Amplifi HD and OpenDNS

Comments

33 comments

  • mattwilson9090
    I'm not sure what their customer support meant when it does not support OpenDNS, but in most cases, if your computer is using the router as its DNS server, and the router is pointed to the OpenDNS addresses, that's enough to get started.
     
    What happens when you go to the following website? What message do you receive? http://welcome.opendns.com/
     
    If you are trying to block adult websites, what happens when you go to this website? http://www.exampleadultsite.com/
     
    Please copy and paste the complete output of the following commands. If you choose to provide a screenshot rather than pasting the text do not provide a link to a third party website since it's very possible that the security conscious people reading this forum have that domain blocked. Instead use the "Attach file" link at the bottom of this page. Note, the periods at the end of each command are part of the command, do not omit them or the results won't be usable for diagnostic purposes.
     
    nslookup -type=txt debug.opendns.com.
     
     
    ipconfig/all
    1
  • nfar

    I am not sure how to tell my computer to use my router as its DNS server, but maybe it helps to clarify that I was using multiple devices on my network with similar results.  I have a MacBook Air, two iPhones, and an iPad that I was using to try to verify if any filtering was happening.  I have young kids so I am trying to block all of the obvious bad stuff.  

    If I go to internetbadguys.com, it gives me the message that it is a demo site only and would be blocked if I was using OpenDNS.  Translation: No filtering.

    If I go to the OpenDNS welcome page, I get the Red X along with a message that I am not using Open DNS.  Translation: No filtering.

    Interestingly, if I go to exampleadultsite.com, it is blocked on my computer and iPhone, but not on the iPad.  Mixed results.

    I believe the commands you listed above are for Windows based machines, and I have a Mac, but I am not an expert so I tried running those commands in Terminal on my MacBook Air.  Results are below. 

    Appreciate your help!

    0
  • nfar

    Doing more digging, I found that my devices had their own DNS settings and were not using the router's DNS settings.  It was not this way with my previous router, which was an Asus RT-AC3200.  How do I force all devices to use the router DNS settings without manually having to change the settings on each device?

    0
  • rotblitz (Edited)

    Your outputs show that you don't use OpenDNS at all, as you have found out yourself too by visiting http://welcome.opendns.com/.

    The DNS server at 192.168.167.1 (which may be your router) is not forwarding your DNS traffic to OpenDNS, or your ISP redirects your DNS traffic to their own DNS service.  To verify the latter:

    nslookup -type=txt which.opendns.com. 208.67.220.222

    If this returns "I am not an OpenDNS resolver", then your ISP redirects your DNS traffic, and any settings on your router or computer do not take any effect.  You can try to circumvent this restriction with https://dnscrypt.org/

    If it is not your ISP, but your router, then you have to refer to your router's support. However, this "they said that Amplifi does not "support" OpenDNS" doesn't sound very promising.  Don't ask for OpenDNS, but generally for any 3rd party DNS service to be configured.

    "How do I force all devices to use the router DNS settings"

    You configure the end user devices to obtain their network settings automatically via DHCP from the router.  And you configure the router to not let through alternative DNS traffic over port 53.  This helps only if you can configure your router to use OpenDNS, and if your ISP doesn't redirect your DNS traffic, and if you can block port 53 passthrough on your router.

    "without manually having to change the settings on each device?"

    This is even harder and possible only if your router has the capability to be configured for redirecting all traffic to port 53 to OpenDNS.  Router firmwares being able to do this usually have a CLI and allow for the iptables command.

    0
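The `which.opendns.com` check from the post above, turned into a small classifier; this is an added example, not code from the thread. The sample outputs are constructed, the TXT value in `WORKING` is a placeholder, and the verdict names are hypothetical labels.

```python
import re

# Reply the thread says you get when the answering resolver is not OpenDNS.
MARKER = "I am not an OpenDNS resolver"
# OpenDNS resolver addresses quoted in the thread.
OPENDNS = {"208.67.222.222", "208.67.220.220", "208.67.220.222"}

def parse(output):
    """Return (server, txt_strings) from `nslookup -type=txt` output."""
    server, txts = None, []
    for line in output.splitlines():
        m = re.match(r"\s*Server:\s*(\S+)", line)
        if m and server is None:
            server = m.group(1)
        else:
            # Unix prints `name text = "value"`; Windows puts the quoted
            # value on its own line. Collecting quoted strings covers both.
            txts.extend(re.findall(r'"([^"]*)"', line))
    return server, txts

def diagnose(output):
    server, txts = parse(output)
    if not txts:
        return "inconclusive"            # timeout or no TXT answer at all
    if any(MARKER in t for t in txts):
        # Asked an OpenDNS address directly and something else answered:
        # port 53 is being redirected upstream of this machine.
        if server in OPENDNS:
            return "isp-redirect"
        # Asked the default resolver (e.g. the router): its path does not
        # end at OpenDNS; repeat the query against 208.67.220.222 to tell
        # a router problem from an ISP redirect.
        return "default-path-not-opendns"
    return "opendns"

# Constructed sample outputs (not taken from the thread).
REDIRECTED = """Server:   208.67.220.222
Address:  208.67.220.222#53

Non-authoritative answer:
which.opendns.com   text = "I am not an OpenDNS resolver."
"""
VIA_ROUTER = REDIRECTED.replace("208.67.220.222", "192.168.167.1")
WORKING = REDIRECTED.replace(MARKER + ".", "constructed-placeholder")
TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    for name in ("REDIRECTED", "VIA_ROUTER", "WORKING", "TIMEOUT"):
        print(name, "->", diagnose(globals()[name]))
```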
  • nfar

    As I mentioned above, my previous ASUS router had no problems with OpenDNS.  Therefore I assume my ISP allows it as well.  I discovered my devices were using their own DNS addresses, so I updated them to the OpenDNS servers and now the filtering is working.  

    All of my devices have DHCP selected, so I don't know why they were using a separate DNS server.  I am far from a tech expert, but what I think may have happened is when I set up the new Amplifi Router, it pushed my ISP's default DNS settings out to each device.  Now I have to "undo" that.  On my iPhone, I thought I'd give this a test by "Forgetting" my wifi network and re-connecting, in hopes that it would push my new OpenDNS info through as the DNS server on my phone.  But this was a failure, as after I reconnected to the network, I got the old 192.168.167.1 DNS server showing up on my phone.  

    0
  • rotblitz

    You're wrong, with nearly all of your assumptions, "thinking", "hopes".

    "All of my devices have DHCP selected"

    Fine, but this is in contrast to "I updated them to the OpenDNS servers".  Only one option is possible at any time.  The devices either obtain their settings via DHCP, or the DNS entries are statically configured on them.

    "what I think may have happened is when I set up the new Amplifi Router, it pushed my ISP's default DNS settings out to each device."

    You could have checked it at this time, but you didn't.  So you cannot know.  But most likely you're wrong.

    "Now I have to "undo" that."

    You cannot "undo" DHCP.  This is an automatic process on which you have no influence and which executes each time a device connects to your network.  You just may be able to enable/disable it and to configure what network settings are to be propagated via DHCP, including the DNS server settings if you configured it on the LAN/DHCP side.

    "in hopes that it would push my new OpenDNS info through as the DNS server on my phone.  But this was a failure, as after I reconnected to the network, I got the old 192.168.167.1 DNS server showing up on my phone."

    Nope, this is not how it is supposed to work.  Your end user devices send the DNS queries to your router (therefore 192.168.167.1 as DNS server on the devices), and the router is to forward them to OpenDNS if you have it configured on the WAN side.  Only if you configured OpenDNS on the LAN/DHCP side (suboptimal), then the OpenDNS resolver addresses will be propagated via DHCP to the devices.

    Where do you have the OpenDNS resolver addresses configured?  Can you post a screen shot of where you have OpenDNS configured on the router?  Is there a link to a user manual of your router?

    0
  • nfar

    Please remember that I know nothing about this stuff.  I am an average guy trying to set up DNS filtering.  

    In regards to the DHCP and manual configurations - I agree with what you are saying, but my devices all say DHCP and I am able to manually change DNS settings.  Screenshots are attached. The top two come from my MacBook.  Under TCP/IP, it clearly says "Using DHCP".  If I go to the DNS tab, it let me manually put in the OpenDNS info.

    The last two screenshots come from my iPhone.  The first is from the Amplifi App and shows the router settings, again with DHCP.  The second is the wifi settings on my iPhone itself.  In both the Amplifi App, as well as on my iPhone wifi settings, it allows me to tap on the DNS info and punch in any DNS address that I want, all while DHCP remains.




    0
  • mattwilson9090

    If you are an average person who doesn't understand this, saying that in every post, along with speculations, assumptions, and attempted interpretations on every result is not only pointless, but it rapidly pisses off people who are volunteering their time to help you, since they then need to spend even more time dealing with things that are unrelated. It's far better just to answer the questions asked, and if you don't understand anything, or want more information, to ask for more detail, not just to speculate endlessly.

    The IP address 192.168.167.1 most definitely is your router. The ipconfig/all command would have identified that for us earlier, but that command does not exist on a Mac. I believe the command there is ifconfig /all

    Anyway, on to the rest of this response. I honestly can't tell which pic is supposed to be displaying what. Your description of which is simply confusing when I look at them and try to figure out what is what. Can you respond with screenshots JUST of the router configuration screens?

    0
  • nfar

    My apologies if I am making it more difficult than it needs to be.  Just trying to understand it better.  This is the screenshot of the router configuration on the Amplifi App on my iPhone.

    0
  • mattwilson9090

    Ok, it appears as if the router is properly configured to use OpenDNS, that's a good confirmation.

    Now please send the results of ifconfig/all from one of the Macs. If you can't get any results from that please send a screenshot of the network configuration from the Mac. The command will be more definitive, but the settings page will at least give an idea of what's going on.

    0
  • nfar

    I believe this covers your request.  Let me know if you need anything else.  



    0
  • mattwilson9090

    The command to see the network configuration still isn't working, but I'm not as familiar with the ins and outs on Macs as I am other systems. However, it looks as if you are receiving your IP address via DHCP from the router, but overriding that to manually configure your DNS settings. It's uncommon, but can be done.

    If I understood an earlier posting, with this configuration the http://welcome.opendns.com website is successful from the Mac and OpenDNS filtering is working.

    It appears as if, for one of several possible reasons, this router is ignoring its DNS settings and routing them elsewhere, but fortunately not intercepting DNS calls from inside your network and sending them there as well.

    Basically you've got 3 options. 1) Get another router that actually does what it's configured to do 2) if possible, configure DHCP on the router to hand out the OpenDNS addresses instead of its own 3) manually configure the OpenDNS addresses on every device on your network. For me, #1 would be the best option, but it might not be for you. #2 and #3 can cause problems with internal name resolution in your network, but could work for you, though #2 would be the easiest, especially since not all devices will allow you to manually configure DNS, or at least not let you do it easily.

    0
  • rotblitz (Edited)

    The command on Mac OS X should be:

    ifconfig -all

    "it allows me to tap on the DNS info and punch in any DNS address that I want, all while DHCP remains."

    Yes, then DNS is no longer DHCP controlled, but manually set.  The remainder of the network settings (IP address, subnet mask, gateway) is still via DHCP.  You should not need to manually configure DNS on the end user devices at all.

    According to your router settings you should be using OpenDNS.
    Check it by visiting http://welcome.opendns.com/ on your devices.

    No idea what is still left to do in your case.  You should be done already!

    If the test page says that you're not using OpenDNS, copy & paste the complete plain text output of the following commands here:

    ifconfig -all
    nslookup whoami.akamai.net.

    so that I can see what DNS service is actually being used.

    Btw, the cellular connection of your smart device with IP address range 173.18.48.* is not through your router, therefore your dashboard settings will not take effect although you still might be able to use OpenDNS (with its default settings).

    0
  • jbhill

    Hi nfar - I just got an Amplifi HD router today and am experiencing the same thing you did. Thought I'd check and see if you ever had luck getting OpenDNS working on it. 

    0
  • nfar

    Unfortunately not.  At this time, I have just manually configured each device to use the OpenDNS settings, which is possible while connected via DHCP, contrary to some of the posts above.

    I am hopeful that Amplifi will allow OpenDNS in a future firmware update.  Outside of this issue, I have been 100% satisfied with the performance of the router and mesh points.

    0
  • rotblitz

    "possible while connected via DHCP, contrary to some of the posts above"

    I couldn't find anything contrary... 
    For sure, you can exempt DNS from DHCP on many kinds of devices while configuring resolver addresses manually.  You must have misunderstood something.

    According to the settings below it should work with the router.  If it doesn't, then this is likely a bug in the firmware.

    Unfortunately you never posted the nslookup command outputs I have asked for, but you posted your own diagnostics, so this leaves me with guessing.  Maybe it's not a router problem, but that you have IPv6 connectivity or something like this...

    0
  • nfar

    rotblitz, your own comment above was "Fine, but this is in contrast to "I updated them to the OpenDNS servers".  Only one option is possible at any time.  The devices either obtain their settings via DHCP, or the DNS entries are statically configured on them."

     

    0
  • rotblitz

    This is correct.  DNS settings either can be obtained automatically via DHCP from the router, or they can be configured manually statically.  Nothing in between.  You made use of the second option now and configured them manually with OpenDNS resolvers.

    This is not "contrary to some of the posts above".

    0
  • cebot

    The problem here is that the Amplifi app APPEARS to let you set the DNS address to use that will override the DHCP-provided settings, but those fields actually do nothing if you've selected DHCP.

    I'm having the same problem with my brand-new Amplifi device combined with an AT&T Uverse router.

    1. The AT&T router does not let you specify a DNS server to use with your DHCP leases. (argggghhh!!!)

    2. In order to use the "cascaded router" feature, the AT&T device forces me to use DHCP on the downstream router (dumb!). 

    3. The Amplifi settings also do not let you specify a DNS server to use with your DHCP leases (even though they pretend to let you set the DNS address for your WAN port, which setting is ignored later).

    The end result of 1+2+3 is that my DHCP-allocated devices (like my kids' cell phones) get the default AT&T DNS servers, meaning I can't use OpenDNS.

    0
  • rotblitz

    "I can't use OpenDNS"

    You can!  You can still configure the OpenDNS resolver addresses on the devices.

    0
  • cebot (Edited)

    Can you explain how? Because I've been through every permutation and have spoken with their tech support, and they agreed it isn't possible...

    (Unless your use of the plural "devices" means you're suggesting I configure static DNS server entries on every wireless device, which can then just be easily changed. In that case you're correct from a technical standpoint, but that's simply not a workable, realistic solution.)

    0
  • rotblitz (Edited)

    Yes, I meant the end user devices which is indeed a viable solution if the end users are not admins, but regular users on their devices.  They cannot change the network settings.  And your concerns don't hold true anyway, because even if you could configure your router, the admin end users could still change their network settings, simply ignoring your router settings.

    If this is not a solution for you, then...

    Your next best solution is to run a free DNS server distro (and maybe a free DHCP server distro) on an old computer still being around (even Windows XP would do), i.e. running your own internal DNS server which forwards external DNS traffic to the DNS services of your choice, e.g. OpenDNS.  You can even fine-tune this to handle DNS requests differently based on source device and domain being queried, and you can possibly log and monitor DNS traffic in real-time.  And you can enforce Google/YouTube and Bing Safe Search easily, and much more.  These great features are all for free besides a few cents for electricity per day.  What about this?

    0
  • nfar

    "Can you explain how? Because I've been through every permutation and have spoken with their tech support, and they agreed it isn't possible...

    (Unless your use of the plural "devices" means you're suggesting I configure static DNS server entries on every wireless device, which can then just be easily changed. In that case you're correct from a technical standpoint, but that's simply not a workable, realistic solution.)"

    cebot - You have unfortunately come to the same conclusion that I did.  The only workaround at this point is to manually configure DNS on each device on the network.  For me, it works because my children are young and have no clue what DNS settings are.  They just want WiFi access, and Amplifi has been excellent in that regard.  

    Long term- I really hope Amplifi patches this up and enables true use of Open DNS from the router itself.  My kids will grow older and our devices will change, and it will be hard to try to stay on top of all of that unless Amplifi makes this change.  

    0
  • cebot

    rotblitz - I actually already run my own DNS server (part of my Samba4 Active Directory) that handles internal DNS and forwards to OpenDNS for the rest. The problem is you can't turn off DHCP on the AmpliFi, either, so I can't even replace the DHCP server with my own where I can control the DNS servers that are delivered... 

    And while I agree with you about administrative access, that only applies to desktop/laptop devices where such things have access controls. There is no such ability on mobile devices, for example. And furthermore, I don't want their friends able to get at any of that naughty stuff on my network, either, and I certainly don't have the ability to change their DNS settings.

    Bottom line: I'm returning mine and have already ordered the eero solution, as they specifically state you have the ability to set custom DNS servers. Hopefully those of you with AmpliFi will get this ability in a future update, but knowing it would probably be months before I saw it, I decided to make the switch while I still could (plus it has ethernet backhaul!).

    0
  • rotblitz

    Yes, going for another device is apparently the best solution then.  Just one further comment:

    "There is no such ability on mobile devices"

    Not for e.g. Android based devices, but for iOS (iPhone, iPod, iPad).

    0
  • cebot

    Fair point - as an Android-only household, I didn't know that!

    0
  • jbhill

    This seems to have been fixed by Amplifi in a recent update. I noticed today when I had to reset network settings on my iPhone, which erased the DNS settings - but it nonetheless shows that my router is successfully using OpenDNS. 

    0
  • ajkic (Edited)

    AmplifiHD as a router can not configure specific IPv6 DNS resolvers; only IPv4.

    I get this is not likely the case here.

    But if your home ISP is dual-stack as mine is, and provides DNS resolvers, configuring OpenDNS resolvers (208.67.220.220, 208.67.222.222) on AmpliFi results in IPv4 protection only.  Any DNS queries via IPv6 inherit the ISP's DNS resolver.

    I have noted this on the Reddit /Amplifi forum when IPv6 support was added.

    0
  • rotblitz

    If you cannot edit the DNSv6 addresses on the router, you have to do it on the end user devices.
    ::ffff:d043:dede   ::ffff:d043:dcdc   ::ffff:d043:dedc   ::ffff:d043:dcde
    Or you have to disable IPv6 connectivity altogether.  Else you use OpenDNS randomly at best.

    "I have noted this on the Reddit /Amplifi forum when IPv6 support was added."

    What?  No!  It doesn't matter what a website supports, but what your ISP supports on your internet connection.  If you get provided with IPv6 by your ISP, then DNSv6 takes priority over DNSv4.  This is how newer operating systems are configured today, in view of the future when the IPv4 internet will disappear step by step.

    0
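An added example (not code from the thread) that audits a device's resolver list for the dual-stack gap discussed in the last few posts: it folds the IPv4-mapped IPv6 addresses quoted above back to their IPv4 form and flags any resolver that is neither OpenDNS nor the router. The `resolv.conf`-style input, the sample resolver lists and the function names are assumptions; `2001:db8::53` is a documentation-range stand-in for an ISP resolver.

```python
import ipaddress

# OpenDNS IPv4 resolvers: three are quoted in the thread, the fourth is what
# ::ffff:d043:dedc decodes to.
OPENDNS_V4 = {ipaddress.ip_address(a) for a in (
    "208.67.222.222", "208.67.220.220", "208.67.222.220", "208.67.220.222")}

def normalize(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop zone id (%en0)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def classify(addr, router):
    """Label one resolver as 'opendns', 'router' or 'other'."""
    ip = normalize(addr)
    if ip in OPENDNS_V4:
        return "opendns"
    # A link-local resolver is the router announcing itself over IPv6.
    if ip == ipaddress.ip_address(router) or ip.is_link_local:
        return "router"
    return "other"

def audit(resolv_conf_text, router):
    """Return {address: label} for each nameserver line."""
    result = {}
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            result[parts[1]] = classify(parts[1], router)
    return result

def leaks(resolv_conf_text, router):
    """Resolvers that bypass both the router and OpenDNS."""
    found = audit(resolv_conf_text, router)
    return [a for a, label in found.items() if label == "other"]

# Constructed samples: a dual-stack client that learned an ISP IPv6 resolver,
# and the same client after the mapped addresses were entered by hand.
ROUTER = "192.168.167.1"
DUAL_STACK = "nameserver 192.168.167.1\nnameserver 2001:db8::53\n"
FIXED = "nameserver ::ffff:d043:dede\nnameserver ::ffff:d043:dcdc\n"

if __name__ == "__main__":
    for name, text in (("dual-stack", DUAL_STACK), ("fixed", FIXED)):
        print(name, audit(text, ROUTER), "leaks:", leaks(text, ROUTER))
```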
  • ajkic

    Yep, exactly: want to use OpenDNS with my dual-stack ISP. Until Amplifi supports dual-stack DNS prefs will continue using it in bridge mode, with Mikrotik external router.

    0