Plusnet's failure to protect children from online porn

Studio_Two · ‎30-07-2007

Quote from: ReedRichards
I personally don't want my internet censored
BUT
You cannot get parental control software for all of these devices and if you know what you are doing it is easy to change the DNS server to avoid OpenDNS (and change it back again afterwards).

To be fair, the is always a way around something.
IMHO, OpenDNS is the simplest and most elegant solution (as this covers any device connected to your network without the need to install any additional client software). So, if a visitor connects to your network, they are also automatically protected - very useful for other children bringing laptops.
Taking this battle a step further, it is perfectly possible to BLOCK DNS requests to all other DNS Servers apart from OpenDNS. Therefore, if anybody changes their DNS settings to a different server (eg ISP or Google), the requests will fail. This should be done within the Router itself.
Regards,
Stephen

ReedRichards · ‎14-07-2009

Quote from: Studio_Two
it is perfectly possible to BLOCK DNS requests to all other DNS Servers apart from OpenDNS. Therefore, if anybody changes their DNS settings to a different server (eg ISP or Google), the requests will fail. This should be done within the Router itself.

Really? Care to elaborate? I thought I could completely bypass any router DNS settings by setting the DNS server on the device itself.

Anonymous · ‎26-04-2012

Certainly on my router's configuration it allows outgoing firewall rules to ALLOW or BLOCK different services (such as DNS=TCP/UDP-port#53), so it is trivial to ALLOW OpenDNS and BLOCK all other outgoing DNS requests.
Alternatively even the simplest router's have ALLOW (whitelist) and BLOCK (blacklist) on internet IP addresses, so you could manually configure a BLOCK a list of DNS addresses -
1) Plusnet DNS (212.159.13.49, 212.159.13.50, 212.159.6.9, 212.159.6.10)
2) Google DNS (8.8.8.8, 8.8.4.4),
3) Norton DNS (198.159.192.40, 198.159.194.40, 198.159.192.50, 198.159.194.50, 198.159.192.60, 198.159.194.60)
4) Level 3 DNS (4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6)
5) Ultra DNS (156.154.70.1, 156.154.71.1)
While there are a few other globally accessible DNSes beyond those listed, it wouldn't take much to add any others in the unlikely event your children worked out what was going on !.

VileReynard · ‎01-09-2007

Is this a simple consumer grade modem-router?

"In The Beginning Was The Word, And The Word Was Aardvark."

Anonymous · ‎26-04-2012

Netgear DG834GT - only £8 including postage from eBay !
My previous Linksys gateways had similar capability, although the user interface wasn't quite as friendly as the Netgear.

VileReynard · ‎01-09-2007

Indeed - my Netgear DG834G does the same, including switching blocking on according to a time schedule.
I'm not interested in it, so forgot about it.
I don't block any sites or ip addresses.
I have all outgoing services enabled at all times.
I also have Google set to return all results - not just the "safe" ones.
If you bowdlerise the internet, don't be surprised if your children can't deal with malware, financial scams and worse.

"In The Beginning Was The Word, And The Word Was Aardvark."

ReedRichards · ‎14-07-2009

Quote from: purleigh
.. on my router's configuration it allows outgoing firewall rules to ALLOW or BLOCK different services (such as DNS=TCP/UDP-port#53), so it is trivial to ALLOW OpenDNS and BLOCK all other outgoing DNS requests.

Sorry, you've lost me there Purleigh. On my Netgear router I can block or allow DNS=TCP/UDP-port#53 (and do either by schedule) but I don't see how that allows me to permit OpenDNS only.
I'm genuinely interested because I looked into OpenDNS for someone who was looking for parental controls but I concluded it was too easy to get around. If there is a way you can force a router to block any alternative DNS servers that would overcome the problem. But I suspect there are many more than just the ones you listed.

Anonymous · ‎27-04-2012

The FIRST rule you set ALLOWs port#53 access to the OpenDNS addresses -

Then the SECOND rule you set BLOCK (always or schedule) port#53 but leave the LAN and WAN addresses set to 'Any'

The ALLOWed should take precedence over BLOCKed addresses, but also the firewall rules are processed IN ORDER - so put the ALLOW rule before the BLOCKed rule.

If you don't like, or can't use nested/overlapping definitions I suppose you could always -
BLOCK port#53 for addresses 0.0.0.0 to 208.67.220.219
ALLOW port#53 for addresses 208.67.220.220 to 208.67.222.222
BLOCK port#53 for addresses 208.67.222.223 to 255.255.255.255

If you were really pedantic, you could specify individual addresses for the OpenDNS servers - rather than the range I used in my examples.

JamesK · ‎20-11-2009

Quote from: purleigh
Certainly on my router's configuration it allows outgoing firewall rules to ALLOW or BLOCK different services (such as DNS=TCP/UDP-port#53), so it is trivial to ALLOW OpenDNS and BLOCK all other outgoing DNS requests..........

