
Son bypassed DNS. Can I force DNS on router/modem?

KamWest
I plan to stick around

Hello everyone

 

I have the CODA-4582U modem and am using open dns as a parental control for my kids. It works like a charm but my oldest boy has figured out how to bypass DNS on his chromebook and switched to google dns. Is there a way to make a rule of some sorts that enforces DNS on my coda modem. I could install a WRT router with DD-WRT and they have a setting to enforce dns but I prefer to not bridge my coda modem especially since I am using the new Rogers MyWifi app and I like some of the functionality in it. Most of the Rogers parental control are not as configurable as open dns so I really want to use that with a rule to enforce dns on the router level. Any ideas anyone?

 



Re: Son bypassed DNS. Can I force DNS on router/modem?

Gdkitty
Resident Expert

Unfortunately I don't think so.

The real problem is that in most cases like this one, the DNS is over-writable on the device itself.

I think the only option really would be to lock down the device: enforce that his login is not at an administrator level, that they can't make system changes, etc.

Re: Son bypassed DNS. Can I force DNS on router/modem?

KamWest
I plan to stick around

Is there not a way of blocking a port and then just allowing open dns through?

Re: Son bypassed DNS. Can I force DNS on router/modem?

Datalink
Resident Expert

@KamWest I believe that since your son has figured out how to switch DNS providers, you're beyond the capability of the modem and most routers to counter that capability.  Now it's a cat and mouse game.....

 

What you need to do depends on what you're doing for DNS providers.  If you only want to use one DNS provider for the whole family, then you might be able to use the modem's SECURITY .... KEYWORD FILTER to block any other DNS IP address.  I don't know if this will work, so, you will have to experiment with it.  In theory, you should be able to enable the Managed Keywords List and add Google's IP address to the list.  

 

Fwiw, for reference purposes, here is a link to a Midco supplied CODA-4582 manual:

 

https://www.midco.com/contentassets/21f126b6721648ae910ae0af1328e9ff/Hitron_CODA-4582.pdf

 

First step is to assign a static address to the device using the BASIC .... LAN SETUP .... DHCP Reservation.  Set up a static address for your son's Chromebook.  When that is done and the changes are saved, you should reboot the modem using the ADMIN .... DEVICE RESET .... Reboot function, or, pull the power, wait for 10 to 15 seconds and then power up the modem.  This will force a restart/reboot.

 

Then, using the SECURITY .... KEYWORD FILTER, set up the IP addresses that you want to block, including google's DNS addresses.  That is found on page 131 of the manual.  There are two parts to this rule, the keyword "rule" and a so called "Trusted Device" to which the rule can be applied.  

 

For the keyword rule, add the IPV4 addresses for Google's DNS, and try adding the IPV6 DNS address as well.  That depends on whether or not you have IPV6 up and running in your modem.  If you look at the BASIC .... GATEWAY FUNCTION tab in the modem's user interface, you will see the Router Mode.  That might be set to Dual (Stack) which runs both IPV4 and IPV6.  If the Keyword filter won't accept an IPV6 address, you might have to consider using IPV4 only for your home network, as set by changing the Router Mode in the GATEWAY FUNCTION tab.  That's going to require some experimentation.  When you have the IP addresses entered, the next step is to add the Trusted PC.  

 

That Trusted Device entry requires an IP address, which is why I indicated earlier to set up a static address for your son's Chromebook.  I don't know if the Host Name entry will show a drop down menu when you are in the data entry stage, so, you might have to make note of the Chromebook name when you set up the static IP address.  

 

When that is done, hit Apply and reboot the modem using the ADMIN .... DEVICE RESET .... Reboot function.  

 

As I indicated earlier, this might become a cat and mouse game.  If this works as I hope it would, Google's DNS IP address should be blocked.  However, there are many other Domain Name Servers which could be used, so, you might have to block a good number of DNS IP addresses to get the point across.  Even then, all it takes is one DNS address that isn't blocked and you're back at square one.   Just off the top of my head, you would have to consider blocking all of the DNS addresses for every Canadian ISP, large and small, plus the following: Google, OpenDNS, Cloudflare, Quad 9, Level 3, Yandex, etc, etc.  You might not get every Domain Name Service that is available, but, the point here is to get the point across that only the DNS that mom and dad specify will be used in the device. 

 

So, just thinking about this, I'm assuming that Chromebooks have an admin and user account capability as is found on Windows PCs.  If your son is changing the DNS address, it sounds like he's using an Admin account.  Personal opinion, no one should be using an Admin account for anything other than admin purposes.  That account has higher privileges, so if you run into a rogue web site somewhere, you run the risk of unauthorized changes to the device, including changing the DNS address to a rogue DNS address used for the purposes of ID theft and password capture. 

 

For everyday use, a User account should be used which has limited privileges.  That might not be fully able to protect the user device from unauthorized changes, but, it should limit the damages that could occur.  So, fwiw, a little advice to your son, specifically on device and online security might be in order.  Don't know how old your son is, but, you might have to assert some rather strong parental control in this situation, as in, only mom or dad will have admin rights on the Chromebook, while anyone else will only have a User account.  That won't limit what the user can do, in terms of using the device, except perhaps making any changes to the DNS address.   That step alone would alleviate all of this and potentially prevent problems at some point in time.  I did that with my kids when they were much younger and now, in university, they still maintain that Admin / User account setup.   I've never restricted DNS addresses, but, I've used OpenDNS for malware site filtering and country filtering.  That's never appeared to have caused any issues over the years.  Fwiw ..... hope this helps.

 

Edit:  At the end of the day, even setting the preferred DNS in a router won't work as the Chromebook is using the DNS address directly.  That preferred address is usually set via device MAC address and is designed to route the DNS request from the specified MAC address to a specified DNS address.  So, the only way around the present situation is to use a routing rule that forces the device supplied address such as Google's DNS over to the address that you specify.  That is only found in advanced router operating systems such as DD-WRT, Merlin's Asuswrt, PfSense, etc.

Re: Son bypassed DNS. Can I force DNS on router/modem?

KamWest
I plan to stick around

Thank you for the info @Datalink

 

My son has no experience; he just stumbled across the setting on his Chromebook to use Google DNS, but on so many routers you can make a rule to enforce DNS. I got this from OpenDNS but cannot figure it out for my modem/router.

 

 

General Instructions 

 
 
Most routers and firewalls will allow you to force all DNS traffic over port 53, thus requiring everyone on the network to use the DNS settings defined on the router/firewall (in this case, OpenDNS).  The preferred recommendation is to forward all DNS requests to go to the OpenDNS IPs listed below.  This way, you simply forward users' DNS requests without them knowing, instead of having the possibility of someone manually configuring DNS and having it not work.

Essentially, you will want to create a firewall rule to only allow DNS (TCP/UDP) to OpenDNS' servers and restrict all other DNS traffic to any other IPs. Ideally this filter or rule would be added to the firewall that is at the furthest edge of your network. In simple layman's terms, this would be defined similarly as below:

ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53

and

BLOCK TCP/UDP IN/OUT all IP addresses on Port 53
 
The first rule trumps the second rule. Put simply, any requests to OpenDNS will be allowed and any requests to any other IP will be blocked. 

  • Depending on your firewall configuration interface, you may need to configure a separate rule for each of these protocols or one rule which covers them both.
  • The rule can be applied on either the firewall or the router, but normally is best placed on the device most at network edge.  A similar rule could be applied to software firewalls installed on a workstation as well, such as the built-in firewall on Windows or Mac OS/X.

Unfortunately, individual configurations are not something OpenDNS is able to assist in supporting, as each firewall or router has a unique configuration interface and these vary greatly.  If you are uncertain, you should check your router or firewall documentation or contact the manufacturer to see if this is possible with your device.

Re: Son bypassed DNS. Can I force DNS on router/modem?

KamWest
I plan to stick around

Your instructions from above are good but in my post above you see the open dns blocks all other dns providers and in yours it only blocks google dns. I need to only allow access for open dns and block the others.

Re: Son bypassed DNS. Can I force DNS on router/modem?

That's an advanced rule that you would have to create via DD-WRT or via any other router operating system.   Essentially, if this is UDP traffic on port 53 bound for anywhere other than OpenDNS, block the request.  If you posted a question in the DD-WRT forum you should get an answer.   As I indicated above, you would have to potentially block more than one service.  

 

Do you happen to have an account set up with OpenDNS, or are you using the family friendly address?  If you have an account set up, then you would also have to have the DNS updater running on at least one pc in your network that updates your WAN IP address with OpenDNS.  That ties your OpenDNS account to the dns request.  

 

Personal opinion, exerting parental control over the Chromebook accounts is the easiest way to solve this issue.  With that done, it's just a matter of setting the OpenDNS address in the modem.  That doesn't solve the issue of what happens when the Chromebook is outside of the home, unless you have admin control and set the family friendly DNS address in the Chromebook, so that there isn't any way around this.  At school, there is always the possibility that the IT staff has set a series of routing or filtering rules that force the students' devices to use a filtering DNS address.

Re: Son bypassed DNS. Can I force DNS on router/modem?


@KamWest wrote:

Your instructions from above are good but in my post above you see the open dns blocks all other dns providers and in yours it only blocks google dns. I need to only allow access for open dns and block the others.


As I indicated above, this is now a cat and mouse game.  Now that your son has figured this out, you can play this game and try to prevent the use of any and all services except for OpenDNS, or, you can choose to exert some control over the device and force the use of OpenDNS.

Re: Son bypassed DNS. Can I force DNS on router/modem?

KamWest
I plan to stick around

Anything on a device level is not an option because of friends coming over with their chromebooks so I need to do it on a router level. I experimented with dd-wrt at work on an WRT1900ACS router and they have a little checkbox beside the DNS entry to enforce DNS and even if your device is set to use a different DNS it enforces the router version.

 

This is soooooo ideal and I could easily install this at home but I hate the idea of putting another device on my network when my Rogers modem is doing the job just fine. I have the coverage and everything, just very poor parental controls. The Rogers tech support said Rogers has a more configurable modem than the CODA-4582U but it is for their IPTV service and I don't have that. I asked and he said they would not give it to me even though it has stronger parental controls.

 

I think Rogers needs to give more attention to parental controls because it's one thing to give fast internet and another to make sure it is used securely while protecting the young.

 

Any more suggestions would certainly be appreciated.

Re: Son bypassed DNS. Can I force DNS on router/modem?

KamWest
I plan to stick around

Exactly what I am trying to do, maybe I overlooked it in one of your responses, I will re-read to see what the answer was.

Re: Son bypassed DNS. Can I force DNS on router/modem?


@KamWest wrote:

Anything on a device level is not an option because of friends coming over with their chromebooks so I need to do it on a router level.......

 

...... Any more suggestions would certainly be appreciated.


@KamWest the only change that I'm suggesting at the device level is for your son's Chromebook, which would:

 

1.  enforce your rights as the parent and device admin;

2.  allow you to change the chromebook's DNS to the router's DNS by leaving the Chromebook's DNS entry empty; and

3.  allow you to create a User account for your son to use on a day to day basis. 

 

Nothing else changes on your network, or in any other device. 

Re: Son bypassed DNS. Can I force DNS on router/modem?

HughR
I plan to stick around

I just noticed this thread so I'm a bit late.  I use my Rogers modem in bridge mode, so what I'm going to say is untested.

 

The modem ("gateway" would be a better term) can operate as a DNS server.  (In technical terms, a "recursive DNS server".)  This is described in the Hitron manual linked above (starting on page 77).

 

You need to set "DNS Obtain" to "manual".  You need to fill in "Proxy Hostname 1" and "Proxy Hostname 2" to OpenDNS's IP addresses (the field name suggests that a domain name would work, but I doubt that).

 

You should turn on the proxy server by setting "DNS Proxy Status" to "enabled".

 

Then just instruct the modem to block all outgoing traffic that is destined for UDP or TCP port 53 (as described in previous replies).

 

That should force everyone in your LAN to use the modem's DNS server.  It, in turn, will use OpenDNS.

 

This can not and will not stop DNS queries that go through a VPN.  Or through a non-traditional port.
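The two rule sets discussed in this thread, the OpenDNS "allow port 53 to OpenDNS, block port 53 to everything else" pair quoted in KamWest's post and HughR's gateway-as-DNS-proxy variant, modelled as a first-match firewall policy. This is an added example, not code from the thread, OpenDNS or Hitron; the gateway address, home subnet and sample flows are constructed, and the OpenDNS resolver addresses are the ones quoted above.

```python
"""First-match firewall policy evaluator for the DNS-enforcement rules in this thread."""
from ipaddress import ip_address, ip_network

OPENDNS = {"208.67.222.222", "208.67.220.220"}  # resolvers named in the quoted OpenDNS text
GATEWAY = "192.168.0.1"                          # assumed LAN address of the modem (constructed)
LAN = ip_network("192.168.0.0/24")               # assumed home subnet (constructed)


def matches(rule, pkt):
    """A rule is a dict of optional fields: proto (set), dport, src (network), dst (set of IPs)."""
    if "proto" in rule and pkt["proto"] not in rule["proto"]:
        return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    if "src" in rule and ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dst" in rule and pkt["dst"] not in rule["dst"]:
        return False
    return True


def decide(rules, pkt):
    """First matching rule wins; traffic no rule mentions is allowed (these are DNS-only policies)."""
    for action, rule in rules:
        if matches(rule, pkt):
            return action
    return "ALLOW"


# Policy 1: the quoted OpenDNS instructions. Order matters: the ALLOW must sit above the BLOCK,
# otherwise the catch-all BLOCK matches first and OpenDNS itself becomes unreachable.
OPENDNS_POLICY = [
    ("ALLOW", {"proto": {"tcp", "udp"}, "dport": 53, "dst": OPENDNS}),
    ("BLOCK", {"proto": {"tcp", "udp"}, "dport": 53}),
]

# Policy 2: HughR's variant. LAN clients may only talk DNS to the gateway's proxy; the gateway
# alone may forward to OpenDNS; every other port-53 flow is blocked.
PROXY_POLICY = [
    ("ALLOW", {"proto": {"tcp", "udp"}, "dport": 53, "src": LAN, "dst": {GATEWAY}}),
    ("ALLOW", {"proto": {"tcp", "udp"}, "dport": 53, "src": ip_network(GATEWAY + "/32"), "dst": OPENDNS}),
    ("BLOCK", {"proto": {"tcp", "udp"}, "dport": 53}),
]


def pkt(src, dst, dport, proto="udp"):
    """Build a constructed flow tuple for evaluation."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    # Constructed flows from a Chromebook at .20: Google DNS, OpenDNS, the gateway, and a
    # DNS-over-TLS flow on 853, which no port-53 rule sees (HughR's "non-traditional port" caveat).
    for name, policy in (("opendns", OPENDNS_POLICY), ("proxy", PROXY_POLICY)):
        for p in (pkt("192.168.0.20", "8.8.8.8", 53), pkt("192.168.0.20", "208.67.222.222", 53),
                  pkt("192.168.0.20", GATEWAY, 53), pkt("192.168.0.20", "8.8.8.8", 853, "tcp")):
            print(name, p["dst"], p["dport"], decide(policy, p))
```

Reversing the OpenDNS pair (`OPENDNS_POLICY[::-1]`) blocks OpenDNS too, which is the ordering mistake the quoted text warns about with "the first rule trumps the second".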

Re: Son bypassed DNS. Can I force DNS on router/modem?

KamWest
I plan to stick around

I follow all that @HughR except I cannot find where to set dns proxy to enabled.

 

Do you have that on your CODA-4582 modem?

Re: Son bypassed DNS. Can I force DNS on router/modem?

chomyn
I plan to stick around

@KamWest wrote:

Hello everyone

 

I have the CODA-4582U modem and am using open dns as a parental control for my kids. It works like a charm but my oldest boy has figured out how to bypass DNS on his chromebook and switched to google dns. Is there a way to make a rule of some sorts that enforces DNS on my coda modem. I could install a WRT router with DD-WRT and they have a setting to enforce dns but I prefer to not bridge my coda modem especially since I am using the new Rogers MyWifi app and I like some of the functionality in it. Most of the Rogers parental control are not as configurable as open dns so I really want to use that with a rule to enforce dns on the router level. Any ideas anyone?

 



This is possible, but it's a little bit complicated.  You can block Google's DNS from the router level by using Static IP Routing, effectively blocking Google's DNS 8.8.8.8 and 8.8.4.4, though he could keep changing to a different DNS or use Tor Browser.  It's a little bit technical, and requires some configuration through networking and policy settings.  You could have the DNS locked to his device so he's not allowed to change it.  Depends what hardware he is using and if there are restrictions in place to do so.  There are several software programs that are probably much easier to install and configure than trying to do it at the router level.
