OpenDNS won't stop blocking a website
For some reason Snapchat is blocked and I can't figure out why. When I try to access it, I'm blocked and it states, "This site was categorized in: Instant Messaging, Chat, Video Sharing, Photo Sharing"
NONE of those categories are checked off (I have custom settings). I tried ipconfig /flushdns and it's still not working. It's been hours. What is going on?
-
Check your blocked domains at https://dashboard.opendns.com/stats/all/blockeddomains to see what related domains are blocked, and add those to your "never block" list.
If you want to know why it is blocked for your, post the following command output:
nslookup example.com.
where example.com is the domain name being blocked as found in your stats.""This site was categorized in: Instant Messaging, Chat, Video Sharing, Photo Sharing""
"NONE of those categories are checked off (I have custom settings)."Don't worry. This is for your information only. It is not the reason why it is blocked for you.
-
YouTube is doing it now too. I whitelisted just snapchat.com, and I can access the website now. I am trying to determine if snapchat works now. Last night while scrolling through the stats, it showed that l.google.com was blocked (feelinsonice.appspot.com is a snapchat server; and in nslookup the name of the server is appspot.l.google.com). But when I would click on it, it would say, "This domain is no longer blocked."
Now this morning, YouTube is doing the same thing. I can see *.youtube.com in the list of blocked domains, but when I click on it, it would say "This domain is no longer blocked." Yet when I go to youtube.com it is blocked by OpenDNS.
The following was my nslookup for youtube.com:
C:\Windows\system32>nslookup youtube.com
Server: (myserver)
Address: 192.168.1.1Non-authoritative answer:
Name: youtube.com
Addresses: 2607:f8b0:400d:c01::5d
173.237.115.231
173.237.115.216
173.237.115.232
173.237.115.227
173.237.115.221
173.237.115.217
173.237.115.226
173.237.115.247
173.237.115.251
173.237.115.242
173.237.115.236
173.237.115.241
173.237.115.246
173.237.115.212
173.237.115.237
173.237.115.222And I checked feelinsonice.appspot.com:
C:\Windows\system32>nslookup feelinsonice.appspot.com
Server: Kubik
Address: 192.168.1.1Non-authoritative answer:
Name: appspot.l.google.com
Address: 67.215.65.130
Aliases: feelinsonice.appspot.comI have checked off "Search Engines" in OpenDNS to block all search engines and then whitelisted Bing. The reason is because Google was being used for searching explicit images. Now, I could use Google SafeSearch, but all a user has to do is clear the cookies and it renders it useless. Bing, on the other hand, does not search for explicit images unless you go to explicit.bing.net (which is already blocked by OpenDNS if the pornography and adult content categories are ticked off).
So I've had to monitor the stats to see necessary google sites being accessed (mail.google.com, accounts.google.com, www.youtube-nocookie.com, etc).
I don't understand what is going on. The domain youtube.com is *only* categorized as Video Sharing. So I should at least be able to get to the domain. I understand that YouTube might use some services (from Google) that are categorized under search engine, but I had whitelisted a bunch of them that were being blocked. And YouTube worked fine yesterday.
-
Uggghhh! It's doing it to talkgadget.google.com! It's categorized as Instant Messaging, Chat, so it shouldn't be blocked. Did another nslookup:
C:\Windows\System32>nslookup talkgadget.google.com
Server: (myserver)
Address: 192.168.1.1Non-authoritative answer:
Name: talkgadget.l.google.com
Address: 67.215.65.130
Aliases: talkgadget.google.com -
According to your nslookup, youtube.com itself is not blocked, but subdomains or CDN domains (like www.youtube.com or ytimg.com) may still be blocked though. This cannot be seen from your posting. YouTube use so many many domains...
feelinsonice.appspot.com is an alias for appspot.l.google.com which is apparently blocked by your settings. 67.215.65.130 (hit-adult.opendns.com) indicates that it is blocked by category. Same for talkgadget.google.com being an alias for talkgadget.l.google.com.
"I don't understand what is going on"
But I understand. Also real names of aliases (CNAMEs) are effective for blacklisting or whitelisting, of course, to prevent from circumventing with another name..
