IPv6 Web Filtering
Support for web filtering when using OpenDNS IPv6 addresses.
-
Comcast is now calling people that do not have IPV6 modems in place. My assumption is since they are pressing the issue it will become a bigger need for filtering. I just switched to an IPV6 compliant modem and filtering no longer works. I assume this will be a growing problem for others now too, since Comcast's recording every couple of weeks is what drove me to upgrade my modem.
-
I made a "spelling" mistake by typing quickly in a forum that does not allow me to go back and edit the comments. For that I am sorry. I would happily correct my offending mistake for you if I could. As I am sure you would also, being that you are the one that made a bold declaration out of ignorance and not me.
But I don't want to get in a flame war and distract from the real problem. OpenDNS needs to focus resources on getting IPv6 support in all of their products. OpenDNS provides foundational services for the web that are relied on by millions, and by faltering on the provision of those services in critical places and the current juncture of time could force them to fall out of favor and become irrelevant. And I, as well as many others, do not wish for that to happen.
-
@mattwilson9090 I did up vote the idea prior to posting my comment. And I know IPv6 had been in the works for much longer than 5 years, but many people consider the June 20, 2012 IPv6 Launch Day by the Internet Society to be when it came out https://www.google.com/search?q=when+did+ipv6+come+out So I think calling me "wrong and/or misleading" isn't accurate.
And using the federal government as a standard of speedy rollouts and current technology is ridiculous. The fact is residential ISPs like Comcast have switched to IPv6 and they aren't exactly known for speedy updates. And really it doesn't matter as much what the rest of the industry supports, because if OpenDNS wants to keep customers they need to support the protocols their customers' ISPs are using.
-
Guys I like the ::ffff:d043:dcdc trick, but it is not accepted by my router.
I'm a little disappointed after reading under Innovation that OpenDNS supported IPv6 to find out the content filtering only works with IPv4. I'll go back to my old content filtering methods and DNS, and check back with you in 6 months. Hopefully you will actually support IPv6 then.
PS I'm not disabling my IPv6
cheers :-)
-
+1 for IPV6 filtering. IPV6 came out in 2012, that's 5 years ago!
If Comcast, my ISP, has rolled out IPV6 and you haven't then you really must be behind the times. There are few companies worse than them, but I guess you guys want to be one of them.
I'm canceling due to no IPV6 support. I'll consider re-enabling my account when you get IPV6 support if I haven't found a better option by then. But there is no point in paying for filtering that my computers don't use.
-
Well, not "fully implemented". There is a big caveat on that support page:
"For network identities, both IPv4 and IPv6 IP addresses are supported; however, dynamic IP addresses are only supported for IPv4."
As a regular retail customer unwilling to shell out for a static address, I need dynamic IP support. I realize it gets very complicated over IPv6. The OpenDNS dynamic updater as well is still an IPv4-only tool (I just reinstalled it to check).
I'm a bit confused about this distinction between Umbrella and OpenDNS as well. As I mentioned above, I signed up for OpenDNS years ago, and after the Umbrella migration have been logging into umbrella.com -> umbreella.opendns.com . However, my dashboard is at dashboard.opendns.com and I see nothing suggesting IPv6 support. My "Add Network" dialog looks like this (the IP Address dropdown allows various IPv4 subnets, but no IPv6 alternatives):
-
This was the response I received from support, after creating a ticket.
I should also mention that I use DNSCrypt.
We currently have no estimated time of completion on that project. Please add your idea to the Idea Bank, and encourage other people to vote on it as it will become an increasingly high priority as the world rolls over to IPv6. You can find the Idea Bank here: https://support.opendns.com/forums/21211727-Idea-Bank
-
To quote from http://www.opendns.com/technology/ipv6/
"Note: IPv6 support in the OpenDNS Sandbox is limited to standard recursive DNS initially. Additional functionality, like Web content filtering, malware and botnet protection, phishing protection, and more will be available on different IPs when IPv6 support is added to the OpenDNS Dashboard in the coming months."
-
Alexander,
You are correct. The net effect of my solution is to trick Windows into sending DNS queries to the IPv4 servers.
When I set my DNS settings to:
::ffff:d043:dede
::ffff:d043:dcdc
208.67.222.222
208.67.220.220
Command Prompt shows my DNS servers as:
::ffff:208.67.222.222
::ffff:208.67.220.220
208.67.222.222
208.67.220.220
At the end of the day, my issue is resolved, albeit via a workaround.
Thanks again.
-
I'll put my hand up as also caught by this. I deliberately set my home DNS resolver to forward all queries towards 2620:0:ccc::2 & 2620:0:ccd::2, removing the IPv4 equivalents, to help support the 'new technology' (c'mon guys, IPv6 has been around for 15 years now!) and do my bit driving up the IPv6 traffic charts. Didn't realise that these performed no checks or filtering, and my home network has been open for a month.
This really isn't acceptable in the 21st century - RFC6540 IPv6 Support Required for All IP-Capable Nodes - if it doesn't support both IPv4 and IPv6, it isn't the Internet.
Now I've had to set my resolver back to sending the queries to the IPv4 addresses - perpetuating the myth that nobody is using IPv6. As more and more of the Internet adopts IPv6, and even ARIN has run out of any more IPv4 to allocate, the apathy towards supporting IPv6 means more and more people will be left wide open inadvertently as their ISPs turn on IPv6. Meanwhile, all those behind CGNAT gateways and increasingly IPv6-only ISPs are barred from using this service.
Surely it can't be that hard to allow user to register an IPv6 subnet along with their IPv4 ISP address, and match a user account based on source of the DNS query regardless of which IP version is used?
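An audit of a host's configured DNS servers along the lines of the two comments above, as an added example that is not from the thread or from OpenDNS. It labels each entry using the behaviour reported here: the IPv4 resolvers apply filtering, the IPv6 resolvers only resolve, and a `::ffff:` entry is an IPv4-mapped address that still reaches the IPv4 resolver. The function names, labels and the sample list are assumptions made for the example.

```python
import ipaddress

# Resolver addresses quoted in the thread.
OPENDNS_V4 = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}
OPENDNS_V6 = {ipaddress.ip_address(a) for a in ("2620:0:ccc::2", "2620:0:ccd::2")}

# Constructed sample: a host's DNS server list after an ISP enables IPv6.
# 2001:db8::53 stands in for a resolver pushed by the ISP (documentation range).
SAMPLE_RESOLVERS = ["::ffff:d043:dede", "2620:0:ccc::2", "2001:db8::53", "208.67.220.220"]


def classify_resolver(text):
    """Return (label, effective_address) for one configured DNS server."""
    addr = ipaddress.ip_address(text)
    # ::ffff:a.b.c.d is an IPv4-mapped address: the query still goes out over IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr in OPENDNS_V4:
        return "opendns-ipv4-filtered", addr
    if addr in OPENDNS_V6:
        return "opendns-ipv6-unfiltered", addr
    return "other-resolver", addr


def audit(resolvers):
    """Classify every entry; also list the entries whose queries skip filtering."""
    results = [(r, *classify_resolver(r)) for r in resolvers]
    bypass = [r for r, label, _ in results if label != "opendns-ipv4-filtered"]
    return results, bypass


if __name__ == "__main__":
    results, bypass = audit(SAMPLE_RESOLVERS)
    for entry, label, effective in results:
        print(f"{entry:20} -> {effective} [{label}]")
    print("queries to these entries are not filtered:", bypass)
```

Any single entry in the bypass list is enough for some lookups to go unfiltered, because the operating system is free to use whichever configured resolver answers.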
-
+1
My request to be able to use IPv6 by choice has nothing to do with myths or any belief that I need to resolve DNS queries over IPv6 in order to connect by IPv6. I know this is not true.
I choose where possible to use IPv6 in order to help along the day when IPv4 can die off a slow death and remove NAT from the Internet system. I choose suppliers that support dual-stack IPv6 and IPv4 because those suppliers are helping the Internet ecosystem provide a full service, not just access to the IPv4 half of the Internet. Not supporting IPv6 in this century is like the walled-garden of Compuserve in the previous century - yes it's sorta-kinda online, but it's not the full deal.
I choose to engineer an environment where I can operate, as much as possible, IPv6-only, to learn where the corner cases are that won't work currently, so these holes can be fixed without having to fall back to IPv4.
Right now, and increasingly in the future, there are networks and customers where OpenDNS over IPv4 simply will not work. IPv6-only networks obviously cannot use OpenDNS for site access control at the moment. Customers of the rapidly growing numbers of providers using CGNAT to multiplex tens or hundreds of subscribers onto a single IPv4 address cannot either. Even North America has run out of IPv4 address space to allocate, AsiaPacific, with the five globally fastest growing national userbases have been dealing with IPv4 exhaustion for many years with NAT behind NAT behind NAT - up to seven layers of NAT in India. As even North American ISPs start deploying CGNAT in order to cope with growing subscriber numbers and IoT devices, having a unique IPv4 address for each customer that only changes slowly over weeks or days will become a luxury.
Already, here in Australia (and we started with lots of IPv4 space), each of the mobile 3G/4G cellular networks implements CGNAT to preserve IPv4 addresses for data sessions. Customers that have 'cut the cord' and run their house on cellular data cannot use the OpenDNS service, since each DNS lookup might come from a different source IPv4 address chosen by the CGNAT gateway, and IPv4 lookups from a given IPv4 source address might emanate from any one of tens or hundreds of customer sessions.
So really, I'm thinking mainly of the longevity of OpenDNS and its service. Gradually, globally, the number of subscribers where a single IPv4 address can be used to identify a particular user or network over timescales of days or weeks will shrink. Allowing an OpenDNS subscriber/network to be identified from an IPv6 source address subnet range is simply planning for the future. Encouraging the OpenDNS organisation to set this functionality up is one way of ensuring the service stays relevant and viable.
-
"Their dogmatic support person commenting here is not painting them with a consumer advocate/friendly brush."
The only comment from OpenDNS staff was back on April 17, 2014, 12:05. I do not see why you treat this comment or person as "dogmatic".
OpenDNS supports DNS resolution with our IPv6 resolvers, but not yet content filtering because an IPv4 address cannot be registered to your account. We suggest disabling IPv6 connectivity or ensuring your DNS server is IPv4 only. If you are seeing filtering, it would mean that your DNS requests are being sent via IPv4 to 208.67.220.220 and 208.67.222.222.
If you have any questions or concerns, please don't hesitate to respond to this message.
But you and the other people are really right. It has been time for IPv6 for a while. I've voted for this idea from the beginning already.
From our user perspective it would only be to allow registering an IPv6 address at the dashboard too, so that not only FamilyShield content filtering works, but also customized content filtering.
I guess their problem is the huge engine behind the user interface, with stats and logs and checking against a registered IPv6 address and all this stuff. It sounds easy but may take hard effort and be hardly feasible yet. I'm quite sure there are already plans in the cupboards. OpenDNS was always good for positive surprises in the past.
-
It may be a big project, it might not take much at all. Adding a second field to ask for and store an IPv6 subnet prefix shouldn't be too hard. Searching and Matching an incoming source address against the collection of registered addresses - the logic is already there, although the IPv6 code will need to check a source address against being inside each subnet range, not just against a single address. The reporting & charting needn't change at all.
In any case, a change like this would need to be managed like a project, and a project has an expected end date - a comment from OpenDNS support saying something like "yes, we're aware of it, it's in the queue, planned to be ready for testing by (insert month here)" would go a long way.
In any case, responses like 'use ::ffff:d043:dede', whether from an official rep or some well-meaning but misguided forum user, don't cut it - that's IPv4 displayed a different way, not IPv6.
-
Well, my ISP finally enabled IPv6 this last Friday (November 29, 2015), and immediately OpenDNS Updater told me I'm not using OpenDNS.
I am using OpenDNS for both IPv6 and IPv4, but the OpenDNS Updater doesn't seem to know about the IPv6 sandbox. I also ran the test filtering sites and they didn't get blocked.
OpenDNS used to be a leader on this in that it got the IPv6 sandbox up so early, but it seems the world (or at least my ISP) is finally catching up. If OpenDNS wants to remain a leader, they need to get full support for this implemented soon.
-
It has been said many times in many threads that if you want OpenDNS to work consistently and reliably you *must* disable IPv6 internet traffic. The easiest way to do that is to disable IPv6 on your router. It's good that your ISP is offering IPv6 now, but if you intend to use OpenDNS with your IPv6 you won't be able to take advantage of the new offering.
The Updater doesn't know anything about the IPv6 Sandbox, nor does it know about the IPv4 OpenDNS DNS server addresses. Its only function is to update your IPv4 address registration against your OpenDNS network *if* you have a dynamic IPv4 address. It has no other purpose and has no other function.
OpenDNS is still a leader in the DNS field, including offering IPv6 DNS services. Across the entire technology field, especially internet security, just about every company and service provider is being extremely slow to fully support IPv6 just like they do with IPv4. I have no idea why that is, but it's not like OpenDNS is the only company that isn't making a comprehensive IPv6 product.
That said, did you follow my advice in the preceding post? Namely to vote that you like this topic and to open a support ticket asking about IPv6 status? I was advised to do so a long while ago by an OpenDNS support employee when I made my own inquiries about IPv6 support. They seem to be the only metrics that management is tracking regarding this and other issues, but at least you wrote something instead of just being lazy and typing +1.
-
I see pbbear already explained my problem in detail, with the slight difference that he addresses CGNAT for mobile data users instead of CGNAT for home broadband.
I encourage OpenDNS to add native IPv6 support for web content filtering (and applying any other user defined preferences).
-
There are so many other support threads and community threads where the problem is a variant of "OpenDNS is not working for me" and the resolution ends up being "you are using IPv6 without knowing - turn off IPv6 and all is well" that surely there is a message there - increasingly people are getting and using IPv6 by default, as they should expect to in this century, and OpenDNS should filter identically, whether people are using IPv4, or IPv6, or both at the same time. Turning off IPv6 is not an acceptable resolution.
-
Yeah - they need to get their act together on IPv6. I'm a corporate user and Web Filtering doesn't work for us either on IPv6. Funny - we purchased Umbrella because we wanted a cloud solution to secure web traffic on Laptops when they're off the corporate network - like at home on Comcast or Verizon. But now because new modems from Comcast & Verizon are IPv6 capable, machines attached to them (wifi or wired) are getting IPv6 IP and DNS settings automatically when connected. That means the Umbrella client will no longer provide any web filter functions as it does when machines are connected on the IPv4 Corporate LAN back in the office. So our options are to wait for Open DNS to fix this, or start looking at other options from BlueCoat, zScaler, and Websense. Come on OpenDNS - support IPv6 and IPv4 in the Roaming Client...!!!
-
Yes, to support IPv6 OpenDNS will need to allow the customer to register the full /64 address block they'll be allocated by the ISP, just like the single IPv4 they are allocated now.
In my case:
IPv4 : 220.239.110.56
IPv6 : 2001:4830:1200:806E/64
Yes, every device will have a different address, and most devices will have multiple addresses and change addresses frequently - but all the public source addresses that OpenDNS sees will be from within the assigned address block.
This doesn't make the algorithm any harder - it goes from:
Receive DNS request from IPv4 address X.X.X.X
Look up account associated with IPv4 address X.X.X.X
Lookup rules associated with account
Apply rule to DNS query string
to
Receive DNS request from IPv6 address XXXX:YYYY:ZZZZ::abcd
Lookup account with IPv6 subnet XXXX:YYYY:ZZZZ/MM that this source address sits in
Lookup rules associated with account
Apply rule to DNS query string
Seriously, it's no more difficult than adding a couple of AND operations for the subnet bitmask when searching for the account.
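The lookup proposed in the comment above, written out as an added example; it is not OpenDNS code and not from the thread. `NetworkRegistry`, the account names and the documentation-range addresses are all assumptions made for the example. It goes one step past the comment by letting prefixes of different lengths coexist (longest match wins) and by folding IPv4-mapped source addresses back to IPv4.

```python
import ipaddress


class NetworkRegistry:
    """Maps a DNS query's source address to the account that registered it."""

    def __init__(self):
        # (ip version, prefix length) -> {network address as int: account id}
        self._tables = {}

    def register(self, account, cidr):
        # strict=True rejects a prefix that has host bits set (a likely typo).
        net = ipaddress.ip_network(cidr, strict=True)
        table = self._tables.setdefault((net.version, net.prefixlen), {})
        table[int(net.network_address)] = account

    def lookup(self, source):
        addr = ipaddress.ip_address(source)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # dual-stack sockets report IPv4 peers this way
        bits = addr.max_prefixlen
        # Longest prefix first, so the more specific registration wins.
        for version, plen in sorted(self._tables, key=lambda k: -k[1]):
            if version != addr.version:
                continue
            # The "couple of AND operations": mask off the host part.
            mask = ((1 << plen) - 1) << (bits - plen)
            account = self._tables[(version, plen)].get(int(addr) & mask)
            if account is not None:
                return account
        return None  # unregistered source: the caller applies its default policy


def demo_registry():
    """Constructed registrations using documentation address ranges."""
    reg = NetworkRegistry()
    reg.register("acct-home", "203.0.113.7/32")           # today's single IPv4 address
    reg.register("acct-home", "2001:db8:1200:806e::/64")  # the ISP-assigned /64
    reg.register("acct-office", "2001:db8:1200::/48")     # a wider, overlapping prefix
    return reg


if __name__ == "__main__":
    reg = demo_registry()
    for src in ("203.0.113.7", "2001:db8:1200:806e:a1b2:c3d4:e5f6:1",
                "2001:db8:1200:1::5", "::ffff:203.0.113.7", "2001:db8:ffff::1"):
        print(f"{src:40} -> {reg.lookup(src)}")
```

Because devices rotate their addresses inside the /64, the registration has to be the prefix; a host address registered alone would stop matching as soon as the device picks a new one.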