I’ve talked at great length about using OpenDNS to filter in the cloud. You’re dying to know more, I can tell. Here you go. But first, the theory.

How Open DNS works

I’m sure you read my blog, right? Surely, you already know this!? Don’t call me Shirley.

At the very least, you should understand what DNS is. A good primer is here:

https://pookyandthegeek.com/2013/10/16/dns-wizardry-for-muggles/

Yeah I’ve resorted to a shameless plug for my own blog.

First, the cliff notes. I know a guy named Cliff, he’s a swell guy. And he’d approve of these notes.cliffsnotes

1. To connect to the Internet, your computer uses an IP Address, not a website address (or for the more technical of you, the DNS name).

2. To translate a website address like starwars.com to its IP Address 199.181.132.250, your computer uses DNS.

3. To see DNS in action on a Windows PC, click the start button, then type CMD and press enter. This opens a command prompt.

commandprompt

4. From within the command prompt, send some ICMP Packets (think of it like tossing a ping pong ball at something to see if it responds) to a website. You can do this by typing PING, followed by the name of the website. For example, in my screen shot, I’m pinging starwars.com by typing PING STARWARS.COM followed by pressing enter on the keyboard. Watch the magic.

pinged

Your computer uses DNS to determine that at this point in time, Starwars.com can bestormtroopers reached at the IP Address of 199.181.132.250. Yeah, with a Star Wars marathon going on right now on the TNT channel, I’m kind of biased here. Sorry.

So your computer now knows that if it wants to go to Starwars.com, behind the scenes it connects to that IP Address and botta bing. Stormtroopers.

 

That’s the magic of DNS. There are many DNS servers in use throughout the Internet. Typically, our Internet Service Provider assigns one to us and we don’t even know it’s there. But because we’re uber l33t, we want to have our computer use OpenDNS servers so the folks at OpenDNS can do some content filtering for us. How? Let me explain. Once again, cliff notes.hulk-computer

  1. The Incredible Hulk wants to purchase illegal performance enhancing green drugs off the Internet and roid out while playing virtual poker on an online gambling site. Captain America is aware of this terrible behavior taking place from the Avengers base, and as the network guy, decides to block him.
  2. He sets up an OpenDNS account and blocks the category for Drugs and Gambling.
  3. Hulk tries to access a gambling site. He types in the website name and attempts to connect.
  4. The computer connects to an OpenDNS server to translate the website name to an IP Address.
  5. The OpenDNS server sees the request coming from the Avengers base, and recognizes that traffic coming from that network shouldn’t be accessing a gambling site, based on the OpenDNS category block settings.
  6. The OpenDNS server sends Hulk an IP Address to an OpenDNS block page, instead of the gambling page.
  7. An OpenDNS block page appears in Hulk’s web browser.
  8. Hulk realizes he shouldn’t gamble, and decides to change his wayward ways. No more smash.

So now that you understand the high level, let’s get more specific.

Take note that there are a lot of numbered lists in this blog. That means I’m serious here.

I’m stepping on the toes of the setup guide OpenDNS provides, which is actually quite good. Their directions, which are much more better than mine, is here: https://support.opendns.com/entries/53936430-Configuring-OpenDNS-on-your-Network

  1. Go to https://www.opendns.com/home-internet-security/ and Sign Up for a free Personal account.
  2. captainYou’ll have to provide, at the very least, a valid email address. I highly recommend creating a generic email account for all your Spam-related sign up stuff. For example, if your normal email address is America@gmail.com, consider creating a new account called Captain.Spam.America@gmail.com and only use this account for signing up for junk on the Internet. You know, deep down, that they will send you tons of junk emails if you sign up for stuff.
  3. Log into your newly created account, and set up a network to monitor. For our sample Captain America, he wants to block the Hulk from purchasing illegal performance enhancing drugs at the Avengers base. With that goal in mind, he creates a network called TheAvengersBase.
  4. Enter the settings for your network, and you can set up your categories for Web Content Filtering.
  5. blockdrugsCaptain checks off Drugs and Gambling. The Hulk better behave now. Making and saving the changes generally takes a few minutes to take effect.
  6. Download the OpenDNS updater client. This needs to run on a computer inside your home all the time, so OpenDNS knows who you are and where you’re coming from when on the Internet. Download it here: https://support.opendns.com/entries/23282614-Where-do-I-download-an-OpenDNS-Dynamic-IP-updater-client-
  7. updaterInstall and run the updater client. It will ask you for your OpenDNS login credentials.
  8. Once you have it set up, it will periodically check in with the OpenDNS servers to make sure they know who you are, and where you are coming from.
  9. Configure your computer to use the OpenDNS servers of 208.67.222.123 and 208.67.220.123. There are several ways to do this – either on a single computer by tweaking its IP Address settings, or (better yet) by tweaking the DHCP options on your router for every computer that connects to your house and wants to hit the Internet.routerdnssettings
  10. Remember my blog post on taming your router with style and grace? Of course you do. https://pookyandthegeek.com/2013/12/01/taming-your-router-with-style-and-grace/
  11. For my home DHCP server, I forced it to use the OpenDNS servers. Now everyone who connects to my network or wireless goes through OpenDNS.
  12. Test everything to make sure it works.

An added step that OpenDNS doesn’t think about is you may want to create an Access List on your router to only allow access to the OpenDNS servers and block all other DNS traffic. This is called egress filtering (a big twelve dollar word) and prevents the Hulk from sneakily modifying his DNS Server settings to try and get around OpenDNS. Boom. Hulk smashed. Egress filtering is a topic for another post, as I haven’t done it justice at all. This basic approach above will keep most users at bay.

Something doesn’t work? Ping me. I’m here to help.

Advertisements