Comments

129 comments

  • rotblitz

    "how is any of that relevant to a statically registered AAAA record with a static DNS entry?"

    I do not know an ISP assigning this to private households.  I get a /128 assigned to my router and a different /56 prefix for propagating to my end user devices.  And the ISP changes this every 24 hours, same as for IPv4.  And the end user devices make use of IPv6 privacy, i.e. the interface IDs randomly change; SLAAC is not being used for most.

    All such complicated factors would need to be taken into consideration for an OpenDNS IPv6 dashboard solution.  They didn't even deploy something for their Umbrella enterprise services.

    0
  • rotblitz (Edited)

    "Right now that's impossible"

    It is possible with me, why not for you?  If I query e.g. www.internetbadguys.com with whatever address request type (A, AAAA) and I send my DNS queries over the IPv6 equivalents of the IPv4 OpenDNS resolver addresses, it returns the IP addresses for hit-phish.opendns.com in either IPv4 or IPv6 (::ffff:146.112.61.106) notation, depending on the request type A or AAAA.

    "That's simply not what's being asked."

    What is being asked, and who has asked it?  Do we still know after more than 100 comments???

    0
  • wcoile

    Ignore @rotblitz.  He just loves to sow disinformation and confusion on this topic.

    0
  • rotblitz (Edited)

    Ignore people who ask to ignore other people and have nothing to say on the topic.

    0
  • jedisct1

    What rotblitz said works. It always did. See https://00f.net/2015/07/20/ipv6-dns-windows/

    The server doesn't do anything different when it receives a query over IPv6 than it does for a query over IPv4. This is exactly the same code, which listens on multiple IP addresses.

     

    0
  • rotblitz (Edited)

    "This means that a general web user's household, if they are on a dual-stack ISP, has at best a 50:50 chance of having a dodgy site blocked"

    I have a dual-stack connection and always use my dashboard settings, for every single DNS query.

    "the user has to be cluefull enough to explicitly force their router to only make DNS lookups using IPv4 and not IPv6."

    Not the user.  This is what my router automatically does, just by having the initially mentioned IPv6 equivalents configured.

    "The problem to be solved is Filtering over IPv6."

    No problem at all for me.  It works flawlessly.  Here is the proof:

    nslookup www.internetbadguys.com.
    Server:         fd00::ca0e:14ff:fee9:8362
    Address:        fd00::ca0e:14ff:fee9:8362#53

    Non-authoritative answer:
    Name:   www.internetbadguys.com
    Address: 146.112.61.108


    nslookup -type=aaaa www.internetbadguys.com.
    Server:         fd00::ca0e:14ff:fee9:8362
    Address:        fd00::ca0e:14ff:fee9:8362#53

    Non-authoritative answer:
    www.internetbadguys.com has AAAA address ::ffff:146.112.61.108


    nslookup www.pornhub.com.
    Server:         fd00::ca0e:14ff:fee9:8362
    Address:        fd00::ca0e:14ff:fee9:8362#53

    Non-authoritative answer:
    Name:   www.pornhub.com
    Address: 146.112.61.106


    nslookup -type=aaaa www.pornhub.com.
    Server:         fd00::ca0e:14ff:fee9:8362
    Address:        fd00::ca0e:14ff:fee9:8362#53

    Non-authoritative answer:
    www.pornhub.com has AAAA address ::ffff:146.112.61.106

    Full IPv6 with filtering!  Now what?
    I suggest that people ignore pbbear's useless comment.

    0
  • pbbear

    No - that's just filtering using the IPv4 servers using obfuscated IPv4 addresses.

    Change your IPv6 DNS servers to 2620:0:ccc::2 and 2620:0:ccd::2 and see how it works.

    And read OpenDNS's own words on this:
    https://www.opendns.com/about/innovations/ipv6/

    "Note: IPv6 support in the OpenDNS Sandbox is limited to standard recursive DNS initially. Additional functionality, like Web content filtering, malware and botnet protection, phishing protection, and more will be available on different IPs when IPv6 support is added to the OpenDNS Dashboard."

     

     

    0
  • rotblitz

    Yes, this is true for exactly those IP addresses. One does not have to use them for filtering.

    0
  • seefilms

    It's 2018! What's the deal with you, OpenDNS? Make this happen!

    0
  • Permanently deleted user

    OpenDNS website has been updated here with instructions https://support.opendns.com/hc/en-us/articles/227986667-Does-OpenDNS-support-IPv6- 

    Update your DNS for IPv6 to the following:

    2620:0:ccc::2 
    2620:0:ccd::2

    or the long version

    2620:0:ccc:0:0:0:0:2
    2620:0:ccd:0:0:0:0:2

    0
  • wcoile

    cwsites read the details, that provides no filtering. OpenDNS STILL doesn't do IPv6 filtering (which is the ENTIRE POINT of their IPv4 DNS service). Neither the corporate, nor the small business, nor the family VIP dashboards support IPv6 addresses.  

     

    If you just want fast recursive DNS without filtering, you'd be better off just pointing at Google's awesomely fast DNS servers.

    0
  • Permanently deleted user (Edited)

    wcoile all I know is that it wasn’t working for me before I modified my IPv6 DNS and now it is. The filtering is being applied correctly on my internet by using it.

    0
  • dustinv

    I've tried every IPv6 address listed on this thread and none of them have worked with my Google Fiber router. =(

    0
  • rotblitz

    @dustin.vietzke

    Copy & paste the complete plain text output of the following diagnostic commands to here:

    nslookup -type=txt debug.opendns.com.
    nslookup whoami.akamai.net.
    netsh interface ipv4 show config
    netsh interface ipv6 show dns

     

    0
  • dustinv

    Microsoft Windows [Version 10.0.17134.228]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\>nslookup -type=txt debug.opendns.com.
    Server: UnKnown
    Address: 2605:a601:8015:700::1

    *** UnKnown can't find debug.opendns.com.: Non-existent domain

    C:\>nslookup whoami.akamai.net.
    Server: UnKnown
    Address: 2605:a601:8015:700::1

    Non-authoritative answer:
    Name: whoami.akamai.net
    Address: 74.125.42.132


    C:\>netsh interface ipv4 show config

    Configuration for interface "Local Area Connection"
    DHCP enabled: Yes
    InterfaceMetric: 5
    DNS servers configured through DHCP: 192.168.1.254
    Register with which suffix: Primary only
    WINS servers configured through DHCP: None

    Configuration for interface "Wireless Network Connection"
    DHCP enabled: Yes
    IP Address: 192.168.1.187
    Subnet Prefix: 192.168.1.0/24 (mask 255.255.255.0)
    Default Gateway: 192.168.1.1
    Gateway Metric: 0
    InterfaceMetric: 50
    DNS servers configured through DHCP: 208.67.222.123
    208.67.220.123
    Register with which suffix: Primary only
    WINS servers configured through DHCP: 192.168.1.1

    Configuration for interface "Ethernet"
    DHCP enabled: Yes
    InterfaceMetric: 55
    DNS servers configured through DHCP: None
    Register with which suffix: Primary only
    WINS servers configured through DHCP: None

    Configuration for interface "Bluetooth Network Connection"
    DHCP enabled: Yes
    InterfaceMetric: 65
    DNS servers configured through DHCP: None
    Register with which suffix: Primary only
    WINS servers configured through DHCP: None

    Configuration for interface "Loopback Pseudo-Interface 1"
    DHCP enabled: No
    IP Address: 127.0.0.1
    Subnet Prefix: 127.0.0.0/8 (mask 255.0.0.0)
    InterfaceMetric: 75
    Statically Configured DNS Servers: None
    Register with which suffix: Primary only
    Statically Configured WINS Servers: None


    C:\>netsh interface ipv6 show dns

    Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP: None
    Register with which suffix: Primary only

    Configuration for interface "Wireless Network Connection"
    DNS servers configured through DHCP: 2605:a601:8015:700::1
    Register with which suffix: Primary only

    Configuration for interface "Ethernet"
    DNS servers configured through DHCP: fec0:0:0:ffff::1%1
    fec0:0:0:ffff::2%1
    fec0:0:0:ffff::3%1
    Register with which suffix: Primary only

    Configuration for interface "Bluetooth Network Connection"
    DNS servers configured through DHCP: fec0:0:0:ffff::1%1
    fec0:0:0:ffff::2%1
    fec0:0:0:ffff::3%1
    Register with which suffix: Primary only

    Configuration for interface "Loopback Pseudo-Interface 1"
    Statically Configured DNS Servers: fec0:0:0:ffff::1%1
    fec0:0:0:ffff::2%1
    fec0:0:0:ffff::3%1
    Register with which suffix: Primary only


    C:\>

    0
  • dustinv

    I updated with those addresses and no change. I think it might be an issue with the Google Fiber routers not using the IPv6 addresses. If I turn off IPv6 driver on my wireless network, it will work since I have the IPv4 addresses listed on the router settings as well. I was hoping to globally have it set on the router for my home, but it looks like IPv6 will have to be done per device =(

    0
  • sheamuspatt

    I'm pretty sure that the "filtering" service was still called OpenDNS when this thread started back in 2013, so I think that's what icekiss69 was referring to. As an old OpenDNS (now Umbrella) customer, I'm also wondering just how long this is going to take. Fortunately I'm able to configure the OpenDNS ipv4 servers directly in my ipv6 modem to access the ipv6 network with Umbrella filtering, but I'd really like to be able to configure (real) ipv6 addresses for my DNS servers.

    This seems to be an entirely solvable problem to me. The big change is that instead of filtering based on a single ipv4 address, it needs to be based on the range of addresses assigned to a customer by their ISP. I'd be interested in an update on exactly why this is taking Cisco so long.

    0
  • rotblitz

    Yes, we know that.

    -1
  • rotblitz

    But we were not talking about the sandbox resolver addresses 2620:0:ccc::2 and 2620:0:ccd::2 but about the normal OpenDNS resolver addresses in IPv6 notation. Didn't see that?

    -1
  • rotblitz

    The long versions of the FamilyShield addresses are:

    0000:0000:0000:0000:0000:ffff:d043:de7b
    0000:0000:0000:0000:0000:ffff:d043:dc7b

    Double-colon means all zeroes.

    -1
  • mattwilson9090

    Just a reminder, there is no such thing as IP6. The proper term is IPv6. You make yourself appear to be a fool if you insist on using the wrong terminology in discussing a technical topic.

    Unfortunately you didn't post the whole story, namely that you'd already been in touch with OpenDNS about this, and they asked you to post something to this thread. It would have been very helpful to know the full backstory before I responded.

     

    Given that additional piece of information I have no idea if they are trying to prioritize their development cycles for adding IPv6 to this very niche product first, or if they will add generalized support for their product line and then tweak it for niche products. I could see adding it to LPC first if they want to use that as a testbed, otherwise I'd hope they add it to the generalized products first, as a way of benefiting the most customers at once.

    -1
  • jedisct1

    You can use DNSCrypt to make filtering work even when using Open DNS over IPv6.

     

    On Windows:

    - Follow the instructions here: http://dnscrypt.org/#dnscrypt-windows and here: https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown to download and install the command-line client.

    - Install the service like this:

    dnscrypt-proxy.exe -R cisco-ipv6 --install --plugin libdcplugin_example_ldns_opendns_set_client_ip.dll,127.0.0.1

    Replace 127.0.0.1 with your IPv4 address (not the IPv6 one: this is the IPv4 address, where filtering works)

    Change your DNS settings to 127.0.0.1 so that you use dnscrypt. Done! You are now using Open DNS over IPv6 but you keep the filtering rules configured on the IPv4 address.

     

    On Mac, using the DNSCrypt-OSXClient user interface:

    - Launch the "Terminal" app

    - Type: 

    echo libdcplugin_example_ldns_opendns_set_client_ip.la,127.0.0.1 > /Library/Application\ Support/DNSCrypt/control/plugin-ip.enabled ; touch /Library/Application\ Support/DNSCrypt/control/plugins.enabled

    Replacing 127.0.0.1 with your IPv4 address.

    - Now you can select Open DNS over IPv6 in the preference pane or the menubar, and filtering will still work.

    -1
  • jedisct1

    It already works. It always did.

    -1
  • rotblitz

    Are you saying you tried with the FamilyShield IPv6 addresses as of above:

        ::ffff:d043:de7b
        ::ffff:d043:dc7b

    and it still does not work?  Then post complete plain text output of the following diagnostic commands here, from the device you're having problems with:

       nslookup -type=txt debug.opendns.com.

       nslookup -type=txt debug.opendns.com.  [::ffff:d043:de7b]

       nslookup www.exampleadultsite.com.

       nslookup www.exampleadultsite.com.  [::ffff:d043:de7b]

    -1
  • rotblitz

    "I'm currently pointing to the publicly listed IPv6 DNS servers from opendns.com: 2620:0:ccc::2 2620:0:ccd::2"

    These are simple Sandbox IPv6 resolvers, without any filtering.

    I see, you are advice persistent and do not want help if not from OpenDNS staff, so I give up and refrain from further trying to help you.
    No matter, OpenDNS FamilyShield works also over IPv6, as confirmed also by jedisct1, so really no need to request it here as you did.

    -1
  • rotblitz

    I should pick up something from above again: https://00f.net/2015/07/20/ipv6-dns-windows/

       OpenDNS filtering works even if you have IPv6 connectivity. It always did. 

    What is described there would require the DNS resolver addresses to be entered as follows:

       ::ffff:208.67.222.222
       ::ffff:208.67.220.220
       ::ffff:208.67.222.220
       ::ffff:208.67.220.222

    As I did not have the opportunity to test this in an IPv6 supported network, I cannot confirm if this works or not.  Someone having an IPv6 network may confirm.

    -1
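
The address notations used in this thread, as an added example that is not part of any poster's comment: it derives the dotted, short and long IPv4-mapped spellings of a resolver address and classifies configured DNS servers such as those in the netsh output posted earlier. The function names and verdict labels are assumptions; which resolvers filter is taken from the posters' statements.

```python
import ipaddress

# Resolver addresses quoted in the thread (IPv4 originals of the mapped forms).
FILTERING_V4 = {ipaddress.IPv4Address(a) for a in (
    "208.67.222.222", "208.67.220.220", "208.67.222.220", "208.67.220.222",
    "208.67.222.123", "208.67.220.123",  # FamilyShield, per the thread
)}
# Sandbox resolvers the thread describes as recursive-only, without filtering.
SANDBOX_V6 = {ipaddress.IPv6Address(a) for a in ("2620:0:ccc::2", "2620:0:ccd::2")}

def mapped_forms(v4):
    """Return (dotted, short hex, long hex) IPv4-mapped IPv6 spellings of v4."""
    n = int(ipaddress.IPv4Address(v4))
    hi, lo = n >> 16, n & 0xFFFF
    return (f"::ffff:{v4}",
            f"::ffff:{hi:x}:{lo:x}",
            "0000:" * 5 + f"ffff:{hi:04x}:{lo:04x}")

def classify(server):
    """Classify one configured DNS server string (labels are hypothetical)."""
    text = server.strip().strip("[]").split("%")[0]  # drop brackets and zone id
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "unparseable"
    prefix = ""
    if addr.version == 6:
        if addr in SANDBOX_V6:
            return "opendns-sandbox-unfiltered"
        if addr.ipv4_mapped is None:
            return "other-ipv6"  # e.g. a router or ISP resolver
        addr, prefix = addr.ipv4_mapped, "mapped-"
    return prefix + ("opendns-filtering" if addr in FILTERING_V4 else "other-ipv4")

# Constructed sample: servers from the netsh output above plus addresses
# other posters suggest entering.
SAMPLE = ["208.67.222.123", "2605:a601:8015:700::1", "::ffff:d043:de7b",
          "[::ffff:208.67.222.222]", "2620:0:ccc::2", "fec0:0:0:ffff::1%1"]

def audit(servers):
    """Map each configured server string to its verdict."""
    return {s: classify(s) for s in servers}

if __name__ == "__main__":
    print(mapped_forms("208.67.222.123"))
    for server, verdict in audit(SAMPLE).items():
        print(f"{server:28} {verdict}")
```
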
  • rotblitz

    Well spotted!

    -1
  • rotblitz

    Not sure why you post this here.  I say it again, this is already the case with IPv4 today.  You can register a static block /NN.  Why should OpenDNS do it differently for IPv6 at all?

    -1
  • mark12547

    What's different this time is that the average home user might not be aware whether the IPv6 allocation is a /64, a /128, or something else, whereas it's a good bet that the average home user has just 1 IPv4 address; those with more IPv4 addresses would likely be aware of them. I could see IPv6 issues, just in determining the allocation block size, increasing the support desk workload.

    -1
  • rotblitz

    The allocation is normally shown on the router's status page, at least on mine.

    -1