Sunday, October 30, 2016

Best Web Content Filtering using a cheap WIFI Router

OpenDNS is great for web content filtering, but it cannot enforce safe search nor youtube restricted mode. Of course, you can disable all search engines and all video sites.

Google did provide a mechanism via DNS to enforce safe search and restricted mode on your network, which OpenDNS cannot implement. The solution is DD-WRT. You can buy a WIFI router with DD-WRT as the OEM software. Somebody sells routers preinstalled with it, or you can replace the OEM software yourself.

The router can be very cheap. You don't need to give up your current super duper routers. You just need one DD-WRT router to be the final gatekeeper to the internet. You just need fast switching and a higher bandwidth than your ISP link.

Inside DD-WRT, under the Services tab, you can add the following to the additional DNSMasq options:

address=/www.google.com/216.239.32.20
address=/www.youtube.com/216.239.38.120
address=/m.youtube.com/216.239.38.120
address=/youtubei.googleapis.com/216.239.38.120
address=/youtube.googleapis.com/216.239.38.120
address=/www.youtube-nocookie.com/216.239.38.120

That is all! Being DD-WRT, I would be very careful about extra spaces. The 1st line redirects to the IP of forcesafesearch.google.com. The rest are Google's instructions to redirect to the IP of restrict.youtube.com. You can also redirect to 216.239.38.119, the IP of restrictmoderate.youtube.com.

These settings are independent of OpenDNS, but much better with it. At the OpenDNS settings, you should disable search engines and video sharing. Then you whitelist, never block, just google and youtube:

forcesafesearch.google.com
google.com
youtube.com

Unfortunately, if your kids are smart enough to bypass the DNS on the router, you have to be smarter to disable their DNS request. In DD-WRT, it's under the Access Restrictions tab. You add a policy that filters out some services. You select dns under the Blocked Services section.

Under the list of clients, you should enter all phones, computers, and tablets that access the internet. You can use MAC's, IP's or range of IP's. 

The most important warning for DD-WRT is that what you see may not all work! There are multiple underlying chipsets that are not compatible. The software is probably written and tested by very few people. In brief, buy a recommended model, and flash only the recommended DD-WRT version.

For my DD-WRT, access restrictions on MAC and IP all don't work. Only a range of IP's work. MAC's are unique for each machine but IP's can change with automatic assignments by DHCP. You can map MAC's to IP's in a central place under the Services tab, DHCP Server, Static Leases.

Enjoy!