OpenWrt Forum Archive

Topic: Save the Children! Using OpenDNS for Free Content Filtering

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Here's a guide to configure OpenWRT to use OpenDNS to block much (but not all) objectionable web content.  OpenDNS replaces your ISP's DNS servers to redirect any web requests not suitable for children, such as adult content, porn, gambling, etc.  It won't block *all* objectionable content as it works on a domain level, but its domain database seems to be actively maintained.

The advantage of using OpenDNS vs. a local content filtering application (such as SquidGuard, Privoxy, or DansGuardian) is that it doesn't require many resources on your OpenWRT device, works for any computer on your LAN, and provides high performance.

This guide assumes that:
a) You have created an OpenDNS Basic account and configured the content filtering rules for your IP address
b) You have also created an account on DNS-O-Matic and configured your OpenDNS account there (this step is only required if you have a dynamic IP address; see below)
c) dnsmasq is running on your OpenWRT device for your LAN

Here's the configuration:

1) Configure OpenWRT to use the OpenDNS servers for DNS lookups:
<quote>
Go to LuCI
Click Network
Click Interfaces
Click wan
Set DNS-Server = 208.67.222.222 and 208.67.220.220
</quote>

2) Add a firewall rule to block DNS requests from the LAN.  This will prevent a user from manually overriding the DNS settings on their local computer:
<quote>
Go to LuCI
Click Network
Click Firewall
Under Rules, click Add
Set the following:
- Name = “Block DNS from LAN to WAN”
- Source Zone = lan
- Protocol = TCP+UDP
- Destination Port = 53
- Action= Reject
- Destination Zone = wan
</quote>

3) If you have a dynamic IP address, then also configure the Dynamic DNS client.  Your public IP address is used by OpenDNS to match any DNS requests from your LAN with your OpenDNS content filtering rules.  (Note that the Dynamic DNS client for OpenWRT does not support SSL encryption out of the box, so your DNS-O-Matic password will be sent in cleartext.  DNS-O-Matic is used as OpenDNS requires SSL connections for IP address updates, whereas DNS-O-Matic does not).

a) Install the Dynamic DNS Client:
<quote>
Go to LuCI
Click System
Click Software
Click "Update package lists"
Click Install next to "luci-app-ddns"
Reboot
</quote>

b) Next, configure the Dynamic DNS Client to send your IP address to OpenDNS:
<quote>
Go to LuCI
Click Services
Click Dynamic DNS
Set the following:
- Enable = Checked
- Service = “Custom”
- Custom update-URL = https://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=[DOMAIN]&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG
- Hostname = [your OpenDNS Network name]
- Username = [your DNS-O-Matic username]
- Password = [your DNS-O-Matic password]
- Source of IP Address = “URL”
- URL = “”
- Check for changed IP every = 10
- Check-time unit = min
- Force update every = 72
- Force-time unit = h
</quote>

(Last edited by languagegame on 18 Mar 2013, 03:59)

Dnsomatic works with https also so probably you should use:

https://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=[DOMAIN]&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG

as Custom update url.

(Last edited by Boydon on 12 Aug 2011, 18:57)

In case any other noobs come across this, you have to uncheck the "Use DNS servers advertised by peer" setting under WAN > Advanced before you can set DNS servers for the WAN to use.

To be honest, this doesn't make a ton of sense to me. If I leave that setting checked, shouldn't it use the DNS servers I set up for the LAN? It doesn't seem to...

(Last edited by davidkennedy85 on 22 Oct 2012, 20:36)

Adding this to /etc/dnsmasq.conf worked for me:

no-resolv
server=208.67.222.222
server=208.67.220.220
server=208.67.222.220
server=208.67.220.222

no-resolv forces users to use the DNS servers listed here.

Boydon wrote:

Dnsomatic works with https also so probably you should use:

https://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=[DOMAIN]&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG

as Custom update url.

You can do that without specifying something like

option use_https '1'
option cacert    '/etc/ssl/certs'

in /etc/config/ddns and/or installing ca-certificates (cf. this)?

I use this custom url to update my IP to OpenDNS for filtering

https://[USERNAME]:[PASSWORD]@updates.opendns.com/nic/update?hostname=[DOMAIN]

DNS-O-Matic is somewhat problematic for me and always throws an error like !yours or !allowed.
Updating my IP directly to OpenDNS works like a charm and replies with good <your IP here>.
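Putting the thread together: the script below is an added example, not code from any post in this thread. It applies the guide's three steps with uci instead of the LuCI clicks, folds in the corrections made later in the thread (peerdns off on wan, the dnsmasq no-resolv/server lines, use_https and cacert for the DDNS client) and checks the reply a dyndns2-style update returns, which is where the !yours and good <IP> lines in the last post come from. It assumes OpenWrt with uci, dnsmasq, the fw3 firewall and ddns-scripts, a WAN interface named wan, and the ddns option names of the ddns-scripts of that era (newer versions add required options such as lookup_host). The section name opendns, the DDNS_USER/DDNS_PASS/DDNS_HOST variables, the myip.dnsomatic.com lookup URL and the nslookup -type check are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original thread: apply the guide via uci.
# Assumes: OpenWrt with uci, dnsmasq, fw3 firewall, ddns-scripts; WAN
# interface named "wan". Section name "opendns", the DDNS_* variables and
# the ip_url are assumptions made here.
# Run as root on the router:  sh opendns-setup.sh apply
# With no argument the script only defines its functions.

OPENDNS_SERVERS="208.67.222.222 208.67.220.220"

# Step 1: static resolvers on wan. peerdns=0 is the uci form of unticking
# "Use DNS servers advertised by peer"; with it left on, the ISP's servers win.
configure_wan_dns() {
    uci set network.wan.peerdns='0'
    uci -q delete network.wan.dns
    for s in $OPENDNS_SERVERS; do
        uci add_list network.wan.dns="$s"
    done
    # dnsmasq: answer only from these servers, never from /etc/resolv.conf
    # (uci equivalent of the no-resolv / server= lines posted in the thread)
    uci set dhcp.@dnsmasq[0].noresolv='1'
    uci -q delete dhcp.@dnsmasq[0].server
    for s in $OPENDNS_SERVERS; do
        uci add_list dhcp.@dnsmasq[0].server="$s"
    done
    uci commit network
    uci commit dhcp
}

# Step 2: reject DNS from the lan zone to the wan zone. The router's own
# forwarder is unaffected because its queries originate from the router,
# not from a lan host; a client with a hand-set resolver gets a refusal.
configure_dns_lockdown() {
    uci add firewall rule >/dev/null
    uci set firewall.@rule[-1].name='Block DNS from LAN to WAN'
    uci set firewall.@rule[-1].src='lan'
    uci set firewall.@rule[-1].dest='wan'
    uci set firewall.@rule[-1].proto='tcpudp'
    uci set firewall.@rule[-1].dest_port='53'
    uci set firewall.@rule[-1].target='REJECT'
    uci commit firewall
}

# Step 3: ddns-scripts "custom" provider: no service_name, the update_url
# from the guide, HTTPS on with a CA path so the credentials embedded in the
# URL are not sent in cleartext (the use_https/cacert options from the thread).
configure_ddns() {
    uci set ddns.opendns=service
    uci set ddns.opendns.enabled='1'
    uci set ddns.opendns.update_url='https://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=[DOMAIN]&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG'
    uci set ddns.opendns.domain="$DDNS_HOST"      # your OpenDNS network name
    uci set ddns.opendns.username="$DDNS_USER"
    uci set ddns.opendns.password="$DDNS_PASS"
    uci set ddns.opendns.ip_source='web'
    uci set ddns.opendns.ip_url='https://myip.dnsomatic.com'   # assumed endpoint
    uci set ddns.opendns.use_https='1'
    uci set ddns.opendns.cacert='/etc/ssl/certs'
    uci set ddns.opendns.check_interval='10'
    uci set ddns.opendns.check_unit='minutes'
    uci set ddns.opendns.force_interval='72'
    uci set ddns.opendns.force_unit='hours'
    uci commit ddns
}

# The update replies in dyndns2 style: "good <ip>" (updated), "nochg <ip>"
# (already current), or a bare error code such as badauth, nohost, !yours
# (hostname does not belong to this account), abuse, 911. Accept only
# good/nochg, and only when the IP echoed back is the one we meant to register.
# Usage: ddns_reply_ok "<reply line>" "<expected ip>"
ddns_reply_ok() {
    expected=$2
    set -- $1                        # split the reply into code and ip
    case "$1" in
        good|nochg) [ "$2" = "$expected" ] ;;
        *) return 1 ;;
    esac
}

# Run from a LAN client after applying: the TXT record at debug.opendns.com
# is answered by OpenDNS resolvers, so a "server" line shows the lookup went
# through them; "nslookup example.org 8.8.8.8" should then fail because the
# firewall rule refuses the direct query. Assumes a BusyBox nslookup that
# accepts -type (otherwise install bind-dig and use dig).
check_using_opendns() {
    nslookup -type=txt debug.opendns.com 2>/dev/null | grep -q 'server'
}

if [ "$1" = "apply" ]; then
    configure_wan_dns
    configure_dns_lockdown
    configure_ddns
    /etc/init.d/network reload
    /etc/init.d/dnsmasq restart
    /etc/init.d/firewall restart
    /etc/init.d/ddns restart
fi
```

After `apply`, read `logread -e ddns` for the update reply and feed it to `ddns_reply_ok` together with the WAN address: a `good` or `nochg` with a different IP means DNS-O-Matic registered an address other than the one your LAN queries come from, and OpenDNS will not match your filtering rules to it.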
