OpenDNS Updater and filtering settings.

Comments

23 comments

  • Avatar
    rotblitz

    Post the complete plain text output of the following diagnostic commands here:

       nslookup -type=txt debug.opendns.com.

       nslookup www.exampleadultsite.com.

    0
    Comment actions Permalink
  • Avatar
    xxhuwm

    Hi, Rotblitz. Here are the results:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\User> nslookup -type=txt debug.opendns.com.
    Server:  resolver1.opendns.com
    Address:  208.67.222.222

    Non-authoritative answer:
    debug.opendns.com       text =

            "server 9.dfw"
    debug.opendns.com       text =

            "flags 20 0 2F4 5950800000000000000"
    debug.opendns.com       text =

            "originid 0"
    debug.opendns.com       text =

            "actype 0"
    debug.opendns.com       text =

            "source 201.***.***.1:23***"

     

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\User> nslookup www.exampleadultsite.com.
    Server:  resolver1.opendns.com
    Address:  208.67.222.222

    Non-authoritative answer:
    Name:    www.exampleadultsite.com
    Address:  67.215.92.210

     

    Thank you.

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    The problem with the filtering not working is because your network at https://dashboard.opendns.com/settings/ is not updated with your IP address 201.***.***.1.  Therefore OpenDNS cannot associate your DNS queries with your settings, and these cannot take effect.

    "Now the Updater shows: "Your OpenDNS filtering settings might not work due to DNS IP address (2...) and HTTP IP address (1...) mismatch.""

    Your DNS IP address is 201.***.***.1 (nslookup myip.opendns.com.), and your HTTP IP address is as of http://myip.dnsomatic.com/ If these are different, then your ISP does some tricky things with your internet connection, be it a proxy or NAT or caching.
    In order for your filtering settings and stats to take effect, your DNS IP address must be registered with OpenDNS, not your web IP address.

    And you may want to perform the following tests to see if there's something your ISP does with your connection.

    http://www.lagado.com/proxy-test
    http://www.lagado.com/tools/cache-test

    0
    Comment actions Permalink
  • Avatar
    xxhuwm

    Yes, the DNS IP starts with 201. and the HTTP IP starts with 177. (http://myip.dnsomatic.com/).

    Then they must be doing something differently because, as I said, it had been working just fine in 2014 and early 2015 (I haven't changed ISP).

     

    My results were:

    http://www.lagado.com/proxy-test

    The Raw Details

    Here are the raw details of the request received by this server.

    Remote   Host 177-***-**-**1-cable.cybercable.net.mx   IP Address 177.***.**.**1

    Request   Protocol HTTP/1.1   Method GET

    Request Headers

    Host www.lagado.com
    User-Agent Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept text/html,​application/xhtml+xml,​application/xml;q=0.9,​*/*;q=0.8
    Accept-Language en-GB,en;q=0.5
    Accept-Encoding gzip, deflate
    DNT 1
    Connection keep-alive

    This Server   Host www.lagado.com   IP Address 27.131.76.84

    Date: Friday 13 Mar 2015 6:22:28 GMT+1100

    Please Note: The conclusion that the request did not come via a proxy is based on the absense of the Via, Forwarded, X-Forwarded-For and Client-ip headers. It is still possible that a proxy is handling the request without announcing itself in the recommended way. (see rfc2616 & draft-ietf-http-v10-spec-01 & Squid Configuration Guide & Squid Release Notes 1.1)

     

    http://www.lagado.com/tools/cache-test

    · Serial number changed ("If the page serial number has changed you may not be using a caching proxy. To be more certain check the page age.")

    · The page was only a few seconds old ("If the page age is no more than a few seconds there is no evidence of caching occuring so a proxy is not evident; stop here - No Proxy Found")

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    Ok, most likely no proxy and no caching, but could still be NAT.

    As I said, you must register your DNS IP address at https://dashboard.opendns.com/settings/ to make filtering and stats work.  And you cannot use the usual updaters to keep it updated, because these would overwrite it with your web IP address. Therefore, registering your DNS IP address with OpenDNS makes sense only if your DNS IP address doesn't change.  You had to find this out by looking yourself or by asking your ISP.

    Alternatively, you can call up your ISP to find out why they route your DNS traffic differently from the rest of your traffic, and if there's a possibility to opt out from this different DNS traffic routing.

