IPv6 Web Filtering
Support for web filtering when using OpenDNS IPv6 addresses.
I do agree that OpenDNS needs to support IPv6 in the same manner as IPv4. I know that they are working on it, but I do not know what their technical, business, or legal reasons are for not being ready to deploy it.
It's not as if OpenDNS is the only security company that is not supporting, or not fully supporting, IPv6. Of the existing cloud-based providers like OpenDNS, I'm not aware of any other that is supporting IPv6. The ones that use some sort of appliance, or locally installed "server", may be supporting IPv6, but that is a completely different solution from a cloud-based solution like OpenDNS.
I do hate to say it, but your company didn't do its due diligence on a security product that they purchased if they didn't know going in that IPv6 isn't yet supported. That's one of the questions I always ask when evaluating a security product.
If your corporate LAN is IPv4 you could use whatever method you use to manage and configure your devices to disable IPv6, or if the system is capable of it, disable IPv6 when away from that LAN. How you do that would be up to however the network and servers are configured and managed.
A few questions for you: are you interested only in IPv6 for the roaming client, or do you want it for all of OpenDNS? If you want it only for the Roaming Client you should start a separate thread for that, since this thread thus far has been about all of OpenDNS, especially the Home product and any others that are network centric instead of using a roaming client.
Have you voted to like this thread? Have you opened a support ticket asking about IPv6 support? As has been said in this thread already, it doesn't seem that management pays much attention to these comments when it comes to deciding how much priority to give something. They pay even less attention to comments that are only "+1". The metrics that they really pay attention to are people voting for an idea or support tickets. That's not saying not to post comments, but it's saying comments alone, without a vote or a support ticket, don't do much.
I should pick up something from above again: https://00f.net/2015/07/20/ipv6-dns-windows/
OpenDNS filtering works even if you have IPv6 connectivity. It always did.
What is described there would require the DNS resolver addresses to be entered as follows:
As I did not have the opportunity to test this in an IPv6 supported network, I cannot confirm if this works or not. Someone having an IPv6 network may confirm.
Another conversation in this forum got me to thinking about IPv6 and OpenDNS.
Bear with me a bit, this might get long.
The way most people use IPv4 today is with NAT. Regardless of what their perimeter device is, they connect to the internet via some sort of NAT router that has a single public IPv4 address that then gets registered with OpenDNS. Regardless of how your network is configured (devices using the router as their DNS server, which then forwards requests; each device configured with the OpenDNS addresses; or something else), all requests sent to OpenDNS appear to come from the same address.
However, IPv6 does away with this concept of NAT and each device on your network will have its own public IPv6 address. If each device on your network continues to use your router for DNS lookups then things remain basically the same, i.e. that router needs to register a single IPv6 address with OpenDNS and that is the only address OpenDNS will see from your network.
However this whole situation changes if each device is directly configured with the OpenDNS IPv6 address. *Each* device on the network, potentially even guest devices, will have their own IPv6 address which is used to access OpenDNS. Basically, if you have 10 devices on the network, OpenDNS will see 10 different addresses, which would somehow have to be registered with your OpenDNS network.
I have no idea if this is the technical hurdle delaying OpenDNS from rolling out full IPv6 support, but I'm pretty sure they need to figure out how to register every IPv6 address from your network, while somehow figuring out that it's a *new* address, rather than just a *different* address from an already known device. There are ways to do it, but it can get very complex and I'm not sure what the answer is.
I'm not speaking for OpenDNS, I don't know the actual reasons for IPv6 not yet being fully supported, but I am offering this as food for thought.
<b>However this whole situation changes if each device is directly configured with the OpenDNS IPv6 address. *Each* device on the network, potentially even guest devices, will have their own IPv6 address which is used to access OpenDNS. Basically, if you have 10 devices on the network, OpenDNS will see 10 different addresses, which would somehow have to be registered with your OpenDNS network.</b>
At least when Comcast allocates IPv6 addresses to residential customers with IPv6-capable routers or to their customers using Comcast's "gateways" (combined cable modem / router), it is a /64 block of IPv6 addresses that get allocated. I don't know if they are still allocating just 1 IPv6 address when it is a computer connected directly to the cable modem, but I know they used to. And of course larger establishments may get a larger block. So that presumably means that if OpenDNS would at some future date allow us to configure for IPv6 addresses and not just IPv4 addresses, the block size would have to be included.
As far as 10 devices potentially showing up as 10 different IPv6 addresses to OpenDNS, it can actually be more than that. Windows 7, for example, will generate a public IPv6 address and then will immediately generate a temporary public IPv6 address that it will use for communicating on the network (including the Internet). Typically this address will have a preferred lifetime of a day and a valid lifetime of a week, and will generate a new public IPv6 address after the end of that lifetime (or, I suspect, during the next bootup). So in such a case it may be easier to track the block than individual and frequently changing IPv6 addresses, though I can imagine even that creating a bunch of headaches as many people won't know if they are from an individual IPv6 address, a /64 block, or some other block size of IPv6 addresses.
I used to use OpenDNS but I ended up dropping it when I started using IPv6, and now the antivirus package I use has its own "Secure DNS" that it uses in preference to whatever DNS server address I set up.
Like today with IPv4 addresses, OpenDNS would certainly also consider allowing the registration of blocks of IPv6 addresses like /64. This IPv4 feature is and was already available for Umbrella and even for the Home versions on request, so it will definitely be for IPv6.
"the antivirus package I use has its own "Secure DNS" that it uses in preference to whatever DNS server address I set up."
Yes, but Avast's concept is totally different from OpenDNS'. It must run on the local computer.
Yes, to support IPv6 OpenDNS will need to allow the customer to register the full /64 address block they'll be allocated by the ISP, just like the single IPv4 address they are allocated now.
In my case:
IPv4 : 18.104.22.168
IPv6 : 2001:4830:1200:806E/64
Yes, every device will have a different address, and most devices will have multiple addresses and change addresses frequently - but all the public source addresses that OpenDNS sees will be from within the assigned address block.
This doesn't make the algorithm any harder. It goes from:
Receive DNS request from IPv4 address X.X.X.X
Look up account associated with IPv4 address X.X.X.X
Look up rules associated with account
Apply rule to DNS query string
to:
Receive DNS request from IPv6 address XXXX:YYYY:ZZZZ::abcd
Look up account with IPv6 subnet XXXX:YYYY:ZZZZ/MM that this source address sits in
Look up rules associated with account
Apply rule to DNS query string
Seriously, it's no more difficult than adding a couple of AND operations for the subnet bitmask when searching for the account.
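As an added illustration (not code from this thread or from OpenDNS), here is that lookup in Python, generalised slightly: it matches a DNS source address against registered IPv4 hosts and IPv6 prefixes of any length using the bitmask AND, picks the longest matching prefix, and treats an IPv4-mapped IPv6 source (::ffff:a.b.c.d) as IPv4. The registrations, account names, rules and domains are constructed sample data.

```python
# Added example (not code from the thread or from OpenDNS): account lookup by
# DNS source address, then rule application. All sample data is constructed.
import ipaddress

# Constructed registrations: (network, account). A single IPv4 address is a /32,
# an ISP-delegated IPv6 block is a /64, and a larger site gets a shorter prefix.
REGISTRATIONS = [
    (ipaddress.ip_network("198.51.100.7/32"), "home-1"),
    (ipaddress.ip_network("2001:db8:1200:806e::/64"), "home-1"),
    (ipaddress.ip_network("2001:db8:ffff::/48"), "school-district"),
]

# Constructed per-account block lists (domain suffix match).
RULES = {
    "home-1": ("example-casino.test",),
    "school-district": ("example-casino.test", "example-social.test"),
}

def normalise(src):
    """Parse the source address; an IPv4-mapped IPv6 source (::ffff:a.b.c.d)
    is really IPv4 traffic, so unwrap it and match it against IPv4 entries."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def find_account(src):
    """Longest-prefix match using the 'AND with the subnet bitmask' check:
    (addr & netmask) == network_address. Host bits (which change with
    temporary addresses) are masked away, so any address in the block matches."""
    addr = normalise(src)
    best = None
    for net, account in REGISTRATIONS:
        if net.version != addr.version:
            continue
        if (int(addr) & int(net.netmask)) == int(net.network_address):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, account)
    return best[1] if best else None

def apply_rules(src, qname):
    """Return 'blocked', 'allowed', or 'unregistered' for a query from src."""
    account = find_account(src)
    if account is None:
        return "unregistered"  # no network registered: resolve unfiltered
    name = qname.rstrip(".").lower()
    for blocked in RULES[account]:
        if name == blocked or name.endswith("." + blocked):
            return "blocked"
    return "allowed"
```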
What's different this time is that the average home user might not be aware whether the IPv6 allocation is a /64, a /128, or something else, whereas it's a good bet that the average home user has just 1 IPv4 address, those with more IPv4 addresses would likely be aware of them. I could see IPv6 issues, just in determining the allocation block size, increasing the support desk workload.
To a certain extent we are just whistling in the dark here.
I only talked about IPv6 address registration as one possible reason for the delay in IPv6 implementation. Short of a message several years ago that amounted to "we're working on it" I have no idea what the status of IPv6 and OpenDNS is, or why it's not yet implemented.
As for registering blocks of addresses rather than discrete addresses, that makes sense to me, but I think when they've done it with IPv4 it's been done manually. I'm not sure how they'd get that information automatically for all OpenDNS users who have IPv6 blocks assigned automatically (and presumably dynamically). The vast majority of home users will have no clue about that, and though the RFCs and related documents specify that an ISP should assign IPv6 addresses in /64 blocks, some will give much less than that, and I wouldn't be surprised if a handful will even try to get away with assigning a single IPv6 address just like they do with IPv4.
All I know for sure is that I want IPv6 support, and I'll bet some users who are getting native IPv6 from their ISP's would be shocked to learn that OpenDNS is no longer protecting them. Or at least no longer protecting them on a consistent basis.
I have read all the comments here in the hope of finding a solution and I agree with everyone that we need to have IPv6 web filter support. I run a large network with 60,000 licenses with 13 school districts and 120 school buildings. We run a dual stack environment but OpenDNS Support tells me to turn off IPv6 if we want to web filter and that they don't support filtering for IPv6.
They did tell me to go to https://support.opendns.com/forums/21322513 and submit a feature request. I went there and realized there were only two other feature requests for IPv6. Mine now makes three.
I ask that all of you reading this will do the same. It sounds like the product managers don't listen to their support team but they do read these submissions. So I ask that instead of posting "+1" in this feed you please add it to the feature request page, as we all need IPv6 support.
@clacknet I tried following the link you posted but got "Access Denied". I'm assuming that it was in an Umbrella forum.
That said, as I've said several times in this and a few other threads, OpenDNS management does not pay attention to "+1's"; the only real things they pay attention to are trouble tickets, idea bank suggestions, and "votes" to agree with an idea that has been submitted. I finally stopped posting it because it seemed that people would rather not do any of those things and just mindlessly post another useless +1. Thank you for confirming my words.
Just adding that I have managed to achieve complete and full web content filtering using OpenDNS on IPv6 by putting Squid as a transparent proxy on my network, for BOTH IPv4 and IPv6 traffic. So even IPv6 clients are forced through it. I have then configured Squid to use the 4 standard IPv4 OpenDNS resolvers, and finally, I've used Linux iptables NAT magic so that any traffic originating from Squid (be that DNS lookups or HTTP requests to other webservers) are mapped to use a specific IPv4 source address on the WAN side of my Linux router (I have 8 public IPv4 addresses to play with), which I've then placed as the single IPv4 "network/location" on my OpenDNS account (along with the configured filtering on the OpenDNS port for it).
Finally, for good measure, I've blocked any attempt to query IPv6 resolvers (icmp-administrator-prohibited) and also used further iptables NAT magic to redirect all IPv4 requests, made to ANY IPv4 address on the internet, to hit the 4 OpenDNS IPv4 servers, in a round robin fashion, using the same IPv4 source address that I have forced upon Squid to use. This has resulted in a complete and full lock down of content filtering, and makes any internet experience completely safe for children.
This has all been achieved on a CentOS 6 router and works brilliantly. So for now, as much as OpenDNS really need to get their act together with regards to IPv6 content filtering, this work around does address everything rather nicely, and I do recommend this solution to anyone who desperately needs web content filtering on a dual stack setup.
This would be a usable workaround to someone who has the right router hardware/software combination, but is probably beyond the experience and comfort level of most people to implement. Full and proper IPv6 support from OpenDNS is still needed.
One question though: are you certain that your internet traffic is going out via IPv6? From the first reference to iptables, where you say that any traffic originating from Squid (including HTTP requests) is mapped to a specific IPv4 address, it sounds as if you are sending all your traffic out via IPv4, and not any via IPv6.
Note, it's also possible to accomplish this via DNSCrypt, which is now available in many of the 3rd party firmwares that can be loaded on many of the consumer grade routers from ASUS, Linksys and others. Some of them make enabling DNSCrypt as easy as 3 or 4 mouse clicks.
@Matt No, Squid can and still does connect to sites over IPv6. However, the key point is that the only name servers it knows about and uses are the 4 OpenDNS IPv4 ones. All IPv4 traffic originating from Squid (DNS requests, in the case of any DNS lookups it makes) uses the specific IPv4 source address of the router which OpenDNS is then aware of for filtering purposes.
@parkamark Ok thanks. I thought that's what you meant, but the way you wrote it I could have read it the other way, i.e. Squid passing all IPv4 and IPv6 traffic along via IPv4. Basically the same result as DNSCrypt, by making sure that the DNS traffic always goes out via IPv4, but the rest of the traffic goes via IPv4 or IPv6. Of course Squid does a lot more than that, and DNSCrypt encrypts the DNS traffic.
::ffff:d043:dedc decodes to 0:0:0:0:0:ffff:22.214.171.124 which is clearly an IPv4 address rather than a globally routable IPv6 address. That's a misleading answer. That's a hack, and really just sends DNS traffic over IPv4. That isn't a solution.
We need to be able to add IPv6 networks in the dashboard, as paying customers, like we do with IPv4!
@wcoile Which OpenDNS products do you use? The vast majority of the people posting in this forum are free OpenDNS Home users and anything that is added to pay products is irrelevant to them. If you are interested only in adding IPv6 support to Umbrella or one of the other pay products I think the closed forums for those products have their own Idea banks.
If squid only replies with IPv4 addresses then the traffic will be over IPv6. It's a filter that effectively means IPv6 is only working behind squid and you're using IPv4 on any queries (though your machines could reply to internet IPv6 if they are published).
Adding my vote to the IPv6 problem. It's been _years_ since I started a similar request which seems to have been replaced by other highly voted requests ... at some point it's kind of got to happen. Both Azure and AWS now support full IPv6 in their respective virtual network stacks, so maybe that last barrier has been removed for you guys (assuming OpenDNS uses a cloud service)?