Sean O'Neill's Weblog

Thursday Jul 12, 2007

OpenDNS - very kewl

I recently read an article on the New York Times about OpenDNS which describes its service as:

OpenDNS is a safer, faster, smarter and more reliable way to navigate the Internet.

Well, after reading the article in the New York Times I was intrigued to say the least, so I started snooping around the OpenDNS web page and got MORE intrigued. One reason I got more and more interested is the services they offer for blocking less-than-savory web sites. What I liked about these value-add services is that the price is right ... it's free. It's interesting in that they have it set up so you can block various sites based on categories of adult themes (bikini vs nudity vs pornographic, etc.) while using nothing more than DNS. So there is nothing to download and install on your home machines. I have enough of a selection of machines at home (FreeBSD, Solaris, Mac OS X, and Windows XP) that anything requiring a client to be installed on each machine type would instantly kill my interest in the service.

( While being very interested in this DNS service technically, in the end, my true motivation is that I have kids getting onto the Internet more these days and I'm looking to avoid for as long as I can the inevitable "Daddy, what are they doing ?!?!?!?!?" .... notice I said "inevitable" )

So I took the plunge and signed up for an account. You have to sign up for an account to activate the adult theme blocking service. Again ... sign-up is free, in case you missed that part above.

One challenge I had is that I already have a DNS server set up here at home for my internal network of machines. It's a Solaris Nevada machine no less (snv_67 currently). So how do I set up my DNS server so it's still authoritative for my internal domain and pushes every other query out to OpenDNS for resolution? The answer: Sun's employee subscription to Safari Books Online -> DNS and BIND, 5th Edition -> Section 10.5 Forwarding. Man, do I love that Safari subscription ...

I tweaked my /etc/named.conf file to look like the following:

options {
    directory "/var/named";
    // Every query this server is not authoritative for goes to OpenDNS ...
    forwarders { 208.67.222.222; 208.67.220.220; };
    // ... and nowhere else: never fall back to asking other servers directly
    forward only;
};

zone "." { type hint; file "db.cache"; };
// Master zones: the empty forwarders {} overrides the global forwarding,
// so these are answered locally from the zone files
zone "0.0.127.in-addr.arpa" { type master; file "db.127.0.0"; forwarders {}; };
zone "nonroutable.com" { type master; file "db.nonroutable"; forwarders {}; };
zone "0.168.192.in-addr.arpa" { type master; file "db.192.168.0"; forwarders {}; };

So the interesting parts are the "forwarders", "forward only", and "forwarders {}" directives. The "forwarders" directive tells BIND to forward every query it cannot answer from its own zones to the listed DNS servers (here, the two OpenDNS servers). The "forward only" directive means rely on those forwarders for everything, i.e. never fall back to asking the root or any other DNS servers directly. The reason for this is that I don't want the cache on my name server polluted with anything that didn't come from OpenDNS. For each of my master zones, the empty "forwarders {}" disables forwarding for that zone, so my server keeps acting as the authoritative DNS server for each specific master zone file, as it should.

The next issue is how to get my DHCP clients the benefits of OpenDNS now that I've set up my OpenDNS account and tweaked my DNS server. Simple: update the DHCP configuration on my Linksys WRT54G to put my DNS server first in the DNS server list, followed by the same two OpenDNS IPs seen in my /etc/named.conf file above.

OpenDNS also supports DDNS for ISPs like mine that hand your Internet router a DHCP address. Unfortunately, my WRT54G only supports DDNS to DynDNS.org and TZO.com; I can't tweak it to support another DDNS service. This matters because, to get the benefits of the adult site filtering from OpenDNS, they have to know the source IP address your DNS queries are coming from. If/when the IP provided by your ISP changes without DDNS letting OpenDNS know, you lose the adult filtering from OpenDNS until you log into your OpenDNS account and update its configuration. Not sure how to resolve this just yet.

Comments:

Look up Google addresses on OpenDNS. I did that, and went back to my caching nameserver configuration.

Posted by Mikael Gueck on July 12, 2007 at 11:05 PM CDT #

Hey Mikael, Not sure what you mean ... As you've indicated, I've tried multiple Google addresses and they all work just fine. Maybe you can be more explicit by what you mean.

Posted by Sean on July 12, 2007 at 11:25 PM CDT #

host www.google.com 208.67.222.222

Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases: 

www.google.com is an alias for google.navigation.opendns.com.
google.navigation.opendns.com has address 208.69.34.230
google.navigation.opendns.com has address 208.69.34.231

host www.google.com 192.168.0.1

Using domain server:
Name: 192.168.0.1
Address: 192.168.0.1#53
Aliases: 

www.google.com is an alias for www.l.google.com.
www.l.google.com has address 209.85.129.147
www.l.google.com has address 209.85.129.99
www.l.google.com has address 209.85.129.104

Posted by Mikael Gueck on July 13, 2007 at 01:47 AM CDT #

Both we and Google are transparent about what's happening there. We do it to make shortcuts and other behaviors work more seamlessly. It doesn't add any perceivable latency and we are crystal clear that we don't log or datamine anything as a result of this. SSL connections are also NOT redirected through this. As with every feature we have, however, this can be turned off in your account under the shortcuts section. -david

Posted by David Ulevitch on July 13, 2007 at 08:04 PM CDT #

I'd point you to http://www.opendns.com/account/dynamic_dns/ for more about dynamic IP addresses, including software clients.

Posted by John Roberts on July 13, 2007 at 08:12 PM CDT #
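The `host` output in the comments above is the check worth automating: once every external query is forwarded to a third-party resolver (the "forward only" setup in the post), you want to know whether that resolver hands back the name you asked about or a CNAME into its own domain. The script below is an added example, not code from the original post or from OpenDNS. It builds a raw DNS query with nothing but the Python standard library, parses the CNAME/A chain in the reply, and flags any CNAME whose registrable domain differs from the queried name (google.com vs opendns.com in the thread above). The two-label "registrable domain" rule, the helper names, and the sample packet bytes (a constructed reply mirroring the `host www.google.com 208.67.222.222` output) are assumptions of this example.

```python
"""Probe a resolver and flag CNAME answers that point outside the queried domain.

Added example, not from the original post or OpenDNS. The two-label
"registrable domain" heuristic and the sample packet are assumptions here.
"""
import random
import socket
import struct

OPENDNS = "208.67.222.222"          # resolver address from the post
QTYPE_A, QTYPE_CNAME = 1, 5


def encode_name(name):
    """Encode "www.google.com" into DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    """Standard recursive query: header (RD=1), one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > 16:                           # refuse pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                    # first pointer ends the name on the wire
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_answers(msg):
    """Return [(owner, type, value)] for CNAME and A records in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                             # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_CNAME:
            target, _ = decode_name(msg, offset)
            records.append((owner, "CNAME", target))
        elif rtype == QTYPE_A and rdlen == 4:
            records.append((owner, "A", ".".join(str(b) for b in msg[offset:offset + 4])))
        offset += rdlen
    return records


def registrable(name):
    """Heuristic: the last two labels (google.com). Assumption of this example."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def foreign_cnames(qname, records):
    """CNAME targets whose registrable domain differs from the queried name's."""
    return [t for _owner, rtype, t in records
            if rtype == "CNAME" and registrable(t) != registrable(qname)]


def probe(qname, server=OPENDNS, timeout=3.0):
    """Send the query over UDP port 53 and return the parsed answer records."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (server, 53))
        msg, _ = s.recvfrom(4096)
    if struct.unpack("!H", msg[:2])[0] != txid:      # drop replies to someone else's query
        raise ValueError("transaction id mismatch")
    return parse_answers(msg)


def sample_response(txid=0x1234):
    """Constructed reply mirroring the `host www.google.com 208.67.222.222` output."""
    question = encode_name("www.google.com") + struct.pack("!HH", QTYPE_A, 1)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    target = encode_name("google.navigation.opendns.com")
    cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CNAME, 1, 60, len(target)) + target
    target_off = 12 + len(question) + 2 + 10        # where the CNAME rdata starts
    a_rr = (struct.pack("!H", 0xC000 | target_off)
            + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + bytes([208, 69, 34, 230]))
    return header + question + cname_rr + a_rr


if __name__ == "__main__":
    recs = parse_answers(sample_response())       # offline run on the constructed reply
    print(recs, foreign_cnames("www.google.com", recs))
```

Run it as-is to see the constructed reply parsed and the `google.navigation.opendns.com` CNAME flagged; `probe("www.google.com", "192.168.0.1")` sends the same query to a resolver of your choosing. The registrable-domain rule is deliberately crude (it treats `co.uk`-style suffixes as a domain), so treat a hit as a prompt to look, not as proof of tampering.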
