Saturday, November 22, 2008

Internet filtering using Linksys routers, Tomato firmware, OpenDNS and FreeDNS

I recently had the opportunity to help out a friend who had some very specific requirements for a home LAN which they were in the process of connecting to the Internet via a cable modem. They wanted to have some restrictions and controls in place to block those nefarious and family-unfriendly web sites, as well as giving different degrees of access to different machines in the home based on things like time of day. After investigating several options for hardware and software, I was pretty happy with the results and thought I would share some of this information.

The Hardware




Linksys have made variations of their WRT54G line of internet routers since 2002. These amazing little devices have a wonderful reputation for their flexibility, stability and low cost. We're talking here about a $45-$65 consumer-level electronics item that is capable of running free software which bestows upon it many capabilities normally associated with systems costing at least 10 times the price. It is also nice to see that the specs on these quiet and power-sipping routers resemble those of circa 1998 PC (266Mhz, 16Mb Ram). Bonus points for being green!

Unfortunately, as with many things in life, Linksys decided to trim back their cost to build these little gems. So hardware revisions 5 and later of the mainstream WRT54G line do not have sufficient memory to support our main requirement: the loading of 3rd party firmware/software. The good news is that Linksys have gone on to provide enthusiasts with a router that does supply enough memory for this purpose, the WRT54GL. The current 1.1 revision of this router has a 200MHz CPU, 16Mb of ram and 4Mb of flash memory. I would, of course, like more memory (prior revisions of the 54G's had double that), but this is enough for most configurations that use alternative software. For those who are hardcore and want the very best, the well endowed 54G/GS models  can still be found out there on e-bay. Just be sure to check exact compatibility of your hardware version to the software you intend to run.

The Software




There are many choices for what software to run on these routers. Some of the more popular ones are DD-WRT, OpenWRT and Tomato. In this case, I chose Tomato for several reasons including:
  • a clean user interface: nicely done layout, vector-based graphs
  • many advanced options and functions are made accessible via the user interface
  • it has been stable and problem free for me for years. Current uptime as I write this: 120 days
  • its well maintained: I still get new releases every few months
By default, Tomato gives you not just one, but two configurable trigger actions that can be fired off whenever your service provider assigns you a different IP address. This came in very handy for the purposes of this specific installation, as you will see below.

The Services

The two services I set up to be notified when the IP address is changed are OpenDNS and FreeDNS. They each provide a different benefit.

FreeDNS provides a zero-cost dynamic DNS service. For those who may not recognize what that is, it lets you refer to your router by name (instead of by numeric IP address) from anywhere on the Internet. When leaving your home for vacation or work, you may be in the habit of making a note of the IP address of your router so it can be reached from the remote location. This is actually a bit of a gamble because what if the IP address is reassigned after you've left? Good luck finding your router now! FreeDNS will give you a fixed host name (something like myrouter.freedns.org) which automatically reflects the last IP address registered by your router. Updates are instant and the price is free, can't beat that. This is very convenient, and may save more than a few PostIT notes with out of date IP addresses scribbled on them. It also opens up possibility for hosting your own Internet services to the world from a server in your home. And if you happen to own your own domain, i.e. "mypersonaldomain.com" it is trivial to set up a CNAME record that then becomes a synonym to the assigned FreeDNS name (aka "myrouterathome.mypersonaldomain.com" is then a synonym for "myrouter.freedns.org"). This gives you another layer of flexibility, so that your selection of dynamic DNS providers can be changed in the future, but your personally assigned host name can remain constant. Think of it as a phone number you own, but that you forward to your actual number which can change at anytime for any reason.

OpenDNS on the other hand is a bit different. First, an analogy. When your cell phone company sells you service, it often includes some form of voice mail system. For most people, that default voice mail service is free and adequate. But what if you had the option to get a more feature rich voice mail system from a source other than your phone company (I actually do this using PhoneTag-highly recommended. Ask me for a referral code if you want to get a discount or to try them out)? Some people wouldn't bother with this since it would probably involve typing some codes into the phone and setting things up, but others might find that option very useful, whether it be for the enhanced features they would receive, or the flexibility it affords ("hey, now I could switch cell phone providers and still keep my same voice mail and its messages!"). This is called "unbundling" and it is not usually something that your incumbent service providers will promote or even tell you about, but often they are forced at some basic level to support it, usually due to regulatory demands.

