how to bypass Web Content Filtering?

ctang
Level 1

I have a couple of computers at home. For the ones used by my kids, I want to block certain sites (e.g. youtube), but for my own Win8 PC, I want it open. So my plan is to set up opendns on the router, but on my PC, I would manually set DNS to google's.

So far, youtube blocking works fine on the kids' PCs, but somehow my PC is also blocked, despite my using a manual DNS. In fact, nslookup on my PC does show 8.8.8.8 as the DNS, but youtube.com resolves to opendns' blocking address. I have tried flushing DNS cache, but no joy.

Any ideas?

 


mattwilson9090
Level 4

If your DNS settings are set to one set of DNS servers but you are still getting results that originate with another set of DNS servers, it sounds like you still have some caching at play here. Flush the DNS cache again, as well as the browser's cache. Also flush the cache on the router (should only need to reboot the router).

Is it possible that DNSCrypt is running on that computer or another in your network?

It's also possible that your router is configured to intercept DNS requests and send them to whatever DNS servers are configured for the router, which in this case sound like they are the OpenDNS servers. Without knowing what router hardware or firmware you have I can't really give any guidance as to where to look, but look in all of the router's settings and see if anything in there refers to DNS intercepts or redirections.

greenfrogct
Level 1

Matt is most likely correct with his third response: Your router is most likely intercepting outbound requests on port 53 and routing them to OpenDNS regardless of the static settings in an individual computer. When you invoke NSLookup it reads the default DNS server setting from your active interface, which is what shows in the command prompt, but when it sends a lookup request your router sees the request coming in on port 53 and sends it to 208.67.222.222 (or 220.220 depending on which server you have set for primary). Unless you have a router that supports VLANs where the grown-ups' computers could be on their own network with their own DHCP scope (not likely in the home-router world), your best bet would be to set the DNS in each of the kids' computers to OpenDNS and yours to Google DNS or your own ISP.

The other option would be to replace your router with one that allows a host to override the DNS settings.

ctang
Level 1

Thanks for the replies. My router is D-Link DIR-645, hardware version A1, firmware 1.04.

I suspect it is indeed intercepting DNS requests as others suggested.

The router has a specific PARENTAL CONTROL feature so the router integrates with OpenDNS. To enable this feature, I had to provide the router my OpenDNS account info, and it auto created some entries in OpenDNS. I guess it is a good thing so people can't go around the router config. Although specific for my needs, I need to get a diff router...

ctang
Level 1

BTW, this is what I see on my PC. Even though I am using google DNS, youtube still resolves to opendns... 

Also, I found this article on SOHO routers intercepting DNS requests... http://www.ckollars.org/dns-intercepting.html

---

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\System32>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Windows\System32>nslookup
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> youtube.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: youtube.com
Addresses: 67.215.65.130
67.215.65.130

> 67.215.65.130
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Name: hit-adult.opendns.com
Address: 67.215.65.130

---
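An added example, not part of any post in this thread: a small Python check that reads an interactive nslookup session like the one above and flags answers that reverse-resolve to opendns.com even though a non-OpenDNS resolver was queried, which is the signature of a router rewriting port 53 traffic. The function names are hypothetical; the resolver addresses and the sample session are taken from the thread.

```python
import re

OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}  # named in the thread
IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Sample input: the interactive nslookup session posted in the thread.
SESSION = """\
> youtube.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: youtube.com
Addresses: 67.215.65.130
67.215.65.130

> 67.215.65.130
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Name: hit-adult.opendns.com
Address: 67.215.65.130
"""

def parse_nslookup(text):
    """Return one record per '> query' in an interactive nslookup session."""
    records = []
    for chunk in re.split(r"^> *", text, flags=re.M)[1:]:
        query, _, body = chunk.strip().partition("\n")
        # Lines before the first "Name:" describe the server that was asked.
        head, _, answer = body.partition("Name:")
        server = IP.search(head)
        records.append({"query": query.strip(), "name": answer.partition("\n")[0].strip(),
                        "server": server.group() if server else None,
                        "addresses": sorted(set(IP.findall(answer)))})
    return records

def find_interception(records):
    """Flag answers that reverse to OpenDNS although a different resolver was asked."""
    ptr = {r["query"]: r["name"] for r in records if IP.fullmatch(r["query"])}
    findings = []
    for r in records:
        if IP.fullmatch(r["query"]) or r["server"] in OPENDNS_RESOLVERS:
            continue
        findings += [(r["query"], r["server"], a, ptr[a]) for a in r["addresses"]
                     if ptr.get(a, "").endswith(".opendns.com")]
    return findings
```

A finding here means the "Server" line nslookup prints only reflects the local setting, not who actually answered.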

rotblitz
Level 6

"I suspect it is indeed intercepting DNS requests as others suggested."

Yes, it does. To allow the DNS settings on individual devices to take effect, like Google DNS in your case, you have to select "None" as Parental Control option.

Instead you enter the OpenDNS resolver addresses into the "Primary DNS Server" and "Secondary DNS Server" fields. Alternatively, you configure the OpenDNS resolver addresses only on the devices you want to be controlled by OpenDNS and leave the router alone.

greenfrogct
Level 1

ctang -

As rotblitz said, if you are looking to bypass OpenDNS for some machines but use it for others, do the following:

1.  Go into your router setup and change the Parental Control settings to "None".  This disables the integration between your D-Link and OpenDNS.  You cannot use this integration if you want to have some machines (your "grown-up" computer) bypass OpenDNS.

2.  In the DHCP server setting for your router set the Primary DNS to 208.67.222.222 and the Secondary DNS to 208.67.220.220

3.  Go to the OpenDNS dashboard, and under your network settings make sure you have selected the High (or Custom) category - and if you are using custom settings select the categories you wish to have blocked from the children's computers.

Your own computer can now be set statically to use Google DNS and will be able to bypass the router DHCP settings.

Make sure that one of the computers on your network is running the automatic IP address updater software so that when your ISP rotates your address OpenDNS will stay informed and your settings will continue to work.

ctang
Level 1

Great, the suggestions worked. Thanks!

rotblitz
Level 6

"Make sure that one of the computers on your network is running the automatic IP address updater software so that when your ISP rotates your address OpenDNS will stay informed and your settings will continue to work."

It may well be that the DDNS updater of the router can do this job too if it supports one of OpenDNS, DNS-O-Matic or "user defined".