DNS Filtering for kids

Started by OPNsense4ever, April 15, 2023, 09:11:33 PM

April 15, 2023, 09:11:33 PM Last Edit: April 15, 2023, 09:26:25 PM by OPNsense4ever
Hi all,

Wanted to see if anyone had any great opinions on this. I am replacing my legacy FW with a new machine to support 10Gb (w00t fiber!)

In the previous machine I use NAT rules to send all DNS traffic back to the FW itself. I have a /24, and I created a FW alias of a number of IPs that I called "trusted." All other IPs in the DHCP range are "untrusted." The "untrusted" IPs go to a port that runs BIND with safe-search and a few other blackholes enabled. The "trusted" IPs go right to 53 where Unbound is running and tunneling DoT to supported, external servers.

All of this was a little complicated, but ended up working great. Any new machine the kids pop up automatically is safe and I add static-mapped IPs for any devices that need unfettered Internet access. I mainly did this because of the limitations of BIND and Unbound at the time. I know there are a lot of new changes, but I never updated the old configuration.

What I want is to have some devices pushed through safe searches and other filters for a bit longer and others with unfettered access. Any thoughts on new ways to do this? What are you using?

Thanks so much.

When my kids were younger, I used OpenDNS. It's still free even after being gobbled up by Cisco: https://www.opendns.com/home-internet-security/

DHCP reservations, one or more (per kid?) docker containers with either AdGuardHome or Pi-Hole, dedicated VLAN for their devices to make sure they can't get out with a random MAC - a few things to ponder depending on their age, interests, trustworthiness when it comes to homework on an internet facing device, circle of friends...

I'm running AdGuard into Unbound, all in OPNsense.

https://forum.opnsense.org/index.php?topic=22162.msg146626#msg146626

In AdGuard:
Set up SafeSearch and DNS blocklists (public lists). I apply that to everyone on my LAN, then allow certain MACs access above and beyond.

In Unbound:
I have a few combinations of cleanbrowsing.org lists in the dns over tls options.
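Added example, not config from any poster in this thread: the trusted/untrusted split the original post describes (one set of client IPs gets SafeSearch and blackholes, the rest gets unfiltered DoT) can now be done inside a single Unbound instance with views, which also covers the SafeSearch and DoT pieces of the AdGuard/Unbound post above. Assumptions: the LAN is 192.168.1.0/24, the trusted hosts are static DHCP mappings at .10 and .11, the file lives under /usr/local/etc/unbound.opnsense.d/ (the OPNsense drop-in directory for custom Unbound options), DoT forwarding is not already configured in the GUI (a second forward-zone for "." would clash), and the blocked domain is a placeholder. The vendors' published SafeSearch hostnames are real; the upstream resolvers are illustrative.

```conf
# Added example: per-client-range DNS views in one Unbound instance.
# Clients are keyed on the source IP Unbound sees, so the NAT rule that
# redirects all port-53 traffic to the firewall is still what stops a
# kid's device from picking 8.8.8.8 and walking around this.
server:
    # Longest prefix wins, exactly like access-control: every address the
    # DHCP pool hands out lands in the "kids" view unless listed below,
    # so a freshly plugged-in device is filtered by default.
    access-control-view: 192.168.1.0/24 kids
    access-control-view: 192.168.1.10/32 trusted   # assumed: parent's laptop
    access-control-view: 192.168.1.11/32 trusted   # assumed: another trusted host
    # CA bundle used to authenticate the DoT upstreams (FreeBSD path).
    tls-cert-bundle: /etc/ssl/cert.pem

view:
    name: "trusted"
    # No local data in this view: everything falls through to the global
    # forward-zone, i.e. unfettered resolution over DoT.
    view-first: yes

view:
    name: "kids"
    # Serve this view's overrides first, then fall through to the global
    # resolver for everything else (including chasing the CNAME targets).
    view-first: yes
    # SafeSearch enforcement via the CNAMEs the vendors publish for it.
    local-zone: "www.google.com." redirect
    local-data: "www.google.com. IN CNAME forcesafesearch.google.com."
    local-zone: "www.bing.com." redirect
    local-data: "www.bing.com. IN CNAME strict.bing.com."
    local-zone: "duckduckgo.com." redirect
    local-data: "duckduckgo.com. IN CNAME safe.duckduckgo.com."
    # YouTube restricted mode; Google lists these hosts for it (use
    # restrict.youtube.com instead for the stricter setting).
    local-zone: "www.youtube.com." redirect
    local-data: "www.youtube.com. IN CNAME restrictmoderate.youtube.com."
    local-zone: "m.youtube.com." redirect
    local-data: "m.youtube.com. IN CNAME restrictmoderate.youtube.com."
    local-zone: "youtubei.googleapis.com." redirect
    local-data: "youtubei.googleapis.com. IN CNAME restrictmoderate.youtube.com."
    local-zone: "www.youtube-nocookie.com." redirect
    local-data: "www.youtube-nocookie.com. IN CNAME restrictmoderate.youtube.com."
    # Firefox's DoH canary: an NXDOMAIN here makes Firefox keep using the
    # network's resolver instead of switching to DoH and bypassing all of this.
    local-zone: "use-application-dns.net." always_nxdomain
    # A blackhole that applies to this view only (placeholder domain).
    local-zone: "blocked.example." always_nxdomain

# Global upstream for both views: DNS over TLS, authenticated by name.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Check it with unbound-checkconf before restarting, then from a kids-range host run drill @192.168.1.1 www.google.com and confirm the answer carries the CNAME to forcesafesearch.google.com, and from a trusted host confirm it does not. Two caveats worth knowing: Unbound views can only change local-zone/local-data style answers, not the upstream, so if you want the untrusted range sent to a filtering forwarder (the cleanbrowsing DoT lists mentioned above) while trusted hosts go elsewhere, that is still a job for a second listener or an AdGuard Home/BIND instance in front, as in the original setup. And the views only see what arrives on port 53: DoH on 443 and DoT on 853 from the kids' devices need their own firewall rules.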