
OpenDNS setup

OpenDNS provides Internet users with a free Domain Name System service accessible from any host, regardless of the network IP address used to send the request. This DNS system is gaining popularity with millions of users since it offers a series of advantages not supplied by traditional DNS services offered by Internet Service Providers.
This document lists the advantages of using OpenDNS and provides configuration instructions for the Zeroshell Router/Firewall. Zeroshell also includes an updater that notifies OpenDNS of the dynamic IP address assigned to the router. With this feature you can customize settings on the OpenDNS web dashboard and make full use of advanced features such as the web content filter and parental control.

This document is broken into the following sections:

OpenDNS to improve Web navigation response time

One of the reasons for slow web navigation and slow use of other Internet services is slow DNS response. Because it serves such a large number of requests, OpenDNS has an extremely large and up-to-date cache. This means that if a client asks for a name to be resolved to an IP address, OpenDNS most probably already knows the answer, without having to ask the authoritative DNS server for it. Moreover, OpenDNS provides recursive DNS servers that respond directly to client requests. Not having to wait for responses from successive lookups helps to reduce client wait time.

OpenDNS and Anti Phishing protection

One of the most dangerous navigation traps is called Phishing. A user may be tricked into providing sensitive data, such as credit card information or online bank account login credentials, on sites that appear to be the originals but are really only intended to acquire this information for illicit use. The names of these Phishing sites are almost exactly the same as the original ones, to confuse users. They are opened by clicking hyperlinks in spam messages or by mistyping an address in the web browser. Obviously, these sites do not use the encrypted HTTPS protocol, and thus the user doesn't even receive invalid digital certificate warnings. Since OpenDNS has a database that contains an accurate list of sites used for Phishing, it helps you to prevent Phishing by blocking the resolution of their names to IP addresses, so the sites are never displayed.

Web content filter and parental control

To use OpenDNS for improved response time and anti-Phishing protection, simply use the two DNS servers 208.67.222.222 and 208.67.220.220; nothing else is required. However, you can create an OpenDNS account to open the web dashboard, where you can set the service to best meet your needs and use the advanced OpenDNS services. Specifically, you can filter websites by category, blocking the categories deemed inappropriate for your Internet users. For example, using just the dashboard you can disable the resolution of names of sites classified as containing pornographic material or discussing illegal subjects, as well as social networks like Facebook or instant messaging. In addition to controlling content using the default categories, you can set up your own blacklist and whitelist to block or permit access to certain sites.
Obviously, if you want to use these advanced OpenDNS features, you must create a link between your personal OpenDNS account and your Internet users' IP addresses. If the IP addresses are static, just set them on the dashboard. Otherwise, you can use a DNS updater for dynamic IP addresses to send IP address changes to the OpenDNS database. Zeroshell can perform this task, and we will see how to set it up below.

Internet use statistics

One of the best ways to see which Internet services are most used on your LAN is to obtain statistics on domain resolution requests. Obviously, whatever the requested service is (WWW, e-mail, VoIP, etc.), services are hard to reach by IP address, which is difficult to remember and may even change dynamically, but they are almost always accessible via a hostname.
OpenDNS lets you view domain access statistics. Remember that statistics must be activated on the dashboard following OpenDNS registration.

URL spelling check

Another helpful, although not essential, OpenDNS feature is the hostname spelling check. If you enter a nonexistent URL, OpenDNS attempts to interpret the user's request and, when possible, automatically corrects it before responding with its web search page.

URL shortcuts

With an OpenDNS account you can create shortcuts on the dashboard to assign easy to remember nicknames to long and complex web addresses. You will be automatically redirected to the linked website when you enter the shortcuts in the browser address bar. This feature is not essential but may be a helpful web navigation tool.

Setting up Zeroshell for OpenDNS

In order to take advantage of OpenDNS features, simply add the two DNS servers (208.67.222.222 and 208.67.220.220) to the settings on each Internet user's client. Alternatively, you can set up the DHCP server to assign them automatically. Another possibility, if you have a DNS server on your LAN, is to have that server work as a DNS cache that uses OpenDNS as its forwarders to resolve any domain for which it is not authoritative. This way, when the answer to a client request is not in the LAN DNS cache, the server simply forwards the request to the OpenDNS servers instead of the root DNS servers. In addition to providing a local cache, this solution lets you manage the advanced OpenDNS features by creating a single account and only updating the local DNS server IP address in the OpenDNS database.



[Figure: OpenDNS forwarders. Setting up OpenDNS servers as DNS forwarders.]



To set up the Zeroshell DNS server to use OpenDNS as forwarders as described, simply open the [DNS][Forwarders] section and enter the server IPs 208.67.222.222 and 208.67.220.220, separated by a comma, specifying ANY as the domain. The result is the one illustrated above.

Setting the Dynamic DNS Updater for OpenDNS

At this point, once the two DNS forwarders are set, OpenDNS is already used by LAN clients. However, as already mentioned, to use advanced services such as customized web filters and parental control, Internet access statistics and shortcuts, you must inform OpenDNS of the IP addresses used to send requests. If you have a static IP address, you only have to set it once on the OpenDNS dashboard; for dynamic IP addresses you should use a Dynamic DNS Updater.


[Figure: OpenDNS Updater. OpenDNS updater to keep dynamic IP addresses updated in the OpenDNS database.]



Zeroshell has a dynamic DNS client compatible with OpenDNS. To set it up, simply select OpenDNS as the domain in the [DNS][Dynamic DNS] section (as illustrated above), enter your OpenDNS account username and password, and activate the service.

Firewall setup to prevent non OpenDNS DNS use

If you intend to enable web filters to prevent access to certain site categories, you should make sure that the only DNS server clients can use is the Zeroshell one, which uses OpenDNS as a forwarder. This way, users cannot change their client DNS settings to avoid the restrictions. To do this, if Zeroshell is the default gateway for Internet access or acts as a transparent bridge, block communications to port 53 UDP/TCP in the Firewall.


[Figure: OpenDNS Firewall. Firewall settings to prevent DNS use other than OpenDNS.]


This block should be set in the FORWARD chain, which processes traffic routed through Zeroshell. The Zeroshell DNS server can still contact the OpenDNS servers, since traffic generated by a local process is not affected by the FORWARD chain.
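
An added example (not from the original page and not Zeroshell's own code): a shell audit that reads `iptables-save` output and checks that the FORWARD chain blocks port 53 for both UDP and TCP, as the text requires. The sample ruleset and the function names are constructed for illustration, and the iptables form of the rules is an assumed equivalent of the GUI settings.

```shell
#!/bin/sh
# Constructed sample iptables-save output (not from a real Zeroshell box).
# UDP 53 is dropped in FORWARD, but the matching TCP 53 rule was forgotten.
# Assumed iptables equivalent of the GUI block, one rule per protocol:
#   iptables -A FORWARD -p udp --dport 53 -j DROP   (and the same for tcp)
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p udp -m udp --dport 53 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# forward_dns_verdict PROTO  (hypothetical helper)
# Reads iptables-save output on stdin and prints the target of the first
# FORWARD rule matching PROTO with destination port 53, or "none".
# Simplification: address and interface qualifiers on a rule are ignored.
forward_dns_verdict() {
    awk -v proto="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            p = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      p = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (p == proto && dport == "53") { print target; found = 1; exit }
        }
        END { if (!found) print "none" }
    '
}

# dns_block_complete  (hypothetical helper)
# Returns 0 only when the first port 53 match for BOTH udp and tcp
# is a DROP or REJECT; otherwise names the protocol left open.
dns_block_complete() {
    rules=$(cat)
    for proto in udp tcp; do
        verdict=$(printf '%s\n' "$rules" | forward_dns_verdict "$proto")
        case "$verdict" in
            DROP|REJECT) ;;
            *) echo "FORWARD does not block $proto/53 (first match: $verdict)"
               return 1 ;;
        esac
    done
    echo "FORWARD blocks DNS on udp/53 and tcp/53"
}

# Audit the constructed sample; it reports the missing TCP rule.
printf '%s\n' "$SAMPLE_RULES" | dns_block_complete || true
```

On a live Linux router the same check runs as `iptables-save | dns_block_complete`. A port 53 block covers classic DNS only; DNS carried over TLS (port 853) or HTTPS (port 443) is outside these rules and needs its own policy.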



    Copyright (C) 2005-2013 by Fulvio Ricciardi