Darious Madoc

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Building a Network Level DNS Filter - A Practical Approach to Family Online Safety.


Poll: Ad Block (2 members have voted)

What level of Ad Block do you use?

    • Browser Extension: 0% (0)
    • OS Level: 50% (1)
    • Network Level: 50% (1)
    • Other: 0% (0)


As a father, my primary concern is the well-being of my family, and I have this compulsion to do tech stuff for the hell of it, particularly within the increasingly complex digital environment. Traditional parental controls often fall short in providing truly effective protection and, more importantly, hinder a child’s ability to engage with information responsibly. This prompted an investigation into creating a more targeted and adaptable solution, one that moves beyond simple restrictions and focuses on proactive filtering at the network level. The goal wasn't simply to block content; it was to establish a system capable of evolving alongside emerging online threats while fostering a child’s ability to navigate the internet with informed discernment.

The core of this project centered around repurposing a Dell 3040 Wyse Ultra Low Power machine, acquired through Facebook Marketplace for $40 AUD. Its low power consumption (typically drawing under 15W), minimal footprint, and inherent robustness made it an ideal candidate for deploying a custom DNS filter using AdGuard Home, a powerful, open-source solution designed specifically for this purpose. The challenge lay in establishing a robust, configurable, network-wide solution that wouldn’t introduce unnecessary complexity or resource demands while providing granular control over online access.

System Architecture & Implementation: A Layered Approach

The architecture of the system was deliberately layered to provide redundancy and flexibility. It wasn't conceived as a monolithic solution but rather as a modular setup capable of adapting to evolving needs.

  1. Hardware Foundation: The Dell 3040 Wyse Ultra Low Power (Model # 923-5867) served as the core processing unit. Its ARM Cortex-A9 processor, 2048MB RAM, and integrated Gigabit Ethernet port provided sufficient resources for DNS proxying and AdGuard’s filtering engine. The machine was selected primarily for its reliability and low power consumption, crucial factors given its intended role as a dedicated security appliance.

  2. Operating System & Network Configuration: I opted for Debian Bullseye (version 11.3), specifically the “minimal” image, to minimize resource overhead and provide a clean, stable base. The initial partitioning involved creating a single root partition using parted, allocating approximately 32GB of storage. Crucially, I configured the machine with a static IP address on the internal network (192.168.1.100) and enabled DHCP client functionality for internet access. Network segmentation was achieved through VLAN configuration on our existing router (Ubiquiti EdgeRouter X), placing the Wyse machine on VLAN 3, isolating it from the primary LAN where sensitive devices resided. This added a critical layer of security by limiting potential lateral movement in case of compromise.

  3. DNS Proxy & Filtering Engine – AdGuard Home: The heart of the system is AdGuard Home, a free and open-source DNS server with powerful filtering capabilities. I installed AdGuard Home using Docker on the Wyse machine. This containerized approach simplifies management, ensures consistent updates, and isolates the application from the host operating system. AdGuard Home’s dynamic filtering features are particularly valuable – allowing for both blacklisting specific domains (e.g., gambling sites, adult content) and employing content categories to enforce safe search settings for my daughter's devices.

  4. Dashboard & Monitoring: I configured AdGuard Home to expose a web-based dashboard accessible via HTTPS. This provides real-time insights into DNS queries, blocked domains, and overall system performance. The dashboard’s logging capabilities are invaluable for troubleshooting and identifying potential threats. Furthermore, I implemented basic scripting (using Bash) to generate automated reports on filtered traffic, a crucial element for ongoing monitoring and assessment.
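
An added example (not the author's script) of the kind of automated report on filtered traffic described in item 4, written in Python rather than Bash so the JSON is parsed properly. It assumes AdGuard Home's `querylog.json` is JSON lines with the keys `IP`, `QH` and `Result.IsFiltered`; the sample entries are constructed, so check the key names against your version.

```python
import json
from collections import Counter

# Constructed sample lines in the assumed JSON-lines layout of querylog.json
# (keys T, QH, QT, IP, Result.IsFiltered); one line is deliberately truncated.
SAMPLE_LOG = """\
{"T":"2024-05-01T08:00:01Z","QH":"example.org","QT":"A","IP":"192.168.1.21","Result":{}}
{"T":"2024-05-01T08:00:05Z","QH":"ads.example.net","QT":"A","IP":"192.168.1.21","Result":{"IsFiltered":true}}
{"T":"2024-05-01T08:01:10Z","QH":"casino.example.com","QT":"A","IP":"192.168.1.34","Result":{"IsFiltered":true}}
{"T":"2024-05-01T08:01:12Z","QH":"ads.example.net","QT":"AAAA","IP":"192.168.1.34","Result":{"IsFiltered":true}}
this line is truncated {"T":
{"T":"2024-05-01T08:02:00Z","QH":"example.org","QT":"A","IP":"192.168.1.34","Result":{}}
"""

def summarize(lines):
    """Count total and blocked queries per client, and blocked domains."""
    total, blocked = Counter(), Counter()
    blocked_domains, skipped = Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            client, host = entry["IP"], entry["QH"].lower().rstrip(".")
        except (ValueError, KeyError, AttributeError, TypeError):
            skipped += 1  # partially written or otherwise malformed line
            continue
        total[client] += 1
        if (entry.get("Result") or {}).get("IsFiltered"):
            blocked[client] += 1
            blocked_domains[host] += 1
    return {"total": total, "blocked": blocked,
            "blocked_domains": blocked_domains, "skipped": skipped}

def format_report(s, top=5):
    """Render the summary as a plain-text report suitable for cron mail."""
    out = ["client           queries  blocked"]
    for client, n in sorted(s["total"].items()):
        out.append(f"{client:<16} {n:>7}  {s['blocked'][client]:>7}")
    out.append("top blocked domains:")
    for host, n in s["blocked_domains"].most_common(top):
        out.append(f"  {n:>4}  {host}")
    out.append(f"unparseable lines skipped: {s['skipped']}")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG.splitlines())))
```

To run it against a real log, pass an open file object to `summarize()` instead of the sample lines.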

Detailed Configuration & Tuning:

  • DNS Forwarding: AdGuard Home is configured as a DNS forwarder, meaning it receives all DNS queries from the network and resolves them itself. This allows us to intercept and filter these requests before they reach the client devices.

  • AdGuard Filter Lists: I utilized several pre-configured filter lists within AdGuard Home, including:

    • “Malware”: blocks known malicious domains.

    • “Adult”: filters adult content categories.

    • “Gambling”: blocks gambling websites.

    • Custom blacklists: added specific domains based on observed threats and parental concerns.

  • Safe Search Enforcement: AdGuard Home’s “SafeSearch” feature is enabled for Google, Bing, and DuckDuckGo, ensuring that search results are filtered to remove explicit content.

  • Rate Limiting & Throttling (Future Enhancement): While not initially implemented, I plan to explore rate limiting features within AdGuard Home to further mitigate potential abuse or denial-of-service (DoS) attacks.
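
For the custom blacklists mentioned above, it helps to know exactly which names a rule covers before adding it. The following added example (not AdGuard Home's engine and not the author's code) is a simplified model of three rule forms from AdGuard's DNS filtering syntax: `||domain^`, the `@@||domain^` exception, and hosts-style lines. Modifiers such as `$important` are ignored, and the sample rules are constructed.

```python
# Constructed sample custom list (domains are placeholders).
CUSTOM_RULES = """\
! family custom list
||casino.example^
@@||help.casino.example^
0.0.0.0 tracker.example.net
"""

def parse_rules(text):
    """Split a filter list into suffix-block, suffix-allow and exact-block sets."""
    block_suffix, allow_suffix, block_exact = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line[0] in "!#":
            continue  # blank line or comment
        if line.startswith("@@||") and line.endswith("^"):
            allow_suffix.add(line[4:-1])
        elif line.startswith("||") and line.endswith("^"):
            block_suffix.add(line[2:-1])
        else:
            parts = line.split()
            # Hosts-style rule: blocks that exact name, not its subdomains.
            if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
                block_exact.add(parts[1])
    return block_suffix, allow_suffix, block_exact

def _covered(name, suffixes):
    # "||example.org^" covers example.org and a.b.example.org but not
    # notexample.org: the match must begin at a label boundary.
    labels = name.split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))

def is_blocked(name, rules):
    """Return True if the queried name would be blocked under this model."""
    block_suffix, allow_suffix, block_exact = rules
    name = name.lower().rstrip(".")
    if _covered(name, allow_suffix):
        return False  # in this model, exceptions win over block rules
    return name in block_exact or _covered(name, block_suffix)

if __name__ == "__main__":
    rules = parse_rules(CUSTOM_RULES)
    for q in ("www.casino.example", "notcasino.example",
              "help.casino.example", "a.tracker.example.net"):
        print(f"{q:<26} {'BLOCK' if is_blocked(q, rules) else 'allow'}")
```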

Beyond Basic Filtering – A Customizable Solution:

The resulting setup offers granular control. I can dynamically adjust device access permissions and enforce safe search parameters on a per-device basis. Furthermore, the system’s adaptability allows me to proactively block services based on evolving threat intelligence. The ability to easily add or remove domains from the filter lists ensures that the system remains responsive to changing online landscapes.

Future Development & Considerations:

This project is an ongoing exploration. Future development includes:

  • Integrating automated updates for AdGuard Home, ensuring the system remains protected against the latest threats.

  • Expanding the monitoring capabilities to provide more detailed analytics, including query frequency and source IP addresses.

  • Implementing a VPN connection through the Wyse machine to mask our family’s internet activity (privacy enhancement).

  • Exploring advanced features within AdGuard Home, such as URL filtering and application control.

The 3D-printed 10" rack serves not just as a physical grounding point but also as a tangible reminder of the dedication required to build and maintain this complex system: a small, functional artifact representing a significant investment in our family’s online safety.

Note: The four blocked adult sites were me... I had to test it somehow.

I just wish doing it in real life was just as easy.....

Edited by Dex
added image
