gmail blocked by open dns

Comments

34 comments

  • rotblitz

    OpenDNS does not block anything except Phishing and Malware sites.  So, if something is blocked, it is because of  your settings, likely mail.google.com.  Because you tried to reach this with HTTPS, you get a browser generated security warning.  The certificate for the OpenDNS block page is clearly from OpenDNS, not from Google.  This is what the message says.

    Solution: don't block what you don't want to be blocked.  I.e. either uncheck the related category, or add the blocked domains to the "never block" list.

    If you are unsure what is blocked, simply visit your domain stats to find it out: https://dashboard.opendns.com/stats/all/blockeddomains

  • mimismama

    I'm having trouble as well. I have google.com and google.ca and mail.google.com as "never blocked"… but they are still blocked. And so is YouTube, even though I DO NOT have video sharing checked off. This is extremely frustrating. I'm beginning to really hate OpenDNS.  I'd really appreciate it if some of the answers were easier to understand for normal people.

    I have tried everything to unblock google, although I don't want google I only want my gmail… I've tried to unblock all of it… it just won't let me. I'd love some help.

  • rotblitz

    As said, OpenDNS doesn't block this by default, so it must be your settings, e.g. of categories, blocking it.

    Visit https://dashboard.opendns.com/stats/all/blockeddomains to see what related domains are still being blocked and why.  Then unblock or whitelist them.

    When I visit Google mail, the following domains (and their aliases) are being queried:

    mail.google.com  googlemail.l.google.com
    accounts.google.com  accounts.l.google.com
    clients1.google.com  clients.l.google.com
    gtglobal-ocsp.geotrust.com  ocsp.ws.symantec.com.edgekey.net  e8218.ce.akamaiedge.net
    fonts.googleapis.com  googleapis.l.google.com
    ssl.gstatic.com
    lh5.googleusercontent.com  googlehosted.l.googleusercontent.com
    accounts.youtube.com  www3.l.google.com
    www.google.com
    accounts.google.de  accounts-cctld.l.google.com
    mail-attachment.googleusercontent.com  googlehosted.l.googleusercontent.com
    www.gstatic.com
    lh3.googleusercontent.com  googlehosted.l.googleusercontent.com
    clients2.google.com  clients.l.google.com
    plus.google.com
    oauth.googleusercontent.com  googlehosted.l.googleusercontent.com
    www.google.com
    chatenabled.mail.google.com  b.googlemail.l.google.com
    themes.googleusercontent.com  googlehosted.l.googleusercontent.com
    apis.google.com  plus.l.google.com

    "This is extremely frustrating. I'm beginning to really hate OpenDns."

    As you can see, it's Google, not OpenDNS.

  • rotblitz

    I should still add that not all domains being listed above are needed to access Gmail.  I believe at least the following domains (and their subdomains) should not be blocked to use Gmail.

    mail.google.com
    accounts.google.com
    clients.l.google.com
    geotrust.com
    edgekey.net
    akamaiedge.net
    googleapis.com
    ssl.gstatic.com
    googleusercontent.com
    gstatic.com
    googlemail.l.google.com
    apis.google.com

  • Anthony Honciano

    Hi @cocoathedog,

    I'm sorry to hear that you're experiencing difficulties. There are a couple of things we noticed with your account. Your account shows that you have a network configured with your OpenDNS Dashboard and the Netgear Live Parental Controls (LPC). Having both configured for your home network will cause conflicts with the service, and we advise our users to choose which configuration they wish to use.

    Keep the Netgear LPC

    Please do the following to remove your OpenDNS Dashboard Network:

    1. Log into your dashboard at http://dashboard.opendns.com/settings
    2. Delete the network in your dashboard (Note: this will delete all whitelists/blacklists)

    Keep the OpenDNS Dashboard Network

    Please do the following to disable the Netgear LPC:

    1. Log into your LPC Device using the LPC Manager from http://netgear.opendns.com and your OpenDNS account.
    2. Click on the "Disable Live Parental Controls" button
    3. Please be sure that you're using the OpenDNS IP Updater from this point, so that your IP address is updated correctly.

    After completing one of the above steps, please flush your browser and DNS cache by following the instructions below:

    http://www.opendns.com/support/article/67
    http://www.opendns.com/support/article/68

    Let us know if you continue to experience difficulties and we'll be happy to help you.

    Best regards,

  • lamakova

    I'm also having difficulty opening Gmail since I added OpenDNS. I added the websites listed above to the never block domains, but I still haven't been successful. If it isn't solved I will have to stop with it. Could you please help!!

  • rotblitz

    We (users) cannot really advise what you need to unblock, because we don't know what you have blocked with your individual settings.  So you'll have to find out yourself.  It is not trivial wanting a part of a service blocked and a part unblocked at the same time, due to the complex DNS configuration of some services like Google.

    Check the domains blocked by your settings to whitelist the ones needed for Gmail:
    https://dashboard.opendns.com/stats/all/blockeddomains

    If you're unsure what domains these could be, run a DNS query sniffer like http://www.nirsoft.net/utils/dns_query_sniffer.html when visiting Gmail.

  • stantonattree

    Thanks Anthony.  I had the same problem as other users.  As soon as I unchecked the parental controls on my router, gmail worked straight away.

    Regards.  Stanton.

  • baffoni

    The issue appears to be that OPENDNS is issuing a proxy HTTPS certificate when parental blocking is turned on; this certificate is used as a man in the middle (read: attack to the browser) proxy to view the encrypted data.  Gmail and other very secure sites are using HTTP Strict Transport Security (HSTS), which doesn't allow this proxy to work.  Is there a setting in OPENDNS to not inspect SSL using HSTS so that it will succeed instead of being blocked?  Or is the only option turning off controls?

  • baffoni

    FWIW this only seems to be an issue on Firefox; Chrome and IE seem to pass it through without an error.

  • Patrick Colford

    @baffoni

    This is because of HSTS security settings and the way a browser interacts with responses. There's no way to disable this in Firefox, and the only way to disable it in Chrome is through a control setting that we don't recommend. Ideally, you'll want to configure OpenDNS not to block resources you want your users to access. So, if you want them to be able to use Gmail, allow gmail.com.

    If you don't know how OpenDNS was configured on your system, or you're not the administrator, you'll need to submit a ticket so that we can help you use OpenDNS, or disable it from your system. 

  • addseo1118

    Thanks Anthony.

  • jymmi

    Why is OpenDNS injecting its cert when trying to go to Gmail? This started happening when I moved from the regular OpenDNS name servers to the FamilyShield name servers. Does this mean the only way around it is to switch back?

  • rotblitz

    The FamilyShield resolver addresses shouldn't block Gmail unless one or more domains needed by Gmail are tagged in a wrong (adult or proxy) category.  Check the cert warning more closely to possibly see what (non-OpenDNS) domain is being mentioned.  Or check at https://dashboard.opendns.com/stats/all/blockeddomains what Gmail related domain(s) is/are being blocked now.

    You may want to report the wrongly categorized/blocked gmail related domains via support ticket to OpenDNS to get it corrected.

    As a temporary workaround, you could switch back to the normal OpenDNS resolver addresses (don't forget to flush your caches!), or introduce entries in your local hosts file with these impacted domains and their real IP addresses.

  • farrisfamily00

    Patrick, thank you for your advice. I have personal settings on my computer that block certain things, like accessing the internet after 11pm, but I knew my Gmail was being blocked because of OpenDNS, since it was working before I added the webmail category to the block list. I wanted to only whitelist the email accounts that I have set up for my kids, that I have passwords for, so they are not able to make another and check it at home. After I added gmail.com to the whitelist, my Gmail and my kids' work. Thank you

  • wakkorotti

    I am finding this very frustrating, too, particularly because I know the cause of the problem and what OpenDNS has to do to solve it.  However, baffoni is the first person to accurately state the problem.  The correct solution is what Windows Family Safety software does to resolve it: issue a trust certificate that makes the man in the middle attack be allowed, because the opendns.com certificate must be from a trusted certification authority.  Although users can self-certify that opendns.com is a trusted authority, it is complicated to do this and get it working correctly.  Avoiding the HSTS cannot work either, because otherwise OpenDNS won't know if the encrypted content should be blocked or not.  Please create a trusted CA and make it available to the users.  If that isn't possible, I'm sure I will rely on my proxy server for all filtering and remove OpenDNS completely.

  • mattwilson9090

    baffoni's post was wrong in several ways. Although he throws around some correct terms, he has some fundamental misunderstandings of how DNS and the internet work in general, and how OpenDNS works in particular. OpenDNS has nothing to do with man in the middle attacks or determining whether content is encrypted or not. OpenDNS (like any DNS system) does not care at all about websites, webpages, content, protocol, encryption, or anything else but a domain name. It either returns the DNS results for an allowed domain, or returns one of several OpenDNS addresses that correspond to one of their blocked pages. In this particular case, since that blocked page is returning results different from the certificate that the browser expects to receive as a result of HSTS, an error/warning is displayed. In other words, the error is happening because of what happens in your browser *after* OpenDNS does the lookup and returns the results in accordance with your own settings.

    OpenDNS creating a certificate to impersonate gmail.com, let alone creating an entire CA would do nothing about an HSTS related error since any certificates generated would not be properly signed, so would still generate the error.

    What problem is it that you are trying to solve? What exactly is it that you want OpenDNS to do to "solve" it?

    Are you trying to block gmail and upset that you are getting a certificate error? If so then look at Patrick's explanation of what is going on in his two posts. Bottom line, you wanted OpenDNS to block gmail for you, and it is doing so, only the methods that it uses for every other site on the internet are throwing up a false positive for another problem.

    Are you trying to use Gmail, but it is being blocked now that you are using OpenDNS? Then look to the posts by Patrick and rotblitz, because the problem lies with your OpenDNS settings and what you have blocked. You will either need to unblock some categories or whitelist some domains. Even if they could impersonate gmail.com's certificate to eliminate the HSTS error, Gmail would still be blocked for you because your OpenDNS settings are blocking Gmail.

  • rotblitz

    "I know the cause of the problem and what OpenDNS has to do to solve it."

    Interesting.  Then can you please:

    • Let us know what you think the cause of the problem is.
    • Tell us what your suggestions are regarding a solution to be done by OpenDNS.

    "I will ... remove OpenDNS completely."

    I'm sure they will not miss you, and they don't care.  Just someone who no longer takes resources of their free service.  With 50+ million users there are thousands joining and leaving daily...

  • wakkorotti

    If "OpenDNS has nothing to do with man in the middle attacks", then why suggest "you are getting a certificate error"?  The entire reason for the certificate error is because of OpenDNS (and because the URL is blocked as you pointed out, which constitutes a man-in-the-middle attack.)  However, determining why the URL is being blocked is not possible without avoiding the certificate error, which requires a valid certificate.  The certificate that OpenDNS sends back will be valid if the signer of the certificate coming from OpenDNS is included in the trusted certificate authority (CA) of the computer making the request (my laptop.)  The two ways that show that this is the problem:

    1. Access the webpage through another network not on OpenDNS (works of course, because it isn't blocked.)

    2. Access the webpage through another network not on OpenDNS using Windows Family Safety to block the URL:

    2a. If the Windows Family Safety CA is not installed, the error looks exactly like the one from OpenDNS, which is entirely unhelpful.

    2b. If the Windows Family Safety CA is installed, the error shows that Family Safety blocked the URL and why it was blocked.

    Presumably, having a trusted CA installed from OpenDNS would also allow a valid certificate to be returned and be able to show why OpenDNS blocked the site.

    If "baffoni's post ... throws around some correct terms" is meant to suggest users only partially understand how to explain the problem, then the implication is insulting and the opposite of helpful.  I think I understand DNS quite well and agree with your assessment "returns one of several OpenDNS addresses that correspond to one of their blocked pages. ... different from the certificate that the browser expects to receive as a result of HSTS, an error/warning is displayed ... *after* OpenDNS does the lookup and returns the results in accordance with your own settings."

    My point is that returning an address different than the certificate would not be an error if a different certificate was sent back matching the OpenDNS address as long as the signer of that certificate was included in my trusted CA list.

  • rotblitz

    Again, what problem is it that you are trying to solve?

    Do you really believe that "having a trusted CA installed from OpenDNS would also allow a valid certificate to be returned and be able to show why OpenDNS blocked the site"?  Hardly!  The certificate attribute "Issued to CN" cannot match the domain name being queried and being blocked by OpenDNS.

  • wakkorotti

    Perhaps it will be more helpful to clarify statements already made:

    "It either returns the DNS results for an allowed domain, or returns one of several OpenDNS addresses that correspond to one of their blocked pages. In this particular case, since that blocked page is returning results different from the certificate that the browser expects to receive as a result of HSTS, an error/warning is displayed. In other words the error is happening because of what happens in your browser *after* OpenDNS does the lookup and returns the results in accordance with your own settings."

    In my case, I requested youtube.com, which I specifically blocked in OpenDNS.  OpenDNS should of course return an address that shows a blocked page.  If you are suggesting using OpenDNS to block youtube.com will result in a certificate for youtube.com not a certificate from OpenDNS, then I will concede your point, but then Chrome will never show the blocked page for HTTPS sites, and then OpenDNS has a bigger problem than just a few users that have this problem.

    If using OpenDNS results in a certificate for the OpenDNS block page instead, then that certificate would have to be signed by a trusted authority.  In the case of Windows Family Safety, Microsoft did not send a certificate signed by a trusted authority already installed, so they provided their own certificate authority for users to install to the trusted certificate authority list, which solves the problem.

    If I have completely misconstrued how anything works, it would be helpful if you tell me what is really happening, as I am only guessing based on my extensive technical background and limited information above (as well as using Microsoft Family Safety.)  I am sure I can test any statements you make against my multiple configurations sufficiently to be satisfied whether the information is accurate.

    As for what problem is being solved:

    Blocked secure sites should show the OpenDNS block page to show that the site was actually blocked rather than thinking there might be some other problem going on related to the service provider, my local proxy server, etc.

    As for Microsoft Family Safety, it is 100% unreliable (haven't tried the Live version, which might solve some issues.)  All you have to do is crash the program which is pretty easy it seems.  Although I like OpenDNS as a backup, I very much prefer the proxy server solution I installed to my 2nd computer.  My son on the other hand does not like it, because it works even better than OpenDNS.

  • rotblitz

    "I requested youtube.com, which I specifically blocked in OpenDNS.  OpenDNS should of course return an address that shows a blocked page."

    OpenDNS does return one of its own IP addresses (hit-block.opendns.com in your case) to redirect you to a block page.  And your browser opens an HTTPS connection to this address with hostname www.youtube.com, finds a certificate "Issued to *.opendns.com" and therefore complains about the mismatch.  So, it's solely your browser preventing you from reaching the block page, not OpenDNS and not YouTube.  There's nothing OpenDNS could do against it.

    "Blocked secure sites should show the OpenDNS block page to show that the site was actually blocked"

    Exactly this is done!  But your browser has its own "mind" and does what its developers wanted it to do, not what OpenDNS or you wanted it to do.

    Forget comparing Microsoft Family Safety with OpenDNS.  These have nothing in common from a technical perspective and are totally different approaches.
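    An added illustration of the sequence rotblitz describes above (and of the certificate point made earlier by rotblitz and mattwilson9090); it is not code from the thread or from OpenDNS. The resolver answers, the block-page host and the certificate names are constructed stand-ins, and nothing is resolved or connected to.

```python
"""Model of why a DNS-level block of an HTTPS site ends in a browser error.

Constructed example, not code from the thread or from OpenDNS. It follows
the sequence rotblitz describes: the resolver answers www.youtube.com with
the address of its block-page host (hit-block.opendns.com), the browser
opens TLS for www.youtube.com, and the block page presents a certificate
issued to *.opendns.com. Addresses below are constructed documentation
addresses; nothing is resolved or connected to.
"""

BLOCK_PAGE_HOST = "hit-block.opendns.com"

# Constructed resolver answers: a policy-blocked name gets the block page's
# address, an allowed name gets its ordinary address.
CONSTRUCTED_ANSWERS = {
    "hit-block.opendns.com": "192.0.2.10",
    "www.youtube.com": "192.0.2.10",      # blocked by the user's settings
    "mail.google.com": "198.51.100.7",    # allowed
}


def blocked_by_policy(host: str, answers: dict[str, str]) -> bool:
    """A name is policy-blocked when it resolves to the block page's address.
    This is the check to run before blaming the site or the browser."""
    return host != BLOCK_PAGE_HOST and answers.get(host) == answers.get(BLOCK_PAGE_HOST)


def hostname_matches(hostname: str, cert_names: list[str]) -> bool:
    """RFC 6125 style comparison of the requested host against the names in
    the certificate. A wildcard counts only as the whole left-most label and
    matches exactly one label: *.opendns.com matches hit-block.opendns.com
    but neither www.youtube.com nor a.b.opendns.com."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 2 or len(labels) != len(host):
            continue
        if labels[1:] != host[1:]:
            continue
        if labels[0] == "*" or labels[0] == host[0]:
            return True
    return False


def browser_outcome(requested_host: str, cert_names: list[str],
                    issuer_trusted: bool, hsts: bool) -> str:
    """What the user sees once the browser holds the block page's certificate.

    Only a certificate that both names the requested host and chains to a
    trusted issuer lets the block page render. Adding the block page's
    issuer to the trust store (the CA proposal in the thread) leaves the
    name mismatch in place, so the outcome does not change. With HSTS the
    browser offers no click-through, the Firefox behaviour the thread
    reports."""
    if issuer_trusted and hostname_matches(requested_host, cert_names):
        return "block page shown"
    if hsts:
        return "hard error, no click-through"
    return "warning, click-through possible"


if __name__ == "__main__":
    for host in CONSTRUCTED_ANSWERS:
        print(host, "blocked by policy:", blocked_by_policy(host, CONSTRUCTED_ANSWERS))
    print(browser_outcome("www.youtube.com", ["*.opendns.com"], True, True))
    print(browser_outcome("www.youtube.com", ["*.opendns.com"], True, False))
    print(browser_outcome(BLOCK_PAGE_HOST, ["*.opendns.com"], True, True))
```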

  • kylorenault

    Many websites that have HTTPS are being blocked by OpenDNS. That's not ideal. When I set my content filtering settings to High, I expect to have only the websites in that category blocked, not any other HTTPS website. This is inaccurate behavior on the part of OpenDNS servers.

  • rotblitz

    What does your message have to do with "gmail blocked by open dns"?

    "Many websites that have HTTPS are being blocked by OpenDNS."

    No, never!  It's always by your settings, not by OpenDNS.  And OpenDNS as DNS service doesn't know about HTTPS.

    "not any other HTTPS website."

    Which website would this be?

  • krisclark3

    Sorry, but I have the same problem.  Never had it before tonight when I installed OpenDNS.  Now I can't access anything.

  • rotblitz (Edited)

    So, your problem is that Gmail is being blocked by your OpenDNS settings?  This is what this thread is about.

    Well, then work through my list above and compare against your blocked domain stats to unblock what needs to be unblocked.

    If it is something else, you had better open your own thread, and be more specific about this "anything".

    Edit:
    Just reading in another thread that you seem to be using a Netgear router with LPC enabled.  You don't have stats then to compare with.  And you should open your own thread in the "Netgear Live Parental Controls" section of the forum, being very specific and detailed about your problems.

  • princebds

    After checking the search engine category, suddenly Gmail and google.com were blocked. Thanks to sir rotblitz, I'm able to connect to Gmail now by unblocking the following sites:

    mail.google.com
    accounts.google.com
    clients.l.google.com
    geotrust.com
    edgekey.net
    akamaiedge.net
    googleapis.com
    ssl.gstatic.com
    googleusercontent.com
    gstatic.com
    googlemail.l.google.com
    apis.google.com

  • rotblitz

    But note: to avoid unnecessarily filling up your 25 whitelist slots, you only need to enter the domains from my list which are actually being blocked by your settings, as seen at https://dashboard.opendns.com/stats/all/blockeddomains
    Entering any other domains from my list does not make sense.

    Also, my list is three years old now, and Google might have changed the domains being used for the mail service, so you may have to find out anew what domains are being used.

    This tool can help: http://www.nirsoft.net/utils/dns_query_sniffer.html

  • lands4 (Edited)

    I was able to only add:

    gmail.com
    mail.gmail.com

    to never block, waited 5 min, and that worked.

    Good luck.

  • mattwilson9090

    Adding mail.gmail.com was redundant and unnecessary, since it is a subdomain of gmail.com.

    gmail.com alone will whitelist ALL of its subdomains, and has the benefit of only requiring 1 slot in your whitelist instead of the 2 you used.
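    An added illustration of the two whitelist rules given in this thread (rotblitz: only list domains your blocked-domain stats show as actually blocked, to spare the 25 slots; mattwilson9090: a "never block" entry already covers its subdomains, so a subdomain next to its parent is redundant). It is not code from the thread or from OpenDNS; the candidate list is rotblitz's, and the stats excerpt is constructed.

```python
"""Choosing the smallest "never block" list that frees Gmail.

Constructed example, not code from the thread or from OpenDNS. It applies
two rules stated in the thread: whitelist only the domains the blocked-
domain stats show as actually blocked (rotblitz), and never list a
subdomain next to its parent, because a "never block" entry already covers
all of its subdomains (mattwilson9090). The candidate list is rotblitz's
list of domains Gmail needs; the stats excerpt is constructed.
"""

WHITELIST_SLOTS = 25  # the slot limit rotblitz mentions

# rotblitz's list of domains (and their subdomains) Gmail needs.
GMAIL_DOMAINS = [
    "mail.google.com", "accounts.google.com", "clients.l.google.com",
    "geotrust.com", "edgekey.net", "akamaiedge.net", "googleapis.com",
    "ssl.gstatic.com", "googleusercontent.com", "gstatic.com",
    "googlemail.l.google.com", "apis.google.com",
]

# Constructed excerpt of a blocked-domains stats export, one name per line.
CONSTRUCTED_BLOCKED_STATS = """\
mail.google.com
accounts.google.com
googlemail.l.google.com
chatenabled.mail.google.com
lh3.googleusercontent.com
www.youtube.com
"""


def parse_blocked_stats(text: str) -> set[str]:
    """Normalise the stats lines into a set of lower-case domain names."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines() if ln.strip()}


def is_subdomain_of(host: str, parent: str) -> bool:
    """True for the parent itself and for any name below it."""
    return host == parent or host.endswith("." + parent)


def minimal_whitelist(blocked: set[str], candidates: list[str]) -> list[str]:
    """Candidates that cover at least one blocked name, with any candidate
    that sits under another selected candidate dropped as redundant.
    The order of the candidate list is preserved."""
    needed = [c for c in candidates
              if any(is_subdomain_of(b, c) for b in blocked)]
    return [c for c in needed
            if not any(c != o and is_subdomain_of(c, o) for o in needed)]


def not_covered(blocked: set[str], entries: list[str]) -> set[str]:
    """Blocked names the chosen entries leave blocked; here these are not
    Gmail-related, so they should stay blocked."""
    return {b for b in blocked if not any(is_subdomain_of(b, e) for e in entries)}


def fits_in_slots(entries: list[str]) -> bool:
    return len(entries) <= WHITELIST_SLOTS


if __name__ == "__main__":
    blocked = parse_blocked_stats(CONSTRUCTED_BLOCKED_STATS)
    entries = minimal_whitelist(blocked, GMAIL_DOMAINS)
    print("add to never block:", entries, "fits:", fits_in_slots(entries))
    print("stays blocked:", not_covered(blocked, entries))
    # mattwilson9090's point: mail.gmail.com is redundant next to gmail.com
    print(minimal_whitelist({"mail.gmail.com"}, ["gmail.com", "mail.gmail.com"]))
```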

