I admit I was skeptical about the free “Adult Site Blocking” offered by OpenDNS. I’ve seen too many “free” filters that in the end were worth what I paid for them. But we’ve been using the OpenDNS Adult Site Blocking for about two weeks in our house, and I’m can now say I’m a fan.
The installation is very simple. You follow the instructions outlined on the OpenDNS website to change the DNS settings on your computer: (You can also do this for your home router)
Then you need to create an account at OpenDNS and configure your blocking. You have a small number of categories to choose from. That’s basically it for installation. What’s really impressive about OpenDNS filtering is the speed. I didn’t notice any difference at all in Internet access. That’s because OpenDNS relies on filtering at the Domain Name Server (DNS) , rather than on your computer.
Next I decided to test the filtering to see how effective it was. I configured OpenDNS as shown to block only Pornography and Sexuality sites.
I then used Google, Yahoo! and Live to put together several searches for pornographic material, and after removing dead links, generated a sample of 100. OpenDNS only missed four of those sites for an underblocking rating of 96% — among the highest scores I’ve seen in my collection of filter effectiveness tests. I then tried a sample of 25 sexual education and lingerie sites, and found none of them were blocked by OpenDNS. After two weeks of use by everyone in my family, so far we haven’t encountered a wrongly blocked site. The high-quality filtering is provided by St. Bernard, which has been in the filtering business for about 10 years, and it shows.
I tried to get around the filter by using an unfiltered Google image search. OpenDNS let me enter “porn” into Google images, and brought up a screen full of porn thumbnail images. So it’s crucial that your children use search engines that have you have preconfigured to filter adult content in addition to using OpenDNS for it to be really effective.
Another downside to OpenDNS is its vulnerability to more knowlegable users, as CNET’s Michael Horowitz points out:
The bad news here is that I can’t see how this blocking can be enforced. A knowledgeable computer user can simply change the DNS servers used by the operating system.
Remember how easy it was to set up? A computer savvy teen can undo it just as easily, so if your child is a teenager, you either want a more robust solution or to buy some more tools to look down your browser and operating system.
Update: Most home routers allow you to set OpenDNS in your router, which you can password protect. OpenDNS describes this here.
Pros:
- Zero footprint, zero latency! This is huge, as most other home filters slow down both your Internet connection speed as well as your operating system’s response time. Not with OpenDNS.
- Institutional grade, granular filtering. The adult site filtering from St. Bernard is first rate, blocking 96 out of 100 porn sites I tried, while allowing lingerie and sexual health information.
- No updates necessary. A big problem with many home filters is they require updates to the filtering list. By putting the filtering in the DNS server, this isn’t a problem.
- Free reporting.
- Extremely simple setup and no maintenance.
Cons:
- Only protects from sexual/violent content the web. If your child uses e-mail, IM, social networking sites, etc. You’ll need other products in conjunction with OpenDNS.
- No search engine filtering. You will have to enable this separately, or buy another product.
- Limited reporting functionality. While OpenDNS will record blocked site violations, you don’t get much more functionality than that.
- Fairly easy to disable by a knowledgeable user.
Verdict:
For the home user who wants to block out adult-oriented sites, this is a great product. Fast, high-quality filtering that’s always up-to-date on your computer with no latency and simple installation, and it costs nothing. But if you want to block more than just explicit sites , set time limits, filter e-mail, IM, etc., you will need to use other products in conjunction with OpenDNS.
Update: For another blog review from Speed of Creativity, go here.
Filed under: Filtering, Filtering Companies, Internet Safety, Research
Thanks for sharing this thorough review. To address the limitation you cite “Fairly easy to disable by a knowledgeable user” I would recommend that people configure this on their home router, and use a secure password for their router settings. While it is true a child could reset the router to factory settings and bypass the DNS configuration, that is a more major configuration change than just altering computer DNS settings. The fact that search engine results are not filtered is important to note, but it is possible to enable “safe search” on Google which does improve the appropriateness of search results quite a bit from what I’ve seen.
Good point on the Router settings. I updated the post to reflect that, thanks.
What a thorough writeup! Thanks.
One note: both Windows and Mac allow you to control who can set / change DNS. So, while it’s not that hard to change DNS, it’s quite easy to prevent DNS from being changed. Just deny admin access to the account in question.
Nothing is foolproof, of course. You can also check the stats (if you enable them), and if no requests are made by the other party, then they were using another DNS… which might be an indication of something to watch!
Could you be more specific about how you felt the reporting was limited? We’re always looking to improve.
John Roberts
OpenDNS
John,
Thanks for your input. By reporting I mean the kind of sophisticated reporting you see in enterprise products where you can drill down by user, time, category, etc. and slice/ dice the data, make charts, export to excel. Etc. What you have is probably fine for most parents, though.
[...] OpenDNS expands to include more filtering options Still impressed 2 months later after first trying OpenDNS. My whole family has been using it, and we’ve yet to encounter an overblock, or an underblock (except in my initial testing). My Jan. 1 review is here. [...]
DNS-settings in the router are as secure as PC-settings. If you can change the PC-settings you don’t use the router for DNS.
Nor is the child doesnt have router password!
I think you should definitely look into K9 Web Protection it is free and is seriously really good and parental control…http://www1.k9webprotection.com/ ….. do a google search for it so you can read reviews of what other people thing about it. The real only downside to K9 web protection is that you can do it through your router..but if its installed in every computer you should be set and its password protected..like i said google search it and im sure soon you’ll be bloging about it.
Beware that OPEN DNS is so powerful you will not be able to recall old emails that may have ads, etc. on them….
[...] Burt posted a good review and setup here. Share and [...]
If your users are sophisticated they can configure their own DNS servers. The router will forward this traffic unless told to block it.
DD-WRT users have an easy option. They can use IPTABLES to intercept DNS queries and force these to the DNS server you want. See below (quoted from http://www.dd-wrt.com/wiki/index.php/OpenDNS):
1. Go to the Commands tab under Administration.
2. In the Commands box paste the following:
iptables -t nat -A PREROUTING -p udp -i br0 –dport 53 -j DNAT –to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 –dport 53 -j DNAT –to $(nvram get lan_ipaddr)
1. Click Save Firewall (note: your WAN interface will be restarted)
My fellow on Orkut shared this link with me and I’m not dissapointed that I came to your blog.
Hi,
It appears that Open DNS now have more options to block other websites sucha s IM and Socail networks as well us custom site blocking and exception.
Windows tip: don’t let your home users run as admins.
1) in Windows XP non-admins aren’t allowed to change network settings and
2) it limits what can be installed/altered thereby minimizing the malware infections.
I am the admin for my home network and for my day to day use I NEVER run as admin!
Thanks for the concise review!
In XP and older…
=> Set up a Limited User Account (LUA) for the kids.
In Vista and newer…
=> Set up a Standard User Account (SUA), and enable Parental Mode. This uses a simplified software restriction policy that is specific for child PC users. (Restrict them to only applications that YOU allow to run!)
Both LUA and SUA are restricted accounts that prevent users from changing system settings. In this case, you can’t mess with the network settings.
Youre really thankful for this post, Ive been really enjoying checking up your posts from time to time. Looking forward to see your future posts
You can always set a firewall rule in your routers firewall to block dns from your local LAN to the Internet but allow dns queries to your router. The other option is to deny dns traffic to the Internet except to the opendns ips. Now it’s impossible to bypass.