Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How do I block porn?


I would like to block porn from coming into my house. I am sure many people feel the same way because they have children but my reason for wanting to block it is my idiot son-in-law.

My daughter, grandchild, and idiot son-in-law live in an apartment in our basement because he cannot support his family. They were using a dialup modem but I got tired of them tying up the phone so I agreed for them to connect wirelessly to my router.

Since then, and before I suspect, my son-in-law has been viewing porn and I really do not want it in my house but I do not want to start a fight with my daughter by taking away the DSL. Especially since he says he needs it to look for a job.

I tried installing OpenDNS and configuring the router to use it but it did not work. I posted to their forum and was told that each computer had to be manually reconfigured to use OpenDNS for it to actually block certain websites. Since I do not have the password to their computer and do not want to snoop on their machine, that option was out.

I have been reading your blog for years now and you are always telling people that your ISP can see anything and do anything. Well, I am my SIL’s ISP so how do I use the router to block porn without having to access their machine?

Well, I believe you were on the right track with OpenDNS, but I suspect that the advice you got was a little off the mark.

That being said, I also have to throw out a big fat caveat as well, that you probably won’t like.

Become a Patron of Ask Leo! and go ad-free!

The honest bottom line is that there’s no way to absolutely, positively block porn, or anything else for that matter. You can make it more difficult, and maybe that’s enough, but for every approach we might consider taking there will be ways to circumvent it.

So with that out of the way, let’s block some porn…

You Are The ISP

The observation that you are your son-in-law’s ISP is a very good one. The very definition of the acronym is pretty clear: Internet Service Provider, and you are providing Internet service.

“You can make it more difficult, and maybe that’s enough …”


Your ISP has something you don’t: equipment, and lots of it. If you were to look at what your ISP actually has in their data center, you’d be amazed at what it takes to get those digital bits to and from your computer. A high-end router, for example, could easily block access to various sites. Your ISP probably has several such routers, but is it worth $10,000 or more to you to get one for yourself? Probably not.

The more traditional approach is to install parental control software on each machine that might be accessed by people you feel are untrustworthy (“idiot” or not Smile).

As you’ve indicated, even modifying the configuration for OpenDNS on each machine is not an option, so I’m certain that installing anything is even less of an option.

So we’ll head back to where the ISPs do: your router.

The approach is actually quite simple: when a computer connects to your network at boot time, it asks your router for an IP address. Along with that IP address, the router also provides the IP addresses that should be used for DNS lookups (the lookups that translate human-readable “” into what your computer really uses to connect:


So, we configure your router to provide OpenDNS‘s DNS servers to any computer that connects to your local network, including that of your idiot son-in-law.

Now, unfortunately exactly how you do this will depend on your specific brand of router. For example, in the Linksys router I happen to use, it’s configured in the DHCP settings:

DHCP and DNS in a LinkSys router

With these settings, any computer that connects to the internet through this router would use OpenDNS’s service.

You’ll need to make the equivalent settings for your own router, but fortunately OpenDNS’s website includes instructions for most common routers.

To enable content filtering, you’ll need to set up an account with OpenDNS and configure the types of filtering you want.

Now, there is one gotcha that I suspect is what the initial advice you received was about.

OpenDNS applies those filtering settings based on your internet IP address. In fact, it’s part of what you set up when you create an account and add a “network” to the account. All the requests that OpenDNS sees coming from your network IP address are then filtered according to the rules you’ve configured for your account.

So what happens if your IP address changes?

This is a very common scenario for consumer internet connections, and is called “dynamic IP addressing”. One day your internet connection might be on one IP address, and another day it might change. This is totally normal and is controlled by your ISP.

You can update your IP address with OpenDNS manually, of course. However, OpenDNS does make available a small program which will automatically update OpenDNS’s record of your IP address when it changes.

I’m thinking that this might be what they referred to as what you needed to install.

The missing piece is that you only need to install it on one machine – yours. Once OpenDNS understands that the internet IP address has changed for your account, its features are applied to all computers accessing sites through that connection.

So, in your situation, I do believe that OpenDNS remains the best solution – I just enabled it here on my home network’s router, and all my machines are now protected.

But please, don’t think of it as absolute protection. To the dedicated, there are likely ways around it.

One final caveat: what we’ve been talking about is web access. OpenDNS doesn’t filter incoming email, so any porn spam you might be getting will continue. You’ll need to investigate spam filtering solutions for that, and those are likely not things you’ll be able to implement without impacting the computers involved.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

22 comments on “How do I block porn?”

