Poor man's web content filter

Posted on 2010-03-05 06:45

Having kids in the computer age presents a lot of challenges that parents didn't have to deal with years ago. Among them is the fact that hard core pornography is just a couple of clicks away. Depending on your operating system of choice there are zillions of programs you can buy to "filter web content", but a parent has to shell out for the program, get it installed, then configure it, and it only works for the computer on which it was installed. There is a simpler way to block content, which will work for all computers on your "network" (all the computers in your home or business), which can be managed at a single place, and will even provide reports on what sites are being blocked which is completely free and fairly easy to set up.

To understand how this solution works, you need to understand some basic concepts. When you use a web browser to go to a chosen website, you're typing in a "friendly name" (like "google.com" or "facebook.com") which servers on the internet don't understand at all, so they need to translate that name into a set of numbers first. This translation is done using a system called DNS (domain name system). DNS is just a method whereby your computer sends out a request to whatever DNS server it is configured to use for the correct numbers needed to display the site name you typed. Most users just have their network connections set for "automatic" which makes everything "just work" and so their DNS servers are set to be their ISP's DNS servers by default. As an administrator of your own computer you can choose to change the DNS servers you are using manually. This post isn't a "How To" on changing your DNS settings, so I'll just say that the OpenDNS site has some pretty good tutorials on how to make that simple change.

Depending on the size of your network, you may already have a hardware firewall which offers content filtering. Hardware firewalls are expensive, and most home users rely on some kind of software solution instead. A DNS based solution can offer a sort of redundancy or double check on requests for "bad" sites that are making it through or around a firewall, but its a particularly good solution for home users who are currently using nothing or have only a software blocking solution in place. With the popularity of smart phones and gaming consoles with internet access, a DNS solution is particularly handy since it allows you to control what gets returned to all the devices on your network from a central point.

A solution I recommend is to use OpenDNS servers instead of your ISP's servers and then to set up a free account on OpenDNS.com and configure your account to use the free OpenDNS content filtering system to block specific sites or whole categories of sites. OpenDNS is not "open source", rather it is open in the sense that anyone can use their DNS servers; OpenDNS is a company and wants to make money. Some money is made by re-directing queries for non-existent domain names to (hopefully) relevant sites (provided by Yahoo!) of OpenDNS customers. They launched content filtering in 2007 aiming at business, educational, and parents. Sites are blocked by category and the lists of sites are maintained by the users. As a registered user you can suggest that a site be placed into one of the content filtering categories and vote on other user's suggestions. You can even maintain a an "override list" for sites that would otherwise be blocked because you have chosen to block a given category or permitted because you haven't chosen a category.

Important points to note

  • Probably the most important point is that if a user of a computer (or device) has the authority to change the DNS servers being used, they can totally get around this system. To use a system like this in a business, you'd have to ensure that you have permissions defined such that normal users cannot modify the DNS servers the administrator specifies for the network. At home, where you're just trying to make sure that a Google search doesn't turn into a bad learning experience for your kids, perhaps this isn't much of an issue - but I still think kids should not be able to run any machine as an administrator anyway.
  • It is rare that a home user will have a "fixed" (permanent) IP address. Home users are usually set up with a "dynamic" IP address, which just means that the number assigned to their home router (or directly to their computer if the PC is using dial up) is assigned from a pool of available numbers at the time and it may change. Since OpenDNS needs to know what your number (IP) is for it to block things going to you - you need to know that number. Then, you'll need to make sure you update OpenDNS if it changes. This could be done manually if it doesn't change very often (my cable IP at home hasn't changed in a long time), or you can run a little program on your PC which sends that information up to OpenDNS and keeps it up to date if it changes. How to do this is all explained on the site.
    To find your public IP (the number assigned to your router), which is the number the internet sees as "you", just visit whatismyip.com and the site will report it back to you.
  • Your ISP (Roadrunner, Cablevision, etc.) has access in its logs to all the sites you've ever requested to look at. If you are ever investigated by the police and they subpoena these logs from your ISP, the ISP will turn them over - just one more reason to use an alternate DNS provider if you're concerned about your privacy. But there's nothing that says OpenDNS won't hand over your logs when the man comes knocking either.
  • If you use a recent web browser you might already know that by typing into the address bar you are performing a search (on a particular search engine), but OpenDNS redirects these kinds of requests from the address bar. This is really sneaky, but is listed in the Terms of Service and can be disabled by unchecking the "OpenDNS proxy" option in the OpenDNS settings (or overridden in other ways in Firefox.

OpenDNS servers:

  • 208.67.222.220
  • 208.67.220.222