Here's a guide to configure OpenWRT to use OpenDNS to block much (but not all) objectionable web content. OpenDNS replaces your ISP's DNS servers to redirect any web requests not suitable for children, such as adult content, porn, gambling, etc. It won't block *all* objectionable content as it works on a domain level, but its domain database seems to be actively maintained.
The advantage of using OpenDNS vs. a local content filtering application (such as SquidGuard, Privoxy, or DansGuardian) is that it doesn't require many resources on your OpenWRT device, works for any computer on your LAN, and provides high performance.
This guide assumes that:
a) You have created an OpenDNS Basic account and configured the content filtering rules for your IP address
b) You have also created an account on DNS-O-Matic and configured your OpenDNS account there (this step is only required if you have a dynamic IP address; see below)
c) dnsmasq is running on your OpenWRT device for your LAN
Here's the configuration:
1) Configure OpenWRT to use the OpenDNS servers for DNS lookups:
<quote>
Go to LuCI
Click Network
Click Interfaces
Click wan
Set DNS-Server = 208.67.222.222 and 208.67.220.220
</quote>
2) Add a firewall rule to block DNS requests from the LAN. This will prevent a user from manually overriding the DNS settings on their local computer:
<quote>
Go to LuCI
Click Network
Click Firewall
Under Rules, click Add
Set the following:
- Name = “Block DNS from LAN to WAN”
- Source Zone = lan
- Protocol = TCP+UDP
- Destination Port = 53
- Action = Reject
- Destination Zone = wan
</quote>
3) If you have a dynamic IP address, then also configure the Dynamic DNS client. OpenDNS uses your public IP address to match DNS requests from your LAN with your OpenDNS content filtering rules. (Note that the Dynamic DNS client for OpenWRT does not support SSL encryption out of the box, so your DNS-O-Matic password will be sent in cleartext. DNS-O-Matic is used because OpenDNS requires SSL connections for IP address updates, whereas DNS-O-Matic does not.)
a) Install the Dynamic DNS Client:
<quote>
Go to LuCI
Click System
Click Software
Click "Update package lists"
Click Install next to "luci-app-ddns"
Reboot
</quote>
b) Next, configure the Dynamic DNS Client to send your IP address to OpenDNS:
<quote>
Go to LuCI
Click Services
Click Dynamic DNS
Set the following:
- Enable = Checked
- Service = “Custom”
- Custom update-URL = https://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=[DOMAIN]&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG
- Hostname = [your OpenDNS Network name]
- Username = [your DNS-O-Matic username]
- Password = [your DNS-O-Matic password]
- Source of IP Address = “URL”
- URL = “”
- Check for changed IP every = 10
- Check-time unit = min
- Force update every = 72
- Force-time unit = h
</quote>
(Last edited by languagegame on 18 Mar 2013, 03:59)
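A way to confirm that steps 1 and 2 took effect, run from a LAN client with `dig` installed (an added example, not part of the original post). It assumes 8.8.8.8 as a stand-in for any resolver other than the router, and relies on OpenDNS's diagnostic name debug.opendns.com, which the post does not mention.

```shell
#!/bin/sh
# Added example (not from the original post). Run on a LAN client that has dig.
# 8.8.8.8 is an assumed stand-in for "any resolver other than the router".

# Step 2 check: query an outside resolver directly and print dig's exit status.
# A non-zero status (9 = no reply) is what the Reject rule should cause.
direct_query_status() {
    dig +time=3 +tries=1 +short @"$1" example.com A >/dev/null 2>&1
    echo $?
}

# Step 1 check: OpenDNS answers TXT queries for debug.opendns.com with
# diagnostic records; a resolver that is not OpenDNS returns no answer.
opendns_debug_txt() {
    dig +time=3 +tries=1 +short debug.opendns.com TXT 2>/dev/null
}

# Combine both observations into one verdict line.
#   $1 = exit status of the direct query, $2 = TXT answer text (may be empty)
verdict() {
    status=$1
    txt=$2
    if [ "$status" -eq 0 ]; then
        echo "FAIL: direct DNS to WAN was answered, firewall rule not effective"
    elif [ -z "$txt" ]; then
        echo "FAIL: default resolver is not forwarding to OpenDNS"
    else
        echo "OK: direct DNS blocked and lookups go through OpenDNS"
    fi
}

# Live run only when asked:  CHECK_LIVE=1 sh check-dns.sh
if [ -n "${CHECK_LIVE:-}" ]; then
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; exit 2; }
    verdict "$(direct_query_status 8.8.8.8)" "$(opendns_debug_txt)"
fi
```

Run it once before adding the firewall rule and once after; only the second run should report OK.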