  1. Open DNS has been a great solution for me in blocking selective internet content, however if you are the chief of the house you will likely have their computer log in without administrator privileges, that is a standard account, you can also “modify” the account to fit the bill.

  2. I used OpenDNS for a while and then stopped using it. One big caveat was that it depends on its database of sites classified into categories. There could be many porn sites that are not yet in their database (although very extensive) and those would be allowed to pass through. Wrong classification is also a problem with OpenDNS.

    Also a little net savvy person can very easily circumvent the blockade.

    I personally prefer a solution based on my own network – e.g router/firewall based or a separate parental control device. You can route all net traffic through a master computer and use a control software on that machine. Any small PC would do a good job.

  3. I really think Opone NS is better than just a router firewall, all you have to do is press the router reset switch for 10 seconds, and all your settings and protection is away, even by a remote computer on your own network..

  4. Resetting the router also resets the DNS settings that were pointing to OpenDNS.

    Besides that will be only a temporary access as such a reset is soon observed and you can take appropriate counter measures. Protect your router physically, if such case is to be expected.

    Yep. As I mentioned in the article someone dedicated with just a bit of knowledge may work around whatever you do. There’s no 100% solution. (But this is a good reminder: secure your router.)

    – Leo
  5. Open DNS settings will no change resetting the router because the settings resides on Open DNS servers, but you must be running the open DNS client on each computer so it can track IP if your ISP use dynamic IP adressing.

    Not quite.

    Resetting the router will cause your client machines to stop using OpenDNS as the router reverts to giving the default DNS servers for your internet connection.

    You only need to run the OpenDNS client a) if you have a dynamic IP, and b) on only one machine on your network.

    – Leo
  6. correcting my last post, you must point to open DNS in each individual computer when assigning Static IP,s, and have open DNS client software also in each computer.

  7. Resetting the router is messy….

    With a router, the default strategy is to have router point to a DNS server normailly assigned by the ISP or OpenDNS and have all computers on the network point to the router as their DNS as assigned by the DHCP. This is easier on adding any new PCs and taking PCs on another network. You don’t have to reconfigure the PC every time you move it to a new network. Easy on the laptop too.

    Also resetting the router erases the log-on information to your ISP. And all Internet connection is broken until you reconfigure your router to log on to the ISP. So unless you know the log on information, you can’t reconfigure the router to ever connect to the ISP.

    Not all internet connections require that the router “log on”. In fact I’d guess that most actually do not. In those cases simply resetting the router will get you a working, but OpenDNS-free, internet connection.

    – Leo
  8. It’s pretty demented to actually monitor which sites adults are visiting. Living with you sounds like a nightmare. Even if your son-in-law is a pain, you are no picnic yourself to live with, I am betting.

    Thank God for the First Amendment. What do you have against it?

    The first amendment (assuming she’s even in the United States) doesn’t mean she has to allow others to bring materials she considers objectionable into her own home.

    – Leo
  9. configure your computer to use a specific IP address for your network AND a specific DNS, and you’re not using OpenDNS ..
    Hope the guy’s idiotic son-in-law isn’t a computer geek ..
    btw .. using an online proxy should bypass OpenDNS security .. atleast i think it would. OpenDNS would only see traffic coming in from the proxy server and let it go. O don’t remember much from when i last used my OpenDNS account .. =P .. but if OpenDNS blocks proxies, google translater is a useful tool.
    the guy who asked this should be praying his son-in-law doesn’t read this thread .. =P

  10. My ISP requires a login before using its services. I prefer using my router, thus I don’t have to login from my machine. More importantly, as Rahul points out, if IS-I-L resets the router, then no one gets out until the router is reconfigured again, assuming they don’t know the password required by the ISP.

    For those who login in from their machines rather than use the firewall, but have a situation similar to the author of the original question, one could switch over the configuration, per Rahul, AND change the password without providing it to IS-I-L. From that point on, if, IS-I-L pushes the reset, but there goes his access.

    I’ve had several routers. Both allow backup of settings to a PC. This greatly simplifies restoring settings if a router is reset.

    Footnote, if IS-I-L actually resets the router, the fight you wish to avoid will be out in the open, but you are on solid to ground to regulate what comes into your own home.

    A lawyer would have to advise whether or not you’d have any responsiblity should child porn be downloaded by IS-I-L, notwithstanding the First Ammendment.

  11. I’ve tried three approaches:

    1. The content filter on ZoneAlarm running on each machine. This worked pretty well. But the version of ZoneAlarm I was working with about a year ago did not like Vista.

    2. Webroot Parental Controls. It is possible to setup a “server” that manages all the clients. Far and away the best controll over who can use the computer when.

