fully successful measure for access restriction to the internet: cut the internet connection!

  • stanthemam

    Ah, none of this is good news. My son is 12 years old, but he knows way more about this stuff than I do. OK, so if none of those options will work for me... If I were to purchase a router which allows URL logging, would it log all entries even if my son were to use a proxy or a VPN, edit the hosts file, or use any other means of trying to bypass OpenDNS? I am so sorry to keep bothering you with my many questions! I cannot seem to find any clear answers anywhere, though.

  • stanthemam

    Also, I forgot to mention, I am not concerned about the home PC, as it is in my bedroom and he rarely has access to it. He uses his mobile, a BlackBerry Z10, for 95% of his web browsing. I have done some research and he is able to access a VPN on his device as well as a proxy. Those two are my biggest concerns.

  • rotblitz (Edited)

    Well, that's all easy.  If your current router does not do what you expect it to do, you get another router which can do it.

    But please note, some of your requirements are technically impossible.  No router or other device or service in the world can do it.

    The reason: The internet was made for accessing it - without limits, because we are a free society with the right of freedom of speech and to unrestricted information.  There are exactly two viable options:

    1. Access to the internet
    2. No access to the internet

    It's your choice!

  • stanthemam

    You are right. Maybe I am being overly paranoid. One last question, if I block port 53 will it block use of proxies as well, or does it simply not allow for other DNS traffic? Thanks again for all of your help!

  • stanthemam

    Also a subquestion (last one, for real this time). How long does a proxy typically last? I don't mean the web ones, I mean the ones with ports that you have to look up and manually enter. Is there a time limit on them or are they permanent?

  • rotblitz

    "if I block port 53 will it block use of proxies as well, or does it simply not allow for other DNS traffic"

    The latter.  I have explained this in another thread and have nothing to add.
    https://support.opendns.com/hc/en-us/community/posts/244978147

    "How long does a proxy typically last?"

    I don't understand this question.  It doesn't seem to apply to anything.

  • stanthemam

    Sorry about that, let me elaborate. If my son were to already have an HTTP proxy programmed in his phone (or if he simply knows of one and manually enters it each time he uses it) along with the port number, is this something that he can use long term? Or do the public proxies eventually shut down? I know now that he will not be able to pull up any proxy lists online, as all proxy web pages are blocked, so if he doesn't already know of a proxy, he will not be able to connect to any new ones. It would bring some peace of mind if I knew he cannot use the old one long term, as now he has no access to new ones!

  • rotblitz

    Some web proxies may last for years, others for days, same as other web sites too.  There's no general rule.  Not sure why you mention port numbers. Web proxies usually use the default web ports 80 and 443.  And they do not require programming or configuration.  They are accessed like any other web site.

    "I know now that he will not be able to pull up any proxy lists online as all proxy webpages are blocked"

    This view is too optimistic.  How can you know?

  • stanthemam

    In searching the web I found that I can manually enter a proxy as well as a port number into my son's BlackBerry to connect to a proxy, which is why I keep mentioning port numbers. I am not sure if it is considered a "web proxy" or not, but I pulled up a list and tried for myself, and it did work. I have provided some screenshots for reference. I would love to be able to find a way to disable this feature, but have had no luck.

    http://www.screencapture.ru/file/1E90d915

    http://www.screencapture.ru/file/0ba50890

  • rotblitz (Edited)

    If you use OpenDNS and have the Proxy/Anonymizer category blocked, you should not be able to pull the list you show in your second screen shot.
    https://domain.opendns.com/proxynova.com
    https://block.opendns.com/main?url=81838089907980876615688078&ablock=

    If the list shows up nevertheless, you don't use OpenDNS, or you haven't blocked the Proxy/Anonymizer category, or you may be using another WLAN, not yours.

    Start with visiting http://welcome.opendns.com/ with this smart device to see if you use OpenDNS at all.

