Originally Posted by Saab Dastard:
The thread topic has been expanded by Tableview, so there are 2 questions being discussed
And therein lies the problem inherent with reading threads on an iPhone screen! Apols all.
As long as the "lodgers" have admin rights to their PCs, there's no way of preventing them from inserting whatever DNS servers they want in their IP config, and simply bypassing what's in the router or ISP.
If you could block outbound DNS queries on the home router and use the router as a DNS forwarder that could work, but there aren't many home router/firewall/switch/adsl modems/WAPs that support that level of functionality. And as has already been noted, on some home devices you can't even specify a DNS server!
Creating 2 rules in cascade, one specifically ALLOWing port 53 to 208.67.220.220 and 208.67.222.222 and then a second rule specifically DENYing all access to port 53 should sort all but ubergeek access to DNS on the LAN. Giving out the aforementioned OpenDNS servers via DHCP would then render any config change other than a mass 'hosts' file edit impractical.
Coupling that with a little legalese surrounding the computer misuse act in the tenancy agreement, and you can practically solve the problem for the home user.
Most routers with a built-in firewall have this ability. Certainly the Netgear, Draytek, Linksys, etc. consumer range do (all bets are off with the HomeHub!)
Both Mixture and PeterH suggest that you would actually have to provide a separate access method for "lodgers" to achieve the desired result, and I have to agree.
The Tomato router I mention above gives you the ability to provide multiple virtual Wifi SSIDs, and combines it with a captive portal, web access monitoring, and specific VLANs and bandwidth throttling to ensure decent separation of home and lodger.
In a work environment a proxy is essential, combined with a firewall blocking ports such that all traffic MUST traverse the proxy. Whether the proxy is a dedicated device or a SW device (e.g. MS ISA server, sorry TMG) depends on budget and technical capability. DNS can be handled in a number of ways, but at least the administrator will have control of it.
SD
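The two-rule cascade SD describes (ALLOW port 53 to the two OpenDNS addresses, then DENY port 53 to everything else) is easy to get wrong if the router evaluates rules in a different order than you expect, so here is an added example, not from the thread or any router vendor, that models it as first-match rules, renders the equivalent iptables lines, and runs a few constructed LAN connection attempts through it to show which hosts tried to reach a resolver other than the DHCP-supplied ones. The iptables syntax, the FORWARD chain, the LAN client addresses and the third-party resolver addresses (TEST-NET ranges) are assumptions for the demonstration; only the two OpenDNS addresses come from the post. Like the post's rules, it only covers port 53.

```python
"""Added example (not from the thread): a first-match model of the two-rule
DNS cascade, the iptables lines it corresponds to, and a small audit of
constructed connection attempts. Assumptions: the router evaluates
LAN-to-WAN traffic top to bottom with first match winning, and the rules
live in a FORWARD-style chain on a Linux-based router (e.g. Tomato)."""

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Resolver addresses quoted in the post (OpenDNS). These are also what DHCP
# should hand out so a default client never trips the deny rule.
ALLOWED_RESOLVERS = ("208.67.220.220", "208.67.222.222")
DNS_PORT = 53


@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "DENY"
    dport: Optional[int]   # None matches any destination port
    dst: Optional[str]     # None matches any destination address

    def matches(self, dst: str, dport: int) -> bool:
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst is not None and ip_address(self.dst) != ip_address(dst):
            return False
        return True


# The cascade: specific ALLOWs first, then a blanket DENY for port 53.
# Anything that is not DNS falls through to the default (ALLOW here).
DNS_CASCADE = [
    Rule("ALLOW", DNS_PORT, ALLOWED_RESOLVERS[0]),
    Rule("ALLOW", DNS_PORT, ALLOWED_RESOLVERS[1]),
    Rule("DENY", DNS_PORT, None),
]


def evaluate(rules, dst: str, dport: int, default: str = "ALLOW") -> str:
    """First-match evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(dst, dport):
            return rule.action
    return default


def to_iptables(rules, chain: str = "FORWARD") -> list:
    """Render the model as iptables commands (assumed syntax; adapt to the
    router's own firewall UI otherwise). Each rule is emitted for both UDP
    and TCP, since DNS uses both transports."""
    target = {"ALLOW": "ACCEPT", "DENY": "DROP"}
    lines = []
    for rule in rules:
        for proto in ("udp", "tcp"):
            parts = ["iptables", "-A", chain, "-p", proto]
            if rule.dport is not None:
                parts += ["--dport", str(rule.dport)]
            if rule.dst is not None:
                parts += ["-d", rule.dst]
            parts += ["-j", target[rule.action]]
            lines.append(" ".join(parts))
    return lines


def audit(rules, attempts) -> dict:
    """Run connection attempts (client, destination, port) through the cascade
    and return client -> list of denied destinations, i.e. the LAN hosts that
    pointed their IP config at a resolver other than the DHCP-supplied ones."""
    denied = {}
    for client, dst, dport in attempts:
        if evaluate(rules, dst, dport) == "DENY":
            denied.setdefault(client, []).append(dst)
    return denied


# Constructed sample: .10 uses the DHCP-supplied resolvers, .20 has hand-edited
# its DNS settings to point at two other resolvers (TEST-NET addresses), and
# one HTTPS connection shows non-DNS traffic is unaffected.
SAMPLE_ATTEMPTS = [
    ("192.168.1.10", "208.67.220.220", 53),
    ("192.168.1.10", "208.67.222.222", 53),
    ("192.168.1.20", "198.51.100.53", 53),
    ("192.168.1.20", "203.0.113.5", 53),
    ("192.168.1.20", "203.0.113.80", 443),
]

if __name__ == "__main__":
    for line in to_iptables(DNS_CASCADE):
        print(line)
    print(audit(DNS_CASCADE, SAMPLE_ATTEMPTS))
```

The order matters: if the DENY were listed first, the ALLOW rules would never be reached and the DHCP-supplied resolvers would be blocked too, which is the usual mistake when a router's UI appends rules rather than letting you order them.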
No issue there. Something like Squid would solve the issue as well.