    3. The Zone Alarm Z100 hardware firewall with wireless G. Extreemly good content filtering. Note there is a supsciption fee per host per year that can be bought in groups of licenses for 5 hosts.

    I creat on each machine a “play” account and a “School” account. I then use the Webroot parentla controls to allow “play” only for a few hours after dinner and all day Saturday. The “student” account is allowed to go to only school related accounts any time of day. The content filtering is then done against checkpoints database via a proxy which has proven to be very good. I put the Z100 and other network equipment in a locked cabinet. If you have a tendency yourself to surf porn that you want to mitigate, have your wife enter the password for the Z100.

    The only bad thing I can say about the Z100 is that it is on the upper end of complexity for a home user. It’s ability to support printers via it’s USB ports is limited. I highly recommend checking with ZoneAlarm for supported printers before planning to use the USB/Printer function.

    I note that ZoneAlarm is owned by Checkpoint who makes six digit $$ firewalls for most of the banking industry.

    We don’t allow the public interstate system to be used for a crime, why the internet? The question is porn a crime? Or asserted that we cannot define it thus we cannot make it a crime. Is child porn a crime? Some place in the shades of gray from frontal Nudity to Child Porn a line is clearly crossed. “Under the Influance”, e.g. DUI is really shades of gray too but we don’t allow it on the highway or streets. Using the highways for a crime is a crime, for example crossing state lines with children of the “Ex”. I’m stating something we’ve already excepted, i.e. public resources should not be used in criminal activity. Do what you want with your own private network. But please don’t think the public Tax dollar should be used to support a crime.

  12. I have to agree with m g (Posted by: m g at March 10, 2009 9:56 AM). I have my own personal computer in my bedroom and another out in the living room.

    Both connected with a router to a cable connection and the last thing I want to do is to spy on any one using the client computer. What they are viewing is there business.

    I also noticed the person in question only “suspects” – no real proof – “I may not beleive in what you say, but I’ll defend your right to say it.”

    On the same hand, if there are children in the house, hopefully the son-in -law has taken necessary precautions to protect his child. I suspect in this case this statement is the bigger problem “… idiot son-in-law live in an apartment in our basement because he cannot support his family.”

    [link removed]

  13. If SIL and family are living in “an apartment in the basement”–is that apartment really the OP’s “own home”? What if rent is being paid?

    The OP will find that trying to control the behavior of others is only going to lead to more and more problems. Far better for her to work on her own reactions and behavior–the only things she really has the power to control. But, good for Leo for trying to help, anyway.

    I *heart* Ask Leo!

  14. Can you bypass opendns by modifing the dns on the computer you are using? Or use a web proxy to by pass it?
    You didn’t mentioned about desktop porn blockers, such as aobo porn filter, how do you think of this kind of software?

    Yes the DNS could be bypassed. That’s one of the reasons I started the article by saying that there’s no way to absolutely block anything.

    The questioner also did not have the option to install anything on the machine in question, so desktop blockers were not an option. Even so, any thing you install on the desktop can be bypassed by someone using the machine who has sufficient knowledge and motivation.

    – Leo
  15. You really need an internet filter software.
    Our company is using “WFilter” to filter websites, block p2p, filter emails…
    I am sure its helpful to you.

  16. Sorry for putting it in Dutch. Google had translated this webpage to Dutch, so here my addition in English

    An good option is K9 aswell. It is an endpoint solution though, but give a very good blocking possibility. Even VM’s on top of an os with K9 will not be able to bypass this blocker. It is owned by Bluecoat, who is providing contentfilters for Global 500 companies.
    It is free, but they make use of the community by getting the list of all sites through K9. You can set to block all sites, that aren’t tagged already. In my home network I use both K9 and OpenDNS. This is for all users that are bringing their laptop/smartphone to my home and make use of my internet. Further more, not every machine K9 can be installed on, per example laptops from your work.

    For my self I am still looking for a router that has the ability to block IP-addresses. Some people are sharing porno just from an IP address. This will bypass DNS, because it can set up a streight connection. (OpenDNS is not able to block these addresses, K9 is able to block them)

  17. Porn had almost ruined my relationship with my husband. He now goes to Sex Anonymous meetings. I downloaded a porn blocker {URL removed} and I also installed it on his work computer. There is no way he can view it now unless he goes to the public library or has a computer I don’t know about. My advice is not to give up on a relationship because of this. There are a ton of men who struggle with this but I finally decided to draw the line. If he messes up again he will be moving out! Tough love.. There is no exception.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.