My OpenDNS is not blocking web sites

Comments

79 comments

  • Avatar
    rotblitz

    As you can see, you use fe80::22aa:4bff:fe84:52c5 as your DNS resolver address which is not an OpenDNS address.  So you use OpenDNS randomly at best.

    As I said above on May 15, 2015, 11:09 already, you need to disable IPv6 connectivity on the router or on the computer.  The enhanced features like content filtering and stats do not work with IPv6 yet.  You can vote for IPv6 support here: https://support.opendns.com/entries/21786344

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    I may be partially wrong with my first section.  This fe80::22aa:4bff:fe84:52c5 is your router's IPv6 DNS resolver address, and you may have configured your router with the OpenDNS IPv6 sandbox resolvers, because Akamai sees an OpenDNS Chicago router address 208.69.36.11 from you.  But as you cannot register an IPv6 address at your dashboard, the second section still applies: you cannot use the enhanced features beyond pure recursive DNS with IPv6 yet.

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    Thank you RotBlitz. I appreciate you investing your time. Granted I had seen that point up above about IPV6.I had turned off the Wan6 Interface on OpenWRT as a result. However I didn't know what to look for in that result so I posted it here. Any chance you know or can guide me on what else to turn off in OpenWRT ? I don't know what that mac address or ipv6 address is or which interface is that.

    Yes I do know, I should go post this on the openwrt forum instead of here. But I genuinely do not know what to ask there.

    I did go vote on the link you provided.

     

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    After More Sleuthing around the OpenWRT settings, I now have,

    C:\Users>nslookup whoami.akamai.net.
    Server:  Router.lan
    Address:  192.168.0.1

    Non-authoritative answer:
    Name:    whoami.akamai.net
    Address:  208.69.36.11

    So does that mean the IPV6 is shut down ? If so should the Filter apply now ?

     

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    "Yes I do know, I should go post this on the openwrt forum instead of here. But I genuinely do not know what to ask there."

    Yes, this is your best bet.  I can help you out.  The simple question would be: "How does one disable IPv6 connectivity in OpenWRT?"

    In addition, you could ask the more complex question: "Is it possible to force DNS traffic to go out over IPv4 instead of IPv6?"
    If someone had an answer for this, you'd really be fine, because you could still use IPv6 connectivity for everything else except for DNS traffic.
    This would be the ideal solution as long as OpenDNS do not support IPv6 for the enhanced features.

    "I did go vote on the link you provided."

    Great, thanks, this helps us all who would be able to use IPv6 but cannot yet if wanting to use OpenDNS.

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    Thank you. I will go ask that question. Now that you explained it, it makes sense to me.

    Did you see second post I made since then after removing the IPV6 ?

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    "So does that mean the IPV6 is shut down ? If so should the Filter apply now ?"

    Not sure, this could be a random result.  What does this command return?

       nslookup whoami.akamai.net.  fe80::22aa:4bff:fe84:52c5

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    C:\Users>nslookup whoami.akamai.net.  fe80::22aa:4bff:fe84:52c5
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  fe80::22aa:4bff:fe84:52c5

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed-out

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    It looks like that DNS traffic via IPv6 is not possible anymore.  IPv6 is shutdown at least for DNS.  This is what you want unless it causes any kind of trouble instead of meeting your expectations about content filtering.

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    Thanks for confirming. Since my ISP does not issue IPV6 addresses anyway, I shut down that interface.

    However, youtube is still not gone. For a minute I got "Unable to connect" error on that website. It did not give the OpenDNS Block page with my custom message. So I changed the block page back to default and tried again. This time youtube was back.

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    Correction, after flushing DNS with

    /etc/init.d/dnsmasq restart

    youtube appears gone again. I still get "Unable to connect" in firefox instead of OpenWRT Block Page.

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    Oh and, youtube app on Android is still able to access content.

