Web Content Filtering not working, and I don't know why

  • rotblitz

    You can post pictures directly in the forum, not using an image sharing service which may be blocked by OpenDNS user's settings.  And command outputs are best shown in plain text.

    Unfortunately your images do not show why it doesn't work as expected.  The command outputs look good so far.  Do you possibly use Chrome with the Data Saver extension?  Disable this!  Or do you have installed other browser plugins or add-ons which may interfere with your DNS server settings?

  • cholzer (Edited)

    "Do you possibly use Chrome with the Data Saver extension?"

    I don't. Screenshots are from a new notebook. Chrome was not even installed yet. Only Edge (which I used in the screenshots).
    I did install Chrome now without any add-ons. Still no content filtering happening.

    I also tested on a Huawei P9 lite with Chrome and Opera. It gets the correct OpenDNS servers from the DHCP, but no content filtering.
    "Welcome" page says I am using OpenDNS, test site says I don't and I can access any porn site that should be blocked.

    Previously I tested with the secure DNS servers from Norton Connect Safe, but I had the exact same experience there. DNS servers are used, but no filtering.

  • cholzer

    https://dashboard.opendns.com/stats/all/totalrequests/today/
    also shows that OpenDNS gets requests from my site :-/

  • rotblitz

    Norton also didn't work with filtering?  Weird...

    Copy & paste the complete plain text outputs of the following diagnostic commands to here:
    (Trailing dots are part of the commands!)

    nslookup www.exampleadultsite.com.
    nslookup www.internetbadguys.com.
    nslookup whoami.akamai.net.
    tracert www.exampleadultsite.com
    tracert www.internetbadguys.com

    Also, perform these tests and tell me the results:
    http://www.lagado.com/tools/cache-test
    http://test-ipv6.com/

  • cholzer (Edited)

    C:\Users\chris>nslookup www.exampleadultsite.com.
    Server:  resolver1.opendns.com
    Address:  208.67.222.222
    Nicht autorisierende Antwort:
    Name:    www.exampleadultsite.com
    Addresses:  146.112.61.106
              146.112.61.106
     
    C:\Users\chris>nslookup www.internetbadguys.com.
    Server:  resolver1.opendns.com
    Address:  208.67.222.222
    Nicht autorisierende Antwort:
    Name:    www.internetbadguys.com
    Addresses:  146.112.61.108
              146.112.61.108
     
    C:\Users\chris>nslookup whoami.akamai.net.
    Server:  resolver1.opendns.com
    Address:  208.67.222.222
    Nicht autorisierende Antwort:
    Name:    whoami.akamai.net
    Address:  208.69.33.15
     
    C:\Users\chris>tracert www.exampleadultsite.com
    Routenverfolgung zu www.exampleadultsite.com [146.112.61.106]
    über maximal 30 Hops:
      1     3 ms     4 ms     2 ms  192.168.10.1
      2     4 ms     2 ms     2 ms  172.16.254.1
      3     5 ms     5 ms     3 ms  10ge-1-2.dc2-02-route-privat-01.as34347.net [80.92.112.185]
      4    20 ms    19 ms    17 ms  10ge-te0-0-0-59-frankfurt-43-route-01.as34347.net [185.35.182.225]
      5    20 ms    18 ms    17 ms  83.231.214.69
      6    18 ms    17 ms    18 ms  ae-1.r24.frnkge08.de.bb.gin.ntt.net [129.250.6.206]
      7    20 ms    18 ms    19 ms  ae-1.r04.frnkge02.de.bb.gin.ntt.net [129.250.4.110]
      8    20 ms    17 ms    17 ms  213.198.52.82
      9    29 ms    19 ms    19 ms  hit-adult.opendns.com [146.112.61.106]
    Ablaufverfolgung beendet.
     
    C:\Users\chris>tracert www.internetbadguys.com
    Routenverfolgung zu www.internetbadguys.com [146.112.61.108]
    über maximal 30 Hops:
      1     4 ms     2 ms     1 ms  192.168.10.1
      2     4 ms     2 ms     2 ms  172.16.254.1
      3     3 ms     2 ms     2 ms  10ge-1-2.dc2-02-route-privat-01.as34347.net [80.92.112.185]
      4    18 ms    17 ms    18 ms  10ge-te0-0-0-59-frankfurt-43-route-01.as34347.net [185.35.182.225]
      5    33 ms    28 ms    33 ms  83.231.214.69
      6    21 ms    19 ms    18 ms  ae-1.r24.frnkge08.de.bb.gin.ntt.net [129.250.6.206]
      7    19 ms    19 ms    20 ms  ae-1.r04.frnkge02.de.bb.gin.ntt.net [129.250.4.110]
      8    19 ms    20 ms    18 ms  213.198.52.82
      9    20 ms    18 ms    17 ms  hit-phish.opendns.com [146.112.61.108]
    Ablaufverfolgung beendet.
     
    page serial number - did not change after step 3, the page age did increase. So I have a proxy "somewhere"?
    I am using a UBNT Edge Router Lite 3
     
     
     
     
  • lc3necro

    For what it's worth, I've been having pages blocked as well with no filtering enabled.  If I add them to the custom white list they will load, and I get my custom "blocked" notices, but not sure what's going on.

  • rotblitz

    Sad to see, you've got it!  Case solved!  That is it:

    "page serial number - did not change after step 3, the page age did increase. So I have a proxy "somewhere"?"

    This is your ISP (Stadtwerke Hall in Tirol GmbH, citynet.at) operating a stealthed transparent proxy cache.  Symptomatic for this is that the DNS responses (e.g. from OpenDNS and Norton) are almost ignored, and the ISP presents you with web content from their caching proxy servers instead, unrelated to the DNS query results and unrelated to what you may get from the real web servers.  They do this to massively save traffic volume costs and to serve their customers quicker with web content.  This technology is often used in the Pacific area and Africa, but is very untypical for Central Europe.

    You may want to contact your ISP to opt out from this caching.  If this is not possible, your only option is to change to another ISP, or to use DNS responses from OpenDNS just randomly as is.

    OpenDNS does exactly what you expect it to do: it logs all your DNS traffic and will report also all related domains as blocked (even if they are not being blocked in the browser for you), and it returns the correct result for every DNS query.  However, this does almost not take effect when browsing the web, because your ISP does his own things with your web traffic.
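
Added example (not part of the original thread): the triage done by eye above, written as a check over the posted `nslookup` and `tracert` output. The `hit-<category>.opendns.com` pattern is an assumption generalised from the two host names in the traceroutes, and `triage` and its `browser_showed_block_page` argument are hypothetical names.

```python
import re

# Excerpts of the command output posted earlier in this thread (German Windows).
NSLOOKUP_OUT = """\
Server:  resolver1.opendns.com
Address:  208.67.222.222
Nicht autorisierende Antwort:
Name:    www.exampleadultsite.com
Addresses:  146.112.61.106
          146.112.61.106
"""
TRACERT_OUT = """\
  8    20 ms    17 ms    17 ms  213.198.52.82
  9    29 ms    19 ms    19 ms  hit-adult.opendns.com [146.112.61.106]
Ablaufverfolgung beendet.
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumption: block landing hosts follow the pattern of the two names seen in
# the traceroutes (hit-adult.opendns.com, hit-phish.opendns.com).
BLOCK_HOST = re.compile(r"hit-[\w-]+\.opendns\.com")

def parse_nslookup(text):
    """Return (resolver_ip, answer_ips); the labels used are not localised."""
    head, _, tail = text.partition("Name:")
    resolver = re.search(IPV4, head)          # "Address:" line of the resolver
    answers = sorted(set(re.findall(IPV4, tail)))
    return (resolver.group(0) if resolver else None), answers

def last_hop(text):
    """Return (hostname, ip) of the final tracert hop; hostname may be None."""
    hops = [l for l in text.splitlines() if re.match(r"\s*\d+\s", l)]
    if not hops:
        return None, None
    named = re.search(r"(\S+) \[(" + IPV4 + r")\]\s*$", hops[-1])
    if named:
        return named.group(1), named.group(2)
    return None, hops[-1].split()[-1]

def triage(nslookup_text, tracert_text, browser_showed_block_page):
    """Separate 'DNS is not filtering' from 'DNS filters, HTTP path ignores it'."""
    _, answers = parse_nslookup(nslookup_text)
    name, hop_ip = last_hop(tracert_text)
    dns_blocks = bool(name) and BLOCK_HOST.fullmatch(name) is not None \
        and hop_ip in answers
    if not dns_blocks:
        return "dns-not-filtering"
    return "ok" if browser_showed_block_page else "http-path-intercepted"
```

With the output from this thread and a browser that still loads the site, the result is `http-path-intercepted`: the resolver answers correctly, so the fault lies between the browser and the web server.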

  • rotblitz

    Ah, btw, this is where you also can see this proxy thing:

      1     3 ms     4 ms     2 ms  192.168.10.1
      2     4 ms     2 ms     2 ms  172.16.254.1
      3     5 ms     5 ms     3 ms  10ge-1-2.dc2-02-route-privat-01.as34347.net [80.92.112.185]

    This 172.16.254.1 is a private IP address within the ISP network, but totally unrelated to your LAN address range 192.168.10.x.

  • cholzer (Edited)

    @rotblitz thanks a lot! I will call my ISP first thing on Monday!

    But 172.16.254.1 is not the proxy, it's the fiber router provided by my ISP. :)
    I am forced to use the ISP router, so the ERLite3 192.168.10.1 is in its DMZ.

  • rotblitz

    Whatever, it is untypical that a second hop in a traceroute is a private (RFC 1918) address.  You will most likely also be unable to reach your network from outside unless your ISP does routing and port forwarding for you.

    You may want to report back what the result of your call was.  It may help other users in the same situation.

  • cholzer (Edited)

    I can reach my home network without any issues using RDP, VPN (PPTP) and FTP.
    My Edge Router (192.168.10.1) is the DMZ host of my ISP router (172.16.254.1), so I only have to configure port forwarding and VPN inside the Edge Router and not bother with the ISP router config at all.

    I would prefer to switch the ISP router to bridge mode, but that is only possible when you have a business plan, which is very expensive.


    This is the very first time that I encountered any kind of odd issues with my ISP. Which is why this surprises me quite a bit.

  • rotblitz

    Ah, so you are able to access your Edge Router to manage it?  I understood that you cannot.  Then yes, you have double NAT which can be worked with, no problem for remote access from outside then.  But they still interfere with your web traffic from inside, unfortunately.  This can often not be seen with traceroute, which measures the flow of ICMP packets only, not with port-based TCP sessions like HTTP(S).

  • cholzer

    @rotblitz thanks for your help! Maybe you can help me to better understand what is going on? :)

    So my client correctly asks OpenDNS for the IP address of a site.
    In case that it is a blocked site, my client should not receive the address of the webserver, but get redirected to the "blocked" notification URL, correct?

    At which point does the ISP proxy interfere?
    To me it seems that it would have to alter the answer/redirect that I get from OpenDNS? So that instead of getting redirected to the "blocked" information, the client is sent to the webserver of the site that should be blocked.

    Am I right?

  • rotblitz (Edited)

    DNS traffic and web traffic are different things.  DNS is the phone book of the internet, web and other traffic is the phone lines of the internet.  OpenDNS is only in charge of the DNS traffic.

    No matter if a domain (not "site") has to be blocked, OpenDNS (or any other DNS service) returns the IPv4 and/or IPv6 address.  In case of blocking they return their own IP addresses instead of the real one.

    The browser now connects with this IP address information to this domain, but - your ISP interferes with at least all web traffic (TCP/80, maybe also TCP/443) to analyze the HTTP header which contains the domain name and the URI.  The ISP looks into his cache if the document in question is still stored there, and if so, he serves you out of the cache, ignoring the IP address information from the TCP header (provided by the DNS service) but using the information from the HTTP header.  If this content is not found in the cache, they even may raise their own DNS query to be able to load the content from its original location into their cache, which cannot be like the one from OpenDNS.

    So yes, they alter the information by ignoring the IP address information from DNS.
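
Added example (not part of the original thread): a small offline model of the two paths described above, showing why a correct DNS block answer has no effect once a proxy routes by `Host` header. The two 146.112.61.x addresses are from the posted `nslookup` output; the 203.0.113.x addresses, the response strings and all function and class names are constructed for illustration.

```python
# Added illustration, not code from the thread. The two 146.112.61.x addresses
# are from the nslookup output above; all other values are constructed.
FILTERING_DNS = {"www.exampleadultsite.com": "146.112.61.106",
                 "www.internetbadguys.com": "146.112.61.108"}
# Constructed: answers the ISP's own resolver would give (TEST-NET-3 range).
ISP_DNS = {"www.exampleadultsite.com": "203.0.113.10",
           "www.internetbadguys.com": "203.0.113.20"}
# Constructed: which web server answers on which IP address.
SERVERS = {"146.112.61.106": "block page", "146.112.61.108": "block page",
           "203.0.113.10": "origin content", "203.0.113.20": "origin content"}

def build_request(host, path="/"):
    """The bytes a browser sends; the domain travels in the Host header."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def parse_request(raw):
    """Return (host, path) the way an intercepting proxy reads them."""
    request_line, *headers = raw.split(b"\r\n")
    path = request_line.split()[1].decode()
    for line in headers:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode(), path
    return None, path

def direct_path(dst_ip, raw):
    """No interception: whoever owns the TCP destination IP answers."""
    return SERVERS[dst_ip], "direct"

class TransparentProxy:
    """Routes by Host header and cache; never looks at the destination IP."""
    def __init__(self):
        self.cache = {}

    def handle(self, dst_ip, raw):
        key = parse_request(raw)
        if key in self.cache:
            return self.cache[key], "cache"
        body = SERVERS[ISP_DNS[key[0]]]   # proxy's own DNS lookup
        self.cache[key] = body
        return body, "fetched"

def browse(host, proxy=None):
    """Client: resolve through the filtering DNS, then send the request."""
    dst_ip, raw = FILTERING_DNS[host], build_request(host)
    return proxy.handle(dst_ip, raw) if proxy else direct_path(dst_ip, raw)
```

Without the proxy, `browse` returns the block page because the destination IP decides who answers; with it, the same request returns origin content, first fetched and then served from cache.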

  • cholzer

    Thanks @rotblitz! I will let you know what my ISP tells me on Monday. :)

  • cholzer

    So, they do this on normal consumer connections for security reasons, to prevent you from being redirected to wrong IPs.

    Business connections are not affected by this, as there they expect to have a qualified admin with hardware firewalls, etc.

  • rotblitz

    Not a good idea to hinder other security services with this "security measure".  Because OpenDNS does exactly this: they return their own IP address in cases where you want to have domains blocked.  I.e. they redirect you to their block page.

    If you cannot opt out from this caching,  it's up to you to either order the business product, or to move to another ISP.
