Comments

129 comments

  • pbbear

    I'm not suggesting they should do it differently from registering and handling an IPv4 subnet block.. Where can I register an IPv6 subnet block?

    1
  • mattwilson9090

    To a certain extent we are just whistling in the dark here.

    I only talked about IPv6 address registration as one possible reason for the delay in IPv6 implementation. Short of a message several years ago that amounted to "we're working on it" I have no idea what the status of IPv6 and OpenDNS is, or why it's not yet implemented.

    As for registering blocks of addresses rather than discrete addresses that makes sense to me, but I think when they've done it with IPv4 it's been done manually. I'm not sure how they'd get that information automatically for all OpenDNS users who have IPv6 blocks assigned automatically (and presumably dynamically). The vast majority of home users will have no clue about that, and though the RFCs and related documents specify that an ISP should assign IPv6 addresses in /64 blocks, some will give much less than that, and I wouldn't be surprised if a handful will even try to get away with assigning a single IPv6 address just like they do with IPv4.

    All I know for sure is that I want IPv6 support, and I'll bet some users who are getting native IPv6 from their ISP's would be shocked to learn that OpenDNS is no longer protecting them. Or at least no longer protecting them on a consistent basis.

    1
  • grdn

    +1 for feature parity on IPv6. 

    1
  • clacknet

    I have read all the comments here in hopes to find a solution and I agree with everyone that we need to have IPv6 web filter support.  I run a large network with 60,000 licenses with 13 school districts and 120 school buildings.  We run a dual stack environment but OpenDNS Support tells me to turn off IPv6 if we want to web filter and that they don't support filtering for IPv6.

    They did tell me to go to https://support.opendns.com/forums/21322513 and submit a feature request.  I went there and realized there were only two other feature requests for IPv6.  Mine now makes three.

    I ask that all of you reading this will do the same.  It sounds like the product managers don't listen to their support team but they do read these submissions.  So I ask that instead of  "+1" this feed that you please add it to the feature request page as we all need IPv6 support.

    Thanks

    1
  • wcoile

    ::ffff:d043:dedc decodes to 0:0:0:0:0:ffff:208.67.222.220 which is clearly an IPv4 address rather than a globally routable IPv6 address.  That's a misleading answer.  That's a hack, and really just sends DNS traffic over IPv4.  That isn't a solution.

     

    We need to be able to add IPv6 networks in the dashboard, as paying customers, like we do with IPv4!

     

     

    1
  • king_family

    ... how is any of that relevant to a statically registered AAAA record with a static DNS entry? None of those issues are unique to IPv6, including changing subnet masks as ISPs free up IPv4 ranges to sell and convert their internal networks to IPv6.

    1
  • king_family

    No basic ISP assigns static IPs to any consumer, IPv4, IPv6, or otherwise.  You pay extra for a static and that's been the case for decades.  The ability for OpenDNS to have the current address of your devices can be handled numerous ways, heck the dd-wrt can be configured with scripts to constantly update its public IP list with sites, I've done it when setting up hurricane electric ipv6 tunnels for years now... and it's frankly out of scope of this request.

    I'm talking about nslookup -q=aaaa cisco.com giving me an IPv6 back and not an IPv4, and a blocked site redirect if it's on my black list.  Right now that's impossible, and instead you're saying I should basically configure my router to _only_ reply with IPv4.  That's simply not what's being asked.

    1
  • mattwilson9090

    @wcoile Disinformation? How exactly is any of what rotblitz said wrong or misleading? Have you actually tried testing it yourself?

    1
  • pbbear

    Ignore Rotblitz - he has a history of ignoring the actual problem statement.

    The title of the thread is "IPv6 Web Filtering", not "IPv6 Web Resolving".

    Yes, you can configure an IPv6-ified version of the IPv4 address, and get a name resolved to an IP address. You can even send the DNS request to OpenDNS's real IPv6 addresses, and get back an IPv4 or IPv6 address.

    That's not the problem.

    If you send a DNS request to resolve a name and that request comes in over IPv6, OpenDNS cannot match the source IPv6 address with a user's account and filtering rules, and send back a filtered IP address that points to a block-page if the name is supposed to be blocked, and would be blocked over IPv4. The lookup will instead be resolved every time to the site's actual address.

    This means that a general web user's household, if they are on a dual-stack ISP, has at best a 50:50 chance of having a dodgy site blocked when someone in their house tries to connect to it, depending on whether their router tries to make the DNS lookup using IPv4 (will be blocked) or using IPv6 (will not be blocked, will be resolved to the site's actual address and let through).

    So, if an OpenDNS user actually wants the OpenDNS service to filter dodgy sites consistently, the user has to be clueful enough to explicitly force their router to only make DNS lookups using IPv4 and not IPv6.

    The problem to be solved is Filtering over IPv6. OpenDNS doesn't. And with IPv6 now having been declared a full standard (RFC8200), that is a shortcoming that needs to be fixed, or a bug, depending on how charitable you're feeling.

     

    1
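An added example (not part of any comment in this thread, and not OpenDNS code): a Python check that decodes each configured resolver address, including the `::ffff:` mapped forms posted here, and reports which ones get no filtering according to the thread. The function names, verdict labels and the sample resolver list are constructed for illustration; the addresses are the ones quoted in the thread.

```python
import ipaddress

# Resolver addresses quoted in this thread. The FamilyShield IPv4 addresses are
# decoded from the mapped forms posted in the thread rather than typed in by hand.
OPENDNS_V4 = {ipaddress.ip_address(a)
              for a in ("208.67.222.222", "208.67.220.220", "208.67.222.220")}
FAMILYSHIELD_V4 = {ipaddress.IPv6Address(a).ipv4_mapped
                   for a in ("::ffff:d043:de7b", "::ffff:d043:dc7b")}
OPENDNS_V6 = {ipaddress.ip_address(a) for a in ("2620:0:ccc::2", "2620:0:ccd::2")}

# Verdict labels are made up for this example.
VERDICTS_WITHOUT_FILTERING = {"unfiltered-ipv6", "unknown"}


def classify(resolver: str) -> tuple[str, str]:
    """Return (address the resolver is really reached at, verdict)."""
    addr = ipaddress.ip_address(resolver.strip())
    # ::ffff:a.b.c.d is an IPv4-mapped address: the query is sent over IPv4
    # to a.b.c.d, so the resolver sees the client's IPv4 source address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr in OPENDNS_V4:
        verdict = "account-filtered"   # if the IPv4 network is registered
    elif addr in FAMILYSHIELD_V4:
        verdict = "familyshield"       # fixed filter set, no account needed
    elif addr in OPENDNS_V6:
        verdict = "unfiltered-ipv6"    # resolves, but no account match
    else:
        verdict = "unknown"            # not an address quoted in the thread
    return str(addr), verdict


def audit(resolvers: list[str]) -> list[tuple[str, str, str]]:
    """List (configured, effective, verdict) for resolvers that skip filtering."""
    findings = []
    for configured in resolvers:
        effective, verdict = classify(configured)
        if verdict in VERDICTS_WITHOUT_FILTERING:
            findings.append((configured, effective, verdict))
    return findings


# Constructed sample: resolver list of a dual-stack host (not real output).
SAMPLE_RESOLVERS = [
    "208.67.222.222",
    "::ffff:d043:dcdc",
    "0::ffff:d043:de7b",
    "2620:0:ccc::2",
]

if __name__ == "__main__":
    for configured in SAMPLE_RESOLVERS:
        print(configured, "->", *classify(configured))
    print("bypassing filtering:", audit(SAMPLE_RESOLVERS))
```

A non-empty result from `audit` means some lookups on that host can go to a resolver that returns the site's actual address instead of the block page.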
  • mattwilson9090

    @pbbear You seem to not understand the concept of a workaround.

    While it's true that OpenDNS does not officially support IPv6 in the same manner as IPv4, there are at least two different methods that will allow an OpenDNS user to use IPv6 while still having full filtering of any of their domains via OpenDNS just as if they were only exclusively using IPv4.

    The one that rotblitz recommends to others is one method, and is most definitely not a 50:50 chance, as borne out by the results he pasted. Why don't you test it yourself, instead of proclaiming he's wrong without understanding what he's actually saying.

    The other method utilizes DNScrypt and is also a workaround.

    Rotblitz has never said that this is the be all and end all of things. He's also stated many times that he'd like to see IPv6 fully supported. Rather than sitting on his hands and whining he's actually sought out, tested, and uses a workaround that allows him (and others) to have IPv6 resolution AND filtering until OpenDNS finally fully supports IPv6.

    1
  • icekiss69 (Edited)

    2019 and this still hasn't been resolved and was written back in 2013?

    is the lack of functioning feature rich dns the result of opendns selling its soul to cisco

    now opendns sucks just like cisco internet modems and tv boxes

    https://en.wikipedia.org/wiki/OpenDNS

    https://en.wikipedia.org/wiki/Cisco_Systems

    since ciscodns/opendns are deprecated everyone may as well use google dns

    https://developers.google.com/speed/public-dns/

    https://developers.google.com/speed/public-dns/docs/security

    Statistics

    Google collects statistics about IPv6 adoption in the Internet on an ongoing basis.

    IPv6 adoption

    https://www.google.com/intl/en/ipv6/statistics.html

    Per-Country IPv6 adoption

    https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption

    anyone have any suggestions for more options in dns providers? because 2013-2019 = doa dead on arrival 10 year anniversary soon without any support don't forget to put the company logo by useless in the dictionary

    what it is like getting support with ciscodns/opendns

    https://www.youtube.com/watch?v=Kwo58m4JqY8

    1
  • jedisct1

    There are two ways OpenDNS resolvers can identify a user:

    - By reading an 8-byte shared key added to the end of each packet. You need to be an Umbrella customer to get a key. I *think* this also works when connecting to the IPv6 addresses.

    - By looking at a client IP, that can be added to the end of each packet, too, or if it's not there, by looking at the actual client IP the packet comes from. If a network matching this IP has been registered, the related filtering rules will match. This does *not* work when connecting to the IPv6 addresses, because well.. IPv6 addresses can't be registered in the dashboard.

    Now, here's the thing: there are no differences between IPv4 and IPv6 resolvers. They are the same machines, just accepting connections on IPv4 and IPv6 addresses. IPv6 addresses can be resolved just fine when the queries are sent to an IPv4 resolver address. The only difference is that if you use the OpenDNS IPv6 addresses, packets are bigger, thus your queries can be slower.

    For your operating system or your web browser, it can make a difference, though. When using an IPv6 resolver address, the stub resolver may try to resolve IPv6 addresses before IPv4, and not when you're using an IPv4 resolver address. Even if both addresses lead to the exact same machine.

    In the OSX user interface for DNSCrypt, if your network supports IPv6, it uses the OpenDNS IPv6 addresses. The only reason I did that is because users asked for it. They have IPv6, they want to use IPv6 to access a service if IPv6 is available, even if it would work better using IPv4.

    If your operating system or applications need an IPv6 resolver address, you can have that, and still use OpenDNS filtering.

    Just have dnscrypt listen to an IPv6 address, and forward the queries to a regular OpenDNS IPv4 address. For example:

    dnscrypt-proxy --local-address=::1

    And configure your DNS settings to use ::1 instead of 127.0.0.1

     

    0
  • al1264

    According to my router (Fritz!Box 7390 using native IPv6), you cannot have a DNS server address starting with a semicolon so I'm currently unable to use the family filter on IPv6.  The sandbox resolver addresses work OK but don't seem to block anything (excuse my lack of knowledge on what the sandbox is supposed to do).

    0
  • al1264

    Sorry, meant colon, not semicolon in the above post.

    0
  • al1264

    Can anyone advise whether

    0::ffff:d043:de7b
    0::ffff:d043:dc7b

    would work correctly?

    0
  • al1264

    Thanks, router accepts the long version (didn't refresh the page when I posted the one above).

    0
  • zacharydl

    One day Windows 8 started using IPv6 for DNS queries, and I noticed my filter settings were ignored. I spent some time searching for a solution, to no avail. Six months later, I am back here trying again, and to my surprise it works!

    Solution: Set the IPv6 DNS servers in Windows to the values suggested by rotblitz above:

    ::ffff:d043:dede
    ::ffff:d043:dcdc

    0
  • Alexander Harrison

    Hello,

    OpenDNS supports DNS resolution with our IPv6 resolvers, but not yet content filtering because an IPv4 address cannot be registered to your account. We suggest disabling IPv6 connectivity or ensuring your DNS server is IPv4 only. If you are seeing filtering, it would mean that your DNS requests are being sent via IPv4 to 208.67.220.220 and 208.67.222.222. 

    If you have any questions or concerns, please don't hesitate to respond to this message.

    Best regards,

    0
  • kellerfam

    With the Live Parental Controls on a Netgear device, the local IP4 Internet Address isn't used for network identification so IP6 support should be easier to implement. As it stands if the router is configured for IP6 in addition to IP4, it responds to IP6 requests with different filter results than to a request via IP4. So adding IP6 support so that the Netgear Live Parental Controls would work as promised would help as more connected devices default to IP6 for their DNS requests is imperative before parents learn that their filter is no longer working the hard way. (like I did)

    0
  • mattwilson9090

    Netgear Live Parental Controls is a Netgear product, not an OpenDNS product, so if you want it to add IPv6 features beyond what is already there you'll need to contact Netgear.

    That being said, other than the IPv6 resolver addresses that provide recursive IPv6 DNS service, OpenDNS does not provide any other IPv6 functionality, including domain filtering. It doesn't matter how Netgear Live Parental Controls leverages OpenDNS, it cannot use those services to provide IPv6 filtering since OpenDNS doesn't have any mechanism to do so. If Netgear wants to provide IPv6 filtering they'll need to develop or use something other than what OpenDNS offers for IPv6.

    For future reference, the proper terminology is IPv6 and IPv4, not IP6 and IP4. Although omitting the "v" from the middle may seem like a small thing to you, doing so conveys the distinct possibility that your knowledge and understanding of the two technologies is just as lacking as your use of the proper terminology. It is a technical field, and using the proper terminology is important to be able to communicate with others.

    0
  • kellerfam

    Actually it is an OpenDNS product.  See the last comment on this thread: https://support.opendns.com/entries/21769775-Rebranding-OpenDNS-with-Netgear-Not-The-Most-Successful-Partnership

    I had been working with OpenDNS support on the issue. This is the thread I was told to voice my opinion for them to get working on IP6 support.

    0
  • rotblitz

    "it is not accepted by my router."

    Then you're out of luck anyway, even if OpenDNS supported IPv6 with content filtering.  You had to enter OpenDNS IPv6 resolver addresses into your router, same as IPv4 addresses.  Therefore, it seems it is time for a new router too which supports IPv6...

    Let's see who's quicker, OpenDNS or your router equipment...

    0
  • mattwilson9090

    Even if your router accepts it, either via a firmware upgrade on the existing router, or a new router, you've got to remember that this is essentially a kludge that is unsupported by OpenDNS.

    I'd like to experiment with it myself, but just haven't had time to examine it and see how well it holds up.

    Plus, as with any kludge, there is always the possibility that an update to software or firmware somewhere, or just a tweak in settings could suddenly stop making things work. It would look like OpenDNS wasn't working properly, but in reality it was working right all along, you were just relying on an edge case to make it do something that it wasn't intended to do.

    0
  • jedisct1

    @rsgt: as @rotblitz said, if you just need to block categories that are not suitable for kids, you can use the FamilyShield IPv6 addresses:

     

        You can however use the OpenDNS FamilyShield addresses which provide at least some basic filtering of "adult" sites, proxy servers, basic malware botnets and phishing.

        ::ffff:d043:de7b
        ::ffff:d043:dc7b

    0
  • jedisct1

    Also, on Windows, if the problem is that you need an IPv6 address for the DNS resolver in the "Internet Protocol Version 6 (TCP/IPv6)" section, enter:

     

    ::ffff:208.67.222.222

    ::ffff:208.67.220.220

     

    => OpenDNS filtering, even when using IPv6.

    0
  • jedisct1

    IPv6, DNS and Windows (and OpenDNS filtering with IPv6): https://00f.net/2015/07/20/ipv6-dns-windows/

    0
  • jmchowbizzarre

    Not according to OpenDNS support. They sent me to this post to request Family Shield for IPv6. I've responded back asking for clarification. If it's the basic free adult, phishing and malware content filtering that's fine by me. It would be nice for the additional filtering and reporting features you get with the IPv4 but I'll take the basic. Again, asking for clarification because they do not post this anywhere on their main site.

    0
  • jmchowbizzarre

    @rotblitz, I received the below email from OpenDNS support yesterday stating FamilyShield for IPv6 is not a service they offer or have on the roadmap, just IPv4.  Outside of this forum, I see no documentation on opendns.com that states they have basic content filtering with FamilyShield for IPv6 nor provide IPv6 DNS server IP addresses for FamilyShield. And, for the record, I'm currently pointing to the publicly listed IPv6 DNS servers from opendns.com: 2620:0:ccc::2 and 2620:0:ccd::2, listed here: https://www.opendns.com/about/innovations/ipv6/

     

    (Emphasis added)

    "
    Hi Jeremy,

    The welcome site only tests against IPv4, so if you're using IPv6 unfortunately the FamilyShield service/welcome page will give you the error message. Since you have IPv6 configured on your network, the website will pick up your IPv6 IP address/resolvers even if you have IPv4 configured in conjunction with IPv6.

    Currently IPv6 filtering for the FamilyShield service is not on our roadmap for the foreseeable future, however, this is subject to change. If this is a feature you would like to see, I would recommend voicing your support for it here:

    https://support.opendns.com/entries/21786344-IPv6-Web-Filtering

    Our Product Managers review this frequently and when ideas get community support, we move on them! We also indicate if the idea is planned in this section.

    If you have any further questions, please let us know.

    Cheers,

    Chris Frost
    Customer Support Representative - Team Lead
    OpenDNS, Inc.

    "

    0
  • jmchowbizzarre

    @rotblitz Thanks for refraining from helping me further, I do appreciate it.

    0
  • mattwilson9090

    I don't know how difficult or easy it is for them to support IPv6 but they certainly aren't the only security related company that is not rolling out IPv6 support that is comparable to IPv4 support. The only things I've seen that consistently support IPv6 at the same level as they support IPv4 are some of the modem/router/gateways that some ISP's provide to their customers, and some of the routers that are intended for the home/consumer market. I've seen some UTM's intended for the SMB space that have support for IPv6 but it's either limited when compared to their IPv4 support, the devices are far too expensive for that market niche, or they are little better (feature wise) than a consumer router. I know there are UTM's intended for the higher end of the market that fully support IPv6 but I don't work in that segment of the market any longer.

     

    Bottom line, although OpenDNS *appears* to be dragging their feet on IPv6 support (whether or not they actually are I don't know) they certainly aren't the only ones who are. I disable IPv6 at the router for all of my clients (assuming the router supports it, and regardless of whether the ISP supports it) and thus far haven't seen an issue with that. Granted, I'm in the US, so not having IPv6 on the internet isn't an issue, and I'm not certain when or if it will ever be.

    Generally speaking hardware and software vendors support IPv6 for their products (or it doesn't matter since that's handled by the OS). Many more ISP's are offering dual-stack connections, but we're still waiting for the vast majority of the network security market to support IPv6. I don't know what the hold up is (though I suspect that at least some of it has to do with there not being the same type of NAT available with IPv6 as with IPv4. Without realizing it we've come to rely on NAT for security and networking far more than we really should as it's become a crutch), but generally speaking the industry is ready for it, though a lot of the technical people out there still don't know enough about IPv6 to support it.

    I'm one of those who would like to see OpenDNS supporting IPv6 sooner rather than later, and it's one of the changes I'm waiting to see happen before I change my mind about supporting internet IPv6 for my clients. A while ago I opened a support ticket to ask about the status of IPv6, and though they didn't tell me any "secrets" a good discussion ensued. One of the things that resulted from that was the suggestion that support tickets would get more attention than forum postings. So my suggestion to you is that in addition to this posting you (and everyone else) open a support ticket asking about IPv6 support. If enough are opened it will definitely get attention from management.

    0