ICSI Netalyzr says "Unable to contact an IPv6 only site" because of OpenDNS
My son ran a network test from http://netalyzr.icsi.berkeley.edu/index.html . It said I had a serious error. Tried to find the option on the OpenDNS Dashboard that they refer to but could not find this particular option. I would like to see what OpenDNS has to say about the complaints they list. 1: Unable to access IPv6-only sites and 2: issues with resolving unresolvable domains and transient failures.
--------------------------
The DNS resolver you are using deliberately manipulates results. This can prove problematic, as you will be unable to contact an IPv6-only site: the DNS resolver is giving incorrect results for a system which has only an IPv6 address. We expected the client to only receive cafe:babe:66:0:0:0:0:1 (an IPv6 address), instead it received the following addresses: 67.215.65.132, cafe:babe:66:0:0:0:0:1.
Your DNS resolver is on Google's IPv6 "whitelist", which means that Google enables IPv6 access to their services for you.
You appear to be using OpenDNS. OpenDNS, by default, deliberately returns addresses even for domain names which should not resolve. Instead of an error, the DNS server returns an address of 67.215.65.132, which resolves to hit-nxdomain.opendns.com. You can inspect the resulting HTML content here.
This is central to OpenDNS's business model. In order to support an otherwise free service, OpenDNS presents the users with advertisements whenever they make a typo in their web browser. You can disable this behavior through the OpenDNS Dashboard.
The big problem with this behavior is that it can potentially break any network application which relies on DNS properly returning an error when a name does not exist.
The following lists your DNS server's behavior in more detail.
- www.{random}.com is mapped to 67.215.65.132.
- www.{random}.org is mapped to 67.215.65.132.
- fubar.{random}.com is mapped to 67.215.65.132.
- www.yahoo.cmo [sic] is mapped to 67.215.65.132.
- nxdomain.{random}.netalyzr.icsi.berkeley.edu is correctly reported as an error.
Another problem with the DNS server is its response to a server failure. Instead of properly returning an error when it cannot contact the DNS authority, the DNS server returns an address of 67.215.66.132. Since transient failures are quite common this can be significantly disruptive, turning a transient failure into a wrong answer without any notification to the application doing the name lookup.
-
"I would like to see what OpenDNS has to say about the complaints they list.
- Unable to access IPv6 only sites and
- issues with resolving unresolvable domains and transient failures."
Not sure what OpenDNS wants to say about this. But here is my comment as a user:
- This is not really true, but related to point 2. Many clients first try to resolve to an IPv4 address (A record), and if this is not successful (NXDOMAIN), another attempt is made to obtain an IPv6 address (AAAA record). Because OpenDNS almost always returns a valid (non-error) result for IPv4 lookups, this attempt for IPv6 is not made at all.
  The culprit is not really OpenDNS, but the client trying IPv4 first instead of IPv6. The solution is to change the priority, to look for the AAAA record first.
- Same as many other ISPs and public DNS services, OpenDNS uses NXDOMAIN redirection by default, i.e. when you query a non-existing or badly DNS-configured domain, it doesn't return an error, but redirects you to a page (called The Guide) showing search results and some ads. This is what the service gets paid for.
  You can disable NXDOMAIN redirection while disabling typo correction under advanced settings at your dashboard, but then you lose content filtering with a free account. If you want both, content filtering and no NXDOMAIN redirection, then you can upgrade to OpenDNS VIP.
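A client-side check for the behaviour discussed in this thread, as an added example that is not part of the original posts and not OpenDNS or Netalyzr code: it resolves random names that should not exist to learn which addresses the resolver substitutes for errors, then discards those addresses from later answers. The `constructed_lookup` resolver and the `.example` host names are constructed for illustration; the two addresses are the ones quoted in the Netalyzr report above.

```python
import secrets
import socket
from collections import Counter

REDIRECT = "67.215.65.132"  # substitute address quoted in the Netalyzr report


def system_lookup(name):
    """Addresses the system resolver returns for name; empty set on any error."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def constructed_lookup(name):
    """Constructed stand-in for a redirecting resolver (host names are made up)."""
    if name == "ipv6-only.example":
        # The mixed answer from the report: substitute address plus the real AAAA.
        return {REDIRECT, "cafe:babe:66:0:0:0:0:1"}
    if name == "real.example":
        return {"192.0.2.10"}
    return {REDIRECT}  # every other name "resolves" instead of failing


def probe_redirect_addresses(lookup, tlds=("com", "org", "net"), per_tld=2):
    """Resolve random names that should not exist; return {address: hit count}."""
    hits = Counter()
    for tld in tlds:
        for _ in range(per_tld):
            hits.update(lookup(f"www.{secrets.token_hex(12)}.{tld}"))
    return dict(hits)


def resolve_strict(name, lookup, redirect_addrs):
    """Resolve name, raising LookupError where an honest resolver would fail."""
    addrs = set(lookup(name)) - set(redirect_addrs)
    if not addrs:
        raise LookupError(f"{name}: no such name (substitute answers discarded)")
    return addrs


if __name__ == "__main__":
    # Offline demo; pass system_lookup instead to test the resolver in use.
    learned = probe_redirect_addresses(constructed_lookup)
    print("substitute addresses:", learned)
    print(resolve_strict("ipv6-only.example", constructed_lookup, learned))
```

An empty result from `probe_redirect_addresses(system_lookup)` means the resolver in use returned errors for all the random names.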