How to use OpenDNS as an Internet Filter MX64

Solved
bjk
Here to help

I have an MX64 for a very small public library network without the advanced security license.  How does one configure the MX64 to use OpenDNS and do I need to subscribe and pay for a license to use OpenDNS?

Just need a very simple way to block porn or adult websites.

1 Accepted Solution
BrandonS
Kind of a big deal

There are some free and low cost options here: https://www.opendns.com/home-internet-security/

You enroll for free or paid and then tell it your public IP or IP block to filter against.

To ensure users can’t bypass this DNS that you would serve via DHCP presumably, you could create firewall rules denying all DNS port 53/UDP except OpenDNS/Umbrella and that should do a good job complying with blocking adult content for a library.

My general understanding of the laws around this in the US is that you make a reasonable attempt such as this and are not liable for reporting or instances where people find a way around it.


- Ex community all-star (⌐⊙_⊙)
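
An added example, not part of the post above and not Meraki or OpenDNS tooling: a first-match evaluator that audits an outbound rule list for the DNS lock-down the accepted solution describes. The rule tuple format, the function names, the probe resolvers and the three sample rule sets are constructed for illustration; the two OpenDNS addresses are the IPv4 resolvers listed later in this thread, and a default allow at the end of the rule list is an assumption.

```python
import ipaddress

# OpenDNS resolver addresses as listed in this thread.
OPENDNS = ("208.67.222.222", "208.67.220.220")
# Constructed probes: other public resolvers a client could be set to use.
OTHER_RESOLVERS = ("8.8.8.8", "1.1.1.1", "9.9.9.9")

def first_match(rules, proto, dst_ip, dst_port):
    """Return the action of the first matching rule, evaluated top-down.
    A rule is (action, proto, dst_cidr, dst_port); 'any' is a wildcard.
    Unmatched traffic hits a default allow (assumption)."""
    addr = ipaddress.ip_address(dst_ip)
    for action, r_proto, r_dst, r_port in rules:
        if r_proto not in ("any", proto):
            continue
        if r_dst != "any" and addr not in ipaddress.ip_network(r_dst):
            continue
        if r_port not in ("any", dst_port):
            continue
        return action
    return "allow"

def audit_dns_lockdown(rules):
    """List every way the rule set fails to pin port 53 to OpenDNS."""
    findings = []
    for proto in ("udp", "tcp"):
        for ip in OPENDNS:
            if first_match(rules, proto, ip, 53) != "allow":
                findings.append(f"{proto}/53 to OpenDNS {ip} is blocked")
        for ip in OTHER_RESOLVERS:
            if first_match(rules, proto, ip, 53) != "deny":
                findings.append(f"{proto}/53 to {ip} is allowed, filter not enforced")
    return findings

# Constructed rule set covering UDP only.
UDP_ONLY = [
    ("allow", "udp", "208.67.222.222/32", 53),
    ("allow", "udp", "208.67.220.220/32", 53),
    ("deny", "udp", "any", 53),
]
# Constructed rule set covering both transports.
BOTH = [
    ("allow", "any", "208.67.222.222/32", 53),
    ("allow", "any", "208.67.220.220/32", 53),
    ("deny", "any", "any", 53),
]
# Constructed misordering: the deny sits first and shadows both allows.
SHADOWED = [BOTH[2], BOTH[0], BOTH[1]]
```

`audit_dns_lockdown(BOTH)` returns an empty list; the other two rule sets return findings that show why both the protocol field and the rule order need checking.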

Inderdeep
Kind of a big deal

@bjk: OpenDNS, which is now Cisco Umbrella (Cloud DNS security and Proxy), has manual integration with Meraki MX.

Have a look at the link below for your reference. Check out the Meraki Group Policy with Umbrella.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Manually_Integrating_... 


Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
bjk
Here to help

But doesn't this require the Advanced Security License?

"This feature is available for an MX with Advanced Security license"

Inderdeep
Kind of a big deal

If you have the Advanced Security license then nobody cares about Cisco Umbrella, as you have all the security features on the box.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
bjk
Here to help

I have an MX64 firewall.  I do not have the Advanced Security license.  I am asking for a suggestion for a simple Internet filtering solution for this very small network.

Inderdeep
Kind of a big deal

So you have the Enterprise license on the MX?

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
bjk
Here to help

Yes.

Inderdeep
Kind of a big deal

To integrate Cisco Umbrella with Meraki MX you still need the Advanced Security license.

Check the link below and look for "Features by License Option"; there you will get to know.

https://documentation.meraki.com/General_Administration/Licensing/Meraki_MX_Security_and_SD-WAN_Lice... 

and so integration with Cisco Umbrella:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Manually_Integrating_... 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
bjk
Here to help

I am aware of that.  

Can anyone help me with a solution that does not require an Advanced Security license?

Inderdeep
Kind of a big deal

When you say security from the internet, what features do you need?

1. IPS/IDS

2. Advanced Malware Protection

3. DNS security

4. Threat Grid


All these are not available on the enterprise license of MX. 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
bjk
Here to help

I only need Internet content filtering for a small library network.

Inderdeep
Kind of a big deal

Content filtering is also available only with the Advanced Security license, not with the Enterprise license.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
Inderdeep
Kind of a big deal

@bjk As @BrandonS says, you can put in the firewall rules to block all the adult content for a library. You can point your Internet DNS to Cisco Umbrella instead of your local service provider or Google, whichever it is pointed to now. The traffic flows from the internet to your site via Cisco Umbrella.

The Umbrella IPv4 addresses are:

  • 208.67.222.222
  • 208.67.220.220

The Umbrella IPv6 addresses are:

  • 2620:119:35::35
  • 2620:119:53::53

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
bjk
Here to help

We cannot use Cisco Umbrella because we do not have the Advanced Security license.

bjk
Here to help

I will try the "home" version of OpenDNS and see how that works.  Thanks BrandonS.

bjk
Here to help

That worked great.  Thanks.

CptnCrnch
Kind of a big deal


@Inderdeep wrote:

If you have the Advanced Security license then nobody cares about Cisco Umbrella, as you have all the security features on the box.


You won't be able to achieve even half of what Umbrella provides you with with an on-box solution.

DarrenOC
Kind of a big deal

Hey @bjk, bit late to the party on this one. What’s your wireless solution? Meraki MRs? Or are your library users wired?


If Meraki MR you could filter on the SSID using Layer 7 rules.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
bjk
Here to help

The library has ten wired desktop computers and does also offer wifi via a MR access point.
