Public DNS Servers

This forum contains discussions related to keeping families and individuals safe while making use of technology. Acceptable topics would range from how to protect families from Internet predators and online pornography, monitoring and protecting cell phone usage and text messaging, locking unwanted television and movies from various devices, protecting and monitoring computer game usage, and promoting safe Internet and technology use.
rogerscr-p40
New Member
Posts: 7
Joined: Sun Apr 12, 2009 10:56 pm
Location: St Paul, MN

Public DNS Servers

#1

Post by rogerscr-p40 »

As the stake technology specialist and the local tech in my ward I have had people ask me about options for filtering the internet in their homes. We have had General Authorities and even our local Mission President call for parents to install some filtering and people are asking questions. I have considered the options and have decided that for the basic safety net most of my friends want DNS filtering is a great option for a variety of reasons:
1. No software installation is required on the local PC. This is big as we all know Windows goes down on it's own, no need to add additional software.
2. Protects other devices. Now that the Wii, PS3, Xbox and iPods can access the web, software is not an option.
3. Protects visitors. With schools giving out laptops and some teens getting their own laptops it is nice to know that anyone on your home WiFi network is protected from accidental access.

For those who are not familiar with how this works here is my attempt at simplification. A DNS server is contacted every time you type in a website name to resolve the IP address. Think of it as the operator in the old days; you didn't know the person's phone number so you called the operator and she looked it up and patched you thru. So when you type in www.yahoo.com, your computer contacts the DNS server and asks for the IP address for the Yahoo domain, it then contacts the computer at Yahoo using the IP address the DNS server returned. There are few sites anymore that will work without this lookup process.

A filtering DNS server has a modified list of domain names. If your PC requests a website that is on the block list the server does not give your PC the IP address, it instead forwards you to a page that informs you the page has been blocked. Unless you have another way of getting the IP address you will not get to the site.

The neat thing about this is that you can choose your DNS server. Yes, you get a DNS server free with your internet service but you don't have to use it! If you have a home router for high speed internet you can simply open the settings and change the DNS server you want to use so you use one that is filtered. If you don't then you simply have to change the DNS server setting in Windows, Wii or whatever device you are using.

Currently I only know of one free service that enables you to use this method of filtering and it is OpenDNS. They currently require you to create an account, setup your filter levels and either configure your router to update them with your IP address as it changes or install a small utility to do this on one of the PCs in your house.

My hope in posting this is two-fold; first I want to let people know about this simple safety net that is available. I would also like to encourage The Church to consider setting up a pair of these servers up to make it even easier for parents to setup simple filtering. I have used the PCs at our FHC and the filtering seems to be setup similar to OpenDNS so they may already have the servers, they just need to publish the IP addresses. If The Church would make these available then the account setup process currently used with OpenDNS could be skipped and people would simply have to change the IP address of their DNS server in their router.

This is not a bullet proof solution but then again what is. It is just an idea that I think could use some attention.
russellhltn
Community Administrator
Posts: 34419
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#2

Post by russellhltn »

rogerscr wrote:This is not a bullet proof solution but then again what is.
Welcome to the forum.

As you say, not bullet proof. It's probably one of the simplest systems to defeat. Just look up the IP on a website or ahead of time and use the IP address instead of the site name.

I'm not sure what the church uses, but I think it's more sophisticated then that. I don't think that trick will work on it.

You make a good point about other computer devices in the home. So a good solution would be to filter at the router.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
rogerscr-p40
New Member
Posts: 7
Joined: Sun Apr 12, 2009 10:56 pm
Location: St Paul, MN

RE: Workaround

#3

Post by rogerscr-p40 »

Actually using a lookup site to get the IP is less effective than one might think. I just did a lookup of LDS.org and got 216.49.176.33, yet when I type it into my browser I get an error. As a result of shared IP addresses in datacenters most servers also request data on the domain name in your browser and when they get an IP address they quite often fail.

There are work arounds for this but I would like to avoid going into details so this thread doesn't become a 'how to avoid filtering' discussion.
scgallafent
Church Employee
Church Employee
Posts: 3025
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

#4

Post by scgallafent »

rogerscr wrote:Actually using a lookup site to get the IP is less effective than one might think. I just did a lookup of LDS.org and got 216.49.176.33, yet when I type it into my browser I get an error. As a result of shared IP addresses in datacenters most servers also request data on the domain name in your browser and when they get an IP address they quite often fail.

There are work arounds for this but I would like to avoid going into details so this thread doesn't become a 'how to avoid filtering' discussion.
The work around to bypass this isn't that complicated. Russell is right when he says "it's probably one of the simplest systems to defeat." I'm using the technique that would bypass this filtering right now to manage development of a web site that is being ported from one hosting company to another.

When you consider the fact that the users most likely to want to bypass the filtering are often the most technically adept users in the home, it creates a Bad Situation where you've got a non-technical user who installs a "security solution" that is ineffective and then becomes complacent because they feel they are now protected.

