Which ADSL, N router for OpenDNS use?
- Thread starter bledd
- Start date
Associate
- Joined
- 3 Sep 2005
- Posts
- 1,670
- Location
- Glasgow, Scotland
Any router you can manually input DNS servers works, I know at the very least the netgear DG series ADSL routers have remote access, probably linksys too, you won't really need to spend much.
Indeed.
Make sure the clients don't have local admin on their machines otherwise they will be able to use custom DNS servers.
I'm not sure of the term, but I was sure there is a settings you can tick in some routers so anyone connected to it MUST use the DNS setting provided.
This isn't a corporate environment, rented cottage. Would just like to block certain things
This isn't a corporate environment, rented cottage. Would just like to block certain things
dd-wrt and tomato firmwares have the option to intercept traffic on UDP port 53 and use their own internal dns servers.
Sure. Many ways around it. Fact is you won't be able to stop them from using another DNS server.
Course you can, you just block outbound UDP on port 53 to anything but the OpenDns servers... Then even if they manually change it, the requests will be dropped.
Firefox, PuTTy and DNS requests set to go through the SSH tunnel.
Block SSH then.
This is hardly common knowledge and despite being fairly easy to do I can't see it being a major issue.
It's for guest wireless too so I'd lock down outbound ports to limited list anyway.
sshd listening on port 443?
Your point is valid. I just dislike the "do X to block everything" approach.
Tunneling DNS through SSH has downsides though... performance impact. DNS was conceived as a UDP based protocol for a reason: to make it lightweight and fast.
Yes you could tunnel DNS via various methods but that's not really the point. You can tunnel just about any traffic if you know how and have the time and resources to set it up.
Fact is, blocking all UDP 53 traffic at firewall level and then only allowing UDP 53 traffic to your desired DNS servers (e.g. OpenDNS, Google DNS, etc) is a decent solution.
The main reason for doing this is so that if a PC inside the network gets infected with malware. That malware can't then change the PC's DNS servers to something else. It is very common that this happens with malware nowadays. As it allows the malware authors to capture your surfing habits and poison your DNS i.e. for blocking access to Windows Updates and AV update servers. Some malware are advanced to capture passwords through logon attempts to popular sites via DNS poisoning.
Yes you could tunnel DNS via various methods but that's not really the point. You can tunnel just about any traffic if you know how and have the time and resources to set it up.
Fact is, blocking all UDP 53 traffic at firewall level and then only allowing UDP 53 traffic to your desired DNS servers (e.g. OpenDNS, Google DNS, etc) is a decent solution.
The main reason for doing this is so that if a PC inside the network gets infected with malware. That malware can't then change the PC's DNS servers to something else. It is very common that this happens with malware nowadays. As it allows the malware authors to capture your surfing habits and poison your DNS i.e. for blocking access to Windows Updates and AV update servers. Some malware are advanced to capture passwords through logon attempts to popular sites via DNS poisoning.