Filtering Websites With Ubiquiti Security Gateway And OpenDNS

Overview

The Unifi Security Gateway (USG) can be set up to hand out a custom DNS server to clients. The DNS server itself then performs the blocking, based on the sites that people and devices look up.

Pre-Requisites

Beyond a working Unifi setup and controller, the following are needed for everything to work:

OpenDNS can be set up to filter out categories of sites. This relies on OpenDNS being accurate and catching all sites in those categories.

DNS O Matic will update OpenDNS with your current public IP address, which is needed for dynamic IP addresses (typical for home / consumer broadband). If you have a static IP then you can skip this part.

OpenDNS

Follow the instructions to add a network as per OpenDNS’ getting started guide. Make sure Dynamic IP is set to yes so it can be updated using DNS O Matic.

[Screenshot: OpenDNS Advanced Settings]

Once complete, the filtering can be set up as per this guide. I’d recommend also adding a known individual site to the block list for testing purposes.

DNS O Matic

Go to “YOUR SERVICES” after logging in and follow the steps to “Add a service”, selecting OpenDNS from the dropdown. It will prompt you to log into OpenDNS.

[Screenshot: DNS O Matic services]

Unifi Controller

Go to Settings > Services > Dynamic DNS and add your DNS O Matic credentials as shown below.

[Screenshot: Unifi-DYNDNS-Settings]

Then, for each network where you want to apply the OpenDNS filtering, go to Settings > Networks > [Select Network].

Change the DHCP Name Server setting to “Manual” and enter the OpenDNS IP addresses.

[Screenshot: Unifi-DYNDNS-Settings]

Test Setup

It will take time for the settings to take hold, depending on your DHCP lease time. The fastest way to pick up the change is to leave the network and rejoin, e.g. by toggling airplane mode on and off.

Then browse to the site you blocked in OpenDNS and check whether you can still reach it. Any changes made in OpenDNS will also take some time to propagate.
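A quicker way to confirm the two things this test depends on is to check them from the client directly: first, that the resolvers the device received via DHCP are the OpenDNS ones (a leftover non-OpenDNS resolver in the list would let lookups bypass the filter entirely), and second, how the blocked test site resolves when OpenDNS is asked. For a filtered site OpenDNS answers with the address of its block page instead of the site’s own address, so the two lookups differing is what you want to see. The script below is an added example and not part of the original post; it assumes a Linux or macOS client whose DHCP-assigned resolvers are written to /etc/resolv.conf, that UDP port 53 to OpenDNS is reachable, and uses OpenDNS’ well-known public IPv4 resolvers (208.67.222.222 and 208.67.220.220). It speaks DNS directly with the standard library so nothing extra needs installing.

```python
# Added example (not from the original post): check that a client picked up the
# OpenDNS resolvers via DHCP and see how a test domain resolves through OpenDNS.
# Assumptions: Linux/macOS client with DHCP-assigned resolvers in /etc/resolv.conf,
# and UDP/53 to OpenDNS reachable. The addresses below are OpenDNS' public resolvers.
import os
import socket
import struct

OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def uses_opendns(nameservers):
    """True only if every configured resolver is OpenDNS.

    One non-OpenDNS fallback resolver is enough for lookups to escape the
    filter, so a mixed list is reported as not filtered.
    """
    return bool(nameservers) and all(ns in OPENDNS_RESOLVERS for ns in nameservers)


def build_query(hostname, txid):
    """Build a minimal DNS A query (recursion desired) for hostname."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid):
    """Return (rcode, [IPv4 addresses]) from a DNS response to our query."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            addresses.append(socket.inet_ntoa(rdata))
    return rcode, addresses


def resolve_via(resolver_ip, hostname, timeout=3.0):
    """Ask one specific resolver for hostname's A records over UDP/53."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(hostname, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


# Constructed sample response (example.com -> 93.184.216.34) so the parser can be
# exercised offline; the answer's name is a pointer back to the question name.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    import sys
    # Pass the site you added to the OpenDNS block list as the first argument.
    test_site = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    with open("/etc/resolv.conf") as f:
        servers = parse_resolv_conf(f.read())
    print("DHCP-assigned resolvers:", servers)
    print("All resolvers are OpenDNS:", uses_opendns(servers))
    for resolver in sorted(OPENDNS_RESOLVERS):
        print(resolver, "answers for", test_site, "->", resolve_via(resolver, test_site))
```

Run it as `python3 check_opendns.py blocked-test-site.example` after rejoining the network. If the resolver list is not all OpenDNS, the DHCP change has not reached this client yet (or the client has its own DNS configured, which the USG setting cannot override). If the addresses OpenDNS returns for the test site match the site’s real address, the block has not propagated on the OpenDNS side yet.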

Summary

OpenDNS provides basic filtering for free. All of this is delivered through the existing DHCP mechanism on your network, so it is almost a set-and-forget action.

A more powerful, but also more complex, solution would be to host your own resolver using something like Pi-hole, which lets you see a history of DNS queries and take the appropriate allow or block action.

Of course, there is no reason not to use each one on different networks to provide different levels of filtering.

About Danny

I.T. software professional, always studying and applying the knowledge gained, and one way of doing this is to blog. Danny also participates in a part-time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premises. Dedicated to I.T. since studying pure Information Technology from the age of 16, Danny Tsang is working in the field he has aimed for since leaving school. This entry was posted in Networking.