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    Yes, your problem with YouTube was a caching problem.  If you want settings changes to take effect immediately, you must always flush your local resolver cache and your browser cache, else you will be served with outdated content from these caches.

    "I still get "Unable to connect" in firefox instead of OpenWRT Block Page."

    Did you mean "OpenDNS Block Page" instead?  Nothing is easier than to prove if this is a DNS problem our a browser problem:

        nslookup www.youtube.com.

    If this returns an OpenDNS IP address, then it is blocked by OpenDNS, no matter what the browser makes out of it.  The rest is a browser problem.

    "Oh and, youtube app on Android is still able to access content."

    I have seen that many smart device apps use IP addressing instead of hostnames which means they do not make use of DNS.  Nothing what goes to OpenDNS then, so OpenDNS cannot do anything for you.  Your option is to block the related IP address ranges on the router.

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    Thanks for taking the time.

    1. Yes I was going to say OPENDNS Block page but wrote OpenWRT instead. There's no way to edit these posts.

    2. Output of the command is


    C:\Users>nslookup www.youtube.com.
    Server:  Router.lan
    Address:  192.168.0.1

    Non-authoritative answer:
    Name:    www.youtube.com
    Addresses:  146.112.61.104
              146.112.61.104

    I don't think that's a OpenDNS IP. It does not appear to be Youtube IP either. From what I can tell, for every device, my Router is the DNS lookup. I want this to be the case anyway.

    As to Smart Devices, you could be right. If I search for youtube on google and click one of the resulting links, I can still access Youtube.

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    "I don't think that's a OpenDNS IP."

    Don't think, but measure.  Your thought is wrong.


    nslookup 146.112.61.104
    Server:  dns1.lcoal.prv
    Address:  10.165.161.13

    Name:    hit-block.opendns.com
    Address:  146.112.61.104


    That shown, www.youtube.com is indeed blocked for you by OpenDNS, by your "always block" list.

    "From what I can tell, for every device, my Router is the DNS lookup. I want this to be the case anyway."

    Not sure if I understand.  What is "this"?

    "If I search for youtube on google and click one of the resulting links, I can still access Youtube."

    Is this on a smart device?  If so, then this smart device ignores or circumvents your settings in some way, e.g. by using Google's proxy (cache) service, or your settings are wrong.  Visit http://welcome.opendns.com/ on this smart device to see if you're using OpenDNS at all on it.  If not, you cannot expect your filtering settings taking effect as long as you don't use OpenDNS.

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    Ok So OpenDNS is indeed blocking the site when On a PC. Especially where welcome page has confirmed that I am using openDNS.So this takes care of the main problem. I understand your point about smart devices using Google Proxy or IP Access.

    Another issue, bit less critical, On the PC, where OpenDNS is confirmed to have blocked, now instead of the Blocking Page I expect to get (like for internetbadguys ), I get "Unable to connect" page. However, if I go into my settings and switch to default block page instead of custom message, then I get standard block page. https://block.opendns.com/?url=9080868586677015688078&server=chi15&prefs=&tagging=&nref is the URL in question when I get Unable to connect.

    As to smart devices, welcome page confirmed that I am using OpenDNS. Accessing straight up youtube.com via browser gives me the same error/message as above. Youtube app is using something else to circumvent my connection and that has nothing to do with OpenDNS as you said.

     

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    "Especially where welcome page has confirmed..." should read "Only in case where welcome page has confirmed...".

    "I get "Unable to connect" page. However, if I go into my settings and switch to default block page instead of custom message, then I get standard block page."

    I visited that long URL you provided, and I get the normal OpenDNS block page.  As a proof, your customized message for youtube.com is "Access to this page was blocked because it may contain security threats".

    I would assume your browser or something specific to your environment is causing to get "Unable to connect".  You had to run a network or browser trace to see what's going on.  But no worries, the domain is blocked either way, as you want.

    "Accessing straight up youtube.com via browser gives me the same error/message as above."

    Yes, this is what I would have expected, because you must use DNS for name resolution in this case, so OpenDNS can do its job.

