It’s always DNS. DNS is one of those things that is a corner stone of the internet, but most people are completely unfamiliar with. When the internet was created way back in the olden times, people would connect to computers over the internet directly using the IP address. For example, in the dawn of the internet if you wanted to connect to google, which did not exist – you would need to type 18.104.22.168.
Well somehow that didn’t catch on and people invented DNS Servers. Essentially every time your computer looks for google.com, it asks your router for directions. If your router doesn’t know it will send the request off to someone who does – usually a public DNS server. By default, your ISP will be nice enough to provide theirs for you, but some other companies are willing to provide this sort of service also.
Google’s DNS is very popular, 22.214.171.124 and 126.96.36.199.
At DigiLAN we use OpenDNS – 188.8.131.52
OpenDNS is a great service for families and anyone who wants to block website categories on their home network. The base product is a free preconfigured Family Shield that will block adult content.
We are using the OpenDNS Home VIP – this allows customization, usage stats, ability to whitelist sites. DigiLAN currently only prevents the worst things of the internet from getting through. OpenDNS does not block any advertisements and while I don’t have anything against unobtrusive ads, a few really bad apples make me take drastic measures against online advertising.
I found another blog writing about Pi Hole, a DNS filter for your network that will block advertisements across all devices using your network. Seems like a great plan.
Running an Active Directory server, I want to continue to have that be my primary DNS server. Remember when your computer asks where things are locally before going out? There are several internal only sites at DigiLAN. Unifi.digilan.org will not work outside of the network but will work internally. The computers still need to check with Digilan-DC first.
Forward lookup zones is the way to do this! In the DNS settings on each domain controller, I setup a forward lookup zone that will also check with my Pi Hole. Pretty much now the conversation goes like this.
Computer: Hey there Domain Controller do you know where malware-advertisements.xyz is?
Domain Controller: Nope, check with my good friend Pi Hole.
Pi Hole: oh yeah that doesn’t exist.
Computer: There were no ads to display here after all.
If the request is not filtered out by Pi Hole, it will forward the request to OpenDNS – and if it matches that filter the content will be blocked.
Now there is a lot of conversations going on each and every second of the day between your computer and DNS servers (and thus other computers on the internet) that we don’t really even know about. Turns out computers like to talk to each other, a LOT. In the 10 hours that my Pi Hole has been setup I haven’t seen anything super crazy, but our devices have made 13,900 requests and Pi Hole has blocked 1800 of them.