Phantom blocking in reports?

Comments

18 comments

  • rotblitz

    The phantom will remain a phantom as long as you don't reveal the details, i.e. what domains you're talking about.
    E.g. a screen shot of https://dashboard.opendns.com/stats/all/blockeddomains could help.

    And yes, someone else may log against your stats if your IP address is not correctly updated at https://dashboard.opendns.com/settings/
    or if this IP address is shared between several users of your ISP.  This may also reflect domains being referenced on any web page.  Most browsers have DNS prefetching enabled nowadays and raise a lookup for every domain found on any web page, regardless of whether the destination will ever be visited.

  • coquitlam-craig

    My IP is correct. The sites I know are being accessed do show up in the stats. Here's an example of blocked items which do not show up in my LAN web filter logs (or matching hits on the OpenDNS block pages): https://www.evernote.com/shard/s1/sh/7f9cc407-f023-42fc-a3da-3c7116954b47/94039549aafd9f0293383661d8cac45f The IP is not used by anyone else. I have never seen this pattern in my other IP location on the account. I have never seen this pattern at work with my OpenDNS Umbrella account. At least there I can put an Umbrella agent on every device and see clearly the source.

    The only account collision I have observed is when my laptop users go to other locations which also use OpenDNS. With the agent installed they would normally be opted into our block and unblock policies even when off the LAN. Except that there can be some merging of policies when they roam onto other OpenDNS networks. And our users can be blocked from our own SharePoint or websites.
  • rotblitz

    From your blocked domain stats it looks like someone indeed tried to visit porn sites, or at least visited web pages where these blocked porn domains were referenced.  Pretty clear that nobody else can guess more details, because it's your network, and you should know your network best.

    Also, DNS lookups and visiting websites are only loosely related.  E.g. the times can significantly differ due to local caching techniques: resolver cache, browser cache and also router caches.  It could also be that VPNs or proxies are being used by users in your network.  All this may be the reason why your Untangle logs and OpenDNS stats hardly match.  Also the above mentioned DNS prefetching would cause domains to appear in the OpenDNS stats, but not in your Untangle log.  Exactly "that would once per day do an NSLookup on a long list of pornography sites, but not attempt to connect to them", to put it in your words.  You may want to disable DNS prefetching in your browsers to see if this changes the situation.

  • aliene280

    I am having the same issue of the same random porn sites showing in my logs and am 100% positive those sites have not been visited.  I have disabled DNS prefetching on the browsers and the caches on the devices.  I have turned off all devices but one and the sites still show up. Is there something that we could be missing?

  • rotblitz

    You're saying that there are still DNS lookups against these domain names out of your network.  You may want to find out what raises these DNS queries, e.g. by installing network sniffers or by enabling router logging or by investigating browser histories.

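The sniffer approach rotblitz suggests comes down to one thing: the resolver stats only show the public IP, so the attribution has to happen on the LAN side by looking at which internal host emitted each DNS query. The script below is an added example, not code from the thread or from OpenDNS; it parses raw IPv4/UDP/DNS query packets (the same bytes tcpdump or a port mirror would hand you) and maps every queried name back to the internal source address. The sample packets are constructed inline, the internal hosts and the `.test` domain are made up, and the OpenDNS resolver address 208.67.222.222 is assumed.

```python
import socket
import struct
from collections import defaultdict


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in RFC 1035 wire format (used only to construct samples)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap a payload in minimal IPv4 and UDP headers (checksums left at zero; samples only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


def parse_qname(data: bytes, offset: int):
    """Decode a label sequence starting at offset; returns (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer; never expected in a query
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_query_packet(pkt: bytes):
    """Return (src_ip, qname) if pkt is an IPv4/UDP DNS *query* to port 53, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:  # IPv4 and UDP only
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src_ip = socket.inet_ntoa(pkt[12:16])
    udp = pkt[ihl:]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != 53:
        return None
    dns = udp[8:ulen]
    _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response, not a query
        return None
    qname, _ = parse_qname(dns, 12)
    return src_ip, qname.lower()


def attribute_queries(packets):
    """Map each queried domain to the sorted list of internal hosts that asked for it."""
    sources = defaultdict(set)
    for pkt in packets:
        parsed = parse_dns_query_packet(pkt)
        if parsed:
            src, name = parsed
            sources[name].add(src)
    return {name: sorted(ips) for name, ips in sources.items()}


# Constructed sample capture (not real traffic): two LAN hosts talking to an assumed
# OpenDNS resolver, plus one non-DNS packet that must be ignored.
RESOLVER = "208.67.222.222"
SAMPLE_PACKETS = [
    build_ipv4_udp("192.168.1.20", RESOLVER, 40001, 53, build_dns_query("www.evernote.com")),
    build_ipv4_udp("192.168.1.55", RESOLVER, 40002, 53, build_dns_query("blocked-example.test")),
    build_ipv4_udp("192.168.1.55", RESOLVER, 40003, 53, build_dns_query("www.evernote.com")),
    build_ipv4_udp("192.168.1.55", "192.168.1.20", 443, 8443, b"not dns"),
]

if __name__ == "__main__":
    for name, ips in attribute_queries(SAMPLE_PACKETS).items():
        print(f"{name:28s} <- {', '.join(ips)}")
```

Fed a real capture from the router or a mirror port (one `bytes` object per IP packet), the output tells you which host asked for the blocked names; from there the browser history, the task scheduler or the security suite on that one host is what to look at.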
  • Chris Frost

    @aliene are you using Avast Security?

  • aliene280

    Chris, yes we are.  We have used it for quite some time and didn't notice any issues until a few months back.

  • sysadmin3

    I'm seeing the same blocked porn sites, same scenario: twice a day the blocked sites show up, and no way is anyone visiting these sites.  This cannot be a coincidence.

  • mattwilson9090

    See rotblitz's initial reply (and later ones) where he refers to browser prefetching, not having your address properly registered with OpenDNS, or even "sharing" your public IP address with others. He also talks about ways that you can track down exactly what is doing these DNS lookups. And again, without knowing what domains you are referring to, it's even more difficult to offer any substantial input.

    Plus, be aware that OpenDNS does not deal with sites, it only deals with domain names. It is entirely possible that someone is visiting a site, or perhaps a service is making some sort of internet connection, that in addition to the primary information on that site has ads or other links that trigger a DNS lookup without anyone actually clicking the link or visiting that site.

    It's also possible that something is infected with some form of malware which is causing these DNS lookups.

    The important thing is that OpenDNS is BLOCKING the DNS lookups to the types of domains that you don't want people interacting with. That means that if someone or something is trying to access some website or service that you don't want on your network, it is being blocked. That is exactly what OpenDNS is supposed to do. It then remains to you to track down who or what is causing these DNS lookups in the first place, since unless you are sharing your IP address with others the traffic is originating in your network.

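The thread's two observations, "the blocked domains never show up in the web filter log" and "they appear twice a day", are themselves a usable detection: a lookup that never turns into a connection and recurs at the same clock time is scheduled software, not a person. The script below is an added example (not from the thread, OpenDNS or Untangle) that correlates a resolver-side query log with a web-filter log: it reports domains queried without a matching web hit inside a time window, then clusters those query times by time of day to expose the daily schedule. Both log extracts are constructed inline, the timestamp/domain format is assumed, and the `.test` domain is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample extracts (not real logs). Left column: ISO timestamp, right: domain.
DNS_LOG = """\
2015-03-02T09:00:03 www.evernote.com
2015-03-02T09:00:04 cdn.evernote.com
2015-03-02T03:15:00 adult-example.test
2015-03-02T15:15:01 adult-example.test
2015-03-03T03:15:00 adult-example.test
2015-03-03T15:15:02 adult-example.test
2015-03-03T11:42:10 news.example.net
"""

WEB_LOG = """\
2015-03-02T09:00:05 www.evernote.com
2015-03-02T09:00:06 cdn.evernote.com
2015-03-03T11:42:12 news.example.net
"""


def parse_log(text: str):
    """Parse 'timestamp domain' lines into {domain: [datetime, ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain = line.split()
        events[domain.lower().rstrip(".")].append(datetime.fromisoformat(ts))
    return events


def phantom_lookups(dns_events, web_events, window=timedelta(minutes=5)):
    """Return {domain: sorted query times} for lookups with no web hit within `window`.

    The window absorbs the normal skew between a resolver's timestamp and the proxy's
    (resolver cache, browser cache, router cache); anything still unmatched is a
    lookup that never became a visit."""
    phantoms = {}
    for domain, times in dns_events.items():
        hits = web_events.get(domain, [])
        unmatched = [t for t in times if not any(abs(h - t) <= window for h in hits)]
        if unmatched:
            phantoms[domain] = sorted(unmatched)
    return phantoms


def recurring_times(times, tolerance=timedelta(minutes=2)):
    """Cluster query times by time of day; return [(HH:MM, distinct days)] for clusters
    seen on two or more different days, i.e. lookups that fire on a schedule."""
    clusters = []  # each entry: [seconds_of_day of first member, set of dates]
    for t in sorted(times):
        sod = t.hour * 3600 + t.minute * 60 + t.second
        for cluster in clusters:
            if abs(cluster[0] - sod) <= tolerance.total_seconds():
                cluster[1].add(t.date())
                break
        else:
            clusters.append([sod, {t.date()}])
    return [
        (f"{sod // 3600:02d}:{(sod % 3600) // 60:02d}", len(days))
        for sod, days in clusters
        if len(days) >= 2
    ]


def report(dns_text: str, web_text: str):
    """Full pipeline: {domain: {'queries': n, 'schedule': [(HH:MM, days), ...]}}."""
    phantoms = phantom_lookups(parse_log(dns_text), parse_log(web_text))
    return {
        domain: {"queries": len(times), "schedule": recurring_times(times)}
        for domain, times in phantoms.items()
    }


if __name__ == "__main__":
    for domain, info in report(DNS_LOG, WEB_LOG).items():
        print(f"{domain}: {info['queries']} unmatched lookups, schedule {info['schedule']}")
```

A domain with one unmatched lookup and no schedule is consistent with browser prefetching of a link on a page someone really did view; a domain whose unmatched lookups land at the same two clock times every day is what to hand to the packet-level attribution step, because a person does not browse that precisely.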
  • mattwilson9090

    Also, are you using Avast Security? I have seen references in here and other locations about some versions of their software generating a lot of DNS lookup traffic as part of their background functioning that has nothing to do with what anyone on the network is doing.

  • Chris Frost

    There have been reports of "phantom" requests when using Avast Security. If you remove Avast, you will notice that those requests will be reduced (down to zero if no one is actually making those requests).

  • sysadmin3

    Thank you for the reply.  Yes, I had Avast.  I've uninstalled it and will let you know in a few days if the blocked sites do not come across again.  Thanks for your help.

  • providencecc

    @sysadmin3 Can you comment on whether removing Avast resolved your issues? Thank you.

  • sysadmin3

    Yes, it did correct the issue.  Thank you very much for your help.

  • mcmayor

    Is there any way to resolve this without removing Avast?

  • mattwilson9090

    OpenDNS is actually behaving how it's supposed to in this case and there is nothing they can do to "resolve" things; it's entirely an Avast issue. Assuming you want to keep using OpenDNS, if you don't want to see the lookups, or the domains that are blocked as a result, you'll need to prevent the requests from being made in the first place, which means either removing Avast or finding a setting within Avast that changes the software's behavior.

  • rotblitz

    "Is there any way to resolve this without removing Avast?"

    Sure, there is.  You simply disable "Secure DNS".
    https://support.opendns.com/entries/57943894

  • mcmayor

    Thanks, I will give this a try.
