OpenDNS is logging but not blocking
I configured our network and PC to use OpenDNS.
- nslookup reports that the system is pointed at 208.67.222.222 for lookups
- ipv6 is disabled on the system
- the OpenDNS dashboard reports that our network is registered
- dashboard also shows the logs of lookups from our network including domains that were blocked.
- going to "welcome.opendns.com" says we are NOT using OpenDNS!
the domains listed in the Dashboard are not being blocked even though the log says they are (??!!)
welcome.opendns.com says we aren't using OpenDNS even though all of our resolution requests are showing up in the logs in the Dashboard (???!!)
I've verified using whatsmydnsserver.com that we are pointed to the OpenDNS servers.
ipV6 is disabled
I have deleted the DNS server entries in our router (just in case) and verified the only DNS addresses are on this PC
Help? Attached are screen shots of various settings and info I've referred to. I'm at my wits' end. The PC is pointed correctly, and OpenDNS sees the requests, but thinks we are not.
-
It seems that you're using OpenDNS only randomly, not consistently, or only with certain devices. That means also that your stats and logs are not complete, but contain only the DNS queries having reached OpenDNS.
Copy & paste the complete plain text output of the following diagnostic commands to here, from the PC where the other outputs come from, so that I may see what the problem is.
nslookup -type=txt debug.opendns.com.
nslookup whoami.akamai.net.
netsh interface ipv4 show config
Also, what browser do you use on this PC?
-
Hello rotblitz
Thanks for the reply. A couple of things:
1. There is only one PC on this network. The only other devices are 3 TVs and 2 voip desktop phones. The PC is the only device that is doing "browsing". We do not use any other PCs or wifi phones on this network. All of the logging in the OpenDNS dashboard is from this PC. The TVs have DNS settings that are hardwired (we figured this out with the TVs when the router was misconfigured and they still were able to stream. The FortiNet phones don't use DNS, they point directly to the IP address of the phone system)
2. The OpenDNS logging on my dashboard shows the websites I am trying with the one PC.
3. Browser is Chrome or Edge on Windows 10.
Here are the results of your commands:
==============
C:\Users\Administrator>nslookup -type=txt debug.opendns.com.
Server:  resolver2.opendns.com
Address:  208.67.220.220

opendns.com
        primary name server = auth1.opendns.com
        responsible mail addr = noc.opendns.com
        serial  = 1555098324
        refresh = 16384 (4 hours 33 mins 4 secs)
        retry   = 2048 (34 mins 8 secs)
        expire  = 1048576 (12 days 3 hours 16 mins 16 secs)
        default TTL = 2560 (42 mins 40 secs)
====================
C:\Users\Administrator>nslookup whoami.akamai.net.
Server:  resolver2.opendns.com
Address:  208.67.220.220

Non-authoritative answer:
Name:    whoami.akamai.net
Addresses:  2620:0:ccb::76
          207.244.98.94
========================
C:\Users\Administrator>netsh interface ipv4 show config

Configuration for interface "WiFi"
    DHCP enabled:                         No
    IP Address:                           192.168.1.200
    Subnet Prefix:                        192.168.1.0/24 (mask 255.255.255.0)
    Default Gateway:                      192.168.1.1
    Gateway Metric:                       256
    InterfaceMetric:                      40
    Statically Configured DNS Servers:    208.67.220.220
                                          208.67.222.222
    Register with which suffix:           None
    Statically Configured WINS Servers:   None

Configuration for interface "Loopback Pseudo-Interface 1"
    DHCP enabled:                         No
    IP Address:                           127.0.0.1
    Subnet Prefix:                        127.0.0.0/8 (mask 255.0.0.0)
    InterfaceMetric:                      75
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
    Statically Configured WINS Servers:   None
=========================
C:\Users\Administrator>ver

Microsoft Windows [Version 10.0.17134.706]
=======================
Let me know your ideas. PC still shows as pointed to OpenDNS, but still no filtering.
"welcome.opendns.com" still says we are not using OpenDNS, despite the ip info.
-
That looks strange. If you cannot obtain the TXT records for debug.opendns.com, then you don't use OpenDNS, at least not consistently. This is also shown in your screen shot of whatsmydnsserver.com where Leaseweb is being listed in addition to OpenDNS. Also, 2620:0:ccb::76 is an OpenDNS address whereas 207.244.98.94 is not, it may be Leaseweb, so your DNS traffic seems to go different paths.
After all, it seems something intercepts your DNS traffic. It may be your router or your ISP. What is your router, and what is your ISP?
I'm running out of ideas here. Your best bet is to open a support ticket, link "Submit a request" above, so that staff can investigate this. They have many more possibilities than we other users. If they provide you with a solution, please post it here, so that it helps others with the same issue.
-
Hello, yes, it looks strange to me too when I saw the "Leaseweb" entry.
Router/ISP is Verizon Fios with the G1100 router/bridge.
I opened a ticket before posting here -- I still haven't gotten a reply from them. I posted all the same info and screenshots.
Just to recap:
1. I removed the DNS entries from the router (as a test). I confirmed this by running a tracert with the router diagnostic tools -- ip addresses replied, but name resolution failed.
2. I manually set the DNS entries on the PC to OpenDNS servers as above.
3. I tried Chrome, Edge and now Opera browsers (to make sure it wasn't a BHO or somesuch crap re-routing my DNS. I know that was a tactic a while back). All performed the same.
Next step, I may try to sniff the network and look at UDP 53 and see where it is going/returning. If it is going out to 208.67.222.222 but returning from a different IP then it is Verizon re-routing. But why.
-
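The two checks this thread relies on, the debug.opendns.com TXT lookup rotblitz asked for and the "who actually answers my UDP/53 query" idea in the post just above, can be done in one script without depending on the operating system's resolver at all. The script below is an added example, not code from the thread or from OpenDNS. It hand-builds a DNS TXT query, sends it straight to the OpenDNS resolver addresses named in the thread (208.67.222.222 and 208.67.220.220), parses the reply, and reports both the IP that answered and the TXT strings returned. The only assumption outside the thread is that OpenDNS's debug record set contains a string beginning with "server " (it has for years, but check against a known-good machine). Caveat a practitioner should keep in mind: an in-path interceptor usually spoofs the reply source address, so the source-IP check only catches sloppy interceptors; the content of the TXT answer is the stronger signal, which is exactly why an empty or NXDOMAIN answer for debug.opendns.com means the query never reached OpenDNS.

```python
"""Added example: detect DNS interception by querying OpenDNS directly.

Not from the original thread. Sends a raw DNS TXT query for
debug.opendns.com over UDP/53 to the resolver addresses the thread
names and reports who answered and what the TXT records say.
Assumption (not from the thread): OpenDNS's debug TXT set includes a
string starting with "server ".
"""
import os
import socket
import struct

OPENDNS_RESOLVERS = ("208.67.222.222", "208.67.220.220")  # from the thread
QNAME = "debug.opendns.com"
TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, zero terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """DNS header (RD=1, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_txt_answers(msg: bytes, expected_id: int):
    """Return (rcode, [txt strings]) from a response; reject a foreign txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch (spoofed or stray reply)")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                          # qtype + qclass
    txts = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_TXT:                # TXT rdata = series of <len><chars>
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            txts.append("".join(parts))
    return rcode, txts


def looks_like_opendns(txts) -> bool:
    """Assumed marker: OpenDNS's debug set names the answering resolver."""
    return any(t.startswith("server ") for t in txts)


def query_txt(resolver_ip: str, name: str = QNAME, timeout: float = 3.0):
    """Send the query by UDP; return (responder_ip, rcode, txt records)."""
    txid = struct.unpack("!H", os.urandom(2))[0]  # random id, as a resolver would
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, TYPE_TXT, txid), (resolver_ip, 53))
        data, (src_ip, _port) = s.recvfrom(4096)
    rcode, txts = parse_txt_answers(data, txid)
    return src_ip, rcode, txts


if __name__ == "__main__":
    for ip in OPENDNS_RESOLVERS:
        try:
            src, rcode, txts = query_txt(ip)
        except (OSError, ValueError) as exc:
            print(f"sent to {ip}: no usable answer ({exc})")
            continue
        verdict = "OpenDNS" if looks_like_opendns(txts) else "NOT OpenDNS (intercepted?)"
        print(f"sent to {ip}, answered by {src}, rcode={rcode}: {verdict}")
        for t in txts:
            print("   ", t)
```

Run it on the affected PC and on a machine known to resolve through OpenDNS, then compare. On a healthy host both resolver addresses answer with the "server ..." record; an empty answer set, NXDOMAIN, or a reply whose source is not the address you sent to is the interception symptom the thread is chasing, and it shows up the same way whether the interceptor is the ISP, the router, or security software on the host itself.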
Still fiddling with it and this is very troubling.
I removed all the OpenDNS server entries and added the google dns 8.8.8.8 only to the IP settings. I confirmed it's the only DNS server.
This is what I got when I re-ran the test on whatsmydnsserver:
I expected the Google DNS server to show up, but WTH is LeaseWeb and why are my DNS queries going there?
I poked around and found out that Windows 10 does "Smart Multi-Homed Name Resolution" and disabled it (gpedit) but that LeaseWeb DNS server still shows up. I'm not happy about this. I am going to block that address range in the router and see what happens -
Well, as I said, I assume that the interception is at a router or modem or ISP level. If it's at the ISP level, then blocking IP address ranges on the router is meaningless. And as you can see with the Google Public DNS experiment, this isn't an OpenDNS problem, but affects any 3rd party DNS service you would be using.
Propagated response time to tickets is up to 72 hours on business days, sometimes more, so don't expect a response before mid/end of the coming week.
In the meantime you may want to add to your ticket the results link of these diagnostics. This may speed up the support process.
-
Rotblitz-
After an absurd amount of hairpulling, cursing, and staying up until 3 am yesterday (because I began to think i had malware on my system) I finally figured out the culprit. Avast SecureDNS.
We use Avast on the home PC. I disabled the SecureDNS feature and boom.
Avast does a simultaneous DNS check on all queries to ensure they are legit. Great feature, until it's not.
Thanks for your ideas, and I'll update the ticket with my finding. This is something that I am sure affects many other people. The "LeaseWeb" DNS is Avast's secure hosted DNS. Nothing sinister. -
Wow, what a surprise! I certainly know about this issue with the Avast/AVG Secure DNS option, but the symptoms looked different before, therefore I didn't point this out now. It has been reported and documented a lot before, see for example this (now outdated) knowledge base article. It seems they changed the underlying technology a bit, so that the symptoms are different now. Leaseweb was not involved before, and there were no simultaneous DNS lookups. Good to know!