"I understand that YouTube might use some services (from Google)"
No, even more, YouTube is Google. If you block major parts of Google, it renders YouTube unusable too. They share many domains and their aliases.
-
www.youtube.com is already whitelisted, and I whitelisted ytimg.com after you suggestion and its still not working. I just need to figure out how it loads its videos so I can whitelist it... uggghhhhh!
I wish there was some kind of workaround. I tried the other way around where I blocked google images by blacklisting:
gstatic.com
t0.gstatic.com
t1.gstatic.com
t2.gstatic.com
t3.gstatic.com
tbn.l.google.comIt works... kind of. But the first few images still show up. Tried Googling and I can't find a workaround for that either (so far). I just simply want to block Google images (completely) and allow YouTube. Why does this have to be so difficult?! Hasn't ANYONE out there had any success?!
-
"I just need to figure out how it loads its videos so I can whitelist it."
This tool may be of big use: http://www.nirsoft.net/utils/dns_query_sniffer.html
"I just simply want to block Google images (completely) and allow YouTube. Why does this have to be so difficult?!"
Because of Google. Some images are embedded in the HTML, not distinct image objects. There is no way to block this with DNS methods. SafeSearch is the way to go.
See also https://support.opendns.com/categories/search?utf8=%E2%9C%93&query=google+image+search&for_search=1 -
As for YouTube, I figured it out. I right clicked on the page, went to source and started looking and various domains it was calling on; one of which is googlevideo.com
I whitelisted it, and, BINGO! Videos are streaming fine now. So I needed to whitelist youtube.com and googlevideo.com. I might still have needed ytimg.com whitelisted too. I'm going to take it off the whitelist and see what happens. I've run out of room, so I need to get stuff off there that don't need to be whitelisted.
-
Safesearch is useless. You just have to clear the cookies and then be on your merry explicit images way.
I have to disagree; if you follow directions (and do not let kids use your Google account) you can pretty well lock-down most (but certainly not all) explicit results.
-
"Still can't find out why the first set of Google images isn't being blocked. This is craaaazy."
I said it already: Some images are embedded in the HTML, not distinct image objects. You can block/whitelist domains only, not webpages, not part of webpages, not images, not keywords, not anything else.
"Safesearch is useless. You just have to clear the cookies and then be on your merry explicit images way."
Nope, you can make SafeSearch persistent. It cannot be disabled by regular users then. See the Google documentation.
-
"I said it already: Some images are embedded in the HTML, not distinct image objects. You can block/whitelist domains only, not webpages, not part of webpages, not images, not keywords, not anything else."
I didn't see your comment until after I replied the first time. Sorry.
As for Safesearch, I DID lock it. With each and every browser. Then I experimented by clearing the cookies. And it was as if I never set Safe Search at all. Plus, the user can simply download another browser as a workaround. For example, I don't have Opera. So the user can go to Opera and download the browser.
Google Safe Search is not *truly* lockable if all it goes on is the cookies and the cookies can be deleted.
-
I need very comprehensive settings. I have DD-WRT firmware in the router, and port 53 blocked because the user was setting their own DNS. Blocking the port fixed the problem. So as you can see, Safe Search is not going to solve anything. This is at a friend's house. I use safe search at my house because I have small children and I want to protect their little eyes. They aren't going to go out of their way to look for porn. Safe Search is great to prevent accidental exposure. But it's not good to stop an addict who is seeking it out.
-
Plus, the user can simply download another browser as a workaround.
Ah, now I see your problem. If your users have ADMIN privileges then everything you're doing with respect to OpenDNS is for naught; the user will be able to defeat your efforts and see whatever content they want.
Trust me: no one should surf as ADMIN. Ever.
-
Safe Search is great to prevent accidental exposure. But it's not good to stop an addict who is seeking it out.
If you're trying to protect an addict, step one is to disconnect the device. THAT will be the only way to ensure compliance.
Then, if you really believe that person needs online access, you MUST remove ADMIN privs.
Otherwise you're fooling yourself if you think you're stopping an addict.
-
My husband has gotten me to block all devices that connect the internet (it was his request). It depends on the level of addiction. However, in my friend's case, I believe he is trying to prevent getting to that point. There are some issues, but not to the point of what it's like in my house. I may just convince him to have his kids sign into a separate profile.
