Internet filtering

Attachment: OpenDNS screenshot (121.36 KB)

The OPLIN Board has negotiated a contract with OpenDNS to set up a statewide Internet content filtering system that will be available to all public libraries. OPLIN is charged by the Ohio Legislature "...to help local libraries use filters to screen out obscene and illegal internet materials." For many years, OPLIN has fulfilled this requirement by distributing individual grants to libraries, but the earmarked funds were never enough to provide assistance to more than about 40-50 library systems. Clearly, a "central" filtering system available to all libraries would be better.

After several unsuccessful tests over the years, OPLIN finally identified OpenDNS as a filtering solution which can effectively provide content filtering for all Ohio public libraries, while still allowing each library to have complete control over how, or if, the filter is to be used in their library system. (See the screenshot attached to this page for an idea of some of the options which libraries can control.)

In January 2012, OPLIN will begin implementing this solution for many libraries, and will have the capacity to handle all public libraries by July 2012, at no cost to the library. Libraries whose current filtering solution will expire before June 30, 2012 will get first priority. No filtering grants will be available to individual libraries after June 2012; all funds earmarked by the legislature for filtering will instead be used to support the statewide filter.

If you have questions about our free, statewide filtering, please contact us at http://support.oplin.org.

More technical information:

Rather than filtering content using a proxy-based or SPAN-port appliance, OpenDNS is a filtered Domain Name System (DNS) service. You set up an account and associate IP address blocks with it, and then you control what types of content you want your users to see, much like a traditional content filter. For any request to access a website that falls outside what you deem appropriate, OpenDNS returns the IP of one of their block servers instead of the IP of the real web server. The block can be bypassed on a per-session basis by entering a ticket code that you create in the web admin interface. The ticket creates a cookie in the user's browser; when the block server detects the cookie, it proxies the user to the content. Unless a ticket code is in use, the user is never proxied, so there is no worry of interfering with IP-authenticated resources. There are also quite a few other options for specifying which machines are held to which rules.

In addition, since OpenDNS does not have to handle the actual traffic after the initial DNS request, you do not have to worry about bottlenecks as you would with an appliance. And the only thing you need to do to achieve redundancy is to use the state's DNS server as your tertiary forwarder.

See our Steps for obtaining an OPLIN-paid OpenDNS Enterprise account document for more information.

Steps for obtaining an OPLIN-paid OpenDNS Enterprise account

  1. Send an email to support@oplin.org stating that you would like to participate, along with the contact information for the person to whom we should email the account login details.
  2. The contact's account will be set to an administrator level for your library account. This user will have the ability to send out additional invitations to other staff members, and also elevate them to administrator status.

From now on, your library is in complete control of your OpenDNS account and will not need to contact OPLIN unless you need assistance.

OpenDNS first steps

Step 1: Add your first network

OpenDNS uses the term "network" to describe either a single IP address, or multiple IPs to which you can assign filtering rules. Before you can select any filters you have to create a network.

  1. Log in to OpenDNS (http://opendns.com)
  2. Click "Dashboard"
  3. Click "Settings"
  4. Enter your outbound IP into the boxes provided. We recommend entering only a single IP, rather than your entire network block. This way you can easily have different rule sets for different IPs. A quick way to find out what IP you're currently using is with a website like http://whatismyip.com
  5. Select the library account from the "Organization" drop-down
  6. Click "Add this network"
  7. OpenDNS will send you an email containing a link, which you'll need to click while coming from the IP you're registering.

Step 2: Set rules for your new network

Now that you've created a network you can modify its settings.

  1. Log in to OpenDNS (http://opendns.com)
  2. Click "Dashboard"
  3. Click "Settings"
  4. Select your newly added IP from the large drop-down box in the middle/top of the screen

You'll be presented with the settings page for that network. All the options are presented in a traditional web form layout and have a lot of helpful hints on the same page. We recommend clicking around the option categories to see what's available. At this point the service still isn't live on your network, so you can't hurt anything.

Step 3: Going live

The final step is to use the OpenDNS name servers on your network. The IPs for those servers are 208.67.222.222 and 208.67.220.220. If you want to test out the service before making it live on the entire network, you can always change the DNS servers on just your workstation to those two IPs and verify the filtering is working as you want it to. If you're ready to make filtering live, the place to use those two IPs will vary depending on how your network is currently configured.

  • If you statically define every workstation with its DNS settings (e.g., the state DNS servers at 156.63.130.100), then you would need to change every workstation to use these two new IPs. You can leave the state IPs in, but they have to come after the two OpenDNS IPs.
  • If your workstations point to a local device for DNS (e.g., a firewall, router, or Active Directory server), then the place to use the two OpenDNS IPs is in the forwarders settings of that device. Changing the IPs on a top-level device like this will make filtering live for every workstation pointing to that device.
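
To verify filtering without changing a workstation's DNS settings, you can send a query straight to an OpenDNS name server and check whether the answer is a block server rather than the real site. The script below is an added example, not OPLIN or OpenDNS code; `BLOCK_SERVER_IPS` is a placeholder (this page does not list the block-server addresses) and the sample reply is constructed.

```python
import socket
import struct

BLOCK_SERVER_IPS = {"192.0.2.10"}  # placeholder: use the block-server IPs you observe

def build_query(name, txid=0x1234):
    """Encode a recursive A/IN query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (1 if msg[pos] == 0 else 2)  # a pointer is two bytes and ends the name

def a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def classify(addrs, block_ips=BLOCK_SERVER_IPS):
    """Return 'no-answer', 'blocked' (an answer is a block server) or 'allowed'."""
    if not addrs:
        return "no-answer"
    return "blocked" if set(addrs) & set(block_ips) else "allowed"

def check(domain, resolver="208.67.222.222", timeout=3.0):
    """Ask one resolver directly (default: an OpenDNS IP from the page)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain), (resolver, 53))
        return classify(a_records(s.recv(4096)))

# Constructed reply: "blocked.example" answered with the placeholder block IP.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + build_query("blocked.example")[12:] + b"\xc0\x0c"
                + struct.pack(">HHIH", 1, 1, 0, 4) + socket.inet_aton("192.0.2.10"))
```

Run `check()` from the outbound IP you registered in Step 1, since the rules apply only to networks associated with your account.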

FAQ

None yet. Ask us a question at http://support.oplin.org.