Comments

129 comments

  • olidew

    +1 vote for full ipv6 support please.

    6
  • ahahumz

    +1 for IPV6.

    The lack of support for this is causing problems with the Umbrella Roaming Client when on a network that hands out IPv6 addresses - i.e. all new Comcast modems.

    6
  • rchauncey
    +1 for IPv6. I know it's tricky but you should be developing a solution.
    5
  • rich.slack

    Comcast is now calling people that do not have IPV6 modems in place.  My assumption is since they are pressing the issue it will become a bigger need for filtering.  I just switched to an IPV6 compliant modem and filtering no longer works. I assume this will be a growing problem for others now too.  Since Comcast's recording every couple of weeks is what drove me to upgrade my modem.

    3
  • kellerfam

    I made a "spelling" mistake by typing quickly in a forum that does not allow me to go back and edit the comments. For that I am sorry. I would happily correct my offending mistake for you if I could. As I am sure you would also, being that you are the one that made a bold declaration out of ignorance and not me.

    But I don't want to get in a flame war and distract from the real problem. OpenDNS needs to focus resources on getting IPv6 support in all of their products. OpenDNS provides foundational services for the web that are relied on by millions, and by faltering on the provision of those services in critical places and the current juncture of time could force them to fall out of favor and become irrelevant. And I, as well as many others, do not wish for that to happen.

    3
  • drn82

    @mattwilson9090 I did up vote the idea prior to posting my comment. And I know IPv6 had been in the works for much longer than 5 years, but many people consider the June 20, 2012 IPv6 Launch Day by the Internet Society to be when it came out https://www.google.com/search?q=when+did+ipv6+come+out So I think calling me "wrong and/or misleading" isn't accurate.

    And using the federal government as a standard of speedy rollouts and current technology is ridiculous. The fact is residential ISPs like Comcast have switched to IPv6 and they aren't exactly known for speedy updates. And really it doesn't matter as much what the rest of the industry supports, because if OpenDNS wants to keep customers they need to support the protocols their customers' ISPs are using.

    3
  • nhudson7

    Guys I like the ::ffff:d043:dcdc trick, but it is not accepted by my router.

    I'm a little disappointed after reading under Innovation that OpenDNS supported IPv6 to find out the content filtering only works with IPv4. I'll go back to my old content filtering methods and DNS, and check back with you in 6 months. Hopefully you will actually support IPv6 then.

    PS I'm not disabling my IPv6

    cheers :-)

    2
  • drn82 (Edited)

    +1 for IPV6 filtering.  IPV6 came out in 2012, that's 5 years ago!

    If Comcast, my ISP, has rolled out IPV6 and you haven't then you really must be behind the times.  There are few companies worse than them, but I guess you guys want to be one of them.

    I'm canceling due to no IPV6 support.  I'll consider re-enabling my account when you get IPV6 support if I haven't found a better option by then.  But there is no point in paying for filtering that my computers don't use.

    2
  • king_family (Edited)

    Um, that's because you're not using IPv6, you're redirecting to IPv4, which is the exact opposite of what's being requested.

    2
  • j.r.jett1

    This was the response I received from support, after creating a ticket.

    I should also mention that I use DNSCrypt.

    We currently have no estimated time of completion on that project. Please add your idea to the Idea Bank, and encourage other people to vote on it as it will become an increasingly high priority as the world rolls over to IPv6. You can find the Idea Bank here: https://support.opendns.com/forums/21211727-Idea-Bank

    1
  • tarloch

    I'm really surprised this doesn't work...

    1
  • chas4

    To quote from http://www.opendns.com/technology/ipv6/

    "Note: IPv6 support in the OpenDNS Sandbox is limited to standard recursive DNS initially. Additional functionality, like Web content filtering, malware and botnet protection, phishing protection, and more will be available on different IPs when IPv6 support is added to the OpenDNS Dashboard in the coming months."

    1
  • zacharydl

    Alexander,

    You are correct. The net effect of my solution is to trick Windows into sending DNS queries to the IPv4 servers.

    When I set my DNS settings to:

    ::ffff:d043:dede
    ::ffff:d043:dcdc
    208.67.222.222
    208.67.220.220

    Command Prompt shows my DNS servers as:

    ::ffff:208.67.222.222
    ::ffff:208.67.220.220
    208.67.222.222
    208.67.220.220

    At the end of the day, my issue is resolved, albeit via a workaround.

    Thanks again.

    1
  • mattwilson9090

    Open a support ticket asking for IPv6 support in addition to posting here. It draws more attention to the issue. I'm paraphrasing, but that's part of the message I got in correspondence that resulted after I opened a support ticket asking for the status of IPv6 support.

    1
  • Permanently deleted user
    +1 for IPv6 support
    1
  • rsgt
    +100.000.000.000 for IPv6 filtering! I don't want to remain on IPv4 just because I need to protect my kids!
    1
  • jmchowbizzarre
    OpenDNS, you are now a Cisco company. Family Filtering is still not a priority on IPv6? They're working hard to include your filtering in their security products. Come on, get this working please. No excuses!
    1
  • pbbear

    I'll put my hand up as also caught by this. I deliberately set my home DNS resolver to forward all queries towards 2620:0:ccc::2 & 2620:0:ccd::2, removing the IPv4 equivalents, to help support the 'new technology' (c'mon guys, IPv6 has been around for 15 years now!) and do my bit driving up the IPv6 traffic charts. Didn't realise that these performed no checks or filtering, and my home network has been open for a month.

    This really isn't acceptable in the 21st century - RFC6540 IPv6 Support Required for All IP-Capable Nodes - if it doesn't support both IPv4 and IPv6, it isn't the Internet.

    Now I've had to set my resolver back to sending the queries to the IPv4 addresses - perpetuating the myth that nobody is using IPv6. As more and more of the Internet adopts IPv6, and even ARIN has run out of any more IPv4 to allocate, the apathy towards supporting IPv6 means more and more people will be left wide open inadvertently as their ISPs turn on IPv6. Meanwhile, all those behind CGNAT gateways and increasingly IPv6-only ISPs are barred from using this service.

    Surely it can't be that hard to allow a user to register an IPv6 subnet along with their IPv4 ISP address, and match a user account based on source of the DNS query regardless of which IP version is used?

    1
  • pbbear

    +1

    My request to be able to use IPv6 by choice has nothing to do with myths or any belief that I need to resolve DNS queries over IPv6 in order to connect by IPv6. I know this is not true.

    I choose where possible to use IPv6 in order to help along the day when IPv4 can die off a slow death and remove NAT from the Internet system. I choose suppliers that support dual-stack IPv6 and IPv4 because those suppliers are helping the Internet ecosystem provide a full service, not just access to the IPv4 half of the Internet. Not supporting IPv6 in this century is like the walled-garden of Compuserve in the previous century - yes it's sorta-kinda online, but it's not the full deal.

    I choose to engineer an environment where I can operate, as much as possible, IPv6-only, to learn where the corner cases are that won't work currently, so these holes can be fixed without having to fall back to  IPv4.

    Right now, and increasingly in the future, there are networks and customers where OpenDNS over IPv4 simply will not work. IPv6-only networks obviously cannot use OpenDNS for site access control at the moment. Customers of the rapidly growing numbers of providers using CGNAT to multiplex tens or hundreds of subscribers onto a single IPv4 address cannot either. Even North America has run out of IPv4 address space to allocate; Asia-Pacific, with the five globally fastest growing national userbases, has been dealing with IPv4 exhaustion for many years with NAT behind NAT behind NAT - up to seven layers of NAT in India. As even North American ISPs start deploying CGNAT in order to cope with growing subscriber numbers and IoT devices, having a unique IPv4 address for each customer that only changes slowly over weeks or days will become a luxury.

    Already, here in Australia (and we started with lots of IPv4 space), each of the mobile 3G/4G cellular networks implements CGNAT to preserve IPv4 addresses for data sessions. Customers that have 'cut the cord' and run their house on cellular data cannot use the OpenDNS service, since each DNS lookup might come from a different source IPv4 address chosen by the CGNAT gateway, and IPv4 lookups from a given IPv4 source address might emanate from any one of tens or hundreds of customer sessions.

    So really, I'm thinking mainly of the longevity of OpenDNS and its service. Gradually, globally, the number of subscribers where a single IPv4 address can be used to identify a particular user or network over timescales of days or weeks will shrink. Allowing an OpenDNS subscriber/network to be identified from an IPv6 source address subnet range is simply planning for the future. Encouraging the OpenDNS organisation to set this functionality up is one way of ensuring the service stays relevant and viable.

    1
  • rotblitz

    "Their dogmatic support person commenting here is not painting them with a consumer advocate/friendly brush."

    The only comment from OpenDNS staff was back on April 17, 2014, 12:05.  I do not see why you treat this comment or person as "dogmatic".


    OpenDNS supports DNS resolution with our IPv6 resolvers, but not yet content filtering because an IPv4 address cannot be registered to your account. We suggest disabling IPv6 connectivity or ensuring your DNS server is IPv4 only. If you are seeing filtering, it would mean that your DNS requests are being sent via IPv4 to 208.67.220.220 and 208.67.222.222. 

    If you have any questions or concerns, please don't hesitate to respond to this message.


    But you and the other people are really right.  It has been time for IPv6 for a while.  I voted for this idea from the beginning already.
    From our user perspective it would be only to allow registering also an IPv6 address at the dashboard, so that not only FamilyShield content filtering works, but also customized content filtering.

    I guess their problem is the huge engine behind the user interface, with stats and logs and checking against a registered IPv6 address and all this stuff.  It sounds easy but may be hard efforts and hardly feasible yet.  I'm quite sure there are already plans in the cupboards.  OpenDNS was always good for positive surprises in the past.

    1
  • pbbear

    It may be a big project, it might not take much at all. Adding a second field to ask for and store an IPv6 subnet prefix shouldn't be too hard. Searching and Matching an incoming source address against the collection of registered addresses - the logic is already there, although the IPv6 code will need to check a source address against being inside each subnet range, not just against a single address. The reporting & charting needn't change at all.

    In any case, a change like this would need to be managed like a project, and a project has an expected end date - a comment from OpenDNS support saying something like "yes, we're aware of it, it's in the queue, planned to be ready for testing by (insert month here)" would go a long way.

    In any case, responses like 'use ::ffff:d043:dede', whether from an official rep or some well-meaning but misguided forum user, don't cut it - that's IPv4 displayed a different way, not IPv6.

    1
  • smayba

    Well, my ISP finally enabled IPv6 this last Friday (November 29, 2015), and immediately OpenDNS Updater told me I'm not using OpenDNS.

    I am using OpenDNS for both IPv6 and IPv4, but the OpenDNS Updater doesn't seem to know about the IPv6 sandbox.  I also ran the test filtering sites and they didn't get blocked.

    OpenDNS used to be a leader on this in that it got the IPv6 sandbox up so early, but it seems the world (or at least my ISP) is finally catching up.  If OpenDNS wants to remain a leader, they need to get full support for this implemented soon.

    1
  • dirtyharry_28

    When will OpenDNS provide support for IPv6 with regards to content filtering? Isn't IPv6 available since a long time now and getting more popular/used?

    Last comment from an OpenDNS employee is from 2014...sad :(

    1
  • pbbear

    Yes, to support IPv6 OpenDNS will need to allow the customer to register the full /64 address block they'll be allocated by the ISP, just like the single IPv4 they are allocated now.

    In my case:

    IPv4 : 220.239.110.56

    IPv6 : 2001:4830:1200:806E/64

    Yes, every device will have a different address, and most devices will have multiple addresses and change addresses frequently - but all the public source addresses that OpenDNS sees will be from within the assigned address block.

    This doesn't make the algorithm any harder - it goes from:

    Receive DNS request from IPv4 address X.X.X.X

    Look up account associated with IPv4 address X.X.X.X

    Lookup rules associated with account

    Apply rule to DNS query string

    to

    Receive DNS request from IPv6 address XXXX:YYYY:ZZZZ::abcd

    Lookup account with IPv6 subnet XXXX:YYYY:ZZZZ/MM that this source address sits in

    Lookup rules associated with account

    Apply rule to DNS query string

    Seriously, it's no more difficult than adding a couple of AND operations for the subnet bitmask when searching for the account.

    1
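
The lookup sketched in the comment above, generalised to longest-prefix matching so that one table holds both single IPv4 addresses and IPv6 prefixes of any length. This is an added example, not OpenDNS code and not part of the comment; the `AccountTable` class, the `decide` function, the account names, the blocked domains and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress


class AccountTable:
    """Source-network -> account map with longest-prefix matching."""

    def __init__(self):
        # (ip_version, prefix_len) -> {masked network as int: account}
        self._by_len = {}

    def register(self, cidr, account):
        # strict=True rejects prefixes with host bits set, e.g. a device
        # address pasted in place of the delegated block.
        net = ipaddress.ip_network(cidr, strict=True)
        bucket = self._by_len.setdefault((net.version, net.prefixlen), {})
        bucket[int(net.network_address)] = account

    def lookup(self, source):
        addr = ipaddress.ip_address(source)
        # A dual-stack socket reports IPv4 clients as ::ffff:a.b.c.d;
        # treat those as the IPv4 address they really are.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        width, value = addr.max_prefixlen, int(addr)
        lengths = sorted((p for v, p in self._by_len if v == addr.version), reverse=True)
        for plen in lengths:  # most specific registration wins
            mask = ((1 << plen) - 1) << (width - plen)  # the subnet bitmask AND
            account = self._by_len[(addr.version, plen)].get(value & mask)
            if account is not None:
                return account
        return None


def decide(table, blocklists, source, qname):
    """Return 'blocked', 'allowed' or 'unregistered' for one query."""
    account = table.lookup(source)
    if account is None:
        return "unregistered"  # no policy applies: the gap the thread describes
    labels = qname.rstrip(".").lower().split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return "blocked" if suffixes & blocklists.get(account, set()) else "allowed"


def build_sample():
    # Constructed data: documentation prefixes and made-up account names.
    table = AccountTable()
    table.register("203.0.113.56/32", "home")
    table.register("2001:db8:1200:806e::/64", "home")
    table.register("2001:db8:1200::/48", "school")
    blocklists = {"home": {"blocked.example"}, "school": {"games.example"}}
    return table, blocklists


if __name__ == "__main__":
    table, blocklists = build_sample()
    for src in ("2001:db8:1200:806e:a1b2:c3d4:e5f6:1", "2001:db8:1200:1::5",
                "::ffff:203.0.113.56", "2001:db8:ffff::1"):
        print(src, table.lookup(src), decide(table, blocklists, src, "www.blocked.example."))
```

A source that matches no registered network comes back as "unregistered" rather than "allowed", so a caller can tell a query that passed policy from one that never had a policy applied.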
  • mattwilson9090

    To a certain extent we are just whistling in the dark here.

    I only talked about IPv6 address registration as one possible reason for the delay in IPv6 implementation. Short of a message several years ago that amounted to "we're working on it" I have no idea what the status of IPv6 and OpenDNS is, or why it's not yet implemented.

    As for registering blocks of addresses rather than discrete addresses that makes sense to me, but I think when they've done it with IPv4 it's been done manually. I'm not sure how they'd get that information automatically for all OpenDNS users who have IPv6 blocks assigned automatically (and presumably dynamically). The vast majority of home users will have no clue about that, and though the RFCs and related documents specify that an ISP should assign IPv6 addresses in /64 blocks, some will give much less than that, and I wouldn't be surprised if a handful will even try to get away with assigning a single IPv6 address just like they do with IPv4.

    All I know for sure is that I want IPv6 support, and I'll bet some users who are getting native IPv6 from their ISPs would be shocked to learn that OpenDNS is no longer protecting them. Or at least no longer protecting them on a consistent basis.

    1
  • grdn

    +1 for feature parity on IPv6. 

    1
  • clacknet

    I have read all the comments here in hopes to find a solution and I agree with everyone that we need to have IPv6 web filter support.  I run a large network with 60,000 licenses with 13 school districts and 120 school buildings.  We run a dual stack environment but OpenDNS Support tells me to turn off IPv6 if we want to web filter and that they don't support filtering for IPv6.

    They did tell me to go to https://support.opendns.com/forums/21322513 and submit a feature request.  I went there and realized there were only two other feature requests for IPv6.  Mine now makes three.

    I ask that all of you reading this will do the same.  It sounds like the product managers don't listen to their support team but they do read these submissions.  So I ask that instead of  "+1" this feed that you please add it to the feature request page as we all need IPv6 support.

    Thanks

    1
  • wcoile

    ::ffff:d043:dedc decodes to 0:0:0:0:0:ffff:208.67.222.220 which is clearly an IPv4 address rather than a globally routable IPv6 address.  That's a misleading answer.  That's a hack, and really just sends DNS traffic over IPv4.  That isn't a solution.

    We need to be able to add IPv6 networks in the dashboard, as paying customers, like we do with IPv4!

    1
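
The decoding described in the comment above, turned into a check of a configured resolver list for entries that send queries somewhere other than the IPv4 filtering resolvers. This is an added example, not part of any comment and not OpenDNS code; the function names and the two sample lists are assumptions, built only from addresses quoted in this thread.

```python
import ipaddress

# Resolver addresses quoted in the thread.
FILTERING_V4 = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}
SANDBOX_V6 = {ipaddress.ip_address(a) for a in ("2620:0:ccc::2", "2620:0:ccd::2")}


def effective_address(text):
    """Return the address a resolver entry really sends queries to."""
    addr = ipaddress.ip_address(text.strip().split("%", 1)[0])  # drop any zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped  # ::ffff:a.b.c.d is IPv4 in IPv6 notation
    return addr


def classify(text):
    addr = effective_address(text)
    if addr in FILTERING_V4:
        return "ipv4-filtering"
    if addr in SANDBOX_V6:
        return "ipv6-no-filtering"
    return "unknown"


def audit(servers):
    """Per-entry report plus the entries that offer a path around filtering."""
    report = [(s, str(effective_address(s)), classify(s)) for s in servers]
    bypass = [raw for raw, _, kind in report if kind != "ipv4-filtering"]
    return report, bypass


# Constructed configurations built from addresses in the thread.
WORKAROUND = ["::ffff:d043:dede", "::ffff:d043:dcdc", "208.67.222.222", "208.67.220.220"]
DUAL_STACK = ["2620:0:ccc::2", "2620:0:ccd::2", "208.67.222.222"]

if __name__ == "__main__":
    for name, servers in (("workaround", WORKAROUND), ("dual stack", DUAL_STACK)):
        report, bypass = audit(servers)
        for raw, eff, kind in report:
            print(f"{name:11} {raw:18} -> {eff:16} {kind}")
        print(f"{name:11} unfiltered paths: {bypass or 'none'}")
```

Filtering through the IPv4 resolvers still depends on the query's source IPv4 address being registered to an account, which this check does not look at.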
  • king_family

    ... how is any of that relevant to a statically registered AAAA record with a static DNS entry? None of those issues are unique to IPv6, including changing subnet masks as ISPs free up IPv4 ranges to sell and convert their internal networks to IPv6.

    1
  • king_family

    No basic ISP assigns static IPs to any consumer, IPv4, IPv6, or otherwise.  You pay extra for a static and that's been the case for decades.  The ability for OpenDNS to have the current address of your devices can be handled numerous ways, heck the dd-wrt can be configured with scripts to constantly update its public IP list with sites, I've done it when setting up hurricane electric ipv6 tunnels for years now... and it's frankly out of scope of this request.

    I'm talking about nslookup -q=aaaa cisco.com giving me an IPv6 back and not an IPv4, and a blocked site redirect if it's on my black list.  Right now that's impossible, and instead you're saying I should basically configure my router to _only_ reply with IPv4.  That's simply not what's being asked.

    1