But even with taking away privileges, a standard user can still delete cookies. So how would I stop that?
-
Assuming you are correct about deleting cookies to defeat Safe Search -- I've successfully locked down more than 6 desktops using this method, and the teens have tried in vain to beat it, so I can't verify your claim -- I suggest you raise your concern with Google, as it is their product.
Kids SHOULD have their own profile. Again NO ONE should be ADMIN while surfing; that's an invitation for malware. It's also horrible practice that leads to system changes that the owner (the parents) do not want, including inappropriate (but not malware) software installations (i.e. Opera). You need to minimize the attack vector that addicts, kids and malware authors have, and allowing users to be ADMIN is clearly detrimental to that cause.
At this point, we're way into the weeds, far from OpenDNS specific. Best of luck to you.
-
"Then I experimented by clearing the cookies."
Yes, as admin, right? The same applies here. Regular users cannot delete this persistent cookie for Google SafeSearch. Your experiments simply don't apply with regular users.
I fully agree with cindelicato: start your efforts by configuring user accounts and user rights correctly. It saves you lot of time and efforts then, e.g. in conjunction with disabling Google SafeSearch, unwanted system settings changes (like DNS settings), installing unwanted programs and much more circumvention strategies and attacks.
Also, addiction problems cannot be solved technically, but just therapeutically. You'll have to wait another hundred years or so until you can switch on a machine to get rid of an addiction.....
-
You're right that addiction problems cannot be solved technically... but porn is something that once is seen, cannot be unseen. And I know there are a lot of people that disagree with me on this, but each time porn is viewed the worse the destruction on a person gets. But I'm not trying to get in a debate. I'm just trying to help keep porn out of people's mind's for our family and for a friend and for anyone else who wants to do so.
-
Yes, as admin, right? The same applies here. Regular users cannot delete this persistent cookie for Google SafeSearch. Your experiments simply don't apply with regular users.
Did a little experiment. I went into a Standard User account, enabled Google Safe Search, locked it; and then I went to (in Internet Explorer) Tools > Internet Options, clicked on Delete... and then deleted everything (including cookies). Google Safe Search was wiped as if I never set it. All as a Standard User. No password protected UAC... nothing. So a Standard User can very easily delete it. I figured this would happen (since I have worked with Standard User accounts), and it's pretty easy to delete cookies (even 'persistent' ones).
Google Safe Search is the way to go with small children who aren't trying to get around things and just protect them from accidental exposure.
-
Hmm, I believe you followed https://support.google.com/websearch/answer/144686 only, right?
Well, the next steps are to visit the location (directory / folder) where this cookie is as an admin. Right-click it and apply the following properties:
- Set the cookie to read-only (or in a CMD window: attrib +r cookie.name).
- Security tab: set to modify for administrators only, and set to read-only for the rest of the world.
Now try again to delete it as regular user.
-
Go to the top of the browser windows, click on "Community Help", which will display a list of topics in this forum, and if a thread doesn't already exist for your problem, click "Ask a Quesiton" to start a new thread.
In your new thread provide full details of the problem you are having, including error messages, and if useful, screenshots, as well as full detail of what you did for setup as well as attempts at troubleshooting and repair.
-
nevermnd i was using family shield dns numbers instead of regular open dns, is it possible to unblock family shield preset websites like you can do with open dns?
Also when i plug directly into ethernet cable (without router attached) it doesn't work with open dns but it does with family shield
-
No, you cannot whitelist any of the domains that are blocked by Family Shield. The only way you can modify Family Shield is if you have a dashboard account you can block additional categories or blacklist additional domains.
If you plug your computer directly into your internet connection, other than exposing yourself to huge security risks, you are likely getting a new IP address. Unless you are also updating your IP address with your OpenDNS account "normal" OpenDNS won't work beyond recursive DNS. It's basically the same as taking a laptop or other device to a different network that isn't registered with OpenDNS. The IP address isn't recognized, so OpenDNS doesn't know to apply your settings.
Family Shield continues to work when you do that because it doesn't need a registered IP address to work. Of course if you set up a dashboard account and block additional categories or domains those additional items won't be blocked either, since it's dependent on your IP address being registered.
Please sign in to leave a comment.
Comments
33 comments