OpenDNS setup

Comments

  • rotblitz (Edited)

    "when I am not at home (school, coffee shop, wherever)."

    OpenDNS is a service for networks you own, not for your devices in other networks.  Full stop.
    (You don't question that a car cannot fly and swim, do you?)

    "What am I exactly doing when I choose the Computers Workstations and Laptops option?"

    You normally overwrite the router's DNS configuration, i.e. the end user device configuration normally takes priority.

    "What is that option for: to connect to OpenDNS servers when using a different network (that has their own settings with its ISP?"

    You can still try it.  It may work sometimes, or not at all if the network admins prevent you from using 3rd party DNS services.  But you cannot and should not register your IP address with your dashboard network.  One reason is that you then lose your individual settings for the home network, the other reason is that you may impact other users in this other network.

    "Do I also need to set up OpenDNS in the OpenVPN icon of my active networks (open networks and sharing center in windows 8.1)?"

    Yes, if you want to use OpenDNS with a VPN, you need to configure the OpenDNS resolver addresses (or the router's IP address if your router is configured to use OpenDNS) in the virtual VPN network adapter, else your DNS traffic goes through the VPN tunnel, and this uses the DNS service configured on the remote VPN server.  Please note, if you do this, your DNS traffic leaks, i.e. it is no longer protected and encrypted through the VPN tunnel.  You need not necessarily worry about that.

    "Actually, do I need to do the same for every single active network I may use: Ethernet, Wi-Fi, Wireless adapter, and OpenVPN?"

    Yes and no.  If you configured OpenDNS on the router, you only need to configure OpenDNS for VPN connections on the computer, not for Ethernet and WLAN.  However, if you want to configure OpenDNS only on the computer, not on the router, then you must configure every single used network with the OpenDNS resolver addresses - if you want to use OpenDNS.

  • open2learn

    Hi Rotblitz,

    Many thanks for your quick feedback. You have really made OpenDNS clearer for me, but your answers have also triggered some other questions:

    1. If I set up (as I will) the Home Router to direct the DNS request to OpenDNS servers, what is the point of the Computers Workstations and Laptops option? The only answer that I can think of is that the former will direct the DNS requests of all the devices connected to that home router, while the latter will allow each device to handle the DNS requests individually.

    You mentioned that the Computers Workstations and Laptops option takes priority over the router configuration, so I guess that setting up both (home router and laptop) should not interfere with each other. However, what if I set up the laptop and mobile phone connected to my home router to send DNS requests to OpenDNS servers? Can that cause any (potential) conflict or problem?

    2. So far, my attempts to make it work have been unsuccessful. I have entered the OpenDNS addresses (208.67.222.222 preferred server; 208.67.220.220 alternate server) for the Ethernet, Wi-Fi, wireless adapter, and OpenVPN connections, following the setup guide. Then, I flushed the DNS cache in CMD (ipconfig /flushdns) and deleted all history in my browser before restarting the laptop. The OpenDNS test showed instead that I am not connected to their servers, which is very frustrating because I followed the instructions step by step. Did I miss something? Just in case you think of it, I have disabled IPv6 in Properties for each connection and also Teredo in CMD (netsh interface teredo set state disabled).

    OpenDNS tells me that I am not connected to their servers and prompts me to enter my IP address in the dashboard. At first, I thought it was indispensable to do that in order to fully complete the setup, but you advised me not to. I assume that you are connected without doing that, so I wonder how and why I am not.

    3. "Yes, if you want to use OpenDNS with a VPN, you need to configure the OpenDNS resolver addresses (or the router's IP address if your router is configured to use OpenDNS) in the virtual VPN network adapter, else your DNS traffic goes through the VPN tunnel, and this uses the DNS service configured on the remote VPN server. Please note, if you do this, your DNS traffic leaks, i.e. it is no longer protected and encrypted through the VPN tunnel".

    This is confusing. The whole point for me to be connected to OpenDNS servers is that sometimes the browser or Windows may continue sending DNS requests to the ISP's servers, even if you are using OpenVPN or any other VPN provider, and consequently causing DNS leaks (please check https://thebestvpn.com/dns-leaks-causes-fixes/, specifically "The Problem #1: Improperly configured network" and "The Fix") (also https://www.makeuseof.com/tag/dns-leaks-can-destroy-anonymity-using-vpn-stop/). Therefore, it is advised to force Windows to use OpenDNS servers (or any other provider) and thus avoid potential leaks. Based on what you wrote above, that causes the opposite. Could you clarify it for me, please? Basically, I am trying to maximise security here just in case OpenVPN is overwritten by the browser or Windows (in this sense, I have also done this: https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html).

    Thank you very much in advance.

    P.S. Sorry about the length of this message, but I really want to learn how to do this properly.

  • rotblitz (Edited)

    "If I set up (as I will) the Home Router to direct the DNS request to OpenDNS servers, what is the point of the Computers Workstations and Laptops option?"

    No point, unless you want to exempt a computer from using OpenDNS while configuring another (non-OpenDNS) DNS service.

    "However, what if I set up the laptop and mobile phone connected to my home router to send DNS requests to OpenDNS servers? Can that cause any (potential) conflict or problem?"

    No conflict or problem, but possibly unnecessary work.  Also, if you configure external resolver addresses on end user devices, you impact or break local name resolution.  This is not a problem or conflict if you know what it means and how to overcome it.

    "deleted all history in my browser"

    This was not needed.  Only the browser's cache (temporary internet files) should be flushed.

    "So far, my attempts to make it work have been unsuccessful."

    Copy & paste the complete plain text output of the following diagnostic commands to here, so that I can see what the problem may be:

    nslookup -type=txt debug.opendns.com.
    nslookup whoami.akamai.net.
    netsh interface ipv4 show config

    "I have disabled IPv6 in Properties for each connection and also Teredo in CMD (netsh interface teredo set state disabled)."

    This was not needed.  You can use dual-stack connectivity with OpenDNS if you configure the IPv6 side from the following list of DNS server addresses: 
    ::ffff:d043:dedc  ::ffff:d043:dcde   ::ffff:d043:dede   ::ffff:d043:dcdc

    "Therefore, it is advised to force Windows to use OpenDNS servers (or any other provider) and thus avoid potential leaks. Based on what you wrote above, that causes the opposite. Could you clarify it for me, please?"

    Re DNS leak, this is everything where your DNS traffic does not go through the VPN tunnel, be it to OpenDNS, to your ISP's DNS service or to any other DNS service.  In other words, you create a DNS leak if you configure any other DNS service with a VPN connection.  As I said, you may not necessarily worry about that, but it may be what you really want.

    "Basically, I am trying to maximise security here"

    Then you may consider using DNSCrypt with OpenDNS: https://dnscrypt.info/implementations/
    (The OpenDNS service is called "cisco".)

  • open2learn

    Hi Rotblitz,

    Many thanks again for your detailed feedback and apologies for the delay in getting back to you.

    I have re-installed OpenVPN and only imported one connection profile (downloaded from here - https://www.vpnbook.com/#openvpn). I have not made any change to that imported config file. IPv6 was disabled (I have not tried your settings for now as I want to figure out what is wrong with IPv4), and I entered the (preferred) 208.67.222.222 and (alternate) 208.67.220.220 OpenDNS server addresses in Ethernet IPv4 on my laptop (home network). It was not possible to connect to any website. After that, I removed the OpenDNS addresses from IPv4 and I could reach websites, but the online DNS tests showed that OpenVPN was leaking my real IP address. Please find below the outcome of your commands (after entering the OpenDNS addresses). Hope it helps.

    nslookup -type=txt debug.opendns.com
    Server: resolver1.opendns.com
    Address: 208.67.222.222
    *** resolver1.opendns.com can't find debug.opendns.com: Non-existent domain


    nslookup whoami.akamai.net
    Server: resolver.opendns.com
    Address: 208.67.222.222

    Name: whoami.akamai.net
    Address: 2a04:e4c0:10:76

    netsh interface ipv4 show config

    Another doubt related to OpenVPN: I also noticed that my Internet connection was leaking when using OpenVPN in a public network (without OpenDNS servers involved). Although this is an OpenDNS forum, I assume that you are familiar with the topic, so is there any way to avoid those leaks?

    Many thanks again. Looking forward to your feedback.

    Regards.

  • rotblitz

    Something went wrong with one of the commands: 2a04:e4c0:10:76 is not a valid IPv6 address.  Did you copy only the first part of the address?

    Whatever, it looks like something prevents your DNS traffic from reaching OpenDNS, and your DNS queries seem to be redirected to another DNS service, e.g. by your ISP.

    Also, I do not see that you have had a VPN connection established when executing the commands, so I cannot comment on related traffic leaking.

    Regarding the redirection of your DNS traffic, let's see if you could circumvent it:

    nslookup -type=txt -vc debug.opendns.com.
    nslookup -type=txt -port=443 debug.opendns.com.
    nslookup -type=txt -port=443 -vc debug.opendns.com.
    nslookup -type=txt -port=5353 debug.opendns.com.
    nslookup -type=txt -port=5353 -vc debug.opendns.com.


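The reading rotblitz applies to the pasted nslookup output can be automated; the following is an added example, not part of the thread and not an OpenDNS tool. The function names are hypothetical, the NXDOMAIN interpretation follows the last reply, and treating a returned TXT answer as "reaches OpenDNS" is an assumption.

```python
import ipaddress
import re

# Resolver addresses quoted in the thread (IPv4 and IPv4-mapped IPv6 forms).
THREAD_RESOLVERS = ["208.67.222.222", "208.67.220.220", "::ffff:d043:dedc",
                    "::ffff:d043:dcde", "::ffff:d043:dede", "::ffff:d043:dcdc"]

def normalize(addr):
    """Canonical address string, unwrapping IPv4-mapped IPv6; None if invalid."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)

OPENDNS = {normalize(a) for a in THREAD_RESOLVERS}

def parse_nslookup(text):
    """Extract resolver address, answer addresses, TXT strings, NXDOMAIN flag."""
    out = {"resolver": None, "answers": [], "txt": [], "nxdomain": False}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Address(?:es)?:\s*(\S+)", line)
        if "Non-existent domain" in line:
            out["nxdomain"] = True
        elif m and out["resolver"] is None:
            out["resolver"] = m.group(1)        # first Address line is the server
        elif m:
            out["answers"].append(m.group(1))   # later Address lines are answers
        elif len(line) > 1 and line[0] == line[-1] == '"':
            out["txt"].append(line[1:-1])       # quoted TXT strings
    return out

def assess(debug_out, whoami_out):
    dbg, who = parse_nslookup(debug_out), parse_nslookup(whoami_out)
    reaches = False if dbg["nxdomain"] else (True if dbg["txt"] else None)
    return {
        "resolver_is_opendns": normalize(dbg["resolver"] or "") in OPENDNS,
        "reaches_opendns": reaches,             # None means inconclusive
        "invalid_answers": [a for a in who["answers"] if normalize(a) is None],
    }

# Output exactly as posted in the thread.
POSTED_DEBUG = ("Server: resolver1.opendns.com\nAddress: 208.67.222.222\n"
                "*** resolver1.opendns.com can't find debug.opendns.com: Non-existent domain")
POSTED_WHOAMI = ("Server: resolver.opendns.com\nAddress: 208.67.222.222\n\n"
                 "Name: whoami.akamai.net\nAddress: 2a04:e4c0:10:76")
print(assess(POSTED_DEBUG, POSTED_WHOAMI))
```

On the posted output this reports an OpenDNS address configured as resolver, no answer from OpenDNS for the debug record, and one answer that does not parse as an IP address, which matches the points raised in the last reply.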