Public DNS Servers

This forum contains discussions related to keeping families and individuals safe while making use of technology. Acceptable topics would range from how to protect families from Internet predators and online pornography, monitoring and protecting cell phone usage and text messaging, locking unwanted television and movies from various devices, protecting and monitoring computer game usage, and promoting safe Internet and technology use.
housefull-p40
New Member
Posts: 1
Joined: Tue Feb 23, 2010 3:11 pm
Location: housefull

#21

Post by housefull-p40 »

scgallafent wrote:The work around to bypass this isn't that complicated. Russell is right when he says "it's probably one of the simplest systems to defeat." I'm using the technique that would bypass this filtering right now to manage development of a web site that is being ported from one hosting company to another.

When you consider the fact that the users most likely to want to bypass the filtering are often the most technically adept users in the home, it creates a Bad Situation where you've got a non-technical user who installs a "security solution" that is ineffective and then becomes complacent because they feel they are now protected.

The Church system most likely filters all traffic to known Bad Places. I haven't tested it and I'm not interested in doing any penetration testing from my stake center, so I'm just going to make some educated guesses on what they put in place.

The difference is putting up a barricade so you can't get to the red light district vs. refusing to tell you where the red light district is located.
On the LDSTech wiki, we have created a whole section on Internet safety which includes Internet filtering, etc. I would encourage everyone to review the information and add additional information for the benefit of others.
robartsd
Member
Posts: 69
Joined: Sun Apr 04, 2010 9:07 pm
Location: United States, California

OpenDNS and dynamic addresses

#22

Post by robartsd »

OpenDNS uses the same protocol for updating your IP address that DynDNS uses. Any tool that can update DynDNS can also update OpenDNS if you can manually configure the server for the tool (I've seen many that can only update pre-programed services). OpenDNS has fairly recently come up with their own client for updating on the Mac (I imagine that they also have a client for Windows - perhaps have for a while). My OpenDNS account has multiple dynamic networks (OpenDNS uses the term network for any set of addresses that are configured with custom settings - dynamic networks can only contain a single address). One network is for my home broadband account, the other is for my notebook when visiting other networks. If I am visiting a network that already has custom OpenDNS settings, I cannot override those settings with my own.

I originally decided to try open DNS when I learned about "Drive By Pharming" - the vulnerability of many routers to changes in their settings using cross site request forgery to make the setting request come from within the router's network. I knew that I could secure my router against such attacks, but I could not trust every network that I might use to serve trusted DNS servers. The domain filtering options were just a bonus to me. I have my home page set to check to see that my network settings are active (by accessing a shortcut I created).
rhusted-p40
New Member
Posts: 16
Joined: Mon Mar 17, 2008 10:00 am
Location: Madison, WI

OpenDNS

#23

Post by rhusted-p40 »

OPEN DNS
For what it's worth, I've been using OpenDNS for a couple months now and it works GREAT! In the testing I've done, entering an IP Address of a nefarious site results in a redirect to the OpenDNS denial page. I'm assuming that is a by-product of how web pages work:
1. the browser requests the page (getting the IP address from the DNS server) - if you enter the IP address in the URL, you will get the HTML page (text-only)
2. the browser parses the page and for each linked resource sends a request (images, javascript, css, etc.)
3. if the links on the page have fully-qualified URLs, the browser will contact the DNS server to resolve the domain name in the URL (myspace.com) to an IP address

CURSORY TESTING
I'm assuming that the domain name resolution always results in a redirect to the OpenDNS error page. My testing was cursory, but I was quite pleased with the fact that I couldn't circumvent the security. Should I have done more testing?

My concerns about family internet security went away after applying OpenDNS (simply pointing our router to the static OpenDNS servers, rather than the ones our ISP operates). After some initial testing, I was satisfied that the solution was working great. We apply the minimal amount of blocking (pornography only) and expect the kids to govern themselves.

If someone can tell me how to break OpenDNS, I'd be willing to try. But so far, it's not worked. If anyone is convinced that OpenDNS is breakable, I'll do some testing - but I need some ideas on what to test. Entering the IP Address of a URL did not work... the browser (on any device) redirects to the OpenDNS denial page.

FAMILY POLICY
Our family has operated under the assumption that the kids will eventually leave the nest and must learn self-governance while they're with us. So we've traditionally had computers in common areas, clear instructions on what's permitted and what's not, and no filtering. However, with the introduction of the iPod Touch and DSi this last Christmas, we were increasingly concerned about internet access in bedrooms.

OPEN DNS DOWNSIDE
When your IP address expires and the ISP gives you a new one, you have to enter that IP address in OpenDNS. That means checking occasionally and then going to OpenDNS to update your IP address and settings.

