Built-in OpenDNS Client


#1

In the past I have used OpenDNS which is an excellent service that protects users/families/businesses from pornography and other undesirable stuff. It’s very simple, you use their DNS servers and they don’t hold entries for the ‘rude/bad’ stuff.

I know it can be circumnavigated by changing the DNS server that the PC/Mac in question is using (but there are ways to prevent this).

One issue with the OpenDNS service is that if you have a dynamic public IP address (like most domestic Internet connections) then the OpenDNS service can recognise your DNS queries as ‘yours’ so can’t provide the level of filtering you desire.

This is normally cured by having a small app/utility installed on your PC/Mac which keeps checking your public IP address and passes that information to the OpenDNS service in the cloud.

The problem is with my B30 I have two Internet connections, so two public IP addresses. The app doesn’t seem to be able to cope with this.

So I think it would be an excellent idea to have the OpenDNS update client embedded in the Balance so it can provide the updates for all public IP addresses and also negate the need to have said application running on a PC/Mac on the LAN.


#2

Yes! I would very much like to see this feature also.


#3

This is a good idea. We briefly checked out OpenDNS and it seems it has a limitation of supporting one dynamic public IP at a time - which is obviously an issue for multi-WAN environments.

Reference:

We will research more into this. Thanks for the feedback.


#4

Any updates on this?


#5

I currently have 1 static and 1 dynamic IP so what I’m doing is just setting an outbound rule to make all DNS requests go out over the WAN port with a static IP unless that WAN port is at full capacity or down, at which point the DNS requests will overflow to the port with the dynamic IP.

This is fine in my case since there are not too many users. Would be nice to see something like what’s being asked though.


#6

Peplink is certainly looking for something really simple for users.

Regarding the OpenDNS limitation, I would say it like this: If you use OpenDNS, then you already have a fixed address that you registered at OpenDNS. You may even have two and have registered both (be careful, OpenDNS checks that your confirmation is really coming from the IP you registered). If you are used to this tool, it’s really a shame you’re forced to build a box outside of Peplink just for that. Peplink is such a good product!

The lovely interface I’d like to have in “DNS Proxy Settings” in “LAN” settings is:
“Use External DNS Servers”, if checked, then these appear:

  • DNS Server 1 :
  • DNS Server 2 :
  • “Connection” like for “SMTP Forwarding Setup” in “Service Forwarding” but just with checkbox to select those connections we have registered at OpenDNS
  • The list of IP concerned or not concerned by this setting (maybe a tool like the one called “Additional Public IP Settings” in WAN settings)

Controls can be done and report to dashboard:

  • if DNS requests always fail on a given connection (“Are you sure you have registered your connection fixed IP at OpenDNS?”)
  • if given IP addresses are not in local or locally routed networks

If I can help more I will do. If peplink had been open-source it certainly would have already been there.


#7

I go on thinking about it and as I recently worked on my “Potato” WRT54G, I think I can give better ideas about possible implementation assuming Linux is inside.

Solution 1 (my favorite):

  • If “DNS Forwarding Setup” is enabled, everything is done without change.
  • If under-setting “Use External DNS Servers” is checked, it gives an under-under-setting pane in the interface and asks for a second dnsmasq server listening on 5353 or whatever to start.
  • The fields of under-under-settings “External DNS Server 1” and “External DNS Server 2” are given to this second dnsmasq instance. Specifying particular DNS servers (like those of OpenVPN) for DNSMasq is not hard.
  • The under-under-setting “Connection enabler” just adds iptables rules to forward all requests to those External DNS Servers through one or the other(s) WAN connection(s) (if several then balance) depending on what has been declared to OpenDNS. In fact, it could also be done through Outbound Policy.
  • The under-under-setting list of “Concerned IP addresses” is used for iptables port forwarding. I suppose the default for “DNS Service forward” is to intercept the 53 packets and redirect them locally. Here, it would just be to better select 53 packets looking at their IP source and send them locally but on port 5353; other ones keep going to 53.

Solution 2:

  • If “DNS Forwarding Setup” is enabled, everything is done without change.
  • If under-setting “Use External DNS Servers” is checked, it just gives an under-under-setting pane in the interface but does nothing else.
  • The fields of under-under-settings “External DNS Server 1” and “External DNS Server 2” replace those used by dnsmasq.
  • The under-under-setting “Connection enabler” just adds iptables rules to forward all requests to those External DNS Servers through one or the other(s) WAN connection(s) (if several then balance) depending on what has been declared to OpenDNS. In fact, it could also be done through Outbound Policy.
  • The under-under-setting list of “Concerned IP addresses” is used for iptables port forwarding. I suppose the default for “DNS Service forward” is to intercept the 53 packets and redirect them locally. Here, it would just be to better select 53 packets looking at their IP source before sending them locally; other ones would have to manage the DNS resolution by themselves going through the Balance.
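
“Solution 1” above, sketched as a dry-run generator that only prints the commands (an added example, not part of the original post and not Peplink’s implementation). The LAN interface name `br0`, the client addresses and the pid-file path are assumptions; 208.67.222.222 and 208.67.220.220 are OpenDNS’s public resolvers.

```shell
#!/bin/sh
# Added example: dry-run generator for "Solution 1" (prints commands, changes nothing).
# Assumptions (not from the thread): LAN bridge br0, the client addresses below,
# and the pid-file path. 208.67.222.222 / 208.67.220.220 are OpenDNS resolvers.
LAN_IF="br0"
FILTER_PORT=5353
EXT_DNS_1="208.67.222.222"
EXT_DNS_2="208.67.220.220"

# Accept only dotted-quad IPv4 addresses with octets 0-255, so a malformed
# "Concerned IP addresses" entry never ends up inside a firewall rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Second dnsmasq instance: listens on FILTER_PORT, ignores /etc/resolv.conf,
# and forwards only to the external (filtering) resolvers.
dnsmasq_cmd() {
    echo "dnsmasq --port=$FILTER_PORT --no-resolv --server=$EXT_DNS_1 --server=$EXT_DNS_2 --pid-file=/var/run/dnsmasq-filtered.pid"
}

# For each concerned client, redirect its port-53 traffic (UDP and TCP) to the
# second instance; every other client keeps reaching the default resolver on 53.
redirect_rules() {
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        for proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $ip -p $proto --dport 53 -j REDIRECT --to-ports $FILTER_PORT"
        done
    done
}

# Constructed sample input: two filtered clients and one malformed entry.
dnsmasq_cmd
redirect_rules 192.168.1.50 192.168.1.51 "192.168.1.999"
```

Clients that are not listed still use the default forwarder, and a client that points itself at another resolver is only caught because the rule matches on destination port 53 rather than on the router's own address.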

#8

Hi!

Just checking if anything was done regarding this issue? I, too, have one dynamic and one static address.

Thanks!


#9

OpenDNS has a special relationship with Netgear, and some models have firmware that works with OpenDNS to provide different filtering levels by time of day. I would call that a ‘built-in client’.
Is it possible to build something like that into pep?