Web Content Filtering with OpenDNS

Once in a while, you come across a gem that you just want to share with others. I recently stumbled upon OpenDNS, and I've had such a good experience with it, I thought I'd write a bit about it. For the record, I have no affiliation with OpenDNS, except that I'm a happy user of this free service.

I week or so ago, I volunteered to do some networking for a small local church that runs a coffee shop as a community outreach program. In addition to having the best coffee in town, the church wanted to provide free Wi-Fi. But, because this is primarily a church outreach, the project leaders obviously were concerned about being able to filter inappropriate Web activity. My plan was to install a WRT54 router and flash it with DD-WRT or OpenWRT, so that I could install a content filter such as DansGuardian. I wasn't very excited about having to maintain the content blocking mechanism though. Content blocking is a difficult, sometimes ugly job, and the church didn't have a budget to pay for even an inexpensive filtering service.

While researching the final configuration, I came upon a link to OpenDNS. I like “Open” and I like “DNS,” so I clicked on the link out of curiosity, never expecting that this service would be a simple and complete solution to my content filtering problem. OpenDNS is a free service that enables you to block content you deem inappropriate at the DNS level. There's no need for any proxy configuration on either the client or the server. All you have to do is arrange for your servers and clients to use the OpenDNS DNS servers instead of the DNS servers provided by your Internet provider. Once that is done, if users try to access a Web site that provides inappropriate content, they are redirected to an OpenDNS Web site that tells them the site has been blocked and why.

OpenDNS categorizes content into more than 50 categories that can be blocked on an individual basis. In addition to the obvious categories, OpenDNS also can block video sharing, classifieds, games, p2p and so on. The categories are pretty self-explanatory, and the Web site is easy to use. By selecting which categories to block, you can implement almost any content filtering policy you can imagine. In fact, the Web site indicates that this service is targeted at corporations and schools that can't afford to...um...expose themselves to potential litigation.

If the established categories are too restrictive, or too broad, OpenDNS provides a whitelist and blacklist capability that can be applied to individual domains. For example, I had created a policy for the church that blocked access to all video sharing sites, only to find that the Pastor uses YouTube to download teaching materials. So the solution was to keep the video sharing block in place, but to whitelist youtube.com explicitly. This was a simple operation that I performed while he watched.

To start using OpenDNS, you have to sign up as a user. You then associate networks to your user account, and each network can have a separate filtering policy. Once I had signed up, I created a separate policy for the church, for my home and for my business. The OpenDNS servers use the source IP address of each DNS request to determine from which network the request comes and, thus, which policy to apply to the request. If the name resolution request is for a site that isn't being blocked, OpenDNS returns the appropriate address just like any other DNS server. On the other hand, if the request is for a domain that provides content contrary to the policy in effect, the OpenDNS server returns an address that points to a Web site explaining that the request has been blocked.

Another nice bonus to using OpenDNS is that it fixes mistyped URLs. For example, if you try to visit http://www.google.con (note the last character of the name is an “n” and not an “m”), OpenDNS is smart enough to figure out that you really meant to go to a search engine, not a “con” engine. OpenDNS simply redirects your request, and you end up where you intended to be. If you try to visit http://www.google.gov, OpenDNS knows that there is no such domain name and presents you with a list of suggested destinations. It works amazingly well.

If that wasn't enough, it has one more interesting feature: shortcuts. The shortcut feature allows you to define mnemonic shortcuts for Web sites you use frequently. For example, I created a shortcut, “gg”, that takes me to Google. So all I have to do is type two gs on the URL toolbar and press Enter, and soon enough, I'm at Google. You even can map a shortcut to a more complex URL, including full path or cgi form parameters.

The OpenDNS Web site claims that because its servers are geographically distributed, OpenDNS can make Web sites load noticeably faster. I can't honestly say it seems that much faster, but it sure isn't any slower (even though it's enforcing a content filtering policy with each request). The transition to OpenDNS was completely seamless, and in normal, appropriate browsing, you'd never know the difference.

I don't think anyone would be surprised to hear that OpenDNS also provides detailed statistics and graphs that show where your users are trying to go on the Internet. By clicking on the STATS tab on the OpenDNS Web site's dashboard, you can get a list of all the domains that were resolved for your networks by OpenDNS, and which ones were blocked according to your filtering policy. You also can see graphs showing how many requests were made each hour or each day.

As mentioned previously, when you try to access a Web site that violates policy, you are redirected to an OpenDNS Web site explaining that the site you tried to access has been blocked because it belongs to one or more blocked categories. You also are presented with a couple innocuous advertisements; these ads are the ONLY way OpenDNS makes money. It's ironic that the more people violate your filtering policy, the more money OpenDNS makes! For the most part though, OpenDNS is completely unintrusive and most users will never know they are using it.

Configuring my servers to use OpenDNS was easy. I simply modified my /etc/resolv.conf file and replaced the nameserver entries that were there with:

nameserver 208.67.222.222
nameserver 208.67.220.220

However, you have to configure your DHCP client to not overwrite the /etc/resolv.conf file with DNS information from the DHCP server. This is well documented in the manual, but might not be something you'd think about.

I use DHCP to point my home clients to my main DNS server for name resolution services, where I run bind. So, in order to get my name server to use OpenDNS, I changed /etc/bind/named.conf to contain a paragraph like this:

options {

forwarders {

208.67.222.222;

208.67.220.220;

};

}

On the other hand, if I wanted to point my DHCP clients directly to OpenDNS, I'd change /etc/dhcp/dhcpd.conf so that it contained a line like the following:

option domain-name-servers 208.67.222.222, 208.67.220.220;

If you're using a consumer-grade router as your Internet gateway, configuring it to use OpenDNS is usually trivial.

One final configuration note is in order though. In a potentially hostile network environment, such as a public Wi-Fi cafe like the one I described earlier, you MUST configure a firewall that blocks DNS traffic to any address other than the OpenDNS servers. Otherwise, you may find yourself telling a church Pastor that no one can access porn on his network, only to find out that they can—I don't even want to be in the same room when that demonstration fails.

So there you have it. If you spend about five minutes doing configuration work, you'll have the beginnings of a very solid content filtering capability, and it won't cost you a dime.