I failed to set up my router for OpenDNS

Comments

16 comments

  • maintenance

    Do it on the WAN, that's always best. Flush your browser and local resolver caches. Test again. Still not working? What is the output of these commands?

    dig -t txt which.opendns.com

    dig -t txt which.opendns.com 208.67.220.220

  • jedi_tetsu

    OK, I changed the DNS on the WAN. Flushed with sudo killall -HUP mDNSResponder

    cleared browsing data

    restarted.

    Timurs-Mac-mini:~ timur$ dig -t txt which.opendns.com

    ; <<>> DiG 9.7.6-P1 <<>> -t txt which.opendns.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17274
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;which.opendns.com. IN TXT

    ;; ANSWER SECTION:
    which.opendns.com. 0 IN TXT "I am not an OpenDNS resolver."

    ;; Query time: 79 msec
    ;; SERVER: 208.122.23.22#53(208.122.23.22)
    ;; WHEN: Mon Aug 12 23:27:28 2013
    ;; MSG SIZE rcvd: 77

    ---

    Timurs-Mac-mini:~ timur$ dig -t txt which.opendns.com 208.67.220.220

    ; <<>> DiG 9.7.6-P1 <<>> -t txt which.opendns.com 208.67.220.220
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56189
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;which.opendns.com. IN TXT

    ;; ANSWER SECTION:
    which.opendns.com. 0 IN TXT "I am not an OpenDNS resolver."

    ;; Query time: 129 msec
    ;; SERVER: 208.122.23.22#53(208.122.23.22)
    ;; WHEN: Mon Aug 12 23:28:46 2013
    ;; MSG SIZE rcvd: 77

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8962
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;208.67.220.220. IN TXT

    ;; AUTHORITY SECTION:
    . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2013081201 1800 900 604800 86400

    ;; Query time: 80 msec
    ;; SERVER: 208.122.23.22#53(208.122.23.22)
    ;; WHEN: Mon Aug 12 23:28:46 2013
    ;; MSG SIZE rcvd: 107

  • maintenance

    It would seem that you are prevented from using third-party DNS by your ISP.  At least their DNS server doesn't lie about it: 208.122.23.22 : VOXEL-NET.

    You can see if you may opt out of their DNS redirection/proxy. You may also try DNSCrypt - the encrypted lookups should be ignored by their server.

  • jedi_tetsu

    Ah thank you, good to know that.

    That dns # belongs to unblock-us.com :)

    Thank you for your help

    Cheers

    Timur

  • maintenance

    Ah, good. Heard of it, but don't know how that is configured. I assume you know how to adjust.

    I guess the forum software liked your post. :D
  • jedi_tetsu

    Yep, thank you very much for the guidance. 

    :)

    cheers

  • rotblitz

    The second command had a syntax error. The right command you want to use to see if your DNS lookups are redirected is:

    dig -t txt which.opendns.com @208.67.220.220

    Even after you configured the OpenDNS resolver addresses, you're still using this 208.122.23.22. Therefore OpenDNS is used only randomly, if at all. You must remove all other non-OpenDNS resolver addresses. If you need additional OpenDNS resolver addresses to fill all DNS server slots, use 208.67.222.220 and 208.67.220.222.

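The check rotblitz describes, scripted as an added example (this is not code from the thread or from OpenDNS): it runs the which.opendns.com TXT query against the system resolver and each of the four OpenDNS addresses, classifies each answer, and lists any nameserver in /etc/resolv.conf that is not an OpenDNS address, since such an entry lets the OS bypass OpenDNS for some or all queries. Assumptions: dig is installed; the negative answer text is the one shown in the thread ("I am not an OpenDNS resolver."); the positive answer text is assumed to be "I am an OpenDNS resolver."; the file name opendns-check.sh is hypothetical. The live network run only happens when the script is started with --run.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenDNS.
# Runs the which.opendns.com TXT check against the system resolver and each
# OpenDNS address, classifies the answer, and lists nameservers in
# /etc/resolv.conf that are not OpenDNS (those let the OS bypass OpenDNS).
# Assumptions: dig is installed; the negative answer text is the one the
# thread shows ("I am not an OpenDNS resolver."); the positive answer text is
# assumed to be "I am an OpenDNS resolver.".

OPENDNS_RESOLVERS="208.67.222.222 208.67.220.220 208.67.222.220 208.67.220.222"

# classify_dig_output  (dig output on stdin)
# Prints one word: ok | redirected | no-answer | unexpected
classify_dig_output() {
    # Take the answer-section line, e.g.
    #   which.opendns.com. 0 IN TXT "I am not an OpenDNS resolver."
    # The question-section line starts with ';' and is skipped.
    txt=$(awk '$1 !~ /^;/ && $1 ~ /^which\.opendns\.com\.?$/ && $3 == "IN" && $4 == "TXT" {
                   sub(/^[^"]*/, ""); print; exit }')
    if [ -z "$txt" ]; then
        echo no-answer
        return 0
    fi
    case "$txt" in
        *"I am not an OpenDNS resolver"*) echo redirected ;;
        *"I am an OpenDNS resolver"*)     echo ok ;;
        *)                                echo unexpected ;;
    esac
}

# dig_server  (dig output on stdin)
# Prints the address from the ";; SERVER:" line.  That is the address dig
# SENT the query to, not proof of who answered: a transparent proxy must
# reply from that same source address or the client would discard the reply,
# so this field cannot expose redirection; only the TXT payload can.
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# non_opendns_nameservers  (resolv.conf text on stdin)
# Prints every "nameserver" entry that is not an OpenDNS address.  If any are
# present, the OS may send some or all queries there, so OpenDNS is used
# only sometimes, if at all.  (On macOS the authoritative list is
# "scutil --dns", not /etc/resolv.conf.)
non_opendns_nameservers() {
    awk -v list="$OPENDNS_RESOLVERS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        $1 == "nameserver" && !($2 in known) { print $2 }'
}

# Live run (needs network and dig); enabled with: sh opendns-check.sh --run
check_resolvers() {
    out=$(dig -t txt which.opendns.com)
    printf 'system default (%s): %s\n' \
        "$(printf '%s\n' "$out" | dig_server)" "$(printf '%s\n' "$out" | classify_dig_output)"
    for r in $OPENDNS_RESOLVERS; do
        printf '@%s: %s\n' "$r" "$(dig -t txt which.opendns.com "@$r" | classify_dig_output)"
    done
    if [ -r /etc/resolv.conf ]; then
        stray=$(non_opendns_nameservers < /etc/resolv.conf)
        if [ -n "$stray" ]; then
            printf 'non-OpenDNS nameservers in /etc/resolv.conf: %s\n' "$stray"
        fi
    fi
}

if [ "${1:-}" = "--run" ]; then
    check_resolvers
fi
```

If "@208.67.220.220" comes back as "redirected" while the SERVER line still shows 208.67.220.220, that is the pattern from the thread: the reply carries the address you addressed, but the payload proves it was not OpenDNS that produced it.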
  • tonieja

    I also get Oops. Here's my dig output:

    $ dig -t txt which.opendns.com @208.67.220.220

    ; <<>> DiG 9.8.5-P1 <<>> -t txt which.opendns.com @208.67.220.220
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1031
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;which.opendns.com.        IN    TXT

    ;; ANSWER SECTION:
    which.opendns.com.    0    IN    TXT    "I am not an OpenDNS resolver."

    ;; Query time: 334 msec
    ;; SERVER: 208.67.220.220#53(208.67.220.220)
    ;; WHEN: Tue Nov 05 14:53:54 CST 2013
    ;; MSG SIZE  rcvd: 77

    I am connected through a VPN provider. I once got the confirmation page, but it immediately reverted to Oops.

  • rotblitz

    "I am not an OpenDNS resolver."

    Same as with the case above, this VPN provider or your ISP redirects your DNS queries to their own DNS service.  You cannot use OpenDNS this way.

    ";; Query time: 334 msec"

    And the redirection and response time is lousy slow too.  It should happen within a tenth of this time.

  • tonieja

    Thanks for the response. I hope the ISP is not involved, because I am routing all my traffic through the VPN tunnel. The end of the tunnel is in California, but I am on the other side of the globe. I wonder why the VPN provider would care to intercept DNS traffic. How can I tell that this is indeed the case?

    sudo nmap -sS -sV -p53 208.67.222.222
    Password:

    Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-05 21:10 CST
    Nmap scan report for resolver1.opendns.com (208.67.222.222)
    Host is up (0.27s latency).
    PORT   STATE SERVICE VERSION
    53/tcp open  domain

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.67 seconds

  • rotblitz

    "I hope the ISP provider is not involved because I am routing all my traffic through the VPN tunnel."

    This alone can prevent you from using a 3rd party DNS service like OpenDNS, depending on the working method of your VPN.

    "I wonder why would the VPN provider care to intercept DNS traffic."

    They as the remote network owner can configure what they want.  And they do configure what they want, for whatever reason...

    "How to tell that this is indeed the case?"

    You already did with "dig -t txt which.opendns.com @208.67.220.220".

    "53/tcp open  domain"

    Sure, pretty clear that port 53 (UDP and TCP) is open, no matter if an OpenDNS server or another, else you would not have DNS at all.  This doesn't prove anything of this kind.

  • rotblitz

    Btw, you may be able to circumvent this redirection restriction by using the dnscrypt-proxy over port 443 or 5353.

    http://dnscrypt.org/

  • tonieja

    Are you saying that nmap detection is not intercepted, but DNS connection is? Both dig and nmap got response from 208.67.222.222.

    How can I use dnscrypt on a router (EdgeRouter Lite)?
  • rotblitz

    "Are you saying that nmap detection is not intercepted, but DNS connection is?"

    No, I didn't say this.  If the redirecting party sees something on port 53, they redirect it, no matter what.

    "Both dig and nmap got response from 208.67.222.222."

    Yes, a fake response.  They must provide the IP address as source address which was the destination address of your query, else it would not work.  This is how the internet functions.  A "traceroute 208.67.222.222" may show that you are routed to the wrong destination, or even not, depending on how tricky their redirection is.  ICMP is not UDP or TCP and is portless.

    "How can I use dnscrypt on a router (EdgeRouter Lite)?"

    If it is Linux based, you follow the instructions for Linux.
