Internet monitor/filter solution for home network

3

3

I am looking for a simple and cheap way to monitor/filter internet usage on my home network. The solution should not be machine or OS specific, and it needs to be somewhat difficult to circumvent. I'd like for it to filter for all devices on the network. I would like to use OpenDNS on the router for this, but I'm not sure how to make it hard to bypass. Is there a way that I can set up OpenDNS in the router DNS settings and force all of the machines on the network to use those settings? I don't want a solution where you can just change the DNS settings on the machine or just boot to something like an Ubuntu Live CD to get around it. Any suggestions?

user4110

Posted 2009-09-17T22:24:50.180

Reputation:

Answers

2

You should be able to easily go into your router settings and set it up so that OpenDNS is the default DNS server and all machines which connect through your router will get that by default. I say by default, as a different DNS can easily be set on each machine individually.

Just remember to often check your IP address to see if it changed or not, and if it has, to log into OpenDNS and update your mapping. Most broadband ISPs will continue to serve the same IP address for a very long time, but any outage can easily cause the IP address to change and this just might cause your OpenDNS filters to fail.

The other methods of restricting traffic (proxy servers, for instance) would require additional hardware and management and I personally wouldn't recommend them for home use. There is a way around just about every system, so in the end it's going to come down to your home network policy. Place the roadblocks to stop the "accidental" stumbling, and then make sure that all users know the risk of "going around" them. In my household it's a MAC address block on that machine which disables the network (this works well for the gaming consoles too).

skamradt

Posted 2009-09-17T22:24:50.180

Reputation: 371

1 – I think they now offer solutions that keep your IP address updated using dynamic DNS services – Col – 2009-09-18T08:17:31.893

1

If you have a spare computer, you may use it as a hardware firewall/router/VPN gateway.

SmoothWall Express and Vyatta Community Edition are free and powerful solutions, far beyond a simple NAT router.

Tutorial (based on SmoothWall)

Molly7244

Posted 2009-09-17T22:24:50.180

Reputation:

1

I've had great success at home with an old box, 2 NICs and the free version of Untangle. Untangle is the "appliance" and helps manage and report on just about everything I need to worry about with 3 kids from 9 - 17.

I have it configured to use OpenDNS and, in an admittedly belt and suspenders fashion, also use OpenDNS for filtering as well.

Chris_K

Posted 2009-09-17T22:24:50.180

Reputation: 7 943

0

Is there a way that I can set up OpenDNS in the router DNS settings and force all of the machines on the network to use those settings?

Yes, after signing up for an account at OpenDNS,

  • set up your router to use the OpenDNS servers: 208.67.222.222, 208.67.220.220
  • set the DNS servers on each PC to be your router's internal LAN IP address. Usually that's something like 192.168.1.1. This means they will use the DNS servers on your router.
  • disable outbound UDP 53 traffic for your internal LAN. Users who change their DNS settings (e.g., to ISP's, 8.8.8.8, etc.) will not be able to resolve addresses, and will be forced to go through the OpenDNS filtering.

I've done this with a router using DD-WRT and this writer did it using a different router, but other routers should be able to accomplish it. Make liberal use of ipconfig /flushdns when setting up.

Consider restricting physical access to the DSL/cable modem, as a user could just jack into it directly and circumvent this setup.

Some note that a user could still access forbidden sites using a direct IP address. Virtual hosting which requires host headers makes this impossible for some sites. For the remainder, the main content may not be blocked, but there are often references to external content (ads, CDNs) which use FQDNs instead of relative links. Not only will they be blocked, but they will be shown as accessed content. How you deal with the transgressor is at your discretion.

Though these measures are just deterrence, they serve their purpose well. My locked and bolted house door is no match for a determined demolitions expert, and yet...I think I'll still lock it at night.

hyperslug

Posted 2009-09-17T22:24:50.180

Reputation: 12 882
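
The third step of the answer above (blocking outbound DNS from the LAN), written as a firewall script for a Linux-based router such as DD-WRT. This is an added example, not part of the original answer. It assumes the LAN bridge is `br0`, and it goes one step further than the answer by also dropping TCP 53, which DNS can fall back to; the names `dns_lockdown`, `LAN_IF` and `IPT` are made up for this sketch.

```shell
#!/bin/sh
# Added example: block LAN clients from reaching any DNS server except the router.
#
# Assumptions (not from the original answer):
#   - LAN_IF is the router's LAN-side interface (br0 is assumed here).
#   - The router's own resolver forwards to OpenDNS (208.67.222.222 / 208.67.220.220).
#
# Why FORWARD: queries from clients to the router itself arrive on INPUT, and the
# router's own upstream queries leave via OUTPUT, so neither is affected. Only
# packets routed *through* the box to some other resolver (ISP, 8.8.8.8, ...) are
# dropped. Encrypted DNS (DoT on 853, DoH on 443) is outside what this rule covers.

LAN_IF="${LAN_IF:-br0}"
# Dry run by default: commands are printed, not executed.
# On the router, set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

dns_lockdown() {
    lan_if="$1"
    for proto in udp tcp; do
        spec="FORWARD -i $lan_if -p $proto --dport 53 -j DROP"
        # Remove any earlier copy first so re-running the script (for example on
        # every firewall restart) does not stack duplicate rules.
        # $IPT and $spec are left unquoted on purpose so they split into words.
        $IPT -D $spec 2>/dev/null || true
        # Insert at the top of the chain, ahead of any generic "allow LAN" rule.
        $IPT -I $spec || return 1
    done
}

dns_lockdown "$LAN_IF"
```

After applying it, a query from a LAN client to an outside resolver, for example `nslookup example.com 8.8.8.8`, should time out, while a query to the router's LAN address (192.168.1.1 in the answer) should still resolve.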