If your computer's configured DNS servers are changing to another set of values automatically, one of these scenarios is likely to be occurring.
To check your current DNS settings. To do so, please visit our DNS settings guide for computers and view if a DNS server is set statically with an IP address. If not (and is set to "Obtain DNS server address automatically"), please do not continue this guide as this article is not relevant. The computer configuration guide is located at https://support.opendns.com/forums/21618384.
Your DNS server settings are being changed to:
1) 127.0.0.1:
You are using DNSCrypt or the Roaming Client, and this behavior is completely expected. Please see the article at https://support.opendns.com/entries/37266750 for more information.
Solutions: There is not a problem in this case, as this is expected behavior.
2) 75.75.75.75 and/or 75.75.76.76:
You are using Comcast's Constant Guard. This security suite is provided for free by Comcast for all customers, and includes a utility that covers its users by ensuring that you are using Comcast's DNS servers.
This segment is targeted at Comcast Constant Guard users; however, it may also apply to other security suites that also automatically change DNS settings.
If you configured your router or computer for OpenDNS but notice that it isn't working, please begin by clearing your DNS cache (http://www.opendns.com/support/article/67). Next, please visit http://welcome.opendns.com and confirm if you see the check mark. If not, this may be as a result of ConstantGuard.
Solutions:
1. Open Comcast Constant Guard, and click on "Options:"
2. Set the "Set DNS Lock Protection to: to "OFF"
3. Set your DNS servers back to OpenDNS or "Obtain DNS server address automatically" using the instructions at https://support.opendns.com/forums/21618384.
Visually, please watch the following video for an example of what Constant Guard behavior would look like and how to resolve it.
https://www.youtube.com/watch?v=oZfWBA0Xa0Y
3) 209.222.18.222 and 209.222.18.218:
You are currently using a privateinternetaccess VPN service. This service's VPN client automatically sets your DNS servers to 209.222.18.222 and 209.222.18.218 and cannot be changed while you are connected to the VPN. Unfortunately, there is no way around this, and you will be unable to use OpenDNS while connected to this type of VPN client.
Solutions: Cease using privateinternetaccess for VPN service and switch providers to one that supports a standard VPN client if you wish to use OpenDNS over the VPN.
4) Avast! Internet Security 2015
If you are using Avast! Internet Security 2015, refer to our Avast! instructions page to disable their "Secure DNS" setting which may have automatically been enabled during an upgrade or install. OpenDNS also provides secure DNS as well as filtering, and disabling Avast's version will not decrease your network security.
Comments
13 comments
So then, anyone that uses my internet at home and they have Avast secure DNS setting enabled, they can surf the net as free as a bird and there's nothing OpenDNS can do about it?
I still don't understand how can I piece of software can bypass a static dns setting at the router level.
"there's nothing OpenDNS can do about it?"
No, not OpenDNS, because it is your network, but you can.
Block port 53 passthrough on the router and allow only the router's IP address as DNS server address, or redirect all DNS queries from the router to OpenDNS.
@magdiel1975 If you are the person who has asked this in several other threads it has been explained to you several times in several ways by more than one person. In the case of Avast it is locally installed software that bypasses standard DNS by making a direct and encrypted link to their servers. If you are concerned about people coming onto your network and doing things you don't want them to do, then don't let them on your network in the first place.
If you choose to let them on your network anyway then you need follow standard security practices and lock down what you can. Besides, even if OpenDNS or any other DNS service could block this specific thing, all they need to do is use a VPN connection and they can bypass pretty much any filtering or security that you have in place.
@rotblitz..
blocking port 53 does not work either if the user has avast dns server enabled, it somehow bypasses all the configurations at the router level :(
@magdiel1975
I understand your concern 100%
@magdiel1975
if you have the capability of adding firewall scripts in your router, you can use
iptables -I FORWARD -i br0 -o vland2 -j DROP
to block VPN leaks, but as mentioned before, if the user has avast dns enabled, it will bypass the router firewall iptable settings, so obviously this won't work in that case.
thank you pastelaso..
you are correct.. with the iptables code in my router, I cannot connect to my work vpn, but with another computer I have with avast dns enabled, I could.
wanted to point out that the script has a typo..
"iptables -I FORWARD -i br0 -o vland2 -j DROP"
it's supposed to be "iptables -I FORWARD -i br0 -o vlan2 -j DROP"
ooops..
Good catch..my apologies :)
@pastelaso29
"blocking port 53 does not work either if the user has avast dns server enabled"
Yes, but this was not about "AVAST! Secure DNS". For Avast you'll want to refer to this thread:
https://support.opendns.com/entries/57943894
@rotblitz
I see that magdiel1975 has already posted his question on that other thread..but that other thread only show how to disable the avast feature, which I don't believe it resolves his issue.
@magdiel1975
I don't think there is anything you can do about blocking Avast DNS or any other DNS on your network, since you have stated that blocking port 53 has no effect on Avast DNS.. good luck with that mate
@rotblitz
I have already posted my question on that other thread..but that other thread only show how to disable the avast feature, which I don't believe it resolves my issue.
"I don't believe it resolves my issue."
Sorry, but then I didn't understand what your issue was.
No matter, this thread here is about "DNS Servers Configuration Keep Changing Away from OpenDNS Automatically" and is from a year ago, listing an (outdated) version of a DNSCrypt preview, Comcast's Constant Guard, the privateinternetaccess VPN service, and apparently later updated with AVAST! ! Internet Security 2015 which is also handled in the other thread I linked to above. It is to provide instructions about preventing these softwares from changing the computer's DNS server settings, not more and not less.
Therefore one of these items would be your issue, else you would not have posted in this thread but opened a new one.
Ah wait, is this your issue?
"So then, anyone that uses my internet at home and they have Avast secure DNS setting enabled, they can surf the net as free as a bird and there's nothing OpenDNS can do about it?"
Although this is off-topic in this thread, the answer to this is: yes, and yes, i.e. yes to all, except for the "can surf the net as free as a bird". Your router may have other restriction methods beside DNS, so use these. Examples would include MAC address authentication and port and IP address filtering, maybe keyword filtering.
"I still don't understand how can I piece of software can bypass a static dns setting at the router level."
This is because this (and other pieces of) software do not use the router's DNS settings but their own DNS settings. Therefore they seem to "bypass" your router settings. But no, this is not bypassing, but just not using (i.e. ignoring) them. Not only normal home consumer routers are often not fool-proof enough to prevent from being able doing this.
And also, people even pay for this piece of AVAST! software, so they can expect that it really does what it is supposed to do, else it would be a bad product if the Secure DNS function wouldn't reliably work. People would correctly complain with the supplier then and would demand their money back. This is not the risk a company with good reputation should take.
I believe magdiel1975 fundamentally misunderstands how DNS and the Avast software works. Just because someone has the software or the DNS numbers doesn't mean they automatically have access to the network. For one thing, there should be a password on the computer to log onto the computer, for example. Then the wifi network should have it's own password. No passwords, no access. Roblitz tries to explain the other safeguards on the network. I'm sure magdiel1975 doesn't understand how silly her question sounds: IF I HAVE A KEY AND A LOCK DOES THAT MEAN ANYONE WITH THE KEY CAN OPEN THE LOCK?? AS FREE AS A BIRD? Yes magdiel, if you give someone a key, they can open the lock the key belongs to. I don't want to get too technical in describing how this works, let's just say it's magic.
Please sign in to leave a comment.