Comments

129 comments

  • fixxser

    For IPv6 and FamilyShield I tried the
    ::ffff:d043:de7b
    ::ffff:d043:dc7b

    I was having DNS resolve issues using Comcast.
    I tried the web site: http://www.webdnstools.com/dnstools/dns-lookup 

    The above didn't work with the tools, even using every suggested combination.  I am using Ubuntu, and with the above addresses in my network device's network connections, Ubuntu resolved them to

    ::ffff:208.67.222.123 &
    ::ffff:208.67.220.123

    When I entered
    ::ffff:d043:de7b
    ::ffff:d043:dc7b

    So I used
    ::ffff:208.67.222.123 &
    ::ffff:208.67.220.123

    in the tools at the above website and everything looked like it worked (resolved) correctly.

    So now I am testing.  What was happening: for a test I used a bad web site in Ubuntu, then dual-booted to Windows 10, and OpenDNS wasn't in effect.  I am thinking the operating system or link to the Internet is switching between OpenDNS and Comcast DNS, and/or resolving between IPv4 and IPv6 DNS lookups.

    Example of my results using the website with ::ffff:208.67.222.123

    DNS Tool Results

    DNS Traversal

    Action Host Zone
    Starting at L.ROOT-SERVERS.NET [199.7.83.42] .
    Referred to c.in-addr-servers.arpa [196.216.169.10] in-addr.arpa
    Referred to arin.authdns.ripe.net. [193.0.9.10] 208.in-addr.arpa
    Referred to auth3.opendns.com [208.69.39.2] 222.67.208.in-addr.arpa

     

    DNS Results

    auth3.opendns.com [208.69.39.2] says:

     

    Name Type TTL Value
    123.222.67.208.in-addr.arpa PTR 604800 resolver1-fs.opendns.com.
    0
  • rotblitz (Edited)

    Not sure why you use the webdnstools site at all, because it doesn't give you an option to define a DNS service (e.g. OpenDNS) to test against, and it doesn't use the DNS service you have configured locally.  Therefore your test was good for - nothing.

    You must raise your DNS lookups from your end user device with commands like nslookup, dig or host to verify the results.

    For example, if you want to check for "adult" domain blocking, you execute:

    nslookup www.exampleadultsite.com.

    Then you query the returned IP address and should get hit-adult.opendns.com.  And you will see what DNS server and what protocol (IPv4 or IPv6) has been used for the query.

    If you want to test explicitly via IPv6, then you execute:

    nslookup www.exampleadultsite.com. ::ffff:d043:de7b

     

    -1
  • fixxser

    Yes, I was trying that too, nslookup, and not getting useful results.  For example, Comcast servers were listed and not anything pertaining to OpenDNS doing a trace.  One thing I didn't mention was all these configurations were in my router.  I tested my changes yesterday using ::ffff:208.67.222.123 and all looked to be good to my satisfaction.  OpenDNS is listed for a trace and nslookup.  Perhaps it is just with my system and Comcast.  I only offer this other address if all else fails with previous suggestions.

    I noticed in my area, Comcast is using the service ultradns.com.  I have a suspicion they are copying OpenDNS servers and when a client requests OpenDNS for DNS, it brings results from UltraDNS's own database with the OpenDNS list sometimes coming out, but sometimes sends UltraDNS results and not exclusively OpenDNS results.  With all other configurations, my results were hit and miss under Windows.  I suspect it is Comcast doing what it takes for tracking purposes.

    0
  • rotblitz

    "not getting useful results"

    Let's change this.  Copy & paste the complete plain text output of the following diagnostic commands here:

    nslookup -type=txt debug.opendns.com.
    nslookup whoami.akamai.net.
    netsh interface ipv4 show config
    netsh interface ipv6 show dns

    "For example, Comcast servers were listed and not anything pertaining to OpenDNS doing a trace.  One thing I didn't mention was all these configurations were in my router."

    Attach also screen shots which show the OpenDNS address configuration on your router.

    0
  • drn82 (Edited)

    +1 for IPv6 filtering.  IPv6 came out in 2012, that's 5 years ago!

    If Comcast, my ISP, has rolled out IPv6 and you haven't, then you really must be behind the times.  There are few companies worse than them, but I guess you guys want to be one of them.

    I'm canceling due to no IPv6 support.  I'll consider re-enabling my account when you get IPv6 support if I haven't found a better option by then.  But there is no point in paying for filtering that my computers don't use.

    2
  • mattwilson9090

    @drn82 If a "+1" was the extent of your feedback on this then OpenDNS management will not see or care about it. Unless you use the voting buttons at the top of these ideas they will not tabulate it.

    As for your knowledge and statements about IPv6, they are quite wrong and/or misleading.

    IPv6 did not "come out" 5 years ago. IPv6 is a spec that has been with us for more than 20 years, and has been built into most major operating systems for 15 years or so. Despite that, there has been very little momentum towards widespread adoption and use of IPv6. Even the United States Federal Government has ignored statutory requirements to have IPv6 implemented in all of their systems.

    OpenDNS is hardly the only technology company that does not support IPv6 throughout its entire product line. I have encountered very few hardware or software products, especially security products, that partially or fully support IPv6. Rather than being behind the times, their implementation of IPv6 is pretty much on par, and in some ways is even ahead of the industry.

    -2
  • drn82

    @mattwilson9090 I did up vote the idea prior to posting my comment. And I know IPv6 had been in the works for much longer than 5 years, but many people consider the June 20, 2012 IPv6 Launch Day by the Internet Society to be when it came out https://www.google.com/search?q=when+did+ipv6+come+out So I think calling me "wrong and/or misleading" isn't accurate.

    And using the federal government as a standard of speedy rollouts and current technology is ridiculous. The fact is residential ISPs like Comcast have switched to IPv6 and they aren't exactly known for speedy updates. And really it doesn't matter as much what the rest of the industry supports, because if OpenDNS wants to keep customers they need to support the protocols their customers' ISPs are using.

    3
  • tgeorgescu (Edited)

    To be sure, IPv6 filtering with OpenDNS works if you have a public IPv4 address. Your router has to redirect all DNS calls to its own DNS server (i.e. to itself). DD-WRT can do that simply by enabling an option in the GUI.

    See e.g.:

    $ dig purevpn.com AAAA

    ; <<>> DiG 9.11.0-P5 <<>> purevpn.com AAAA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60862
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;purevpn.com. IN AAAA

    ;; ANSWER SECTION:
    purevpn.com. 0 IN AAAA ::ffff:146.112.61.106

    ;; Query time: 56 msec
    ;; SERVER: 192.168.2.1#53(192.168.2.1)
    ;; WHEN: zo aug 20 01:29:15 CEST 2017
    ;; MSG SIZE rcvd: 68

     

    0
  • king_family (Edited)

    Um, that's because you're not using IPv6, you're redirecting to IPv4, which is the exact opposite of what's being requested.

    2
  • tgeorgescu

    Yes, I know what is being meant: full control over OpenDNS options from a purely IPv6 address. That's not available yet. Some people have /64, some /56, some /48 and it would be very difficult to know who has what. What I meant: if you still have one public IPv4 address, you may configure OpenDNS for that address and redirect all DNS calls to the router running on that IPv4 address. So, one may have full OpenDNS control if having at least one public IPv4 address.

    0
  • tgeorgescu

    And, horror of all horrors, some ISPs allocate IPv6 subnets dynamically. I.e. OpenDNS would have to know who has what and when.

    0
  • king_family

    ... how is any of that relevant to a statically registered AAAA record with a static DNS entry? None of those issues are unique to IPv6, including changing subnet masks as ISPs free up IPv4 ranges to sell and convert their internal networks to IPv6.

    1
  • rotblitz

    "how is any of that relevant to a statically registered AAAA record with a static DNS entry?"

    I do not know an ISP assigning this to private households.  I get a /128 assigned to my router and a different /56 prefix for propagating to my end user devices.  And the ISP changes this every 24 hours, same as for IPv4.  And the end user devices make use of IPv6 privacy, i.e. the interface IDs randomly change; SLAAC is not being used for most.

    All such complicated factors would need to be taken into consideration for an OpenDNS IPv6 dashboard solution.  They didn't even deploy something for their Umbrella enterprise services.

    0
  • king_family

    No basic ISP assigns static IPs to any consumer, IPv4, IPv6, or otherwise.  You pay extra for a static and that's been the case for decades.  The ability for OpenDNS to have the current address of your devices can be handled numerous ways, heck the dd-wrt can be configured with scripts to constantly update its public IP list with sites, I've done it when setting up hurricane electric ipv6 tunnels for years now... and it's frankly out of scope of this request.

    I'm talking about nslookup -q=aaaa cisco.com giving me an IPv6 back and not an IPv4, and a blocked site redirect if it's on my black list.  Right now that's impossible, and instead you're saying I should basically configure my router to _only_ reply with IPv4.  That's simply not what's being asked.

    1
  • rotblitz (Edited)

    "Right now that's impossible"

    It is possible with me, why not for you?  If I query e.g. www.internetbadguys.com with whatever address request type (A, AAAA) and I send my DNS queries over the IPv6 equivalents of the IPv4 OpenDNS resolver addresses, it returns the IP addresses for hit-phish.opendns.com in either IPv4 or IPv6 (::ffff:146.112.61.106) notation, depending on the request type A or AAAA.

    "That's simply not what's being asked."

    What is being asked, and who has asked it?  Do we still know after more than 100 comments???

    0
  • wcoile

    Ignore @rotblitz.  He just loves to sow disinformation and confusion on this topic.

    0
  • rotblitz (Edited)

    Ignore people who ask to ignore other people and have nothing to say on the topic.

    0
  • mattwilson9090

    @wcoile Disinformation? How exactly is any of what rotblitz said wrong or misleading? Have you actually tried testing it yourself?

    1
  • jedisct1

    What Rotblitz said works. It always did. See https://00f.net/2015/07/20/ipv6-dns-windows/

     

    The server doesn't do anything different when it receives a query over IPv6 than it does for a query over IPv4. This is exactly the same code, which listens on multiple IP addresses.

     

    0
  • pbbear

    Ignore Rotblitz - he has a history of ignoring the actual problem statement.

    The title of the thread is "IPv6 Web Filtering", not "IPv6 Web Resolving".

    Yes, you can configure an IPv6-ified version of the IPv4 address, and get a name resolved to an IP address. You can even send the DNS request to OpenDNS's real IPv6 addresses, and get back an IPv4 or IPv6 address.

    That's not the problem.

    If you send a DNS request to resolve a name and that request comes in over IPv6, OpenDNS cannot match the source IPv6 address with a user's account and filtering rules, and send back a filtered IP address that points to a block-page if the name is supposed to be blocked, and would be blocked over IPv4. The lookup will instead be resolved every time to the site's actual address.

    This means that a general web user's household, if they are on a dual-stack ISP, has at best a 50:50 chance of having a dodgy site blocked when someone in their house tries to connect to it, depending on whether their router tries to make the DNS lookup using IPv4 (will be blocked) or using IPv6 (will not be blocked, will be resolved to the site's actual address and let through).

    So, if an OpenDNS user actually wants the OpenDNS service to filter dodgy sites consistently, the user has to be clueful enough to explicitly force their router to only make DNS lookups using IPv4 and not IPv6.

    The problem to be solved is Filtering over IPv6. OpenDNS doesn't. And with IPv6 now having been declared a full standard (RFC8200), that is a shortcoming that needs to be fixed, or a bug, depending on how charitable you're feeling.

     

    0
  • rotblitz (Edited)

    "This means that a general web user's household, if they are on a dual-stack ISP, has at best a 50:50 chance of having a dodgy site blocked"

    I have a dual-stack connection and always use my dashboard settings, for every single DNS query.

    "the user has to be clueful enough to explicitly force their router to only make DNS lookups using IPv4 and not IPv6."

    Not the user.  This is what my router automatically does, just by having the initially mentioned IPv6 equivalents configured.

    "The problem to be solved is Filtering over IPv6."

    No problem at all for me.  It works flawlessly.  Here is the proof:

    nslookup www.internetbadguys.com.
    Server:         fd00::ca0e:14ff:fee9:8362
    Address:        fd00::ca0e:14ff:fee9:8362#53

    Non-authoritative answer:
    Name:   www.internetbadguys.com
    Address: 146.112.61.108


    nslookup -type=aaaa www.internetbadguys.com.
    Server:         fd00::ca0e:14ff:fee9:8362
    Address:        fd00::ca0e:14ff:fee9:8362#53

    Non-authoritative answer:
    www.internetbadguys.com has AAAA address ::ffff:146.112.61.108


    nslookup www.pornhub.com.
    Server:         fd00::ca0e:14ff:fee9:8362
    Address:        fd00::ca0e:14ff:fee9:8362#53

    Non-authoritative answer:
    Name:   www.pornhub.com
    Address: 146.112.61.106


    nslookup -type=aaaa www.pornhub.com.
    Server:         fd00::ca0e:14ff:fee9:8362
    Address:        fd00::ca0e:14ff:fee9:8362#53

    Non-authoritative answer:
    www.pornhub.com has AAAA address ::ffff:146.112.61.106

    Full IPv6 with filtering!  Now what?
    I suggest that people ignore pbbear's useless comment.

    0
  • pbbear

    No - that's just filtering using the IPv4 servers using obfuscated IPv4 addresses.

    Change your IPv6 DNS servers to 2620:0:ccc::2 and 2620:0:ccd::2 and see how it works.

    And read OpenDNS's own words on this:
    https://www.opendns.com/about/innovations/ipv6/

    "Note: IPv6 support in the OpenDNS Sandbox is limited to standard recursive DNS initially. Additional functionality, like Web content filtering, malware and botnet protection, phishing protection, and more will be available on different IPs when IPv6 support is added to the OpenDNS Dashboard."

     

     

    0
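The two kinds of resolver address argued over in the comments above, and the nslookup output posted as proof, can be told apart mechanically; note that the `Server:` line only ever names the first hop. This is an added example, not code from any commenter or from OpenDNS: `BLOCK_PAGES` holds only the landing addresses that appear in this thread's output, and the second sample is constructed with a documentation address.

```python
import ipaddress
import re

# Assumption: landing addresses seen as filtered answers in this thread's
# output; not an authoritative OpenDNS list.
BLOCK_PAGES = {ipaddress.ip_address("146.112.61.106"),
               ipaddress.ip_address("146.112.61.108")}

def unmap(text):
    """Parse an address (optional '#port'); unwrap ::ffff:a.b.c.d to IPv4."""
    addr = ipaddress.ip_address(text.split("#")[0].strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped, True
    return addr, False

def resolver_kind(text):
    """Classify a configured or reported DNS server address."""
    addr, mapped = unmap(text)
    if mapped:
        return f"ipv4-mapped ({addr})"   # IPv4 resolver in IPv6 notation
    if addr.is_private:
        return "local-forwarder"         # LAN hop; its upstream is not visible
    return "ipv4" if addr.version == 4 else "ipv6-native"

def parse_nslookup(output):
    """Return (server, [answer addresses]) from Unix-style nslookup output."""
    head, _, tail = output.partition("answer:")
    m = re.search(r"^Server:\s*(\S+)", head, re.M)
    if m is None:
        raise ValueError("no Server line in nslookup output")
    answers = re.findall(r"(?:^Address:\s*|has AAAA address\s+)(\S+)", tail, re.M)
    return m.group(1), answers

def verdict(output):
    """Summarise which hop answered and whether every answer is a block page."""
    server, answers = parse_nslookup(output)
    addrs = [unmap(a)[0] for a in answers]
    return {"resolver": resolver_kind(server),
            "answers": [str(a) for a in addrs],
            "filtered": bool(addrs) and all(a in BLOCK_PAGES for a in addrs)}

# Output as posted in the thread (AAAA query answered via a router address).
THREAD_SAMPLE = """\
Server:         fd00::ca0e:14ff:fee9:8362
Address:        fd00::ca0e:14ff:fee9:8362#53

Non-authoritative answer:
www.internetbadguys.com has AAAA address ::ffff:146.112.61.108
"""
# Constructed sample: hypothetical name and a documentation-range answer.
CONSTRUCTED_SAMPLE = """\
Server:         2620:0:ccc::2
Address:        2620:0:ccc::2#53

Non-authoritative answer:
blocked.example has AAAA address 2001:db8::10
"""

if __name__ == "__main__":
    for a in ("::ffff:d043:de7b", "::ffff:d043:dc7b", "2620:0:ccc::2"):
        print(a, "->", resolver_kind(a))
    print(verdict(THREAD_SAMPLE))
    print(verdict(CONSTRUCTED_SAMPLE))
```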
  • rotblitz

    Yes, this is true for exactly those IP addresses. One does not have to use them for filtering.

    0
  • mattwilson9090

    @pbbear You seem to not understand the concept of a workaround.

    While it's true that OpenDNS does not officially support IPv6 in the same manner as IPv4, there are at least two different methods that will allow an OpenDNS user to use IPv6 while still having full filtering of any of their domains via OpenDNS just as if they were only exclusively using IPv4.

    The one that rotblitz recommends to others is one method, and is most definitely not a 50:50 chance, as borne out by the results he pasted. Why don't you test it yourself, instead of proclaiming he's wrong without understanding what he's actually saying?

    The other method utilizes DNScrypt and is also a workaround.

    Rotblitz has never said that this is the be all and end all of things. He's also stated many times that he'd like to see IPv6 fully supported. Rather than sitting on his hands and whining he's actually sought out, tested, and uses a workaround that allows him (and others) to have IPv6 resolution AND filtering until OpenDNS finally fully supports IPv6.

    1
  • seefilms

    It's 2018! What's the deal with you, OpenDNS? Make this happen!

    0
  • cwsites

    OpenDNS website has been updated here with instructions https://support.opendns.com/hc/en-us/articles/227986667-Does-OpenDNS-support-IPv6- 

    Update your DNS for IPv6 to the following:

    2620:0:ccc::2 
    2620:0:ccd::2

    or the long version

    2620:0:ccc:0:0:0:0:2
    2620:0:ccd:0:0:0:0:2

    0
  • wcoile

    cwsites read the details, that provides no filtering. OpenDNS STILL doesn't do IPv6 filtering (which is the ENTIRE POINT of their IPv4 DNS service). Neither the corporate, nor the small business, nor the family VIP dashboards support IPv6 addresses.  

     

    If you just want fast recursive DNS without filtering, you'd be better off just pointing at Google's awesomely fast DNS servers.

    0
  • cwsites (Edited)

    wcoile all I know is that it wasn’t working for me before I modified my IPv6 DNS and now it is. The filtering is being applied correctly on my internet by using it.

    0
  • dustinv

    I've tried every IPv6 address listed on this thread and none of them have worked with my Google Fiber router. =(

    0
  • rotblitz

    @dustin.vietzke

    Copy & paste the complete plain text output of the following diagnostic commands to here:

    nslookup -type=txt debug.opendns.com.
    nslookup whoami.akamai.net.
    netsh interface ipv4 show config
    netsh interface ipv6 show dns

     

    0