    0
    Comment actions Permalink
  • Avatar
    Kristy Patullo

    xxhuwm, would you please run the following diagnostic tool on one of the computers on your network and copy, paste and comment the URL of the results so that we can further investigate why you are seeing the mismatch error?:

    [Windows Diagnostic Tool](http://www.opendns.com/download/windows/diagnostic)
    [Mac Diagnostic Tool](http://www.opendns.com/download/mac/diagnostic)

    The link required after the test will look like the one found here:

    https://support.opendns.com/entries/21841580

    The results in the URL are only viewable to OpenDNS support staff and may reveal more information about why your DNS and HTTP IPs are different.

    0
    Comment actions Permalink
  • Avatar
    xxhuwm

    @Rotblitz Thank you for your help, my friend. I'll see if I can get any assistance from my ISP.

     

    @Kristy Here's the result: https://diagnostic.opendns.com/d/4823553283194880

    Thank you very much. :)

    0
    Comment actions Permalink
  • Avatar
    Kristy Patullo

    I'm not sure why this didn't come up when you initially ran the command nslookup -type=txt debug.opendns.com. for rotbliz, but I'm seeing Comcast's IPv6 DNS servers configured on your machine.  Please try using the instructions here to disable IPv6: https://support.opendns.com/entries/54333874 and see if that removes the mismatch error on the updater client.

    0
    Comment actions Permalink
  • Avatar
    xxhuwm

    Oh! I'm sorry, I've tried everything I can think of these last few days, so I implemented this (didn't work): https://support.opendns.com/entries/26056194-Does-OpenDNS-support-IPv6-  and I forgot to revert it.

    I also tried disabling IPv6, yesterday (and a few minutes ago, after I saw your reply), and it didn't work either.

    I reverted that setting to "Obtain DNS server address automatically": https://diagnostic.opendns.com/d/6004950945497088

     

    P.S. It seems like the DNS IP address remains the same (201...), after I reset the modem. It's only the HTTP IP address that changes.

    0
    Comment actions Permalink
  • Avatar
    Kristy Patullo

    Would you please disable IPv6 and re-run the diagnostic tool?  It may reveal what is actually happening but based on your current results that is the only issue I see.

    Once IPv6 is disabled please clear your caches and run the standard test here: https://www.dnsleaktest.com/ and confirm that you only see OpenDNS resolvers.  If you see a different DNS service please specify which one.

     

    0
    Comment actions Permalink
  • Avatar
    xxhuwm

    OK.

    · IPv6 disabled: https://diagnostic.opendns.com/d/5914294386425856

     

    · DNSleaktest: There's 5 servers (302 Direct Media LLC) and they all start with 204.194.238.

    0
    Comment actions Permalink
  • Avatar
    tedkramer

    Hi, I'm the original poster (I get an error when I try to login to the forum). Could someone from OpenDNS please have a look at the information I provided above?

    Thank you so much.

    0
    Comment actions Permalink
  • Avatar
    Alexander Harrison

    Based on the diagnostic test, it looks like your configuration is good; however, the IP registered to your Dashboard doesn't match your current IP. To resolve this, please confirm that your updater client in it's settings has the check box for "Send updates to DNS-O-Matic" not checked. 

    Note the servers 204.194.238.X are all part of our Dallas datacenter (you can see the list at https://www.opendns.com/data-center-locations/) and that confirms you are using OpenDNS on IPv4 at this time. 

    0
    Comment actions Permalink
  • Avatar
    tedkramer

    "Send updates to DNS-O-Matic" is unchecked.

    OpenDNS Updater still shows: "Your OpenDNS filtering settings might not work due to DNS IP address (201.130...) and HTTP IP address (177.249...) mismatch. Learn more."

    0
    Comment actions Permalink
  • Avatar
    Alexander Harrison

    I can confirm that your DNS IP is the 201 one, and the HTTP one may be a proxy on network. To test for one, use the following tests:

    What do you see when you visit the following four websites:
    http://myip.dnsomatic.com
    https://myip.dnsomatic.com (you may need to accept the security certificate exception, but it is safe to proceed to this site)
    http://www.whatismyip.com
    http://www.lagado.com/proxy-test
    Also, would you mind sending in a screenshot of the updater client? Instructions to take a screenshot can be found here: http://take-a-screenshot.org. You may wish to do so to support@opendns.com to post it privately (and update this to let us know you've submitted one). 

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    How frustrating is this?  Most tests have been performed and the results posted above already...

