Content Filtering - OpenDNS Family Shield on OpenWRT

I've written about content filtering recently. To rehash: There is no technology silver bullet to filter out all the bad while leaving the good. There is no substitute for parental presence and conversations with your kids. But that doesn't mean we can't use technology to try to prevent accidents. My previous article discussed using some DNS tricks to filter results in Google, YouTube, and Bing. But there are other options that we can use in addition for better defense-in-depth.

OpenDNS provides a free Family Shield service. And they provide setup instructions for a variety of devices. This service provides a number of nice benefits:

* It's free
* Blocks known malicious and phishing sites
* It's free
* Filters out known adult content domains
* Did I mention it's free?

The only downside I've seen with this service is that OpenDNS used to not return NXDOMAIN messages when a domain didn't exist. Instead, they redirected you to their server which presents a search page and advertising. This breaks some apps and scripts when domains are typo-ed because they appear to succeed. OpenDNS has stopped this practice recently (my observation, I didn't see any announcements about it). I've left the config in to tell dnsmasq to turn any references to that OpenDNS IP into NXDOMAIN responses.

Here's a shell snippet to update your dnsmasq config for OpenDNS. The first command creates /etc/resolv.conf.opendns to point at the family shield servers. The remaining commands tell dnsmasq to point to those DNS servers and to ignore OpenDNS's NXDOMAIN page. When we replace the resolvfile option, we tell dnsmasq to ignore what DHCP on the WAN interface provides (usually your ISP's DNS server). And uci commit saves the settings back to disk.

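cat > /etc/resolv.conf.opendns <<EOF
nameserver 208.67.222.123
nameserver 208.67.220.123
EOF
uci set "dhcp.@dnsmasq[0].resolvfile=/etc/resolv.conf.opendns"
# Legacy: put the IP of OpenDNS's old search/redirect page after '=' so dnsmasq answers NXDOMAIN for it
uci set "dhcp.@dnsmasq[0].bogusnxdomain="
uci commit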

Bounce dnsmasq for this setting change to apply:

/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq start

OpenDNS provides a convenient test site at and at so you can verify that your setup is working.
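A local check to go with the test sites, as an added example that is not part of the original post: it audits the resolv file dnsmasq forwards to, because dnsmasq may query any upstream listed there and a single leftover ISP nameserver lets unfiltered answers through. The function names are hypothetical and the FamilyShield addresses are assumed to be 208.67.222.123 and 208.67.220.123.

```sh
#!/bin/sh
# Added example: audit the resolv file that dnsmasq forwards to.
# Assumed FamilyShield resolver addresses; confirm against OpenDNS's setup page.
FAMILYSHIELD="208.67.222.123 208.67.220.123"

# Print each nameserver in file $1 that is not a FamilyShield resolver.
# Exit status 0 only when the file has nameservers and all are FamilyShield.
unexpected_nameservers() {
    awk -v allowed="$FAMILYSHIELD" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" { seen++; if (!($2 in ok)) { print $2; bad++ } }
        END { exit ((seen == 0 || bad > 0) ? 1 : 0) }
    ' "$1"
}

# Human-readable verdict for one resolv file; non-zero on any finding.
audit_resolv() {
    if bad=$(unexpected_nameservers "$1"); then
        echo "OK: $1 lists only FamilyShield resolvers"
    elif [ -n "$bad" ]; then
        echo "FAIL: $1 also forwards to: $(echo $bad)"; return 1
    else
        echo "FAIL: $1 has no usable nameserver lines"; return 1
    fi
}

# Constructed sample: one FamilyShield entry plus a stand-in ISP resolver
# (192.0.2.53 is a documentation address, not a real server).
demo() {
    f=$(mktemp)
    printf 'nameserver 208.67.222.123\nnameserver 192.0.2.53\n' > "$f"
    audit_resolv "$f"; rc=$?
    rm -f "$f"
    return "$rc"
}

# On the router: sh audit.sh "$(uci get 'dhcp.@dnsmasq[0].resolvfile')"
case "${1:-}" in
    "")   ;;
    demo) demo ;;
    *)    audit_resolv "$1" ;;
esac
```

Run it against the default resolv file as well to see what the WAN DHCP lease was supplying before the change.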
