OpenDNS provides Internet users with a free Domain Name System service accessible from any host, regardless of the network IP address used to send the request. This DNS system is gaining popularity with millions of users since it offers a series of advantages not supplied by traditional DNS services offered by Internet Service Providers.
This document lists the advantages of using OpenDNS and provides configuration instructions for Zeroshell Router/Firewall. Additionally, Zeroshell has an updater that updates OpenDNS with the dynamic IP assigned to the router. Thanks to this feature you can customize functions on the OpenDNS web dashboard to fully exploit the advanced features such as, for example, web content filter and parent control.
This document is broken into the following sections:
- OpenDNS to improve Web navigation response time
- OpenDNS and Anti Phishing protection
- Web content filter and parental control
- Internet use statistics
- URL spelling check
- URL shortcuts
- Setting up Zeroshell for OpenDNS
- Setting the Dynamic DNS Updater for OpenDNS
- Firewall setup to prevent non OpenDNS DNS use
One of the reasons for slow web navigation and other Internet service use is slow DNS response speed. Having to satisfy such a large number of requests, OpenDNS has a extremely large and updated cache. This means that if a client asks for the resolution of a name in IP, OpenDNS most probably already knows the answer, without having to ask the authoritative DNS to receive it. Moreover, OpenDNS provides recursive DNS that can directly respond to client requests. Not having to receive responses for subsequent loops helps to reduce client wait time.
One of the most dangerous navigation traps is called Phishing. A user may be tricked into providing sensitive data such as credit card information or online bank account login credentials on sites that appear to be the originals but are really only intended to acquire this information for illicit use. The names of these Phishing sites are almost exactly the same as the original ones to confuse users. They are opened by clicking hyperlinks in spam messages or by incorrectly entering address names in your web browser. Obviously, these sites do not use encrypted https protocol and thus the user doesn’t even receive invalid digital certificate warnings. Since OpenDNS has a database that contains an accurate list of sites used for Phishing, it helps you to prevent Phishing since it blocks IP address resolution and thus its display.
Simply use the two DNS, 126.96.36.199 and 188.8.131.52 to use OpenDNS to improve response time and get anti Phishing ptotection without any other worries. However, you can create an OpenDNS account to open the web dashboard where you can set the service to best meet your needs and use advanced OpenDNS services. Specifically, you can filter websites dividing them into categories deemed inappropriate for your Internet users. For example, you can disable the resolution of site names classified as containing pornographic material, that discuss illegal subjects or social networks like Facebook or instant messaging just using the dashboard. In addition to controlling content using the default categories, you can setup your own blacklist and whitelist to block or permit access to certain sites.
Obviously, if you want to use these advanced OpenDNS features, you must create a link between your personal OpenDNS account and internet users’ IP addresses. If IP addresses are static, just set them on the Dashboard. Otherwise you can use a DNS updater for dynamic IP addresses to send IP address changes to the OpenDNS database. Zeroshell can perform these tasks and we will see how to set it up below.
One of the best ways to see which Internet services are most used on your LAN is to obtain statistics on domain resolution requests. Obviously, whatever the requested service is (WWW, e-mail, VoIP, etc.), it is hard to access services via the IP address, which is difficult to remember and may even change dynamically, but are almost always accessible via a hostname.
OpenDNS lets you view domain access statistics. Remember that statistics must be activated on the dashboard following OpenDNS registration.
Another helpful although unessential OpenDNS feature is the hostname spelling check. If you enter an inexistent URL, OpenDNS attempts to interpret the user’s request and, when possible, automatically corrects it before responding with its web search page.
With an OpenDNS account you can create shortcuts on the dashboard to assign easy to remember nicknames to long and complex web addresses. You will be automatically redirected to the linked website when you enter the shortcuts in the browser address bar. This feature is not essential but may be a helpful web navigation tool.
In order to take advantage of OpenDNS features, simply add the two DNS (184.108.40.206 and 220.127.116.11) to the settings on each internet user client. Otherwise, you can set up the DHCP server to automatically set them. Another possibility, if you have a DNS server on your LAN, is to have the server work as a DNS cache set to use OpenDNS as Forwarders to resolve any non authoritative domain. This way, when the client response is not in the LAN DNS cache, just forwards the request to the OpenDNS server instead of ROOT DNS. In addition to having local cache, this solution lets you manage advanced OpenDNS features, creating a single account and and only updating the local DNS server IP address in the OpenDNS database.
To set up the Zeroshell DNS server as described to use OpenDNS as forwarders, simply display the [DNS][Forwarders] section and update services with IP 18.104.22.168 and 22.214.171.124 separated by a comma and specifying ANY as the domain. The result is the one illustrated above.
At this point, once two DNS forwarders are set, OpenDNS is already used by LAN clients. However, as already mentioned, to use advanced services such as customized web filters and parent control, Internet access statistics and shortcuts, you must inform OpenDNS of the IP addresses used to send requests. If you have a static IP address, you only have to set it once on the OpenDNS dashboard while you should use a Dynamic DNS Updater for dynamic IP addresses.
Zeroshell has a dynamic DNS client compatible with OpenDNS. To set it, simply select OpenDNS as the domain in the [DNS][Dynamic DNS] section (as illustrated above), enter your OpenDNS account username and password and activate the service.
If you intend to enable web filters to prevent access to certain site categories, you should make sure that the only DNS clients use is the Zeroshell one that uses OpenDNS as a forwarder. This way, users cannot change their client DNS to avoid restrictions. To do this, if Zeroshell is the Internet access default gateway or transparent bridge, block communications to port 53 UDP/TCP in the Firewall.
This block should be set in the FORWARD chain to process router traffic. The Zeroshell DNS server can still contact OpenDNS servers since traffic generated by a local process is not influenced by the FORWARD chain.