gmail blocked by open dns
I can't access my gmail now that I'm using open dns. Here is the error message:
-
OpenDNS does not block anything except Phishing and Malware sites. So, if something is blocked, it is because of your settings, likely mail.google.com. Because you tried to reach this with HTTPS, you get a browser generated security warning. The certificate for the OpenDNS block page is clearly from OpenDNS, not from Google. This is what the message says.
Solution: don't block what you don't want to be blocked. I.e. either uncheck the related category, or add the blocked domains to the "never block" list.
If you are unsure what is blocked, simply visit your domain stats to find it out: https://dashboard.opendns.com/stats/all/blockeddomains
-
I'm having trouble as well. I have google.com and google.ca and mail.google.com as "never blocked"… but they are still blocked. And so is youtube. even though I DO NOT have video sharing checked off. This is extremely frustrating. I'm beginning to really hate OpenDns. I'd really appreciate if some of the answers were easier to understand for normal people.
I have tried everything to unblock google, although I don't want google I only want my gmail… I've tried to unblock all of it… it just won't let me. I'd love some help.
-
As said, OpenDNS doesn't block this by default, so it must be your settings, e.g. of categories, blocking it.
Visit https://dashboard.opendns.com/stats/all/blockeddomains to see what related domains are still being blocked and why. Then unblock or whitelist them.
When I visit Google mail, the following domains (and their aliases) are being queried:
mail.google.com googlemail.l.google.com
accounts.google.com accounts.l.google.com
clients1.google.com clients.l.google.com
gtglobal-ocsp.geotrust.com ocsp.ws.symantec.com.edgekey.net e8218.ce.akamaiedge.net
fonts.googleapis.com googleapis.l.google.com
ssl.gstatic.com
lh5.googleusercontent.com googlehosted.l.googleusercontent.com
accounts.youtube.com www3.l.google.com
www.google.com
accounts.google.de accounts-cctld.l.google.com
mail-attachment.googleusercontent.com googlehosted.l.googleusercontent.com
www.gstatic.com
lh3.googleusercontent.com googlehosted.l.googleusercontent.com
clients2.google.com clients.l.google.com
plus.google.com
oauth.googleusercontent.com googlehosted.l.googleusercontent.com
www.google.com
chatenabled.mail.google.com b.googlemail.l.google.com
themes.googleusercontent.com googlehosted.l.googleusercontent.com
apis.google.com plus.l.google.com
"This is extremely frustrating. I'm beginning to really hate OpenDns."
As you can see, it's Google, not OpenDNS.
-
I should still add that not all domains being listed above are needed to access Gmail. I believe at least the following domains (and their subdomains) should not be blocked to use Gmail.
mail.google.com
accounts.google.com
clients.l.google.com
geotrust.com
edgekey.net
akamaiedge.net
googleapis.com
ssl.gstatic.com
googleusercontent.com
gstatic.com
googlemail.l.google.com
apis.google.com
-
Hi @cocoathedog,
I'm sorry to hear that you're experiencing difficulties. There are a couple of things we noticed with your account. Your account shows that you have a network configured with your OpenDNS Dashboard and the Netgear Live Parental Controls (LPC), having both configured for your home network will cause conflicts with the service and we advise our users to choose which configuration they wish to use.
Keep the Netgear LPC
Please do the following to remove your OpenDNS Dashboard Network
- Log into your dashboard at http://dashboard.opendns.com/settings
- Delete the network in your dashboard (Note, this will delete all whitelist/blacklists)
Keep the OpenDNS Dashboard Network
Please do the following to disable the Netgear LPC
- Log into your LPC Device using the LPC Manager from http://netgear.opendns.com and your OpenDNS account.
- Click on the "Disable Live Parental Controls" button
- Please be sure that you're using the OpenDNS IP Updater from this point, so that your IP address is updated correctly.
After completing one of the above steps, please flush your browser and DNS cache by following the instructions below:
http://www.opendns.com/support/article/67
http://www.opendns.com/support/article/68
Let us know if you continue to experience difficulties and we'll be happy to help you.
Best regards,
-
We (users) cannot really advise what you need to unblock, because we don't know what you have blocked with your individual settings. So you'll have to find out yourself. It is not trivial to want a part of a service blocked and a part unblocked at the same time, due to the complex DNS configuration of some services like Google.
You check the blocked domains by your settings to whitelist the ones needed for Gmail.
https://dashboard.opendns.com/stats/all/blockeddomains
If you're unsure what domains these could be, run a DNS query sniffer like http://www.nirsoft.net/utils/dns_query_sniffer.html when visiting Gmail.
-
The issue appears to be that OPENDNS is issuing a proxy HTTPS certificate when parental blocking is turned on, this certificate is used as a man in the middle (read attack to the browser) proxy to view the encrypted data. Gmail and other very secure sites are using HTTP Strict Transport Security (HSTS) which doesn't allow this proxy to work. Is there a setting in OPENDNS to not inspect ssl using HSTS so that it will succeed instead of being blocked? Or is the only option turning off controls?
-
@baffoni
This is because of HSTS security settings and the way a browser interacts with responses. There's no way to disable this in Firefox, and the only way to disable it in Chrome is through a control setting that we don't recommend. Ideally, you'll want to configure OpenDNS not to block resources you want your users to access. So, if you want them to be able to use Gmail, allow gmail.com.
If you don't know how OpenDNS was configured on your system, or you're not the administrator, you'll need to submit a ticket so that we can help you use OpenDNS, or disable it from your system.
-
The FamilyShield resolver addresses shouldn't block gmail unless one or more domains needed by gmail are tagged in a wrong (adult or proxy) category. Check the cert warning closer to possibly see what (non-OpenDNS) domain is being mentioned. Or check at https://dashboard.opendns.com/stats/all/blockeddomains what gmail related domain(s) is/are being blocked now.
You may want to report the wrongly categorized/blocked gmail related domains via support ticket to OpenDNS to get it corrected.
As a temporary workaround, you could switch back to the normal OpenDNS resolver addresses (don't forget to flush your caches!), or introduce entries in your local hosts file with these impacted domains and their real IP addresses.
-
Patrick, thank you for your advice. I have personal settings on my computer that block certain things, like accessing internet after 11pm, but I knew my gmail was being blocked because of the openDNS, since it was working before I added webmail category to the block list. I wanted to only white list the email accounts that I have set up for my kids, that I have passwords for, so they are not able to make another and check it at home. After I added gmail.com to the white list, my gmail and my kids' works. Thank you
-
I am finding this very frustrating, too, particularly because I know the cause of the problem and what OpenDNS has to do to solve it. However, buffoni is the first person to accurately state the problem. The correct solution is what Windows Family Safety software does to resolve: issue a trust certificate that makes the man in the middle attack be allowed because the opendns.com certificate must be from a trusted certification authority. Although users can self certify that opendns.com is a trusted authority, it is complicated to do this and get it working correctly. Avoiding the HSTS cannot work either because otherwise OpenDNS won't know if the encrypted content should be blocked or not. Please create a trusted CA and make it available to the users. If that isn't possible, I'm sure I will rely on my proxy server for all filtering and remove OpenDNS completely.
-
Buffoni's post was wrong in several ways. Although he throws around some correct terms, he has some fundamental misunderstandings of how DNS and the internet work in general, and how OpenDNS works in particular. OpenDNS has nothing to do with man in the middle attacks or determining whether content is encrypted or not. OpenDNS (like any DNS system) does not care at all about websites, webpages, content, protocol, encryption, or anything else but a domain name. It either returns the DNS results for an allowed domain, or returns one of several OpenDNS addresses that correspond to one of their blocked pages. In this particular case, since that blocked page is returning results different from the certificate that the browser expects to receive as a result of HSTS, an error/warning is displayed. In other words the error is happening because of what happens in your browser *after* OpenDNS does the lookup and returns the results in accordance with your own settings.
OpenDNS creating a certificate to impersonate gmail.com, let alone creating an entire CA would do nothing about an HSTS related error since any certificates generated would not be properly signed, so would still generate the error.
What problem is it that you are trying to solve? What exactly is it that you want OpenDNS to "solve" it?
Are you trying to block gmail and upset that you are getting a certificate error? If so then look at Patrick's explanation of what is going on in his two posts. Bottom line, you wanted OpenDNS to block gmail for you, and it is doing so, only the methods that it uses for every other site on the internet are throwing up a false positive for another problem.
Are you trying to use gmail, but it is being blocked now that you are using OpenDNS? Then look to the posts by Patrick and rotblitz, because the problem lies with your OpenDNS settings and what you have blocked. You will either need to unblock some categories or whitelist some domains. Even if they could impersonate gmail.com's certificate to eliminate the HSTS error, gmail would still be blocked for you because your OpenDNS settings are blocking gmail.
-
"I know the cause of the problem and what OpenDNS has to do to solve it."
Interesting. Then can you please:
- Let us know what you think the cause of the problem is.
- Tell us what your suggestions are regarding a solution to be done by OpenDNS.
"I will ... remove OpenDNS completely."
I'm sure they will not miss you, and they don't care. Just someone who no longer takes resources of their free service. With 50+ million users there are thousands joining and leaving daily...
-
If "OpenDNS has nothing to do with man in the middle attacks", then why suggest "you are getting a certificate error"? The entire reason for the certificate error is because of OpenDNS (and because the URL is blocked as you pointed out, which constitutes a man-in-the-middle attack.) However, determining why the URL is being blocked is not possible without avoiding the certificate error, which requires a valid certificate. The certificate that OpenDNS sends back will be valid if the signer of the certificate coming from OpenDNS is included in the trusted certificate authority (CA) of the computer making the request (my laptop.) The two ways that show that this is the problem:
1. Access the webpage through another network not on OpenDNS (works of course, because it isn't blocked.)
2. Access the webpage through another network not on OpenDNS using Windows Family Safety to block the URL:
2a. If the Windows Family Safety CA is not installed, the error looks exactly like the one from OpenDNS, which is entirely unhelpful.
2b. If the Windows Family Safety CA is installed, the error shows that Family Safety blocked the URL and why it was blocked.
Presumably, having a trusted CA installed from OpenDNS would also allow a valid certificate to be returned and be able to show why OpenDNS blocked the site.
If "Buffoni's post ... throws around some correct terms" is meant to suggest users only partially understand how to explain the problem, then the implication is insulting and the opposite of helpful. I think I understand DNS quite well and agree with your assessment "returns one of several OpenDNS addresses that correspond to one of their blocked pages. ... different from the certificate that the browser expects to receive as a result of HSTS, an error/warning is displayed ... *after* OpenDNS does the lookup and returns the results in accordance with your own settings."
My point is that returning an address different than the certificate would not be an error if a different certificate was sent back matching the OpenDNS address as long as the signer of that certificate was included in my trusted CA list.
-
Again, what problem is it that you are trying to solve?
Do you really believe that "having a trusted CA installed from OpenDNS would also allow a valid certificate to be returned and be able to show why OpenDNS blocked the site"? Hardly! The certificate attribute "Issued to CN" cannot match the domain name being queried and being blocked by OpenDNS.
-
Perhaps it will be more helpful to clarify statements already made:
"It either returns the DNS results for an allowed domain, or returns one of several OpenDNS addresses that correspond to one of their blocked pages. In this particular case, since that blocked page is returning results different from the certificate that the browser expects to receive as a result of HSTS, an error/warning is displayed. In other words the error is happening because of what happens in your browser *after* OpenDNS does the lookup and returns the results in accordance with your own settings."
In my case, I requested youtube.com, which I specifically blocked in OpenDNS. OpenDNS should of course return an address that shows a blocked page. If you are suggesting using OpenDNS to block youtube.com will result in a certificate for youtube.com not a certificate from OpenDNS, then I will concede your point, but then Chrome will never show the blocked page for HTTPS sites, and then OpenDNS has a bigger problem than just a few users that have this problem.
If using OpenDNS results in a certificate for OpenDNS block page instead, then that certificate would have to be signed by a trusted authority. In the case of Windows Family Safety, Microsoft did not send a certificate signed by a trusted authority already installed, so they provided their own certified authority for users to install to the trusted certificate authority list, which solves the problem.
If I have completely misconstrued how anything works, it would be helpful if you tell me what is really happening, as I am only guessing based on my extensive technical background and limited information above (as well as using Microsoft Family Safety.) I am sure I can test any statements you make against my multiple configurations sufficiently to be satisfied whether the information is accurate.
As for what problem is being solved:
Blocked secure sites should show the OpenDNS block page to show that the site was actually blocked rather than thinking there might be some other problem going on related to the service provider, my local proxy server, etc.
As for Microsoft Family Safety, it is 100% unreliable (haven't tried the Live version, which might solve some issues.) All you have to do is crash the program which is pretty easy it seems. Although I like OpenDNS as a backup, I very much prefer the proxy server solution I installed to my 2nd computer. My son on the other hand does not like it, because it works even better than OpenDNS.
-
"I requested youtube.com, which I specifically blocked in OpenDNS. OpenDNS should of course return an address that shows a blocked page."
OpenDNS does return its own IP address (hit-block.opendns.com in your case) to redirect you to a block page. And your browser opens an HTTPS connection to this address with hostname www.youtube.com to find a certificate "Issued to *.opendns.com" and therefore complains about the mismatch. So, it's solely your browser preventing you from reaching the block page, not OpenDNS and not YouTube. There's nothing OpenDNS could do against it.
"Blocked secure sites should show the OpenDNS block page to show that the site was actually blocked"
Exactly this is done! But your browser has its own "mind" and does what its developers wanted it to do, not what OpenDNS or you wanted it to do.
Forget comparing Microsoft Family Safety with OpenDNS. These have nothing in common from a technical perspective and are totally different approaches.
-
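The browser-side check described in the post above, as an added example that is not part of the thread: a DNS answer sends the client to the block page, the client offers the requested hostname (e.g. www.youtube.com or mail.google.com) via SNI, and the certificate it gets back carries only OpenDNS names. The certificate name list below is constructed from the "Issued to *.opendns.com" description, not taken from a real certificate, and the verdict strings are this example's own wording.

```python
# Added example: the hostname-vs-certificate check a browser performs after
# a blocked HTTPS site resolves to the OpenDNS block page. Constructed data:
# the SAN list is modelled on the thread's "Issued to *.opendns.com" message.

BLOCK_PAGE_CERT_NAMES = ["*.opendns.com", "opendns.com"]  # constructed SAN list


def hostname_matches(hostname: str, cert_names) -> bool:
    """RFC 6125 style name match: exact match, or a single left-most
    wildcard label that stands for exactly one label (so *.opendns.com
    matches hit-block.opendns.com but not a.b.opendns.com or opendns.com)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            # Require at least two labels after the wildcard so "*.com" never matches.
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def browser_verdict(requested_host: str, cert_names, hsts: bool) -> str:
    """What the browser does once DNS has pointed it at the block page.
    With HSTS (Gmail, YouTube) the mismatch cannot be clicked through."""
    if hostname_matches(requested_host, cert_names):
        return "block page shown"
    if hsts:
        return "hard failure: name mismatch and HSTS forbids click-through"
    return "warning: name mismatch, user may click through to the block page"


if __name__ == "__main__":
    for host, hsts in [("hit-block.opendns.com", False),
                       ("www.youtube.com", True),
                       ("mail.google.com", True),
                       ("example.invalid", False)]:
        print(f"{host:24} -> {browser_verdict(host, BLOCK_PAGE_CERT_NAMES, hsts)}")
```

Only a request for an opendns.com name reaches the block page cleanly; every blocked third-party hostname fails the name check, and HSTS turns that warning into an error the user cannot bypass.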
Many websites that have HTTPS are being blocked by OpenDNS. That's not ideal. When I set my content filtering settings to High, I expect to have only the websites in that category to be blocked, not any other HTTPS website. This is an inaccurate behavior on the part of OpenDNS servers.
-
What has your message to do with "gmail blocked by open dns"?
"Many websites that have HTTPS are being blocked by OpenDNS."
No, never! It's always by your settings, not by OpenDNS. And OpenDNS as DNS service doesn't know about HTTPS.
"not any other HTTPS website."
Which website would this be?
-
So, your problem is that Gmail is being blocked by your OpenDNS settings? This is what this thread is about.
Well, then work through my list above and compare against your blocked domain stats to unblock what needs to be unblocked.
If it is something else, you better open your own thread, and be more specific about this "anything".
Edit:
Just reading in another thread that you seem to be using a Netgear router with LPC enabled. You don't have stats then to compare with. And you should open your own thread in the "Netgear Live Parental Controls" section of the forum, being very specific and detailed about your problems.
-
After checking the search engine category, suddenly gmail and google.com are blocked. Thanks to sir rotblitz, I am able to connect to gmail now by unblocking the following sites:
mail.google.com
accounts.google.com
clients.l.google.com
geotrust.com
edgekey.net
akamaiedge.net
googleapis.com
ssl.gstatic.com
googleusercontent.com
gstatic.com
googlemail.l.google.com
apis.google.com
-
But note, to not unnecessarily fill up your 25 whitelist slots, you only need to enter the domains from my list which are actually being blocked by your settings, to be seen from https://dashboard.opendns.com/stats/all/blockeddomains
Entering any other domains from my list does not make sense.
Also, my list is three years old now, and Google might have changed domains being used for the mail service, so you may have to find out anew what domains are being used.
This tool can help: http://www.nirsoft.net/utils/dns_query_sniffer.html
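A small planner for the advice in the last two posts (and the needed-domain list earlier in the thread), added here as an example and not code from the thread or from OpenDNS: given the names observed while loading Gmail and which of them resolve to the block page, it picks the minimal set of entries from the needed-domain list to whitelist, so the 25 slots are not wasted on domains that are not blocked. The block-page address and the DNS answers are constructed sample data; in practice the blocked names come from the dashboard's blocked-domain stats or a query sniffer, and the block-page address from resolving hit-block.opendns.com.

```python
# Added example: minimal "never block" list for Gmail from observed DNS answers.
# The needed-domain list is the one posted in this thread (three years old per
# its author); answers and the block-page IP are constructed placeholders.

NEEDED_FOR_GMAIL = [
    "mail.google.com", "accounts.google.com", "clients.l.google.com",
    "geotrust.com", "edgekey.net", "akamaiedge.net", "googleapis.com",
    "ssl.gstatic.com", "googleusercontent.com", "gstatic.com",
    "googlemail.l.google.com", "apis.google.com",
]

# Placeholder: substitute the address hit-block.opendns.com resolves to for you.
BLOCK_PAGE_IPS = {"192.0.2.10"}

# Constructed sample: names queried while loading Gmail -> answered addresses.
SAMPLE_ANSWERS = {
    "mail.google.com": ["192.0.2.10"],            # blocked by a category
    "accounts.google.com": ["198.51.100.5"],      # not blocked
    "lh5.googleusercontent.com": ["192.0.2.10"],  # blocked
    "themes.googleusercontent.com": ["192.0.2.10"],
    "fonts.googleapis.com": ["198.51.100.9"],
    "www.youtube.com": ["192.0.2.10"],            # blocked on purpose, not needed
}


def covering_entry(name, needed=NEEDED_FOR_GMAIL):
    """Return the needed-list entry that equals name or is a parent domain
    of it (whitelisting a domain also allows its subdomains)."""
    for entry in needed:
        if name == entry or name.endswith("." + entry):
            return entry
    return None


def plan_whitelist(answers, block_ips, needed=NEEDED_FOR_GMAIL, slots=25):
    """Split blocked names into entries to whitelist (deduplicated by
    covering domain) and blocked names Gmail does not need at all."""
    blocked = {n for n, ips in answers.items() if set(ips) & set(block_ips)}
    whitelist, unrelated = [], []
    for name in sorted(blocked):
        entry = covering_entry(name, needed)
        if entry is None:
            unrelated.append(name)
        elif entry not in whitelist:
            whitelist.append(entry)
    if len(whitelist) > slots:
        raise ValueError(f"{len(whitelist)} entries exceed the {slots} whitelist slots")
    return {"whitelist": whitelist, "blocked_not_needed": unrelated}


if __name__ == "__main__":
    print(plan_whitelist(SAMPLE_ANSWERS, BLOCK_PAGE_IPS))
```

With the sample answers two whitelist entries suffice (one parent domain covers both googleusercontent.com names), while www.youtube.com is reported separately because it stays blocked without affecting Gmail.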