Using multiple OpenDNS-like service, is it possible?
Posted: Wed Sep 22, 2010 7:34 pm
by thermant
Hi all,
I'm trying to use openDNS-like services to help me with web-filtering. See, there's a similar service in my country that contains "questionable" sites that openDNS often miss, mostly local sites though. Probably that's why openDNS doesn't have them in their database. Anyway, I'm thinking of using openDNS and the localDNS to complement each other in filtering my web traffic. Is that even possible?
I'm currently using ROS 4.5, by the way. Now, whenever I put in the localDNS's IP as the primary and openDNS's as the secondary, I can still access the sites that should be blocked by openDNS. And whenever I do it the other way around, the sites that should be blocked by the localDNS are accessible. In other words, the "secondary DNS" thing doesn't work the way I intend it to work.
Is there anything I can do if I want to use openDNS's database AND the localDNS's database at the same time? So whatever openDNS doesn't filter, the local one will do it, and vice versa.
Thanks much.
-Ted-
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Wed Sep 22, 2010 7:42 pm
by fewi
You cannot. You can give the client two DNS servers, but the client will not ask both if the first server responds. DNS stacks on clients simply don't work the way you want them to.
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Wed Sep 22, 2010 7:49 pm
by thermant
Darn...
So what can I do if I want to achieve the result I want?
There are quite a number of these local questionable sites that I would really want to block, and openDNS is just not filtering them. Same thing for some non-local sites and the local DNS.
-Z-
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Wed Sep 22, 2010 8:10 pm
by fewi
You can't mix and match DNS servers.
There could feasibly be some software that acts as a recursive resolver and queries both, recognizes when one of them blocks the request based on the fake reply it receives, and passes the blocked reply back only. That software couldn't run on the router or the client but would need a dedicated server. I'm not aware of any such software.
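The decision logic such a resolver would need, as an added example that is not part of the original post and is not existing software. The service names, block-page addresses and lookup tables are constructed assumptions (documentation IP ranges), and the upstream lookups are stubbed so it runs offline.

```python
from ipaddress import ip_address

# Hypothetical block-page ("fake reply") addresses per service; documentation
# ranges are used here, substitute the addresses each service really returns.
BLOCK_PAGES = {
    "global_filter": {ip_address("192.0.2.10")},
    "local_filter": {ip_address("198.51.100.10")},
}

def merge_verdicts(name, resolvers):
    """Ask every upstream; if any returns its block page, return that reply.

    resolvers maps service name -> callable(name) returning a list of A-record
    strings, or None when the upstream did not respond.
    """
    first_clean = None
    for service, resolve in resolvers.items():
        answers = resolve(name)
        if answers is None:          # timeout: this upstream has no vote
            continue
        if any(ip_address(a) in BLOCK_PAGES[service] for a in answers):
            return "blocked", service, answers
        if first_clean is None:
            first_clean = answers
    if first_clean is None:          # nobody answered: fail closed, not open
        return "servfail", None, []
    return "allowed", None, first_clean

# Constructed upstream data standing in for real DNS lookups.
GLOBAL_DB = {"news.example": ["203.0.113.5"], "casino.example": ["192.0.2.10"],
             "local-bad.example": ["203.0.113.7"]}
LOCAL_DB = {"news.example": ["203.0.113.5"], "casino.example": ["203.0.113.6"],
            "local-bad.example": ["198.51.100.10"]}

RESOLVERS = {"global_filter": GLOBAL_DB.get, "local_filter": LOCAL_DB.get}

if __name__ == "__main__":
    for host in ("news.example", "casino.example", "local-bad.example"):
        print(host, merge_verdicts(host, RESOLVERS))
```

When one upstream is down, its list is not consulted for that query, so a monitoring check on each upstream matters as much as the merge itself.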
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Thu Sep 23, 2010 7:17 am
by thermant
So....
Not a chance in hell I can do that using ROS alone then? <sigh>
Oh well, it's worth a try.
Thanks fewi.
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Tue Sep 28, 2010 1:56 am
by benmikrotik
The best thing to do is to keep using opendns and submit a list of sites you want opendns to block.
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Tue Sep 28, 2010 4:34 am
by reverged
How long is the list that you want to block and how often does it change and can you fetch it?
If it is not too long and it doesn't change all that often, and you can fetch it via a script, then fetch it and make static entries in an RB dns, mapping those domains to a known "block page" ip. Presumably a page you host with a "blocked" message.
Intercept dns on the RB and continue to use opendns. Anything not in the cache (where statics end up) forces the RB to go to opendns.
This is effectively chaining 2 dns servers. The RB and Opendns.
I do this to intercept sites that I want to redirect and to a lesser extent to block sites.
Again, the list can't be huge and the frequency of update should be reasonable. I think I have about 50 sites and it runs once per day.
(I always fret using up my flash)
It's too bad non-ROS metarouter is not stable as it might be possible to mod an openwrt package to chain dns.
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Tue Sep 28, 2010 11:25 am
by thermant
@benmikrotik: that's what I've been doing all along, and it's getting tedious.
@reverged: the problem I'm having with your solution is in the sentence "the list can't be huge and the frequency of update should be reasonable".
If not for that, I woulda used your solution.
Thanks for the suggestions, you guys.
-Z-
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Tue Sep 28, 2010 8:20 pm
by reverged
How many sites are in the list?
I did this many years ago (killed those brain cells) using bind, pre-OpenDNS.
We subscribed to a service that allowed us to ftp a block list.
Loaded that into mysql and did queries locally first then off to the isp dns.
If you are able, set up your own dns server using bind or dnsmasq.
If you have never done it, you'll learn a lot.
Depending on the size of the list and size of your network, you might be able to do this in a cheap openwrt or monowall box.
ROS is not suited to this task, except with a suitable, stable metarouter.
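One way to turn a fetched block list into a dnsmasq configuration that answers listed domains with a block-page address and forwards everything else to OpenDNS, covering both the static-entry chaining and the own-server suggestion above. This is an added example, not code from the thread; the block-page address and the sample list are constructed, and each list line is validated because a fetched list is untrusted input that could otherwise inject dnsmasq directives.

```python
import re
from ipaddress import ip_address

BLOCK_PAGE_IP = "192.0.2.80"   # assumption: host serving the "blocked" page
UPSTREAM = "208.67.222.222"    # OpenDNS public resolver

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def parse_domain(line):
    """Return a validated lower-case domain from one list line, or None."""
    fields = line.split("#", 1)[0].strip().lower().split()
    if len(fields) == 2:               # hosts-file style: "0.0.0.0 domain"
        try:
            ip_address(fields[0])
        except ValueError:
            return None
    elif len(fields) != 1:
        return None
    domain = fields[-1].rstrip(".")
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2:
        return None
    # Rejects "/" (the dnsmasq field delimiter) and any other stray character.
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return domain

def build_config(blocklist_text):
    """Return (dnsmasq config text, list of rejected input lines)."""
    domains, rejected = set(), []
    for raw in blocklist_text.splitlines():
        domain = parse_domain(raw)
        if domain:
            domains.add(domain)
        elif raw.split("#", 1)[0].strip():
            rejected.append(raw)
    lines = ["no-resolv", f"server={UPSTREAM}"]
    # address=/d/ip answers for d and all of its subdomains.
    lines += [f"address=/{d}/{BLOCK_PAGE_IP}" for d in sorted(domains)]
    return "\n".join(lines) + "\n", rejected

# Constructed sample list, including lines that must be rejected.
SAMPLE = """# daily list
bad-site.example
0.0.0.0 casino.example
BAD-SITE.example.
evil.example/10.0.0.1
-bad.example
localhost
"""
```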
Re: Using multiple OpenDNS-like service, is it possible?
Posted: Wed Sep 29, 2010 3:49 pm
by thermant
How many? Well, I'm counting 120+ (I've just started about 2 weeks ago) and they're increasing at the rate of 5-10 a day.
Well, I'll see what I can find out about setting up a dns server. Thanks for the suggestion.
-Z-