Is it possible to build a recursive dns server in order to improve parental internet controls

Discussion in 'HOWTO-Related Questions' started by adamjedgar, Aug 15, 2020.

  1. adamjedgar

    adamjedgar Member

    Hi guys,
    I have kids with windows 10 laptops who regularly are able to bypass our microsoft family parental controls on these laptops.

    I wondered about the idea of building a dns server and using that as a means of restricting content/urls and even user access time available to them.

    on another forum, a responded talked about the idea that control panels usually are setup as authoritative dns, whereas i need to look at recursive dns for this...but it was also mentioned that my idea of setting up or using dns as a means of control was a good idea.

    Essentially what i would be doing is pointing all dns settings on the laptops (using my administrator account in windows) to restrict the available dns servers in networking on those laptops such that they access the internet via dns that i personally control. Kids accounts dont have access to this so they cant change the dns settings that are used for internet browsing...

    Since this website has a lot of tutorials associated with it, I am wondering if there is anything in the tutorials list or, does anyone have any advice on how i might use my own cloud servers, or extend my existing knowledge in configuring and setting up webhosting servers, to achieve my goal with family parental controls?

    My research thus far has lead to me to something like

    Any advice/thoughts hints on this?
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You could use pi-hole for this and block custom domains. But in my experience, if kids want to get around something, they will. Depending on how old they are, it's probably better to educate them about online risks :)
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  4. adamjedgar

    adamjedgar Member

    trying to educated kids into not biting a "dangling carrot" is about as successful as it would be with a horse :p

    yes i have been looking at Opendns and it shows a lot of promise. I have one issue though...we use a Telstra smart modem which as far i can figure, does not allow me to manually set dns name server ipaddresses (can you believe that?).

    My only option is to manually do it via networking settings on each windows10 laptop. Doable, but a pain really because kids could get around this and since the laptops only connect to internet via wifii, its so much more robust a solution to use the modem for control at home.

    Now before you say, get another modem...we need the smart modem because of its simcard. We live in the bush and reguarly trees come down knocking out our internet line...the ability of the smart modem to automatically switch over to its cellular network is brilliant...sooo,

    any ideas on how i can get around the problematic modem? (is there a way to hack its firmware or can anyone think of another alternative?)
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Why? In my experience, kids can learn this and even if you block as much as you can, they can still come across something bad.

    You could also try Cloudflare's DNS for family's though:
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Actually I am looking into this as well but I am still researching and have not implemented anything yet. My idea for now is to have dual account for windows i.e. admin and guest where the later is for the kids with limited abilities in accessing internet and installing softwares.
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    why not go in the other direction. instead of trying to restrict what they can see, let them look at whatever they want.

    their viewing history is logged on that pc, even when using in-private browsing. just have your own always-on machine somewhere, and using admin policies to send all logging to this machine as a central log server. some internet routers will also let you log all activity that goes through it, with source and destination urls.
    just knowing you can see exactly what pages they were looking at, on what pc, and at what time should be more of a deterrent to them deliberately looking up dodgy stuff. and it has the added bonus that the logging should continue even if they bypass your family restriction filters or use a vpn to bypass your dns settings. plus if you can give the logging server a public ip address (even just port forwarding from the internet router), and the machine policies are applied to that computer regardless of network membership, you could even still get their internet activity logs when they're out using other networks for internet access. (they *really* won't expect this, so it's probably best to keep that one up your sleeve until they really drop themselves in the brown stuff.)
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Useful discussion so far, I agree with the opinions posted but understand there are pros and cons.
    Just one more possible solution for thinking about. I have not implemented the restrictions, but have set up my own name servers for intranet use.
    1. set up your own DNS server (or two if HA is worthwhile) in the intranet and configure all computers to use it
    2. I think the default at least for Bind is recursive server, so it resolves all addresses.
    3. get file and make a script to copy that info to a zone file
    4. enjoy, hosts in intranet can not by hostname access any of hosts in that blacklist
    The Steven Black list is meant to be used in /etc/hosts file (or equivalent file in Windows, Wikipedia knows where file is in different Windows versions). Easy way is to copy it to each host, but for example Android phones and tablets do not allow that unless device is rooted.
    Maybe you are already using DHCP server to serve network settings to all intranet hosts. The DNS server hosts could also be DHCP servers (it can be set up as two hot spare servers at least in Debian) to maybe get more control on what settings are sent to intranet hosts.

Share This Page