Comments

129 comments

  • rchauncey

    You're missing the point by reposting that link. It's not that resolvers don't work over IPv6, it's that filtering doesn't work. The question of whether or not it makes sense to use v6 over v4 (or whether one blogger's opinion matters at all) is beside the point. We should be able to use either protocol to reach DNS. If OpenDNS resolvers don't filter, why not just use Google's or your ISP's?

    The value add that OpenDNS provides is additional protection against bad actors out there. We all know we can use IPv4, but we should be able to use IPv6. It's lovely that they provide that service to their corporate clients, but we'd like it available for consumer-grade services. Hence the thread. 

  • ziptx

    ++1 to pbbear's comment.   This IP game is starting to get dicey.   OpenDNS used to lead in the DNS space, not sure what is happening in their ranks but this whole issue is not leadership and innovation.   I wish marketing would get involved here too.   Their dogmatic support person commenting here is not painting them with a consumer advocate/friendly brush.

  • mattwilson9090

    OpenDNS does not seem to respond to "+1"s buried in threads in their forums. Meaning they don't pay attention to them. Frankly, neither would I.

    What they do seem to pay attention to are people clicking to vote in favor of ideas in the Idea Bank (I just checked and realized I hadn't yet, which surprised me, so went ahead and voted for this).

    They also pay attention to Support tickets. So as I've said in this and other threads open up a support ticket asking about IPv6 status and availability.

    Presumably they pay more attention to these two things because they drive metrics that management tracks and pays attention to. So use both these metrics to your advantage and vote and ask.

    I don't really know why it has taken OpenDNS (or so much else of the industry) to roll out this kind of support for IPv6. It could be a technical issue, it could be some sort of internal politics, or it could be something else I can't even begin to think of, but the way to apply pressure is to do both of those things that OpenDNS is actively asking for. Feedback of any other sort isn't going to have the same impact (or pressure).


    I too want to see this fully supported, and while there are gimmicks and work arounds that I've seen, I'm not convinced that any of them will do the key job of *filtering* IPv6 requests like we have with IPv4, though all of them should be capable of resolving DNS requests that come in via IPv6. Of course we already have that with the OpenDNS IPv6 sandbox addresses, so why bother with a workaround when we've got those now?

  • rotblitz

    @khlkhliup
    Did you work through the tips provided by jedisct1 above?  He said content filtering and stats would work also with IPv6.  I don't have a chance to prove this now, because I'm not on IPv6.  I may be from next year on when I'll be moving to another ISP.

  • khlkhliup

    @rotblitz, yes I tested this but filtering didn't work (that's why I shared my experience). The reason why filtering with DS-lite through IPv4 doesn't work is that DS-lite is some form of carrier grade NAT; so multiple users share the same IPv4 address. Maybe setting that IPv4 address in the dashboard as "your" IPv4 address would work but I think customization of the filtering on a per user basis wouldn't work with many users sharing the same IPv4 address.

    I was able to 'roll back' my connection to IPv4 by calling the helpdesk for now (and I had to provide a valid reason for requesting native IPv4) but in the future there will be a moment that native IPv4 for home broadband connections is no longer supported, I guess.

  • mattwilson9090

    @thranduil


    I do agree that OpenDNS needs to support IPv6 in the same manner as IPv4. I know that they are working on it, but I do not know what their technical, business, or legal reasons are for not being ready to deploy it.

    It's not like OpenDNS is the only security company that is not supporting, or not fully supporting, IPv6. Of the existing cloud based providers like OpenDNS, I'm not aware of any other that is supporting IPv6. Of the ones that use some sort of appliance, or locally installed "server", they may be supporting IPv6, but that is a completely different solution from a cloud based solution like OpenDNS.

    I do hate to say it, but your company didn't do its due diligence in a security product that they purchased if they didn't know going in that IPv6 isn't yet supported. That's one of the questions I always ask when evaluating a security product.

    If your corporate LAN is IPv4 you could use whatever method you use to manage and configure your devices to disable IPv6, or if the system is capable of it, disable IPv6 when away from that LAN. How you do that would be up to however the network and servers are configured and managed.

    A few questions for you, are you interested only in IPv6 for the roaming client, or do you want it for all of OpenDNS? If you want it only for the Roaming Client you should start a separate thread for that since this thread thus far has been about all of OpenDNS, especially the Home product and any others that are network centric instead of using a roaming client.

    Have you voted to like this thread? Have you opened a support ticket asking about IPv6 support? As has been said in this thread already, it doesn't seem that management pays much attention to these comments when it comes to deciding how much priority to give something. They pay even less attention to comments that are only "+1". The metrics that they really pay attention to are people voting for an idea or support tickets. That's not saying not to post comments, but it's saying comments alone, without a vote or a support ticket, don't do much.


  • khlkhliup

    @rotblitz, please see my comment from December 2, 2015, 04:05 as it answers your question.


    TL;DR: It doesn't work that way.

  • mattwilson9090

    Another conversation in this forum got me to thinking about IPv6 and OpenDNS.

    Bear with me a bit, this might get long.

    The way most people use IPv4 today is with NAT. Regardless of what their perimeter device is, they connect to the internet via some sort of NAT router that has a single public IPv4 address that then gets registered with OpenDNS. Regardless of how your network is configured, such as devices using the router as their DNS server, which then forwards requests, each device configured with the OpenDNS addresses, or something else, all requests sent to OpenDNS appear to come from the same address.

    However, IPv6 does away with this concept of NAT and each device on your network will have its own public IPv6 address. If each device on your network continues to use your router for DNS lookups then things remain basically the same, i.e. that router needs to register a single IPv6 address with OpenDNS and that is the only address OpenDNS will see from your network.

    However this whole situation changes if each device is directly configured with the OpenDNS IPv6 address. *Each* device on the network, potentially even guest devices, will have their own IPv6 address which is used to access OpenDNS. Basically, if you have 10 devices on the network, OpenDNS will see 10 different addresses, which would somehow have to be registered with your OpenDNS network.

    I have no idea if this is the technical hurdle delaying OpenDNS from rolling out full IPv6 support, but I'm pretty sure they need to figure out how to register every IPv6 address from your network, while somehow figuring out that it's a *new* address, rather than just a *different* address from an already known device. There are ways to do it, but it can get very complex and I'm not sure what the answer is.

    I'm not speaking for OpenDNS, I don't know the actual reasons for IPv6 not yet being fully supported, but I am offering this as food for thought.

  • mark12547

    "However this whole situation changes if each device is directly configured with the OpenDNS IPv6 address. *Each* device on the network, potentially even guest devices, will have their own IPv6 address which is used to access OpenDNS. Basically, if you have 10 devices on the network, OpenDNS will see 10 different addresses, which would somehow have to be registered with your OpenDNS network."

    At least when Comcast allocates IPv6 addresses to residential customers with IPv6-capable routers or to their customers using Comcast's "gateways" (combined cable modem / router), it is a /64 block of IPv6 addresses that gets allocated. I don't know if they are still allocating just 1 IPv6 address when it is a computer connected directly to the cable modem, but I know they used to. And of course larger establishments may get a larger block. So that presumably means that if OpenDNS would at some future date allow us to configure for IPv6 addresses and not just IPv4 addresses, the block size would have to be included.

    As far as 10 devices potentially showing up as 10 different IPv6 addresses to OpenDNS, it can actually be more than that. Windows 7, for example, will generate a public IPv6 address and then will immediately generate a temporary public IPv6 address that it will use for communicating on the network (including the Internet). Typically this address will have a preferred lifetime of a day and a valid lifetime of a week, and will generate a new public IPv6 address after the end of that lifetime (or, I suspect, during the next bootup).  So in such a case it may be easier to track the block than individual and frequently changing IPv6 addresses, though I can imagine even that creating a bunch of headaches as many people won't know if they are from an individual IPv6 address, a /64 block, or some other block size of IPv6 addresses.


    I used to use OpenDNS but I ended up dropping it when I started using IPv6, and now the antivirus package I use has its own "Secure DNS" that it uses in preference to whatever DNS server address I set up.

  • rotblitz

    Like today with IPv4 addresses, OpenDNS would certainly also consider allowing the registration of blocks of IPv6 addresses like /64.  This IPv4 feature is and was already available for Umbrella and even for the Home versions on request, so it will definitely be for IPv6.

    "the antivirus package I use has its own "Secure DNS" that it uses in preference to whatever DNS server address I set up."

    Yes, but Avast's concept is totally different from OpenDNS'.  It must run on the local computer.
    https://support.opendns.com/entries/57943894

  • fadedtom

    +1

  • mattwilson9090

    @clacknet I tried following the link you posted but got "Access Denied". I'm assuming that it was in an Umbrella forum.

    That said, I've said several times in this and a few other threads that OpenDNS management does not pay attention to "+1's"; the only real things they pay attention to are trouble tickets, idea bank suggestions, and "votes" to agree with an idea that has been submitted. I finally stopped posting it because it seemed that people would rather not do any of those things and just mindlessly post another useless +1. Thank you for confirming my words.

  • clacknet

    @mattwilson9090  Sorry about the link.  It was supposed to open the feature request page. 

  • mattwilson9090

    No problem. I don't remember a feature request page for OpenDNS Home, only this Idea Bank, so I'm guessing the feature request page you're referring to is in an Umbrella forum, only open to Umbrella Partners and customers.

  • wrtdns

    Another vote for making this available on IPv6.

  • mattwilson9090

    Make sure you vote by clicking on the vote window at the top of the thread. "Voting" by adding a comment in this thread will basically be ignored by OpenDNS management for these purposes. The only things they really pay attention to are actual votes and trouble tickets.

  • wrtdns

    Thank you. Yes I clicked up top and then posted, just in case such was the case. Appreciate you letting me know.

  • parkamark

    Just adding that I have managed to achieve complete and full web content filtering using OpenDNS on IPv6 by putting Squid as a transparent proxy on my network, for BOTH IPv4 and IPv6 traffic. So even IPv6 clients are forced through it. I have then configured Squid to use the 4 standard IPv4 OpenDNS resolvers, and finally, I've used Linux iptables NAT magic so that any traffic originating from Squid (be that DNS lookups or HTTP requests to other webservers) are mapped to use a specific IPv4 source address on the WAN side of my Linux router (I have 8 public IPv4 addresses to play with), which I've then placed as the single IPv4 "network/location" on my OpenDNS account (along with the configured filtering on the OpenDNS port for it).

    Finally, for good measure, I've blocked any attempt to query IPv6 resolvers (icmp-administrator-prohibited) and also used further iptables NAT magic to redirect all IPv4 requests, made to ANY IPv4 address on the internet, to hit the 4 OpenDNS IPv4 servers, in a round robin fashion, using the same IPv4 source address that I have forced upon Squid to use. This has resulted in a complete and full lock down of content filtering, and makes any internet experience completely safe for children.

    This has all been achieved on a CentOS 6 router and works brilliantly. So for now, as much as OpenDNS really need to get their act together with regards to IPv6 content filtering, this work around does address everything rather nicely, and I do recommend this solution to anyone who desperately needs web content filtering on a dual stack setup.
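    The router-side rule set for the setup described in this post, written here as an added example and not parkamark's own configuration. The interface names (eth0/eth1), the registered public address 198.51.100.10 (a documentation-range placeholder), the Squid port 3128 and the Squid user name are assumptions to replace for a real router, and the IPv6 REDIRECT into Squid assumes a kernel with IPv6 NAT (3.7 or newer), which is not something the post states about its CentOS 6 box. By default the script only prints the rules so it can be reviewed offline; APPLY=1 runs them as root.

```shell
#!/bin/sh
# Added example, not the poster's router config. Placeholders, to be replaced:
LAN_IF="${LAN_IF:-eth1}"              # inside interface
WAN_IF="${WAN_IF:-eth0}"              # outside interface
REG_IP="${REG_IP:-198.51.100.10}"     # public IPv4 registered as the OpenDNS "network"
SQUID_PORT="${SQUID_PORT:-3128}"      # Squid intercept port; Squid assumed to run as user "squid"
OPENDNS="208.67.222.222 208.67.220.220 208.67.222.220 208.67.220.222"

# DNAT every LAN DNS query ($1 = udp|tcp), whatever resolver the client asked
# for, to one of the four OpenDNS addresses. The statistic "nth" match runs
# with divisors 4, 3, 2: a packet that matches a rule leaves the chain, so each
# later rule only sees the remainder, and the last rule (no match) takes what
# is left. That gives an even four-way round robin.
emit_dnat_rules() {
  proto=$1
  every=4
  for ns in $OPENDNS; do
    if [ "$every" -gt 1 ]; then
      echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -m statistic --mode nth --every $every --packet 0 -j DNAT --to-destination $ns:53"
    else
      echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j DNAT --to-destination $ns:53"
    fi
    every=$((every - 1))
  done
}

emit_rules() {
  # Transparent proxy: LAN web traffic on both stacks lands in Squid. The IPv6
  # REDIRECT needs a kernel with IPv6 NAT support (assumption).
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
  echo "ip6tables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
  emit_dnat_rules udp
  emit_dnat_rules tcp
  # Redirected queries, and Squid's own lookups and fetches, leave the WAN side
  # with the registered source address, so OpenDNS can attribute them.
  for ns in $OPENDNS; do
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -d $ns -j SNAT --to-source $REG_IP"
  done
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -m owner --uid-owner squid -j SNAT --to-source $REG_IP"
  # No DNS over IPv6 at all, from clients or from the router itself; clients
  # get an administratively prohibited ICMPv6 error instead of a timeout.
  for proto in udp tcp; do
    echo "ip6tables -A FORWARD -i $LAN_IF -p $proto --dport 53 -j REJECT --reject-with icmp6-adm-prohibited"
    echo "ip6tables -A OUTPUT -p $proto --dport 53 -j REJECT --reject-with icmp6-adm-prohibited"
  done
}

# Number of generated rules containing a pattern; used to sanity-check the set.
count_rules() {
  emit_rules | grep -c -- "$1"
}

# Print the rules (default) or execute them as root when APPLY=1.
apply_rules() {
  emit_rules | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = "1" ]; then eval "$cmd"; else echo "$cmd"; fi
  done
}

apply_rules
```

    The DNAT rules are what makes the lock-down hold: a client that hard-codes some other resolver, over IPv4, still ends up at OpenDNS, and a client that tries an IPv6 resolver is refused outright rather than left to time out.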

  • mattwilson9090

    This would be a usable workaround to someone who has the right router hardware/software combination, but is probably beyond the experience and comfort level of most people to implement. Full and proper IPv6 support from OpenDNS is still needed.

    One question though, are you certain that your internet traffic is going out via IPv6? From the first reference to iptables where you say that any traffic originating from Squid (including HTTP requests) is mapped to a specific IPv4 address, it sounds as if you are sending all your traffic out via IPv4, and none via IPv6.

    Note, it's also possible to accomplish this via DNSCrypt, which is now available in many of the 3rd party firmwares that can be loaded on many of the consumer grade routers from ASUS, Linksys and others. Some of them make enabling DNSCrypt as easy as 3 or 4 mouse clicks.

  • parkamark

    @Matt No, Squid can and still does connect to sites over IPv6. However, the key point is that the only name servers it knows about and uses are the 4 OpenDNS IPv4 ones. All IPv4 traffic originating from Squid (DNS requests, in the case of any DNS lookups it makes) uses the specific IPv4 source address of the router which OpenDNS is then aware of for filtering purposes.

  • mattwilson9090

    @parkamark Ok thanks. I thought that's what you meant, but the way you wrote it I could have read it the other way, i.e. Squid passing all IPv4 and IPv6 traffic along via IPv4. Basically the same result as DNSCrypt by making sure that the DNS traffic always goes out via IPv4, but the rest of the traffic goes via IPv4 or IPv6. Of course Squid does a lot more than that, and DNSCrypt encrypts the DNS traffic.

  • mattwilson9090

    @wcoile Which OpenDNS products do you use? The vast majority of the people posting in this forum are free OpenDNS Home users and anything that is added to pay products is irrelevant to them. If you are interested only in adding IPv6 support to Umbrella or one of the other pay products I think the closed forums for those products have their own Idea banks.

  • king_family

    If squid only replies with IPv4 addresses then the traffic will be over IPv6.  It's a filter that effectively means IPv6 is only working behind squid and you're using IPv4 on any queries (though your machines could reply to internet IPv6 if they are published).

    Adding my vote to the IPv6 problem.  It's been _years_ since I started a similar request which seems to have been replaced by other highly voted requests ... at some point it's kind of got to happen.  Both Azure and AWS now support full IPv6 in their respective virtual network stacks so maybe that last barrier has been removed for you guys (assuming OpenDNS uses a cloud service)?

  • fixxser

    For IPv6 and FamilyShield I tried the
    ::ffff:d043:de7b
    ::ffff:d043:dc7b

    I was having DNS resolve issues using comcast
    I tried the web site: http://www.webdnstools.com/dnstools/dns-lookup 

    The above didn't work with the tools, using every suggested combination.  I am using Ubuntu and, using the above addresses in my network device's network connections, Ubuntu resolved them to

    ::ffff:208.67.222.123 &
    ::ffff:208.67.220.123

    When I entered
    ::ffff:d043:de7b
    ::ffff:d043:dc7b

    So I used
    ::ffff:208.67.222.123 &
    ::ffff:208.67.220.123

    in the tools at the above website and everything looked like it worked (resolved) correctly.

    So now I am testing.  What was happening: for a test I used a bad web site in Ubuntu, then dual booted to Windows 10, and OpenDNS wasn't in effect.  I am thinking the operating system or link to the Internet is switching between OpenDNS and Comcast DNS, and/or resolving between IPv4 and IPv6 DNS lookups.

    Example of my results using the website with ::ffff:208.67.222.123

    DNS Tool Results

    DNS Traversal

    Action Host Zone
    Starting at L.ROOT-SERVERS.NET [199.7.83.42] .
    Referred to c.in-addr-servers.arpa [196.216.169.10] in-addr.arpa
    Referred to arin.authdns.ripe.net. [193.0.9.10] 208.in-addr.arpa
    Referred to auth3.opendns.com [208.69.39.2] 222.67.208.in-addr.arpa

    DNS Results

    auth3.opendns.com [208.69.39.2] says:

    Name Type TTL Value
    123.222.67.208.in-addr.arpa PTR 604800 resolver1-fs.opendns.com.
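    Two things in this thread are easy to get wrong by eye: the two spellings of the FamilyShield addresses in this post (::ffff:d043:de7b and ::ffff:208.67.222.123 are the same IPv4-mapped IPv6 address), and mark12547's point earlier that a resolver would have to recognise a delegated block such as a /64 rather than every rotating host address behind it. The following is an added example written for this page, not the poster's or OpenDNS's code; the registration table and client addresses are constructed from the documentation ranges (2001:db8::/32, 198.51.100.0/24) and are assumptions, not real data.

```python
import ipaddress
from typing import Dict, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed registration table (documentation-range placeholders, not real
# OpenDNS data). The IPv6 side registers delegated blocks (a /64 for a home
# router, a /56 for a site) rather than host addresses, because hosts derive
# their own, often temporary, addresses inside the block.
REGISTERED_V6: Dict[ipaddress.IPv6Network, str] = {
    ipaddress.IPv6Network("2001:db8:abcd:1::/64"): "home-lan",
    ipaddress.IPv6Network("2001:db8:beef::/56"): "small-office",
}
REGISTERED_V4: Dict[ipaddress.IPv4Address, str] = {
    ipaddress.IPv4Address("198.51.100.10"): "home-lan",
}


def normalize(addr: str) -> Address:
    """Return the address a resolver should match registrations against.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, or the same last 32 bits
    written in hex as ::ffff:xxxx:xxxx) are unwrapped to the embedded IPv4
    address, so both spellings compare equal and hit the IPv4 table.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def lookup_network(addr: str) -> Optional[str]:
    """Find which registration a query's source address belongs to.

    IPv4 (including mapped) addresses need an exact entry. IPv6 addresses are
    matched against the registered blocks, longest prefix first, so a /64
    registered inside a registered /56 would win over the larger block.
    """
    ip = normalize(addr)
    if isinstance(ip, ipaddress.IPv4Address):
        return REGISTERED_V4.get(ip)
    matches = [net for net in REGISTERED_V6 if ip in net]
    if not matches:
        return None
    return REGISTERED_V6[max(matches, key=lambda n: n.prefixlen)]


def same_block(a: str, b: str, prefixlen: int = 64) -> bool:
    """True if two IPv6 host addresses share the same delegated prefix.

    A stable address and the temporary addresses later derived in the same
    /64 all fall in one block, which is why tracking the block is simpler
    than tracking each rotating host address.
    """
    block = ipaddress.IPv6Network((ipaddress.IPv6Address(a), prefixlen), strict=False)
    return ipaddress.IPv6Address(b) in block


if __name__ == "__main__":
    # Constructed sample client addresses, one per case of interest.
    for sample in ("::ffff:d043:de7b", "::ffff:208.67.220.123",
                   "2001:db8:abcd:1:3c2e:9a1f:7b5d:1e2a", "2001:db8:ffff::1"):
        print(sample, "->", normalize(sample), lookup_network(sample))
```

    A hex-form mapped address and its dotted-quad form normalise to the same IPv4 address, which is why a tool that prints the dotted form is not rewriting anything; and two host addresses that differ only in the low 64 bits resolve to the same registered block.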
  • fixxser

    Yes, I was trying that too, nslookup, and not getting useful results.  For example, Comcast servers were listed and not anything pertaining to OpenDNS when doing a trace.  One thing I didn't mention was that all these configurations were in my router.  I tested my changes yesterday using ::ffff:208.67.222.123 and all looked to be good to my satisfaction.  OpenDNS is listed for a trace and nslookup.  Perhaps it is just with my system and Comcast.  I only offer this other address if all else fails with previous suggestions.

    I noticed in my area, Comcast is using the service ultradns.com.  I have a suspicion they are copying OpenDNS servers and when a client requests OpenDNS for DNS, it brings results from UltraDNS's own database, with the OpenDNS list sometimes coming out, but sometimes it sends UltraDNS results and not exclusively OpenDNS results.  With all other configurations, my results were hit and miss under Windows.  I suspect it is Comcast doing what it takes for tracking purposes.

  • rotblitz

    "not getting useful results"

    Let's change this.  Copy & paste the complete plain text output of the following diagnostic commands here:

    nslookup -type=txt debug.opendns.com.
    nslookup whoami.akamai.net.
    netsh interface ipv4 show config
    netsh interface ipv6 show dns

    "For example, comcast servers was listed and not anything pertaining to opendns doing a trace.  One thing I didn't mention was all these configures was in my router."

    Attach also screen shots which show the OpenDNS address configuration on your router.

  • tgeorgescu

    To be sure, IPv6 filtering with OpenDNS works if you have a public IPv4 address. Your router has to redirect all DNS calls to its own DNS server (i.e. to itself). DD-WRT can do that simply by enabling an option in the GUI.

    See e.g.:

    $ dig purevpn.com AAAA

    ; <<>> DiG 9.11.0-P5 <<>> purevpn.com AAAA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60862
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;purevpn.com. IN AAAA

    ;; ANSWER SECTION:
    purevpn.com. 0 IN AAAA ::ffff:146.112.61.106

    ;; Query time: 56 msec
    ;; SERVER: 192.168.2.1#53(192.168.2.1)
    ;; WHEN: zo aug 20 01:29:15 CEST 2017
    ;; MSG SIZE rcvd: 68

  • tgeorgescu

    Yes, I know what is meant: full control over OpenDNS options from a purely IPv6 address. That's not available yet. Some people have /64, some /56, some /48 and it would be very difficult to know who has what. What I meant: if you still have one public IPv4 address, you may configure OpenDNS for that address and redirect all DNS calls to the router running on that IPv4 address. So, one may have full OpenDNS control if having at least one public IPv4 address.

  • tgeorgescu

    And, horror of all horrors, some ISPs allocate IPv6 subnets dynamically. I.e. OpenDNS would have to know who has what and when.
