IPv6 Web Filtering
Support for web filtering when using OpenDNS IPv6 addresses.
-
You can use DNSCrypt to make filtering work even when using OpenDNS over IPv6.
On Windows:
- Follow the instructions here: http://dnscrypt.org/#dnscrypt-windows and here: https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown to download and install the command-line client.
- Install the service like this:
dnscrypt-proxy.exe -R cisco-ipv6 --install --plugin libdcplugin_example_ldns_opendns_set_client_ip.dll,127.0.0.1
Replace 127.0.0.1 with your IPv4 address (not the IPv6 one: this is the IPv4 address, where filtering works)
Change your DNS settings to 127.0.0.1 so that you use dnscrypt. Done! You are now using OpenDNS over IPv6 but you keep the filtering rules configured on the IPv4 address.
On Mac, using the DNSCrypt-OSXClient user interface:
- Launch the "Terminal" app
- Type:
echo libdcplugin_example_ldns_opendns_set_client_ip.la,127.0.0.1 > /Library/Application\ Support/DNSCrypt/control/plugin-ip.enabled ; touch /Library/Application\ Support/DNSCrypt/control/plugins.enabled
Replacing 127.0.0.1 with your IPv4 address.
- Now you can select OpenDNS over IPv6 in the preference pane or the menubar, and filtering will still work.
-
@rsgt: as @rotblitz said, if you just need to block categories that are not suitable for kids, you can use the FamilyShield IPv6 addresses:
You can however use the OpenDNS FamilyShield addresses which provide at least some basic filtering of "adult" sites, proxy servers, basic malware botnets and phishing.
::ffff:d043:de7b
::ffff:d043:dc7b
-
IPv6, DNS and Windows (and OpenDNS filtering with IPv6): https://00f.net/2015/07/20/ipv6-dns-windows/
-
Not according to OpenDNS support. They sent me to this post to request Family Shield for IPv6. I've responded back asking for clarification. If it's the basic free adult, phishing and malware content filtering that's fine by me. It would be nice for the additional filtering and reporting features you get with the IPv4 but I'll take the basic. Again, asking for clarification because they do not post this anywhere on their main site.
-
Are you saying you tried with the FamilyShield IPv6 addresses as of above:
::ffff:d043:de7b
::ffff:d043:dc7b
and it still does not work? Then post complete plain text output of the following diagnostic commands here, from the device you're having problems with:
nslookup -type=txt debug.opendns.com.
nslookup -type=txt debug.opendns.com. [::ffff:d043:de7b]
nslookup www.exampleadultsite.com.
nslookup www.exampleadultsite.com. [::ffff:d043:de7b]
-
@rotblitz, I received the below email from OpenDNS support yesterday stating FamilyShield for IPv6 is not a service they offer or have on the roadmap, just IPv4. Outside of this forum, I see no documentation on opendns.com that states they have basic content filtering with FamilyShield for IPv6 nor provide IPv6 DNS server IP addresses for FamilyShield. And, for the record, I'm currently pointing to the publicly listed IPv6 DNS servers from opendns.com: 2620:0:ccc::2 & 2620:0:ccd::2 listed here: https://www.opendns.com/about/innovations/ipv6/
(Emphasis added)
"
Hi Jeremy,
The welcome site only tests against IPv4, so if you're using IPv6 unfortunately the FamilyShield service/welcome page will give you the error message. Since you have IPv6 configured on your network, the website will pick up your IPv6 IP address/resolvers even if you have IPv4 configured in conjunction with IPv6.
Currently IPv6 filtering for the FamilyShield service is not on our roadmap for the foreseeable future, however, this is subject to change. If this is a feature you would like to see, I would recommend voicing your support for it here:
https://support.opendns.com/entries/21786344-IPv6-Web-Filtering
Our Product Managers review this frequently and when ideas get community support, we move on them! We also indicate if the idea is planned in this section.
If you have any further questions, please let us know.
Cheers,
Chris Frost
Customer Support Representative - Team Lead
OpenDNS, Inc."
-
"I'm currently pointing to the publicly listed IPv6 DNS servers from opendns.com: 2620:0:ccc::2 & 2620:0:ccd::2"
These are simple Sandbox IPv6 resolvers, without any filtering.
I see, you are advice persistent and do not want help if not from OpenDNS staff, so I give up and refrain from further trying to help you.
No matter, OpenDNS FamilyShield works also over IPv6, as confirmed also by jedisct1, so really no need to request it here as you did.
-
I'll put my hand up as also caught by this. I deliberately set my home DNS resolver to forward all queries towards 2620:0:ccc::2 & 2620:0:ccd::2, removing the IPv4 equivalents, to help support the 'new technology' (c'mon guys, IPv6 has been around for 15 years now!) and do my bit driving up the IPv6 traffic charts. Didn't realise that these performed no checks or filtering, and my home network has been open for a month.
This really isn't acceptable in the 21st century - RFC6540 IPv6 Support Required for All IP-Capable Nodes - if it doesn't support both IPv4 and IPv6, it isn't the Internet.
Now I've had to set my resolver back to sending the queries to the IPv4 addresses - perpetuating the myth that nobody is using IPv6. As more and more of the Internet adopts IPv6, and even ARIN has run out of any more IPv4 to allocate, the apathy towards supporting IPv6 means more and more people will be left wide open inadvertently as their ISPs turn on IPv6. Meanwhile, all those behind CGNAT gateways and increasingly IPv6-only ISPs are barred from using this service.
Surely it can't be that hard to allow user to register an IPv6 subnet along with their IPv4 ISP address, and match a user account based on source of the DNS query regardless of which IP version is used?
-
I don't know how difficult or easy it is for them to support IPv6 but they certainly aren't the only security related company that is not rolling out IPv6 support that is comparable to IPv4 support. The only things I've seen that consistently support IPv6 at the same level as they support IPv4 are some of the modem/router/gateways that some ISPs provide to their customers, and some of the routers that are intended for the home/consumer market. I've seen some UTMs intended for the SMB space that have support for IPv6 but it's either limited when compared to their IPv4 support, the devices are far too expensive for that market niche, or they are little better (feature wise) than a consumer router. I know there are UTMs intended for the higher end of the market that fully support IPv6 but I don't work in that segment of the market any longer.
Bottom line, although OpenDNS *appears* to be dragging their feet on IPv6 support (whether or not they actually are I don't know) they certainly aren't the only ones who are. I disable IPv6 at the router for all of my clients (assuming the router supports it, and regardless of whether the ISP supports it) and thus far haven't seen an issue with that. Granted, I'm in the US, so not having IPv6 on the internet isn't an issue, and I'm not certain when or if it will ever be.
Generally speaking hardware and software vendors support IPv6 for their products (or it doesn't matter since that's handled by the OS). Many more ISPs are offering dual-stack connections, but we're still waiting for the vast majority of the network security market to support IPv6. I don't know what the hold up is (though I suspect that at least some of it has to do with there not being the same type of NAT available with IPv6 as with IPv4. Without realizing it we've come to rely on NAT for security and networking far more than we really should as it's become a crutch), but generally speaking the industry is ready for it, though a lot of the technical people out there still don't know enough about IPv6 to support it.
I'm one of those who would like to see OpenDNS supporting IPv6 sooner rather than later, and it's one of the changes I'm waiting to see happen before I change my mind about supporting internet IPv6 for my clients. A while ago I opened a support ticket to ask about the status of IPv6, and though they didn't tell me any "secrets" a good discussion ensued. One of the things that resulted from that was the suggestion that support tickets would get more attention than forum postings. So my suggestion to you is that in addition to this posting you (and everyone else) open a support ticket asking about IPv6 support. If enough are opened it will definitely get attention from management.
-
-
You're missing the point by reposting that link. It's not that resolvers don't work over IPv6, it's that filtering doesn't work. The question of whether or not it makes sense to use v6 over v4 (or whether one blogger's opinion matters at all) is beside the point. We should be able to use either protocol to reach DNS. If OpenDNS resolvers don't filter, why not just use Google's or your ISP's?
The value add that OpenDNS provides is additional protection against bad actors out there. We all know we can use IPv4, but we should be able to use IPv6. It's lovely that they provide that service to their corporate clients, but we'd like it available for consumer-grade services. Hence the thread.
-
+1
My request to be able to use IPv6 by choice has nothing to do with myths or any belief that I need to resolve DNS queries over IPv6 in order to connect by IPv6. I know this is not true.
I choose where possible to use IPv6 in order to help along the day when IPv4 can die off a slow death and remove NAT from the Internet system. I choose suppliers that support dual-stack IPv6 and IPv4 because those suppliers are helping the Internet ecosystem provide a full service, not just access to the IPv4 half of the Internet. Not supporting IPv6 in this century is like the walled-garden of Compuserve in the previous century - yes it's sorta-kinda online, but it's not the full deal.
I choose to engineer an environment where I can operate, as much as possible, IPv6-only, to learn where the corner cases are that won't work currently, so these holes can be fixed without having to fall back to IPv4.
Right now, and increasingly in the future, there are networks and customers where OpenDNS over IPv4 simply will not work. IPv6-only networks obviously cannot use OpenDNS for site access control at the moment. Customers of the rapidly growing numbers of providers using CGNAT to multiplex tens or hundreds of subscribers onto a single IPv4 address cannot either. Even North America has run out of IPv4 address space to allocate, AsiaPacific, with the five globally fastest growing national userbases have been dealing with IPv4 exhaustion for many years with NAT behind NAT behind NAT - up to seven layers of NAT in India. As even North American ISPs start deploying CGNAT in order to cope with growing subscriber numbers and IoT devices, having a unique IPv4 address for each customer that only changes slowly over weeks or days will become a luxury.
Already, here in Australia (and we started with lots of IPv4 space), each of the mobile 3G/4G cellular networks implements CGNAT to preserve IPv4 addresses for data sessions. Customers that have 'cut the cord' and run their house on cellular data cannot use the OpenDNS service, since each DNS lookup might come from a different source IPv4 address chosen by the CGNAT gateway, and IPv4 lookups from a given IPv4 source address might emanate from any one of tens or hundreds of customer sessions.
So really, I'm thinking mainly of the longevity of OpenDNS and its service. Gradually, globally, the number of subscribers where a single IPv4 address can be used to identify a particular user or network over timescales of days or weeks will shrink. Allowing an OpenDNS subscriber/network to be identified from an IPv6 source address subnet range is simply planning for the future. Encouraging the OpenDNS organisation to set this functionality up is one way of ensuring the service stays relevant and viable.
-
++1 to pbbear's comment. This IP game is starting to get dicey. OpenDNS used to lead in the DNS space, not sure what is happening in their ranks but this whole issue is not leadership and innovation. I wish marketing would get involved here too. Their dogmatic support person commenting here is not painting them with a consumer advocate/friendly brush.
-
"Their dogmatic support person commenting here is not painting them with a consumer advocate/friendly brush."
The only one comment from OpenDNS staff was back in April 17, 2014, 12:05. I do not see why you treat this comment or person as "dogmatic".
OpenDNS supports DNS resolution with our IPv6 resolvers, but not yet content filtering because an IPv4 address cannot be registered to your account. We suggest disabling IPv6 connectivity or ensuring your DNS server is IPv4 only. If you are seeing filtering, it would mean that your DNS requests are being sent via IPv4 to 208.67.220.220 and 208.67.222.222. If you have any questions or concerns, please don't hesitate to respond to this message.
But you and the other people are really right. It's time for IPv6 since a while. I've voted for this idea from begin already.
From our user perspective it would be only to allow registering also an IPv6 address at the dashboard, so that not only FamilyShield content filtering works, but also customized content filtering. I guess their problem is the huge engine behind the user interface, with stats and logs and checking against a registered IPv6 address and all this stuff. It sounds easy but may be hard efforts and hardly feasible yet. I'm quite sure there are already plans in the cupboards. OpenDNS was always good for positive surprises in the past.
-
It may be a big project, it might not take much at all. Adding a second field to ask for and store an IPv6 subnet prefix shouldn't be too hard. Searching and Matching an incoming source address against the collection of registered addresses - the logic is already there, although the IPv6 code will need to check a source address against being inside each subnet range, not just against a single address. The reporting & charting needn't change at all.
In any case, a change like this would need to be managed like a project, and a project has an expected end date - a comment from OpenDNS support saying something like "yes, we're aware of it, it's in the queue, planned to be ready for testing by (insert month here)" would go a long way.
In any case, responses like 'use ::ffff:d043:dede', whether from an official rep or some well-meaning but misguided forum user, don't cut it - that's IPv4 displayed a different way, not IPv6.
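The two technical points in the comment above, shown as an added example that is not part of the original thread and not OpenDNS code: the `::ffff:` addresses decode to IPv4 resolvers, and matching a query source against a registered IPv6 prefix is a subnet-containment test rather than an equality test. `NetworkRegistry`, the account names and the registered networks (documentation ranges 203.0.113.0/24 and 2001:db8::/32) are constructed for illustration.

```python
import ipaddress

# Resolver addresses quoted in this thread.
THREAD_RESOLVERS = ["::ffff:d043:de7b", "::ffff:d043:dc7b",
                    "2620:0:ccc::2", "2620:0:ccd::2"]


def describe_resolver(text):
    """Return (kind, embedded_ipv4) for a resolver address string."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return ("ipv4", str(addr))
    if addr.ipv4_mapped is not None:
        # ::ffff:a.b.c.d is an IPv4 address written in IPv6 notation;
        # traffic to it still needs IPv4 connectivity.
        return ("ipv4-mapped", str(addr.ipv4_mapped))
    return ("native-ipv6", None)


class NetworkRegistry:
    """Hypothetical account registry: one IPv4 address or an IPv6 prefix."""

    def __init__(self):
        self._nets = []  # list of (ip_network, account)

    def register(self, cidr, account):
        # A bare IPv4 address becomes a /32; an IPv6 entry is a delegated
        # prefix such as a /48 or /56, because hosts inside it use many
        # different source addresses.
        self._nets.append((ipaddress.ip_network(cidr), account))

    def lookup(self, source):
        """Return the account owning the query source, or None."""
        addr = ipaddress.ip_address(source)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # treat mapped form as plain IPv4
        best = None
        for net, account in self._nets:
            if net.version == addr.version and addr in net:
                # Longest prefix wins when registrations overlap.
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, account)
        return best[1] if best else None


def build_sample_registry():
    """Constructed sample data, not real customer networks."""
    reg = NetworkRegistry()
    reg.register("203.0.113.7", "home-a")
    reg.register("2001:db8:1234::/48", "home-a")
    reg.register("2001:db8:1234:ff00::/56", "guest-b")
    return reg


if __name__ == "__main__":
    for r in THREAD_RESOLVERS:
        print(r, describe_resolver(r))
    reg = build_sample_registry()
    for src in ["203.0.113.7", "2001:db8:1234:1::53",
                "2001:db8:1234:ff42::1", "2001:db8:9999::1"]:
        print(src, "->", reg.lookup(src))
```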
-
OpenDNS does not seem to respond to "+1"s buried in threads in their forums. Meaning they don't pay attention to them. Frankly, neither would I.
What they do seem to pay attention to are people clicking to vote in favor of ideas in the Idea Bank (I just checked and realized I hadn't yet, which surprised me, so went ahead and voted for this).
They also pay attention to Support tickets. So as I've said in this and other threads open up a support ticket asking about IPv6 status and availability.
Presumably they pay more attention to these two things because they drive metrics that management tracks and pays attention to. So use both these metrics to your advantage and vote and ask.
I don't really know why it has taken OpenDNS (or so much else of the industry) so long to roll out this kind of support for IPv6. It could be a technical issue, it could be some sort of internal politics, or it could be something else I can't even begin to think of, but the way to apply pressure is to do both of those things that OpenDNS is actively asking for. Feedback of any other sort isn't going to have the same impact (or pressure).
I too want to see this fully supported, and while there are gimmicks and work arounds that I've seen, I'm not convinced that any of them will do the key job of *filtering* IPv6 requests like we have with IPv4, though all of them should be capable of resolving DNS requests that come in via IPv6. Of course we already have that with the OpenDNS IPv6 sandbox addresses, so why bother with a workaround when we've got those now?
-
Well, my ISP finally enabled IPv6 this last Friday (November 29, 2015), and immediately OpenDNS Updater told me I'm not using OpenDNS.
I am using OpenDNS for both IPv6 and IPv4, but the OpenDNS Updater doesn't seem to know about the IPv6 sandbox. I also ran the test filtering sites and they didn't get blocked.
OpenDNS used to be a leader on this in that it got the IPv6 sandbox up so early, but it seems the world (or at least my ISP) is finally catching up. If OpenDNS wants to remain a leader, they need to get full support for this implemented soon.
-
It has been said many times in many threads that if you want OpenDNS to work consistently and reliably you *must* disable IPv6 internet traffic. The easiest way to do that is to disable IPv6 on your router. It's good that your ISP is offering IPv6 now, but if you intend to use OpenDNS with your IPv6 you won't be able to take advantage of the new offering.
The Updater doesn't know anything about the IPv6 Sandbox, nor does it know about the IPv4 OpenDNS DNS server addresses. Its only function is to update your IPv4 address registration against your OpenDNS network *if* you have a dynamic IPv4 address. It has no other purpose and has no other function.
OpenDNS is still a leader in the DNS field, including offering IPv6 DNS services. Across the entire technology field, especially internet security, just about every company and service provider is being extremely slow to fully support IPv6 just like they do with IPv4. I have no idea why that is, but it's not like OpenDNS is the only company that isn't making a comprehensive IPv6 product.
That said, did you follow my advice in the preceding post? Namely to vote that you like this topic and to open a support ticket asking about IPv6 status? I was advised to do so a long while ago by an OpenDNS support employee when I made my own inquiries about IPv6 support. They seem to be the only metrics that management is tracking regarding this and other issues, but at least you wrote something instead of just being lazy and typing +1.
-
@rotblitz, yes I tested this but filtering didn't work (that's why I shared my experience). The reason why filtering with DS-lite through IPv4 doesn't work is that DS-lite is some form of carrier grade NAT; so multiple users share the same IPv4 address. Maybe setting that IPv4 address in the dashboard as "your" IPv4 address would work but I think customization of the filtering on a per user basis wouldn't work with many users sharing the same IPv4 address.
I was able to 'roll-back' my connection to IPv4 by calling the helpdesk for now (and I had to provide a valid reason for requesting native IPv4) but in the future there will be a moment that native IPv4 for home broadband connections is no longer supported, I guess.
-
I see pbbear already explained my problem in detail, with the slight difference that he addresses CGNAT for mobile data users instead of CGNAT for home broadband.
I encourage OpenDNS to add native IPv6 support for web content filtering (and applying any other user defined preferences).
-
There are so many other support threads and community threads where the problem is a variant of "OpenDNS is not working for me" and the resolution ends up being "you are using IPv6 without knowing - turn off IPv6 and all is well" that surely there is a message there - increasingly people are getting and using IPv6 by default, as they should expect to in this century, and OpenDNS should filter identically, whether people are using IPv4, or IPv6, or both at the same time. Turning off IPv6 is not an acceptable resolution.
-
Yeah - they need to get their act together on IPv6. I'm a corporate user and Web Filtering doesn't work for us either on IPv6. Funny - we purchased Umbrella because we wanted a cloud solution to secure web traffic on Laptops when they're off the corporate network - like at home on Comcast or Verizon. But now because new modems from Comcast & Verizon are IPv6 capable, machines attached to them (wifi or wired) are getting IPv6 IP and DNS settings automatically when connected. That means the Umbrella client will no longer provide any web filter functions as it does when machines are connected on the IPv4 Corporate LAN back in the office. So our options are to wait for OpenDNS to fix this, or start looking at other options from BlueCoat, zScaler, and Websense. Come on OpenDNS - support IPv6 and IPv4 in the Roaming Client...!!!