OpenDSN servers wont work with Network or Netgear Router.

Comments

30 comments

  • rotblitz

    I need more information.
    Copy & paste the complete plain text outputs of the following diagnostic commands to here:

    nslookup -type=txt debug.opendns.com. 208.67.220.220
    nslookup -type=txt which.opendns.com.
    nslookup whoami.akamai.net.

     

  • spixe

    Hi, thanks for the quick response!  Here's the complete plain text output that you requested.

    C:\Users\RJ>nslookup -type=txt debug.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    DNS request timed out.
    timeout was 2 seconds.
    *** Request to resolver2.opendns.com timed-out

    C:\Users\RJ>nslookup -type=txt debug.opendns.com.
    Server: UnKnown
    Address: 10.0.0.1

    DNS request timed out.
    timeout was 2 seconds.
    *** Request to UnKnown timed-out

    C:\Users\RJ>nslookup whoami.akamai.net.
    Server: UnKnown
    Address: 10.0.0.1

    Non-authoritative answer:
    Name: whoami.akamai.net
    Address: 218.85.157.5


    C:\Users\RJ>

     

  • rotblitz

    You seem to have a lousy internet connection, because, as you can see, your first two requests timed out, or something is blocked by your ISP or your government.  Currently you're using your ISP's DNS service, to be seen from 218.85.157.5 (CHINANET Fujian province network).

    Post a variation of the command outputs again, these:

    nslookup -timeout=16 -type=txt debug.opendns.com. 208.67.220.220
    nslookup -timeout=16 -type=txt which.opendns.com.
    tracert 208.67.220.220

    If you still get timeouts with the first two commands, try these variations:

    nslookup -timeout=12 -port=443 -type=txt debug.opendns.com. 208.67.220.220
    nslookup -timeout=12 -port=5353 -type=txt debug.opendns.com. 208.67.220.220
    nslookup -timeout=12 -port=443 -vc -type=txt debug.opendns.com. 208.67.220.220
    nslookup -timeout=12 -port=5353 -vc -type=txt debug.opendns.com. 208.67.220.220

     

  • spixe

    Hi, thanks for the help!  I do believe my ISP is blocking me from changing DNS servers.  That's one thing I'd like to verify (since changing DNS in my router or network doesn't seem to work either), and if it's true, what options I have.  

    Here are the outputs:

    C:\Users\RJ>nslookup -timeout=16 -type=txt debug.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    DNS request timed out.
    timeout was 16 seconds.
    *** Request to resolver2.opendns.com timed-out

    C:\Users\RJ>nslookup -timeout=16 -type=txt which.opendns.com.
    Server: UnKnown
    Address: 10.0.0.1

    DNS request timed out.
    timeout was 16 seconds.
    *** Request to UnKnown timed-out

    C:\Users\RJ>tracert 208.67.220.220

    Tracing route to resolver2.opendns.com [208.67.220.220]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 10.0.0.1
    2 1 ms <1 ms <1 ms 192.168.1.1
    3 53 ms 34 ms 2 ms 100.64.0.1
    4 5 ms 2 ms 2 ms 117.30.26.253
    5 3 ms 2 ms 3 ms 61.154.236.29
    6 25 ms 22 ms 21 ms 202.97.47.181
    7 * 19 ms 19 ms 202.97.57.25
    8 22 ms 19 ms 19 ms 202.97.90.33
    9 45 ms 47 ms 47 ms 202.97.61.58
    10 44 ms 44 ms 45 ms 202.97.121.218
    11 84 ms 83 ms 82 ms TenGE0-1-0-0.br02.sin01.pccwbtn.net [63.218.162.186]
    12 82 ms 82 ms 82 ms TenGE0-1-0-0.br02.sin01.pccwbtn.net [63.218.162.186]
    13 82 ms 82 ms 82 ms 63-218-163-246.static.pccwglobal.net [63.218.163.246]
    14 82 ms 82 ms 82 ms resolver2.opendns.com [208.67.220.220]

    Trace complete.

    C:\Users\RJ>nslookup -timeout=12 -port=443 -type=txt debug.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    DNS request timed out.
    timeout was 12 seconds.
    *** Request to resolver2.opendns.com timed-out

    C:\Users\RJ>nslookup -timeout=12 -port=5353 -type=txt debug.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    DNS request timed out.
    timeout was 12 seconds.
    *** Request to resolver2.opendns.com timed-out

     

    C:\Users\RJ>nslookup -timeout=12 -port=443 -vc -type=txt debug.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Non-authoritative answer:
    debug.opendns.com text =

    "server m17.sin"
    debug.opendns.com text =

    "flags 30 0 70 7950800000000000000"
    debug.opendns.com text =

    "originid 0"
    debug.opendns.com text =

    "actype 0"
    debug.opendns.com text =

    "source 106.122.239.160:7697"

    C:\Users\RJ>nslookup -timeout=12 -port=5353 -vc -type=txt debug.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Non-authoritative answer:
    debug.opendns.com text =

    "server m37.sin"
    debug.opendns.com text =

    "flags 30 0 70 7950800000000000000"
    debug.opendns.com text =

    "originid 0"
    debug.opendns.com text =

    "actype 0"
    debug.opendns.com text =

    "source 106.122.239.160:8197"

     

    I hope those help.

  • rotblitz

    Yes, these help a lot!  Your ISP blocks any DNS traffic to the OpenDNS servers (DC Singapore) via ports UDP/53, UDP/443 and UDP/5353, but not so via ports TCP/443 and TCP/5353.

    If you install and run a local DNS proxy like https://dnscrypt.org/ or http://delegate.org/delegate/ on the router or on the computer, and you configure it to send your DNS traffic out via TCP/443 or TCP/5353, then you can overcome your ISP's restrictions regarding DNS.  Simply entering the OpenDNS resolver addresses on the router or computer is to no avail in your case.

    Also, your IP address 106.122.239.160 is not yet registered with a network at https://dashboard.opendns.com/settings/
    So, even if you would use OpenDNS (which you don't yet), your dashboard settings would not take effect.
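
The transport and port matrix that rotblitz reads off the nslookup outputs above (UDP timing out, TCP answering) can be reproduced in one run. This Python script is an added example, not part of the original thread: the function names are illustrative, the sample reply is constructed from two TXT strings quoted above, and the TCP/53 probe goes beyond the combinations tested in the thread.

```python
import socket
import struct
import sys

TXT, IN = 16, 1
RESOLVER = "208.67.220.220"          # resolver address used in the thread
MATRIX = [("udp", 53), ("udp", 443), ("udp", 5353),
          ("tcp", 53), ("tcp", 443), ("tcp", 5353)]

def build_query(name, txid=0x4F44):
    """Encode one TXT question with the recursion-desired flag set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", TXT, IN)

def _skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # 2-byte pointer ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_txt(msg):
    """Return the TXT strings from the answer section of a DNS response."""
    _txid, _flags, qd, an = struct.unpack("!4H", msg[:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TXT:
            parts, i = [], 0
            while i < len(rdata):                # TXT rdata = length-prefixed strings
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
            texts.append("".join(parts))
    return texts

def probe(server, port, transport, name="debug.opendns.com", timeout=12.0):
    """Send one TXT query; return the TXT strings, or None if nothing usable came back."""
    query = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                data = s.recvfrom(4096)[0]
        else:                                    # DNS over TCP: 2-byte length prefix
            with socket.create_connection((server, port), timeout=timeout) as s, \
                    s.makefile("rb") as f:
                s.sendall(struct.pack("!H", len(query)) + query)
                data = f.read(struct.unpack("!H", f.read(2))[0])
        return parse_txt(data) if data[:2] == query[:2] else None
    except (OSError, struct.error, IndexError):  # timeout, reset, truncated reply
        return None

def summarize(results):
    """Map {(transport, port): TXT list or None} to (verdict, working paths)."""
    working = sorted(k for k, v in results.items() if v)
    if any(t == "udp" for t, _ in working):
        return "udp-ok", working                 # plain resolver settings can work
    return ("tcp-only" if working else "blocked"), working

def source_ip(texts):
    """Public IP the resolver saw, from the 'source a.b.c.d:port' TXT string."""
    for t in texts:
        if t.startswith("source "):
            return t.split()[1].rsplit(":", 1)[0]
    return None

def constructed_response():
    """Constructed reply carrying two TXT strings quoted in the thread (not a capture)."""
    query = build_query("debug.opendns.com")
    msg = struct.pack("!6H", 0x4F44, 0x8180, 1, 2, 0, 0) + query[12:]
    for text in (b"server m17.sin", b"source 106.122.239.160:7697"):
        rdata = bytes([len(text)]) + text
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 0, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    print(parse_txt(constructed_response()))
    if "--live" in sys.argv:                     # network probes only on request
        results = {(t, p): probe(RESOLVER, p, t) for t, p in MATRIX}
        for key, val in sorted(results.items()):
            print(key, val if val else "no answer")
        print(summarize(results))
```

A verdict of `tcp-only` corresponds to the situation diagnosed here, where only a local proxy forwarding DNS over TCP gets queries through.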

  • spixe

    Ah, so it is an ISP issue.  Thought so.  

    So now, thanks to you, I see I must run a DNS program on my computer (I'd have no idea how to set it up on my router).  In your opinion, do these slow down page open speed much?  I've been hesitant to use them because of that.  Although I suppose I can use it and make up my own opinion as well. :)

    You're indeed right about the IP address not being registered.  And that's because I use a VPN, so my IP changes several times a day in fact.  I also thought OpenDNS allowed one to use the DNS servers without actually registering, so I didn't think registering one's network was an absolute necessity to get it working.

    Such being the case, with my constantly changing IP due to a VPN (thus making it somewhat moot to register an IP), will those programs (dnscrypt or delegate) not function as needed?

    Thanks again for the advice, truly appreciated!

  • rotblitz

    "In your opinion, do these slow down page open speed much?"

    No, these programs are lightweight and do not have influence on speed or performance, same as DNS in general does not have influence on upload/download speed.  DNS is the phone book of the internet, not the phone lines.  And DNS is not related to web traffic ("page open speed") which latter is over the "phone lines".  However, I expect OpenDNS to be a bit slower regarding the DNS responses ("phone book") for the following reasons:

    • Your next OpenDNS data center is in Singapore (maybe Hong Kong), whereas your ISP's DNS service is certainly much closer to you.  The geographical distance from the DNS service can be important for both, DNS performance and resolution to geolocation based services.  It may be that you even do not become aware of this, given the latency of 82ms against the OpenDNS server.
    • You are forced to use TCP when using OpenDNS, because the usual and faster UDP is being blocked by your ISP.  This may add a bit to the DNS response times, but only minimal.

    "And that's because I use a VPN"

    Do you?  VPNs normally use their own DNS service, not the one you have explicitly or implicitly configured unless you configure the VPN's virtual NIC accordingly.

    "I also thought OpenDNS allowed one to use the DNS servers without actually registering,"

    This is correct.  You'll be using their default settings then, not your individual settings.

    "Such being the case, with my constantly changing IP due to a VPN (thus making it somewhat moot to register an IP), will those programs (dnscrypt or delegate) not function as needed?"

    These DNS proxy programs have nothing to do with your IP address, so yes, they function.

  • spixe

    OK, I see, only if I want to use particular OpenDNS servers, not the two main public ones, I would need to register and have my IP noted in the OpenDNS dashboard, right?  Using the two public ones, as well as any other DNS servers, in the two third party programs you mentioned should otherwise work just fine.

    In answer to your question about my VPN, my VPN has OpenWeb mode and Stealth mode.  The OpenWeb mode only portal web traffic, but does not impact DNS at all.  If I switch to Stealth mode, then it will use its own DNS as 100% of all traffic will pass through it.  But I prefer OpenWeb mode because I can very quickly and easily switch servers or with the VPN on or off that way.  OpenWeb is a bit more inconvenient for those tasks.  So if the dashboard on OpenDNS records my IP, it might change depending on what VPN server I'm using at any given time.

    So OK, as far as I can tell, the only way for me to use other non-ISP DNS Servers is to use  https://dnscrypt.org/ or http://delegate.org/delegate/  (any one you recommend over the other?) and configure them with the OpenDNS public servers (the ones that don't need a registered IP in the dashboard).  Please correct me if I've misunderstood something.

    A world of thanks for your help btw.  I don't think I would have figured this out otherwise.  

  • rotblitz (Edited)

    "only if I want to use particular OpenDNS servers, not the two main public ones, I would need to register and have my IP noted in the OpenDNS dashboard, right?"

    No, these considerations are totally wrong.  You cannot determine particular OpenDNS servers.  There are just these six (or eight with IPv6) global Anycast resolver addresses, and the routing configured for them by the ISPs and network carriers defines at what OpenDNS data center you will be landing.
    https://www.opendns.com/data-center-locations/

    The purpose of registering your IP address at your dashboard is solely for your settings to take effect.  Without this your dashboard settings are irrelevant.

    "Using the two public ones, as well as any other DNS servers"

    There are six (or eight) resolver addresses I know of and which you call "public", and there are none otherwise.

    Normal: 208.67.222.222; 208.67.220.220; 208.67.222.220; 208.67.220.222
    FamilyShield: 208.67.222.123; 208.67.220.123  (adult domains and proxy/anonymizer blocked)
    IPv6 resolvers: 2620:0:ccc::2; 2620:0:ccd::2  (no content filtering, no dashboard in use, pure DNSv6)

    All these resolvers listen on ports 53, 443 and 5353, UDP + TCP, at any of their many data centers.

    "The OpenWeb mode only portal web traffic, but does not impact DNS at all."

    This would need to be proved when you started to use OpenDNS.  Visit http://welcome.opendns.com/ when you have OpenWeb mode (and OpenDNS) enabled to see if you still use OpenDNS.

    "So if the dashboard on OpenDNS records my IP, it might change depending on what VPN server I'm using at any given time."

    The dashboard does not record your IP address.  You must run an Updater to send your IP address information changes to OpenDNS for registering with your dashboard.  If this Updater sees a new public IP address for you, it will send an update to OpenDNS.

    "any one you recommend over the other"

    Try with DNSCrypt first.  This is a bit easier than DeleGate and concentrates on DNS, whereas with DeleGate you can do a lot of other things too which you might not be interested in doing.

  • spixe

    Hi Rotblitz,

    Sorry it took awhile to reply.  Weekends are always the busiest for me.  Anywho, once again, thanks a ton.

    I'm still a bit unclear about the "The purpose of registering your IP address at your dashboard is solely for your settings to take effect."  Aren't the settings the actual utilization of the OpenDNS IPs?  If I don't register on the dashboard, they will not work, no?  That was my understanding.  Otherwise, what exactly will "take effect" only by registering my IP address?

    As far as I can tell, I have proved OpenDNS doesn't work with my VPN's OpenWeb mode.  I have OpenDNS IPs both on my network card and in my router's DNS, but welcome.opendns.com still shows I'm not using OpenDNS, nor does internetbadguys.com and dnsleaktest.com.  So that's why I think I have no choice but to try a 3rd party client.

    Thanks for your suggestion on DNSCrypt.  I'll look for it now.

     

    Rj

  • spixe

    So I've got Simple DNSCrypt up and working (kinda).  IPv6 disabled.  Set my primary resolver to Cisco OpenDNS and secondary to SecureDNS.  In advanced settings, I enabled Transport Settings to use TCP port 443 instead of UDP port 443, and enabled both services.

    Funny thing is, welcome.opendns.com and http://www.internetbadguys.com/ both report that I'm not using OpenDNS, but dnstestleak.com shows I am (I think):

    Am I missing something?

  • rotblitz (Edited)

    "If I don't register on the dashboard, they will not work, no? "

    If you don't register your IP address at the dashboard, the OpenDNS defaults will take effect, not your individual dashboard settings (as you don't have any individual settings then).

     "...and secondary to SecureDNS."

    This was wrong!  You use then also SecureDNS beside OpenDNS, and your results cannot be consistent if you mix different DNS services.  You use OpenDNS at best randomly.

    "Funny thing is, welcome.opendns.com and http://www.internetbadguys.com/ both report that I'm not using OpenDNS"

    Not funny, because you seem to use SecureDNS instead of OpenDNS.

  • spixe

    I see.  I would have switched it to another OpenDNS server but there is only one (well, 2 if you include Family Shield) in the list of resolvers, so it would have just set to both primary and secondary resolve to the same DNS IP.  What other choice is there?

  • rotblitz

    As I can see from your screen shot, the second resolver is optional anyway, so don't use a second resolver.

  • spixe

    I turned off the second resolver, cleared cache and flushed DNS.  The same results.  The OpenDNS and InternetBadGuys still don't show I'm using OpenDNS, but dnsleak does.  Any idea why?

    As always, I'm still very grateful for your help.

  • rotblitz (Edited)

    I need to see the complete output of the following commands:

    nslookup -type=txt debug.opendns.com.
    nslookup whoami.akamai.net.
    netsh interface ipv4 show config
    netstat -nao | find ":53 "

     

  • spixe

    Sure, my pleasure, here you go.  I hope it's useful!  I ran those commands with DNSCrypt configured like this:

    C:\Users\RJ>nslookup -type=txt debug.opendns.com.
    1.0.0.127.in-addr.arpa
    primary name server = localhost
    responsible mail addr = nobody.invalid
    serial = 1
    refresh = 600 (10 mins)
    retry = 1200 (20 mins)
    expire = 604800 (7 days)
    default TTL = 10800 (3 hours)
    Server: UnKnown
    Address: 127.0.0.1

    Non-authoritative answer:
    debug.opendns.com text =

    "server m33.sin"
    debug.opendns.com text =

    "flags 30 0 70 7950800000000000000"
    debug.opendns.com text =

    "originid 0"
    debug.opendns.com text =

    "actype 0"
    debug.opendns.com text =

    "source 106.122.241.198:2327"
    debug.opendns.com text =

    "dnscrypt enabled (713156774457306E)"

    C:\Users\RJ>nslookup whoami.akamai.net.
    1.0.0.127.in-addr.arpa
    primary name server = localhost
    responsible mail addr = nobody.invalid
    serial = 1
    refresh = 600 (10 mins)
    retry = 1200 (20 mins)
    expire = 604800 (7 days)
    default TTL = 10800 (3 hours)
    Server: UnKnown
    Address: 127.0.0.1

    Non-authoritative answer:
    Name: whoami.akamai.net
    Address: 67.215.80.67


    C:\Users\RJ>netsh interface ipv4 show config

    Configuration for interface "Astrill SSL VPN"
    DHCP enabled: Yes
    IP Address: 198.18.7.107
    Subnet Prefix: 198.18.0.0/21 (mask 255.255.248.0)
    InterfaceMetric: 1
    Statically Configured DNS Servers: 208.67.222.222
    208.67.220.220
    Register with which suffix: Primary only
    WINS servers configured through DHCP: None

    Configuration for interface "Ethernet"
    DHCP enabled: Yes
    IP Address: 10.0.0.2
    Subnet Prefix: 10.0.0.0/24 (mask 255.255.255.0)
    Default Gateway: 10.0.0.1
    Gateway Metric: 0
    InterfaceMetric: 35
    Statically Configured DNS Servers: 127.0.0.1
    Register with which suffix: Primary only
    WINS servers configured through DHCP: None

    Configuration for interface "Loopback Pseudo-Interface 1"
    DHCP enabled: No
    IP Address: 127.0.0.1
    Subnet Prefix: 127.0.0.0/8 (mask 255.0.0.0)
    InterfaceMetric: 75
    Statically Configured DNS Servers: None
    Register with which suffix: None
    Statically Configured WINS Servers: None


    C:\Users\RJ>netstat -nao | find ":53 "
    TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 12100
    TCP 127.0.0.1:53 127.0.0.1:49187 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:49544 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:49663 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:49747 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:50143 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:50463 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:50895 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:50936 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:52068 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:52338 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:52762 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:52829 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:53201 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:53950 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:54001 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:54140 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:54318 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:54979 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:55146 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:55150 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:55152 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:55158 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:55160 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:55162 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:55494 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:57050 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:57629 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:57683 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:58110 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:58354 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:58665 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:59121 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:59292 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:59293 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:59496 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:59506 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:59803 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:59989 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:60186 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:60506 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:61247 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:62303 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:63178 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:63890 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:64067 TIME_WAIT 0
    TCP 127.0.0.1:53 127.0.0.1:65067 TIME_WAIT 0
    TCP 127.0.0.1:55150 127.0.0.1:53 TIME_WAIT 0
    TCP 127.0.0.1:55152 127.0.0.1:53 TIME_WAIT 0
    TCP 127.0.0.1:55158 127.0.0.1:53 TIME_WAIT 0
    TCP 127.0.0.1:55160 127.0.0.1:53 TIME_WAIT 0
    TCP 127.0.0.1:55162 127.0.0.1:53 TIME_WAIT 0
    TCP 127.0.0.1:60186 127.0.0.1:53 TIME_WAIT 0
    UDP 127.0.0.1:53 *:* 12100

    C:\Users\RJ>

  • rotblitz

    The issue is with the "Astrill SSL VPN" interface where you have the OpenDNS resolver addresses configured.  This is wrong, because these addresses are blocked by your ISP, as you know, or the VPN provider ignores your DNS settings.

    In order to hopefully use OpenDNS via DNSCrypt also with the "Astrill SSL VPN" interface, you configure it with 127.0.0.1 as the only one DNS server address.  This 127.0.0.1 (localhost) is where DNSCrypt is listening on to capture your DNS traffic.

  • spixe

    Ah, so it's because I didn't have the settings taking effect under the Astrill VPN Network Card's section.  OK, I turned it on (that is, clicked it, so now a "check" appears on the box).

    When you said "you can configure it with..." was "it" referring to DNSCrypt or Astrill?  As far as I can tell, DNSCrypt is already configured with that (at least that's what it says to the right of "Primary Resolver").  

    But the results are all the same as before (internetbadguys and welcome.opendns show no OpenDNS in use, opendnsleak shows Singapore OpenDNS).

    So then I thought maybe you meant I had to configure the 127.0.0.1 in Astrill - which I did, I entered it under the proxy settings, but then nothing worked, so I was probably wrong with that assumption.

    These are my current settings: 


    What's next?  And thanks as always.

  • rotblitz (Edited)

    "When you said "you can configure it with..." was "it" referring to DNSCrypt or Astrill?"

    I meant the "Astrill SSL VPN" interface.

    You need to configure 127.0.0.1 where currently is configured:

    Statically Configured DNS Servers: 208.67.222.222
                                       208.67.220.220

    As I have mentioned earlier, it may be a challenge to use another DNS service when using a VPN.

  • spixe

    Thanks again.  Sorry to be a bother, but where are these Statically configured DNS servers?  Do you mean in my Network adapter settings?  

    If so, to confirm, under the astrill adapter, I should configure the DNS as 127.0.0.1.  

    Funnily enough, I opened the Astrill and the Ethernet adapter settings and found 127.0.0.1 was already set as the preferred DNS for both.  I didn't do that myself, so I guess DNSCrypt must have.  That's what you were to have me do, right?  So that has been set the whole time.

    Anything else I can try?

     

  • rotblitz (Edited)

    Yes, the DNS settings are always in the network adapter properties settings of the related interface.  And yes, your Simple DNSCrypt configures the DNS settings to be 127.0.0.1, at least for the "Ethernet" interface, else the DNS proxy would not work at all.

    See with the following command if you have any other DNS server address than 127.0.0.1 configured.

    netsh interface ipv4 show dns

    If in both interfaces, "Ethernet" and "Astrill SSL VPN", 127.0.0.1 is configured, you cannot do anything anymore.  The OpenWeb mode of your VPN may circumvent your settings, so try with the Stealth mode to see if it works then.  Also try without VPN to see if it works.
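
The per-interface check rotblitz describes (every interface should list only 127.0.0.1, and the "Astrill SSL VPN" interface earlier did not) can be run mechanically over saved netsh output. This Python parser is an added example, not part of the original thread: the function names are illustrative, the sample is the output posted earlier in the thread, abridged and re-indented, and the DHCP label it also accepts is an assumption about netsh output that does not appear in the thread.

```python
import re

PROXY = "127.0.0.1"   # address the local DNS proxy listens on, per the thread

# `netsh interface ipv4 show config` output as posted in the thread,
# abridged and re-indented for this example.
SAMPLE = '''
Configuration for interface "Astrill SSL VPN"
    DHCP enabled: Yes
    InterfaceMetric: 1
    Statically Configured DNS Servers: 208.67.222.222
                                       208.67.220.220
    Register with which suffix: Primary only

Configuration for interface "Ethernet"
    DHCP enabled: Yes
    Default Gateway: 10.0.0.1
    InterfaceMetric: 35
    Statically Configured DNS Servers: 127.0.0.1
    Register with which suffix: Primary only

Configuration for interface "Loopback Pseudo-Interface 1"
    InterfaceMetric: 75
    Statically Configured DNS Servers: None
    Register with which suffix: None
'''

IFACE = re.compile(r'^Configuration for interface "(.+)"$')
# Second alternative: label assumed for DHCP-supplied servers (not in the thread).
DNS_KEY = re.compile(r'^(?:Statically Configured DNS Servers|'
                     r'DNS servers configured through DHCP):\s*(.*)$', re.I)
# A bare IPv4/IPv6 address; "None" and "key: value" lines do not match.
ADDR = re.compile(r'^(?=.*[.:])[0-9A-Fa-f.:]+(?:%\w+)?$')

def parse_dns(text):
    """Return {interface: {"metric": int or None, "dns": [addresses]}}."""
    ifaces, cur, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"metric": None, "dns": []})
            in_dns = False
            continue
        if cur is None or not line:
            in_dns = False
            continue
        m = DNS_KEY.match(line)
        if m:
            in_dns = True
            if ADDR.match(m.group(1)):
                cur["dns"].append(m.group(1))
            continue
        if in_dns and ADDR.match(line):      # continuation line: another server
            cur["dns"].append(line)
            continue
        in_dns = False
        if line.lower().startswith("interfacemetric:"):
            cur["metric"] = int(line.split(":", 1)[1])
    return ifaces

def audit(text, proxy=PROXY):
    """List (metric, interface, other servers) for interfaces that bypass the proxy."""
    findings = []
    for name, info in parse_dns(text).items():
        others = [a for a in info["dns"] if a != proxy]
        if others:
            findings.append((info["metric"], name, others))
    # Lowest metric first; interfaces without a metric line sort last.
    return sorted(findings, key=lambda f: (f[0] is None, f[0] or 0))

if __name__ == "__main__":
    for metric, name, others in audit(SAMPLE):
        print(f'{name} (metric {metric}) sends DNS to {", ".join(others)}')
```

The same functions accept the shorter `netsh interface ipv4 show dns` output; the metric is then reported as `None`.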

  • spixe

    Thanks.  These are the results of the netsh command:

    C:\Users\RJ>netsh interface ipv4 show dns

    Configuration for interface "Astrill SSL VPN"
    Statically Configured DNS Servers: 127.0.0.1
    Register with which suffix: Primary only

    Configuration for interface "Ethernet"
    Statically Configured DNS Servers: 127.0.0.1
    Register with which suffix: Primary only

    Configuration for interface "Loopback Pseudo-Interface 1"
    Statically Configured DNS Servers: None
    Register with which suffix: None

    Is this the result that basically means there's nothing I can do?  It's weird that OpenWeb mode of Astrill would circumvent me using custom IPs, considering the entire reason an app like that is built.  Especially because the OpenWeb mode doesn't use any custom DNS IPs, so it just defaults to the ISP's DNS.

    Stealth mode I know for a fact uses its own DNS Servers, as I am able to choose which DNS I want to use in Stealth mode.  I was just hoping I could use custom ones (OpenDNS) in normal OpenWeb mode, which as far as I knew, didn't affect DNS at all.

    Does this also mean that dnsleaktest.com results, showing I'm using OpenDNS servers, are unreliable?

    Thanks a million

  • rotblitz (Edited)

    "Especially because the OpenWeb mode doesn't use any custom DNS IPs, so it just defaults to the ISP's DNS. "

    No, even not the ISP's DNS.  As I said initially, VPNs tend to use their own DNS service, being configured on the remote VPN server.  Although you have configured 127.0.0.1 (for DNSCrypt) in the "Astrill SSL VPN" interface, this doesn't mean that the VPN client regards your settings, but may ignore it to do its own thing.  You simply do not seem to have control over it.

    "I was just hoping I could use custom ones (OpenDNS) in normal OpenWeb mode, which as far as I knew, didn't affect DNS at all."

    It obviously does affect DNS.

    "Does this also mean that dnsleaktest.com results, showing I'm using OpenDNS servers, are unreliable?"

    No, it tells you that your operating system is configured correctly to use OpenDNS, but your browser and its VPN plugin do their own thing.

    I would think that the following command shows that your OS uses OpenDNS now, with DNSCrypt enabled:

    nslookup -type=txt debug.opendns.com.

    Whereas your browser with VPN does not:  http://welcome.opendns.com/

    I occasionally use some VPN services where one can use OpenDNS with.  You may consider to use a different VPN service where you can use OpenDNS as well.  These also create such a virtual network interface like yours, but if you configure DNS there, it does work.

  • spixe

    Ah, I see, thank you.  But if OpenWeb mode did affect DNS, why would it still just point to my ISP's DNS servers?  Funny it would force that.

    I ran the nslookup you mentioned, this is the result:

    C:\Users\RJ>nslookup -type=txt debug.opendns.com.
    Server: UnKnown
    Address: 10.0.0.1

    DNS request timed out.
    timeout was 2 seconds.
    *** Request to UnKnown timed-out

    First time I saw 10.0.0.1 there.  Could that be the problem?

    I just bought a 2 year Astrill plan, ha, so it'll be awhile before I can switch up (affordably).  But if we've finally hit a wall here, I'll go ahead and contact their support about incorporating some kind of custom DNS servers in their OpenWeb mode, since it seems like that's my last resort right now.  So that means DNSCrypt basically isn't working either right?  I'll go ahead and turn it off if it's not actually doing anything, ha.

    Thanks again for taking the trouble to walk me through all this.

     

  • rotblitz (Edited)

    "But if OpenWeb mode did affect DNS, why would it still just point to my ISP's DNS servers?"

    Does it?  I doubt it!  It either points at DNSCrypt now or at the VPN.

    "First time I saw 10.0.0.1 there.  Could that be the problem?"

    No, it's definitely not the first time.  Look at your first two comments above from 8-9 days ago where you already see this 10.0.0.1 as DNS server.  At this time I thought it is your router's IP address, because I didn't know that you used a VPN, but now this 10.0.0.1 seems to be your VPN gateway and DNS server address when using the VPN.

    This is apparently your VPN program setting DNS (and maybe the gateway) to 10.0.0.1.  As I said, you'll have a hard time using OpenDNS and VPN at the same time.  I'm not sure why you want to use OpenDNS at all if you use a VPN.  This is artificially forcing and creating a DNS leak.

    If you repeated some of the commands from above, you would see what interface this 10.0.0.1 is related to.  If you cannot change this permanently to 127.0.0.1, then you cannot use OpenDNS via DNSCrypt at the same time as the VPN.

    "So that means DNSCrypt basically isn't working either right?"

    It does perfectly work, but possibly not at the same time when using this VPN and this 10.0.0.1 DNS server takes priority.  DNSCrypt only proxies your DNS traffic to OpenDNS if the DNS traffic goes to 127.0.0.1, not if it goes to 10.0.0.1.

    Going back to the beginning of all of this:

    OpenDSN servers wont work with Network or Netgear Router.

    This statement is clearly wrong.  Instead it should read:

    OpenDNS wont work with a certain VPN.

  • rotblitz

    Just looking through this thread again, I see that this 10.0.0.1 is in fact your router and the "Ethernet" interface, likely not the VPN.  There must be something, be it the Simple DNSCrypt or the VPN client which changes the DNS server address from 127.0.0.1 to 10.0.0.1 and vice versa.  If you can prevent these changes from taking effect, in the "Ethernet" interface and in the "Astrill SSL VPN" interface, then you should be sorted.

  • spixe

    Right, 10.0.0.1 is my router which is hooked up to my ISP's modem.  Also, the reason I know, or presume, OpenWeb mode doesn't affect DNS is because when I set OpenDNS IPs to my ethernet adapter, astrill adapter, and my router configuration, none of those IPs took, and it still went to my ISP's DNS (according to dnsleaktest, which showed it was using Chinese DNS IPs, the ones my ISP provides).  

    I'm trying to look for where the 10.0.0.1 is coming from, but so far I can't find anything.  My ethernet and astrill adapter right now both have the DNS servers set to 127.0.0.1, Simple DNSCrypt is using a primary resolver of 127.0.0.1:53 (pointing to Cisco OpenDNS).  I went through my router's entire settings and the only mention of 10.0.0.1 was in regard to its own IP address.

    Any idea where I can look to hunt down the culprit changing my DNS server from 127.0.0.1 to 10.0.0.1?  If only I knew where that change originated, perhaps it'd get me a step closer to preventing it.

    Either way, thanks for all the help!

     

  • rotblitz (Edited)

    "Any idea where I can look to hunt down the culprit changing my DNS server from 127.0.0.1 to 10.0.0.1?"

    I don't know either.

    As I said before, try without using any VPN, ensure that the DNS servers in the interfaces are set to 127.0.0.1 for DNSCrypt, and see if you're using OpenDNS then:
    http://welcome.opendns.com/

  • spixe

    Oh, sorry, I had forgotten to mention that I tried it without VPN on. I tried a while ago in fact, which is what led me to presume that my ISP doesn't let me change my DNS.

    At that time though, I wasn't using DNSCrypt, so I tried again and did as you said, and voilà, OpenDNS servers are shown!

    Isn't that strange then, that using the VPN OpenWeb mode forces my connection to use my ISP's DNS?  Seems quite counter productive.  I assume this proves it's a problem I must take up with Astrill, and there's probably not much else I can do, since you've already spent a lot of time in helping me to get the root of the issue.

    I gotta say Rotblitz, you're awesome.  I truly appreciate you taking the time (all this time over two weeks) to help me like this.  Wish there was some way I could repay the favor.  Thanks again and again.

     
