WikiDevi.Wi-Cat.RU:DD-WRT/OpenDNS
OpenDNS | |
---|---|
Wikipedia | OpenDNS |
Homepage | http://www.opendns.com |
dd-wrt | OpenDNS |
Introduction
OpenDNS is a free DNS (Domain Name Server) service which makes internet browsing safer and allegedly faster. By simply using their DNS servers instead of your ISP's you are automatically protected from their list of Phishing websites. However, in order to restrict a variety of adult website content you will need to create a free account with them, register your IP address and select the categories you want restricted (i.e. sexuality, nude, pornography, lingerie, grotesque, etc...). Since most of us have DHCP assigned WAN IP addresses that change periodically we need to instruct our router to tell OpenDNS what our new IP address is when it changes. We will go over that below.
Basic Setup
- On the Setup tab under Network Address Server Settings (DHCP) look for Static DNS 1 and Static DNS 2
- Set Static DNS 1 to 208.67.222.222 and set Static DNS 2 to 208.67.220.220
- Apply Settings and go to the Services tab
- Under DNSMasq put strict-order in the Additional DNSMasq Options text box
- Apply Settings again
OpenDns with DNS-O-Matic for users with a Dynamic IP
OpenDNS provides an additional service for users with Dynamic DNSs. Their DNS-O-Matic will relay the request to OpenDNS and also optionally forward this to any number of additional Dynamic DNS providers.
- Follow instructions for basic setup above.
- Setup an account with OpenDns and Enable dynamic IP update under the settings tab on the OpenDNS website. Also enable any filtering options you want.
- Log into DNS-O-Matic. It shares the same username and password for OpenDNS.
- Add OpenDNS as a service on DNS-O-Matic
- Also add account information for any other Dynamic DNS providers you have.
- Now click the "Update Info" radio buttion
- On the DDNS tab under Setup in dd-wrt set DDNS Service to Custom.
- Set DYNDNS Server to updates.dnsomatic.com
- Fill in your Username and Password for OpenDNS/DNS-O-Matic
- Set Host Name to all.dnsomatic.com
- See this tip to update multiple hosts.
- Put /nic/update? in the URL text box.
- If that doesn't work, use:
http://updates.dnsomatic.com/nic/update?
- If you get a badauth error from dnsomatic, it could be that you need to use https instead of http, so try:
https://updates.dnsomatic.com/nic/update?
- If that doesn't work, use:
- Apply
Intercept DNS Port
You can prevent users from using their own DNS servers (and hence get around content filtering) by intercepting DNS queries and forcing them to use the DNS servers you specify.
- Go to the Commands tab under Administration.
- In the Commands box paste the following:
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
- Click Save Firewall (note: your WAN interface will be restarted)
Intercept DNS Port Specific Ip/Range
Same as above but for a specific IP address/Range
- Go to the Commands tab under Administration.
- In the Commands box paste the following:
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Or
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to 208.67.222.222
- Click Save Firewall (note: your WAN interface will be restarted)
Intercept DNS port to specific mac address with DNSMasq
dhcp-mac=opendns,**:**:**:**:**:** (first mac)
dhcp-mac=opendns,**:**:**:**:**:** (second mac)
dhcp-mac=opendns,**:**:**:**:**:** (third mac)
dhcp-mac=opendns,**:**:**:**:**:** (fourth mac)
dhcp-option=opendns,6,208.67.220.220,208.67.222.222
Performance Impact
Do note that many major websites, download hosts and media sites are now using content delivery network. These network will resolve an IP that is closest to you for performance. Typically, when you use your ISP's DNS server, you will get an IP address within or close to your ISP's network.
If you choose to use OpenDNS, you will get IP addresses that are optimal to OpenDNS' network but maybe far away from your network. This will have performance impact for sites that are using content delivery networks.
Additional OpenDNS nameserver addresses
OpenDNS nameserver IP addresses are:
208.67.220.220 208.67.222.222
Some routers and devices need a third or fourth nameserver IP address. Use these if necessary (identical service to the original two):
208.67.220.222 208.67.222.220