OpenDNS won't stop blocking a website

  • rotblitz

    Check your blocked domains at https://dashboard.opendns.com/stats/all/blockeddomains to see what related domains are blocked, and add those to your "never block" list.

    If you want to know why it is blocked for you, post the following command output:
    nslookup example.com.
    where example.com is the domain name being blocked as found in your stats.

    "This site was categorized in: Instant Messaging, Chat, Video Sharing, Photo Sharing"
    "NONE of those categories are checked off (I have custom settings)."

    Don't worry.  This is for your information only.  It is not the reason why it is blocked for you.

  • threehappypenguins

    YouTube is doing it now too. I whitelisted just snapchat.com, and I can access the website now. I am trying to determine if snapchat works now. Last night while scrolling through the stats, it showed that l.google.com was blocked (feelinsonice.appspot.com is a snapchat server; and in nslookup the name of the server is appspot.l.google.com). But when I would click on it, it would say, "This domain is no longer blocked."

    Now this morning, YouTube is doing the same thing. I can see *.youtube.com in the list of blocked domains, but when I click on it, it would say "This domain is no longer blocked." Yet when I go to youtube.com it is blocked by OpenDNS.

    The following was my nslookup for youtube.com:

    C:\Windows\system32>nslookup youtube.com
    Server: (myserver)
    Address: 192.168.1.1

    Non-authoritative answer:
    Name: youtube.com
    Addresses: 2607:f8b0:400d:c01::5d
    173.237.115.231
    173.237.115.216
    173.237.115.232
    173.237.115.227
    173.237.115.221
    173.237.115.217
    173.237.115.226
    173.237.115.247
    173.237.115.251
    173.237.115.242
    173.237.115.236
    173.237.115.241
    173.237.115.246
    173.237.115.212
    173.237.115.237
    173.237.115.222

    And I checked feelinsonice.appspot.com:

    C:\Windows\system32>nslookup feelinsonice.appspot.com
    Server: Kubik
    Address: 192.168.1.1

    Non-authoritative answer:
    Name: appspot.l.google.com
    Address: 67.215.65.130
    Aliases: feelinsonice.appspot.com

    I have checked off "Search Engines" in OpenDNS to block all search engines and then whitelisted Bing. The reason is because Google was being used for searching explicit images. Now, I could use Google SafeSearch, but all a user has to do is clear the cookies and it renders it useless. Bing, on the other hand, does not search for explicit images unless you go to explicit.bing.net (which is already blocked by OpenDNS if the pornography and adult content categories are ticked off).

    So I've had to monitor the stats to see necessary google sites being accessed (mail.google.com, accounts.google.com, www.youtube-nocookie.com, etc).

    I don't understand what is going on. The domain youtube.com is *only* categorized as Video Sharing. So I should at least be able to get to the domain. I understand that YouTube might use some services (from Google) that are categorized under search engine, but I had whitelisted a bunch of them that were being blocked. And YouTube worked fine yesterday.

  • threehappypenguins

    Uggghhh! It's doing it to talkgadget.google.com! It's categorized as Instant Messaging, Chat, so it shouldn't be blocked. Did another nslookup:

    C:\Windows\System32>nslookup talkgadget.google.com
    Server: (myserver)
    Address: 192.168.1.1

    Non-authoritative answer:
    Name: talkgadget.l.google.com
    Address: 67.215.65.130
    Aliases: talkgadget.google.com

  • threehappypenguins

    I need to edit one of my previous messages (need to take out the server name). Is there any way to do that? I wanted to change it to (myserver) for security purposes.

  • rotblitz

    According to your nslookup, youtube.com itself is not blocked, but subdomains or CDN domains (like www.youtube.com or ytimg.com) may still be blocked though.  This cannot be seen from your posting.  YouTube uses so many, many domains...

    feelinsonice.appspot.com is an alias for appspot.l.google.com which is apparently blocked by your settings.  67.215.65.130 (hit-adult.opendns.com) indicates that it is blocked by category.  Same for talkgadget.google.com being an alias for talkgadget.l.google.com.

    "I don't understand what is going on"

    But I understand.  Also real names of aliases (CNAMEs) are effective for blacklisting or whitelisting, of course, to prevent circumvention with another name.

    "I understand that YouTube might use some services (from Google)"

    No, even more, YouTube is Google.  If you block major parts of Google, it renders YouTube unusable too.  They share many domains and their aliases.
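Added example, not part of the thread or any poster's code: a small Python parser for pasted Windows `nslookup` output that flags the block-page address named above and lists both the alias and the CNAME target, since either name can be the one the filter matched. The function names are hypothetical; the only OpenDNS-specific value used is the 67.215.65.130 address quoted in the thread.

```python
import re

# Per the thread, 67.215.65.130 (hit-adult.opendns.com) means a category block.
BLOCK_PAGE_IPS = {"67.215.65.130": "blocked by category"}
FIELD = re.compile(r"^\s*(Server|Name|Address(?:es)?|Aliases):\s*(.*)$")

# Sample input: outputs posted in the thread (second one shortened).
BLOCKED = """Server:  (myserver)
Address:  192.168.1.1

Non-authoritative answer:
Name:    appspot.l.google.com
Address:  67.215.65.130
Aliases:  feelinsonice.appspot.com
"""
NOT_BLOCKED = """Non-authoritative answer:
Name:    youtube.com
Addresses:  2607:f8b0:400d:c01::5d
          173.237.115.231
"""

def parse_nslookup(text):
    """Split Windows nslookup output into resolver, name, addresses, aliases."""
    out = {"resolver": [], "name": None, "addresses": [], "aliases": []}
    in_answer, current = False, None
    for line in text.splitlines():
        m, bare = FIELD.match(line), line.strip()
        if m:
            current, value = m.group(1), m.group(2).strip()
        elif current and bare and " " not in bare:
            value = bare                  # indented continuation of a list
        else:
            current = None                # blank line, prompt or banner text
            continue
        if current == "Server":
            in_answer = False             # addresses here are the resolver's
        elif current == "Name":
            in_answer, out["name"] = True, value.rstrip(".")
        elif current.startswith("Address") and value:
            (out["addresses"] if in_answer else out["resolver"]).append(value)
        elif current == "Aliases" and value:
            out["aliases"].append(value.rstrip("."))
    return out

def diagnose(text):
    r = parse_nslookup(text)
    reasons = [BLOCK_PAGE_IPS[a] for a in r["addresses"] if a in BLOCK_PAGE_IPS]
    names = r["aliases"] + [r["name"]] if reasons else []
    return {"blocked": bool(reasons), "names_to_review": names}
```
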

  • threehappypenguins

    www.youtube.com is already whitelisted, and I whitelisted ytimg.com after your suggestion and it's still not working. I just need to figure out how it loads its videos so I can whitelist it... uggghhhhh!

    I wish there was some kind of workaround. I tried the other way around where I blocked google images by blacklisting:

    gstatic.com
    t0.gstatic.com
    t1.gstatic.com
    t2.gstatic.com
    t3.gstatic.com
    tbn.l.google.com

    It works... kind of. But the first few images still show up. Tried Googling and I can't find a workaround for that either (so far). I just simply want to block Google images (completely) and allow YouTube. Why does this have to be so difficult?! Hasn't ANYONE out there had any success?!

  • rotblitz

    "I just need to figure out how it loads its videos so I can whitelist it."

    This tool may be of big use: http://www.nirsoft.net/utils/dns_query_sniffer.html

    "I just simply want to block Google images (completely) and allow YouTube. Why does this have to be so difficult?!"

    Because of Google.  Some images are embedded in the HTML, not distinct image objects.  There is no way to block this with DNS methods.  SafeSearch is the way to go.
    See also https://support.opendns.com/categories/search?utf8=%E2%9C%93&query=google+image+search&for_search=1

  • rotblitz

    gstatic.com
    t0.gstatic.com
    t1.gstatic.com
    t2.gstatic.com
    t3.gstatic.com

    This is nonsense.  The entry gstatic.com already covers this and all subdomains, as is generally the case with any such whitelist/blacklist entries.

  • threehappypenguins

    I figured that. But I just added them anyway to see if something magical - like Google images being blocked - would happen. Still can't find out why the first set of Google images isn't being blocked. This is craaaazy.

  • threehappypenguins

    Safesearch is useless. You just have to clear the cookies and then be on your merry explicit images way.

  • threehappypenguins

    As for YouTube, I figured it out. I right-clicked on the page, went to source and started looking at the various domains it was calling on, one of which is googlevideo.com

    I whitelisted it, and, BINGO! Videos are streaming fine now. So I needed to whitelist youtube.com and googlevideo.com. I might still have needed ytimg.com whitelisted too. I'm going to take it off the whitelist and see what happens. I've run out of room, so I need to get stuff off there that doesn't need to be whitelisted.

  • cindelicato

    "Safesearch is useless. You just have to clear the cookies and then be on your merry explicit images way."

    I have to disagree; if you follow directions (and do not let kids use your Google account) you can pretty well lock-down most (but certainly not all) explicit results.

    https://support.google.com/websearch/answer/144686

  • rotblitz

    "Still can't find out why the first set of Google images isn't being blocked. This is craaaazy."

    I said it already:  Some images are embedded in the HTML, not distinct image objects.  You can block/whitelist domains only, not webpages, not part of webpages, not images, not keywords, not anything else.

    "Safesearch is useless. You just have to clear the cookies and then be on your merry explicit images way."

    Nope, you can make SafeSearch persistent.  It cannot be disabled by regular users then.  See the Google documentation.

  • threehappypenguins

    "I said it already:  Some images are embedded in the HTML, not distinct image objects.  You can block/whitelist domains only, not webpages, not part of webpages, not images, not keywords, not anything else."

    I didn't see your comment until after I replied the first time. Sorry.

    As for Safesearch, I DID lock it. With each and every browser. Then I experimented by clearing the cookies. And it was as if I never set Safe Search at all. Plus, the user can simply download another browser as a workaround. For example, I don't have Opera. So the user can go to Opera and download the browser.

    Google Safe Search is not *truly* lockable if all it goes on is the cookies and the cookies can be deleted.

  • threehappypenguins

    I need very comprehensive settings. I have DD-WRT firmware in the router, and port 53 blocked because the user was setting their own DNS. Blocking the port fixed the problem. So as you can see, Safe Search is not going to solve anything. This is at a friend's house. I use safe search at my house because I have small children and I want to protect their little eyes. They aren't going to go out of their way to look for porn. Safe Search is great to prevent accidental exposure. But it's not good to stop an addict who is seeking it out.

  • cindelicato

    "Plus, the user can simply download another browser as a workaround."

    Ah, now I see your problem.  If your users have ADMIN privileges then everything you're doing with respect to OpenDNS is for naught; the user will be able to defeat your efforts and see whatever content they want.

    Trust me: no one should surf as ADMIN. Ever.

  • cindelicato

    "Safe Search is great to prevent accidental exposure. But it's not good to stop an addict who is seeking it out."

    If you're trying to protect an addict, step one is to disconnect the device. THAT will be the only way to ensure compliance.

    Then, if you really believe that person needs online access, you MUST remove ADMIN privs.

    Otherwise you're fooling yourself if you think you're stopping an addict.

  • threehappypenguins

    My husband has gotten me to block all devices that connect to the internet (it was his request). It depends on the level of addiction. However, in my friend's case, I believe he is trying to prevent getting to that point. There are some issues, but not to the point of what it's like in my house. I may just convince him to have his kids sign into a separate profile.

    But even with taking away privileges, a standard user can still delete cookies. So how would I stop that?

  • cindelicato

    Assuming you are correct about deleting cookies to defeat Safe Search -- I've successfully locked down more than 6 desktops using this method, and the teens have tried in vain to beat it, so I can't verify your claim -- I suggest you raise your concern with Google, as it is their product.

    Kids SHOULD have their own profile.  Again NO ONE should be ADMIN while surfing; that's an invitation for malware.  It's also horrible practice that leads to system changes that the owner (the parents) do not want, including inappropriate (but not malware) software installations (i.e. Opera).  You need to minimize the attack vector that addicts, kids and malware authors have, and allowing users to be ADMIN is clearly detrimental to that cause.

    At this point, we're way into the weeds, far from OpenDNS specific.  Best of luck to you.

  • rotblitz

    "Then I experimented by clearing the cookies."

    Yes, as admin, right?  The same applies here.  Regular users cannot delete this persistent cookie for Google SafeSearch.  Your experiments simply don't apply with regular users.

    I fully agree with cindelicato: start your efforts by configuring user accounts and user rights correctly.  It saves you a lot of time and effort then, e.g. in conjunction with disabling Google SafeSearch, unwanted system settings changes (like DNS settings), installing unwanted programs and many more circumvention strategies and attacks.

    Also, addiction problems cannot be solved technically, but just therapeutically.  You'll have to wait another hundred years or so until you can switch on a machine to get rid of an addiction.....

  • threehappypenguins

    You're right that addiction problems cannot be solved technically... but porn is something that once is seen, cannot be unseen. And I know there are a lot of people that disagree with me on this, but each time porn is viewed the worse the destruction on a person gets. But I'm not trying to get in a debate. I'm just trying to help keep porn out of people's minds for our family and for a friend and for anyone else who wants to do so.

  • threehappypenguins

    Oh, and in case anybody else reading this also wishes to do something similar to what I did:

    whitelisting googlevideo.com will enable the videos to stream, and whitelisting ytimg.com will enable the thumbnail previews in YouTube. :)

  • threehappypenguins

    "Yes, as admin, right?  The same applies here.  Regular users cannot delete this persistent cookie for Google SafeSearch.  Your experiments simply don't apply with regular users."

    Did a little experiment. I went into a Standard User account, enabled Google Safe Search, locked it; and then I went to (in Internet Explorer) Tools > Internet Options, clicked on Delete... and then deleted everything (including cookies). Google Safe Search was wiped as if I never set it. All as a Standard User. No password protected UAC... nothing. So a Standard User can very easily delete it. I figured this would happen (since I have worked with Standard User accounts), and it's pretty easy to delete cookies (even 'persistent' ones).

    Google Safe Search is the way to go with small children who aren't trying to get around things and just protect them from accidental exposure.

  • rotblitz

    Hmm, I believe you followed https://support.google.com/websearch/answer/144686 only, right?

    Well, the next steps are to visit the location (directory / folder) where this cookie is as an admin.  Right-click it and apply the following properties:

    1. Set the cookie to read-only (or in a CMD window: attrib +r cookie.name).
    2. Security tab: set to modify for administrators only, and set to read-only for the rest of the world.

    Now try again to delete it as regular user.

  • opendnsbro

    i forgot i had dns router changed

  • rotblitz

    What?

  • opendnsbro

    how does one open a new topic as i can't, also i set it up for my home network but it was interfering so i deleted it, i set it back up and none of the categories are blocked which i chose

  • mattwilson9090

    Go to the top of the browser window, click on "Community Help", which will display a list of topics in this forum, and if a thread doesn't already exist for your problem, click "Ask a Question" to start a new thread.

    In your new thread provide full details of the problem you are having, including error messages, and if useful, screenshots, as well as full detail of what you did for setup as well as attempts at troubleshooting and repair.

  • opendnsbro

    never mind i was using family shield dns numbers instead of regular open dns, is it possible to unblock family shield preset websites like you can do with open dns?

    Also when i plug directly into ethernet cable (without router attached) it doesn't work with open dns but it does with family shield 

  • mattwilson9090

    No, you cannot whitelist any of the domains that are blocked by Family Shield. The only way you can modify Family Shield is if you have a dashboard account you can block additional categories or blacklist additional domains.

    If you plug your computer directly into your internet connection, other than exposing yourself to huge security risks, you are likely getting a new IP address. Unless you are also updating your IP address with your OpenDNS account "normal" OpenDNS won't work beyond recursive DNS. It's basically the same as taking a laptop or other device to a different network that isn't registered with OpenDNS. The IP address isn't recognized, so OpenDNS doesn't know to apply your settings.

    Family Shield continues to work when you do that because it doesn't need a registered IP address to work. Of course if you set up a dashboard account and block additional categories or domains those additional items won't be blocked either, since it's dependent on your IP address being registered.
