IPv6 Web Filtering
Support for web filtering when using OpenDNS IPv6 addresses.
-
"how is any of that relevant to a statically registered AAAA record with a static DNS entry?"
I do not know an ISP assigning this to private households. I get a /128 assigned to my router and a different /56 prefix for propagating to my end user devices. And the ISP changes this every 24 hours, same as for IPv4. And the end user devices make use of IPv6 privacy, i.e. the interface IDs randomly change; SLAAC is not being used for most.
All such complicated factors would need to be taken into consideration for an OpenDNS IPv6 dashboard solution. They didn't even deploy something for their Umbrella enterprise services.
-
"Right now that's impossible"
It is possible with me, why not for you? If I query e.g. www.internetbadguys.com with whatever address request type (A, AAAA) and I send my DNS queries over the IPv6 equivalents of the IPv4 OpenDNS resolver addresses, it returns the IP addresses for hit-phish.opendns.com in either IPv4 or IPv6 (::ffff:146.112.61.106) notation, depending on the request type A or AAAA.
"That's simply not what's being asked."
What is being asked, and who has asked it? Do we still know after more than 100 comments???
-
What Rotbliz said works. It always did. See https://00f.net/2015/07/20/ipv6-dns-windows/
The server doesn't do anything different when it receives a query over IPv6 than it does for a query over IPv4. This is exactly the same code, that listens to multiple IP addresses.
-
"This means that a general web user's household, if they are on a dual-stack ISP, has at best a 50:50 chance of having a dodgy site blocked"
I have a dual-stack connection and always use my dashboard settings, for every single DNS query.
"the user has to be cluefull enough to explicitly force their router to only make DNS lookups using IPv4 and not IPv6."
Not the user. This is what my router automatically does, just by having the initially mentioned IPv6 equivalents configured.
"The problem to be solved is Filtering over IPv6."
No problem at all for me. It works flawlessly. Here is the proof:
nslookup www.internetbadguys.com.
Server: fd00::ca0e:14ff:fee9:8362
Address: fd00::ca0e:14ff:fee9:8362#53
Non-authoritative answer:
Name: www.internetbadguys.com
Address: 146.112.61.108
nslookup -type=aaaa www.internetbadguys.com.
Server: fd00::ca0e:14ff:fee9:8362
Address: fd00::ca0e:14ff:fee9:8362#53
Non-authoritative answer:
www.internetbadguys.com has AAAA address ::ffff:146.112.61.108
nslookup www.pornhub.com.
Server: fd00::ca0e:14ff:fee9:8362
Address: fd00::ca0e:14ff:fee9:8362#53
Non-authoritative answer:
Name: www.pornhub.com
Address: 146.112.61.106
nslookup -type=aaaa www.pornhub.com.
Server: fd00::ca0e:14ff:fee9:8362
Address: fd00::ca0e:14ff:fee9:8362#53
Non-authoritative answer:
www.pornhub.com has AAAA address ::ffff:146.112.61.106
Full IPv6 with filtering! Now what?
I suggest that people ignore pbbear's useless comment.
-
No - that's just filtering using the IPv4 servers using obfuscated IPv4 addresses.
Change your IPv6 DNS servers to 2620:0:ccc::2 and 2620:0:ccd::2 and see how it works.
And read OpenDNS's own words on this:
https://www.opendns.com/about/innovations/ipv6/
"Note: IPv6 support in the OpenDNS Sandbox is limited to standard recursive DNS initially. Additional functionality, like Web content filtering, malware and botnet protection, phishing protection, and more will be available on different IPs when IPv6 support is added to the OpenDNS Dashboard."
-
OpenDNS website has been updated here with instructions https://support.opendns.com/hc/en-us/articles/227986667-Does-OpenDNS-support-IPv6-
Update your DNS for IPv6 to the following:
2620:0:ccc::2
2620:0:ccd::2
or the long version
2620:0:ccc:0:0:0:0:2
2620:0:ccd:0:0:0:0:2
-
cwsites read the details, that provides no filtering. OpenDNS STILL doesn't do IPv6 filtering (which is the ENTIRE POINT of their IPv4 DNS service). Neither the corporate, nor the small business, nor the family VIP dashboards support IPv6 addresses.
If you just want fast recursive DNS without filtering, you'd be better off just pointing at Google's awesomely fast DNS servers.
-
Copy & paste the complete plain text output of the following diagnostic commands to here:
nslookup -type=txt debug.opendns.com.
nslookup whoami.akamai.net.
netsh interface ipv4 show config
netsh interface ipv6 show dns
-
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\>nslookup -type=txt debug.opendns.com.
Server: UnKnown
Address: 2605:a601:8015:700::1
*** UnKnown can't find debug.opendns.com.: Non-existent domain
C:\>nslookup whoami.akamai.net.
Server: UnKnown
Address: 2605:a601:8015:700::1
Non-authoritative answer:
Name: whoami.akamai.net
Address: 74.125.42.132
C:\>netsh interface ipv4 show config
Configuration for interface "Local Area Connection"
DHCP enabled: Yes
InterfaceMetric: 5
DNS servers configured through DHCP: 192.168.1.254
Register with which suffix: Primary only
WINS servers configured through DHCP: None
Configuration for interface "Wireless Network Connection"
DHCP enabled: Yes
IP Address: 192.168.1.187
Subnet Prefix: 192.168.1.0/24 (mask 255.255.255.0)
Default Gateway: 192.168.1.1
Gateway Metric: 0
InterfaceMetric: 50
DNS servers configured through DHCP: 208.67.222.123
208.67.220.123
Register with which suffix: Primary only
WINS servers configured through DHCP: 192.168.1.1
Configuration for interface "Ethernet"
DHCP enabled: Yes
InterfaceMetric: 55
DNS servers configured through DHCP: None
Register with which suffix: Primary only
WINS servers configured through DHCP: None
Configuration for interface "Bluetooth Network Connection"
DHCP enabled: Yes
InterfaceMetric: 65
DNS servers configured through DHCP: None
Register with which suffix: Primary only
WINS servers configured through DHCP: None
Configuration for interface "Loopback Pseudo-Interface 1"
DHCP enabled: No
IP Address: 127.0.0.1
Subnet Prefix: 127.0.0.0/8 (mask 255.0.0.0)
InterfaceMetric: 75
Statically Configured DNS Servers: None
Register with which suffix: Primary only
Statically Configured WINS Servers: None
C:\>netsh interface ipv6 show dns
Configuration for interface "Local Area Connection"
DNS servers configured through DHCP: None
Register with which suffix: Primary only
Configuration for interface "Wireless Network Connection"
DNS servers configured through DHCP: 2605:a601:8015:700::1
Register with which suffix: Primary only
Configuration for interface "Ethernet"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only
Configuration for interface "Bluetooth Network Connection"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only
Configuration for interface "Loopback Pseudo-Interface 1"
Statically Configured DNS Servers: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only
C:\>
-
I updated with those addresses and no change. I think it might be an issue with the Google Fiber routers not using the IPv6 addresses. If I turn off IPv6 driver on my wireless network, it will work since I have the IPv4 addresses listed on the router settings as well. I was hoping to globally have it set on the router for my home, but it looks like IPv6 will have to be done per device =(
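The dual-stack situation in the output above (OpenDNS addresses on IPv4, a router-supplied resolver on IPv6) can be spotted by classifying every configured DNS server. This is an added example, not part of the original posts; the address sets are the ones quoted in this thread, and the category names, function names and the two example interfaces are assumptions made for illustration.

```python
import ipaddress

# Addresses quoted in this thread. The category names are labels for this example.
FILTERING_V4 = {ipaddress.ip_address(a) for a in (
    "208.67.222.222", "208.67.220.220", "208.67.222.220", "208.67.220.222",
    "208.67.222.123", "208.67.220.123")}
SANDBOX_V6 = {ipaddress.ip_address(a) for a in ("2620:0:ccc::2", "2620:0:ccd::2")}


def classify_resolver(text):
    """Return (category, normalised address) for one configured DNS server."""
    addr = ipaddress.ip_address(text.strip().split("%")[0])  # drop zone id (%1)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        v4 = addr.ipv4_mapped  # ::ffff:d043:de7b -> 208.67.222.123
        return ("opendns-v4-mapped" if v4 in FILTERING_V4 else "other-v4-mapped", str(v4))
    if addr in FILTERING_V4:
        return ("opendns-v4", str(addr))
    if addr in SANDBOX_V6:
        return ("opendns-v6-sandbox", str(addr))  # recursive only, per the thread
    return ("other", str(addr))  # router or ISP forwarder: upstream unknown


def resolvers_to_review(interfaces):
    """List (interface, address, category) for servers that are not a
    filtering OpenDNS address, i.e. paths a dual-stack client may use
    to get answers the dashboard settings never touched."""
    findings = []
    for name, servers in interfaces.items():
        for server in servers:
            category, norm = classify_resolver(server)
            if category not in ("opendns-v4", "opendns-v4-mapped"):
                findings.append((name, norm, category))
    return findings


# Constructed input: the wireless interface from the netsh output above, plus
# two hypothetical interfaces using other addresses mentioned in the thread.
SAMPLE = {
    "Wireless Network Connection": [
        "208.67.222.123", "208.67.220.123", "2605:a601:8015:700::1"],
    "example-sandbox": ["2620:0:ccc:0:0:0:0:2"],
    "example-mapped": ["::ffff:d043:de7b"],
}

if __name__ == "__main__":
    for finding in resolvers_to_review(SAMPLE):
        print(finding)
```

An "other" result is not proof of missing filtering: a router address may itself forward to OpenDNS, so it marks a path to test rather than a confirmed bypass.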
-
I'm pretty sure that the "filtering" service was still called OpenDNS when this thread started back in 2013, so I think that's what icekiss69 was referring to. As an old OpenDNS (now Umbrella) customer, I'm also wondering just how long this is going to take. Fortunately I'm able to configure the OpenDNS ipv4 servers directly in my ipv6 modem to access the ipv6 network with Umbrella filtering, but I'd really like to be able to configure (real) ipv6 addresses for my DNS servers.
This seems to be an entirely solvable problem to me. The big change is that instead of filtering based on a single ipv4 address, it needs to be based on the range of addresses assigned to a customer by their ISP. I'd be interested in an update on exactly why this is taking Cisco so long.
-
Just a reminder, there is no such thing as IP6. The proper term is IPv6. You make yourself appear to be a fool if you insist on using the wrong terminology in discussing a technical topic.
Unfortunately you didn't post the whole story, namely that you'd already been in touch with OpenDNS about this, and they asked you to post something to this thread. It would have been very helpful to know the full backstory before I responded.
Given that additional piece of information I have no idea if they are trying to prioritize their development cycles for adding IPv6 to this very niche product first, or if they will add generalized support for their product line and then tweak it for niche products. I could see adding it to LPC first if they want to use that as a testbed, otherwise I'd hope they add it to the generalized products first, as a way of benefiting the most customers at once.
-
You can use DNSCrypt to make filtering work even when using Open DNS over IPv6.
On Windows:
- Follow the instructions here: http://dnscrypt.org/#dnscrypt-windows and here: https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown to download and install the command-line client.
- Install the service like this:
dnscrypt-proxy.exe -R cisco-ipv6 --install --plugin libdcplugin_example_ldns_opendns_set_client_ip.dll,127.0.0.1
Replace 127.0.0.1 with your IPv4 address (not the IPv6 one: this is the IPv4 address, where filtering works)
Change your DNS settings to 127.0.0.1 so that you use dnscrypt. Done! You are now using Open DNS over IPv6 but you keep the filtering rules configured on the IPv4 address.
On Mac, using the DNSCrypt-OSXClient user interface:
- Launch the "Terminal" app
- Type:
echo libdcplugin_example_ldns_opendns_set_client_ip.la,127.0.0.1 > /Library/Application\ Support/DNSCrypt/control/plugin-ip.enabled ; touch /Library/Application\ Support/DNSCrypt/control/plugins.enabled
Replacing 127.0.0.1 with your IPv4 address.
- Now you can select Open DNS over IPv6 in the preference pane or the menubar, and filtering will still work.
-
Are you saying you tried with the FamilyShield IPv6 addresses as of above:
::ffff:d043:de7b
::ffff:d043:dc7b
and it still does not work? Then post complete plain text output of the following diagnostic commands here, from the device you're having problems with:
nslookup -type=txt debug.opendns.com.
nslookup -type=txt debug.opendns.com. [::ffff:d043:de7b]
nslookup www.exampleadultsite.com.
nslookup www.exampleadultsite.com. [::ffff:d043:de7b]
-
"I'm currently pointing to the publicly listed IPv6 DNS servers from opendns.com: 2620:0:ccc::2 & 2620:0:ccd::2"
These are simple Sandbox IPv6 resolvers, without any filtering.
I see, you are advice persistent and do not want help if not from OpenDNS staff, so I give up and refrain from further trying to help you.
No matter, OpenDNS FamilyShield works also over IPv6, as confirmed also by jedisct1, so really no need to request it here as you did.
-
I should pick up something from above again: https://00f.net/2015/07/20/ipv6-dns-windows/
OpenDNS filtering works even if you have IPv6 connectivity. It always did.
What is described there, would require the DNS resolver addresses to be entered as follows:
::ffff:208.67.222.222
::ffff:208.67.220.220
::ffff:208.67.222.220
::ffff:208.67.220.222
As I did not have the opportunity to test this in an IPv6 supported network, I cannot confirm if this works or not. Someone having an IPv6 network may confirm.
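One way to run that confirmation is to look up a test domain through the resolver under test and check whether the answer is a block-page address, unwrapping the `::ffff:` form that AAAA answers use. This is an added example, not part of the original post; the block-page addresses and sample outputs are taken from the nslookup output quoted earlier in this thread, and the function names are assumptions.

```python
import ipaddress
import re

# Block-page addresses that appear in the nslookup output quoted in this thread.
BLOCK_PAGE_V4 = {ipaddress.ip_address("146.112.61.106"),
                 ipaddress.ip_address("146.112.61.108")}


def answer_addresses(nslookup_text):
    """Extract answer addresses from nslookup output (A and AAAA layouts)."""
    answers, in_answer = [], False
    for line in nslookup_text.splitlines():
        line = line.strip()
        if line.lower().startswith("non-authoritative answer"):
            in_answer = True  # lines before this describe the resolver itself
            continue
        match = re.search(r"(?:Address(?:es)?:|has AAAA address)\s*(\S+)$", line)
        if in_answer and match:
            try:
                answers.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                pass  # not an IP literal, ignore
    return answers


def as_ipv4(addr):
    """Unwrap ::ffff:a.b.c.d to a.b.c.d; leave other addresses unchanged."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked(nslookup_text):
    """True when there is at least one answer and every answer is a block page."""
    answers = [as_ipv4(a) for a in answer_addresses(nslookup_text)]
    return bool(answers) and all(a in BLOCK_PAGE_V4 for a in answers)


# Samples constructed from output posted in this thread.
RESOLVER = "Server: fd00::ca0e:14ff:fee9:8362\nAddress: fd00::ca0e:14ff:fee9:8362#53\n"
A_SAMPLE = RESOLVER + ("Non-authoritative answer:\nName: www.internetbadguys.com\n"
                       "Address: 146.112.61.108\n")
AAAA_SAMPLE = RESOLVER + ("Non-authoritative answer:\nwww.internetbadguys.com "
                          "has AAAA address ::ffff:146.112.61.108\n")
CLEAN_SAMPLE = ("Server: UnKnown\nAddress: 2605:a601:8015:700::1\n"
                "Non-authoritative answer:\nName: whoami.akamai.net\n"
                "Address: 74.125.42.132\n")

if __name__ == "__main__":
    for label, text in (("A", A_SAMPLE), ("AAAA", AAAA_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, is_blocked(text))
```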
-
What's different this time is that the average home user might not be aware whether the IPv6 allocation is a /64, a /128, or something else, whereas it's a good bet that the average home user has just 1 IPv4 address, those with more IPv4 addresses would likely be aware of them. I could see IPv6 issues, just in determining the allocation block size, increasing the support desk workload.