DNS Filter

[stephan04]

Hi all, will the DNS filter if turned on ie create actual firewall rules to prevent bypassing it , ie in case a smart teenager tries to manually change his dns on his pc? And will this force guest networks to use this dns filter ie opendns family shield. Thanks

 

[dave14305]

DNSFilter does indeed add firewall rules to reroute all DNS traffic (port 53 tcp or udp) to your desired service. Can’t answer definitively about guest networks since I don’t have any configured. My DNSFilter firewall rules will take traffic from my primary 192.168.1.0/24 subnet. Not sure if guest networks have a different subnet.

 

[martinr]

Hi all, will the DNS filter if turned on ie create actual firewall rules to prevent bypassing it , ie in case a smart teenager tries to manually change his dns on his pc? And will this force guest networks to use this dns filter ie opendns family shield. Thanks

Yes, works for guest network.

Are you happy you have DNS Filter set up properly?

And you have Intranet Access turned off for guest networks of course.

There’s probably a way for you to test that you are protected by Opendns Family Shield; you could then jump onto the guest network and reassure yourself not only that DNS Filter is working but also that no amount of fiddling with device DNS settings can defeat it.

 

[Zonkd]

Yes. To block the kids:
Go to LAN / DNS Filter
Enable DNS base filter: ON
Global Filter Mode: Router

Go to WAN / WAN DNS SETTING
Connect to DNS server automatically: no
Specify the dns servers manually: 208.67.222.123 and 208.67.220.123 for OpenDNS Family

This will force all clients to use OpenDNS. The only way from kids to get around it would be VPN or encrypting their dns (probably easy for them to do on their phones if they discover the new cloudflare 1.1.1.1 app).

For this reason it’s also worth considering installing a blocklist of unsafe and rude domains directly on the router. A script called Diversion created by @thelonelycoder can do this. You would need to enable JFFS, get a little USB flash drive and connect via ssh to install and manage it. There are free public blocklists you can get Diversion to automatically download. This should prevent those sites from loading even with encrypted DNS. Then the only other way for them to get access would be VPN (which you could block the common protocols by their port). You can also block any VPN website using a opendns home account configured correctly, but that requires ddns to keep opendns synced with your current WAN IP.)

Edit: yes I’m also doing this myself!

Edit2: read here how to test if opendns is working https://support.opendns.com/hc/en-u...to-Test-for-Successful-OpenDNS-Configuration-