I recently read a blog post on How-To Geek about setting up OpenDNS and the options it gives you to secure your internet browsing. I have found that I love the OpenDNS service and the filtering control it gives me. But I tend to try to fight the system; that is, I try to figure out ways to bypass the filtering service, so I can find out how others would get around the services I set up.
Well, OpenDNS is fairly straightforward. You add their DNS server IPs as the static DNS servers in your router, and any computer behind that router will automatically use those DNS servers. So what if you were to change the DNS servers on your local machine? That would bypass your router for those queries and in turn bypass OpenDNS. This doesn't cut it for me. It is way too easy to change, and enough people know how to change their IP settings that this is too insecure for me. So I did some research online and found an easy way to close that hole: block port 53 on your router. Some routers may not have this functionality by default, so I can highly recommend checking whether your router is supported by DD-WRT. They support quite a few routers, and I personally love their firmware.
Since I am running DD-WRT, that is what this guide will be based on, but it should apply to any Linux-based router that lets you run your own commands.
Once you log in to your router, go to Administration -> Commands.
From here you just need to paste this in:
[code]iptables -I FORWARD 1 -p tcp --dport 53 -j DROP; iptables -I FORWARD 2 -p udp --dport 53 -j DROP[/code]
Then, at the bottom, hit the Run Commands button. This blocks any attempt by a machine on the LAN to send DNS queries (TCP or UDP port 53) through the router to a server other than the router itself. Two caveats: the rules sit in the FORWARD chain, so they rely on the clients using the router's own resolver, which is the DD-WRT default (DHCP hands out the router address as the DNS server and dnsmasq forwards to OpenDNS). If you instead hand the OpenDNS addresses straight to the clients, their queries are forwarded too and will be dropped. Also, commands entered with Run Commands do not survive a reboot; use Save Firewall instead, so DD-WRT reapplies them every time the firewall starts.
This should apply to any router that uses iptables and lets you run your own commands. It can also be done over ssh/telnet if your router supports that.
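The one-liner above drops every forwarded DNS packet. The following is a more selective version, added here as an example and not taken from the original post or from DD-WRT: it lets forwarded DNS through only to the resolvers you chose (a client that points itself straight at OpenDNS is still filtered, so there is no reason to drop it) and logs everything else before dropping it, so the router's syslog shows which machine is trying to bypass the filter. The resolver addresses (documentation-range placeholders), the chain name `dns_enforce`, and the `APPLY` switch are assumptions for the example; set `ALLOWED_RESOLVERS` to the addresses you configured as Static DNS. With `APPLY` unset it only prints the iptables commands, which lets you review them on a desktop before pasting the script into Save Firewall.

```shell
#!/bin/sh
# Added example, not the original post's rule set.
# Forwarded DNS (TCP/UDP 53) is allowed only to ALLOWED_RESOLVERS; anything else is
# logged (rate-limited) and dropped. Queries from LAN clients to the router's own
# dnsmasq arrive on INPUT, not FORWARD, so they are unaffected.
# Assumptions: ALLOWED_RESOLVERS holds the same addresses you set as Static DNS in
# DD-WRT (the values below are documentation-range placeholders); iptables is only
# executed when APPLY=1, otherwise the commands are printed for review.

ALLOWED_RESOLVERS="${ALLOWED_RESOLVERS:-203.0.113.1 203.0.113.2}"   # placeholders
CHAIN=dns_enforce

# rule ARGS...: print the iptables command; run it as well when APPLY=1.
rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    fi
}

# build_rules: emit the whole rule set. A dedicated chain that is flushed and
# re-hooked on every run keeps the script idempotent, so it is safe to run from
# Save Firewall each time the firewall restarts.
build_rules() {
    rule -N "$CHAIN" 2>/dev/null || true   # already exists on a re-run
    rule -F "$CHAIN"
    for r in $ALLOWED_RESOLVERS; do
        rule -A "$CHAIN" -d "$r" -p udp --dport 53 -j RETURN
        rule -A "$CHAIN" -d "$r" -p tcp --dport 53 -j RETURN
    done
    # Log bypass attempts (a few lines per minute are enough to identify the host)...
    rule -A "$CHAIN" -p udp --dport 53 -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS: "
    rule -A "$CHAIN" -p tcp --dport 53 -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS: "
    # ...then drop them.
    rule -A "$CHAIN" -p udp --dport 53 -j DROP
    rule -A "$CHAIN" -p tcp --dport 53 -j DROP
    # Remove any hook left by a previous run, then insert the chain at the top of FORWARD.
    rule -D FORWARD -j "$CHAIN" 2>/dev/null || true
    rule -I FORWARD 1 -j "$CHAIN"
}

# "print" shows the commands; "apply" runs them. With no argument nothing happens,
# so the file can also be sourced for its functions.
case "${1:-}" in
    print) build_rules ;;
    apply) APPLY=1 build_rules ;;
esac
```

Run `sh dns_enforce.sh print` to see the rule list, and paste the script (with `apply` as the final case you want) into Save Firewall on the router. Bypass attempts then appear in the router log with the `DNS-BYPASS:` prefix, which is the detection half of the control: you learn who is trying as well as stopping them.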
I recently read a blog post on How-To Geek about setting up OpenDNS and the options it gives you to secure your internet browsing. They have quite a few filtering options, including phishing sites and adult-related sites plus about 50 other categories, along with redundant resolvers. I decided to try it and set it up on my home network. The problem is that if your internet provider gives you a dynamic IP (the address changes occasionally; if you aren't sure what you have, you probably have a dynamic address), you need to keep OpenDNS updated with your current IP. They have a lot of clients out there to do it, but as far as I could find there were no Linux clients. So I created a short Linux script to do just that.
[code]
#!/bin/bash
# Copyright (C) 2006 Jeremy Brent Hansen
# These are for your OpenDNS username and password. At this time, I do
# not know how to hide this info, so you will need to make sure you have the
# correct file permissions (placeholders below; chmod 600 this file).
username="YOUR_OPENDNS_USERNAME"
passwd="YOUR_OPENDNS_PASSWORD"
# This is where the log file will be stored. Currently it only logs the current IP
# and the response back from OpenDNS. The log will keep one backup. I
# just used a folder in my home directory (make sure the folder exists).
log_dir="$HOME/opendns"
# Rotates the log file. Keeps one backup.
mv "$log_dir/log" "$log_dir/log.1"
while [ 1 ]
do
    date >> "$log_dir/log"
    # -k skips TLS certificate verification; drop it if your curl trusts the OpenDNS certificate.
    /usr/bin/curl -i -m 60 -k -u "$username:$passwd" 'https://updates.opendns.com/account/ddns.php?' --silent >> "$log_dir/log"
    echo -e "\n" >> "$log_dir/log"
    # Resends the info after 5 minutes. Eventually I plan on changing it,
    # so it only updates when your IP changes.
    sleep 300
done
[/code]
So, there you have it. No root permissions are required, so I just have it in my .profile for my normal user. Just run it with an & at the end so it runs in the background.
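Two things a practitioner would change in the script above: it pushes an update every five minutes whether or not anything changed, and it keeps the password in the script body where anyone who can read the file (or the process list, since it is passed to curl on the command line) gets it. The following added example, my code rather than the original post's, only contacts OpenDNS when the public address differs from the last one it successfully pushed, and reads the credentials with curl's `--netrc-file` from a separate file that you `chmod 600`. Assumptions, not taken from the page: the netrc file path and state directory, the `dig` lookup of `myip.opendns.com` against OpenDNS's resolver to learn the current address, and the DynDNS-style reply words (`good`, `nochg`, `badauth`, ...) that the OpenDNS update endpoint returns.

```shell
#!/bin/sh
# Added example, not the original post's script: push an OpenDNS dynamic-IP update
# only when the public address changes, with the credentials kept out of the script.
# Assumptions (placeholders, adjust to taste):
#   CRED_FILE  - netrc-format file, chmod 600, containing one line:
#                machine updates.opendns.com login YOUR_USER password YOUR_PASS
#   current_ip - uses dig against OpenDNS's own resolver to learn the public address
#   replies    - DynDNS-style words ("good", "nochg", "badauth", ...) from ddns.php

CRED_FILE="${CRED_FILE:-$HOME/.opendns-netrc}"
STATE_DIR="${STATE_DIR:-$HOME/.opendns}"
LAST_IP_FILE="$STATE_DIR/last_ip"
LOG_FILE="$STATE_DIR/log"
INTERVAL="${INTERVAL:-300}"
UPDATE_URL="https://updates.opendns.com/account/ddns.php"

# is_ipv4 ADDR: true only for a dotted quad with every octet <= 255, so a failed
# or garbled lookup is never sent upstream as the "new" address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ip_changed ADDR FILE: true when ADDR differs from the address recorded in FILE
# (or when nothing has been recorded yet).
ip_changed() {
    [ -f "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# classify_response TEXT: map the server's reply to ok | unchanged | fatal | retry.
# fatal covers replies that will not improve by retrying (bad password, abuse lock).
classify_response() {
    case "$1" in
        good*)                    echo ok ;;
        nochg*)                   echo unchanged ;;
        badauth*|nohost*|abuse*)  echo fatal ;;
        *)                        echo retry ;;
    esac
}

current_ip() {
    # Assumption: dig is installed; OpenDNS answers this name with the querying address.
    dig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null
}

push_update() {
    # --netrc-file reads the password from CRED_FILE instead of the command line,
    # so it does not show up in ps output or shell history.
    curl --silent -m 60 --netrc-file "$CRED_FILE" "$UPDATE_URL"
}

main_loop() {
    mkdir -p "$STATE_DIR"
    while :; do
        ip=$(current_ip)
        if is_ipv4 "$ip" && ip_changed "$ip" "$LAST_IP_FILE"; then
            reply=$(push_update)
            echo "$(date) ip=$ip reply=$reply" >> "$LOG_FILE"
            case "$(classify_response "$reply")" in
                ok|unchanged) echo "$ip" > "$LAST_IP_FILE" ;;
                fatal) echo "OpenDNS refused the update ($reply); not retrying" >&2; return 1 ;;
                retry) ;;   # transient failure; try again next interval
            esac
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when asked, so the file can also be sourced for its helpers.
case "${1:-}" in
    run) main_loop ;;
esac
```

Start it once, for example with `nohup sh opendns-update.sh run &` from cron's `@reboot` entry, rather than from `.profile`, which would launch another copy at every login. A `fatal` reply stops the loop on purpose: hammering the endpoint with a wrong password every five minutes is exactly what the `abuse` reply is there to punish.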