Web Content Filtering with OpenDNS
Once in a while, you come across a gem that you just want to share with others. I recently stumbled upon OpenDNS, and I've had such a good experience with it, I thought I'd write a bit about it. For the record, I have no affiliation with OpenDNS, except that I'm a happy user of this free service.
A week or so ago, I volunteered to do some networking for a small local church that runs a coffee shop as a community outreach program. In addition to having the best coffee in town, the church wanted to provide free Wi-Fi. But, because this is primarily a church outreach, the project leaders obviously were concerned about being able to filter inappropriate Web activity. My plan was to install a WRT54 router and flash it with DD-WRT or OpenWRT, so that I could install a content filter such as DansGuardian. I wasn't very excited about having to maintain the content blocking mechanism though. Content blocking is a difficult, sometimes ugly job, and the church didn't have a budget to pay for even an inexpensive filtering service.
While researching the final configuration, I came upon a link to OpenDNS. I like “Open” and I like “DNS,” so I clicked on the link out of curiosity, never expecting that this service would be a simple and complete solution to my content filtering problem. OpenDNS is a free service that enables you to block content you deem inappropriate at the DNS level. There's no need for any proxy configuration on either the client or the server. All you have to do is arrange for your servers and clients to use the OpenDNS DNS servers instead of the DNS servers provided by your Internet provider. Once that is done, if users try to access a Web site that provides inappropriate content, they are redirected to an OpenDNS Web site that tells them the site has been blocked and why.
OpenDNS categorizes content into more than 50 categories that can be blocked on an individual basis. In addition to the obvious categories, OpenDNS also can block video sharing, classifieds, games, p2p and so on. The categories are pretty self-explanatory, and the Web site is easy to use. By selecting which categories to block, you can implement almost any content filtering policy you can imagine. In fact, the Web site indicates that this service is targeted at corporations and schools that can't afford to...um...expose themselves to potential litigation.
If the established categories are too restrictive, or too broad, OpenDNS provides a whitelist and blacklist capability that can be applied to individual domains. For example, I had created a policy for the church that blocked access to all video sharing sites, only to find that the Pastor uses YouTube to download teaching materials. So the solution was to keep the video sharing block in place, but to whitelist youtube.com explicitly. This was a simple operation that I performed while he watched.
To start using OpenDNS, you have to sign up as a user. You then associate networks to your user account, and each network can have a separate filtering policy. Once I had signed up, I created a separate policy for the church, for my home and for my business. The OpenDNS servers use the source IP address of each DNS request to determine from which network the request comes and, thus, which policy to apply to the request. If the name resolution request is for a site that isn't being blocked, OpenDNS returns the appropriate address just like any other DNS server. On the other hand, if the request is for a domain that provides content contrary to the policy in effect, the OpenDNS server returns an address that points to a Web site explaining that the request has been blocked.
Another nice bonus to using OpenDNS is that it fixes mistyped URLs. For example, if you try to visit http://www.google.con (note the last character of the name is an “n” and not an “m”), OpenDNS is smart enough to figure out that you really meant to go to a search engine, not a “con” engine. OpenDNS simply redirects your request, and you end up where you intended to be. If you try to visit http://www.google.gov, OpenDNS knows that there is no such domain name and presents you with a list of suggested destinations. It works amazingly well.
If that wasn't enough, it has one more interesting feature: shortcuts. The shortcut feature allows you to define mnemonic shortcuts for Web sites you use frequently. For example, I created a shortcut, “gg”, that takes me to Google. So all I have to do is type two gs on the URL toolbar and press Enter, and soon enough, I'm at Google. You even can map a shortcut to a more complex URL, including full path or cgi form parameters.
The OpenDNS Web site claims that because its servers are geographically distributed, OpenDNS can make Web sites load noticeably faster. I can't honestly say it seems that much faster, but it sure isn't any slower (even though it's enforcing a content filtering policy with each request). The transition to OpenDNS was completely seamless, and in normal, appropriate browsing, you'd never know the difference.
I don't think anyone would be surprised to hear that OpenDNS also provides detailed statistics and graphs that show where your users are trying to go on the Internet. By clicking on the STATS tab on the OpenDNS Web site's dashboard, you can get a list of all the domains that were resolved for your networks by OpenDNS, and which ones were blocked according to your filtering policy. You also can see graphs showing how many requests were made each hour or each day.
As mentioned previously, when you try to access a Web site that violates policy, you are redirected to an OpenDNS Web site explaining that the site you tried to access has been blocked because it belongs to one or more blocked categories. You also are presented with a couple innocuous advertisements; these ads are the ONLY way OpenDNS makes money. It's ironic that the more people violate your filtering policy, the more money OpenDNS makes! For the most part though, OpenDNS is completely unintrusive and most users will never know they are using it.
Configuring my servers to use OpenDNS was easy. I simply modified my /etc/resolv.conf file and replaced the nameserver entries that were there with:
However, you have to configure your DHCP client to not overwrite the /etc/resolv.conf file with DNS information from the DHCP server. This is well documented in the manual, but might not be something you'd think about.
I use DHCP to point my home clients to my main DNS server for name resolution services, where I run bind. So, in order to get my name server to use OpenDNS, I changed /etc/bind/named.conf to contain a paragraph like this:
On the other hand, if I wanted to point my DHCP clients directly to OpenDNS, I'd change /etc/dhcp/dhcpd.conf so that it contained a line like the following:
option domain-name-servers 188.8.131.52, 184.108.40.206;
If you're using a consumer-grade router as your Internet gateway, configuring it to use OpenDNS is usually trivial.
One final configuration note is in order though. In a potentially hostile network environment, such as a public Wi-Fi cafe like the one I described earlier, you MUST configure a firewall that blocks DNS traffic to any address other than the OpenDNS servers. Otherwise, you may find yourself telling a church Pastor that no one can access porn on his network, only to find out that they can—I don't even want to be in the same room when that demonstration fails.
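The firewall restriction described above, as an added example that is not part of the original article: a shell function that prints (and does not apply) iptables rules allowing forwarded DNS only to approved resolvers. The interface name br0, the chain name DNSLOCK and the 192.0.2.x addresses are assumptions; substitute your LAN interface and the OpenDNS resolver addresses.

```shell
#!/bin/sh
# Added example: generate iptables rules that confine client DNS lookups to
# approved resolvers. Rules are only printed, so they can be reviewed first.
# Assumptions: br0 is the router's LAN-side interface; 192.0.2.1 and 192.0.2.2
# are placeholders standing in for the OpenDNS resolver addresses.

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: dns_lockdown_rules LAN_IF RESOLVER [RESOLVER...]
dns_lockdown_rules() {
    lan_if=$1
    # An empty allow-list would reject every lookup, so refuse to build one.
    [ $# -ge 2 ] || { echo "refusing: no resolvers given" >&2; return 1; }
    shift
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad resolver address: $ip" >&2; return 1; }
    done
    # Dedicated chain, jumped to from the top of FORWARD so that an earlier
    # "accept everything from the LAN" rule cannot shadow the restriction.
    echo "iptables -N DNSLOCK"
    echo "iptables -I FORWARD 1 -i $lan_if -j DNSLOCK"
    for proto in udp tcp; do
        for ip in "$@"; do
            # RETURN hands approved lookups back to the normal FORWARD policy.
            echo "iptables -A DNSLOCK -p $proto -d $ip --dport 53 -j RETURN"
        done
        # DNS to any other server is refused, so clients fail fast.
        echo "iptables -A DNSLOCK -p $proto --dport 53 -j REJECT"
    done
}

dns_lockdown_rules br0 192.0.2.1 192.0.2.2
```

Both UDP and TCP are covered because DNS uses either; the rules act on forwarded traffic only, so a resolver running on the router itself is unaffected.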
So there you have it. If you spend about five minutes doing configuration work, you'll have the beginnings of a very solid content filtering capability, and it won't cost you a dime.
Mike Diehl is a freelance Computer Nerd specializing in Linux administration, programming, and VoIP. Mike lives in Albuquerque, NM, with his wife and 3 sons. He can be reached at email@example.com