Saturday, August 6, 2011

Digg this

Restricting Access to Home Networks with DNS

Home Router
If you want to ensure that only acceptable websites are being browsed on your network then you may want to consider restricting sites using either your own DNS server or OpenDNS.

Before I go any further, allow me to explain the concept of DNS.  DNS stands for Domain Name System and it is basically what takes a name like or and translates it into an address like so that a computer connected to the Internet can find websites and other things.  The specifics of how DNS works in detail are beyond the scope of this post.  But
essentially, DNS determines what you can find on the Internet.

So, given that DNS is how you find things on the Internet, if you control your DNS then you control what you or other people on your network can find.  If you are a technology enthusiast then you might want to setup your own DNS server.  But if you want a simpler solution then consider using OpenDNS (

OpenDNS is a DNS provider that allows you to you create custom DNS settings based on how much security you want to enforce on your network.

To start using OpenDNS, create an account on their site, specify a network (Home, for example). And set up your router.  I have a Linksys router, so my configuration is as shown below (use the exact IPs that I have entered below for the DNS settings; they are the same as those listed on OpenDNS).

Notice that my router is configured for DHCP, that means I get a dynamic IP address.  OpenDNS matches up your account settings with your IP address, so if my IP address changes then OpenDNS will not know how to match up my settings.  Fortunately, OpenDNS has thought of that too and they allow you to download a client that communicates IP address updates from a computer in your network to OpenDNS.  And the client is available on Mac, Windows, Linux and UNIX systems.

Once you have the client installed and the DNS settings on your home router are configured like the settings above then you are using OpenDNS.  To configure the sites available in your home network, you can select from 3 pre-configured settings (High, Medium or Low), select no filter or create a custom filter (see the picture above).  You can even block individual websites that my not be included in the specific setting that you selected.

Another cool feature of OpenDNS is that you can get stats on the websites that people on your network are attempting browse.  This feature is disabled by default, but it can be turned on by going into settings, selecting Stats and Logs and then clicking Enable Stats and Logs.  Also, if you really want to have fun with it, you can create custom messages that come up in the browser of anyone who tries to access a blocked site.  In settings, select Customization and add your own custom blocked message.

You can have one network added to OpenDNS for free.  There is a charge for additional networks and for more advanced features.  But for most people, the basic feature set and the single network restriction will not be major constraints.

Finally, there is one thing that you should know about site restrictions with DNS: sites are not actually blocked with DNS; only their name resolution is blocked.  That is, if if a site is blocked in DNS then it can still be accessed by using the IP address.  Less technically savvy people would either (1) not know this or (2) consider it to be too much of a burden to try to circumvent DNS restrictions.  But there is another option.  If someone REALLY wanted to bypass DNS restrictions then they could configure their computer to use a public DNS server or a DNS server from your Internet Service Provider (ISP) instead of just taking the DNS server assigned by your home network.

In summary, OpenDNS is a good option for people looking to restrict the websites/domains accessible from their home networks, but it is not infallible.  A dedicated tech savvy person could bypass OpenDNS restrictions.  But I would say the odds of that happening are pretty minimal... unless, of course, they read this post ;)

No comments:

Post a Comment