
Internet Content Filtering in SECN

Introduction

For those who are implementing Internet connected systems in schools and similar organisations, there is often a need to deal with the issue of limiting access to inappropriate Internet content.

A simple way to deal with the issue is to direct DNS requests to a DNS server that will only resolve domain names that meet a specified content classification; the clients never learn the addresses of sites outside that classification and so cannot reach them by name. A number of organisations provide this type of service in various forms.

A good example of such a service is OpenDNS (http://www.opendns.com) which provides a range of services including a free service called "OpenDNS Family Shield" (https://www.opendns.com/home-internet-security/)

There are many alternative services and some are listed here: https://www.topalternativeto.com/opendns/

To achieve this filtering, the local DHCP server is configured to set up the client device's network configuration to point to a suitable DNS server. The OpenDNS service is used in the following example set up.

Ref: https://wiki.openwrt.org/doc/howto/netfilter

Setting up DNS Filtering in SECN Firmware

1. Setting Up DNS Server Addresses

In the SECN firmware, the DHCP Server configuration is located on the Advanced page, in the DHCP section towards the bottom of the page. The DNS Server IP addresses which will be assigned to requesting clients are in the "DNS Server1" and "DNS Server 2" fields.

The default DNS server addresses used by the SECN firmware are for the Google servers at 8.8.8.8 and 8.8.4.4

The DNS server addresses used for the OpenDNS Family Shield service are 208.67.222.123 and 208.67.220.123

To change the DNS servers handed out to clients, edit the two fields with the new IP addresses, Save, and restart the SECN device.

Any client device making a new connection to the SECN router (or renewing its DHCP lease) will be pointed to the OpenDNS Family Shield servers. A device that still holds a lease issued before the change keeps the old servers until it renews, so reconnect test clients after the restart.


2. Capturing Other DNS Requests

A client device which has a static network profile that has been set up manually will likely be pointing to some other DNS server addresses (for example 8.8.8.8) and so will bypass the filtering.

To address this issue, the firewall can be configured to intercept any DNS request from the LAN (UDP or TCP port 53, whatever server it is addressed to) and redirect it to the router's own DNS resolver, which in turn forwards the request to the filtered DNS server configured as the LAN DNS. To achieve this, make the following changes to the SECN configuration:

2.1 Set the LAN DNS

Set the LAN DNS setting (on the SECN Basic page in the top Network section) to point to one of the OpenDNS servers, e.g. 208.67.222.123. This is the upstream server the router's own resolver will forward redirected requests to, so the redirect only filters if this is set.

Edit the field with the new IP address, Save and restart the router.

2.2 Add Firewall Rules

Add firewall rules to intercept DNS requests on port 53 by editing the file "/etc/firewall.user" to add the following rule set:

   iptables -t nat -A PREROUTING  -i br-lan   -p udp   --dport 53   -j REDIRECT  --to-port 53
   iptables -t nat -A PREROUTING  -i br-lan   -p tcp   --dport 53   -j REDIRECT  --to-port 53

After editing and saving the file, restart the router.

Note that these rules only catch plain DNS over IPv4 on port 53. They do not catch IPv6 DNS traffic (which would need matching ip6tables rules), DNS over HTTPS (TCP 443) or DNS over TLS (TCP 853), or any DNS traffic carried inside a VPN tunnel, so a client using one of those can still bypass the filter.


3. Testing

To test the filter, connect a client device such as a laptop to the SECN router using DHCP and point its web browser to http://welcome.opendns.com

The page returned will indicate whether or not the filtering is working.

To test the DNS Request capture rules, set up the client device with a static IP address in the same range as the SECN router, set its Default Router (or Gateway) IP address to point to the SECN router, and set its DNS IP address to point to the Google DNS server at 8.8.8.8 (i.e. a server that the firewall rules, not the DHCP settings, must redirect).

Restart the client device to ensure its network configuration is refreshed, and point its web browser to: http://welcome.opendns.com

The page returned will again indicate whether or not the filtering is working; if it reports that OpenDNS is not in use, the client's request to 8.8.8.8 is not being redirected.

Note that you may have to force refresh the browser page to ensure that it is not displaying a cached version of the page.
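The browser check above depends on page caching and on what the client happens to resolve. The script below is an added example, not part of the SECN wiki or the SECN firmware: it sends the same raw DNS query from the client first to 8.8.8.8 and then to the Family Shield server, and reports whether the two replies agree. If the PREROUTING REDIRECT rules are in place, the query addressed to 8.8.8.8 never reaches Google; it lands on the router's resolver and is answered through the filtered upstream, so for a domain that Family Shield blocks both replies carry the same (filtered) answer. The server addresses are the ones on this page; the domain name is passed on the command line and "welcome.opendns.com" is only a placeholder default; the sample reply bytes used for the offline self-check are constructed, not captured from a real resolver.

```python
import random
import socket
import struct
import sys

# Servers from the page: Google (unfiltered) and OpenDNS Family Shield.
GOOGLE_DNS = "8.8.8.8"
FAMILY_SHIELD_DNS = "208.67.222.123"


def build_query(name, txid, qtype=1):
    """Build a minimal DNS query: one question, recursion desired.

    qtype 1 = A record; the class is always IN (1).
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, offset):
    """Return the offset just past the domain name starting at `offset`.

    Handles plain label sequences and RFC 1035 compression pointers
    (a pointer is two bytes and terminates the name).
    """
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid):
    """Return (rcode, [IPv4 addresses]) from a DNS response packet.

    Raises ValueError if the transaction id does not match the query,
    i.e. the packet is not the reply to what we sent.
    """
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: got %#x, expected %#x" % (rid, txid))
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return rcode, addrs


def resolve(name, server, timeout=3.0):
    """Send one A query to `server` on UDP/53 and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def redirect_in_effect(answer_direct, answer_filtered):
    """True when the reply 'from' the unfiltered server matches the filtered
    server's reply: the router's PREROUTING REDIRECT rules sent both queries
    to its own resolver, which forwarded them to the LAN DNS upstream."""
    return (answer_direct[0] == answer_filtered[0]
            and set(answer_direct[1]) == set(answer_filtered[1]))


# Constructed sample reply (not captured from a real server): id 0x1234,
# flags 0x8180 (response, RD, RA, rcode 0), one question, one A answer whose
# name is a compression pointer back to the question (0xC00C), TTL 60.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07welcome\x07opendns\x03com\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x00\x3c" + b"\x00\x04"
    + bytes([192, 0, 2, 10])
)


if __name__ == "__main__":
    # Usage: python3 dnscheck.py <domain that Family Shield blocks>
    # Run from the static-IP client whose DNS setting points at 8.8.8.8.
    name = sys.argv[1] if len(sys.argv) > 1 else "welcome.opendns.com"
    direct = resolve(name, GOOGLE_DNS)
    filtered = resolve(name, FAMILY_SHIELD_DNS)
    print("via %s: rcode=%d %s" % (GOOGLE_DNS, direct[0], direct[1]))
    print("via %s: rcode=%d %s" % (FAMILY_SHIELD_DNS, filtered[0], filtered[1]))
    print("port-53 redirect in effect:", redirect_in_effect(direct, filtered))
```

The comparison is only informative for a name whose filtered answer differs from its real one (a domain the Family Shield category filter blocks); for an unblocked name both servers return the real address and the result says nothing. Because the REDIRECT rule rewrites the reply's source back to 8.8.8.8, the client cannot tell from the packet itself that the router answered, which is why the script compares answers rather than inspecting the source address.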