OPEN DNS UPSIDES
It protects ALL devices. NetNanny and other solutions give you a false sense of security because they only protect the single PC on which they're installed. Also, there is granular control over filtering with OpenDNS and there is logging (so you can see what site requests were denied, what sites were hit, etc.). Lastly, it's free (unless you want more robust logging).

STAKE CENTER - USE OPEN DNS?
I'm wondering if we should update the router at the Stake to point to OpenDNS - since the church firewall fails open (it's my understanding that if the blacklist server the church uses is unavailable, the internet is wide open with no filtering applied). Open DNS would shore up that problem.

CELL NETWORK
I think it's worth pointing out that all this filtering and control will NOT protect CELL NETWORKS which are governed by the wireless provider. I don't know if there's a way to set the DNS server that a cell phone uses.
scgallafent
Church Employee
Church Employee
Posts: 3025
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

#24

Post by scgallafent »

I realize this is harsh, but here is my opinion: Promoting OpenDNS as a primary filtering method is IT malpractice. It has its place as part of an overall strategy, but it provides absolutely no protection against bypass in a typical home network.

<soapbox>When we make a recommendation in a church situation, there are going to be people who take it as gospel truth because we've got computer skillz. If someone makes a recommendation in Relief Society or a combined meeting on how to protect your family from nefarious things, someone in that room is going to go home and implement that suggestion. They will then promptly let down their guard, because they've implemented Suggestion X that they heard at church from The Guy With Skillz and their family is protected.</soapbox>

Because it is trivial to break, actively promoting OpenDNS as the solution makes me shudder.

Here are a couple of ways to break it:

Method 1 or "Server? We don't need no steenking server!"

Step 1 - Determine for yourself the IP address of a nefarious site
If you have access to an unfiltered machine, type ping nefarioussite.com and look for the response address. If your machine is filtered, open a command prompt and run nslookup. On a Windows box, you would type the following:

nslookup
server 8.8.8.8
nefarioussite.com
exit


Step 2 - Put the IP address of the nefarious site in the hosts file
Modify the hosts file and add a line with the IP address and name of the nefarious site. Something like this:

12.34.56.78 nefarioussite.com

Step 3 - Do nefarious things
Pick your favorite browser and use its private browsing mode or use a portable browser installation (Firefox Portable or something similar) that doesn't leave much of a detectable trace on the operating system.

Step 4 - Undo the hosts file change
If you've gone this far, you're probably thinking far enough ahead to undo the change to the hosts file. If you were really thinking far ahead, you made a copy of the hosts file and now you can put the copy back in place. That way the timestamp on the file doesn't change.

Method 2 or "Bring Your Own Server"

Step 1 - Change the DNS server in networking settings
Open the appropriate dialog, change the DNS server to 8.8.8.8.

Step 2 - Do nefarious things
'Nuff said.

Step 3 - Change the DNS server back
Undo change from step 1.

I realize that you can do things to make either of these methods more difficult on a PC (remove administrator access, etc.), but that just provides a little more of a challenge. You don't have physical control of the iPod Touch, so you're in trouble with that one.

Borrow your child's iPod Touch and try method #2. I believe the settings are under Settings > Wi-Fi > Choose network > Select blue arrow > DNS. The IP address I gave (8.8.8.8) is one of Google's public DNS servers. I just tested on my Android phone and was able to bypass OpenDNS without a hitch.
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#25

Post by russellhltn »

scgallafent wrote:Step 1 - Determine for yourself the IP address of a nefarious site
You can probably Google the web to find a site that would allow you to do that from the filtered machine.

While I think protecting the DNS lookup is useful for filtering against accidentally stumbling across things, I don't think it's useful against deliberate attempts to bypass it.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#26

Post by russellhltn »

rhusted wrote:OPEN DNS DOWNSIDE
When your IP address expires and the ISP gives you a new one, you have to enter that IP address in OpenDNS. That means checking occasionally and then going to OpenDNS to update your IP address and settings.
I think there's other ways of doing that, such as running a client on a machine that's running much of the time.

rhusted wrote:STAKE CENTER - USE OPEN DNS?
I'm wondering if we should update the router at the Stake to point to OpenDNS - since the church firewall fails open (it's my understanding that if the blacklist server the church uses is unavailable, the internet is wide open with no filtering applied). Open DNS would shore up that problem.
I'm not sure how the church's filtering works. It may create problems with their filtering. It may also create problems in trying access church sites. The church-provided firewall places the stake network inside the church's network. This is necessary for some things like the FHC portal. OpenDNS will return the external IP for these services.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
Hagothsen
Member
Posts: 100
Joined: Thu Aug 12, 2010 12:30 pm
Location: Henderson, NV USA

#27

Post by Hagothsen »

scgallafent wrote:
Method 2 or "Bring Your Own Server"

Step 1 - Change the DNS server in networking settings
Open the appropriate dialog, change the DNS server to 8.8.8.8.