    "Youtube app is using something else to circumvent my connection and that has nothing to do with OpenDNS as you said."

    Correct.  This is what I have experienced with the smart devices in my household too.  I have a special sophisticated AVM router where I can block and report entering IP addresses for web access (i.e. cases were DNS is not being used), and I collected hundreds of those IP addresses in between, short time after the smart devices connected via WLAN.  These addresses were often registered to Google (which is the owner of YouTube), but also to other companies offering smart device apps for Android and iOS.  The only way to block this is to use a router supporting blocking this as mine, or to block the related IP address ranges outgoing if supported by the router, also as mine.

    0
    Comment actions Permalink
  • Avatar
    wrtdns

    My custom Message is set to

    "There are problems accessing content on the website. Please check back again later."

    not the one you mentioned. But if you're saying that link resolves to OpenDNS page, then could it be that openDNS depends on certain browsers for this url to work ? Anyway that's academic excercise anyway, since core purpose of blocking the website is served and I need to find alternate ways to block the app.

    0
    Comment actions Permalink
  • Avatar
    cobalt-phoenix

    "could it be that openDNS depends on certain browsers for this url to work ?"

    Certainly.  This is the case with nearly all web pages in the world.  It's the browser interpreting them.

    0
    Comment actions Permalink
  • Avatar
    crytical

    Like everyone else I'm having the same issue. I'm using a Mac so I'm not sure how to post the txt file that you are needing. I get the oops page as well. My ISP match up, DHCP is disabled and IPv6 is disabled. I've reset the router, cleared my cp cache along with OpenDNS cache. Please help

    0
    Comment actions Permalink
  • Avatar
    crytical

    I can't edit my account so I'm posting some screen shots that are confusing me about my IP. Which one is it? 




    Screenshot at Aug 12 11-03-34.png
    Screenshot at Aug 12 11-04-44.png
    Screenshot at Aug 12 11-06-12.png
    0
    Comment actions Permalink
  • Avatar
    wrtdns

    @Crytical

    The one 72.174.21.60 looks like ISP issued address. From screen 1 seems like the OpenDNS is perhaps not updated with this IP. The 3rd screen is confusing. It makes it seem like OpenDNS is updated.

    What do you see when you try the blocked site ?

    0
    Comment actions Permalink
  • Avatar
    crytical

    Checking the blocked site I get this. "InternetBadGuys.com is only a demonstration site." Grrrr.....  

    I updated my ISP using the OpenDNS updater.




    Screenshot at Aug 12 11-54-27.png
    0
    Comment actions Permalink
  • Avatar
    rotblitz

    Oops, this thread is very full and started one and a half year ago.  It would have been better you opened a thread on your own... :(

    What does "My ISP match up" mean, and why and where did you disable DHCP?  Was the latter part of any instruction to use OpenDNS?
    Also what is a "cp cache", and what is the "OpenDNS cache"?  All these sound suspect...

    And what does "I can't edit my account" mean?  Why would you need to edit your account?  What account?

    Well, checking your screen shots, it seems you're facing a so called "IP address mismatch", i.e. your ISP does funny things and routes your DNS traffic differently from your web traffic, so the internet will see two different IP addresses from you.  In this case it's hard to use OpenDNS with its enhanced features unless your ISP can change the behavior.

    In order to see more, copy & paste the complete plain text output of the following diagnostic commands here, taken from your Mac's terminal window:

       nslookup -type=txt debug.opendns.com.

       nslookup -type=txt debug.opendns.com. 208.67.220.220

       nslookup whoami.akamai.net.

    Also, what IP address does http://myip.dnsomatic.com/ return?

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    "I updated my ISP using the OpenDNS updater."  -  This is impossible, no way!

    0
    Comment actions Permalink
  • Avatar
    crytical

    I didn't want to start a new thread as some forums despise that. 