I'm not sure that trivial is the right word! I'm an IT Consultant so for me it is trivial however my brother's a builder and I suspect if I started talking to him about blocking certain TCP ports he would not find it quite so trivial!
For most people I think the answer is a router that has proper support for parental controls. From memory I think that most of the recent Draytek's have this and in addition are excellent routers!
On the wider debate as a parent of a 3 & 6 year old I think it's ridiculous to suggest that the ISP should be responsible for filtering the connection. It's just another example of the government coming up with a policy which they think will be a vote winner however in reality makes no sense. The simple fact of the matter is it's down to the parents to educate their children regarding the dangers of the net and then enforce that with supervision when they have access to it. I don't plan to let either of mine on the internet without close supervision until I am confident they know what they are doing and even then it will be very strictly filtered access.
I say that every now and then parents should take responsibility for their offspring and not expect society to do it for them!

Anonymous · ‎27-04-2012

While I agree that as parents we should be educating the children to understand and avoid perceived dangers, but who is educating the parents ?
As I said previously, it apparently doesn't matter how carefully I filter the internet, or ensure that my children play age appropriate games, when 95% of their friends have unrestricted internet access in their bedrooms and have owned many 16+ or 18+ rated console games since they were seven years old.
Other children's parents see that "it is only a game", and "what harm can it do", but they wouldn't buy their kid a subscription to Playboy - which in my opinion would be far less harmful !
Apparently this makes me the ogre, as my sons friends don't want to visit our house because he only has 'babies' games, despite me allowing him 12+ rated games at age 11 - because in my opinion he is mature for his age. Some parents have also taken offense when they have arranged for their child (aged ten) to have a gaming party with all his friends, to play a selection of adult rated console games, and I have queried whether games that feature graphic mutilation, rape by prison guards, and explicit sexual scenes, would be appropriate for children to see - let alone play !
I really don't know what the answer is, because I have very little influence over where the biggest problems occur - i.e. away from home.
Filtering what YOUR children access on the internet IS trivial - compared with the enormity of what you can't control !

JamesK · ‎20-11-2009

Quote from: purleigh
While I agree that as parents we should be educating the children to understand and avoid perceived dangers, but who is educating the parents ?

Well I guess that would be the government, however telling parents that they have to take responsibility for something is not a vote winner and why bother when you have a perfectly good scapegoat in the form of ISP's? Fact is it's cheaper and easier to blame the ISP's and the technology rather then actually dealing with the problem.

Studio_Two · ‎30-07-2007

Quote from: ReedRichards
Sorry, you've lost me there Purleigh. On my Netgear router I can block or allow DNS=TCP/UDP-port#53 (and do either by schedule) but I don't see how that allows me to permit OpenDNS only.

I think some Netgear routers implement a "DNS Proxy" whereby the Router performs all of the DNS lookups on behalf of the clients. The clients never actually contact an external dns server in this type of setup. I'm happy to be corrected on this - not all Netgear routers do this.
Can you confirm within your client computer ip settings (ipconfig /all) whether or not DNS is set to the address of the netgear router (as opposed to the address of an external dns server)?
If this is the case, you should be able to completely block DNS lookups for everything apart from the router (192.168.0.1).
Could you give the make / model of your router?

Regards,
Stephen

Anonymous · ‎27-04-2012

I think primary schools should have mandatory child safety lessons for parents, which could cover the relevant aspects of using the internet, gaming, chat-rooms, mobile phone usage, and bullying.
Our local primary school already does a teach the parent's how to do maths lesson, as current teaching is significantly different from the way parents learnt to do math.
That way, only the relevant people need educating - i.e. the parents.
Because all the parents would have had the same information, then hopefully it would reduce the peer pressure to play games or access websites beyond the child age.
It would also have the effect of creating or identifying the local experts, who would be willing to help out those parents for whom router port blocking is not trivial !
Maybe there needs to be a class on how to secure your technology in your home ?

Anonymous · ‎27-04-2012

@Studio_Two
I appreciate the question that you are asking me, but if I were to answer with what my network actually does, as opposed to the suggested solutions that I have posted so far, then this thread would go way off topic as I use separate subnet for my children, I have multiple home-built caching DNS servers some with filtering others without, I have a guest network that has limited network access and internet filtering, some parts use OpenDNS filtering others don't, some use the Netgear DNS proxy and others don't, and four wireless networks with different channels SSIDs and connectivity.
Even if the answer to your question, did or did not prove your point, that would only be relevant to my router model and firmware revision.
The general point about router firewall DNS filtering is going to be subtly different for every customers device - and therefore people need to read their own router's handbook to find out how to do it, albeit that seeing an example implemented on another device may assist with the understanding of what is trying to be achieved.
For most people, just setting their router to use OpenDNS, then set up the OpenDNS filters, and finally remove admin privileges from your children's login, should be enough to secure the majority of connections.

VileReynard · ‎01-09-2007

So does OpenDNS not provide a proper DNS service?
Do they pick and choose which are the "good" sites and hide the "bad" sites?
I don't want any of that!