DNS service is just like that voice mail service: it is a built in feature that every Internet service provider will include, but you have the liberty to use another provider if you want to, and often there is some other advantage to be gained in doing so. The primary function of DNS service is simply to translate a name like yahoo.com into a numeric address like 123.234.56.78. So you may ask what would be the point of having another company do this mundane thing for you? The answer is that OpenDNS manipulates the responses to these lookups in ways that reflect your personally selected preferences and add value.

One of these value-add features is their anti-phishing mechanism, which will send your users to a warning page instead of to the deceptive "phishing" forms posted by criminals seeking to collect your personal information. I am aware that some of the more recent web browsers also advertise that they include this kind of functionality, but as a matter of design, there are better ways to solve that problem. First, why should your PC (or "each of your PCs" if you have multiple) spend time and disk space tracking an ever changing list of phishing sites and vetting every page that you try to visit? I don't know about you, but my computers are already slow enough that I don't want to make them each do more work. If someone else like OpenDNS is offering to proactively do this for me instead, I'll gladly let them deal with that overhead. Offloading this task to them also benefits any web browsers or other Internet software running on your PC which do not yet have anti-phishing support built into them. When these programs look up the address for badguy.com, today they get no protection. But if that lookup is going through OpenDNS, they're automatically covered.

Another big plus for OpenDNS is categorical blocking of sites by content type. Call it parental controls or whatever you want, but many of us never want to see the seedy sides of the Internet. This service goes a very long way towards removing the likelihood of that happening. It also gives you an opportunity (in the OpenDNS account console they provide) to enter in a list of specific sites that you always want blocked. This is above and beyond the blocking they do based on your selection of broadly defined categories. Some of their broad categories include items like:
  • Adult Themes
  • Adware
  • Dating
  • File storage
  • Forums/Message boards
  • Gambling
  • Games
  • Hate/Discrimination
  • Lingerie/Bikini
  • Movies
  • Music
  • P2P/File sharing
  • Pornography
  • Proxy/Anonymizer
  • Sexuality
  • Tasteless
  • Television
  • Weapons
  • several others...
Getting the benefit out of this blocking feature is a bit more work, but its not complicated at all. You must sign up for a free account with OpenDNS, select your blocking categories and configure a method by which your network is identified to them (explanation below). You must also enter in any sites or URLs that you specifically want to have blocked, if that is desired. However, those screens are easy to use and follow. And since the administration of all this is centralized through the OpenDNS console, it is easy to maintain and monitor. Even attempts to access blocked sites and categories are logged and reported, so you can see a ticker that counts the number of times lil Johnny tried to visit www.bad-site-that-parents-said-not-to-visit.com!

The "configure a method by which your network is identified " step is where Tomato's second IP address updater comes into play. The router sees every IP address reassignment automatically, and so it can very efficiently inform OpenDNS of this change within seconds. I am aware that OpenDNS does provide a software "updater" for you that runs on your PC which sort of works, but for detailed reasons I won't go into here, let's just say that isn't really a great solution (depends on a running PC, updates lag after IP reassignment, wastes PC resources by running and polling blindly, etc. all of which leave you burdened with running MORE software on PCs and being un/under-protected for periods of time).

Future direction, final words

In my estimation, OpenDNS is the biggest news here. The nice thing is that you probably don't even have to run Tomato or have a special router to use it, although it is helpful if you do.

As nice as OpenDNS is (I may yet find that their controls alone are sufficient), I am still looking for a way to run a whitelisting proxy for certain PCs in the home. I know this is simple enough to do on a full PC running some form of unix and a proxy package like squid, but that seems like overkill. Ideally, I'd like a very simple, non-caching, whitelist proxy running ON the router and not on a separate PC. I'm looking into options like Privoxy, TinyProxy, Polipo and DansGuardian. Any success stories from router gurus out there would be appreciated.

I hope this is helpful to you if you've been looking for a good way to manage Internet connectivity in the home. There are always little ways that kids can find around measures we take, but this is a good general solution that works for a large set of the problems faced by concerned parents.

-mc

No comments: