IPv6 Web Filtering
Support for web filtering when using OpenDNS IPv6 addresses.
-
This was the response I received from support, after creating a ticket.
I should also mention that I use DNSCrypt.
We currently have no estimated time of completion on that project. Please add your idea to the Idea Bank, and encourage other people to vote on it as it will become an increasingly high priority as the world rolls over to IPv6. You can find the Idea Bank here: https://support.opendns.com/forums/21211727-Idea-Bank
-
There are two ways OpenDNS resolvers can identify a user:
- By reading an 8-byte shared key added to the end of each packet. You need to be an Umbrella customer to get a key. I *think* this also works when connecting to the IPv6 addresses.
- By looking at a client IP, that can be added to the end of each packet, too, or if it's not there, by looking at the actual client IP the packet comes from. If a network matching this IP has been registered, the related filtering rules will match. This does *not* work when connecting to the IPv6 addresses, because well.. IPv6 addresses can't be registered in the dashboard.
Now, here's the thing: there are no differences between IPv4 and IPv6 resolvers. They are the same machines, just accepting connections on IPv4 and IPv6 addresses. IPv6 addresses can be resolved just fine when the queries are sent to an IPv4 resolver address. The only difference is that if you use the OpenDNS IPv6 addresses, packets are bigger, thus your queries can be slower.
For your operating system or your web browser, it can make a difference, though. When using an IPv6 resolver address, the stub resolver may try to resolve IPv6 addresses before IPv4, and not when you're using an IPv4 resolver address. Even if both addresses lead to the exact same machine.
In the OSX user interface for DNSCrypt, if your network supports IPv6, it uses the OpenDNS IPv6 addresses. The only reason I did that is because users asked for it. They have IPv6, they want to use IPv6 to access a service if IPv6 is available, even if it would work better using IPv4.
If your operating system or applications need an IPv6 resolver address, you can have that, and still use OpenDNS filtering.
Just have dnscrypt listen to an IPv6 address, and forward the queries to a regular OpenDNS IPv4 address. For example:
dnscrypt-proxy --local-address=::1
And configure your DNS settings to use ::1 instead of 127.0.0.1
-
You cannot register an IPv6 address with your OpenDNS network yet, therefore content filtering won't work. You can however use the OpenDNS FamilyShield addresses which provide at least some basic filtering of "adult" sites, proxy servers, basic malware botnets and phishing.
::ffff:d043:de7b
::ffff:d043:dc7b
-
To quote from http://www.opendns.com/technology/ipv6/
"Note: IPv6 support in the OpenDNS Sandbox is limited to standard recursive DNS initially. Additional functionality, like Web content filtering, malware and botnet protection, phishing protection, and more will be available on different IPs when IPv6 support is added to the OpenDNS Dashboard in the coming months."
-
According to my router (Fritz!Box 7390 using native IPv6), you cannot have a DNS server address starting with a semicolon so I'm currently unable to use the family filter on IPv6. The sandbox resolver addresses work OK but don't seem to block anything (excuse my lack of knowledge on what the sandbox is supposed to do).
-
One day Windows 8 started using IPv6 for DNS queries, and I noticed my filter settings were ignored. I spent some time searching for a solution, to no avail. Six months later, I am back here trying again, and to my surprise it works!
Solution: Set the IPv6 DNS servers in Windows to the values suggested by rotblitz above:
::ffff:d043:dede
::ffff:d043:dcdc
-
Hello,
OpenDNS supports DNS resolution with our IPv6 resolvers, but not yet content filtering because an IPv4 address cannot be registered to your account. We suggest disabling IPv6 connectivity or ensuring your DNS server is IPv4 only. If you are seeing filtering, it would mean that your DNS requests are being sent via IPv4 to 208.67.220.220 and 208.67.222.222.
If you have any questions or concerns, please don't hesitate to respond to this message.
Best regards,
-
Alexander,
You are correct. The net effect of my solution is to trick Windows into sending DNS queries to the IPv4 servers.
When I set my DNS settings to:
::ffff:d043:dede
::ffff:d043:dcdc
208.67.222.222
208.67.220.220
Command Prompt shows my DNS servers as:
::ffff:208.67.222.222
::ffff:208.67.220.220
208.67.222.222
208.67.220.220
At the end of the day, my issue is resolved, albeit via a workaround.
Thanks again.
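Added example, not part of the original posts: a short Python check that decodes the ::ffff: addresses traded in this thread and flags configured DNS servers that are native IPv6, which the support reply above says get no dashboard filtering. The 2001:db8::53 entry is a constructed placeholder, and to_mapped, classify and audit are names chosen here.

```python
import ipaddress

def to_mapped(ipv4):
    """Hex-group IPv4-mapped IPv6 form of an IPv4 address (::ffff:xxxx:xxxx)."""
    b = ipaddress.IPv4Address(ipv4).packed
    return "::ffff:{:02x}{:02x}:{:02x}{:02x}".format(*b)

def classify(server):
    """Return (kind, ipv4) for one DNS server entry; ipv4 is None for native IPv6."""
    addr = ipaddress.ip_address(server)
    if addr.version == 4:
        return ("ipv4", str(addr))
    if addr.ipv4_mapped is not None:
        # The embedded IPv4 address is where the queries actually go,
        # as the Command Prompt output quoted in the thread shows.
        return ("ipv4-mapped", str(addr.ipv4_mapped))
    return ("native-ipv6", None)

def audit(servers, expected_v4):
    """List (server, reason) pairs for entries that miss the expected resolvers."""
    findings = []
    for s in servers:
        kind, v4 = classify(s)
        if kind == "native-ipv6":
            findings.append((s, "native IPv6 resolver, no dashboard filtering"))
        elif v4 not in expected_v4:
            findings.append((s, "resolves to unexpected IPv4 " + v4))
    return findings

# IPv4 resolver addresses quoted in the thread.
EXPECTED = {"208.67.222.222", "208.67.220.220"}

# Constructed sample configuration; 2001:db8::53 is a documentation-range
# placeholder standing in for any native IPv6 resolver.
SAMPLE = ["::ffff:d043:dede", "::ffff:d043:dcdc", "208.67.222.222",
          "2001:db8::53", "::ffff:d043:de7b"]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, classify(s))
    for s, why in audit(SAMPLE, EXPECTED):
        print("FLAG", s, why)
```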
-
Comcast is now calling people that do not have IPV6 modems in place. My assumption is since they are pressing the issue it will become a bigger need for filtering. I just switched to an IPV6 compliant modem and filtering no longer works. I assume this will be a growing problem for others now too. Since Comcast's recording every couple of weeks is what drove me to upgrade my modem.
-
OpenDNS supports IPv4 and IPv6 lookups in a couple of different ways, including having their own IPv6 resolver addresses that provide recursive IPv6 service. They currently do not support DNS filtering or any of their other security products for IPv6 products.
The biggest reason I do not roll out IPv6 internet access and services for any of my clients (aside from lack of availability) is the lack of security products and tools that support it. Most consumer routers are pretty useless when it comes to IPv6 support, and many UTM firewalls don't support it as well, or if they do it's very basic. There are a few "prosumer" UTM firewalls out there that support it pretty well, and most offer to sell you purpose made hardware, or let you build your own hardware (usually an older PC with two NIC's) and install your own software image on them that gives it the same functionality as the hardware they sell. I'd consider it if it was just me, but I won't go that way in business because I'd then become a manufacturer with all the issues that entails.
I don't know what kind of IPv6 service Comcast is providing you, including if they are providing IP6 only or IPv4 and IPv6, or how they are providing IPv6, but I'd recommend going back to IPv4 if you can, until you figure out all the security and filtering options you want and how to get them to support IPv6.
-
With the Live Parental Controls on a Netgear device, the local IP4 Internet Address isn't used for network identification so IP6 support should be easier to implement. As it stands if the router is configured for IP6 in addition to IP4, it responds to IP6 requests with different filter results than to a request via IP4. So adding IP6 support so that the Netgear Live Parental Controls would work as promised would help as more connected devices default to IP6 for their DNS requests is imperative before parents learn that their filter is no longer working the hard way. (like I did)
-
Netgear Live Parental Controls is a Netgear product, not an OpenDNS product, so if you want it to add IPv6 features beyond what is already there you'll need to contact Netgear.
That being said, other than the IPv6 resolver addresses that provide recursive IPv6 DNS service, OpenDNS does not provide any other IPv6 functionality, including domain filtering. It doesn't matter how Netgear Live Parental Controls leverages OpenDNS, it cannot use those services to provide IPv6 filtering since OpenDNS doesn't have any mechanism to do so. If Netgear wants to provide IPv6 filtering they'll need to develop or use something other than what OpenDNS offers for IPv6.
For future reference, the proper terminology is IPv6 and IPv4, not IP6 and IP4. Although omitting the "v" from the middle may seem like a small thing to you, doing so conveys the distinct possibility that your knowledge and understanding of the two technologies is just as lacking as your use of the proper terminology. It is a technical field, and using the proper terminology is important to be able to communicate with others.
-
Actually it is an OpenDNS product. See the last comment on this thread: https://support.opendns.com/entries/21769775-Rebranding-OpenDNS-with-Netgear-Not-The-Most-Successful-Partnership
I had been working with OpenDNS support on the issue. This is the thread I was told to voice my opinion for them to get working on IP6 support.
-
Just a reminder, there is no such thing as IP6. The proper term is IPv6. You make yourself appear to be a fool if you insist on using the wrong terminology in discussing a technical topic.
Unfortunately you didn't post the whole story, namely that you'd already been in touch with OpenDNS about this, and they asked you to post something to this thread. It would have been very helpful to know the full backstory before I responded.
Given that additional piece of information I have no idea if they are trying to prioritize their development cycles for adding IPv6 to this very niche product first, or if they will add generalized support for their product line and then tweak it for niche products. I could see adding it to LPC first if they want to use that as a testbed, otherwise I'd hope they add it to the generalized products first, as a way of benefiting the most customers at once.
-
I made a "spelling" mistake by typing quickly in a forum that does not allow me to go back and edit the comments. For that I am sorry. I would happily correct my offending mistake for you if I could. As I am sure you would also, being that you are the one that made a bold declaration out of ignorance and not me.
But I don't want to get in a flame war and distract from the real problem. OpenDNS needs to focus resources on getting IPv6 support in all of their products. OpenDNS provides foundational services for the web that are relied on by millions, and by faltering on the provision of those services in critical places and the current juncture of time could force them to fall out of favor and become irrelevant. And I, as well as many others, do not wish for that to happen.
-
Guys I like the ::ffff:d043:dcdc trick, but it is not accepted by my router.
I'm a little disappointed after reading under Innovation that OpenDNS supported IPv6 to find out the content filtering only works with IPv4. I'll go back to my old content filtering methods and DNS, and check back with you in 6 months. Hopefully you will actually support IPv6 then.
PS I'm not disabling my IPv6
cheers :-)
-
"it is not accepted by my router."
Then you're out of luck anyway, even if OpenDNS supported IPv6 with content filtering. You had to enter OpenDNS IPv6 resolver addresses into your router, same as IPv4 addresses. Therefore, it seems it is time for a new router too which supports IPv6...
Let's see who's quicker, OpenDNS or your router equipment...
-
Even if your router accepts it, either via a firmware upgrade on the existing router, or a new router, you've got to remember that this is essentially a kludge that is unsupported by OpenDNS.
I'd like to experiment with it myself, but just haven't had time to examine it and see how well it holds up.
Plus, as with any kludge, there is always the possibility that an update to software or firmware somewhere, or just a tweak in settings could suddenly stop making things work. It would look like OpenDNS wasn't working properly, but in reality it was working right all along, you were just relying on an edge case to make it do something that it wasn't intended to do.