    Summarizing:

    • He does have a DNS and web IP address mismatch: DNS IP address (201.130.***.1) and HTTP IP address (177.249.***.**1.)
    • It seems he is not behind a proxy or caching server, so the ISP or peering network carriers may just do different routing for DNS and web traffic.
    • He's located in Mexico and uses the OpenDNS Dallas DC.
    • The IP address registered with his dashboard isn't the DNS IP address.
    • He should not run an updater, because this would update the dashboard with the web IP address.
    • He must keep IPv6 connectivity disabled.

    So, the anticipated solution can only be to manually update his dashboard network with the 201.130.***.1 IP address.  Fingers crossed that this DNS IP address doesn't change much often...

    0
    Comment actions Permalink
  • Avatar
    tedkramer

    @Alexander Harrison

    Rotblitz is right. But, here are the results, anyway:

    http://myip.dnsomatic.com/: 177...63
    https://myip.dnsomatic.com/: 177...63
    http://www.whatismyip.com/: 177...63
    (All IPs are exactly the same)
    http://www.lagado.com/proxy-test: "This request appears NOT to have come via a proxy."


    OK, I'll send you the screenshots. Although, here's what it says:
    · IP address: 201... (I believe this address hasn't changed since I started this thread)
    · Using OpenDNS: Yes
    · "Your OpenDNS filtering settings might not work due to DNS IP address (201...) and HTTP IP address (177...) mismatch."

    · Send Dns-O-Matic updates is unchecked.

    [By the way, I was able to log in to the forum just now, using the account with which I started this thread, but, only for a few minutes. I sent you an e-mail about this the other day. The error says: "We are unable to log you into the support portal at this time. Please email support@opendns.com and we can assist with your issue.
    Please mention that the error returned by the support portal was: User is invalid: Email: has already been taken."]

    Anyway, I would appreciate it if you could implement rotblitz proposed solution with either account (I can't seem to find an option to that myself).

     

    @rotblitz
    Thank you for your post. That was very helpful.

    "So, the anticipated solution can only be to manually update his dashboard network with the 201.130.***.1 IP address.  Fingers crossed that this DNS IP address doesn't change much often..."
    Yes, this seems like the only solution at this point.

    0
    Comment actions Permalink
  • Avatar
    Alexander Harrison

    The above does confirm that the mismatch isn't an issue of not being configured, but rather a DNS-HTTP IP mismatch on the network itself and you'll need to update your IP manually since there is the mismatch. 

    With regards to your account, it looks like you've changed the email on your account and the forum hasn't caught up with that. What's the email you use to log into your original account (you can send to support@opendns.com and note that you did here) and we can work on getting your forum account working once again by resolving the email conflict. 

    0
    Comment actions Permalink
  • Avatar
    tedkramer

    "...and you'll need to update your IP manually since there is the mismatch."

    Could you, please, tell me how to do that? If I login to my dashboard it only detects the HTTP IP address and, as I said above, I can't find an option to set the DNS IP address.

     

    About the e-mail: Yes, I've send a report about that and I confirmed that I had changed the e-mail address during the past few days.

    Thank you.

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    "Could you, please, tell me how to do that? ... I can't find an option to set the DNS IP address."

    There is no such option.  If you want to do it yourself, you had to delete your network at https://dashboard.opendns.com/settings/
    Then you set one up from anew where you have the chance to enter any IP address manually.  Enter the IP address which is returned by the command:

       nslookup myip.opendns.com.

    This is most likely this 201.130.***.1 IP address.  You may get a notification then that the IP address must be approved by staff.

    0
    Comment actions Permalink
  • Avatar
    tedkramer

    Thank you rotblitz. I created a new network with that address but I couldn't verify it (received a link by e-mail). I got a message that says:

    "Your IP (177...) does not match the one you are trying to verify.
    If you can, please click the link from that IP address to verify it.
    If you cannot, please contact us and explain your ownership/management of the IP address in question."

    So, I created a request (#143290). Let's see how it goes...

    0
    Comment actions Permalink
  • Avatar
    Alexander Harrison

    Your network should be all set (the verification issue is due to the same HTTP DNS mismatch) and I've verified your network to your account on our end. 

    0
    Comment actions Permalink
  • Avatar
    tedkramer

    Thank you so much, guys. It works! :)

    0
    Comment actions Permalink

Post is closed for comments.