What are the IPv6 addresses for OpenDNS?
Are they 6001:0:ccc:2?
-
Official comment
OpenDNS supports recursive IPv6 DNS resolution and security filtering for IPv6 traffic. Our IPv6 DNS server addresses are:
2620:119:35::35
2620:119:53::53
Currently, it is not possible for users to register IPv6 addresses in the OpenDNS Dashboard. Custom content filtering cannot be set for IPv6 traffic.
For users with both IPv4 and IPv6 on their internal network, we would recommend that you do not configure an IPv6 DNS server if possible, in order to force your clients to use IPv4 for DNS.
If this is not possible for some reason, and an IPv6 DNS server must be specified, then you can use the IPv4-mapped IPv6 addresses of the OpenDNS resolvers in order to redirect clients to IPv4:
::ffff:d043:dede
::ffff:d043:dcdc
::ffff:d043:dedc
::ffff:d043:dcde
For users looking for an RFC-compliant DNS service that does not provide any level of filtering, the following IPv6 DNS server addresses can be used instead:
2620:0:ccc::2
2620:0:ccd::2
-
In case you just want pure DNS without enhanced features:
https://www.opendns.com/about/innovations/ipv6/
2620:0:ccc::2
2620:0:ccd::2
In case you want to use the enhanced features like content filtering and logs and stats:
::ffff:d043:dede
::ffff:d043:dcdc
::ffff:d043:dedc
::ffff:d043:dcde
-
@joeg123 You need to read the entire thread, your answer about OpenDNS resuming filtering is already answered there.
As for the 8 fields, IPv6 notation allows for :: to replace consecutive octets (one of the eight groups of 4 characters) of all 0's, so in the address you listed, the :: takes the place of 0000:0000:0000:0000. Also, in IPv6 notation, leading 0's in an octet can be dropped, so technically ccc is actually 0ccc and 2 is actually 0002.
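Added example, not part of the thread and not OpenDNS code: the notation rules described above and the IPv4-mapped addresses from the official comment, worked through in Python. It expands each resolver address to its full eight-group form and reports which IPv4 address an IPv4-mapped entry actually stands for; the function names and the sample resolv.conf text are constructed for this illustration.

```python
import ipaddress
import string

# Constructed resolv.conf-style sample built from addresses quoted in this thread.
SAMPLE_CONF = """\
nameserver ::ffff:d043:dede
nameserver 2620:119:35::35
nameserver 2620:0:ccc::2
nameserver 208.67.220.220
"""

def expand_groups(text):
    """Undo '::' compression and dropped leading zeros; return 8 four-digit groups."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one group")
        groups = left + ["0"] * missing + right
    else:
        groups = text.split(":")
    ok = len(groups) == 8 and all(
        1 <= len(g) <= 4 and all(c in string.hexdigits for c in g) for g in groups)
    if not ok:
        raise ValueError("not a valid IPv6 address: %r" % text)
    return ":".join("%04x" % int(g, 16) for g in groups)

def describe(server):
    """Return (full form, kind, IPv4 address the resolver is reached at, or None)."""
    addr = ipaddress.ip_address(server)
    if addr.version == 4:
        return (str(addr), "IPv4", str(addr))
    mapped = addr.ipv4_mapped  # set only for ::ffff:a.b.c.d style addresses
    if mapped is not None:
        return (expand_groups(server), "IPv4-mapped", str(mapped))
    return (expand_groups(server), "IPv6", None)

def audit(conf):
    """Describe every nameserver line of a resolv.conf-style text."""
    return [describe(line.split()[1])
            for line in conf.splitlines() if line.startswith("nameserver")]

if __name__ == "__main__":
    for full, kind, v4 in audit(SAMPLE_CONF):
        print(full, kind, v4 or "-")
```

Only the entries reported as IPv4 or IPv4-mapped reach the resolver from an IPv4 source address, which is the kind of address the thread says can be registered in the dashboard.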
-
Just to clarify, while the old IPv6 addresses that don't provide filtering still work, if you want normal resolver filtering for OpenDNS, you can use the following addresses:
2620:119:35::35
2620:119:53::53
Those would be preferable to using the ::ffff:d043:dede ones mentioned above.
-
Unless these IPv6 destinations are able to obtain your IPv4 address too, to be applied to your dashboard settings, using these addresses will have no effect regarding dashboard settings, because you cannot register your IPv6 address (range), just your IPv4 address (range).
If you just want plain DNS without any customization, then these addresses may work, although they are thought to be used with Cisco Umbrella only. When I find time, I will investigate further about 2620:119:35::35 and 2620:119:53::53.
-
I have now tested out 2620:119:35::35 and 2620:119:53::53. These are not DNS resolver addresses and do not respond to DNS queries. If you configure them, your system might detect this and may fall back to IPv4 in the ideal case. But you will see many delays with everything, because the timeout must be reached first. Not a good idea to use these addresses at all.
-
I can assure you that they are valid DNS resolvers and respond fully. Here's an example from one of my VPCs in LA (I've modified my origin ID, org ID, and source address for privacy):
robbie@server ~ > dig @2620:119:35::35 debug.opendns.com txt
; <<>> DiG 9.9.5-3ubuntu0.17-Ubuntu <<>> @2620:119:35::35 debug.opendns.com txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64146
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server m37.pao"
debug.opendns.com. 0 IN TXT "flags 20 0 1040 1C00000000070000000039FF000000000000000"
debug.opendns.com. 0 IN TXT "originid 00000000"
debug.opendns.com. 0 IN TXT "orgid 00000"
debug.opendns.com. 0 IN TXT "orgflags 27"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "bundle 00000"
debug.opendns.com. 0 IN TXT "source [IP_obscured]:56673"
;; Query time: 2 msec
;; SERVER: 2620:119:35::35#53(2620:119:35::35)
;; WHEN: Thu Aug 23 21:51:01 UTC 2018
;; MSG SIZE rcvd: 323
This is obviously an Umbrella account instead of an OpenDNS account, but both use the same set of resolvers. While you're correct that there is currently no way to register your IPv6 addresses in OpenDNS, these resolvers would function properly for any identities that could be sent to them, e.g., network devices using a device ID. As such, they are preferred over the sandbox IPs so that protection can take effect when OpenDNS adds support for registering IPv6 addresses in the future.
-
"This is obviously an Umbrella account instead of an OpenDNS account"
Correct, this is the difference. And therefore these resolvers cannot be used outside of Umbrella, i.e. for OpenDNS Home versions, because they do not respond, as I said.
nslookup -timeout=8 -type=txt debug.opendns.com. 2620:119:35::35
;; connection timed out; no servers could be reached
nslookup -timeout=8 -type=txt debug.opendns.com. 2620:119:53::53
;; connection timed out; no servers could be reached
So please do not recommend things which cannot be used yet. You are here in the OpenDNS forum, not the Umbrella forum...
"I can assure you that they are valid DNS resolvers and respond fully."
After all, this is not true for the audience represented here.
"they are preferred over the sandbox IPs so that protection can take effect when OpenDNS adds support for registering IPv6 addresses in the future."
Even more, they are to be used instead of the sandbox resolvers. OpenDNS are working on it. We have to wait for the solution coming up.
Edit:
I have tested again 2620:119:35::35 and 2620:119:53::53 today. Now I get DNS responses from them. But still they cannot be used yet to use OpenDNS with dashboard settings, because IPv6 addresses (prefixes) cannot be registered at the dashboard.
Not sure what the problem was yesterday, but it was most likely something with my ISP or the network carriers involved.