How to protect your family from bad websites.

Apple has built website filtering into OS X under ‘System Preferences’ – ‘Parental Controls’, but Parental Controls cannot be enabled for administrator accounts (which is probably the account you are running from), and they also become hard to manage if you have multiple users because you need to set them up for each one. Here’s how to set up internet filtering on your whole home network at once using a free service called OpenDNS. Once it’s set up, this can help block unsuitable content from reaching any computer, iPhone, iPad etc. connected to your internet connection. This approach can be used at home, at school, or in the workplace.

DNS stands for domain name server. A DNS server is like a big phonebook: every time your computer, iPad or iPhone goes to a webpage (e.g. apple.com) it looks up the name you have given it (apple.com) and converts it to a number (e.g. 192.124.1.2), which it then uses to find the webpage.

This is what you do when you phone someone. You look up their name in a phone book to get their phone number and then you ring that number. A simple way of limiting the people you could ring would be to leave their phone numbers out of the book. That’s how web filtering with OpenDNS works.

A DNS is like a big internet phonebook where your computer looks up webpage addresses.

When you signed up for internet access with your local Internet Provider they gave you a DNS number to put into your computer – something like 192.231.203.132. This number is the place your computer goes to look up the address of every page you visit.

OpenDNS is a free DNS service, but it has settings to restrict which sites you can access. It’s like a phonebook with all the ‘unwanted’ phone numbers missing. To use OpenDNS you replace the DNS numbers on your computer with the OpenDNS numbers. Your computer will then be unable to find some websites because OpenDNS won’t give your computer the address when it asks for it.

I’ve tried to explain the concepts clearly, but getting it running can be tricky, so read on and you may need to get a computer friend to help you out!

Here’s how to set it up.

1. Have a look at this image. It should say “Use OpenDNS”. After you switch to OpenDNS the image will change and it will say “You’re using OpenDNS”!

Use OpenDNS

2. Go to opendns.com and set up a free account. Go to the OpenDNS dashboard, select Internet filtering, and choose the level of filtering you require. Here is what some of the options look like:

3. Open your router settings (the router is the device that plugs into your internet connection and shares it with all your computers). We are setting this up on the router so that it affects all your computers. Find the setting that says DNS Servers and put in the OpenDNS server numbers. (Before you do this, make a note of the old DNS settings; you will need them later when you are testing.) The OpenDNS numbers are 208.67.222.222 and 208.67.220.220.

Here are the DNS settings on my wireless router.

4. Restart your computer and your router, then come back to this page: the little button in step 1 should have changed to show that you are now using OpenDNS.

5. Go to www.internetbadguys.com (a test site) and you should get a blocked message something like this:

6.  Securing it.

What we have just done is make OpenDNS the default DNS server that your computer goes to. The problem is that if someone manually types DNS settings into the computer’s network settings, that bypasses OpenDNS. So what we need to do now is configure your router so that it does not let any other DNS settings through. To do this, go to the firewall settings on your router (not your computer) and block all outgoing TCP and UDP requests on port 53 that are not going to OpenDNS. This can be a little bit tricky, but here’s how I did it on my router, which is a Draytek Vigor 2700.

I had to add three rules:

1. Allow DNS lookups going to OpenDNS at 208.67.222.222.

2. Allow DNS lookups going to OpenDNS at 208.67.220.220.

3. Block any other DNS lookups.

Here’s where I added the rules:

On the Draytek modem the firewall settings are under the default data filter.

Here are the three rules I added:

I added rules two, three, and four (the router already had a rule 1).

Rules 1 & 2 from my list (called rules 2 and 3 on the router because there was already a rule in there):

Rule 2 allows any traffic going to the first OpenDNS server. Rule 3 is the same as rule 2 except that it uses the second OpenDNS number.

Rule 3 from my list (called rule 4 on the router):

Rule 4 comes after the two allow rules and blocks any remaining DNS requests.

Testing.

Type your old DNS settings into your Macintosh System Preferences (System Preferences – Network – DNS Server) and press Apply.

Open Safari and type in an address (e.g. apple.com) – you should not be able to reach any websites at all.

Delete the DNS address from your Macintosh System Preferences; the OpenDNS settings should reappear, and you should be able to browse the web, but not restricted sites.

The only way I can think of to get round this without the router password is to reset the router to the factory default settings, but then OpenDNS will stop altogether, and you’ll notice someone has been playing with things!
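To make the rule ordering in step 6 and the test above concrete, here is an added example in Python. It is not the Draytek’s configuration and not OpenDNS code: it models a first-match egress filter holding the article’s three rules, checks that only the two OpenDNS addresses are reachable on port 53, and reproduces the test (a computer pointed at the ISP resolver 192.231.203.132, the article’s own example number, can no longer resolve anything, while web traffic on other ports is untouched). The `to_iptables` rendering is an assumption about what the same policy looks like on a Linux-based router; the destination 203.0.113.10 is a constructed sample address.

```python
"""First-match model of the article's three egress firewall rules.
Added example; not the Draytek Vigor 2700's configuration and not OpenDNS code."""

from dataclasses import dataclass
from typing import List, Optional

OPENDNS = ("208.67.222.222", "208.67.220.220")  # OpenDNS resolvers from the article
ISP_DNS = "192.231.203.132"                       # the article's example ISP resolver
DNS_PORT = 53


@dataclass(frozen=True)
class Rule:
    """One firewall rule. A field of None means 'match anything'."""
    action: str                    # "allow" or "block"
    proto: Optional[str] = None    # "tcp", "udp" or None
    dst: Optional[str] = None      # destination IP or None
    dport: Optional[int] = None    # destination port or None

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst is None or self.dst == dst)
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], proto: str, dst: str, dport: int,
           default: str = "allow") -> str:
    """Evaluate one outbound packet: the first matching rule wins.
    Traffic that matches no rule gets the router's default (allow here,
    so browsing on ports other than 53 is unaffected)."""
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action
    return default


def opendns_egress_rules() -> List[Rule]:
    """The article's rule set, in the order it must be applied:
    1-2: allow DNS (TCP and UDP) to each OpenDNS resolver,
    3:   block every other DNS request (TCP and UDP port 53)."""
    rules = [Rule("allow", proto, ip, DNS_PORT)
             for ip in OPENDNS for proto in ("tcp", "udp")]
    rules += [Rule("block", proto, None, DNS_PORT) for proto in ("tcp", "udp")]
    return rules


def resolver_reachable(rules: List[Rule], resolver_ip: str) -> bool:
    """Would a lookup sent to this resolver get out of the network?
    With the article's rules only the OpenDNS addresses return True,
    which is what the Testing section verifies by hand."""
    return decide(rules, "udp", resolver_ip, DNS_PORT) == "allow"


def to_iptables(rules: List[Rule]) -> List[str]:
    """Render the rules as iptables FORWARD-chain commands. Assumption:
    this is the same policy on a Linux-based router; the Draytek's web UI
    is different, as the article's screenshots show."""
    lines = []
    for r in rules:
        parts = ["iptables", "-A", "FORWARD"]
        if r.proto:
            parts += ["-p", r.proto]
        if r.dst:
            parts += ["-d", r.dst]
        if r.dport:
            parts += ["--dport", str(r.dport)]
        parts += ["-j", "ACCEPT" if r.action == "allow" else "DROP"]
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    rules = opendns_egress_rules()
    # 8.8.8.8 is one of the public resolvers mentioned in the comments.
    for ip in OPENDNS + (ISP_DNS, "8.8.8.8"):
        state = "allowed" if resolver_reachable(rules, ip) else "blocked"
        print(f"DNS to {ip:16} -> {state}")
    # Constructed destination showing that non-DNS traffic is untouched.
    print("HTTPS to 203.0.113.10   ->", decide(rules, "tcp", "203.0.113.10", 443))
    # Put the block rule first and even OpenDNS is cut off: order matters.
    print("OpenDNS with block rule first ->",
          resolver_reachable(list(reversed(rules)), OPENDNS[0]))
    print("\n".join(to_iptables(rules)))
```

Running it prints which resolvers get through and the six iptables lines; the reversed-order case is the mistake to watch for when entering the rules on a router, since the block rule must come last.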


Comments

12 responses to “How to protect your family from bad websites.”

  1. OpenDNS have a standard test site which tells you whether it is working or not. This will work regardless of the filter settings you choose on OpenDNS and it avoids the risk of seeing offensive material when you are testing.

    http://www.internetbadguys.com

    Also, web browsers often cache material. So if you change to OpenDNS and it is not working straight away, clear the cache in your web browser or try the page in a different browser.

    We use OpenDNS and like it. It’s very simple and they update the list of blocked sites so we don’t have to. But it isn’t perfect and we now have our own filtering software as well.

    1. Thanks Glen for the internetbadguys.com test site! I’ve put it in the article. I searched and couldn’t find it but thought there must be such a test site somewhere.

  2. Wayne,

    What a great blog post! Thanks for sharing how OpenDNS, when set on the home routers, will secure every device on the network, anywhere they travel. We are lucky to have lots of Australian users helping make OpenDNS the world’s fastest-growing Internet security and DNS service.

    We’d love to send you a t-shirt as thanks for helping us spread the word about OpenDNS. Send me your size and an address when you can.

    Thanks again!

  3. Brian

    Ahhh… OpenDNS is soooo close to being *THE* solution we need to stop a nagging problem we’re having with our son. We absolutely need the control and security OpenDNS provides… BUT we need it when he’s away from our home network.

    From what I’ve seen we can block and control everything we ever wanted when we’re at HOME using our HOME network. But we need to extend that blocking to MOBILE devices like the IPAD. One of our older sons is away at a very expensive, very strict school. We’ve had to supply him with an IPAD. Although the school is pretty tough with IT security, our son and his peers keep downloading different texting and social networking apps until they find one that’s not blocked. Their persistence always pays off and they’re able to skirt school security.

    This is a huge pain in the neck. I’ll skip the commentary about sneaky kids… but what we really need is a solution. It would be fantastic to “program” the IPAD itself to go directly to OpenDNS but so far, we don’t have that option. I can configure my home network to use OpenDNS, but that still leaves his IPAD wide open when he’s away.

    Any ideas (short of convincing the school to use OpenDNS enterprise) for implementing this type of blocking? We cannot block the ITunes App Store (required for classes). We cannot implement restrictions on installing new Apps (again, required for classes). We cannot Jailbreak the IPAD. We can totally SEE all of these nefarious apps because we have control over the ITunes account… but he’s 500 miles away so we can’t physically get to the device.

    It’s a tough problem… but we’re spending $30K a year on a prestigious school just so our lunkhead kid can screw around and try to weasel around the rules. Anything we can do with OpenDNS to thwart him would be fantastic.

    Thanks for the blog post… I just wish we had that final missing piece to solve our problem.

  4. It is very important to monitor your children when they are on the internet. The first thing to do is to tell them what you expect of them when they are online, and which sites you don’t want them to go to. But even when you remind them, you still need to always keep an eye on them. One thing you can do is not allow them to have the computer in their room. Leave the computer in the living room or family room so there is more control.

  5. Nicholas Bull

    Worked really well, thank you. Had to adapt it to my router but dead chuffed with the result. With the Draytek 2130 just leave that space blank, no need to put ‘any’ in.

  6. POOR SOLUTION FOR QUESTIONABLE CONTENT

    After extensive testing, we’ve found that OpenDNS is *not* a suitable filtering solution for questionable content. If you want to keep people away from it who might go looking for it, you need something else.

    1) Easy to bypass. It is very easy for the average teenager to get around OpenDNS on most home or SOHO routers. All they need to do is set their own DNS address (like 4.2.2.1 or 8.8.8.8) on their computer. Ask Google how to bypass OpenDNS and these YouTube instructions are the #1 result: http://www.youtube.com/watch?v=F_Q2WyffZNI

    (Some routers [like the NetGear WNDR4500] will enforce the OpenDNS servers for DNS access, so the local user can’t get around it. But ours does not log blocked requests properly, and see issue #2…)

    2) Anti-family-friendly filtering policy. OpenDNS filtering policy (their own internal standards) now only blocks nudity, pornography, adult themes sites based on the “primary purpose” of a site. So many, many sites that contain significant sources of pornography, lingerie/bikini, and/or nudity are never blocked, even when a simple search will display it all.

    Note that this isn’t about the technical limitations of DNS filtering (can’t block by page, only by site), it’s about a mindset that OpenDNS engineers adopted and now vigorously guard. They could change their policies to block sites that aggregate or act as gateways to pornography, or they could add a special category for that level of filtering, but they refuse to do so and belittle requests for it. (Search their support forums for the word “rejected” or “taliban” and read the discussion threads.) If the main page of a site doesn’t shove bad content in your face, the site will not be blocked 90% of the time. So any teenager willing to enter one search term to search for these images will find boatloads of them. What good is that?

    Examples from bypasses we encountered in a teenager-frequented environment:

    Example 1: imgur.com is specifically and deliberately not blocked for all these categories, but it contains lots of offensive material. (You can prove this by doing a Google Image search (Settings > explicit filtering off) for “site:imgur.com bikini” without the quotes, or worse search terms. This shows you that the material is there.) If you click any of those images to go to the site, OpenDNS does not block you, and it takes you to pages filled with nothing but that content. Most kids would go there another way, but this is a fast way to see the content.

    Example 2: vimeo.com (search for blonde or redhead and the problem is immediately obvious).

    Example 3: tumblr.com (enter any search term on the home page; even explicit images from blocked subdomains appear here).

    OpenDNS provides no way to filter out aggregation sites like this: no option, nothing. Not even the milder “adult themes” filter works for them.

    We really wanted to like OpenDNS and recommend it to the world, but the strong anti-censorship element/attitude inside the company is insurmountable. When they will not create more stringent categories or categorize gateway sites for the kind of offensive content they can aggregate, we’re left without options.

    Time to look elsewhere.

    1. Thanks Kevin,
      (1) My article describes how to stop this – the last bit about blocking DNS requests means people can’t bypass the DNS.

      (2) Thanks for pointing this out. You are correct there are ways round it. Covenant eyes, X3 watch and so on are a step up if you want something a bit stronger. Do you have any other recommendations? In my case I trust myself and my kids to be wise in what we look at, and just want something to stop obvious obscene sites.

      (3) OpenDNS has the additional problem that it makes iTunes downloads slow.

    2. Macster

      In order to prevent users (kids) from bypassing this using a different DNS, block port 53 on your router. I have done so on my router, and even if you use any other router you are forced to use OpenDNS… this also blocks proxies too.

  7. George

    Very nice. How did you get the Draytek to update your IP without running the OpenDNS updater on one of your computers?

    1. You just put the DNS settings straight into the Draytek router as per the article.

  8. Paulo

    Hello,
    I find this very interesting but I can’t understand how it can use OpenDNS with your personal settings!
    You just give the router the DNS… And what about the account details?
    How can the router translate your personal settings from OpenDNS?
    Thanks,