    My ISP match up. I meant that my IP addresses match up from my OpenDNS home page and asking Google what my IP address is. 72.174.21.60

    Disable DHCP  I was having constant wireless internet drops from my router. Once I disabled DHCP in my router the problem seemed to have been fixed as I no longer have drops in my internet connection.

    Use OpenDNS I only want to block a few websites so the children can't access....

    CP Cache More specifically, web browser cache, OpenDNS cache can be found under advanced settings. It was mentioned in another thread to try this route if the websites weren't being blocked.

    Can't edit my account I meant post. 

     

    Server: 192.168.0.1

    Address: 192.168.0.1#53

     

    ** server can't find debug.opendns.com.: NXDOMAIN

    nslookup -type=txt debug.opendns.com. 208.67.220.220

    Server: 208.67.220.220

    Address: 208.67.220.220#53

     

    Non-authoritative answer:

    debug.opendns.com text = "server 11.dfw"

    debug.opendns.com text = "flags 20 0 8050 1950000370000010020"

    debug.opendns.com text = "originid 52846173"

    debug.opendns.com text = "actype 2"

    debug.opendns.com text = "bundle 8980461"

    debug.opendns.com text = "source 72.174.21.60:64286"

     

    Authoritative answers can be found from:

     

    nslookup whoami.akamai.net.

    Server: 192.168.0.1

    Address: 192.168.0.1#53

     

    Non-authoritative answer:

    Name: whoami.akamai.net

    Address: 69.144.127.38

     

    myip.dnsomatic.com = 72.174.21.60

    Hope all this helps. 

     

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    It does help!

    It's really hard to understand you if you use different and own terms, like "ISP" instead of "IP", "my OpenDNS home page" instead of whatever, "CP cache" instead of browser cache, "edit" instead of "post", etc... :(

    "Disable DHCP  I was having constant wireless internet drops from my router."

    This item is then totally unrelated to OpenDNS and its use.  You shouldn't have it mentioned here.

    "More specifically, web browser cache"

    Beside the browser cache, don't forget to flush the DNS resolver cache too: https://support.opendns.com/entries/26336865

    "OpenDNS cache can be found under advanced settings"  -  Where are these "advanced settings"?  At the OpenDNS dashboard or on the computer?
    Is it this? http://cachecheck.opendns.com/ - Well you cannot solve any of your listed problems with this tool.

    Now to your outputs:...

    Currently your DNS queries go to Charter's DNS service, not to OpenDNS, therefore your OpenDNS settings cannot take effect.  This looks as if you had not configured the OpenDNS resolver addresses 208.67.2**.*** on the router at 192.168.0.1 or on your computer, or this configuration doesn't take effect but is successfully ignored.  Review this part of configuration or post a screen shot of where these addresses are configured.

    The good news, if your DNS queries would be sent to OpenDNS, everything would work perfectly.  There is no IP address mismatch, and your IP address is 72.174.21.60 for both, DNS and web traffic, and your OpenDNS dashboard is correctly updated with it.

    0
    Comment actions Permalink
  • Avatar
    crytical

    "This looks as if you had not configured the OpenDNS resolver addresses 208.67.2**.*** on the router at 192.168.0.1"

    I was able to solve the issue by entering:

    • 208.67.222.222
    • 208.67.220.220

    into the DNS server.

    Everything works great now thanks for being patient and helping out.




    Screenshot at Aug 12 13-53-23.png
    Screenshot at Aug 12 13-40-05.png
    0
    Comment actions Permalink
  • Avatar
    rotblitz

    Well, if you followed the instructions provided for setting up OpenDNS, this is the first step.  Not sure why you did it differently, starting with something else...

    0
    Comment actions Permalink
  • Avatar
    Duke6marlo
    The open dns checker says it is working and yet nothing is being blocked. I have configured the router. I have changed the settings in the control panel. I have clicked the link to check and open dns says I am protected. Again, nothing is being blocked.
    0
    Comment actions Permalink

Please sign in to leave a comment.