How to redirect ALL DNS traffic to OpenDNS
I am so lost at the moment. I have been searching the web for hours and cannot manage to find a clear answer. I am trying to redirect all DNS traffic to OpenDNS. I have a son who is somewhat tech savvy and I believe he has been using Google DNS (or some alternate form of DNS) to bypass the blocks I have in place with OpenDNS. I was told that I could disable port 53 on my modem, but when I did it blocked ALL outbound DNS traffic, including OpenDNS, and denied any access to the internet. My modem only has a setting to block, not to allow, and it will not allow me to put a setting in place where all DNS traffic is rerouted to OpenDNS. Is there ANYTHING else I can do at all to resolve this issue? It has been driving me crazy all day.
-
Depending on what your modem / firewall can do, you might be able to do a static NAT of all UDP:53 traffic to the OpenDNS server(s). I guess that would be the best way to be absolutely sure that no other DNS service is used.
With this said, this means that you would alter both the source IP and the destination IP, which means that your modem / firewall needs to be somewhat advanced to be able to handle such S-NAT:ing.
However, if your modem / firewall is more of a home-user model, you should, as stated previously:
1. Create an Allow rule for UDP/TCP port 53 to the OpenDNS servers
2. Next in line of rules, create a Block All rule for UDP/TCP port 53
That's a semi-functional solution as well.
-
Without knowing what you actually did, it's hard to say what you did wrong.
However, if what you did was to block ALL port 53 traffic you will disable all DNS functionality, including OpenDNS. A rule to block all port 53 traffic generally also needs a rule to allow port 53 traffic to OpenDNS to process BEFORE the blocking rule. The effects of this are to allow port 53 traffic to OpenDNS, but nowhere else.
Since you apparently can't implement an allow rule this might not be possible with your current combination of router hardware and firmware. You will likely need to change the firmware and/or hardware to something that allows this.
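Both replies above describe the same two mechanisms: an ordered allow-then-block rule pair, and a NAT redirect of every port-53 packet to OpenDNS. The following is an added example, not code from the thread or from OpenDNS: a small first-match packet-filter model that shows why the order of the two rules decides whether OpenDNS keeps working, and what a DNAT redirect does to a packet aimed at some other resolver. The iptables lines in the comments are the equivalent router commands. The OpenDNS resolver addresses and 8.8.8.8 as the "other resolver" are assumed from their published values; the client address is a constructed sample.

```python
"""Model of the two DNS-pinning approaches discussed in the thread.

Rules are evaluated top to bottom, first match wins, exactly like
`iptables -A FORWARD ...` appends to a chain. Nothing here touches the
real network; it only evaluates sample packets against rule lists.
"""
from dataclasses import dataclass, replace
from typing import Optional, FrozenSet, List

# Assumed: OpenDNS's published anycast resolvers.
OPENDNS = frozenset({"208.67.222.222", "208.67.220.220"})
OTHER_RESOLVER = "8.8.8.8"      # assumed: a well-known third-party resolver
CLIENT = "192.168.1.50"         # constructed sample LAN address
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "ACCEPT" or "DROP"
    dport: Optional[int] = None         # None matches any destination port
    dst: FrozenSet[str] = frozenset()   # empty set matches any destination

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst and pkt.dst not in self.dst:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "ACCEPT") -> str:
    """First matching rule decides; unmatched packets get the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Approach 1, correct order. Equivalent router commands (repeat for -p tcp):
#   iptables -A FORWARD -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
#   iptables -A FORWARD -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
#   iptables -A FORWARD -p udp --dport 53 -j DROP
ALLOW_THEN_BLOCK = [
    Rule("ACCEPT", dport=DNS_PORT, dst=OPENDNS),
    Rule("DROP", dport=DNS_PORT),
]

# What the original poster's modem offered: a block rule with no allow
# in front of it. This kills OpenDNS lookups along with everything else.
BLOCK_ONLY = [Rule("DROP", dport=DNS_PORT)]


def dnat_to_opendns(pkt: Packet, target: str = "208.67.222.222") -> Packet:
    """Approach 2: rewrite the destination of any foreign DNS packet.

    Equivalent router command:
      iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 208.67.222.222
    Packets already headed for OpenDNS and non-DNS traffic pass unchanged.
    """
    if pkt.dport == DNS_PORT and pkt.dst not in OPENDNS:
        return replace(pkt, dst=target)
    return pkt


def demo() -> dict:
    """Run the sample packets through both approaches and return the verdicts."""
    to_opendns = Packet(CLIENT, "208.67.222.222", "udp", DNS_PORT)
    to_other = Packet(CLIENT, OTHER_RESOLVER, "udp", DNS_PORT)
    https = Packet(CLIENT, "93.184.216.34", "tcp", 443)   # constructed web request
    return {
        "allow_then_block/opendns": filter_packet(ALLOW_THEN_BLOCK, to_opendns),
        "allow_then_block/other": filter_packet(ALLOW_THEN_BLOCK, to_other),
        "allow_then_block/https": filter_packet(ALLOW_THEN_BLOCK, https),
        "block_only/opendns": filter_packet(BLOCK_ONLY, to_opendns),
        "dnat/other_rewritten_to": dnat_to_opendns(to_other).dst,
        "dnat/https_untouched": dnat_to_opendns(https).dst,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the block shows the poster's exact failure: with `BLOCK_ONLY`, even the lookup to OpenDNS is dropped, which is why the whole internet "disappeared". The allow-then-block list accepts only OpenDNS lookups and leaves non-DNS traffic alone, and the DNAT variant does not drop anything but changes where the foreign lookup lands.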
-
"You had mentioned that I may need to allow OpenDNS explicitly?"
This has been explained by mattwilson9090 in the other thread.
"to block Google DNS service. Do you know of a way to do this?"
This is what bruce.thorton explained. And yes, he means your router, because firewall rules on the computer are effective only on that computer.
-
Unfortunately, none of the above is possible with the modem/router combo that I have. The firewall settings are very minimal. They allow for a block port rule request, but they do not allow for an "allow" rule. So all I am able to do is turn off the port completely. It does not allow for any IP blocks either, so blocking the Google DNS will not work. This modem also does not allow any changes in the NAT settings, so I am also at a loss there. So I'm at square one again. I feel like I have tried everything and nothing is working in my favour, unfortunately.
-
Sure. Here are a few screenshots of the modem/router combo that I am using. There are also screenshots of my firewall settings. I cannot seem to find a manual.
http://www.screencapture.ru/file/4df0531f
http://www.screencapture.ru/file/cBF11748
-
First one: yes, you could check out a more advanced firewall like pfSense, which you would install on a device in front of your ISP modem / router, i.e. [your LAN] - [pfSense] - [ISP modem/router] - [Internet].
pfSense has a lot of advanced features and configuration options. But read up on it before you even try to start configuring it, unless you are very familiar with firewalling and routing.
Second one: that actually depends on your router / firewall. I assume port forwarding at your modem / router means that you have a rule configured that states all TCP:22 hitting your public IP should be forwarded to a local IP within your LAN? Then yes, if you disable that rule, that means you will lose your SSH tunneling from elsewhere into your LAN.
Disabling VPN passthrough does not mean that you will lose outgoing VPN; it means that you will most likely have trouble connecting with two or more IPSec-VPN clients from your LAN to your work, for instance. But if you use any kind of SSL VPN, disabling VPN passthrough will not have any effect.
-
Thank you for your reply. I have disabled port 22 completely; will that deny access to any outgoing SSH tunneling? And as for the VPNs, is there a way to completely disable the use of them? And is there also a way to disable editing of the hosts file to redirect traffic? My end goal is to ultimately stop my son from bypassing any blocking by OpenDNS and to have everything logged in my domain stats. I feel he has been bypassing my settings in some way.
-
"My end goal is to ultimately stop my son from bypassing any blocking by OpenDNS and to have everything logged in my domain stats."
How old is your son? Well, the first step is that you provide him only with a regular user account on the computers he's using. If he has admin accounts, then you can simply forget about blocking him from anything, because he has hundreds of options for circumventing anything you do on the router or otherwise.
With a regular user account he cannot change network settings like using another non-OpenDNS DNS service. And he cannot install and use most programs (VPN clients, etc.) for restriction circumvention. This already eliminates more than 90% of your concerns and issues.
Also, consider that not every problem can be resolved with technology. You had better have a word or more with him, making your policies clear and discussing what needs to be discussed. Just old-fashioned education, else he may feel like a prisoner at home.
"I have disabled port 22 completely, will that deny access to any outgoing SSH tunneling?"
SSH is rarely used to establish (VPN) tunnels or such. It is mainly used to log in to dedicated servers for remote maintenance. The default port for SSH is 22, but one can use any port, even multiple ports. So no, this is a rather useless measure. Not sure what you want to achieve with this.
"And as for the VPNs, is there a way to completely disable the use of them?"
Not really unless you also impact other services sharing the same port and protocol like web services and such. Same as with SSH, there are certain preferred ports which you may block. But many VPN services use alternative ports in addition.
There is one fully successful measure for access restriction to the internet: cut the internet connection!
-
Ah, none of this is good news. My son is 12 years old, but he knows way more about this stuff than I do. OK, so if none of those options will work for me... If I were to purchase a router which allows URL logging, would it log all entries entered even if my son were to use a proxy or a VPN or edit the hosts file or any other means of trying to bypass OpenDNS? I am so sorry to keep bothering you with so many questions! I cannot seem to find any clear answers anywhere, though.
-
Also, I forgot to mention, I am not concerned about the home PC as it is in my bedroom and he rarely has access to it. He uses his mobile for 95% of his web browsing, which is a BlackBerry Z10. I have done some research and he is able to access a VPN on his device as well as a proxy. Those two are my biggest concerns.
-
Well, that's all easy. If your current router does not do what you expect it to do, you get another router which can do it.
But please note, some of your requirements are technically impossible. No router or other device or service in the world can do it.
The reason: the internet was made for accessing it, without limits, because we are a free society with the right to freedom of speech and to unrestricted information. There are exactly two viable options:
- Access to the internet
- No access to the internet
It's your choice!
-
"if I block port 53 will it block use of proxies as well, or does it simply not allow for other DNS traffic"
The latter. I have explained this in another thread and have nothing to add.
https://support.opendns.com/hc/en-us/community/posts/244978147
"How long does a proxy typically last?"
I don't understand this question. It doesn't seem to apply to anything.
-
Sorry about that, let me elaborate. If my son were to already have an HTTP proxy programmed into his phone (or if he simply knows of one and manually enters it each time he uses it) along with the port number, is this something that he can use long term? Or do the public proxies eventually shut down? I know now that he will not be able to pull up any proxy lists online as all proxy webpages are blocked, so if he doesn't already know of a proxy, he will not be able to connect to any new ones. It would bring some peace of mind if I knew he cannot use the old one long term, now that he has no access to new ones!
-
Some web proxies may last for years, others for days, the same as other web sites. There's no general rule. Not sure why you mention port numbers. Web proxies usually use the default web ports 80 and 443. And they do not require programming or configuration. They are accessed like any other web site.
"I know now that he will not be able to pull up any proxy lists online as all proxy webpages are blocked"
This view is too optimistic. How can you know?
-
In searching the web I found that I can manually enter a proxy as well as a port number into my son's BlackBerry to connect to a proxy, which is why I keep mentioning port numbers. I am not sure if it is considered a "web proxy" or not, but I pulled up a list and tried it for myself and it did work. I have provided some screenshots for reference. I would love to be able to find a way to disable this feature but have had no luck.
-
If you use OpenDNS and have the Proxy/Anonymizer category blocked, you should not be able to pull up the list you show in your second screenshot.
https://domain.opendns.com/proxynova.com
https://block.opendns.com/main?url=81838089907980876615688078&ablock=
If the list shows up nevertheless, you don't use OpenDNS, or you have not blocked the Proxy/Anonymizer category, or you may be using another WLAN, not yours.
Start by visiting http://welcome.opendns.com/ with this smart device to see if you use OpenDNS at all.