Wednesday 9 September 2015

Using OpenDns on a Huawei HG533 router

Why would I want to do this?

OpenDns is one of the best ways (if not the best) to restrict access to content you are not comfortable having available on your network. Whether you are a parent who doesn't want your kids seeing porn, a school or institution that wants to ban anything that might upset anyone, or just someone who wants to block irritating websites that load up your Windows PC with malware, OpenDns is a free (for personal use), independent, configurable solution.

The instructions below are for the HG533 Router but if you are trying to work out how to set this up on any other router the basic principles should still be the same even if some of the specifics are different.

Step 1 - Setting up the DNS server configuration

Step 1.1 - Point your router to the OpenDns DNS Servers

You can do this even if you don't have an OpenDns account but that won't give you any control over the content accessible over your router. All that will happen is that you will use the OpenDns DNS servers which are good but meh! 

Go to the router page on your LAN. This is normally 192.168.1.1 but you may have changed it.

Log in as the admin user using your password (make sure you change this from the default or all the stuff below will be pointless).
  1. Go to the Basic LAN section
  2. Change the Primary and Secondary DNS settings to the OpenDns servers 208.67.222.222 and 208.67.220.220 respectively. These are the DNS settings given to computers that connect to your router. Make sure you are in the LAN section not the WAN section as there is also a place for DNS settings there.
  3. Check your config is working by going to - https://store.opendns.com/settings

Step 1.2 - Get an OpenDns account and block whatever content you like

The next step, if you don't already have one, is to set up an OpenDns account (I'm not going to document this - just go to OpenDns.com, set up a free account and choose which content you want to block).

Step 1.3 - Configure your router to tell OpenDns what your IP is

If you have a fixed (static) public IP (which most people don't) then you can ignore this step as you will already have configured your OpenDns account with your IP address. If on the other hand, like most of us, you have a Dynamic IP that changes on the whim of your internet provider then you need something to keep OpenDns informed whenever it changes. 

You can do this in a number of ways but I think the best way is to get your router to do it auto-magically via dns-o-matic. I have had some issues getting this to work but it seems to be working now that I've upgraded to version 1.20t of the router firmware (we'll see).
  1. Create a dns-o-matic account (https://www.dnsomatic.com/)
  2. Add the OpenDns service to your account
Then go back to your router to point it at the dns-o-matic account you've just created:
  1. Go to the Advanced -> DDNS section 
  2. Set Service Provider to "Others"
  3. Set host to "all"
  4. Set domain to "dnsomatic.com"
  5. Set username and password to the values you entered when creating your dns-o-matic account
  6. Set server to "dnsomatic.com"
  7. Set port to "80"
  8. Set protocol to "GNUDip.http"
  9. Set service name to something appropriate (I used "dnsomatic")
  10. Submit your config
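The router's DDNS client in Step 1.3 does one job: it tells DNS-O-Matic your current public address so that OpenDns applies your settings to it. The script below does the same from a cron job on any always-on machine on the LAN (a small Linux box, NAS or Raspberry Pi), which is handy when the router's own client misbehaves. It is an added example, not code from this post and not the HG533's DDNS client. It assumes curl and dig are installed, reads the DNS-O-Matic credentials from environment variables named DNSOMATIC_USER and DNSOMATIC_PASS (names I chose), uses the updates.dnsomatic.com/nic/update endpoint quoted in the comments on this post over HTTPS, and recognises the DynDNS2-style reply words (good, nochg, badauth, ...) that DNS-O-Matic returns. The opendns_node helper also covers the check at the end of Step 1.1: it pulls the answering node name out of a `dig +short txt debug.opendns.com` response, which is empty if OpenDns is not in the resolution path.

```shell
#!/bin/sh
# dnsomatic-update.sh: keep DNS-O-Matic (and through it OpenDns) informed of
# this network's public IP. Added example; not the HG533's DDNS client.
# Assumes: curl, dig; DNSOMATIC_USER / DNSOMATIC_PASS set in the environment.

UPDATE_URL="https://updates.dnsomatic.com/nic/update"   # endpoint from the comments, over HTTPS
STATE_FILE="${STATE_FILE:-$HOME/.dnsomatic-last-ip}"    # remembers the last address we pushed

# Step 1.1 check: which OpenDns node answered? Reads `dig +short txt debug.opendns.com`
# output on stdin and prints the node name, or nothing if OpenDns is not in the path.
opendns_node() {
  sed -n 's/^"server \([^"]*\)".*/\1/p' | head -n 1
}

# Ask OpenDns's own resolver which address it sees us coming from.
current_public_ip() {
  dig +short myip.opendns.com @resolver1.opendns.com
}

# Map a DynDNS2-style reply to an outcome: 0 = updated or already current,
# 1 = account/host problem (fix the configuration, do not retry blindly),
# 2 = transient problem (retry on the next run). Reply words as documented
# for the DynDNS2 protocol; this mapping is my own.
classify_response() {
  case "$1" in
    "good "*|"nochg "*)                   echo "ok: $1";          return 0 ;;
    badauth|notfqdn|nohost|numhost|abuse) echo "fatal: $1";       return 1 ;;
    *)                                    echo "retry later: $1"; return 2 ;;
  esac
}

# Contact DNS-O-Matic only when the public address has actually changed.
# hostname=all updates every service attached to the DNS-O-Matic account,
# which is what "host = all" in the router form means too.
update_if_changed() {
  ip=$(current_public_ip)
  [ -n "$ip" ] || { echo "could not determine public IP" >&2; return 2; }
  last=$(cat "$STATE_FILE" 2>/dev/null)
  if [ "$ip" = "$last" ]; then
    echo "unchanged: $ip"
    return 0
  fi
  resp=$(curl -sS -u "$DNSOMATIC_USER:$DNSOMATIC_PASS" \
    "$UPDATE_URL?hostname=all&myip=$ip&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG")
  rc=0
  classify_response "$resp" || rc=$?
  [ "$rc" -eq 0 ] && echo "$ip" > "$STATE_FILE"
  return "$rc"
}

# Run from cron, e.g. every 10 minutes:  */10 * * * * /path/dnsomatic-update.sh run
if [ "${1:-}" = "run" ]; then
  update_if_changed
fi
```

Only a changed address triggers an update; DNS-O-Matic (like OpenDns itself) treats repeated identical updates as abuse, so the state file matters. A "fatal" reply means the username, password or service configuration is wrong and re-running will not help.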

Step 2 - Enforcing the use of the DNS config

By doing step one the OpenDns servers will be used for DNS lookups and inappropriate content will be blocked based on your OpenDns settings. BUT anyone can override this by changing the DNS configuration on their PC or other device.

To ensure that they can't do this, and that your OpenDns blocking is always adhered to, you need to do some firewall configuration.

Step 2.1 - Block port 53

First you need a blanket ban on the use of port 53. To do this:
  1. Go to the Advanced -> Firewall section and click on the "Application Filtering" option.
  2. Select DNS from the application drop down
  3. Set status to reject
  4. Click submit

Step 2.2 - Open your firewall for OpenDns

You have now blocked all DNS traffic, so nothing can get out. This isn't what you want, so...
  1. Still in the Advanced -> Firewall section, click on "IP Filtering"
  2. type in a rule name (I called mine "OpenDns")
  3. set protocol to UDP
  4. set destination start address to 208.67.220.220
  5. set destination end address to 208.67.222.222
  6. set destination start and end port to 53
  7. set priority to something high (I used 253)
  8. set status to "Accept"
  9. set input interface to "All"
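Step 2 boils down to two firewall rules: drop everything headed for port 53, then punch a hole for the two OpenDns addresses. The script below expresses the same policy for a Linux gateway with iptables, so you can see the rule order outside the HG533's web form. It is an added example, not HG533 configuration and not from this post. It assumes the LAN-facing interface name is in LAN_IF (br0 is a guess; `ip link` shows yours), covers TCP 53 as well as UDP 53 (the IP-filter rule above is UDP-only, and DNS uses TCP 53 for large answers), and adds a second mode, redirect, that sends stray DNS queries to OpenDns instead of rejecting them. With DRY_RUN=1 it prints the iptables commands rather than applying them.

```shell
#!/bin/sh
# Step 2 on a Linux gateway: refuse DNS from the LAN unless it goes to OpenDns.
# Added example (iptables), not HG533 configuration. Assumes the LAN-facing
# interface name in LAN_IF (br0 is a guess; use `ip link` to find yours).
LAN_IF="${LAN_IF:-br0}"
OPENDNS_SERVERS="208.67.222.222 208.67.220.220"   # the two addresses from Step 1.1

# With DRY_RUN=1 the rules are printed instead of applied, so they can be reviewed.
ipt() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Steps 2.1 and 2.2 together: ACCEPT rules for OpenDns first, then a catch-all
# REJECT. Both UDP and TCP are covered, because DNS falls back to TCP 53 for
# answers that do not fit in a UDP packet; an exception that only allows UDP
# would break those lookups, and a block that only covers UDP would leave TCP
# 53 open to any other resolver.
apply_dns_rules() {
  for proto in udp tcp; do
    for server in $OPENDNS_SERVERS; do
      ipt -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -d "$server" -j ACCEPT
    done
    # REJECT (ICMP error) rather than DROP, so a misconfigured client fails
    # fast instead of waiting for a timeout on every lookup.
    ipt -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j REJECT
  done
}

# Alternative to rejecting: transparently send stray DNS queries to OpenDns.
# Devices with a hard-coded resolver keep working but still get your OpenDns
# policy. ACCEPT in the nat table just means "leave this packet alone".
apply_dns_redirect() {
  primary="${OPENDNS_SERVERS%% *}"
  for proto in udp tcp; do
    for server in $OPENDNS_SERVERS; do
      ipt -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -d "$server" -j ACCEPT
    done
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j DNAT --to-destination "$primary"
  done
}

# Usage: DRY_RUN=1 sh dns-policy.sh reject    (review)
#        sh dns-policy.sh reject              (apply; needs root)
#        sh dns-policy.sh redirect            (redirect mode instead)
case "${1:-}" in
  reject)   apply_dns_rules ;;
  redirect) apply_dns_redirect ;;
esac
```

Rule order is the whole point: iptables, like the router's priority field, evaluates rules top to bottom and stops at the first match, so the OpenDns ACCEPT rules must sit above the REJECT or they never fire. Port 53 rules only govern plain DNS; a resolver that speaks DNS over TLS (port 853) or DNS over HTTPS (port 443) is outside this policy and needs its own.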

And there you go!

So it took me a while to work this out and although the information is around on the internet I couldn't find it all in one place in a way I could understand. Hopefully other people will find this useful. If you have any suggestions for improving the configuration or if I've made a mistake somewhere please post comments.

11 comments:

  1. Thanks Dave, this helps me a lot!

    1. No problem. Did you get the dnsomatic stuff working? Mine still doesn't work properly.

  2. Thanks for your post.
    In my HG532d I had to set server to "http://updates.dnsomatic.com/nic/update" and it worked.

  3. Thanks, but both methods do not work on HG532f

    1. Let me know what isn't working, and I'll see if I can help

    2. This comment has been removed by the author.

  4. Hi,

    Does anyone have a link or could send me the 1.20t firmware update/file. I am no longer with talk talk and want to use this router as an access point. I can't seem to find it online and can't get any sense out of talk talk about it... :(

  5. This comment has been removed by the author.

  6. Can you still confirm it is working? I did exactly the same but it is not working for me. My router is hg253s but the settings for ddns seem exactly the same.

  7. I'm sharing the configuration for a HG8245Q2 Huawei Router with Dnsomatic and OpenVPN as follows.

    1.- Go to the "Network Application" -> DDNS section
    2.- Set Service Provider to "dyndns-custom"
    3.- Set host to "updates.dnsomatic.com"
    4.- Set domain to your "alias" in dnsomatic.com
    5.- Set username(full email) and password to the values you entered when creating your dns-o-matic account
    6.- Set port to "80"
    7.- Submit your config

  8. Excellent article. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking. 192.168..49.1
