Protect your entire network using OpenDNS with DD-WRT

My original quest for DD-WRT came about due to using OpenDNS.  I originally had a D-Link wireless router which let me input the DNS addresses for OpenDNS, but the wireless signal eventually died in it.  I replaced it with a Motorola WR850G that worked great initially, but a firmware upgrade to version 6.1.4 actually disabled my ability to set DNS server entries.  Therefore, I had to either manually configure all of the network devices (computers, game consoles, etc.) to use OpenDNS, or just forget about it until I could change routers again.

It turns out that the DD-WRT router firmware was compatible with my router, so I installed it and was able to set OpenDNS again.  I have since upgraded to a newer Linksys model, which also supports DD-WRT; in fact, I specifically chose a router that would work with DD-WRT.

All worked smoothly on DD-WRT, except that any time my IP address changed with our Internet provider, the “protected” IP address registered with OpenDNS was no longer valid, and the filtering was thereby gone.  The OpenDNS updater I ran never worked reliably, either.

As many know, DD-WRT is based on a lightweight version of Linux, which provides the flexibility needed to make custom changes.  DD-WRT only runs on certain routers that contain specific chipsets, but it is well worth the time to research routers that support it.  DD-WRT itself is full of configuration options, enough to make even a networking professional such as myself scratch my head.  In addition to quite a few pages of settings, DD-WRT also lets you enter commands directly to make additional configuration changes.

Armed with that knowledge, I had a list of problems I needed solved with my DNS services.  First, I had to be able to set all computers and devices on the network to use OpenDNS.  Second, my WAN IP address (the IP address handed out by my ISP) needed to be updated (hopefully instantaneously) when it changed.  Finally, I wanted to prevent any device on the network from circumventing OpenDNS by manually changing settings on the device.

Prerequisites:  to make all of this work smoothly, you need to have created at least a basic account at OpenDNS, as well as a companion account at DNS-O-Matic.  The latter is the service that will automatically update not only your OpenDNS account with your current WAN IP address, but also any other nameserver providers you use (such as dyndns.org), so they are kept current as well.

In the following instructions, the text shown in green (the indented lines after “enter:”) is what you will enter into your router where indicated.  You may want to copy and paste the text to ensure you don’t enter anything incorrectly.

Our first step will be to set up OpenDNS as the router’s default DNS source.  There are two ways you can go with this.  You can either have your router hand out the OpenDNS addresses to your devices over DHCP (option 1 below), or you can have the router’s own DNSMasq forward all queries to OpenDNS (option 2).  Both methods work well.

From the DD-WRT Wiki, here are the instructions for changing your DNS server entries.

Option 1 – Configure DHCP with OpenDNS DNS server

  1. Go to Setup tab » Basic Setup sub tab » Network Setup section » Network Address Server Settings (DHCP), and
  2. Set Static DNS 1 to 208.67.222.222
  3. Set Static DNS 2 to 208.67.220.220
  4. Depending on the behavior you want, set Static DNS 3 to:
    1. 0.0.0.0 to fall back to your ISP DNS if OpenDNS is unresponsive
    2. 10.0.0.0 (a non-usable IP) if you don’t want to use any other servers
    3. Another DNS server of your choice (do not duplicate one of the first two DNS entries, or it will default to 0.0.0.0).  Note: OpenDNS also has these DNS IPs that can be used for the 3rd Static DNS: 208.67.222.220 and 208.67.220.222.  To ensure that all devices are restricted by OpenDNS Web Content Filtering, configure all 3 Static DNS entries using OpenDNS IPs.
  5. Apply Settings

If you want the DNS servers to be queried in the order they’re listed rather than randomly:

  1. Go to Services tab » Services sub tab » Services Management section » DNSMasq sub section » Additional DNSMasq Options text box, and enter:

    strict-order
  2. Apply Settings

Option 2 – Configure DNSMasq for OpenDNS DNS forwarding

  1. Go to Services tab » Services sub tab » Services Management section » DNSMasq sub section
  2. Enable both DNSMasq and Local DNS options
  3. In the Additional DNSMasq Options text box, enter:
    no-resolv
    strict-order
    server=208.67.222.222
    server=208.67.222.220
  4. Click Apply Settings

Now, what about a little trick to prevent devices on your network from bypassing your DNS entries?  With DD-WRT, it’s simple enough!  What you are doing, in essence, is intercepting those rogue DNS requests and redirecting them to the router, which answers them using the DNS addresses you’ve set up above.  Here are the steps to take (from the DD-WRT Wiki again):
  1. Go to Administration tab » Commands sub tab
  2. In the Commands text box, enter:
    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
  3. Click Save Firewall (note: your WAN interface will be restarted)

This protects all devices on your network.  If for some reason you want one device or a range of devices to be able to specify their own DNS server entries, you can specify a range of IP addresses on your network to which the DNS interception applies.  Refer to the DD-WRT Wiki page for those instructions.
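The interception rules above, extended to the per-range exemption the Wiki describes, as an added example that is not from the original post or the DD-WRT Wiki: a small shell script for the Commands box that emits the NAT rules and can optionally exempt one source range using the iptables iprange match.  It assumes the LAN bridge is br0, that `nvram get lan_ipaddr` returns the router’s LAN address, and that the DD-WRT build’s iptables includes the iprange match.

```shell
#!/bin/sh
# Force every LAN device's plain DNS (udp/tcp port 53) to the router's own
# resolver, with an optional exempt source range. Assumed DD-WRT environment:
# LAN bridge br0, `nvram get lan_ipaddr`, and iptables with the iprange match.

# dns_redirect_rules LAN_IP [FIRST_IP-LAST_IP]
# Prints the iptables commands instead of running them, so they can be
# reviewed or pasted into the Commands box as-is.
dns_redirect_rules() {
    lan_ip=$1
    exempt=$2   # devices in this range may keep their own DNS settings
    for proto in udp tcp; do
        match=""
        if [ -n "$exempt" ]; then
            # "!" negates the range: everything outside it is redirected
            match=" -m iprange ! --src-range $exempt"
        fi
        echo "iptables -t nat -A PREROUTING -i br0 -p $proto --dport 53$match -j DNAT --to $lan_ip"
    done
}

# Apply on the router itself; save as the firewall script so it re-runs at boot.
apply_dns_redirect() {
    dns_redirect_rules "$(nvram get lan_ipaddr)" "$1" | sh
}

# Verify after Save Firewall: both port-53 rules should show up here.
show_dns_redirect() {
    iptables -t nat -L PREROUTING -n | grep 'dpt:53'
}
```

Without a second argument the script produces exactly the two rules from the Wiki; these rules cover plain DNS on port 53 only.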

Finally, does your IP address change often?  In order to stay protected, your current IP address needs to be registered in your OpenDNS account.  Using the DNS-O-Matic service with your DD-WRT router, you can nearly instantly send IP address changes to your OpenDNS account, and also keep those alternative DNS services (such as dyndns.org) updated as well.  To do this takes a few steps.  From the DD-WRT Wiki:

  1. Set up an account with OpenDNS and enable Dynamic IP Update under the Settings tab on the OpenDNS website. Also enable any filtering options you want.
  2. Log into DNS-O-Matic. It shares the same username and password for OpenDNS.
  3. Add OpenDNS as a service on DNS-O-Matic
  4. Also add account information for any other Dynamic DNS providers you have.
  5. Now click the “Update Info” radio button
  6. On the DDNS tab under Setup in DD-WRT, set DDNS Service to Custom.
  7. Set DYNDNS Server to: updates.dnsomatic.com
  8. Fill in your Username and Password for OpenDNS/DNS-O-Matic
  9. Set Host Name to all.dnsomatic.com
    To update multiple hosts, use hostname1 -a hostname2 -a hostname3 -a hostnameN
  10. Put /nic/update?hostname= in the URL text box. If that doesn’t work, use:
    http://updates.dnsomatic.com/nic/update?hostname=

    If you get a badauth error from dnsomatic, it could be that you need to use https instead of http, so try:
    https://updates.dnsomatic.com/nic/update?hostname=

  11. Apply
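The DNS-O-Matic update from step 10, as an added example that is not part of the original post: a shell function that sends the dyndns2-style update over HTTPS with curl (so the account password is not sent in the clear) and classifies the reply, including the badauth case mentioned above.  It assumes curl is available on the router; the reply words other than badauth are the standard dyndns2 status codes, and the account values are placeholders.

```shell
#!/bin/sh
# Push the router's current WAN address to DNS-O-Matic (dyndns2 protocol) and
# interpret the reply. Assumed: curl is available on the router; credentials
# passed in are placeholders to replace with the OpenDNS/DNS-O-Matic login.
DNSOMATIC_URL="https://updates.dnsomatic.com/nic/update"

# Classify one dyndns2 reply line. "badauth" is the reply the post mentions;
# the other words are the standard dyndns2 status codes (assumed here).
# Always exits 0 so it is safe inside command substitutions under set -e.
dyndns2_status() {
    case "$1" in
        good|good\ *)           echo updated ;;
        nochg|nochg\ *)         echo unchanged ;;
        badauth)                echo badauth ;;
        notfqdn|nohost|numhost) echo badhost ;;
        abuse|dnserr|911)       echo server-error ;;
        *)                      echo unknown ;;
    esac
    return 0
}

# dnsomatic_update USER PASS HOSTNAME [IP]
# HOSTNAME is all.dnsomatic.com to update every service on the account.
# Without IP, DNS-O-Matic uses the address the request came from, which on
# the router is the WAN address we want registered with OpenDNS.
dnsomatic_update() {
    user=$1; pass=$2; host=$3; ip=$4
    url="$DNSOMATIC_URL?hostname=$host"
    if [ -n "$ip" ]; then
        url="$url&myip=$ip"
    fi
    # Basic auth over HTTPS; DNS-O-Matic expects a User-Agent to be set.
    reply=$(curl -s -S -u "$user:$pass" -A "ddwrt-dnsomatic/1.0" "$url" | tr -d '\r')
    status=$(dyndns2_status "$reply")
    echo "$status: $reply"
    case "$status" in
        updated|unchanged) return 0 ;;
        *)                 return 1 ;;
    esac
}
```

Calling `dnsomatic_update` from the Commands box (or a cron entry) gives a scripted fallback when the built-in DDNS client is unreliable, and the printed status line makes a badauth or server error visible at once.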

Having done all of this, your network should be using OpenDNS and protecting every device on your network.  Congratulations!
  • Eric Hammes

    Great stuff!  Just set it up…thanks!

  • TL

    Thank you so much. OpenDNS wasn’t working on this router until I added the admin commands. Thanks so much for taking the time to write this up.