Direct MP3 Download: Geeksters #150 – Sesquicentennial
Episode 150 Show Notes
Title — Sesquicentennial
* Lenovo admits security issues with Superfish, releases removal tool
* Truecrypt Phase Two Audit Announced
* A deeper look at Outlook for iOS and Android
Good evening Martin,
I was just listening to the last Geeksters show. After a little thought, here is how I would solve your problem with selectively blocking traffic on port 53.
1. Choose compatible routers and install DD-WRT.
2. Modify the tables with iptables commands on the command line to block port 53, with exceptions for specific devices.
3. After testing, save it as a startup script so that a reboot of the router won’t clear the rules.
This should only cost you about fifty to sixty dollars per device, though Trendnet has a DD-WRT compatible device for just over one hundred dollars. Below are a few links that may be useful.
Here is a link describing the DD-WRT iptables commands.
Link for DD-WRT startup scripts
Trendnet wireless router http://www.trendnet.com/store/
This should work for you. Hope it helps. If you need a device for testing I have one that I can send you (Dlink DIR632). Let me know if I can be of any help.
I have been listening to episode 149 and have had to deal with the same problem as the IT guy at a public library that Martin was having with open wifi access and OpenDNS. I have a few possible solutions for you.
You can totally lock down your DNS through the firewall on pfSense (open source FreeBSD based router appliance). This software doesn’t require much in the way of hardware specs, but for best performance I would try to get a couple of Intel NICs.
What I did here was as you described, locking down port 53 to only allow OpenDNS IPs through. Also, under Services->Dynamic DNS one of the options you can select is OpenDNS, so I’m guessing that this will update your external IP once you’ve put your username and password in.
A couple of other things to watch out for: you’ll probably want to block ports 6881:6999 to stop other BitTorrent traffic, because even with DNS locked down, if someone has started a torrent elsewhere they are able to resume the torrenting w/o DNS at that point.
I have created a specific pool of addresses that I call my “wifi-prison” for repeat offenders. When I get a repeat offender I temporarily block their connecting to the wifi AP by blocking their MAC address.
Then I assign a static DHCP mapping based on their MAC address that assigns them an IP in the “wifi-prison” range. I then block all traffic for addresses in that range. Once I have assigned the static mapping I can clear the block on the AP (this is nice b/c most APs only allow you to block a few MAC addresses at a time). It works pretty well. It’s not foolproof, but it will keep most people at bay.
If you didn’t want another box you could look at getting a Buffalo WIFI router that comes with DD-WRT as its firmware. I’ve heard that the firmware that it comes with is a little dumbed down, but you can flash them with the full dd-wrt. The models that work are listed here. http://www.dd-wrt.com/site/
DD-WRT also has a new feature called Optware (http://www.dd-wrt.com/wiki/
A final option would be to bypass the Optware and just use the ddclient software on a Raspberry Pi attached to the network.
Hopefully some of the suggestions help! 🙂
Can you pass this on to Mitch and Tim. Just listened to Show #149.
I would recommend a Mikrotik routerboard for your DNS issue, Something like a
These are fully feature-packed router/firewalls, just like a Cisco firewall/router. You can do firewall rules on them, NAT, DHCP, VPN, routing, and some come with wifi as well.
More can be found out about the routeros at: http://download2.mikrotik.com/
It can be configured by command line or by a nice little program called Winbox (sorry, it is only Windows software, but I have heard of people running it under Wine).
It has a fully fledged firewall, so you could block DNS requests except for OpenDNS. It just takes a bit of getting your head round how the policy works on the router, but if you have done any iptables/forwarding in Linux you should be able to pick it up quickly. There are loads of resources and a great Mikrotik forum on the web.
I don’t know if your ISP lets you turn the ISP router into a modem, so you can configure the Mikrotik as a PPPoE client and present the static public IP address on one of the Mikrotik interfaces; if not, you would have to configure some kind of double NAT.
Even better, it looks like you can configure the Mikrotik so that if it sees any DNS request coming through the router it will redirect it to OpenDNS for you!!
Hope this helps
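As an added example that is not from any of the emails above: the DD-WRT iptables approach from the first email (block port 53 with exceptions for specific devices) and the "redirect every DNS request to OpenDNS" idea from the Mikrotik email, written as one DD-WRT-style shell startup script. It assumes the LAN bridge is `br0`, uses the two public OpenDNS resolver addresses, and takes device exceptions as a space-separated list of MAC addresses.

```shell
#!/bin/sh
# Added example, not from the emails: DD-WRT style firewall script that either
# drops LAN DNS traffic not bound for OpenDNS (MODE=drop, the first email's
# approach) or rewrites it to OpenDNS (MODE=redirect, the Mikrotik idea).
# Assumed: LAN bridge br0; exceptions keyed by MAC address.
LAN_IF="${LAN_IF:-br0}"
RESOLVERS="208.67.222.222 208.67.220.220"   # OpenDNS resolvers
EXEMPT_MACS="${EXEMPT_MACS:-}"               # devices allowed any resolver
MODE="${MODE:-drop}"                         # drop | redirect

# Exceptions shared by both modes: exempt devices first, then the allowed
# resolvers; anything that falls through hits the chain's final target.
emit_exceptions() {   # $1 = chain, $2 = table
  for mac in $EXEMPT_MACS; do
    echo "iptables -t $2 -A $1 -m mac --mac-source $mac -j RETURN"
  done
  for r in $RESOLVERS; do
    echo "iptables -t $2 -A $1 -d $r -j RETURN"
  done
}

# Print the rules rather than running them, so they can be reviewed first.
build_dns_rules() {
  if [ "$MODE" = redirect ]; then
    table=nat; hook=PREROUTING; final="DNAT --to-destination ${RESOLVERS%% *}"
  else
    table=filter; hook=FORWARD; final=DROP
  fi
  echo "iptables -t $table -N DNSFILTER 2>/dev/null"
  echo "iptables -t $table -F DNSFILTER"
  emit_exceptions DNSFILTER "$table"
  echo "iptables -t $table -A DNSFILTER -j $final"
  for proto in udp tcp; do   # DNS uses both; TCP for large answers and zone transfers
    echo "iptables -t $table -I $hook -i $LAN_IF -p $proto --dport 53 -j DNSFILTER"
  done
}

# "apply" loads the rules; any other invocation only prints them for review.
case "${1:-}" in
  apply) build_dns_rules | sh ;;
  *)     build_dns_rules ;;
esac
```

Hand clients the OpenDNS addresses via DHCP as well, so redirected answers match what they asked for, and remember that MAC-based exceptions and a port-53 filter do not cover a client that spoofs a MAC or resolves over HTTPS (443) or TLS (853).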
To send a voicemail call 707-6PODNUT (707-6763688)
To support Podnutz please use the following links, and remember you don’t pay any extra for using the links !
Podnutz Amazon link (http://www.podnutz.com/amazon
Podnutz Newegg link (http://www.podnutz.com/newegg
Podnutz Ebay (http://www.podnutz.com/ebay)
Podnutz Deals (http://www.podnutz.com/deals)
Podnutz Clothing (http://www.podnutz.com/