WikiDevi.Wi-Cat.RU:DD-WRT/OpenDNS

Homepage http://www.opendns.com

Source

OpenDNS @ dd-wrt

Introduction

OpenDNS is a free DNS (Domain Name System) service which makes internet browsing safer and allegedly faster. By simply using their DNS servers instead of your ISP's, you are automatically protected from the websites on their phishing list. However, in order to restrict a variety of adult website content you will need to create a free account with them, register your IP address and select the categories you want restricted (e.g. sexuality, nude, pornography, lingerie, grotesque, etc.). Since most of us have DHCP-assigned WAN IP addresses that change periodically, we need to instruct our router to tell OpenDNS what our new IP address is when it changes. We will go over that below.

Basic Setup

  1. On the Setup tab under Network Address Server Settings (DHCP) look for Static DNS 1 and Static DNS 2
  2. Set Static DNS 1 to 208.67.222.222 and set Static DNS 2 to 208.67.220.220
  3. Apply Settings and go to the Services tab
  4. Under DNSMasq put strict-order in the Additional DNSMasq Options text box
  5. Apply Settings again

OpenDNS with DNS-O-Matic for users with a Dynamic IP

OpenDNS provides an additional service for users with dynamic IP addresses. Their DNS-O-Matic service relays the IP update to OpenDNS and can optionally forward it to any number of additional Dynamic DNS providers.

  1. Follow instructions for basic setup above.
  2. Set up an account with OpenDNS and enable dynamic IP update under the settings tab on the OpenDNS website. Also enable any filtering options you want.
  3. Log into DNS-O-Matic. It uses the same username and password as OpenDNS.
  4. Add OpenDNS as a service on DNS-O-Matic
  5. Also add account information for any other Dynamic DNS providers you have.
  6. Now click the "Update Info" radio button
  7. On the DDNS tab under Setup in dd-wrt set DDNS Service to Custom.
  8. Set DYNDNS Server to updates.dnsomatic.com
  9. Fill in your Username and Password for OpenDNS/DNS-O-Matic
  10. Set Host Name to all.dnsomatic.com
  11. Put /nic/update? in the URL text box.
    • If that doesn't work, use:
      http://updates.dnsomatic.com/nic/update?
    • If you get a badauth error from dnsomatic, you may need to use https instead of http (https also keeps the username and password from being sent in cleartext), so try:
      https://updates.dnsomatic.com/nic/update?
  12. Apply

Intercept DNS Port

You can prevent users from using their own DNS servers (and thereby getting around content filtering) by intercepting DNS queries and forcing them to the DNS servers you specify.

  1. Go to the Commands tab under Administration.
  2. In the Commands box paste the following:
 iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
 iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
  3. Click Save Firewall (note: your WAN interface will be restarted)

Intercept DNS Port for a Specific IP/Range

Same as above, but for a specific IP address or range.

  1. Go to the Commands tab under Administration.
  2. In the Commands box paste the following:
 iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
 iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

Or, to send the intercepted queries straight to OpenDNS instead of to the router:

 iptables -t nat -I PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to 208.67.222.222
 iptables -t nat -I PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to 208.67.222.222
  3. Click Save Firewall (note: your WAN interface will be restarted)
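
To confirm that the rules from the two intercept sections above are actually loaded, here is an added example (not part of the original page; the function name, sample variable and listing are constructed for illustration). It parses the output of `iptables -t nat -L PREROUTING -n -v` and reports which of udp/tcp still lacks a port-53 DNAT rule, either for every LAN client or for one source range.

```shell
#!/bin/sh
# Added example: audit the nat PREROUTING listing for the DNS-intercept rules.
# Function and variable names here are hypothetical, not part of dd-wrt.

# Reads `iptables -t nat -L PREROUTING -n -v` output on stdin and prints each
# protocol (udp, tcp) that has NO port-53 DNAT rule on interface $1 for
# source $2 (default 0.0.0.0/0 = every LAN client). No output means covered.
dns_intercept_gaps() {
    awk -v ifc="$1" -v src="${2:-0.0.0.0/0}" '
        # columns: pkts bytes target prot opt in out source destination ...
        $3 == "DNAT" && $6 == ifc && $8 == src && /dpt:53( |$)/ { seen[$4] = 1 }
        END {
            n = split("udp tcp", want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
        }'
}

# Constructed listing: the udp rule covers all clients, the tcp rule covers
# only one range, and a port-5353 rule that must not count as port 53.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   744 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:192.168.1.1
    0     0 DNAT       tcp  --  br0    *       192.168.1.128/25     0.0.0.0/0           tcp dpt:53 to:208.67.222.222
    3   180 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5353 to:192.168.1.1'

# On the router: iptables -t nat -L PREROUTING -n -v | dns_intercept_gaps br0
printf '%s\n' "$SAMPLE_LISTING" | dns_intercept_gaps br0        # prints: tcp
```

A protocol listed in the output means clients can still reach an outside DNS server over that protocol, so both the udp and the tcp line from the Commands box need to be saved.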

Intercept DNS port to specific MAC address with DNSMasq

 # dnsmasq options: tag the listed clients as "opendns" and hand them the
 # OpenDNS servers through DHCP option 6 (DNS servers).
 # Replace each **:**:**:**:**:** with the MAC address of one client.
 dhcp-mac=opendns,**:**:**:**:**:**
 dhcp-mac=opendns,**:**:**:**:**:**
 dhcp-mac=opendns,**:**:**:**:**:**
 dhcp-mac=opendns,**:**:**:**:**:**
 dhcp-option=opendns,6,208.67.220.220,208.67.222.222

Performance Impact

Do note that many major websites, download hosts and media sites now use content delivery networks. These networks resolve to an IP address that is closest to you for performance. Typically, when you use your ISP's DNS server, you will get an IP address within or close to your ISP's network.

If you choose to use OpenDNS, you will get IP addresses that are optimal for OpenDNS' network but may be far away from your network. This will have a performance impact for sites that use content delivery networks.

Additional OpenDNS nameserver addresses

OpenDNS nameserver IP addresses are:

   208.67.220.220
   208.67.222.222

Some routers and devices need a third or fourth nameserver IP address. Use these if necessary (identical service to the original two):

   208.67.220.222
   208.67.222.220