I recently read a blog post on the How-To Geek about setting up OpenDNS and the options it gives you to secure your internet browsing. I have found I love the OpenDNS service and the filtering control it gives me. But I tend to try and fight the system. Rather, I try to figure out ways to bypass the filtering service. This way I can find out ways that others would be able to get around services I set up.
Well, OpenDNS is fairly straightforward. You add their DNS server IPs to the static DNS entries in your router, and any computer behind that router will automatically use those DNS servers. So what if you were to change the DNS servers on your local machine? It would bypass your router for those queries and in turn bypass OpenDNS. This doesn’t cut it for me. It is way too easy to change that, and enough people know how to change their IP settings that this is too insecure for me. So I did some research online and found an easy way to close that hole: block port 53 on your router. Some routers may not have this functionality by default, so I highly recommend checking whether your router is supported by DD-WRT. They support quite a few routers, and I personally love their firmware.
Since I am running DD-WRT, that is what this guide will be based on, but it should apply to any Linux-based router that lets you run your own commands.
Once you log in to your router, go to Administration -> Commands.
From here you just need to paste this in:
[code]iptables -I FORWARD 1 -p tcp --dport 53 -j DROP; iptables -I FORWARD 2 -p udp --dport 53 -j DROP[/code]
Then, at the bottom, hit the Run Command button. This should block any attempt by a computer behind the router to reach another server to resolve names.
This should apply to any router that uses iptables and allows you to run your own commands. It can also be done over ssh/telnet if your router supports it.
I use OpenDNS to block my kids’ PCs from bad sites (they hate me), but now I can’t go anywhere on my own PC.
I don’t use the DNS daemon onboard the DD-WRT; my DD-WRT router hands out IP addresses and the OpenDNS servers via DHCP. A static DNS entry can defeat my filters.
I would like to hijack/redirect/forward port 53 traffic to the OpenDNS servers (188.8.131.52 & 184.108.40.206), unless it is coming from my PC (192.168.1.100); then I want it forwarded to my ISP’s DNS (unfiltered).
I would also like to block outbound WAN traffic on any port other than 80 and 443, because one day they will figure out how to proxy or VPN out.
Can anyone help me compose the iptables rules?
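As an added example (not from the original post or from any commenter), the script below extends the article’s rule and covers the exemption asked for above: rather than dropping every forwarded port-53 packet, which also breaks clients whose DHCP lease names OpenDNS directly, it accepts DNS to the permitted resolvers, rewrites every other LAN query to them with DNAT, and drops the rest. It assumes the LAN bridge is br0, the LAN is 192.168.1.0/24, the permitted resolvers are OpenDNS’s anycast addresses 208.67.222.222 and 208.67.220.220 (verify against OpenDNS’s own documentation), and an EXEMPT_HOSTS list of LAN addresses that may keep using their own resolver.

```shell
#!/bin/sh
# Added example, not from the original post or its comments. Instead of
# dropping every forwarded port-53 packet (which also breaks clients whose
# DHCP lease names OpenDNS directly), this accepts DNS to the permitted
# resolvers, rewrites every other LAN query to them, and drops the rest.
# Assumptions: LAN bridge br0, LAN subnet 192.168.1.0/24, and OpenDNS's
# anycast resolvers 208.67.222.222 / 208.67.220.220 (verify against OpenDNS).
# EXEMPT_HOSTS lists LAN addresses that may keep using their own resolver.
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DNS_SERVERS="${DNS_SERVERS:-208.67.222.222 208.67.220.220}"
PRIMARY_DNS="${DNS_SERVERS%% *}"        # first resolver is the DNAT target
EXEMPT_HOSTS="${EXEMPT_HOSTS:-}"

# DRY_RUN=1 (default) prints the rules instead of loading them; on the
# router run with DRY_RUN=0, or save it as a DD-WRT firewall script.
DRY_RUN="${DRY_RUN:-1}"
if [ "$DRY_RUN" = "1" ]; then IPTABLES=echo; else IPTABLES=iptables; fi

force_dns() {
    # DNS is normally UDP but falls back to TCP for large answers, so every
    # rule is issued for both transports.
    for proto in udp tcp; do
        # Exempt hosts skip the NAT rewrite and are allowed through as-is.
        for host in $EXEMPT_HOSTS; do
            $IPTABLES -t nat -I PREROUTING -i "$LAN_IF" -s "$host" -p "$proto" --dport 53 -j ACCEPT
            $IPTABLES -I FORWARD -i "$LAN_IF" -s "$host" -p "$proto" --dport 53 -j ACCEPT
        done
        # Queries already aimed at a permitted resolver pass unchanged.
        for dns in $DNS_SERVERS; do
            $IPTABLES -I FORWARD -i "$LAN_IF" -d "$dns" -p "$proto" --dport 53 -j ACCEPT
        done
        # Any other LAN query is rewritten to the primary resolver (nat runs
        # before the FORWARD filter, so the ACCEPT above then matches it)...
        $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport 53 -j DNAT --to-destination "$PRIMARY_DNS"
        # ...and anything still headed elsewhere on port 53 is dropped.
        $IPTABLES -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j DROP
    done
}
# The router's own dnsmasq queries leave via OUTPUT, not FORWARD, so they are
# unaffected. Only classic port-53 DNS is covered; DNS over TLS (853) or
# HTTPS (443) needs its own policy.

force_dns
```

Run it once with the default DRY_RUN=1 to review the generated rules (for example with EXEMPT_HOSTS=192.168.1.100 for the PC that should keep the ISP’s DNS) before loading them on the router.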
Thank you, I was looking for something like this with easy-to-follow instructions because I’m not an experienced user.
Very good article.
Did anyone ever find a way to do this? Is there an iptables script/rule that would direct certain clients (mine and my wife’s) to my ISP’s standard DNS and let all others go to the OpenDNS DNS? Or frankly, the other way around would work as well . . . and would actually be better . . . let everyone else use the ISP’s DNS and point two clients (my 2 kids’ clients) to the OpenDNS DNS. THANKS!