
Simple safe browsing environment for intranets

Intro


Want to keep users from browsing porn or other unwanted content? You can do this simply with OpenDNS. If you run your own BIND DNS server for your intranet, you also get more fine-grained control over which devices have restricted access and which do not. This is based on the IP address of the device, so it can be easily circumvented, but for some environments this is hard enough.

OpenDNS


OpenDNS offers access to DNS servers that redirect unwanted sites to a blocking page. To configure the level of filtering, you have to create an account here:

http://www.opendns.com/home-internet-security/parental-controls/opendns-home/

Dynamic IPs


Most people get dynamic IPs, so OpenDNS has to be informed who is querying. With Linux you can use ddclient. It is described here:

https://support.opendns.com/entries/23554765-Linux-IP-Updater-for-Dynamic-Networks

Filter for some, but not all internal IPs


This works well if you run a BIND DNS server inside your network. You can use BIND's "view" feature. An example config:

acl restricted_hosts { 192.168.178.128/25; };

view "restricted" {
        match-clients { restricted_hosts; };
        forwarders {
            208.67.222.222; # OpenDNS Servers
            208.67.220.220;
        };
        forward only; # never fall back to unfiltered recursion if the forwarders do not answer

        zone "localhost" in {
                type master;
                file "localhost.zone";
        };

        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "127.0.0.zone";
        };
        # ... more zones ...
};


view "unrestricted" {
        match-clients { !restricted_hosts; any; };

        zone "." in {
                type hint;
                file "root.hint";
        };

        zone "localhost" in {
                type master;
                file "localhost.zone";
        };

        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "127.0.0.zone";
        };
        # ... more zones ...
};


This would restrict all IPs from 192.168.178.129-255, while lower IPs would be able to access the internet unrestricted.
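
To check which devices actually end up in the filtered view, the following added example (not part of the original page) evaluates the two match-clients lists above in order, first match wins, for a constructed device inventory. The host names, addresses and function names are assumptions made for illustration.

```python
import ipaddress

# ACL and view order copied from the named.conf above.
ACLS = {"restricted_hosts": ["192.168.178.128/25"]}
VIEWS = [
    ("restricted", ["restricted_hosts"]),
    ("unrestricted", ["!restricted_hosts", "any"]),
]

# Constructed sample inventory (host names and addresses are made up).
INVENTORY = {
    "kids-tablet": "192.168.178.130",
    "kids-laptop": "192.168.178.128",    # first address the /25 ACL matches
    "games-console": "192.168.178.127",  # one below the ACL range
    "parents-pc": "192.168.178.20",
    "kids-phone-v6": "fd00::1234",       # IPv6 client: only "any" matches it
}

def element_matches(element, addr):
    """True if one match element (ACL name, CIDR or 'any') covers addr."""
    if element == "any":
        return True
    if element in ACLS:
        return match_list(ACLS[element], addr)
    return addr in ipaddress.ip_network(element, strict=False)

def match_list(elements, addr):
    """Walk the list in order; the first matching element decides, '!' negates."""
    for element in elements:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), addr):
            return not negated
    return False

def view_for(client):
    """Name of the first view whose match-clients accepts the client, else None."""
    addr = ipaddress.ip_address(client)
    for name, match_clients in VIEWS:
        if match_list(match_clients, addr):
            return name
    return None

def audit(inventory, must_be_filtered):
    """Devices that should be filtered but are not served by 'restricted'."""
    return sorted(h for h in must_be_filtered if view_for(inventory[h]) != "restricted")

if __name__ == "__main__":
    for host, ip in INVENTORY.items():
        print(f"{host:15} {ip:18} -> {view_for(ip)}")
```

Devices reported by `audit` need a fixed address inside the ACL range (for example a static DHCP lease), or an additional ACL entry, before the filter applies to them.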


Created by redflo. Last Modification: Tuesday 06 of May, 2014 22:49:54 UTC by redflo.
