Google safesearch

I spoke too soon

I am not sure what is going on, but I am now having issues with Google safe search, Parental Controls (DNS filtering) and devices on my network dropping out.

What I am trying to achieve:
1. Force all devices on my network to use OpenDNS....regardless of their local DNS settings (which I can't always control).
2. Point all devices to google safe search to eliminate image search issue.

Under Firmware 376.49:
1. I simply enabled DNS Filtering under Parental controls and selected OpenDNS as the global filter mode and it worked to deliver goal 1 above. I did not try enabling the google safe search at the time.

Under Firmware 378.5:
1. Following bibloSNB advice, I changed the Parental controls global filter mode to Router, and under WAN settings changed "Connect to DNS Server automatically" to no and then entered the OpenDNS addresses (208.67.222.222 & 208.67.220.220)
2. I also followed RMerlin's Wiki entry on enabling google safe search.

This worked to achieve both my objectives.....for a few days. I then noticed that not all devices were being restricted and it appeared that devices with local DNS servers set were no longer being forced to use OpenDNS (I am 99.9% sure this was working...but doubt does start to creep in.)

Since then things have gone from bad to worse to the point that I could not even get OpenDNS working directly from the router, let alone forcing other network devices to use it.

I have tried many steps to address changing all combinations of DNS and DNS filtering entries; factory reset of router and reload config file (378.5 version....saved after fresh reconfig post upgrade). I even restored 376.49 version, but to no avail. Sometimes router would use OpenDNS, sometimes not (appeared random...could not correlate to change I made). The only way I have now managed to get something working is to set " -LAN - DHCP Server - Forward local domain queries to upstream DNS -" to Yes, and enter OpenDNS server address here. This is in addition to DNS filtering (router) and WAN DNS entries.

This has restored objective 1, but not objective 2. The router resolves DNS for google to safe search properly, but while it does force clients to use OpenDNS it does enforce the DNS masq entries to cover off Google safe search.

This behaviour appeared the same in both FW versions I tried (using config files saved in each FW respectively). I am completely lost with how something that was working can stop, and that I cannot even rollback to previous working state.

I also now have an issue with a Wifi Music player on the network stopping every 10 minutes. Could be unrelated of course but I don't think so.

I would appreciate any advice out there, as I am in troubleshooting darkness and have tried so many things I no longer know which way is up. I am thinking of a factory reset and clean reconfig (not from settings file) but hesitant due to the time this takes....especially if fixes temporarily and then have same degrading performance behaviour.

It would be helpful to understand what the functions of the WAN DNS versus LAN DNS versus Parental Control DNS filtering settings are supposed to be and any order of precedence.....Bueller...anyone....
 

This worked to achieve both my objectives.....for a few days. I then noticed that not all devices were being restricted and it appeared that devices with local DNS servers set were no longer being forced to use OpenDNS (I am 99.9% sure this was working...but doubt does start to creep in.)

To me this sounds as though your router is not updating opendns when its wan ip changes and hence you lose your opendns filtering.

Have you got this set up to happen under ddns?
 
Hmm...good thought, didn't think of that. My DDNS is updated via OpenDNS client on my PC, not via the router (though I have just realized the router is a much better place to do it from). This said, the PC with the updater running is where I do most of my testing from, so while a possibility, not currently convinced.

I am glad to report that I have just done a factory reset (378.5), and reconfigured manually (again....ugh), and glad to say DNS filtering is now working as expected so I feel some progress being made. I am now going to try Google safe search config again.

I would still like to know how the differing DNS entry fields work (LAN / WAN) etc if anyone can point me to documentation ...
 
DNS under wan is the dns the router uses.

DNS under LAN DHCP is the DNS server that gets handed out to DHCP clients. By default it is the router IP, but you can specify a different DNS server, e.g. if you have a separate server on your LAN handling local DNS.

DNS filtering adds firewall rules that force clients to use a specific DNS server. Forcing a client to use DNS servers different to the router completely bypasses the router's internal DNS.

This means if you specifically force the OpenDNS servers under DNS filter to a client, that client will not pick up the googlesafesearch setting, as this is configured on the router's internal DNS.

That's why you set the OpenDNS servers under WAN and set global dnsfilter to the router, to force all users to use the router, which in turn uses OpenDNS whilst handing out the alternative IP for google as specified in the router's internal DNS config (dnsmasq).

I have not tested this bit, but as far as I am aware you can then set different DNS servers for mum/dad under DNS filter, e.g. custom 8.8.8.8, and this will then bypass the global filter you have put in place.
 
Narrowing down the issues

Okay, trying to take the next step to enable Google safe search and this is what I have found. It would appear to me that when changing the DNS filter from "OpenDNS" to "Router", it stops enforcing the DNS setting on the network clients. I have set the WAN DNS to OpenDNS server IPs, and I can confirm this is working via nslookups run on the router itself (return OpenDNS block IP address). However nslookups on network clients are returning site IPs that should be blocked. I have rebooted the router and the clients with the same result.
I also added a custom client DNS filter to point one client back to OpenDNS which then restored the OpenDNS functionality.
 
Looks like you may have found a BUG then.

Try setting the router's LAN IP, e.g. 192.168.1.1, as custom 1 and set that as the global filter.

Edit: I have been able to duplicate this behaviour so it is confirmed, and using my suggestion, i.e. custom entry of the router's IP as global filter, DOES work.
 
Looks like you may have found a BUG then.

Try setting the router's LAN IP, e.g. 192.168.1.1, as custom 1 and set that as the global filter.

Edit: I have been able to duplicate this behaviour so it is confirmed, and using my suggestion, i.e. custom entry of the router's IP as global filter, DOES work.

Yup, that works now. And hopefully will stay working!

I do suspect that there may be another bug associated with changing settings and then re-saving a backup config file which is somehow causing corruption or abnormal state in the nvram or configuration file itself. I definitely got to a point where DNS filtering was not working at all which needed a factory reset to address. That said, I would expect something like that to be almost impossible to confirm / track down. The important thing is all is working now, and that through your support, Merlin's firmware (and OpenDNS) I have found what I believe to be the best possible solution to protecting my family, in a way that my tech-savvy teenagers will struggle to bypass.

Many Thanks.....
 
Please note google have made this slightly easier to do now if all you want to do is enforce safesearch rather than re-write the search url and it can be done without the need for a proxy as per the wiki article:

https://github.com/RMerl/asuswrt-merlin/wiki/Enforce-Safesearch

cheers.

Nice Tuto!

I did:

cat /jffs/configs/dnsmasq.conf.add

no-resolv
strict-order
address=/www.google.com/216.239.38.120
address=/www.google.fr/216.239.38.120
address=/google.com/216.239.38.120
address=/google.fr/216.239.38.120
address=/explicit.bing.net/216.239.38.120
address=/www.bing.com/216.239.38.120
address=/search.yahoo.com/216.239.38.120
address=/fr.search.yahoo.com/216.239.38.120
server=199.85.126.30
server=199.85.127.30


Do you know how to force anybody to use my dns 199.85.126.30 and 199.85.127.30?
Is there an iptables recipe?

Waiting for an answer, I do the following with the GUI : see enclosed file
 

Attachment: Sélection_025.jpg
If they're getting a DHCP address from your LAN you could enter the values under the DHCP server tab on the LAN page. Other option is to enter it on the WAN-> Internet Connection tab assuming you want the router to also use your DNS servers.
 
Hi zirescu, does your solution prevent PCs of my lan from changing manually their dns IP? like

cat /etc/resolv.conf
nameserver 8.8.8.8
 
Do you know how to force anybody to use my dns 199.85.126.30 and 199.85.127.30?
Is there an iptables recipe?
You need to use Parental control > DNS filtering and set Global Filter Mode = Router.

This will create the correct iptables rules.
 
You need to use Parental control > DNS filtering and set Global Filter Mode = Router.

This will create the correct iptables rules.

Yes but this disables the google safe search enforcement, I have achieved by using the following lines:

cat /jffs/configs/dnsmasq.conf.add

no-resolv
strict-order
address=/www.google.com/216.239.38.120
address=/www.google.fr/216.239.38.120
address=/google.com/216.239.38.120
address=/google.fr/216.239.38.120
address=/explicit.bing.net/216.239.38.120
address=/www.bing.com/216.239.38.120
address=/search.yahoo.com/216.239.38.120
address=/fr.search.yahoo.com/216.239.38.120
# Norton safe DNS
server=199.85.126.30
server=199.85.127.30
 
Yes but this disables the google safe search enforcement, I have achieved by using the following lines:
Really? I wouldn't have thought so. Remember that you are forcing the clients to use the router's DNS server (dnsmasq), which has your modifications. You are not forcing them to go to 199.85.126.30/199.85.127.30 directly.

Global Filter Mode = Router
 
Really? I wouldn't have thought so. Remember that you are forcing the clients to use the router's DNS server (dnsmasq), which has your modifications. You are not forcing them to go to 199.85.126.30/199.85.127.30 directly.

Global Filter Mode = Router

Look I have enabled dns filtering:

Sélection_026.jpg


But look google safe searching is disabled: the answer should be 216.239.38.120

Code:
parent@duveau-MS-7751:~$ dig @8.8.8.8 www.google.com

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38760
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        282    IN    A    77.154.227.214
www.google.com.        282    IN    A    77.154.227.218
www.google.com.        282    IN    A    77.154.227.217
www.google.com.        282    IN    A    77.154.227.212
www.google.com.        282    IN    A    77.154.227.216
www.google.com.        282    IN    A    77.154.227.213
www.google.com.        282    IN    A    77.154.227.219
www.google.com.        282    IN    A    77.154.227.215

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 12 22:59:43 CEST 2016
;; MSG SIZE  rcvd: 171

parent@duveau-MS-7751:~$




Now I disable DNS filtering with the GUI:

Sélection_027.jpg


safe searching is enabled again:
Code:
parent@duveau-MS-7751:~$ dig  www.google.com

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23447
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        0    IN    A   216.239.38.120

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Apr 12 22:57:26 CEST 2016
;; MSG SIZE  rcvd: 48

parent@duveau-MS-7751:~$

But it can easily be got around using a local dns like:


Code:
cat /etc/resolv.conf
nameserver 8.8.8.8


Code:
parent@duveau-MS-7751:~$ dig @8.8.8.8 www.google.com

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38760
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        282    IN    A    77.154.227.214
www.google.com.        282    IN    A    77.154.227.218
www.google.com.        282    IN    A    77.154.227.217
www.google.com.        282    IN    A    77.154.227.212
www.google.com.        282    IN    A    77.154.227.216
www.google.com.        282    IN    A    77.154.227.213
www.google.com.        282    IN    A    77.154.227.219
www.google.com.        282    IN    A    77.154.227.215

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 12 22:59:43 CEST 2016
;; MSG SIZE  rcvd: 171
 
You haven't done what I said.

Set the Global Filter Mode to "Router".

"No Filtering" will disable/bypass the filter, and "Router" will force clients to use the DNS provided by the router's DHCP server (or, the router itself if it's not defined).
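
An added example, not part of the thread or of the firmware: a small shell check that reads dig output like the listings posted above and reports whether the safe-search override reached the client. The script name `check.sh`, the function names and the verdict labels are assumptions made for illustration; the two samples are trimmed from the outputs posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): judge DNS enforcement from dig output.
# With a working redirect, dig still prints "SERVER: 8.8.8.8" because the
# router rewrites the packets transparently, so the ANSWER section is the
# evidence, not the SERVER line.
SAFE_IP="216.239.38.120"   # override address from the thread's dnsmasq.conf.add

# Print the A-record addresses found in the ANSWER SECTION of dig output (stdin).
answer_ips() {
    awk '/^;; ANSWER SECTION:/  { in_answer = 1; next }
         NF == 0                { in_answer = 0 }
         in_answer && $4 == "A" { print $5 }'
}

# ENFORCED: every answer is SAFE_IP. BYPASSED: any other address. NOANSWER: none.
verdict() {
    ips=$(answer_ips)
    [ -n "$ips" ] || { echo NOANSWER; return 0; }
    for ip in $ips; do
        [ "$ip" = "$SAFE_IP" ] || { echo BYPASSED; return 0; }
    done
    echo ENFORCED
}

# Samples trimmed from the two dig outputs posted in the thread.
sample_external() {
    cat <<'EOF'
;; ANSWER SECTION:
www.google.com.        282    IN    A    77.154.227.214
www.google.com.        282    IN    A    77.154.227.218

;; SERVER: 8.8.8.8#53(8.8.8.8)
EOF
}
sample_router() {
    cat <<'EOF'
;; ANSWER SECTION:
www.google.com.        0    IN    A   216.239.38.120

;; SERVER: 127.0.1.1#53(127.0.1.1)
EOF
}

# Live use from a LAN client: ./check.sh --live [name]
if [ "${1:-}" = "--live" ]; then
    name="${2:-www.google.com}"
    echo "default resolver: $(dig "$name" A | verdict)"
    echo "forced @8.8.8.8:  $(dig @8.8.8.8 "$name" A | verdict)"
fi
```

Both lines printed by `--live` should read ENFORCED when the filter is redirecting client queries to the router; a BYPASSED result on the second line means a client-side resolver setting still reaches the outside server.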
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top