Step 2 - Do nefarious things
'Nuff said.

Step 3 - Change the DNS server back
Undo change from step 1.

I realize that you can do things to make either of these methods more difficult on a PC (remove administrator access, etc.), but that just provides a little more of a challenge. You don't have physical control of the iPod Touch, so you're in trouble with that one.

Borrow your child's iPod Touch and try method #2. I believe the settings are under Settings > Wi-Fi > Choose network > Select blue arrow > DNS. The IP address I gave (8.8.8.8) is one of Google's public DNS servers. I just tested on my Android phone and was able to bypass OpenDNS without a hitch.
I have had success in combating Method#2. Sure, this is a tad more "techy" than most people's ability, but it works nonetheless.

If you happen to be running a router with the tomato firmware, it's super easy to block DNS requests through port 53.

If you have a router than can run dd-wrt, you can get good information from THIS THREAD

I'm sure there are other options for other routers, but not all consumer routers will help you block port 53. There are other 3rd party firmware solutions also. The two I've had success with are Tomato and dd-wrt
robartsd
Member
Posts: 69
Joined: Sun Apr 04, 2010 9:07 pm
Location: United States, California

#28

Post by robartsd »

RussellHltn wrote: It may also create problems in trying access church sites.

My OpenDNS use on my notebook has given me some experience with this problem: at the public library, I was not able to access the library's website while using OpenDNS; at my university, I was not able to access certain university servers while using OpenDNS; at the institute I experienced no difficulty accessing public church websites while using OpenDNS.
mahgig
New Member
Posts: 8
Joined: Sun Jan 23, 2011 5:55 pm

#29

Post by mahgig »

scgallafent wrote:I realize this is harsh, but here is my opinion: Promoting OpenDNS as a primary filtering method is IT malpractice. It has its place as part of an overall strategy, but it provides absolutely no protection against bypass in a typical home network.

<soapbox>When we make a recommendation in a church situation, there are going to be people who take it as gospel truth because we've got computer skillz. If someone makes a recommendation in Relief Society or a combined meeting on how to protect your family from nefarious things, someone in that room is going to go home and implement that suggestion. They will then promptly let down their guard, because they've implemented Suggestion X that they heard at church from The Guy With Skillz and their family is protected.</soapbox>

Because it is trivial to break, actively promoting OpenDNS as the solution makes me shudder.

Here are a couple of ways to break it:

Method 1 or "Server? We don't need no steenking server!"

Step 1 - Determine for yourself the IP address of a nefarious site
If you have access to an unfiltered machine, type ping nefarioussite.com and look for the response address. If your machine is filtered, open a command prompt and run nslookup. On a Windows box, you would type the following:

nslookup
server 8.8.8.8
nefarioussite.com
exit


Step 2 - Put the IP address of the nefarious site in the hosts file
Modify the hosts file and add a line with the IP address and name of the nefarious site. Something like this:

12.34.56.78 nefarioussite.com

Step 3 - Do nefarious things
Pick your favorite browser and use its private browsing mode or use a portable browser installation (Firefox Portable or something similar) that doesn't leave much of a detectable trace on the operating system.

Step 4 - Undo the hosts file change
If you've gone this far, you're probably thinking far enough ahead to undo the change to the hosts file. If you were really thinking far ahead, you made a copy of the hosts file and now you can put the copy back in place. That way the timestamp on the file doesn't change.

Method 2 or "Bring Your Own Server"

Step 1 - Change the DNS server in networking settings
Open the appropriate dialog, change the DNS server to 8.8.8.8.

Step 2 - Do nefarious things
'Nuff said.

Step 3 - Change the DNS server back
Undo change from step 1.

I realize that you can do things to make either of these methods more difficult on a PC (remove administrator access, etc.), but that just provides a little more of a challenge. You don't have physical control of the iPod Touch, so you're in trouble with that one.

Borrow your child's iPod Touch and try method #2. I believe the settings are under Settings > Wi-Fi > Choose network > Select blue arrow > DNS. The IP address I gave (8.8.8.8) is one of Google's public DNS servers. I just tested on my Android phone and was able to bypass OpenDNS without a hitch.

Anyone with both physical access to the box and the know how is going to be able to bypass any filter. Thanks for just providing the how-to.

In seriousness, the intent the vast majority of cases is going to be to limit casual use. A 10 year old kid isn't going to understand what you just explained. The 15 year old brother might, but he will already have easier ways to go about it. Chillax.

To help resolve the comments about dynamic IPs and OpenDNS, remember they have an applet that will sync to your account and update your IP periodicly. Most ISPs are goign to be changing it willynilly anyway. Just install the app on one of the computers in the network, doesn't matter which one, and it will handle it for you.
Post Reply

Return to “Family Safety with Technology”