- Clavister Security Gateway 10.x. and 9.x
This document is a quick guide to setting up a test configuration that uses OpenDNS for resolving DNS queries.
Table of contents
- Objectives with this article
- Registering an account with OpenDNS
- OpenDNS in your DHCP servers
- OpenDNS as DNS server
- Forcing all outgoing DNS traffic to a OpenDNS server
- Dynamic IPv4 address, HTTP Poster
OpenDNS (About: http://www.opendns.com/about/) provides a (free to use), redundant network of DNS servers, which can help you filter out malicious software (malware), unwanted websites etc, by checking the DNS queries your users are performing, and if necessary prevent the users from resolving the "bad" site, thereby blocking access to it. A block page can be displayed in the web browser, if a browser was used to try to reach the "bad" site. Malware will be blocked from "calling home" as the DNS queries will not be resolved.
This is a method that is very easy to use and configure, and instantly increases the level of security at a site. It is also easy to combine this with e.g. WebAuth to allow certain users to bypass the OpenDNS servers, and use another, non-filtering, DNS server, should they need it.
We will look at how to use their DNS servers in your DHCP server, but also how we can force all outgoing DNS traffic to be redirected to the OpenDNS servers (using SAT+NAT).
Registering an account with OpenDNS
Start by registering an account with OpenDNS. Depending on the site your are setting this up on (home/school/business/...) they have different solutions available. Some will cost money to use. Here we will look at "OpenDNS Home (free)"
It is also possible to use their DNS servers without registering, but then you can't modify the content categories that you want to block or allow etc.
1. Go to http://www.opendns.com and click Sign in and Get started!.
2. Select OpenDNS Home and click Sign up now.
3. Fill in the requested information and activate your account by clicking the link in a e-mail that they send you.
4. Open up the Settings in the OpenDNS dashboard and add "your network". This is the public IPv4 address(es) you are using to reach the Internet and will be used to recognize your site, so they can apply the settings that you have chosen. You may use http://www.whatismyip.com to find your current IPv4 address.
Give "your network" a name.
If you have a dynamic public IPv4 address, we will use the HTTP Poster feature to keep your current IPv4 address mapped to "your network" at OpenDNS. We will need the name of this network as part of the update procedure. You must also enable "dynamic IP address" when you name your network if this is the case.
5. Verify your network by clicking a link in a new e-mail from OpenDNS.
6. Configure your network preferences: On http://www.opendns.com, go to the Home tab, Settings, select your network (you can add multiple), and go through the different types of filtering:
- Web content filtering
- Customization (show block page or not etc)
- Advanced settings (dynamic IP address, Phishing protection, domain "typo" protection, etc)
OpenDNS in your DHCP servers
Login to the Clavister Security Gateway WebUI.
1. Start in Objects > Address book. Add their DNS servers as separate IPv4 Address Objects:
Name = OpenDNS1_ip
Network = 22.214.171.124
Name = OpenDNS1_ip
Network = 126.96.36.199
2. Go to Network > Network Services > DHCP Servers and open/add your DNS server.
On the Options tab, specify the two OpenDNS servers that we created as DNS servers.
Close the DHCP server configuration.
3. Select Configuration > Save & Activate to make these changes permanent.
It will take some time (depending on your current DHCP lease time) before your users will actually get the new DNS servers and start using them. They can also bypass them by simply setting other DNS servers in their machines, that is why we should do the following changes.
OpenDNS as DNS server
Open System > Device > DNS
Use the two DNS servers created above as your DNS servers.
Forcing all outgoing DNS traffic to a OpenDNS server
To instantly force all DNS traffic, and prevent users from reaching other DNS servers, use a trick to redirect all outgoing DNS traffic to a OpenDNS server.
1. Go to Policies > Firewalling > Main IP Rules.
2. Add an IP Rule and fill it in as follows:
Name = OpenDNS_Redirect
Action = SAT
Source Interface = Any
Source Network = all-nets
Destination Interface = wan (The name of your Internet interface. If you have multiple you may need to use an Interface Group. )
Destination Network = all-nets
Service = dns-all
SAT Translate = Destination IP
New IP Address = OpenDNS1_ip To use multiple, you need to use the action SLB_SAT and do additional changes
All-to-One Mapping = Enabled
3. Make a clone of the previous IP Rule, by right-clicking on it and select Clone in the drop down menu.
On the cloned object, change the Action to NAT.
4. The two new IP Rules are now last in your IP Ruleset, but we must move them higher up, so we can be sure that they trigger before any other NAT rule.
Right click on them and select Move to Index and place them in a suitable place. You may also just move them to the top.
Make sure that the IP Rule with the SAT action is higher up than the one with the NAT action. This is very important.
5. Select Configuration > Save & Activate to make these changes permanent.
Now all outgoing DNS traffic should be redirected to the OpenDNS servers, no matter which IP address it was originally sent to. Verify this in the System Log.
Dynamic IPv4 address, HTTP Poster
If you have a dynamic IPv4 address, either use one of the clients that OpenDNS provides, that you install on e.g. a Windows PC, that must always be running, or use the Clavister's HTTP Poster feature to keep their record of your IPv4 address for "your network" updated.
The details can be found on these web pages:
This is our interpretation of how to use that feature:
1. Go to Network > Network Services > HTTP Poster
2. Add a HTTP Poster
3. Fill in the URL according to this format, with @ in your email replaced by %40 (percent sign 40) and mynetwork = "your network" (like I said, you can have multiple):
4. Select Configuration > Save & Activate to make these changes permanent.
Check the System Log for messages related to this update procedure. If you get a new IPv4 address and the HTTP Poster does not update it properly, please consult their support articles for details.