All my geeky stuff ends up here. Mostly Unix-related

Parental control with OpenWRT and OpenDNS

with 9 comments


The following recipe took me a whole evening to find, so I am documenting it here in hope it could be useful to somebody else.

I recently upgraded my home network to a beefier TP-Link C5 Archer (75 euros on Amazon). This little box packs two Wi-Fi access points in 2.4 and 5GHz (Wi-Fi ac), which pushes wireless speeds up to 500Mbit/s within a few meters range. The main selling point for me was that it runs the latest OpenWRT firmware with absolutely no issue whatsoever. Flash firmware, done.

OpenWRT has become a real Linux distribution today, packing more power than you could ever imagine achieving with such hardware. I certainly miss the Tomato user-friendly GUI, but I do enjoy the power at my fingertips when it comes to network configuration. Kudos to the OpenWRT team for such a technical achievement!

Back to the point: parental control. I have kids at home and all sorts of networked devices: smartphones, tablets, computers, servers, printers, you name it. I want to be able to disable adult site browsing and the like from kids hardware. The easiest solution I found so far is OpenDNS (, which offers you free DNS filtering for one IP address. Create an account, configure your home IP address, set the categories you want to ban, and done. Any machine on my internal network using OpenDNS will receive re-directs for unwanted sites. In the past I used to manually modify the DNS settings on all kids hardware to switch to OpenDNS servers, but that quickly becomes old, and sometimes requires some sleight-of-hand to configure. Forget it.

Enter OpenWRT: you can actually assign different DHCP settings to hosts on your network, e.g. different DNS servers. Even if the documentation is respectfully thick on that topic, it took me a while to understand it.

In its latest incarnation Barrier Breaker (Dec 2014), OpenWRT packs all DHCP information into /etc/config/dhcp. Make your modifications there and restart the dnsmasq daemon to activate them.


1. edit /etc/config/dhcp to add a new section

config tag 'kids'
    list dhcp_option '6,,'

2. Now add individual sections for all devices you want to include in the ‘kids’ section:

config host
    option name 'pluto'
    option mac 'YOUR DEVICE MAC ADDRESS'
    option tag 'kids'

3. Restart dnsmasq with: /etc/init.d/dnsmasq restart

And you are done. Just tag the hosts you want to be part of the kids zone to distribute the OpenDNS servers instead of the default one.


Written by nicolas314

Wednesday 10 December 2014 at 10:24 pm

Posted in Uncategorized

Tagged with , ,

9 Responses

Subscribe to comments with RSS.

  1. Create a firewall rule to permit DNS request only vs opendns servers. Remember to deny proxy web sites on opendns configuration.


    Saturday 18 April 2015 at 3:41 pm

  2. This is great – thank you! I’m putting this into use tonight at my place.


    Sunday 21 June 2015 at 12:12 am

  3. just a small question, this advice is great but. What if I want ALL of the devices to be routed to use openDNS – maybe apart of a few (eg kind of whitelist approach) ?


    Sunday 13 March 2016 at 11:50 pm

    • If you want a reverse behaviour, i.e. all devices use OpenDNS except the ones you tag, you would define the OpenDNS servers as default ones in openwrt, and create a tag like this, e.g. for the few devices that will go through Google DNS instead:

      config tag 'googledns'
      list dhcp_option '6,,'

      Hope it helps


      Monday 14 March 2016 at 4:13 pm

      • duh, of course ! thanks a lot.


        Monday 14 March 2016 at 5:39 pm

  4. Hello, I came across this post because I’ve been trying to find a better way to manage my kids devices at home. I think I’ll go with an “opt out” solution following your process. Meaning that everyone gets the OpenDNS blocked internet unless their MAC address is in an exclude list (basically mine and my wife’s phones/computers). That way I don’t have to worry about my kid’s friends when they come over, etc.

    My question is … what is the easiest way to “edit /etc/config/dhcp” … ? I’ve install OpenWRT on an older router I had at home as a test before installing it on my newly purchased router. The installation was successful but I haven’t figured out where/how to perform the edit you’ve outlined.

    Thanks in advance!


    Thursday 15 December 2016 at 8:40 pm

    • Hi Scott,

      There are several text editors available on OpenWRT. I suggest you install ‘nano’ with ‘opkg update ; opkg install nano’ and then edit your config files with it:
      nano /etc/config/dhcp

      nano is reasonably simple to use and always displays available commands at the bottom of the screen, you should be able to find your way around it even if you never used it.
      Hope it helps


      Thursday 15 December 2016 at 10:14 pm

  5. Hi Nic,
    I am looking at implementing something similar to what you have mentioned above but for an open wireless hotspot i have on and RaspberryPi running OpenWRT (Chaos Chalmer). I basically want to limit all traffic going through the hotspot to “safe sites”. I’m a little new to OpenWRT but i was thinking the following syntax would do the trick;
    edit /etc/config/dhcp

    config dhcp hotspot
    list dhcp_option ‘6,,’

    Is it as simple as that or am I missing something??


    Tuesday 28 March 2017 at 4:09 am

    • Yep, seems it would do the trick. You are asking your DHCP server to always send option 6 (set DNS servers) to the ones at OpenDNS. Once you have configured your OpenDNS account to ban the sites you do not want, it should just work.


      Tuesday 28 March 2017 at 2:19 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: