I've written about content filtering recently. To rehash: There is no technology silver bullet to filter out all the bad while leaving the good. There is no substitute for parental presence and conversations with your kids. But that doesn't mean we can't use technology to try to prevent accidents. My previous article discussed using some DNS tricks to filter results in Google, YouTube, and Bing. But there are other options that we can use in addition for better defense-in-depth.
OpenDNS provides a free Family Shield service. And they provide setup instructions for a variety of devices. This service provides a number of nice benefits:

* It's free
* Blocks known malicious and phishing sites
* It's free
* Filters out known adult content domains
* Did I mention it's free?

The only downside I've seen with this service is that OpenDNS used to not return `NXDOMAIN` messages when a domain didn't exist. Instead, they redirected you to their server, which presents a search page and advertising. This breaks some apps and scripts when domains are typo-ed because they appear to succeed. OpenDNS has stopped this practice recently (my observation, I didn't see any announcements about it). I've left the config in to tell `dnsmasq` to turn any references to that OpenDNS IP into NXDOMAIN responses.

Here's a shell snippet to update your `dnsmasq` config for OpenDNS. The first command creates `/etc/resolv.conf.opendns` to point at the family shield servers. The remaining commands tell `dnsmasq` to point to those DNS servers and to ignore OpenDNS's NXDOMAIN page. When we replace the `resolvfile` option, we tell dnsmasq to ignore what DHCP on the WAN interface provides (usually your ISP's DNS server). And `uci commit` saves the settings back to disk.

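```shell
# Upstream resolvers for dnsmasq: the Family Shield servers
cat > /etc/resolv.conf.opendns <<EOF
nameserver 18.104.22.168
nameserver 22.214.171.124
EOF
# Use this file instead of the resolv file generated from WAN DHCP
uci set "dhcp.@dnsmasq[0].resolvfile=/etc/resolv.conf.opendns"
# Turn answers containing the OpenDNS search-page IP into NXDOMAIN
uci set "dhcp.@dnsmasq[0].bogusnxdomain=126.96.36.199"
# Save the settings back to disk
uci commit
```
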
Restart `dnsmasq` for this setting change to apply:

```shell
/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq start
```
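
Because the filter only holds while `dnsmasq` keeps forwarding to the intended servers, it is worth checking the saved configuration after a firmware upgrade or config reset. The script below is an added example, not part of the original post: it audits a saved `uci show dhcp` dump and the resolv file it names. The function names, the `ROOT` prefix argument and the extra resolver `192.0.2.53` (a documentation address) are assumptions made for illustration, and the sample data is constructed from the values used above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved `uci show dhcp` dump
# and the resolv file it names, so DNS cannot quietly bypass the filter.

# Value of dhcp.@dnsmasq[0].<option> ($1) in the uci dump file ($2).
uci_value() {
    sed -n "s/^dhcp\.@dnsmasq\[0\]\.$1=//p" "$2" | tr -d "'" | head -n 1
}

finding() { echo "$1"; problems=$((problems + 1)); }

# audit_dns DUMP EXPECTED_RESOLVFILE ROOT ALLOWED_IP...
# ROOT is prefixed to the resolv file path (pass '' on a live router).
# Prints one line per finding; returns 0 only when there are none.
audit_dns() {
    dump=$1; want=$2; root=$3; shift 3
    problems=0; seen=0
    rf=$(uci_value resolvfile "$dump")
    if [ "$rf" != "$want" ]; then
        finding "resolvfile is '${rf:-unset}', expected '$want'"
    fi
    if [ -z "$(uci_value bogusnxdomain "$dump")" ]; then
        finding "bogusnxdomain is not set"
    fi
    # Every upstream in the resolv file must be on the allow-list.
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$root$want" 2>/dev/null); do
        seen=$((seen + 1)); ok=0
        for allowed in "$@"; do
            if [ "$ns" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then finding "unexpected upstream resolver: $ns"; fi
    done
    if [ "$seen" -eq 0 ]; then
        finding "no nameserver entries readable in $root$want"
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: the dump and resolv file the post's commands produce,
# with any extra arguments appended as additional (unwanted) nameservers.
make_sample() {
    dir=$1; shift
    mkdir -p "$dir/etc"
    printf '%s\n' "dhcp.@dnsmasq[0].resolvfile='/etc/resolv.conf.opendns'" \
        "dhcp.@dnsmasq[0].bogusnxdomain='126.96.36.199'" > "$dir/dump"
    printf 'nameserver %s\n' 18.104.22.168 22.214.171.124 "$@" \
        > "$dir/etc/resolv.conf.opendns"
}
```

On the router itself, save the dump with `uci show dhcp > /tmp/dhcp.dump` and call `audit_dns /tmp/dhcp.dump /etc/resolv.conf.opendns '' ` followed by the resolver addresses you expect.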