Synology Parental Control

From neil.tappsville.com

Synology DNS Parental Controls or Split Brain DNS

For a long time I was looking for a solution to 'protect' the child (9 year old) from the internet connected at home.


I was after a solution which would protect the child, but allow the adults and other devices in the house free-range access to the internet. It also needed to be flexible - add/remove restrictions easily.


I tried the following

  • a proxy - squid, which was ok but caused a lag when being used for video etc.
  • dd-wrt iptables, but this solution doesn't work if the connections are using https <sigh>


I had used my Synology NAS for several years as the local DNS server (part of dnsmasq). I had this configured to do the opposite of what I wanted for parental controls (forwarding DNS requests based upon destination onto a different DNS - proxying using noIP.com for Netflix).



Recently (DSM 5.2) Synology added the DNS Application. Combined with an opendns.com account (free) and a dnsomatic.com account (free), this gives us a way to restrict 'some' or 'all' devices in the house (that's as close to 'per user' as we will get).


This method stops particular hosts resolving DNS names to IP addresses. A cunning child could resolve the IP addresses on the internet, but for the most part this should work ok.



*Step 1* Create an account at opendns.com.

Use the 'For Personal' option and follow your nose. Create an account using your email address.

Log in using your email address and configure the level of restrictions you want for your children / parental controls using 'web content filtering'. We chose 'Moderate'.



*Step 2* Create an account at dnsomatic.com (login using your opendns.com credentials). Configure it to update your opendns.com account.



*Step 3* Configure your Synology NAS to update your dnsomatic.com account with your public IP -

  • Main Menu -> Control Panel -> External Access -> DDNS
    • Add {Enable DDNS support}

      • Service Provider : DNS-O-Matic
      • Hostname : all.dnsomatic.com
      • Username/Email : {your opendns email address - replace @ with %40}
      • Password : {your opendns password}
        • Test Connection

Ensure that your account at dnsomatic.com shows an update.



*Step 4* The Synology DNS Server Application (once configured) has a setting for 'Views'. From the DSM Help: "A domain name server can present different information to different clients by implementing views. This function, sometimes called split-horizon DNS, can improve security and privacy management of DNS zone records. For example, you have one domain name, but wish to provide different responses to queries from external and internal sources. In such cases, you can create different views with separate resource records."

Set up the DNS Server Application so it is working (there is a guide on the Synology website).

  • Main Menu -> DNS Server -> Views -> Create {general tab}
    • View Name : Restricted
    • Limit Source IP Service {Enabled}

      • Enter IP addresses of the children's devices / a subnet you assign them all into

  • Enable Forwarders : {Enabled}
    • Forwarder 1: 208.67.222.123
    • Forwarder 2: 208.67.220.123
    • Forward policy: Forward First
    • OK

Make sure the 'Restricted' View has Priority 1

  • Main Menu -> DNS Server -> Views -> Create {general tab}
    • View Name : All
    • Limit Source IP Service {Enabled}

      • Enter IP addresses of the children's devices / a subnet you assign them all into

  • Enable Forwarders : {Enabled}
    • Forwarder 1: {Your ISP DNS 1}
    • Forwarder 2: {Your ISP DNS 2}
    • Forward policy: Forward First
    • OK

Make sure the 'All' View has Priority 2
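
Why the view priorities matter, as an added example that is not part of the original page or Synology's own code: a small Python model that checks which view would answer a given device and flags configurations that let a child device reach unfiltered forwarders. It assumes views are evaluated in priority order with the first match answering (as BIND views behave); the LAN ranges and ISP forwarder addresses are constructed placeholders, and `select_view` and `audit` are hypothetical names.

```python
import ipaddress

# Filtered forwarders named in Step 4 of this page.
FILTERED = {"208.67.222.123", "208.67.220.123"}

# Constructed sample configuration (LAN ranges and ISP resolvers are placeholders).
VIEWS = [
    {"name": "Restricted", "priority": 1, "sources": ["192.168.1.64/27"],
     "forwarders": ["208.67.222.123", "208.67.220.123"]},
    {"name": "All", "priority": 2, "sources": ["192.168.1.0/24"],
     "forwarders": ["192.0.2.53", "192.0.2.54"]},
]

def _nets(view):
    # Accept single addresses or CIDR ranges in a view's source list.
    return [ipaddress.ip_network(s, strict=False) for s in view["sources"]]

def select_view(client_ip, views):
    """Return the first view, in priority order, whose sources contain client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for view in sorted(views, key=lambda v: v["priority"]):
        if any(addr in net for net in _nets(view)):
            return view
    return None  # no view matched this client

def audit(views, child_ips):
    """List reasons a child device would bypass the filtered forwarders."""
    problems = []
    for ip in child_ips:
        view = select_view(ip, views)
        if view is None:
            problems.append(f"{ip}: matches no view")
        elif not set(view["forwarders"]) <= FILTERED:
            problems.append(f"{ip}: answered by '{view['name']}' via unfiltered forwarders")
    ordered = sorted(views, key=lambda v: v["priority"])
    for i, low in enumerate(ordered):
        for high in ordered[:i]:
            # A later view is unreachable if an earlier view covers all its sources.
            if all(any(n.subnet_of(h) for h in _nets(high)) for n in _nets(low)):
                problems.append(f"view '{low['name']}' is shadowed by '{high['name']}'")
    return problems

if __name__ == "__main__":
    print(audit(VIEWS, ["192.168.1.70", "192.168.1.94"]))  # priorities as in Step 4
    swapped = [dict(v, priority=3 - v["priority"]) for v in VIEWS]
    print(audit(swapped, ["192.168.1.70"]))  # priorities reversed
```

With the priorities reversed, the broader view answers first and the 'Restricted' view is never consulted, which is the failure the priority setting prevents.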



Test your devices using the instructions here https://support.opendns.com/entries/25897009-How-to-Test-for-Successful-OpenDNS-Configuration-

A non-blocked page


A blocked page



*Step 5* Block all hosts except your Synology NAS from accessing external DNS Servers at your router

  • dd-wrt -> Access Restrictions
    • Service = DNS
    • List of Clients = IP Address Range excluding your NAS.