
OpenDNS doesn't work with CGNAT style services like Starlink

ga1
Level 1

OpenDNS has a big problem with services, like mobile internet and Starlink, where multiple users get the same IP address. The first person to set the IP address as "theirs" gets to control the OpenDNS settings for all users on the same IP address. This is clearly unworkable. 

I've reported this to support but I'm not sure they understand the issue. 

Meantime I have had to move away from OpenDNS, which is a real shame as a paid-up user for many years.

A side comment - there are many broken links too. It feels like Cisco is just letting OpenDNS slowly die.

 

11 Replies

reham1
Cisco Employee

Hello, 

If your IP address has been recorded as a NAT'd IP address and cannot be registered to a single user in the OpenDNS system, this is because it is shared among many users in your area or region.

Please contact your ISP and request to be assigned a dynamic or static IP address outside of your ISP's NAT'd IP range. If you're successful in doing so then you can register your IP address with OpenDNS.

 

ga1
Level 1

Mobile ISPs and the likes of Starlink don't allocate non-CGNAT addresses for good reasons.

This is rendering OpenDNS pointless. I had thought your updater might be smart, and ID a user over CGNAT (other services do this routinely) - but it doesn't do that.

Sadly after many, many years I'll be ending my paid sub to OpenDNS - the service simply no longer works.

What you should do, if not providing a smart updater, is provide a set of different IPs for different protection levels.

reham1
Cisco Employee

We do not provide IP addresses or host domains.

If you wish you can enter a request for the smart updater feature in our Idea Bank - https://support.opendns.com/hc/en-us/community/topics/201090987-OpenDNS-Community-Idea-Bank

ga1
Level 1

I didn't suggest you provide IP addresses or host domains. What I suggested is that you expand what you already do, and provide more DNS IP addresses for different OpenDNS protection levels.

reham1
Cisco Employee

Hello,

We do not provide IP addresses, and new IP addresses cannot just be created (for more information see https://en.wikipedia.org/wiki/IP_address).

I hope that helps.

ga1
Level 1

You're not reading my comment. I'll try once more. You provide several IP addresses for DNS - 208.67.222.222 for instance. You have some that have fixed protection functions. I suggested you expand that. And, there's plenty of free IPv4 addresses about. I'd think that Cisco would know this.

reham1
Cisco Employee

We do register proven CGNAT'd IP addresses so they should not be registered with us.

Cisco only uses the four DNS server addresses: the FamilyShield numbers of 208.67.222.123 and 208.67.220.123, and the OpenDNS numbers of 208.67.220.220 and 208.67.222.222.

If you wish to have Cisco add more you can enter a request for this feature in our Idea Bank - https://support.opendns.com/hc/en-us/community/topics/201090987-OpenDNS-Community-Idea-Bank.

 

 

jimbabwe1
Level 1

ga1, I see how it appears you are talking to a brick wall.

reham1
Cisco Employee

Hello,

If you wish you can enter a request for this feature in our Idea Bank - https://support.opendns.com/hc/en-us/community/topics/201090987-OpenDNS-Community-Idea-Bank

jimbabwe1
Level 1

OpenDNS has known about this problem, based on comments I've read in this forum, for 7 years.

I will not waste my time requesting, nor waste my time waiting, for OpenDNS to address it.

I was able to shut down all 270 subscribers of my ISP. That's not right and OpenDNS should fix it.

I will not be using OpenDNS any more.

dig
Cisco Employee

CGNAT is an unfortunate trade-off due to the limited address space in IPv4, and it affects all services that rely on tracking/identifying the source IP of traffic to a single subscriber. We're making multiple improvements that are meant to identify and prevent network registrations in shared address space. This unfortunately means that OpenDNS network registration will not work when the source IP can't be tied to a single subscriber.

The DNS service remains available to anyone behind CGNAT; basic malware/phishing protection is available by default to anyone using the OpenDNS service if coming from an unregistered source, and FamilyShield IPs provide a reasonable default set of content filtering categories. If you have your traffic going through CGNAT with your provider and you notice that the network has been "claimed" by someone and should be released, or have accidentally claimed it for yourself, please let our Support team know.

If you know you are behind CGNAT (or are an ISP reading this), please let us know in the forums or via a Support ticket what the expected IP ranges are, with any supporting documentation, and we'll be able to exclude them from registration.
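
A check to run before attempting network registration from a Starlink or mobile connection, added here as an example and not part of any post in the thread: it compares the router's WAN address with the public address the internet sees and only advises registration when the two match. The function names are hypothetical, the 100.64.0.0/10 range is the RFC 6598 shared address space (not quoted in the thread), the resolver addresses are the ones quoted above, and the sample addresses in the comments are constructed.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT (IPv4 only).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Resolver addresses as quoted in the thread.
OPENDNS = ("208.67.222.222", "208.67.220.220")
FAMILYSHIELD = ("208.67.222.123", "208.67.220.123")


def classify_wan(wan_ip, public_ip):
    """Classify the path between the router's WAN port and the internet.

    wan_ip:    address shown on the router's WAN/status page (assumed input)
    public_ip: address an external what-is-my-IP service reports (assumed input)
    """
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan in CGNAT_NET:
        return "cgnat"          # e.g. 100.72.14.9 (constructed sample)
    if any(wan in net for net in RFC1918):
        return "upstream-nat"   # may be a local double NAT; confirm with the ISP
    if wan != pub:
        return "translated"     # public WAN address, but rewritten on the way out
    return "direct"


def advise(wan_ip, public_ip, want_filtering):
    """Say whether to register the network and which resolvers to configure."""
    path = classify_wan(wan_ip, public_ip)
    register = path == "direct"
    # Without registration there is no per-account policy, so content
    # filtering has to come from the fixed-policy FamilyShield resolvers.
    if want_filtering and not register:
        resolvers = FAMILYSHIELD
    else:
        resolvers = OPENDNS
    return {"path": path, "register_network": register, "resolvers": resolvers}


if __name__ == "__main__":
    print(advise("100.72.14.9", "203.0.113.10", want_filtering=True))
    print(advise("203.0.113.10", "203.0.113.10", want_filtering=True))
```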