DNS Filtering
An Overview
To understand how this method blocks inappropriate sites, you need to understand something about how the Internet works. All websites are found at specific IP addresses that look like this: 154.234.133.073. This is the identity of the server that hosts the website, and several different websites might be at that same address. Fortunately, we don’t have to memorize these numbers any more than we memorize phone numbers. We rely instead on domain names like fifthchurch.org that point to the real server’s address: 23.236.62.147. Whenever you type fifthchurch.org into your browser window, or click on a link that goes to this address, your device first sends a request to a domain name server (DNS) that looks up the IP address of fifthchurch.org and then sends back the IP address, allowing the computer to find and access the content for this site from the server at 23.236.62.147.
The service that does this lookup by default is your internet provider, and most people never change it. However, you can choose to go through a different DNS server for connecting to websites. Some of the more popular ones are GoogleDNS, OpenDNS, Advantage DNS, and ScrubIT. Often a different service can give you a speed advantage, but they can also be selective in the results that they send back to you. Think of it as marking certain websites as unlisted. Your computer makes a request for naughtysite.xxx and when the request is received by the DNS provider, it says, “I’m sorry, we are not going to provide that information to you”. Even if you knew the exact IP address for naughtysite.xxx, typing it into your browser wouldn’t work, because websites display their site content only when you access them by their fully qualified domain name (FQDN). So switching to a DNS that blocks bad sites is an excellent way to keep your household safe.
The one that I recommend is called Norton ConnectSafe. It is by far the easiest one to set up because the only thing that you need to do is to add their IP Address to your modem or router as the DNS server. Other services like OpenDNS are two way services. Their server needs to know your address and you need to know their address. If your IP address changes (and it probably does all the time), the service stops working until you update them with your new address. In my experience with OpenDNS and similar services, something would go wrong, and only months later did I discover that the protection that I thought was in place all along was no longer working. ConnectSafe, on the other hand, doesn’t need to know your IP address at all, and it provides three standard filtering schemes:
- Security (malware, phishing sites and scam sites)
- Security + Pornography
- Security + Pornography + Other (includes sites that feature: mature content, abortion, alcohol, crime, drugs, file sharing, gambling, hate, suicide, tobacco or violence.)
Once you set it up, it just works. So let’s get to it!
Your network
The best way to provide protection is at the point of entry—in your modem or WiFi router. That way, all devices that connect to your network are automatically protected. Unfortunately, it is usually not possible to set up ConnectSafe with adequate protection using the modem that came with your Comcast, AT&T, or other Internet provider. To successfully apply DNS filtering to your network, there are two things that need to be set:
- The DNS servers must be set to Norton ConnectSafe's IP address for service one, two or three above.
- All requests to other DNS services must be blocked and rerouted to Norton ConnectSafe
You might be able to accomplish the first setting on the device that was supplied by your Internet Provider, but you definitely won’t be able to do the second. The blocking will work, but anybody with a little bit of skill can figure out how to bypass the protection. So with that in mind, I've got good news and bad news for you. The bad news is that you'll have to pay for a wireless router to do the filtering for you. The good news is that you will get an improved WiFi signal throughout your house. Why? Well, the modem generally sits somewhere where the phone service came into the house originally. That could be down in the basement, or in a corner of the house. Usually not in the center of your house. And secondly, the modem may have built-in WiFi, but they usually don't have antennaes. So the signal probably doesn't make it to the other side of your house, and then you have to install inefficient repeaters, that in and of themselves cause a lot of problems.
What we propose is to get a good WiFi router with antennaes that will send a strong signal throughout the house, and also to place that router towards the center of the house, running a cable between it and your modem. That part is optional, but since we are looking at your network, we might as well make a few improvements while we are at it!
For my personal use, I’ve selected a the TP-Link Archer C7 router that I’ve customized with OpenSource firmware. It comes with three antennas and when I place it centrally in my house, the signal is able to penetrate the entire space. Although it has been out for a couple years already, this is what was said about it in the New York Times:
BEST ROUTER FOR MOST PEOPLETP-Link Archer C7Fast, long-range, no-frills routerPRICE: $100
BEST FOR: Most people. The Archer C7 is a fast 802.11ac router with incredible range. It's better than many routers that are twice as expensive.
SPECIAL FEATURES: Price. The Archer C7 has an unbeatable price-performance ratio. Faster routers exist, but you’ll be spending more than it's worth for the slight speed increase.
If you want to benefit from a stronger signal and Internet protection from Norton ConnectSafe, purchase an Archer C7 and follow my tutorial step by step. If you already have a different router that is capable of running the DD-WRT firmware, you can make the most of this tutorial as the same basic steps will apply. Just be sure to do your research ahead of time and download the appropriate firmware.