09-26-2015 05:42 PM
It appears that I am not using OpenDNS any more on my network. I would like to be able to get it working again.
I get the following test output:
C:\Users\Joe>nslookup -type=txt debug.opendns.com.
Server: router.asus.com
Address: 192.168.1.1
*** router.asus.com can't find debug.opendns.com.: Non-existent domain
C:\Users\Joe>nslookup -type=txt which.opendns.com. 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220
Non-authoritative answer:
which.opendns.com text =
"I am not an OpenDNS resolver."
opendns.com nameserver = auth1.opendns.com
opendns.com nameserver = auth2.opendns.com
opendns.com nameserver = auth3.opendns.com
auth1.opendns.com internet address = 208.69.39.2
auth2.opendns.com internet address = 67.215.92.66
auth3.opendns.com internet address = 208.69.39.2
(root) ??? unknown type 41 ???
C:\Users\Joe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : KOENIG-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82567LM-3 Gigabit Network Connection
Physical Address. . . . . . . . . : 00-24-81-18-F5-27
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::69:6e95:784f:86d3%3(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, September 16, 2015 8:05:08 PM
Lease Expires . . . . . . . . . . : Sunday, September 27, 2015 7:25:01 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 268444801
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-5D-C9-B3-00-24-81-18-F5-27
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{585EA215-1543-474C-901A-85CE4FA9E242}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Please see attachments for router settings.
Any help is greatly appreciated.
09-26-2015 08:28 PM
Have you made any recent changes on your network, or with your ISP?
It appears that things are configured properly on your router and your PC, but there are some things you should check. I think I'm seeing something odd in the nslookup results, but I'm not as experienced with those as others, so I'll let them comment.
1) Make sure that your public IP address is properly registered on your OpenDNS dashboard
2) Disable IPv6 on the router
3) Make sure that your router has the latest firmware installed
09-26-2015 10:20 PM
Thanks mattwilson9090 for your quick response.
The only other incident that happened to my network is that I inadvertently installed a botnet, got blocked by my ISP a couple of times; I finally removed it after I identified the offending software (around July). I was also hosting a website using dyn.com service. I took the DNS hosting offline recently and no longer host any website. I need to start having web filtering at home so my kids can surf the internet safely.
By the way, IPv6 is disabled on my router and my public IP is registered with OpenDNS.
09-26-2015 10:36 PM
The router also has the latest and greatest firmware.
09-27-2015 04:16 AM
Definitely, your ISP is redirecting your DNS queries to their own DNS service, so that they don't reach OpenDNS. You'll have to contact your ISP to opt out from this DNS hi-jacking.
If this is not successful, you may be able to circumvent this redirection by using DNSCrypt: https://dnscrypt.info/
09-27-2015 09:59 AM
Thanks rotblitz. I contacted my ISP and they were of little help since the issue is still there. They said that my router might be the issue, but I am sure it is not since I also performed a device setup on my PC without a change in the outcome. I will give DNSCrypt a try although at this point, I am willing to go for a paid solution; a router with DNSCrypt already installed would be sweet. I am also willing to spend time to set up my own router with DNSCrypt.
09-27-2015 11:09 AM
I tried DNSCrypt on my PC and I was pleasantly surprised that it worked not only on my PC but also on the clients connected to the network. I suspect that my PC must be running all the time to protect the network. My next step should be trying this on a router setup.
Thanks again for all your help!
09-27-2015 11:14 AM
No, your router is not the issue, as can be seen from your command outputs.
Before you invest in a router to run DNSCrypt on it, ensure that DNSCrypt really solves the problem. Or perform a pre-test without DNSCrypt:
nslookup -type=txt -port=443 debug.opendns.com. 208.67.220.220
nslookup -type=txt -port=443 -vc debug.opendns.com. 208.67.220.220
nslookup -type=txt -port=5353 debug.opendns.com. 208.67.220.220
nslookup -type=txt -port=5353 -vc debug.opendns.com. 208.67.220.220
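The reading applied to the nslookup output in this thread, as an added example that is not part of any post: it parses a pasted console transcript and classifies each run, and it ignores options such as -port=443 and -vc so the pre-test commands can be fed to it too. The function names, verdict labels and the second resolver address (208.67.222.222, OpenDNS's other public resolver) are not from the thread.

```python
import re

# 208.67.220.220 is the resolver used in the thread; 208.67.222.222 is an
# assumption added here (OpenDNS's other public resolver address).
OPENDNS_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# Constructed sample: the two nslookup runs from the first post, trimmed.
SAMPLE = """\
C:\\Users\\Joe>nslookup -type=txt debug.opendns.com.
Server: router.asus.com
Address: 192.168.1.1
*** router.asus.com can't find debug.opendns.com.: Non-existent domain
C:\\Users\\Joe>nslookup -type=txt which.opendns.com. 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220
Non-authoritative answer:
which.opendns.com text =
"I am not an OpenDNS resolver."
"""

def parse_runs(transcript):
    """Split a pasted console transcript into one dict per nslookup command."""
    runs = []
    for line in transcript.splitlines():
        line = line.strip()
        cmd = re.search(r"nslookup\s+(.*)", line)
        if cmd:
            # Drop options (-type=txt, -port=443, -vc); keep name and server.
            args = [a for a in cmd.group(1).split() if not a.startswith("-")]
            runs.append({"name": args[0].rstrip(".").lower(),
                         "asked": args[1] if len(args) > 1 else None,
                         "nxdomain": False, "txt": []})
        elif runs and "Non-existent domain" in line:
            runs[-1]["nxdomain"] = True
        elif runs and line.startswith('"') and line.endswith('"'):
            runs[-1]["txt"].append(line.strip('"'))
    return runs

def classify(run):
    """Return a verdict for one run, following the reasoning in the thread."""
    denied = run["nxdomain"] or any("not an OpenDNS resolver" in t for t in run["txt"])
    if not denied and run["txt"]:
        return "answered-by-opendns"
    if run["asked"] in OPENDNS_RESOLVERS:
        # Addressed to OpenDNS, yet the responder denies being OpenDNS.
        return "intercepted-on-path"
    return "default-resolver-not-opendns"

def verdicts(transcript):
    return [(r["name"], classify(r)) for r in parse_runs(transcript)]
```

A verdict of intercepted-on-path says only that something between the application and the OpenDNS address answered in its place; it does not say whether that is the ISP or software on the PC.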
09-27-2015 11:24 AM
Oh, my last message was overlapping with yours.
"I tried DNSCrypt on my PC and I was pleasantly surprised that it worked not only on my PC but also on the clients connected to the network."
Oh no, it should work only on the PC then. If it also works on the other devices now, calling your ISP has helped, and you may be able to use OpenDNS just normally, without further measures.
This is the test you can perform on every device: http://welcome.opendns.com/
09-27-2015 01:13 PM
Ok good. I am debating whether to uninstall DNSCrypt or not. I suppose it doesn't hurt to leave it installed.
09-27-2015 02:30 PM
Sure, using DNSCrypt is a good idea, generally. It is just a bit more effort, especially if you install it on every device.
09-30-2015 04:17 PM
Hi joeraven,
Sorry to hear you are having issues. DNSCrypt usually doesn't affect OpenDNS usage, though it does encrypt your DNS queries from your computer to your designated DNS resolver. Could you please submit a support ticket so we can take a closer look at your case? Please run our diagnostic tool according to instructions here: https://opendns.zendesk.com/entries/21841580-Diagnostic-Tool-Link-and-Instructions and submit the URL of the finished test to us.
Cheers!
09-30-2015 07:43 PM
Hi Eden,
OpenDNS is working for me now as long as I disable Avast's Secure DNS. I found in another thread that my Avast antivirus' Secure DNS feature interferes with OpenDNS web filtering. Furthermore, my kids have the same antivirus. So all three PCs were effectively encrypting DNS queries and thus not redirecting them to OpenDNS. I also found out that Avast uses the same DNS encrypting software DNSCrypt. So basically, if anyone on my network wants to circumvent OpenDNS web filtering, all they have to do is enable Avast's Secure DNS feature or at least that is my conclusion. Let me know if you think I still need to submit a support ticket, but I think the root cause problem is Avast's DNS encrypting feature. Thanks again for your response.
10-01-2015 01:49 AM
Absolutely no reason to open a ticket. You found the root cause, and you fixed it.
10-01-2015 10:38 AM
Hi joeraven,
Yes, Avast's Secure DNS does cause conflicts with OpenDNS, so I'm glad to hear that it's working now that you've turned it off. If you'd like to read up about this topic, please take a look at this article: https://support.opendns.com/entries/57943894-Avast-2015-Security-Suite-Secure-DNS-and-OpenDNS. If you are happy with the results now, then you won't need to open a ticket. If you run into problems in the future though, feel free to talk to us!
Cheers!