OpenDNS has Stopped Working

Comments

24 comments

  • rotblitz

    It is essential that you have the correct IP address information registered with OpenDNS.

    https://dashboard.opendns.com/settings/

  • magdiel1975

    Hi joannamakk..

    Mine has stopped working as well. From time to time I like to check and make sure OpenDNS is doing what it's supposed to, so a few days ago, I checked and I was able to pull up websites that were not supposed to be pulling up... So, I checked my router settings and everything is fine there.. 208.67.222.123 - 208.67.220.123, as I use the FamilyShield DNS IP. - I also opened CMD and flushed the cache by typing ipconfig /flushdns. I get a msg that says "Successfully flushed the DNS Resolver Cache" -

    I also cleared the history and cache on all the internet browsers I use (Chrome, Firefox and IE) and rebooted the computer - Nothing has worked.. I even installed a fresh Win 7 Pro on a laptop I have and it still does not work.. even if I set the FamilyShield DNS directly on the DNS settings of the computer (TCP/IPv4).. I also noticed that I am unable to create a ticket with OpenDNS because I get a webpage saying.. "Oh no. Something went wrong, we've been notified about this issue and we'll take a look at it ASAP"... maybe this has something to do with the filters not working?.. It's been a few days now.

  • magdiel1975

    Oh, I forgot to mention that I have also reset my router settings to factory and applied the DNS IPs again..but no change.

  • rotblitz

    Post the complete plain text output of the following diagnostic commands here:

       nslookup -type=txt debug.opendns.com.

       nslookup -type=txt which.opendns.com. 208.67.220.123

       nslookup www.exampleadultsite.com.

       netsh interface ip show dns

  • magdiel1975

    You mean using CMD? - Do I input each of those commands in CMD and post the results?

  • Patrick Colford

    Yes, you can either post the results as a screenshot or type the output as a reply.

  • magdiel1975

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\Magdiel>nslookup -type=txt debug.opendns.com.
    Server: unknown
    Address: 192.168.1.1

    *** unknown can't find debug.opendns.com.: Non-existent domain

    C:\Users\Magdiel>nslookup -type=txt which.opendns.com. 208.67.220.123
    Server: resolver2-fs.opendns.com
    Address: 208.67.220.123

    Non-authoritative answer:
    which.opendns.com text =

    "I am not an OpenDNS resolver."

    opendns.com nameserver = auth1.opendns.com
    opendns.com nameserver = auth2.opendns.com
    opendns.com nameserver = auth3.opendns.com
    auth1.opendns.com internet address = 208.69.39.2
    auth2.opendns.com internet address = 67.215.92.66
    auth3.opendns.com internet address = 208.69.39.2
    (root) ??? unknown type 41 ???

    C:\Users\Magdiel>nslookup www.exampleadultsite.com.
    Server: unknown
    Address: 192.168.1.1

    Non-authoritative answer:
    Name: www.exampleadultsite.com
    Addresses: 67.215.65.130
    67.215.92.210


    C:\Users\Magdiel>netsh interface ip show dns

    Configuration for interface "Wireless Network Connection"
    DNS servers configured through DHCP: 192.168.1.1
    Register with which suffix: Primary only

    Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP: 192.168.1.1
    Register with which suffix: Primary only

    Configuration for interface "VMware Network Adapter VMnet1"
    Statically Configured DNS Servers: None
    Register with which suffix: Primary only

    Configuration for interface "VMware Network Adapter VMnet8"
    Statically Configured DNS Servers: None
    Register with which suffix: Primary only

    Configuration for interface "Loopback Pseudo-Interface 1"
    Statically Configured DNS Servers: None
    Register with which suffix: Primary only


    C:\Users\Magdiel>

  • magdiel1975

    I have noticed the weirdest thing.. The filter does not work on any of the PC's connected to the router, but it works on the smartphones. - I just don't get why the desktops connected to the router do not work.. even after flushing the DNS cache on all of them and clearing the cache and history on all the browsers.. I just don't understand why all of a sudden it stopped working... I would maybe understand if 1 computer is not being filtered, but all 3 computers? - and the thing is, none of them accept the manually set DNS server.. they act as if there is no setting applied whatsoever on their network settings.




    dns settings.png

  • rotblitz

    It seems your ISP started to redirect your DNS queries to their own DNS service.

    Verify at https://dnsleaktest.com/

  • rotblitz

    That said, your DNS queries do not go to OpenDNS, but to something else, and your FamilyShield filtering indeed cannot take effect then.

    "I would maybe understand if 1 computer is not being filtered, but all 3 computers?"

    No reason to wonder, because this is a good sign of consistency, although not as you expect it to be.

    "The filter does not work on any of the PC's connected to the router, but it works on the smartphones."

    Then your smartphones use a different internet connection, right?  This makes sense, because these other internet connections may not have DNS hi-jacking enabled by their ISPs.

    Re dns settings.png (quick view), click Advanced and then go to the DNS tab to see if there are more than the two FamilyShield addresses configured.

  • magdiel1975

    "Then your smartphones use a different internet connection, right?"

    What do you mean by this?.. they are connected using the same wifi connection as the desktops.

    "click Advanced and then go to the DNS tab to see if there are more than the two FamilyShield addresses configured"

    I will check this once I get home.

  • rotblitz

    No matter, your command outputs clearly show that your DNS lookups are being redirected to a non-OpenDNS DNS service, whatever you configure.

    You may be able to circumvent this redirection by using DNSCrypt (http://dnscrypt.org/).

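How the two nslookup results posted above lead to that conclusion, as an added Python example that is not part of any poster's reply: it parses the outputs and reports where the answers really came from. The sample text is trimmed from the output in this thread; the function names are made up for the example.

```python
import re

# Sample input: the two nslookup results posted earlier in this thread (trimmed).
DEBUG_OUT = """\
Server: unknown
Address: 192.168.1.1

*** unknown can't find debug.opendns.com.: Non-existent domain
"""

WHICH_OUT = """\
Server: resolver2-fs.opendns.com
Address: 208.67.220.123

Non-authoritative answer:
which.opendns.com text =

"I am not an OpenDNS resolver."
"""

FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}  # addresses from the thread
NOT_OPENDNS = "I am not an OpenDNS resolver."


def parse_nslookup(text):
    """Pull out the server address, the NXDOMAIN flag and quoted TXT strings."""
    addr = re.search(r"^\s*Address:\s*(\S+)", text, re.M)
    return {
        "server": addr.group(1) if addr else None,
        "nxdomain": "Non-existent domain" in text,
        "txt": re.findall(r'^\s*"(.*)"\s*$', text, re.M),
    }


def diagnose(debug_out, which_out):
    """Return a list of findings about where the DNS queries really ended up."""
    findings = []
    dbg = parse_nslookup(debug_out)
    which = parse_nslookup(which_out)
    # debug.opendns.com only exists when OpenDNS itself answers the query.
    if dbg["nxdomain"]:
        findings.append(
            f"answer via default resolver {dbg['server']} did not come from OpenDNS")
    if NOT_OPENDNS in which["txt"]:
        if which["server"] in FAMILYSHIELD:
            # Asked OpenDNS directly, yet something else replied.
            findings.append(
                f"query sent to {which['server']} was answered by another "
                "resolver: DNS is intercepted before it reaches OpenDNS")
        else:
            findings.append(f"{which['server']} is not an OpenDNS resolver")
    return findings or ["no redirection detected in these outputs"]


if __name__ == "__main__":
    for finding in diagnose(DEBUG_OUT, WHICH_OUT):
        print("-", finding)
```

The second finding is the decisive one: the interception can sit anywhere between the application and OpenDNS, including on the PC itself.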
  • magdiel1975

    "click Advanced and then go to the DNS tab to see if there are more than the two FamilyShield addresses configured"

    checked, there are none.

    "your command outputs clearly show that your DNS lookups are being redirected to a non-OpenDNS DNS service,"

    but why is it only redirecting the desktop PCs and not the smartphones which are using the same router and are connected to the same wifi network?

  • rotblitz

    "why is it only redirecting the desktop PCs and not the smartphones which are using the same router and are connected to the same wifi network?"

    I don't know off-hand, because it is not my network.  If it is different, then it should be reflected also by visiting http://welcome.opendns.com/

    • On the PC:  Oops, you're not using OpenDNS.
    • On the smartphones:  You're using OpenDNS.

    Is this the case?

  • magdiel1975

    WOW.. you're not going to believe what the issue was... Friggin Avast "Secure DNS" was on.. I guess it must have turned on or maybe the feature was added on one of the updates.. Just in case someone else runs into this problem.. check Avast or your anti-virus software and make sure it's not bypassing your set DNS settings.

    I stumbled across this because I had turned off Avast (I can't remember why) and noticed that my computer was working fine and sites were being blocked, so turned on Avast and OpenDNS stopped working, so I was like, hmm.. so I went through the settings and found "Secure DNS" was ON.. turned it OFF and voila... went to the other computer and did the same thing and now all of the computers are working with OpenDNS as they were before... what a pain in the rear this was, lol

  • magdiel1975

    You know what?

    Now that I think about it.. that means that this is a loophole that anyone can use to bypass OpenDNS... how can a piece of software bypass the DNS settings of the router? - I really hope OpenDNS takes a look at this.

  • mattwilson9090

    Is the version of Avast you are using one of the "internet security" packages that are available from most vendors? I generally encourage people not to use those types of packages, only the "anti-virus only" version because the "internet security" versions do too much beyond protecting against viruses/malware, and often have "hidden" features, such as redirecting DNS or website or domain blocking that the average user doesn't know about, and then usually blames on something else, in this case OpenDNS.

    It's also why when someone gets a new or updated "security package" they need to go through *every single setting* to look for surprises or things that could break what you want to work.

  • mattwilson9090

    A piece of software could bypass the DNS settings of the router by bypassing all DNS calls originating from the computer and then using some non-traditional method to send DNS calls to wherever they like. There is nothing that OpenDNS can do about that since in order for OpenDNS to function it must get the traffic in the first place.

    There are ways to prevent this kind of thing from getting on the computer in the first place. The first is for no one to run the computer in administrator mode. That is one reason why businesses do not let their employees have administrator level access to the computers they use. It's also why families should not let children have admin level access. Yes, sometimes specific software has to be run that way, but then it is a choice between security risks and using that software. One side effect of this is that unauthorized software generally cannot be installed and run on the computer. (There are exceptions to that, such as Chrome, but even then there are ways to work around that).

    Another way is to keep antivirus and antimalware installed, running, and up to date.

    Another method is to not install software, plug-ins, or extensions that are not actually needed.

    Another method is to not use "internet security" packages that often go too far in what they do.

    All of this though comes down to local responsibility, making sure that a computer is properly configured and setup, that unauthorized software is not run on it, and that unauthorized people (and software) cannot run software on it that should not be run there.

  • magdiel1975

    I see what you mean..

    But for example, we use OpenDNS in our church. So, from time to time, we need to provide internet to some visitors via wifi. So, this means that if any of them have Avast Internet Security, and the "Secure DNS" enabled, there is nothing we can do about that. We can't control or change someone else's computer settings and we would not want to anyway. - The problem is that a visitor using the church's wifi is a potential threat to the organization because we would not have control of where that individual computer is going while surfing the net. - I know that we should invest in a proxy-server, but we are a small church and the resources are very limited and we are also lacking lots of knowledge as well. - I thought OpenDNS was a fast and cheap way to go around such things, but we have now realized there are too many loopholes.

  • mattwilson9090

    No security solution is one size fits all, protects against all threats, or can cover all situations. OpenDNS *is* a fast and cheap way to protect any network, but it can't protect against every potential threat out there. You have to examine what you are trying to protect against, and the capabilities a solution has.

    In your case, what threats to the organization are you concerned about? Are you concerned about one of these visitors using the WiFi and somehow accessing church computers or servers? Or is this just a vague concern about "hackers" somehow doing damage to something because someone went to a "bad site"? Or something else? It really does make a big difference.

    Why do you think you should invest in a proxy server?

    You are right that you can't control or change someone else's computer, but you *can* control what they access on your network. First of all, no visitor or guest should have access via WiFi or any other method to your business network, meaning the internal computers or servers that the church uses for its internal business, stores documents on etc. The reason they want access doesn't matter, they shouldn't have it.

    If however you want to provide WiFi to visitors that can be done without compromising the "business" network. Depending on how things are physically set up there you could get a separate access point (or a repurposed WiFi router) that is configured so that people connecting to it can only "see" the internet, and can't even see other laptops or other devices using the same WiFi connection. Alternatively, many modern WiFi routers also offer a guest WiFi option which accomplishes the same thing. Which route you choose depends on a number of factors, including where the users of WiFi might be located, potential numbers of expected users, etc. Exactly how you set it up depends on the individual hardware and the firmware that is on it.

    Once you have guests isolated to their own WiFi connection that is separated from all traffic other than accessing the internet is when you start considering services such as OpenDNS. Do you want it to protect your internal business network? I'd say that you would, for a number of different reasons. Do you want it to filter your guest network? Many places do, for various reasons that run from protecting their guests from potential threats, to not wanting certain kinds of traffic on their internet connection, such as adult related material.

    If OpenDNS is configured on your guest WiFi there are some ways to ensure that all port 53 traffic goes only to OpenDNS, but if something (like Avast) bypasses standard DNS and uses a different domain resolution scheme you might not have control of it. That is one reason to keep guest WiFi separated from the business network. Even if you use a different solution than OpenDNS there is always the chance that someone bringing their own computer onto your WiFi would have a way to bypass it. There is only so much you can do with equipment you don't own or control, so you need to consider that when offering guest access, how to control it, if the realistic risks are acceptable, and to remind everyone that there is *always* a risk when they connect their own equipment to someone else's network.

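An added illustration of the limit described in the reply above (not from the thread or from OpenDNS): given a log of outbound flows from a guest network, it separates clients whose port 53 traffic goes to the FamilyShield addresses from clients that use another resolver or send no port 53 traffic at all. The log format and every address except the two FamilyShield ones are constructed for the example.

```python
from collections import defaultdict

ALLOWED = {"208.67.222.123", "208.67.220.123"}  # FamilyShield, from the thread

# Constructed sample: "client dst_ip proto dst_port", one outbound flow per line.
FLOWS = """\
192.168.10.21 208.67.222.123 udp 53
192.168.10.21 203.0.113.80 tcp 443
192.168.10.34 198.51.100.53 udp 53
192.168.10.34 203.0.113.80 tcp 443
192.168.10.47 203.0.113.99 tcp 443
192.168.10.47 203.0.113.80 tcp 443
"""


def audit(flow_text, allowed=ALLOWED):
    """Classify each client by where its DNS (port 53) traffic goes."""
    dns_ok = defaultdict(int)   # client -> count of flows to allowed resolvers
    stray = defaultdict(set)    # client -> other resolvers contacted on port 53
    seen = set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue            # skip malformed lines
        client, dst, _proto, port = parts
        seen.add(client)
        if port == "53":
            if dst in allowed:
                dns_ok[client] += 1
            else:
                stray[client].add(dst)

    report = {}
    for client in sorted(seen):
        if stray[client]:
            # A port 53 allow-list on the router would block or redirect these.
            report[client] = ("port 53 to other resolver(s): "
                              + ", ".join(sorted(stray[client])))
        elif not dns_ok[client]:
            # The case a port 53 rule cannot see: names resolved another way.
            report[client] = "no port 53 traffic at all: names resolved some other way"
        else:
            report[client] = "ok"
    return report


if __name__ == "__main__":
    for client, verdict in audit(FLOWS).items():
        print(client, "->", verdict)
```

A client in the last category is not proof of a bypass (it may simply have cached answers), but it is the one a port 53 rule alone will never filter.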
  • magdiel1975

    Yes we have a guest wifi account for visitors. The concern of the church admin is of those users going to porn sites while connected through the church's internet, even though it's a guest account... it will show up as the church's IP address... so for example, if someone starts watching child porn using the church's internet connection, it could cause problems. - Let me ask you this.. with a proxy server, can Avast DNS bypass that as well or no?

  • mattwilson9090

    Realistically speaking, what problems could happen if someone starts watching child porn on your internet connection? I understand the concern about not wanting to facilitate it, but unless someone is actually saving it to church computers, a criminal case is not going to happen for a whole lot of reasons (at least in the US). If nothing else, despite what you see in movies and TV, an IP address is a lousy way to determine someone else's physical location or prove who did what on the internet. If that is the sole "evidence" against someone a first year law student could get an acquittal.

    There are many of what vendors call "proxy servers", and without knowing which one you are talking about, or what it can do, and without detailed knowledge of how Avast does what it does I can't even begin to guess if it would be effective at preventing that.

    That said, there are many ways for uncontrolled machines using guest WiFi to get to content you don't want them to get to. There are many proxy/anonymizer sites out there, as well as VPN's and things like TOR. All of them can be used to bypass services like OpenDNS and even local security/filtering devices. There is always a risk when providing guest WiFi that someone will get around what you try to block, since you don't have control over their device. If your church considers that to be a serious enough concern the only thing you can really do is turn it off, but don't base the decision solely on the possibility that someone could do bad or undesirable things with a specific feature in Avast. You really need to look at the totality of possibilities.

     

  • jmorin18

    I haven't read through all of your posts as I'm sure your issues are different than mine. However, I did find the solution to my specific problem a while back. If you go to the "Dashboard" and click the "Settings" page, it will give you a list of networks. Under the IP category, beside the IP number I noticed a green refresh button. I clicked that button (which disappeared thereafter) and the blocking was restored immediately.

    Again, I'm not sure if you guys' problems are caused by the same thing. But it's something you may want to look into. It may be related to the Dynamic IP thing, for which I am downloading the client to perhaps prevent the same thing from occurring again.

     

     

  • mattwilson9090

    No, having the current IP address registered with OpenDNS is not the cause of this issue. We already eliminated that possibility and it turned out his problem was something else entirely.

    That said, most problems that people have with OpenDNS seem to boil down to not having the correct IP address registered. What you described is the manual method of updating the IP address. The Updater, or something else that performs the same function, such as something built into a router's firmware, exists precisely to update your address whenever it changes. Without it, whenever your IP address changes OpenDNS will stop working until you update it again.
