Internet Filtering & Access Control Part 3: Using OpenDNS to Filter Content
This is the 3rd post in our series on controlling our kids’ access to the Internet, both when they can get on and what they can reach when they are online. In the first post we discussed the basics of how computer networks function, using the analogy of a phone system at our Blog, She Wrote Headquarters (HQ), with directory assistance representing the work of Domain Name System (DNS) servers. In this analogy, the router plays the part of a receptionist who handles all outgoing and incoming calls between our internal phone system (ext. 1, ext. 2, etc.) and the external phone system (the rest of the world). We also talked about how, in the computer world, the IP addresses (the numbers the computers use to call one another, similar to phone numbers at our Blog, She Wrote HQ) are constantly changing (every couple of days or so), even for external websites.
To handle that, the Internet has the Domain Name System (DNS), where DNS servers are spread around to act as directory assistance for the world. Whenever your computer wants to browse a web site, like your favorite www.blogshewrote.org, your computer contacts the local DNS server to ask for the IP address of the Blog, She Wrote server, and the DNS server looks that up in a constantly updated directory. Without that service you would be stuck, since your computer would not know what the current number is for that server. Just like our receptionist, the DNS server sits in a powerful position, as without the DNS server, our computer could not find the websites we are trying to reach.
A company recognized how the position of the DNS server could be helpful for Internet filtering and has set up a business around that service. The service is called OpenDNS. The idea behind OpenDNS is that by not giving out the IP addresses (phone numbers) of sites you don’t want anyone in your family to reach (www.evilsite.com), your devices won’t be able to reach them, no matter how hard they try. It won’t matter if it is an iOS device, a laptop, or a tablet: if the network won’t tell the device how to reach a site, it can’t. All of this is done by your computer network, not the device, so you don’t need to install software on the device itself.
Getting Started with OpenDNS
The service is free for families (they charge for businesses) and fairly easy to set up.
- Go to the OpenDNS website and set up an account.
- You then need to tell your network to use the OpenDNS DNS server instead of your local ISP DNS server. The DNS server information is given out to devices when they are assigned an IP address by the router. You can tell the router to give out the OpenDNS server information instead of the local one in the router settings.
- The OpenDNS site has a good set of instructions on how to do this for most major router models.
Using OpenDNS for Content Filtering
In your account options on the OpenDNS site, you have many different ways to select the filtering you want to do. Content filtering is often done using whitelists or blacklists. Blacklists are designed around the idea that you maintain a list of sites you want to block, and allow everything else. Whitelists are the opposite of that, where you block everything by default, and only allow sites that are on the approved list. Neither method is perfect at filtering. With a blacklist, you have to work hard to maintain an accurate list of bad sites with a constantly changing Internet. Any new bad sites are not on your excluded list until you learn about them and add them in. Whitelists suffer from blocking most of the world, and only letting in a small portion that is already approved. Many good sites will be blocked since you don’t know anything about them yet, and a previously good site can start posting bad content and be approved until you notice and remove it from the whitelist.
OpenDNS works under the blacklist mode, with their own internal categorization of sites. They assign websites to various filtering categories, and either block or allow on your network based on the options you select. So, you can choose to block all adult sites as well as social networking sites like Facebook, or only block adult sites. They work hard to maintain the lists as they are the basis for the filtering of the commercial service they sell to companies. You also have the option to add your own list of sites to either always block or always allow as well. That way you can customize it based on your individual needs. When someone on your network tries to reach a blocked site, they are redirected to an OpenDNS webpage telling them that it is blocked and what categories it is blocked under. That way you know why you cannot reach the webpage.
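The filtering decision described above can be modeled in a few lines. This is an added example, not OpenDNS code: the category table, the `.example` domains, the function names, and the choice to check the custom allow list before the block list are all assumptions made for illustration.

```python
# Constructed category directory standing in for the provider's own
# categorization of sites (sample data, not real category assignments).
CATEGORIES = {
    "evilsite.com": {"adult"},
    "facebook.com": {"social networking"},
    "blogshewrote.org": {"blogs"},
}

def parents(domain):
    """Yield the name and each parent: www.a.com -> www.a.com, a.com, com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def listed(domain, entries):
    """True if the domain or any of its parent domains is in entries."""
    return any(p in entries for p in parents(domain))

def decide(domain, blocked_categories, always_allow=(), always_block=(),
           mode="blacklist"):
    """Return (allowed, reason) for one DNS lookup."""
    # Custom lists are consulted first (ordering is an assumption of this model).
    if listed(domain, set(always_allow)):
        return True, "always-allow list"
    if listed(domain, set(always_block)):
        return False, "always-block list"
    if mode == "whitelist":
        # Whitelist: anything not explicitly approved is refused.
        return False, "not on approved list"
    # Blacklist: refuse only if a known category of the site is blocked.
    cats = set()
    for p in parents(domain):
        cats |= CATEGORIES.get(p, set())
    hit = cats & set(blocked_categories)
    if hit:
        return False, "category: " + ", ".join(sorted(hit))
    return True, "no blocked category"

if __name__ == "__main__":
    for name in ("www.evilsite.com", "www.facebook.com", "new-bad-site.example"):
        print(name, decide(name, {"adult"}))
```

The last lookup shows the blacklist weakness from the text: a site nobody has categorized yet is allowed. The same name is refused under `mode="whitelist"`, along with every good site that has not been approved.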
One last challenge to deal with is that the OpenDNS servers are getting many DNS requests from many different computers, so they need to know which requests are from your network to know what filtering to apply. To do that, their computers need to know the external IP address of your router (you can find it at www.whatismyip.com). The challenge is that this number can change every couple of days, so you will need to constantly update OpenDNS with the new number to keep the filtering correct. To make this easy, OpenDNS has created a small program that only needs to run on one computer in your network. It checks the external IP address of your network every now and then, and automatically updates OpenDNS with any changes that occur. It is better to choose a computer that spends most of the time at home, not a laptop that is taken to and from work or school regularly. Otherwise OpenDNS will be updated with the wrong IP address when the computer is off-site, and your filtering will go away until it returns home. On our home network, this is handled automatically by my router, but explaining that setup is beyond the scope of this post. The OpenDNS site would have some information on how to do that for those who are interested.
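The following added example (not OpenDNS code) simulates that bookkeeping: a resolver that picks the account by the request’s source address, and an updater that reports the address it sees whenever it changes. The class names, the one-address-per-account rule, and the addresses (documentation ranges) are assumptions of this model.

```python
NO_ACCOUNT = "no account matched (unfiltered)"

class FilteringResolver:
    """Model of the service side: maps a source IP to the account's filtering."""
    def __init__(self):
        self.registered = {}              # external IP -> account name

    def update(self, account, external_ip):
        # Model assumption: one registered address per account, so the
        # previous address is dropped when a new one is reported.
        self.registered = {ip: a for ip, a in self.registered.items()
                           if a != account}
        self.registered[external_ip] = account

    def policy_for(self, source_ip):
        return self.registered.get(source_ip, NO_ACCOUNT)

class Updater:
    """Model of the small program: reports the external IP when it changes."""
    def __init__(self, resolver, account):
        self.resolver, self.account, self.last_ip = resolver, account, None

    def check(self, seen_external_ip):
        if seen_external_ip == self.last_ip:
            return False                  # unchanged, nothing is sent
        self.resolver.update(self.account, seen_external_ip)
        self.last_ip = seen_external_ip
        return True

def simulate():
    """Return (event, filtering applied to requests from home) per step."""
    resolver = FilteringResolver()
    updater = Updater(resolver, "family")
    # Constructed addresses from the RFC 5737 documentation ranges.
    home_old, home_new, school = "203.0.113.10", "203.0.113.77", "198.51.100.5"
    steps = []
    updater.check(home_old)
    steps.append(("address registered", resolver.policy_for(home_old)))
    # The ISP assigns a new address before the updater has run again.
    steps.append(("ISP changed address", resolver.policy_for(home_new)))
    updater.check(home_new)
    steps.append(("updater ran at home", resolver.policy_for(home_new)))
    # The updater is on a laptop and runs while the laptop is at school.
    updater.check(school)
    steps.append(("updater ran off-site", resolver.policy_for(home_new)))
    return steps

if __name__ == "__main__":
    for event, policy in simulate():
        print(f"{event:22} -> {policy}")
```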
Have a Question? Leave a Comment!
I hope you have found this information useful as you work to guide your kids towards responsible use of the Internet. Feel free to post any questions or follow-ups in the comments and I will try to respond as best as I can.
Thank you for such an informative series on internet filter. We have Safeeyes and I’m less than thrilled with it. We’ve had more trouble with it over the past two years and it was recommended by a computer techie we know to set up controls via OpenDNS. Your post has definitely helped me understand a lot and hopefully I can tackle this beast soon. The internet is wonderful and awful all in the same breath.
You are welcome Melissa!
I hope the directions will help you to set it up. If you have questions, feel free to email for some help.
Heather
Thank you both for this article causing me to ask questions and heighten my awareness of web discernment. I’ve been trying to have less paper printed for our daily, homeschool assignments. So have created a “dashboard” blog site where each kid can see assignments and embedded youtube videos etc. I’d like to lock down that url on each of the desktop computers with access most of the time, but I’m not sure the above is the method by which to use. I’m thinking it’s a firewall, but that isn’t something I’m sure how to do, yet. Is that diagnosis correct? Chrome says it can be locked, but not all the way. I haven’t checked other browsers. Plus, my kids have kindle fires and a wireless only samsung galaxy 3 with various browsers I’d have to figure out how to lock during certain hours of the day/week.
Oh the joy of the internet…
Thanks again.
Hi Dee- Here is Dan’s response for you!
The challenge with your proposed locking down of a computer is that even your blog will require the computer to reach content outside of your blog. For example, if you want to only have the blog accessible, you could set OpenDNS to block everything but your site. But, if you embed a YouTube video on your site, that means the video shows up on your blog page, but the content (the video) still exists and is played from the YouTube servers. So, none of the videos would show since YouTube was blocked. If you allowed access to YouTube in OpenDNS, the embedded videos would appear, but direct access to YouTube would also be available. Additionally, OpenDNS would be all or nothing, not on a timed basis. Using the router to do the blocking would allow you to control the times when they were available, but the first problem would still be there. I am not sure you will be able to lock down the computer to only your blog while still allowing embedded content from other sites (i.e. YouTube). I believe that issue will exist no matter how you try to solve it (OpenDNS, router, or other methods).
You mentioned Firewalls in your comment, as they can be used for this type of function, but I avoid using them. A firewall is a set of software rules that exist on a computer to control the flow in and out of data on the device’s network connection. If we take my office phone system analogy a bit further, where the router takes the place of the phone operator for your home, the firewall would be your personal receptionist who screens your incoming and outgoing calls for each phone (1 for each phone). Firewalls are generally used for security reasons, not access filtering. Their main job is to keep viruses and other programs from dialing in and out without permission. The basic firewalls that come built in to modern operating systems (iOS or Windows) are generally not designed to filter on varying schedules, but instead run with a set of rules 24/7 like OpenDNS. You can purchase specialized filtering software that would offer more functionality, but I prefer to do that work at the network level. The reason is that the portable devices you mentioned (Kindles, Samsung Galaxy 3, etc.) generally can’t run that software so your solution becomes very fragmented. By doing it at the network level, all devices you specify, independent of what software they run, are affected.
Good luck on getting the Internet and your homeschooling to coexist peacefully!
Dan
What a great and informative series of posts!! Kudos to you! It’s not easy to write about such technical stuff and make it understandable to the masses as well as a pleasure to read. I do have a question for your hubby. My husband and I have a very similar set up with our network. At this time we use AirPort Utility to manage the times our kids can be online. We have also tried Open DNS. The issue that I am running into is that we have 4 kids here during the day who all work on separate computers to do online school. What I would love to be able to do is block access to sites other than their school sites during school time. The problem is that I still need to be able to access social media and other sites during school time for my work. Is there a way that I can block only the kids’ computers from those sites for set times without blocking myself?
Btw, I love these posts so much that I’m sharing them with a Facebook community I belong to: https://www.facebook.com/groups/t4lhs/permalink/1019083204787373/
Yes! We block specific sites that our kids like to visit. I think you have to name the sites on your router, but I will let my husband know about this comment and ask him to answer you. Thanks Dee!
Here you go Dee- from Dan:
That would be done through router access restrictions. Most routers have the ability to do that, but you need to be able to identify the computers you wanted blocked. That is usually through the MAC address, which is hardware specific. On our system I have the router giving the same IP addresses to all of our computers, so I can block by IP address instead of MAC address, but the method is the same. My part 2 of the series covers that detail but if she is lost on how to do that from those directions then some other posts on that can be found at:
http://www.ianswerguy.com/limit-internet-access-using-router-settings/
Also suggest doing a search on their router model number and “access restrictions” for information specific to their device. Important part is to try and filter by MAC address not IP address since IP address will change from day to day but MAC address will not.
Great explanations! Is it possible to extend greater access to sites for just one computer at home while keeping the dns router blocking active for the rest of the house?
Thanks!
Eric
From Dan himself:
Yes, but it basically bypasses the OpenDNS filtering entirely. There currently is no middle ground. That can be done by setting your DNS settings manually on the computers you want unfiltered access on. Instructions for changing DNS settings can be found below:
Windows: http://windows.microsoft.com/en-us/windows/change-tcp-ip-settings#1TC=windows-7
Mac: http://www.plus.net/support/software/dns/changing_dns_mac.shtml
You can look up your normal DNS server addresses using Google (“{Your ISP Name} DNS server address”) or you can simply use Google’s DNS servers which are 8.8.8.8 and 8.8.4.4.
Dan