I don’t have any immediate need for website filtering but I was curious about the OpenDNS solution so I set up an account and configured the router to use the OpenDNS nameservers. DNS (and DHCP) is handled by dnsmasq. ddclient is used to pass the IP address of the router to OpenDNS so that they can match it with my account in order to block certain domains and provide stats. To stop users getting around the OpenDNS restrictions by configuring a different nameserver on the PC, the iptables firewall is configured not to forward DNS requests (only to proxy them).

Configure ddclient address updater

root@voyage:~# vi /etc/ddclient.conf
# check every 600 seconds
# log update msgs to syslog
# Mail failed updates to user
# record PID in file.

## DynDNS
use=web,, web-skip='IP Address'

## OpenDNS

Restart ddclient in debug mode

root@voyage:~# /etc/init.d/ddclient stop
root@voyage:~# ddclient -daemon=0 -debug -verbose -noquiet -force

Tell dnsmasq to get nameservers from a file (not from the ISP)

root@voyage:~# vi /etc/dnsmasq.conf

Add OpenDNS nameservers to this file

root@voyage:~# vi /etc/resolv.conf.opendns

Restart dnsmasq

root@voyage:~# /etc/init.d/dnsmasq restart

Add firewall rules to the interface startup script

root@voyage:~# vi /etc/network/if-up.d/firewall
iptables -A INPUT -p udp --dport 53 -j ACCEPT # allow inbound DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT # allow outbound DNS
iptables -A FORWARD -p udp --dport 53 -j DROP # do not forward DNS

root@voyage:/var/run/resolvconf# vi /etc/default/dnsmasq
# This file has five functions:
# 1) to completely disable starting dnsmasq,
# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
# 3) to select an alternative config file
# by setting DNSMASQ_OPTS to --conf-file=<file>
# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
# more configuration variables.
# 5) to stop the resolvconf package from controlling dnsmasq's
# idea of which upstream nameservers to use.
# For upgraders from very old versions, all the shell variables set
# here in previous versions are still honored by the init script
# so if you just keep your old version of this file nothing will break.


# Whether or not to run the dnsmasq daemon; set to 0 to disable.

# By default search this drop directory for configuration options.
# Libvirt leaves a file here to make the system dnsmasq play nice.
# Comment out this line if you don't want this. The dpkg-* are file
# endings which cause dnsmasq to skip that file. This avoids pulling
# in backups made by dpkg.

# If the resolvconf package is installed, dnsmasq will use its output
# rather than the contents of /etc/resolv.conf to find upstream
# nameservers. Uncommenting this line inhibits this behaviour.
# Note that including a "resolv-file=<filename>" line in
# /etc/dnsmasq.conf is not enough to override resolvconf if it is
# installed: the line below must be uncommented.
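
A quick audit of the settings this setup depends on, as an added example that is not part of the original post. It assumes the Debian variable name IGNORE_RESOLVCONF for the line the last comment above refers to, and a rules dump saved with iptables -S. It goes one step beyond the post by also checking TCP port 53, since DNS clients can fall back to TCP; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the settings this setup depends on.

# Print the file named by the last active resolv-file= line in dnsmasq.conf.
resolv_file_of() {
    sed -n 's/^[[:space:]]*resolv-file=//p' "$1" | tail -n 1
}

# Succeed if IGNORE_RESOLVCONF=yes is uncommented in /etc/default/dnsmasq.
ignores_resolvconf() {
    grep -Eq '^[[:space:]]*IGNORE_RESOLVCONF="?yes"?[[:space:]]*$' "$1"
}

# Succeed if a rules dump (iptables -S format) has a FORWARD rule that drops
# or rejects port 53 for protocol $2. Rule order is not evaluated.
forward_dns_blocked() {
    grep -E -- "^-A FORWARD .*-p $2 .*--dport 53 .*-j (DROP|REJECT)" "$1" >/dev/null
}

# Run all checks; $1 = dnsmasq.conf, $2 = defaults file, $3 = rules dump.
audit_dns_lockdown() {
    rc=0
    upstream=$(resolv_file_of "$1")
    if [ -n "$upstream" ]; then echo "ok:   upstream servers read from $upstream"
    else echo "FAIL: no resolv-file= in $1"; rc=1; fi
    if ignores_resolvconf "$2"; then echo "ok:   resolvconf is ignored"
    else echo "FAIL: IGNORE_RESOLVCONF=yes not set in $2"; rc=1; fi
    for proto in udp tcp; do
        if forward_dns_blocked "$3" "$proto"; then echo "ok:   forwarded $proto/53 blocked"
        else echo "FAIL: forwarded $proto/53 is not blocked"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample files (not the author's): UDP is blocked, TCP is not.
write_sample() {
    printf 'resolv-file=/etc/resolv.conf.opendns\n' > "$1/dnsmasq.conf"
    printf 'ENABLED=1\nIGNORE_RESOLVCONF=yes\n' > "$1/default"
    printf '%s\n' '-P FORWARD ACCEPT' \
        '-A INPUT -p udp -m udp --dport 53 -j ACCEPT' \
        '-A FORWARD -p udp -m udp --dport 53 -j DROP' > "$1/rules"
}

# Usage: sh audit.sh /etc/dnsmasq.conf /etc/default/dnsmasq rules.txt
if [ "$#" -eq 3 ]; then audit_dns_lockdown "$@"; fi
```

On the router, save the live rules first with iptables -S > rules.txt and pass that file as the third argument.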