Opendns blocking more than phishing/malware by default?

Comments

8 comments

  • Avatar
    rotblitz

    "Today, I noticed that proxy sites are blocked.  Is that a new default setting or is something else wrong?"

    Yes, you did it wrong:

    "uninstalling the opendns updater program"

    That's the problem.  Your current IP address may still be registered with another user's OpenDNS network, so you're using his/her settings now.  If you use the normal OpenDNS resolver addresses, you have to maintain a network at your dashboard (with e.g. nothing blocked) and to run an Updater to keep your IP address information current at OpenDNS, else it might well happen that you might be bound to another user's settings occasionally.

    "I also took off opendns from my router and found I could access the blocked sites but when I put the 'regular/non-family' dns setting (208.67.222.222 etc) the site(s) were blocked again."

    Well, after every OpenDNS related settings change you are to flush your two caches, else you will still be served out of them.
    https://support.opendns.com/entries/23739610-Clearing-the-DNS-Cache-on-Browsers
    https://support.opendns.com/entries/23281284-Clearing-the-DNS-Cache-on-Computers-and-Servers

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    I forget to mention how you can see if your IP address is registered with an OpenDNS network:

    nslookup -type=txt debug.opendns.com. 208.67.220.220

    Look after the "id" field.  It should be zero, else your IP address is registered with the OpenDNS network ID number referenced there.

    0
    Comment actions Permalink
  • Avatar
    aggies

    Bummer.  I switched ISPs and the updater always had a message about a mismatch and never would update.  I ran nslookup and there was an id number in the field so it looks like another user has an account with the IP registered so their settings are getting applied to me. 

    When I was having the mismatch problems with the updater I talked to the ISP and they said it was the way the broadband network is operated and there isn't anything I could do about it.  It looks like my option is to accept the other user's configuration or disable opendns.

    0
    Comment actions Permalink
  • Avatar
    aggies

    I did a bit more digging and here is the problem I am facing:

    in many situations this error occurs when your Internet connection is being sent through a proxy server. Check with your ISP to see if they use proxy servers for DNS or HTTP traffic. Many wireless and satellite broadband providers do use proxy servers. From: http://www.opendns.com/support/article/83

    I don't see a solution so it doesn't look like I can do much about it...

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    "the updater always had a message about a mismatch and never would update."

    This is a clear symtom of your IP address registered with another network or being disabled to be registered at all.

    "they said it was the way the broadband network is operated and there isn't anything I could do about it."

    What a non-sense!  You can switch of and switch on your internet facing device (modem, router) to possibly obtain another IP address which would work.  Also, your best bet is to open a support ticket.  OpenDNS staff can release your current IP address from the other account's network.

    "It looks like my option is to accept the other user's configuration or disable opendns."

    No, your best option is to open a support ticket.

    "I did a bit more digging and here is the problem I am facing:"

    Check the IP address returned at http://myip.dnsomatic.com/ and compare with the output of:
    nslookup myip.opendns.com.

    If the IP addresses are the same, then your "problem" is a non-issue.

     

    0
    Comment actions Permalink
  • Avatar
    aggies

    Thanks for the response.  Looks like I'll have to open up a ticket.  I turned my modem and router off and on and compared the result of the "myip" requests (they were very different addresses).

    0
    Comment actions Permalink
  • Avatar
    aggies

    Ok.  I thought this would be the best place to put up an update (per Chris Frost's request) with the results of the ticket I opened ("My IP address registered with another network or being disabled to be registered at all") and working with the ISP.  I'll try to briefly summarize what was learned so that others in the same situation (ie using a shared IP on a network) may be able to understand the issue and, hopefully figure out a solution.  Here is the copy/paste of the troubleshooting:

    I changed ISPs to a wireless broadband provider a few months ago and started to get "mismatch" errors (see: http://www.opendns.com/support/article/83) on the opendns updater (v2.2.1). I lived with it as the filtering still worked but recently I noticed other sites I've used in the past were blocked which appears to be from another user's settings.

    I turned to the forums (see: https://support.opendns.com/entries/23772610-Opendns-blocking-more-than-phishing-malware-by-default-?page=1#post_21730184) for help and was instructed to try turning off/on my modem and router as well as "Check the IP address returned at http://myip.dnsomatic.com/ and compare with the output of...

    [Snip]

    This problem will only occur when another OpenDNS user does not keep their network settings properly maintained and your Internet Service Provider (ISP) or carrier leases you the improperly maintained network. Notifying us about this issue is the fastest way for us to help you resolve it.

    As such, we have removed the settings on the registered network, and we advise that flush your web browser caches and restart your computer now to fully remove any erroneous content filtering applied to your current network. You can see http://www.opendns.com/support/article/67 for more information...

    [Snip - the above did not work - problem persisted]

    Thank you for the updates. Who is your current ISP?

    Would you please run the following diagnostic tool on one of the computers on the network having issues, enter vpnbook.com in the optional domain field, and copy, paste and send us the URL of the results so that we can have a look:

    Windows Diagnostic Tool

    Mac Diagnostic Tool

    The link required after the test will look like the one found here:

    https://support.opendns.com/entries/21841580...

    [Snip - I provided the output to the support folks who escalated the issue]

    It appears there are potentially several different IP addresses that your DNS lookups are using. I'm seeing three different IP addresses in that diagnostic, which means they may be doing some sort of load balancing for traffic (and more specifically DNS traffic). Have you reached out to them to confirm if they are doing that, and if they can stop it for you?

    Here's the ISP response:

    We use a carrier grade NAT on our residential network, which allows us to use a single public IP address for several connections, however OpdenDNS uses these public IP Addresses as a way to identify your connection. Our recommendation to resolve this issue is to purchase a public IP address for your connection, we charge $5.00/per month for a public address.

    OpenDNS Tech support response:

    ...they must cycle your IPs very quickly, which is good for us to know, since any user with your ISP will have similar issues. The real issue isn't that they change your public internet browsing IP, it's how often they change the address for DNS traffic. From a networking perspective that just sounds like it would break things (badly), and a good way to generate revenue.
    If you are interested in going that route, make sure that applies to all of your traffic.

    [Snip - tried working with the ISP one last time.  Here's the summary]

    ...Thought I would provide a bit more information (I don't think it will change anything, however). Since I put in the request, as predicted, other users with different filtering settings have obtained the shared IP address and at one time had blocked webmail (such as my work email), VPN, and video sites with a very restrictive filter. I've tried to contact them with the "contact your network administrator" form and explain the situation and politely asked that they shift their filtering to "none" so other OpenDNS users on the ISP wouldn't be blocked by their personal filters (also let them know the ISP offers a public IP for $5/month if they wanted to apply their personal filters).

    It seems that either they didn't get the email from the form or the request fell on deaf ears. I contacted the ISP to see if anything else could be done and it seems that there isn't anything they can do:

    "In researching this issue it appears that other users on our network are using OpenDNS and causing this issue, because we have no way of knowing who and how many are using OpenDNS our best suggestion is to add a public IP to you account...."

    ...[My conclusion:] It looks like I'm going to have to stop using OpenDNS for now so that I can get on to the necessary websites. I don't feel like paying $5/month as I think those that want the restrictive and customized filters should be paying the fee rather than expecting everyone else to deal with their filters. Hopefully this information will help in addressing others' concerns who may fall into a similar situation in the future or lead to some sort of a solution.

    Sincerely hope this will shed some light for others in a similar situation or help them resolve their issue.

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    Many thanks for the detailed feed-back, and Happy New Year!

    0
    Comment actions Permalink

Please sign in to leave a comment.