DNS properly configured to router but fails the test

Comments

17 comments

  • mattwilson9090

    Two things jump out at me. First, it appears that you are sending your internet traffic out via IPv6, as shown by auth1.opendns.com AAAA IPv6 address = 2620:119:30::53 and auth2.opendns.com AAAA IPv6 address = 2a04:e4c0:53::53. OpenDNS cannot filter DNS requests that come in via IPv6. Your best option is to disable IPv6 on the router itself, but for testing purposes you could disable it on the computer and test again.

    Also, you seem to be using several DNS servers that are not OpenDNS (auth1.opendns.com internet address = 208.69.39.2, auth2.opendns.com internet address = 146.112.60.53, and auth3.opendns.com internet address = 208.69.39.2). If you have non-OpenDNS servers configured then at least some of your DNS traffic will be sent to them and you will get inconsistent results at best. You need to remove those additional DNS servers. Since DNS for your computer is pointing to your router from DHCP, you will either need to remove those servers on the router itself, or manually configure the DNS servers on the computer to point to 208.67.222.222 and 208.67.220.220. Though I'd only do that last part for testing.

  • ammeximportation

    Sir, kindly check the attached file. It seems that I can't disable my IPv6 in my router.

     

     




  • mattwilson9090

    It looks to me as if your router is actually a combination ADSL modem/router provided by your ISP. Assuming that's correct, that does limit your options, but there is some further testing you can do that will help us determine your best options.

    Disable IPv6 on your computer, and manually set the IPv4 DNS addresses to 208.67.222.222 and 208.67.220.200. Then clear the DNS caches on your computer (https://support.opendns.com/entries/26336865). We can change these things back later (actually we should), but we need to make the changes to get some accurate results.

    Once that's done, let us know what happens when you go to http://welcome.opendns.com/

    After that rerun nslookup -type=txt debug.opendns.com. and ipconfig/all and let us know the results like you did before.

    There are a few different things that I'd expect to see, and based on what we actually see we should be able to provide a few options to get OpenDNS working on this computer as well as everything else on your network.

  • ammeximportation

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\SPI>nslookup -type=txt debug.opendns.com.
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    *** resolver1.opendns.com can't find debug.opendns.com.: Non-existent domain

    C:\Users\SPI>nslookup -type=txt which.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Non-authoritative answer:
    which.opendns.com text =

    "I am not an OpenDNS resolver."

    opendns.com nameserver = auth3.opendns.com
    opendns.com nameserver = auth1.opendns.com
    opendns.com nameserver = auth2.opendns.com
    auth1.opendns.com AAAA IPv6 address = 2620:119:30::53
    auth1.opendns.com internet address = 208.69.39.2
    auth2.opendns.com AAAA IPv6 address = 2a04:e4c0:53::53
    auth2.opendns.com internet address = 146.112.60.53
    auth3.opendns.com internet address = 208.69.39.2

    C:\Users\SPI>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : LEO
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : domain.name

    Wireless LAN adapter Wireless Network Connection 2:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
    Physical Address. . . . . . . . . : 00-87-32-18-81-7A
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection:

    Connection-specific DNS Suffix . : domain.name
    Description . . . . . . . . . . . : 802.11n USB Wireless LAN Card
    Physical Address. . . . . . . . . : 00-87-32-18-81-7B
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Thursday, September 08, 2016 4:00:47 PM
    Lease Expires . . . . . . . . . . : Friday, September 09, 2016 4:00:46 PM
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 208.67.222.222
    208.67.220.200
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
    Physical Address. . . . . . . . . : EC-A8-6B-73-88-4E
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.domain.name:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . : domain.name
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    C:\Users\SPI>

     

     

     




  • rotblitz

    @mattwilson9090
    His problem does not have to do with IPv6.  His DNS traffic is solely over IPv4.

    @ammeximportation
    This has nothing to do with your router or computer.  Your ISP is hijacking your DNS traffic and redirecting it to their own DNS service.  You may call your ISP to see if you can opt out of this DNS hijacking to be able to use a 3rd party DNS service like OpenDNS.

    If this is not successful, you may try DNSCrypt at https://dnscrypt.org/ to circumvent this restriction.

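The check that the hijacking diagnosis above rests on, as an added example that is not part of the original thread: a query addressed to an OpenDNS resolver comes back with text saying it was not answered by one. The resolver addresses and marker strings are taken from the output posted in this thread; the function names, result labels and the third sample run are made up for illustration.

```python
import re

# Resolver addresses named in this thread.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Replies the posted output shows for which/debug.opendns.com when OpenDNS did not answer.
FOREIGN_MARKERS = ("I am not an OpenDNS resolver.", "Non-existent domain")

def split_queries(transcript):
    """Yield (queried_name, resolver_address, reply_text) per nslookup run."""
    chunks = re.split(r"^.*?>\s*nslookup\s+", transcript, flags=re.M)[1:]
    for chunk in chunks:
        command, _, reply = chunk.partition("\n")
        name = next(a for a in command.split() if not a.startswith("-"))
        addr = re.search(r"^Address:\s*(\S+)", reply, flags=re.M)
        yield name.rstrip("."), addr.group(1) if addr else None, reply

def classify(address, reply):
    """Compare where the query was addressed with what came back."""
    if not any(marker in reply for marker in FOREIGN_MARKERS):
        return "no-foreign-marker"
    if address in OPENDNS_RESOLVERS:
        # Addressed to OpenDNS, yet answered by something else on the path.
        return "intercepted-in-transit"
    return "resolver-not-opendns"

def diagnose(transcript):
    return [(n, a, classify(a, r)) for n, a, r in split_queries(transcript)]

# Constructed sample: runs 1-2 shortened from the output posted above,
# run 3 invented to show a client that is not pointed at OpenDNS at all.
SAMPLE = r"""C:\Users\SPI>nslookup -type=txt debug.opendns.com.
Server: resolver1.opendns.com
Address: 208.67.222.222
*** resolver1.opendns.com can't find debug.opendns.com.: Non-existent domain
C:\Users\SPI>nslookup -type=txt which.opendns.com. 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220
which.opendns.com text =
"I am not an OpenDNS resolver."
C:\Users\SPI>nslookup -type=txt which.opendns.com.
Server: UnKnown
Address: 192.168.1.1
which.opendns.com text =
"I am not an OpenDNS resolver."
"""

if __name__ == "__main__":
    for row in diagnose(SAMPLE):
        print(row)
```

The `Address:` line only records where the client sent the query, which is why it can show an OpenDNS address while the reply text says otherwise.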
  • ammeximportation

    After I install DNSCrypt, what should I do?

    @rotblitz and mattwilson9090, thanks for the help, I gladly appreciate it :)

  • mattwilson9090

    Assuming dnscrypt works properly for you and you are able to get OpenDNS filtering working (your ISP might still block or intercept this) you've got 3 basic options, listed in order of preference.

    1) Run dnscrypt on your router so that all DNS requests from your network go to it, and from the router to OpenDNS. Your router firmware may or may not support this, but many 3rd party firmwares such as Toastman have it built in. Some 3rd party firmware such as OpenWRT would allow you to add additional software such as DNSCrypt.

    2) Run dnscrypt on one computer on your network, configure the network so that all devices point to it for DNS, and it then connects to OpenDNS. The big disadvantage to running it this way instead of on your router is that that computer will always have to be running to get DNS resolution for your network, but it might be your only choice if dnscrypt doesn't work on your router.

    3) Install dnscrypt on every device on your network that can run it. Not only is this the hardest to set up and get working, there are a lot of devices, such as Rokus and smartphones, that probably won't let you install a dnscrypt client.

  • ammeximportation

    Question:

    Is it better if I just buy a router that can block websites?

  • mattwilson9090

    A router that can block websites is like comparing apples and oranges. Each does something that the other can't, and can actually complement each other. However, with a router that can block websites you'll have to put each website in manually, you won't have the advantage of blocking entire categories, PLUS the whitelist/blacklist abilities of OpenDNS.

    I always recommend that people get their own router however, whether or not the ISP provides one. Put that router "inside" the one provided by the ISP and you have full control over what your internal network and WiFi are doing, and you have a number of options the ISP's router can't do. It can't offset the ISP intercepting DNS, but it provides a lot of options. Plus, if you get a router that allows 3rd party firmware such as Toastman, with just a couple of clicks you can enable DNSCrypt and provide its functionality to the entire network. That can be handy if the ISP is intercepting DNS, but they could also be intercepting or blocking DNSCrypt traffic.

  • ammeximportation

    Thanks, Matt.

    May I ask what kind of router you can recommend?

  • mattwilson9090

    I wouldn't exactly call it a recommendation, but I've been using an ASUS RT-N66U with Toastman firmware. I wanted the N Wi-Fi, gigabit (though I only use one port) and the extra processor performance and RAM. It cost a bit more than lower cost ones like the 12 and 16 from ASUS, but it meets my needs. I have a very fast fiber internet connection, 300 Mbps, but configured as it is, this router can only handle 125 Mbps on a speedtest. Then again, when I got it, the fastest they offered was 100 Mbps. To get faster I'll need to get one of their faster AC models.

    Depending on the ISP's speed this model should be more than adequate for most needs, but a 12 or 16 should also be very good with a slower connection.

  • rotblitz

    @ammeximportation 
    We came to this because your ISP redirects your DNS traffic.  So, this is not really a router problem.  Did you contact your ISP already?  What was the outcome?

    If you're asking for a router because you want to run DNSCrypt on it, then you'll read https://dnscrypt.org/#dnscrypt-routers

  • ammeximportation

    They are charging us extra and we need to pay it monthly.

  • mattwilson9090

    I'm not sure what you are referring to there.

  • ammeximportation

    I'm referring to this:

    "Did you contact your ISP already?  What was the outcome?"

    I talked to them and asked if they can give me a permanent public address. They said that yes, they can, but we need to terminate our current plan, change it to a business package, and we need to pay for the termination fee with extra charges every month.

  • mattwilson9090

    You asked for the wrong thing. Your ISP is intercepting your DNS calls and routing them somewhere other than where you want them to go. That's what you need to ask them to stop doing. It's possible that they'll only do that if they give you the static IP address you referred to in your last message, but it's also possible that it won't do anything about the DNS intercepts.

  • ammeximportation

    OK, sir Matt, I will call them again. I'll keep you updated once I have talked to them.

    Thank you.
