Re: Suddenly OpenDNS not filtering

mallocarray1 · ‎12-14-2017

I've been using OpenDNS along with my Charter/Spectrum internet and a Ubiquity USG router for more than 2 years. In the last week, the OpenDNS updater on my computer has started saying I'm not using OpenDNS and filtering is not consistent.

Sometimes www.internetbadguys.com will be blocked while www.exampleadultsite.com is not blocked at all. Sites I've explicitly blocked are currently allowed.

I thought it may be due to an upgrade on my router, but I rolled it back to an earlier version and the same issue occurs.

It did seem that if I reboot the router, when the Internet connection comes up first, things are filtered as expected, then my Internet drops out for a few seconds and when it comes back,filtering is not working.

Could my ISP be doing something like redirecting or blocking?

I've run the common nslookup tests I've seen in other questions and I think it is resolving as expected, or at least I don't see anything saying it isn't a resolver

C:\WINDOWS\system32>nslookup -type=txt which.opendns.com. 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220

Non-authoritative answer:
which.opendns.com text =

"m53.dfw"

C:\WINDOWS\system32>nslookup -type=txt -port=443 which.opendns.com. 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220

Non-authoritative answer:
which.opendns.com text =

"m33.dfw"

C:\WINDOWS\system32>nslookup -type=txt -port=443 -vc which.opendns.com. 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220

Non-authoritative answer:
which.opendns.com text =

"m33.dfw"

rotblitz · ‎12-14-2017

Two things are important:

You must use OpenDNS. http://welcome.opendns.com/
Your IP address must be registered at https://dashboard.opendns.com/settings/

Your command outputs are not useful. They just show that you could use OpenDNS if you would. You better post from:

nslookup -type=txt debug.opendns.com.
nslookup whoami.akamai.net.

Just in case you use Charters DNSv6 service, you can configure the addresses ::ffff:d043:dedc and ::ffff:d043:dcde in your IPv6 settings.

mallocarray1 · ‎12-14-2017

Sorry, this is my second time writing my initial post as it lost my original one apparently.

The welcome.opendns.com site says I'm using OpenDNS. My IPv4 address is registered in my account and I have the OpenDNS Updater on my computer which is what originally told me that I wasn't using OpenDNS in the first place.

I do have IPv6 also setup, but I don't see a way to add my public IPv6 address to my OpenDNS account. But even sites that resolve to IPv4 addresses are not being filtered correctly.

C:\WINDOWS\system32>nslookup -type=txt debug.opendns.com.
Server: Router
Address: 192.168.2.1

*** Router can't find debug.opendns.com.: Non-existent domain

C:\WINDOWS\system32>nslookup whoami.akamai.net.
Server: Router
Address: 192.168.2.1

Non-authoritative answer:
Name: whoami.akamai.net
Address: 68.114.44.102

rotblitz · ‎12-14-2017

Your command output clearly shows that your router at 192.168.2.1 doesn't use OpenDNS, but Charter's DNS service. You must send your DNS traffic to OpenDNS, not to Charter.

"I don't see a way to add my public IPv6 address to my OpenDNS account."

You cannot do this, but you need to configure the above DNSv6 resolver addresses in your IPv6 settings.

mallocarray1 · ‎12-14-2017

I guess I'll work with my router vendor to ensure things are working correctly there. I have logged into the Ubiquity Unified Secure Gateway interface and confirmed I have both OpenDNS's IPv4 and IPv6 servers configured, but I'm also getting Charter's IPv6 from DHCP.

Why would the welcome page show that I am using OpenDNS?

admin@Router:~$ show dns forwarding nameservers
-----------------------------------------------
Nameservers configured for DNS forwarding
-----------------------------------------------
208.67.220.220 available via 'system'
208.67.222.222 available via 'system'
2620:0:ccc::2 available via 'system'
2620:0:ccd::2 available via 'system'
2607:f428:ffff:ffff::1 available via 'system'
2607:f428:ffff:ffff::2 available via 'system'

rotblitz · ‎12-14-2017

"Why would the welcome page show that I am using OpenDNS?"

This can have several reasons. The DNS lookup may have randomly gone over IPv4 or one of OpenDNS' IPv6 resolvers. Or you have been served out of your local resolver cache or browser cache.

2620:0:ccc::2 available via 'system'
2620:0:ccd::2 available via 'system'

Although this is 'using OpenDNS', these IPv6 resolvers do not make use of your dashboard. If you want content filtering and stats, use the ones I listed above.
Again: ::ffff:d043:dedc and ::ffff:d043:dcde

2607:f428:ffff:ffff::1 available via 'system'
2607:f428:ffff:ffff::2 available via 'system'

These are Charter's and should not appear here. Suppress or overwrite DHCPv6, else you will be using OpenDNS at best randomly.

mallocarray1 · ‎12-15-2017

Thank you for your help. I was able to find the command for my Ubiquity Unified Secure Gateway to disable the DHCPv6 provided DNS server

set interfaces ethernet eth0 dhcpv6-pd no-dns

I also changed to the IPv6 address you provided and now I'm filtering consistently.

Can the two following links be updated to include the addresses you provided that do filtering and stats?

https://support.opendns.com/hc/en-us/articles/227986667-Does-OpenDNS-support-IPv6-

https://www.opendns.com/about/innovations/ipv6/

rotblitz · ‎12-15-2017

Great to hear that it works now for you!

I'm a user like you and have no power to update any of those articles. Let's hope that staff stumbles over this and take appropriate action.

Whatever, the addresses I provided are the normal IPv4 resolver addresses in IPv6 notation. Their usage forces the DNS queries to go out over IPv4. This is rather a weak but viable workaround. The final solution should be full IPv6 support, e.g. being able to register an IPv6 prefix at the dashboard, etc. Therefore it may not be worth to update the articles with this workaround.