OpenDNS is logging but not blocking

Comments

9 comments

  • rotblitz (Edited )

    It seems that you're using OpenDNS only randomly, not consistently, or only with certain devices.  That also means that your stats and logs are not complete, but contain only the DNS queries having reached OpenDNS.

    Copy & paste the complete plain text output of the following diagnostic commands to here, from the PC where the other outputs come from, so that I may see what the problem is.

    nslookup -type=txt debug.opendns.com.
    nslookup whoami.akamai.net.
    netsh interface ipv4 show config

    Also, what browser do you use on this PC?

  • yitzhak

    Hello rotblitz

    Thanks for the reply.  A couple of things:

    1.  There is only one PC on this network.  The only other devices are 3 TVs and 2 VoIP desktop phones.  The PC is the only device that is doing "browsing".  We do not use any other PCs or wifi phones on this network.  All of the logging in the OpenDNS dashboard is from this PC.  The TVs have DNS settings that are hardwired (we figured this out with the TVs when the router was misconfigured and they were still able to stream.  The FortiNet phones don't use DNS; they point directly to the IP address of the phone system.)

    2.  The OpenDNS logging on my dashboard shows the websites I am trying with the one PC.  

    3.  Browser is Chrome or Edge on windows 10.

    Here are the results of your commands:

    ==============

    C:\Users\Administrator>nslookup -type=txt debug.opendns.com.
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    opendns.com
    primary name server = auth1.opendns.com
    responsible mail addr = noc.opendns.com
    serial = 1555098324
    refresh = 16384 (4 hours 33 mins 4 secs)
    retry = 2048 (34 mins 8 secs)
    expire = 1048576 (12 days 3 hours 16 mins 16 secs)
    default TTL = 2560 (42 mins 40 secs)

    ====================

    C:\Users\Administrator>nslookup whoami.akamai.net.
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Non-authoritative answer:
    Name: whoami.akamai.net
    Addresses: 2620:0:ccb::76
    207.244.98.94


    ========================

    C:\Users\Administrator>netsh interface ipv4 show config

    Configuration for interface "WiFi"
    DHCP enabled: No
    IP Address: 192.168.1.200
    Subnet Prefix: 192.168.1.0/24 (mask 255.255.255.0)
    Default Gateway: 192.168.1.1
    Gateway Metric: 256
    InterfaceMetric: 40
    Statically Configured DNS Servers: 208.67.220.220
    208.67.222.222
    Register with which suffix: None
    Statically Configured WINS Servers: None

    Configuration for interface "Loopback Pseudo-Interface 1"
    DHCP enabled: No
    IP Address: 127.0.0.1
    Subnet Prefix: 127.0.0.0/8 (mask 255.0.0.0)
    InterfaceMetric: 75
    Statically Configured DNS Servers: None
    Register with which suffix: Primary only
    Statically Configured WINS Servers: None

    =========================

    C:\Users\Administrator>ver

    Microsoft Windows [Version 10.0.17134.706]

    =======================

    Let me know your ideas.  The PC still shows as pointing to OpenDNS, but still no filtering.

    "welcome.opendns.com" still says we are not using OpenDNS, despite the ip info.

  • yitzhak

    Also, have a look at this.  I had installed the OpenDNS Updater because our Verizon IP address is DHCP on the WAN side.  They seem to think it is pointing at OpenDNS.

  • rotblitz

    That looks strange.  If you cannot obtain the TXT records for debug.opendns.com, then you don't use OpenDNS, at least not consistently.  This is also shown in your screenshot of whatsmydnsserver.com where Leaseweb is being listed in addition to OpenDNS.  Also, 2620:0:ccb::76 is an OpenDNS address whereas 207.244.98.94 is not (it may be Leaseweb), so your DNS traffic seems to go different paths.

    After all, it seems something intercepts your DNS traffic.  It may be your router or your ISP.  What is your router, and what is your ISP?

    I'm running out of ideas here.  Your best bet is to open a support ticket, link "Submit a request" above, so that staff can investigate this.  They have much more opportunities than we other users.  If they provide you with a solution, please post it here, so that it helps others with the same issue.

  • yitzhak

    Hello, yes, it looks strange to me too when I saw the "Leaseweb" entry.

    Router/ISP is Verizon Fios with the G1100 router/bridge.

    I opened a ticket before posting here -- I still haven't gotten a reply from them.  I posted all the same info and screenshots.

    Just to recap:

    1.  I removed the DNS entries from the router (as a test).  I confirmed this by running a tracert with the router diagnostic tools -- ip addresses replied, but name resolution failed.

    2.  I manually set the DNS entries on the PC to OpenDNS servers as above.  

    3.  I tried Chrome, Edge and now Opera browsers (to make sure it wasn't a BHO or some such crap re-routing my DNS.  I know that was a tactic a while back).  All performed the same.

    Next step, I may try to sniff the network and look at UDP 53 and see where it is going/returning.  If it is going out to 208.67.222.222 but returning from a different IP then it is Verizon re-routing.  But why?
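
Added example, not code from this thread, from OpenDNS or from Avast: a small Python script that implements the two checks used above as offline logic, rotblitz's "no TXT records for debug.opendns.com means the query did not reach OpenDNS" and the packet-capture idea of comparing the address a query was sent to with the address the reply came from. It builds a wire-format TXT query, parses the reply (including compressed names) and classifies the query/reply pair. Every packet it handles is constructed inline, as is the 192.0.2.53 reply address (a TEST-NET-1 stand-in for "some other resolver"); the TXT record contents are placeholders, not real OpenDNS data.

```python
"""Offline DNS interception checks (added example; constructed packets only)."""
import struct

OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
QTYPE_A, QTYPE_TXT = 1, 16


def build_query(name, qtype, txid=0x1234):
    """Wire-format DNS query: 12-byte header with RD set, one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop in name")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # field ends after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Parse header, skip the question section, decode the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4                           # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT:               # sequence of length-prefixed strings
            value, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                value.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
        elif rtype == QTYPE_A:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata
        answers.append((name, rtype, value))
    # authority/additional sections (e.g. the SOA in a NODATA reply) are not needed here
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def classify(sent_to, reply_from, response):
    """Apply the thread's two checks to one query/reply pair."""
    if reply_from != sent_to:
        return "intercepted: reply came from %s, query was sent to %s" % (reply_from, sent_to)
    txt = [v for (_, t, v) in response["answers"] if t == QTYPE_TXT]
    if sent_to in OPENDNS_RESOLVERS and not txt:
        return "not reaching OpenDNS: no TXT records for debug.opendns.com"
    return "ok: %d TXT record(s) returned" % len(txt)


def make_response(query, txt_records):
    """Constructed reply to `query`: same id, QR/RD/RA flags, answers via a pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)
    answers = b""
    for rec in txt_records:
        rdata = bytes([len(rec)]) + rec.encode("ascii")
        answers += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return header + query[12:] + answers


QUERY = build_query("debug.opendns.com", QTYPE_TXT)
GOOD = make_response(QUERY, ["constructed sample record 1", "constructed sample record 2"])
EMPTY = make_response(QUERY, [])              # the "no TXT records" situation from the thread


def run_checks():
    """Three constructed scenarios: direct answer, empty answer, reply from a different address."""
    return {
        "direct": classify("208.67.220.220", "208.67.220.220", parse_response(GOOD)),
        "empty": classify("208.67.220.220", "208.67.220.220", parse_response(EMPTY)),
        "rerouted": classify("208.67.220.220", "192.0.2.53", parse_response(GOOD)),
    }


if __name__ == "__main__":
    for scenario, verdict in run_checks().items():
        print(scenario, "->", verdict)
```

On a live host the same `classify` logic would be fed from a capture of UDP port 53: the destination address of each outgoing query, the source address of the matching reply (same transaction id), and the reply payload. The "empty" scenario is the one in the nslookup output above, where the resolver answered with only an SOA and no TXT data.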

  • yitzhak

    Still fiddling with it and this is very troubling.

    I removed all the OpenDNS server entries and added the Google DNS 8.8.8.8 only to the IP settings.  I confirmed it's the only DNS server.

    This is what I got when I re-ran the test on whatsmydnsserver:

    I expected the Google DNS server to show up, but WTH is LeaseWeb and why are my DNS queries going there?

    I poked around and found out that Windows 10 does "Smart Multi-Homed Name Resolution" and disabled it (gpedit), but that LeaseWeb DNS server still shows up.  I'm not happy about this.  I am going to block that address range in the router and see what happens.

  • rotblitz

    Well, as I said, I assume that the interception is at a router or modem or ISP level.  If it's at the ISP level, then blocking IP address ranges on the router is meaningless.  And as you can see with the Google Public DNS experiment, this isn't an OpenDNS problem, but affects any 3rd party DNS service you would be using.

    Propagated response time to tickets is up to 72 hours on business days, sometimes more, so don't expect a response before mid/end of the coming week.

    In the meantime you may want to add to your ticket the results link of these diagnostics.  This may speed up the support process.

  • yitzhak

    Rotblitz-

    After an absurd amount of hair-pulling, cursing, and staying up until 3 am yesterday (because I began to think I had malware on my system) I finally figured out the culprit.  Avast SecureDNS.

    We use Avast on the home PC.  I disabled the SecureDNS feature and boom. 

    Avast does a simultaneous DNS check on all queries to ensure they are legit.  Great feature, until it's not.

    Thanks for your ideas, and I'll update the ticket with my finding.  This is something that I am sure affects many other people.  The "LeaseWeb" DNS is Avast's secure hosted DNS.  Nothing sinister.

  • rotblitz (Edited )

    Wow, what a surprise!  I certainly know about this issue with the Avast/AVG Secure DNS option, but the symptoms looked different before, therefore I didn't point this out now.  It has been reported and documented a lot before, see for example this (now outdated) knowledge base article.  It seems they changed the underlying technology a bit, so that the symptoms are different now.  Leaseweb was not involved before, and there were no simultaneous DNS lookups.  Good to know!
