08-28-2016 01:14 PM
No, this isn't a thread asking OpenDNS to support IPv6. I've already posted in support of those threads.
This is a thread trying to explore some ideas to use IPv6 with OpenDNS filtering intact. Unfortunately I can't test any of them out right now since following a recent change in ISP I can't reestablish my IPv6 tunnel connection and the ISP isn't yet offering IPv6.
The first idea was inspired by a relatively recent conversation in here, though it wasn't related to IPv6. Basically it was using "firewall" type rules to block all port 53 traffic to non-OpenDNS addresses, and only allow port 53 to OpenDNS addresses. Could a similar technique be used for IPv6, only this time filtering all IPv6 port 53 traffic? My thinking is that even with IPv6 enabled, the DNS traffic would be forced to go out via IPv4, thus allowing OpenDNS to filter it. Of course it would require a firewall or router that could process that type of IPv6, which might be a challenge to find. My biggest concern is about performance, since IPv6 DNS lookups would first have to be rejected before IPv4 could be tried (unless IPv4 and IPv6 requests were sent at the same time, but I'm uncertain how the various OSes would handle that).
The second option I think is preferable, since it sidesteps questions of which OS is used, and whether the original request is made via IPv4 or IPv6. Why not use DNSCrypt? I'm not an expert on DNSCrypt, but it appears that it only connects to a single IP address, and with the implementation on my router you choose from a limited set of DNS providers. The list for OpenDNS included IPv4, IPv6, and FamilyShield. Since DNSCrypt essentially functions as a DNS forwarder for the rest of your network, regardless of how the traffic reaches it, it then sends it where you specify. In this case I don't think it would matter if the original request was via IPv4 or IPv6 since it would send it along via IPv4, which could then be filtered by OpenDNS. It should return AAAA and A records for the lookup, and if you are using IPv6 the actual internet connection could be made by IPv6. As a side effect security is enhanced since the traffic between your network and OpenDNS is encrypted, validating that it's received unchanged by any man in the middle.
Thoughts?
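One way to express the first idea above (force LAN DNS through the router's IPv4 path to OpenDNS, and refuse IPv6 DNS to outside resolvers) as iptables/ip6tables rules. This is an added example, not code from the thread; it assumes the LAN bridge is `br0`, that the router itself (running DNSCrypt) answers DNS on port 53, and it uses OpenDNS's published IPv4 resolver addresses. With `DRY_RUN=1` (the default) it only prints the rules it would apply.

```shell
#!/bin/sh
# Hypothetical DNS lockdown for a Tomato-style router (assumed names: br0 LAN bridge,
# DNSCrypt listening locally on port 53). DRY_RUN=1 prints rules instead of applying them.
OPENDNS_V4="208.67.222.222 208.67.220.220"   # OpenDNS public IPv4 resolvers
LAN_IF="${LAN_IF:-br0}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  # Print the command in dry-run mode, otherwise execute it.
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

dns_lockdown_rules() {
  # 1. IPv4 clients that hard-code a third-party resolver are redirected to the
  #    router's own DNS (DNSCrypt -> OpenDNS), so filtering still applies.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 -j REDIRECT --to-ports 53
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 53 -j REDIRECT --to-ports 53

  # 2. Belt and braces: forwarded IPv4 DNS is only allowed to OpenDNS, everything else dropped.
  for ip in $OPENDNS_V4; do
    run iptables -A FORWARD -i "$LAN_IF" -p udp --dport 53 -d "$ip" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 53 -d "$ip" -j ACCEPT
  done
  run iptables -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j DROP
  run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 53 -j DROP

  # 3. IPv6: OpenDNS cannot filter v6 lookups here, so forwarded v6 DNS is dropped outright.
  #    Clients then fall back to the router, whose upstream path is IPv4 via DNSCrypt.
  #    (DROP, not REJECT, so the client retries quickly rather than caching an error.)
  run ip6tables -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j DROP
  run ip6tables -A FORWARD -i "$LAN_IF" -p tcp --dport 53 -j DROP
}

dns_lockdown_rules
```

Rules are appended (`-A`), so on a router with existing FORWARD rules check ordering with `iptables -L FORWARD -n --line-numbers` before applying for real.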
08-28-2016 02:44 PM
Your thoughts and ideas are completely right.
Yes, it's hard to find a router which can differentiate by port/protocol (TCP, UDP) and by Internet Protocol (v4, v6). The outgoing port rules on my (pretty advanced) router are good for both, IPv4 and IPv6. (Not so with the inbound FW rules.)
But DNSCrypt (https://dnscrypt.org/) or DeleGate (http://delegate.org/) are indeed options to proxy IPv6 traffic to IPv4 traffic. The DNSCrypt article https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown has its own IPv6 support section. With this you get full filtering and stats also with IPv6 enabled. The challenge is the installation of DNSCrypt or DeleGate on the router though.
08-28-2016 03:15 PM
I'm glad to know that my thinking was accurate, especially since I can't test it right now.
Out of curiosity, what router are you using? I'm running an ASUS RT-N66U with Toastman 1.28.0510.1. It's got iptables and ip6tables, though they are not directly exposed in the GUI, so I'd have to enter text commands in the interface. I'm sure I can do it, but it would be a pain, plus as I mentioned, I'm uncertain about potential performance issues.
Fortunately I don't have to worry about installing DNSCrypt on this router since it's already installed and works just fine. I'm not sure when it was added but I did notice it after I changed my ISP and started going through these adventures with getting my IPv6 tunnel to work with them.
This has become more of an issue lately since a regional ISP has altered how they are giving out IPv4 and IPv6 so I've been forced to examine solutions to getting OpenDNS to work with IPv6. Depending on the configuration I've now got various options on router, PC, or server using DNSCrypt.
Now if only I can get my IPv6 tunnel working again I can actually test with some things before I'm forced to deal with it for my clients.
08-29-2016 10:26 AM
My router is this: https://en.avm.de/products/fritzbox/fritzbox-7490/
I've got a dual-stack internet connection (native IPv4 and native IPv6), and nearly all DNS traffic goes over IPv6, and web traffic with priority over IPv6. Just IPv4-only sites are still reached over IPv4. That said, there is in fact no OpenDNS filtering and stats anymore, just plain DNS via IPv4 and IPv6. I had to jailbreak my FRITZ!Box to install DNSCrypt, and this is not a good idea in warranty cases and in cases of firmware upgrades. The only other option would be to disable IPv6 on the router or on the devices, and this is not what I prefer. There are no minors in the household, so it's not really pressing.