VPN Connection unblocks filter
I recently installed OpenDNS. It seems to work fine for my Netgear network. All devices connected seem to be properly filtered. However, I just noticed that when I'm connected to my work VPN connection, the parental filter did not block previously blocked sites. Any idea on how to fix this?
-
@gman18 - I am in the same boat as many other parents and schools who have web filters running on their network. Kids are simply using Firefox or Chrome VPN plugins, which do not require admin accounts to download and install and bypass any and all filtering, even at the router level.
I know it can be done because I have tried to use those VPN plugins at work and they do not connect, but if I use them at home, they connect fine. So, I guess some type of proxy server would have to be set up along with some firewall settings.. but that is pretty complicated for us parents.
I've been reading some of the responses here and some seem to be borderline rude.. and I've noticed most of the time it's from the same person.. "the know it all".. no need to mention any names, but you know who you are.
For the "non Opendns know-it-all" --- if you like to hang around these forums trying to "help" with questions, have a little more patience and try to remember most people that come here for help are not as knowledgeable as you are. Try to point them in the right direction or answer their questions without making them look like idiots for asking a "stupid" question.
I've read your responses in other topics and most of the time you come across like a jerk and I've seen people call you out on that.. just chill dude.. you're not getting paid by OpenDns, but honestly, you have ZERO customer service or technical support quality... you may know your stuff, but you suck at helping others.
-
If the apps are downloadable via the Android Play store the only way OpenDNS can do anything about them is if they somehow use OpenDNS in their operation *before* the VPN tunnel is created. That's pretty unlikely.
OpenDNS can do nothing to prevent installing these apps unless you block the entire appstore since once you are already in the store any app is available.
Aside from that, if they want to bypass OpenDNS all they need to do is use their data connection or someone else's WiFi.
Your first step would be finding a way to prevent installing these apps in the first place, but OpenDNS certainly can't do that for you.
-
There's nothing to fix but all normal. If you configured OpenDNS for your network, most likely on the router, it cannot work on your work place's network, same as it doesn't work on my network. You may ask the network admins of your work place to use OpenDNS too. :)
If your work place is a school, you have good reasons for "parental filter", else less.
Depending on how this VPN is set up, you may be able to configure OpenDNS resolver addresses on the computer you establish the VPN connection with. Your router configuration is totally out of scope here though.
-
Hi gman18,
While using a VPN connection, or another connection that routes your DNS and other traffic through a remote host, your DNS settings will change and reflect the DNS settings of the hosting server or computer.
As a result, it is not possible to specify a DNS resolver to be used while on these types of connections. To remedy this issue, you will need to request that the hosting server or computer be set to also use OpenDNS as its DNS resolver.
We have instructions for configuring our DNS services available here: <https://store.opendns.com/setup/>
-Chris
Customer Support Representative
-
I've been using this VPN provider https://www.iwasel.com/en/ for over a year and it always helps me to unblock internet filters perfectly and anonymously everywhere.
-
I had the same problem. The company I work for uses the Cisco AnyConnect Client with split-tunneling disabled. What this means is that when I connect to my work VPN, my local DNS servers are changed and all DNS queries are forced to go through my work DNS/AD servers. If I pull up a command/DOS prompt before I connect to VPN and type "ipconfig /all", my DNS server is 192.168.1.1 (which is my ISP router where my OpenDNS DNS servers are configured). If I do the same thing after connecting to VPN, my DNS servers are changed to 10.x.x.x (my work DNS/AD servers).
The fix for me was to remove the OpenDNS Updater from the PC that I use to connect to VPN on and install it on my wife's laptop (she doesn't use VPN at all). This way, the OpenDNS Updater will only change my public IP when my ISP changes it every so often.
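The before/after `ipconfig /all` comparison described in the post above can be automated. This is an added example, not part of the original post: the `ipconfig` excerpts are constructed, the 10.0.x.53 addresses and adapter names are assumptions, and the expected set is the router address from the post plus the FamilyShield addresses quoted elsewhere in this thread.

```python
import ipaddress
import re

# Resolvers that apply the filter: the home router from the post plus the
# OpenDNS FamilyShield addresses quoted in this thread (adjust for your network).
EXPECTED = {"192.168.1.1", "208.67.222.123", "208.67.220.123"}

# Constructed `ipconfig /all` excerpts (not captured from a real machine).
BEFORE_VPN = """\
Ethernet adapter Ethernet:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
AFTER_VPN = BEFORE_VPN + """
Ethernet adapter Ethernet 2:

   Description . . . . . . . . . . . : VPN virtual adapter (constructed)
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       10.0.1.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _as_ip(text):
    """Return a normalised IP string, or None if text is not a bare address."""
    try:
        return str(ipaddress.ip_address(text.strip().split("%")[0]))
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Return {adapter name: [DNS server, ...]} from `ipconfig /all` output."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False  # unindented adapter header
            continue
        label = re.match(r"\s+DNS Servers[ .]*:(.*)", line)
        ip = _as_ip(label.group(1) if label else line)
        # Extra servers appear on unlabeled continuation lines under the label.
        in_dns = bool(ip) and (in_dns or bool(label))
        if in_dns and adapter:
            result.setdefault(adapter, []).append(ip)
    return result

def unexpected_resolvers(ipconfig_text, expected=EXPECTED):
    """Adapters whose DNS servers fall outside the filtering resolvers."""
    found = dns_servers(ipconfig_text)
    return {name: [s for s in servers if s not in expected]
            for name, servers in found.items()
            if any(s not in expected for s in servers)}
```

An empty result means every adapter still resolves through the filtered path; a non-empty one names the adapter and the resolvers that replaced it.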
-
You could also try creating a firewall rule that forces DNS requests through OpenDNS using the instructions here: https://support.opendns.com/entries/26374985-Preventing-circumvention-of-OpenDNS-with-firewall-rules. This may not help with VPNs, but it prevents users who manually change their DNS settings from bypassing OpenDNS and is another way to 'lock down' the use of our service. Also, as rotblitz said, if these VPNs are DNS based you can block their domains by adding them to your **Always Block** list. We have instructions to block domains here: https://support.opendns.com/entries/34435010-Getting-Started-Blocking-Allowing-Specific-Domains-with-Whitelist-Blacklist
-
I have the same problem - OpenDNS worked great for me for a number of years and I felt safe to allow them to use their smartphones until my children discovered the joys of VPN. They now download and install various VPN applications and bypass the DNS filters (as well as various router filtering rules I have configured). These are downloadable from Android Play. Any advice?
-
The standard home OpenDNS service only affects DNS lookups. So you can go into your content filtering settings and block proxy/anonymizer/vpn access, and that will prevent access to the VPN sites and will block the VPN clients from connecting unless the VPN client isn't using DNS. If it is using hard-coded IP addresses, OpenDNS isn't going to stop it. The OpenDNS Umbrella service might address the issue, and it works regardless of what network the device is connected to, but that isn't free, and unless you're using parental control software on your kids' devices, they have control over what apps are on their devices anyway. But can we please get people to stop submitting VPN sites as porn sites? They aren't. If you don't want to allow VPN access on your network, then block VPN sites in your content filter settings (proxies, anonymizers, VPNs), but please people, stop mislabeling URLs as something they aren't. It makes the service unusable in many instances, which is really unfortunate.
-
-
Here's a little problem I've been running into. My son is a clever kid and has apparently installed some proxy plugins. I'm looking for a way to stop him from using those as we've discovered his porn habit recently. I've looked in my history and found a bunch of these domains clearing even though I have proxies and anonymizers blocked.
Hoxx appears to be a proxy service made to defeat domain filtering, but it seems to rely on a formulaic domain name. I thought I might be able to block this in OpenDNS by explicitly blocking hoxxproxy*.com, but this is rejected as an invalid domain. I suppose there could be a solution along the lines of blocking the IP address and/or port of the service.
Any ideas? I'll keep digging and report back on my findings.
-
Well, a domain hoxxproxytesthelper96259.com does not exist in DNS, therefore it cannot be accessed. No reason to be concerned.
nslookup hoxxproxytesthelper96259.com.
Server: 192.168.178.1
Address: 192.168.178.1#53
** server can't find hoxxproxytesthelper96259.com: NXDOMAIN
Another measure would be to provide your son with a regular user account as should be, not with an admin account. This prevents him from installing many things and from changing network settings (e.g. DNS server addresses).
"I thought I might be able to block this in OpenDNS by explicitly blocking hoxxproxy*.com, but this is rejected as an invalid domain."
You cannot block wildcards or keywords this way. You only can block domains, where example.com covers this and all its subdomains like www.example.com, images.example.com, etc.
"I suppose there could be a solution along the lines of blocking the ip address and or port of the service.."
Definitely. But this has nothing to do with DNS and therefore cannot be done with OpenDNS. You block IP addresses and ports directly on your router if this has the capability.
-
@magdiel1975 Agree! There is an assumption here by at least one responder that parents give their kids access to do whatever they want. Not true. My kids are NOT admins on their computers. Each of their computers has Norton Parental Control as well. Their phones' data plan locks down to no data after 10 pm via my service provider. However, wifi is still available. Guess what, they are using VPN to get to places they shouldn't be. And my son told me they use it at school as well to get past what the school blocks. Taking away phones is not an option, I need to be able to contact them if I need to. And there is an assumption by teachers that every kid has a phone or laptop during class to do research.
I just bought a new router with OpenDNS control. I bought it for the parental controls alone. OpenDNS is advertised as a great way to impose parental controls. Well, after two days of trying all kinds of restrictions and looking through the support I now find I can't stop VPN.
My teens are tech savvy and they talk with other kids at school about how to get around controls. They go to homes where there are no controls to get what they need to circumvent controls. I can't stop what goes on outside my home, but I at least want the ability to control at my own home. If there is a way for OpenDNS to impose VPN blocking in future builds I suggest they do. It would close a gaping hole in their product.
-
"If there is a way for OpenDNS to impose VPN blocking in future builds I suggest they do."
You'll have to block the Proxy/Anonymizer category. Also, you have to block the protocols and ports being used by VPN on the router. This cannot be covered by OpenDNS, because it is connectivity related, not necessarily DNS related.
If you configure the OpenDNS FamilyShield addresses 208.67.222.123 and 208.67.220.123 directly on the end user devices (i.e. your kids' devices), you are able to block the Proxy/Anonymizer category also outside your home network.
-
"If there is a way for OpenDNS to impose VPN blocking in future builds I suggest they do."
This is now there - in Cisco Umbrella. They won't give Umbrella features away for free.
https://support.umbrella.com/hc/en-us/articles/115001077988
-
@rotblitz Thank you for the quick response! Yes, I tried blocking the protocols/ports on the router. Unfortunately, it caused problems getting to other sites. Amazon Prime music stopped, even though I couldn't find where they had overlapping protocols/ports. I will take a look at the Umbrella features.
-
Great! Then get these blacklists and simply submit them at
https://community.opendns.com/domaintagging/submit/
You can submit 1000 at a time, just by copying & pasting! Why don't you do it?
If you want to speed it up, raise the same list from your submission as a support ticket to OpenDNS. Then you can use the checkbox above very soon again!
-
@enegron68 Without a specific list of these VPNs it's impossible to say whether or not OpenDNS could block them, or if they are already in the proper category.
OpenDNS is a DNS based system, meaning that if a VPN doesn't use a domain then OpenDNS won't even know about it, let alone have a way to block it. In order to block domains using categories someone will have had to start that process by submitting domain names to the system to be voted up.
If you have a particular list of VPN domains that is not categorized as such you are certainly welcome to submit them, and get the whole process started.