
Airport Extreme + openDNS

OpenDNS on the Airport Extreme can be bypassed by entering a different DNS on a computer's network preferences pane, as long as that user has administrator rights. Can anyone tell me if I can force all machines on my network to use the Airport's OpenDNS settings?

MacBook Air, Mac OS X (10.6.6)

Posted on Mar 12, 2011 4:14 AM

Question marked as Best reply

Posted on Mar 12, 2011 2:07 PM

Hello itgas. Welcome to the Apple Discussions!

The local DNS setting on the computer will always override the DNS settings on the router providing DHCP services. In turn, the router's DNS settings will override the ISP DHCP services.

To "force" DNS IP addresses would require that you configure all network clients with their DHCP client service disabled and use static IP addresses instead.

Mar 14, 2011 8:54 PM in response to itgas

What I'm trying to set up is content filtering at a router level that network users cannot bypass.


Unfortunately, the AirPorts don't support content filtering. You will need to rely on other vendor products that do if this is important to you. For example, my Cisco RVS4000 provides support for restricting both whole domains and/or specific websites.

Jun 4, 2014 11:33 PM in response to Corradofromqc

Here is how I solved this problem, maybe this will help you:


(1) I wanted to continue to use the Airport Extreme and all its integration features (with Mavericks/Server and Radius/Open Directory and iPhones/iPads/AirPlay for example).


(2) I wanted to make sure that no matter what the clients put for their preferred DNS, when going out to the internet their DNS IP addresses were replaced and forced into the OpenDNS servers' DNS, without the user even realizing the replacement was taking place.


(3) I wanted to use OpenDNS to filter what types of sites clients could go to


Here's what I did ...

(A) I placed an additional router between the Internet and the Airport Extreme. This router would cause double NAT for the Airport Extreme ... intentionally ... (and you can set the Airport Extreme to ignore this warning so the green light comes back, and it otherwise has no ill effect on the functionality of the Airport Extreme and its clients)


(B) This router is really an old access point, a Linksys E4200 that I flashed the firmware with an openware firmware called DD-WRT (search Google for this and you'll see lots of old access points supported by this firmware, and you can find these old access points for dirt cheap used)


(C) Followed instructions for setting up OpenDNS to be automatically updated by the router, and most importantly added the following two lines to the firewall rules, to replace all outgoing DNS requests with the replacement IP addresses of OpenDNS

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


---

All this is documented very well if you search for DD-WRT and OpenDNS in Google - especially, there is a single page on the DD-WRT site with a how-to for this integration.


Now all DNS requests on my network are forced through OpenDNS and taking advantage of all the filtering and auto-replacement features of OpenDNS ...


Caveat: the user could still do this to bypass the OpenDNS resolution ... search the net for a name resolution site, type in the DNS they want to go to, and write the IP address into their network host file on their computer (etc folder) to go to the site without needing DNS to get there.


But for what I need - the avoidance of phishing, and casually block all the content I don't want them to use, this works for me ... if I were worried about this more, I could set the E4200 to log all IP traffic to a computer, and search the domains visited or amounts of data moving around ... but this level of supervision is not needed for my purposes.


Hope this helps save you some time in figuring out what to do ... good luck
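
Added example (not part of the original post or of DD-WRT): each of the two iptables rules above matches a single protocol, so DNS over the other protocol is not redirected if one rule is missing. The check below reads a NAT rule listing in `iptables -t nat -S PREROUTING` format and reports which protocol lacks the port 53 redirect. The function name, the sample listings and the 192.168.1.1 router address are assumptions made for illustration.

```shell
#!/bin/sh
# missing_dns_redirects RULES IFACE ROUTER_IP
# RULES is text in rule-spec format (as printed by `iptables -t nat -S PREROUTING`
# on iptables versions that support -S). Prints "udp" and/or "tcp" for each
# protocol that has no port-53 DNAT rule to ROUTER_IP on IFACE; prints nothing
# when both redirects are present.
missing_dns_redirects() {
    rules=$1 iface=$2 ip=$3
    for proto in udp tcp; do
        printf '%s\n' "$rules" | awk -v i="$iface" -v p="$proto" -v ip="$ip" '
            $1 == "-A" && $2 == "PREROUTING" {
                in_if = pr = port = tgt = dst = ""
                for (n = 3; n <= NF; n++) {
                    if ($n == "-i")      in_if = $(n + 1)
                    if ($n == "-p")      pr    = $(n + 1)
                    if ($n == "--dport") port  = $(n + 1)
                    if ($n == "-j")      tgt   = $(n + 1)
                    if ($n == "--to-destination" || $n == "--to") dst = $(n + 1)
                }
                sub(/:53$/, "", dst)   # accept "ip" or "ip:53" as the target
                if (in_if == i && pr == p && port == "53" && tgt == "DNAT" && dst == ip)
                    found = 1
            }
            END { exit (found ? 0 : 1) }
        ' || printf '%s\n' "$proto"
    done
}

# Constructed sample: only the UDP redirect is installed.
SAMPLE_UDP_ONLY='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1'

# Constructed sample: both rules from the post are installed.
SAMPLE_BOTH="$SAMPLE_UDP_ONLY
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1"

missing_dns_redirects "$SAMPLE_UDP_ONLY" br0 192.168.1.1   # prints: tcp
```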