The Church system most likely filters all traffic to known Bad Places. I haven't tested it and I'm not interested in doing any penetration testing from my stake center, so I'm just going to make some educated guesses on what they put in place.

The difference is putting up a barricade so you can't get to the red light district vs. refusing to tell you where the red light district is located.
User avatar
WelchTC
Senior Member
Posts: 2085
Joined: Wed Sep 06, 2006 8:51 am
Location: Kaysville, UT, USA
Contact:

#5

Post by WelchTC »

On the LDSTech wiki, we have created a whole section on Internet safety which includes Internet filtering, etc. I would encourage everyone to review the information and add additional information for the benefit of others.

Read about it here.

Tom
rogerscr-p40
New Member
Posts: 7
Joined: Sun Apr 12, 2009 10:56 pm
Location: St Paul, MN

#6

Post by rogerscr-p40 »

I find the WIKI interesting and we may be able to transfer some of the knowledge here to the Wiki. I would have preferred to post to the prior filtering thread but it is locked.

I think it is important to recognize that there are levels of filtering and each level has a cost.

Obviously software as posted on the WIKI is the most robust but it is also generally most expensive, especially if you have multiple PCs. It will also not work with new internet devices such as the OXO OLPC and game devices. At the same time if you have someone who is actively looking this is the most effective option as some software actually scans each image before displaying it.

I like the idea of filtering at the router level as it is cheaper if not free. I have looked around and all I can find at this level is either a DNS filter as mentioned above or an enterprise level device that is cost prohibitive for home users.

We have discussed the limits of a DNS filter, though I think it is better than you think, give it a try. Most of the people I have talked to want a basic filter to prevent the <12 crowd from having an oops moment. Maybe this would work for pre-teens and then you can buy software for the teen years to minimize the cost?

As far as routers with actual software in them to do the filtering anyone know of anything affordable? I would guess that in reality they are actually the 3rd type mentioned in the wiki, a proxy server but I can't be sure.

The down side to this is that a proxy server can only work for unsecure sites. If the site offers HTTPS then the proxy can't filter unless you install a certificate on the PC/Internet device. The thing to remember is that if you install a certificate then they can look at all your secure internet traffic, i.e. banking, purchases etc so make sure you trust them. Again here there is likely a cost associated with this type of filtering but may not be at the per device cost level of software. Can anyone think of workarounds for this as well? Again don't post how to work around this we just want to generally know of there are faults in a technique.

One down side to all of these is you have to trust that the people who setup the filter have the same definition of what is offensive that you have. There will always be sites the slip thru and there will always be sites that are blocked in error. If someone has problems then it is best to limit internet access to times that other people are around and the PC is in a public space. They should also get help as instructed in this last conference. I think it is the prevention of oops moments that can lead further that we want to avoid here.

Lets discuss it here and get the info over to the wiki!
russellhltn
Community Administrator
Posts: 34419
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#7

Post by russellhltn »

rogerscr wrote:One down side to all of these is you have to trust that the people who setup the filter have the same definition of what is offensive that you have.
That brings up a good point. What's appropriate filtering for a youngster may not be appropriate for a teen that needs to do some research for school. You may also have a teen that has proven trustworthy and may have access rights like the adults and you may have a teen that has proven to have issues and needs more restrictions. And all three may live in the same house.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
ensign_avenger-p40
New Member
Posts: 3
Joined: Fri Mar 02, 2007 10:50 pm
Contact:

OpenDNS is fabulous for other reasons, too!

#8

Post by ensign_avenger-p40 »

Not only does OpenDNS filter content, but it can actually speeds up your web access (as opposed to slowing it down like client based solutions).

Also, if you have someone in your household that you think may try to deliberatly bypass the filter (as opposed to casually happening upon inappropraite content), I would recomend more drastic measures- such as useing the built in parental controls that come wioth most Operateing Systems to limit what can be accessed and when (and even provide reports on activity). I would recomend that such users be supervised closely when useing the Internet.

As far as filtering goes in general, I recommend always having a way to disable overzelous filters and whitelist good sites. I usually use the least restrictive settings possible, so as to avoid censoring quality communication (as opposed to the goal of preventing the casual happening upon obscenity).
cvacanti-p40
New Member
Posts: 13
Joined: Sun Feb 10, 2008 7:13 pm
Location: Omaha, NE, USA

ease of use...

#9

Post by cvacanti-p40 »

I am not personally familiar with opendns though I have heard of it...I am most familiar with software based filtering. For what it's worth I have used K9 web protection to be a great free software tool.

I noticed on the wiki that there is not much content...what is the best way to submit information for consideration?
jdlessley
Community Moderators
Posts: 9860
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#10

Post by jdlessley »

cvacanti wrote:I noticed on the wiki that there is not much content...what is the best way to submit information for consideration?
You can go to the LDSTech:Community Portal to find out how to contribute. Before you can contribute you will need to create an account by clicking the create account link on the top right of any wiki page.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
Post Reply

Return to “Family Safety with Technology”