We’re launching a powerful new feature today. We are giving you the power to block specific websites. That means you can keep your computer, your house, your office and anything else that uses DNS from reaching domains that you don’t want to load. Oh, and best of all: this service is totally free.
When customers started to ask for this feature, we wondered who would want it. The geeks here in the office remarked that this kind of blocking would be trivial with a Linux server and some proxy/filtering software installed. Then it quickly dawned on us. (Eureka!) It’s not just mom and dad at home who have no easy way to block an individual domain; it’s also network administrators at offices. Network administrators can now block problem domains for their entire office in a simple way, without having to pay thousands of dollars in new hardware and time to achieve similar functionality. Does your ISP’s DNS server let you do this?
Blocking domains is really easy. Here’s how you do it:
- Sign in to your OpenDNS account and make sure you have a network configured.
- Go to the Networks tab in your account and click on the Settings icon for your network.
- Click on the Blocked domains link and add a domain to be blocked.
You can delete or edit blocked domains on that same page. When you block a domain you block what is technically called a “zone.” This means it also blocks all sub-domains. Here’s an example. If you block craigslist.org then you’ll also be blocking la.craigslist.org (Craigslist Los Angeles) and sfbay.craigslist.org (Craigslist San Francisco), etc. If, instead, you just blocked newyork.craigslist.org then the rest of the Craigslist properties would load just fine.
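The zone rule above can be sketched as follows. This is an added example, not OpenDNS's code; the function names and the sample block list are hypothetical. It matches label by label and also covers IP literals and whole-TLD entries, both of which come up in the comments below.

```python
import ipaddress


def normalize(name):
    """Lower-case a DNS name and drop the root dot and any leading dot."""
    return name.strip().lower().strip(".")


def matching_zone(hostname, blocked_zones):
    """Return the blocked zone that covers hostname, or None.

    A zone covers itself and every name beneath it, compared label by
    label, so "craigslist.org" covers "la.craigslist.org" but not
    "notcraigslist.org".
    """
    host = normalize(hostname)
    try:
        ipaddress.ip_address(host)
        return None  # IP literal: no DNS query is made, so no zone applies
    except ValueError:
        pass
    zones = {normalize(z) for z in blocked_zones} - {""}
    labels = host.split(".")
    # Walk from the full name up to the TLD: a.b.c, then b.c, then c.
    # The most specific blocked zone is therefore reported first.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


# Constructed sample block list (assumption, for illustration only)
BLOCKED = ["craigslist.org", ".cn"]

if __name__ == "__main__":
    for name in ["la.craigslist.org", "SFBay.Craigslist.org.",
                 "notcraigslist.org", "example.cn", "64.233.167.99"]:
        print(f"{name:24} -> {matching_zone(name, BLOCKED)}")
```
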
When you try to visit a domain that is blocked in your network you’ll see a page that looks like this:

Since this is your network, we will show your logo on the blocked page, just as we do on the Guide pages. What? You haven’t uploaded your own logo yet? Go do it now, and go block some domains!
Let us know what you think!




Manuzhai
This is nice, but what I’m really running into more and more is that I’d like any domain example.org where example.org doesn’t exist but www.example.org does a redirection to the latter address. Of course, this could be optional, but I still don’t see any downsides (I suggested it some time ago, it was said you were looking into it). Any news on that?
posted on May 13th, 2007 at 10:36 pm
Mysterious1der
Since OpenDNS is a DNS service (and a darned good one at that!), not a true content filtering service, does that mean that typing IP addresses into your address bar will still work?
I don’t mean to be a naysayer since I love you guys and I’m glad to see all the new features, but I think people should know where the holes in the blocking are.
**Update: Just tested this feature: I was able to block google.com, but not http://64.233.167.99
posted on May 13th, 2007 at 11:02 pm
Martin
Of course, if someone decides to go get the IP from another source (a website, another DNS server, their home pc), this won’t do anything….
posted on May 13th, 2007 at 11:35 pm
Deep
Wooooooooooooooow … thanks a lot for this amazing addition and also giving it out for free …. ….
I wish you all the best … a big ~~*HUG*~~ for all you there …
posted on May 14th, 2007 at 1:47 am
Adam
I like it
But, any possibility to make it not so obvious? lol.
Lately, I’ve just been using HOSTS files across all 3 computers, to restrict access to certain domains by routing them to 208.69.32.133 (internet bad guys) and I just sorta “play stupid” and blame it on the ISP
posted on May 14th, 2007 at 2:58 am
Sam
As a network administrator this is very useful, thanks!!
posted on May 14th, 2007 at 4:27 am
IanP
Surely I can do this already just by adding a filter into my routers.
posted on May 14th, 2007 at 5:15 am
Dougie Lawson
Wow, thanks for this. I had been doing this with
zone "bad-nasty-domain.com" { type master; file "db.block.addr"; };
in my /etc/named.conf
and a dummy zone file
$TTL 24h
@ IN SOA machine.my-own-domain.co.uk. admin.machine.my-own-domain.co.uk. ( 1 86400 300 604800 3600)
@ IN NS my-own-domain.co.uk.
@ IN A 127.0.0.1
* IN A 127.0.0.1
I like your system better, it’s easier to manage (more dynamic) and I can be sure my kids’ machines will get blocked since they get the OpenDNS addresses from my home router. I can take my home server out of that config (if I choose). They also won’t moan so much if my home server is unavailable.
Thank you.
posted on May 14th, 2007 at 7:08 am
David Ulevitch
IanP,
You might be able to do this on your own router… as I point out in my post… but it’s complicated and a PITA. Why not make your life easier?
posted on May 14th, 2007 at 7:40 am
dennyhalim.com
I have at least a few hundred bad domains I like to block.
Entering them one by one will take … a few days if I’m doing just this one thing….
posted on May 14th, 2007 at 10:28 am
John Roberts
@dennyhalim - domain blocking isn’t for hundreds of domains. It’s a pinpoint, precision tool. It’s not a category filter, like our phishing protection or our adult filtering (in the works). As we watch how people use the feature, we’ll adjust the limits or decide what else needs to be done.
@Martin - by definition, yes, IP addresses don’t go through DNS. But how many people want to fight through that? There’s a reason we all depend on DNS — IP addresses are no fun to remember/track down, and they change.
posted on May 14th, 2007 at 4:20 pm
Andy
Do you have any plans to make a feature that makes an exception to that block? Like, I use myspace, but I don’t want my little brother on myspace; he is too young to be on it. Any way to do that?
posted on May 14th, 2007 at 7:02 pm
pdabr
WOOT!
This now means that I can block all of .cn and .ru from my mum’s connection, and also occasionally add suspicious domains we see reported in various security fora.
posted on May 14th, 2007 at 7:57 pm
John Roberts
@Andy - we’ll consider additional complexity in the future. Keeping it nice and simple for now.
@pdabr, you just made my colleague David very happy, based on an internal discussion about how much flexibility w/r/t TLDs should be provided. Have fun.
posted on May 14th, 2007 at 9:13 pm
links for 2007-05-15 « insignificant thoughts
[…] OpenDNS Blog » Block the bad guys with OpenDNS! Domain blocking at the DNS level made REALLY easy. I really love OpenDNS. (tags: opendns, security, internet, networking) […]
posted on May 15th, 2007 at 12:22 am
Dragos Lungu Dot Com
Domain blocking with OpenDNS - Free URL Filtering ?…
OpenDNS has added a new interesting feature to their free DNS resolution service. It’s about domain blocking. It may seem a poor man’s URL filtering solution.
……
posted on May 15th, 2007 at 8:22 am
Andy
how well does this protect against PROXYs?
posted on May 15th, 2007 at 3:08 pm
Ansi
How about providing an option for admins to see a blocked website after typing in a password?
example. parents want to use myspace.com but not for their kids?
posted on May 16th, 2007 at 3:59 pm
Jack
Great work guys, another fantastically helpful feature!!
posted on May 23rd, 2007 at 6:20 am
Claude Gelinas
If many users block a specific web site, will you take the hint and block it for everyone else, as a “preventive measure”?
Are everyone’s entries truly private?
posted on May 25th, 2007 at 9:22 pm
Gnarlodious
Great! You rock! Hope this feature expands to take over the internet!
posted on May 28th, 2007 at 2:25 am
Tim Thein
It’s a nice feature but using it created a few unexpected results. Internet Explorer complains about security certificate errors when accessing a web page using secure http and the web page contains references to blocked domains. For example, when I sign into BankOfAmerica.com to view my account, the web page has a few references to doubleclick.net which I blocked because that domain is a big source of web advertisements.
posted on June 5th, 2007 at 12:00 am
Christoph
So I blocked a couple advertising servers (doubleclick.net, atdmt.com, and advertising.com are the top offenders).
But something I noticed is that they still show up in the Top Domains Resolved list. Is this intentional? Perhaps a new list is needed called something like Top Domains Blocked. Otherwise the blocked domains just spam the normal Top Domains Resolved list.
(For me, ad.doubleclick.net, view.atdmt.com, and servedby.advertising.com still show up in my Top Domains Resolved list)
posted on June 6th, 2007 at 12:24 pm
John Roberts
@Christoph, reasonable point. It’s not intentional, but it’s something we’ll take a look at.
posted on June 7th, 2007 at 12:04 pm
theo
Perhaps OpenDNS should consider a menu of blockable sites. For example, the military regularly configures its firewalls to block outbound traffic to domains in hostile countries, under the assumption that any traffic bound to them is generated by malware or trojans - or spies. One possible drawback - such malware may rely on IP addresses, and not require DNS lookup.
Great service, guys…keep it up.
posted on June 22nd, 2007 at 3:09 am