
A Software-Free Approach to Blocking Online Porn

Many readers have asked for advice on how to protect their kids from accidentally or purposefully viewing Internet porn, so over the next week or so Security Fix will examine various free methods for helping users block adult Web sites on their home networks.

One ingenious approach comes from OpenDNS. It offers a service to help filter out porn without installing software. Because the service works on a network level, it can easily be deployed across any operating system or network.

OpenDNS filters out Web page requests at the domain name system level. DNS is responsible for translating human-friendly Web site names like "example.com" into numeric, machine-readable Internet addresses. Anytime you send an e-mail or browse a Web site, your machine is sending a DNS look-up request to your Internet service provider to help route the traffic.

Most Internet users use their ISP's DNS servers for this task, either explicitly because the information was entered when signing up for service, or by default because the user hasn't specified any external DNS servers. Once you create a free account at OpenDNS.com, change the DNS settings on your machine, and register your Internet address with OpenDNS, the company will block most porn sites from loading via any browser. Reboot, log back in to your account, and you should be all set.

You can change the DNS settings on each computer in your home. But if your network is behind a wireless router, a speedier and more reliable solution is to change the DNS settings on the router (see this link for instructions broken down by router model). That should cover all of the systems that connect to that router.

I tested the service using Internet Explorer 7 on a Windows Vista machine, but it shouldn't matter which browser or operating system you are using as long as you've correctly changed the DNS settings on that machine or on your router.

I was impressed by how comprehensively it blocked adult sites, with the exception of two fairly significant incidents. OpenDNS lets you pick and choose which broad types of content you want to block, with categories such as lingerie and bikini, nudity, pornography, sexuality, tasteless sites and adult-themed sites.

I tested all of the categories, then set about the thankless task of searching for porn. In my first Google search, for the term "porn," OpenDNS blocked me from 99 of the top 100 results. I was able to access the very first one on the list, which contains an extremely graphic home page. Oops. OpenDNS chief executive Dave Ulevitch confirmed this oversight and said St. Bernard Software, which runs the back-end filtering part of the service, soon would block that site.

The other anomaly I found was Playboy.com. Although the site's homepage doesn't include extremely explicit photos, I was able to click around to some fairly explicit nude videos and still images. Eventually, however, a link I clicked within the Playboy site led me to OpenDNS's "blocked" page. The ads displayed on this page were promoting "Las Vegas Bachelor Party" and "Drag Queens." Ulevitch said the company is still ironing out the....er...kinks in blocking some ads as well.

What does OpenDNS get out of all this? When you mistype a domain or enter a Web site name that doesn't exist, the service will try to determine which site you meant to visit. So, if you accidentally type "linux.cmo," it takes you to "linux.com." But if it can't fix the domain you typed, it serves you targeted text ads. You also can set up the service so that it serves a custom image or message when you mistype a Web address.

The service has a few other useful features. It claims to speed your Web browsing, a claim that I haven't measured but one that has been praised in other media reviews of OpenDNS. Anyway, it doesn't appear to slow things down, except maybe when trying to visit porn sites. In addition, OpenDNS runs Phishtank, an anti-phishing community that works to identify known scam Web sites. Once OpenDNS is deployed, the system will block any attempts to visit phishing sites that Phishtank has verified as scammy.

One final note about the porn filtering service: Computer-savvy teens may find various ways to terminate porn filtering software, but monkeying with DNS settings is quite a bit trickier on a computer or router that's properly locked down. If you have secured your router with a strong administrator password (as you should), a user would have to know that password to change the DNS settings (unless he/she reset the router, in which case one giveaway would be that your router password would no longer work). Similarly, if you've taken my oft-uttered advice and are running Windows under a "limited user" account, regular users should not be able to alter their DNS settings.
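One way to check that the DNS settings described above are still in place on a Windows machine, as an added example that is not part of the original post: it parses `ipconfig /all` output and reports any adapter whose DNS servers fall outside an approved set. The approved resolver addresses, the function names and the sample output are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: OpenDNS's public resolver addresses. Confirm them against the
# addresses listed in your OpenDNS account before relying on this set.
APPROVED = {"208.67.222.222", "208.67.220.220"}

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       192.0.2.53
"""

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False  # new adapter section
            servers[adapter] = []
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S*)", line)
        # Extra servers appear alone on the indented lines that follow.
        candidate = m.group(1) if m else (line.strip() if in_dns else "")
        try:
            addr = ipaddress.ip_address(candidate.split("%")[0])  # drop IPv6 zone
        except ValueError:
            in_dns = False  # blank line or another field ends the list
            continue
        in_dns = True
        if adapter is not None:
            servers[adapter].append(str(addr))
    return servers

def unapproved_resolvers(text, approved=APPROVED):
    """Return {adapter: [servers]} for servers outside the approved set."""
    allowed = {str(ipaddress.ip_address(a)) for a in approved}
    bad = {a: [x for x in s if x not in allowed]
           for a, s in dns_servers_by_adapter(text).items()}
    return {a: b for a, b in bad.items() if b}
```

If the DNS settings were changed on the router instead, clients normally list the router's own address as their DNS server, so add that address to the approved set and check the router's configuration separately.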

By Brian Krebs | June 15, 2007; 2:22 PM ET | From the Bunker, Misc., Safety Tips

Comments

hopefully, it will block goatse :0

Posted by: relayer | June 15, 2007 3:59 PM

This is cool. I love what OpenDNS is doing with DNS. I wouldn't use this for myself, but I could definitely see recommending it to friends who ask about this kind of thing since it's free.

I want the stats they give me to be better and when I emailed their CEO he said they were working to totally redo the way they do stats to make it more useful.

Posted by: Nick Sullivan | June 15, 2007 4:27 PM

OpenDNS must be high-quality if St. Bernard Software is behind it.

Posted by: Demoane | June 15, 2007 5:28 PM

Performance is great.

Features (including Privacy) are great.

Price is right (as in "Free").

What other questions can there possibly be?



Posted by: J. Warren | June 15, 2007 6:55 PM

While not interested in a filter that shuts out pornography - at my age I feel competent to protect myself - I thought I'd check Open DNS to see if it could increase my web-browsing speed. Alas, no significant differences could be observed using a TP test for both TCP and UDP from Stockholm. So can it go....

Henri

Posted by: M Henri Day | June 17, 2007 4:53 PM

This might be useful when the kids are young, but I'd be embarrassed if my kid (when I have one) wasn't smart enough to bypass this regardless of how well the machine had been locked down!
There are plenty of online dns lookup sites eg www.zoneedit.com/lookup.html
So he/she could simply get the IP address there and then connect to the website by IP address. A minor inconvenience.

I think the best way to protect your kids from porn is by teaching them, and placing the pc they use in an open area that is easily seen.

Posted by: Anon | June 17, 2007 8:57 PM

Anon> There are plenty of online dns lookup sites eg www.zoneedit.com/lookup.html So he/she could simply get the IP address there and then connect to the website by IP address. A minor inconvenience.

Uh, yeah, that's actually a pretty major inconvenience for most people, especially if the site is using name-based virtual hosting. And there are plenty of less inconvenient methods than the one you propose. A DNS-based anti-porn strategy is nevertheless useful, especially in the case where the user isn't determined to look at porn, such as when bombarded with unwanted pop-up ads or html email content.

Posted by: antibozo | June 18, 2007 12:30 AM

In my opinion, anyone with the knowledge to bypass the assigned DNS is mature enough to know the penalty. I have a seven year old that watches PS2 videos online, in the living room, with supervision. He makes mistakes typing at times and porn is even included in search results when he does not make a mistake. I have been looking for an easy solution for a while now. This looks very promising to me. When he is seventeen this may not be as valuable to me as it appears now.

Posted by: Will Mars | June 18, 2007 11:28 AM

Porn? I can easily delete that by using filtering! What about the other crap?

Posted by: umm.huh | June 18, 2007 12:00 PM

Aside from the fact that it's utterly foolish to think you can adequately and successfully block porn from the internet, how about instead of trying to censor the last great free frontier of human expression, you teach your children that human sexuality is a good thing?

Speaking as someone who grew up with the internet at its wildest, I can say firsthand that porn doesn't warp fragile little minds, in fact it bolsters a wider understanding and creates more open minded people. Censorship even at its best only does the polar opposite.

Posted by: Devil's Advocate | June 18, 2007 12:36 PM

Devil's Advocate> Aside from the fact that it's utterly foolish to think you can adequately and successfully block porn from the internet,

As has already been stated, it's not requisite to successfully block all porn; the first objective, which this solution addresses effectively, is to minimize the risk of unintended exposure to porn through pop-ups and email spam, or, as Will Mars concisely exemplifies, simple mistyping of URLs. Remember whitehouse dot com?

Devil's Advocate> Speaking as someone who grew up with the internet at its wildest, I can say firsthand that porn doesn't warp fragile little minds, in fact it bolsters a wider understanding and creates more open minded people. Censorship even at its best only does the polar opposite.

As evidenced by your extreme position that the desire to protect children from confusing or harmful content is censorship, or that online porn is a good education on human sexuality? Anyone who thinks that a substantial portion of the online porn content doesn't have the potential to be psychologically harmful to children doesn't know much about developmental psychology. And people who learn sexual technique from online porn are doing themselves and their partners a disservice.

Posted by: antibozo | June 18, 2007 2:16 PM

Hey "Devil's Advocate", this isn't amateur hour. Go make some rabble-rousing AC posts on /. and come back when you get modded up "Insightful".

I think Will Mars hit the nail on the head. This was presented as more effective than it actually is. It really is of little to no use for content blocking, as you could also use an anonymizing proxy to serve content without directly sending a request to the blocked domain. The main use would be to prevent either easy, casual access, or accidental access, to these sites. But if a kid is even smart enough to start in safe mode or use restore points to get around software-based blocking, they are probably aware of proxy servers.

Posted by: The Cosmic Avenger | June 18, 2007 3:40 PM

Brian,

If your wife didn't know about this 'test,' she does now...

Posted by: Ryan Singel | June 18, 2007 5:29 PM

Haha! Yes, Ryan, she knows all about it. She came home the other day and asked how my day was and I sighed, saying I'd surfed for porn the whole day. Not your usual dinner chit-chat ;)

Posted by: Bk | June 18, 2007 6:28 PM

Yes, that should give you a little insight into the lot of the computer forensics people who work on child porn cases. Imagine having to dig through hundreds of thousands of images classifying each one as to what kind of porn it is, in order to build a criminal case--a vile job, and the ones who are saddled with it deserve respect and kind treatment.

Posted by: antibozo | June 18, 2007 7:14 PM

It's pretty easy for a kid to simply use an online dns lookup to get the IP of a site they were trying to access, and then access that site using its IP address rather than domain name. So "monkeying with DNS settings" is actually pretty easy, easier than disabling filters.

Posted by: Anon | June 18, 2007 7:30 PM

Anon> It's pretty easy for a kid to simply use an online dns lookup to get the IP of a site they were trying to access, and then access that site using its IP address rather than domain name.

Yes, I think we already dispensed with that argument above. Did you read the earlier posts?

Posted by: antibozo | June 19, 2007 12:36 AM

When you try to suppress the curiosity of a young mind, you immediately peak that curiosity with the obvious long term effect of turning young minds into staunch rebellious minds at an earlier age. Have we all grown so old and fusty that we've forgotten what that feels like! And we all run the risk of being found out as hypocrites, (young mind = sharp enquiring mind) people in glass houses and all that. Better to direct and teach through clear and honest information rather than suppression and prohibition... My answer is do without filtering altogether, as it's the easy lazy option for lazy parents.

Posted by: stephen | June 19, 2007 11:24 AM

SECURITY FIX?

When you try to suppress the curiosity of a young mind, you immediately peak that curiosity with the obvious long term effect of turning young minds into staunch rebellious minds at an earlier age. Have we all grown so old and fusty that we've forgotten what that feels like! And we all run the risk of being found out as hypocrites, (young mind = sharp enquiring mind) people in glass houses and all that. Better to direct and teach through clear and honest information rather than suppression and prohibition... My answer is do without filtering altogether, as it's the easy lazy option for lazy parents.

Posted by: stephen clarke | June 19, 2007 11:29 AM

stephen clarke> My answer is do without filtering altogether, as it's the easy lazy option for lazy parents.

I see, so you think if parents are unable to keep their children from receiving pornographic spam, and unable to prevent them from accidentally mistyping a URL and landing on a porn site, they're being lazy. And you think that exposing five-year-olds to online rape, bondage, and torture porn will pique (not "peak") their curiosity, rather than confuse or harm them. Am I misrepresenting your views here?

Posted by: antibozo | June 19, 2007 1:30 PM


©  The Washington Post Company