Blacklist Domains Not Being Blocked

Comments

20 comments

  • Avatar
    rotblitz

    Where is this "blacklist" where you added example.com?  Are you sure this is the Netgear LPC dashboard at https://netgear.opendns.com/, or is it the OpenDNS Home dashboard at https://dashboard.opendns.com/, or is it even something different?

    Netgear LPC and OpenDNS Home are incompatible services.  You can just use one of them at any time.

  • Avatar
    pawelsoft

    Hi rotblitz, thanks for your follow-up.

    The Blacklist settings I'm talking about are here:

    netgear.opendns.com (Parental Controls) --> Account Settings (top right of web page) --> Blacklist/Whitelist tab (next to Time Zone tab)

    Screenshot below:

  • Avatar
    rotblitz

    That looks right.  However, your IP address could still be registered with another OpenDNS Home user's network which confuses the system and delivers inconsistent and confusing results.  The command:

    nslookup -type=txt debug.opendns.com.

    would show this.  If the fields "originid", "actype" and "bundle" are not all zero, then you're partially using another user's settings.

    It could also be you.  Visit https://dashboard.opendns.com/settings/ to ensure that you don't have a network with your IP address defined.

  • Avatar
    pawelsoft (Edited )

    Thank you, rotblitz.

    Using Linux, the results of your command are

    Server: 127.0.0.53
    Address: 127.0.0.53#53

    Non-authoritative answer:
    *** Can't find debug.opendns.com: No answer

    Even using Windows (on VPN) I was unable to see the "originid", "actype", and "bundle" fields you mentioned.

    Some interesting observations, though:

    1. From another thread, you mentioned "device_id=" in the URL might refer to a MAC address. I confirmed the one in my URL is not my router's MAC address, and I don't know how it was assigned. Should it be changed?
    2. After LPC failing to Blacklist the sites, I tried setting up another Blacklist via the OpenDNS Home Dashboard (without disabling LPC). This failed as well. I then disabled LPC but maintained the network and Blacklist settings in OpendDNS Home Dashboard. This also failed to block the blacklisted domains.
      You mentioned the two services are incompatible. So...

    If my goal is to block the sites I want blacklisted, and I'm indifferent to using LPC or Dashboard, how would you recommend I proceed?

    Thanks!

  • Avatar
    rotblitz

    You got a timeout from your internal DNS server 127.0.0.53.  Try again:

    nslookup -type=txt -timeout=12 debug.opendns.com.

    LPC and OpenDNS Home are incompatible.  You can use only one service at any time.

  • Avatar
    pawelsoft (Edited )
    > nslookup -type=any -timeout=24 debug.opendns.com.
    Server: 127.0.0.53
    Address: 127.0.0.53#53

    Non-authoritative answer:
    debug.opendns.com rdata_99 = ""

    The result above is the same for any combination of type or timeout.

    Alternatively,

    > nslookup -type=any -timeout=24 debug.opendns.com. 208.67.220.220
    Server: 208.67.220.220
    Address: 208.67.220.220#53

    Non-authoritative answer:
    debug.opendns.com text = "server mXX.nyc"

    with varying XX. There is still no output for originid, actype, or bundle.

    Thank you for your help, rotblitz. I understand the two services are incompatible. I am on this forum because neither one is working for me.

    If my goal is to block the sites I want blacklisted, and I'm indifferent to using LPC or OpenDNS Home Dashboard, how would you recommend I proceed?

  • Avatar
    rotblitz (Edited )

    Currently your internal DNS server at 127.0.0.53 does not forward DNS traffic to your router's IP address at all, or is not configured to obtain the forwarder addresses via DHCP.  The problem is on your computer.  Therefore you don't use neither of the services.
    Check it at http://welcome.opendns.com/

    Regarding the service to use, I do not have a special recommendation.  It depends on what service features you want to use.  OpenDNS Home comes with stats and logs, Netgear LPC comes with bypass accounts and time scheduled blocking of domain categories, but no stats and logs.

  • Avatar
    pawelsoft (Edited )

    Thank you, rotblitz.

    http://welcome.opendns.com/ states I'm using OpenDNS. After following the Netgear LPC setup instructions, the router auto-configured the DNS servers to use OpenDNS.
    The only step I skipped was setting up a bypass account. I want no exceptions to the filtering rules.

    Respectfully, I don't understand why you say the problem is with the devices on the network. My understanding is that all devices using the router have no choice but to accept what the router serves up to them. Otherwise, how can the filtering service work?

    As I stated, I am only interested in the Blacklist feature functioning properly, and I have no preference between OpenDNS Home and Netgear LPC. I just want either one to work.

  • Avatar
    rotblitz

    "I don't understand why you say the problem is with the devices on the network."

    Because your command outputs returned things I've never seen before.  The outputs indicated you not using OpenDNS or LPC.

    "My understanding is that all devices using the router have no choice but to accept what the router serves up to them."

    This is not the default.  Normally devices' DNS settings overwrite router DNS settings unless the router has special measures to prevent this from happening.  The good news is that LPC pretends to prevent from using alternative DNS services configured on the end user devices.  With OpenDNS Home you would have to configure prevention of outbound port 53 passthrough traffic.

    "I am only interested in the Blacklist feature functioning properly, and I have no preference between OpenDNS Home and Netgear LPC"

    You can achieve this with any of these two services.

    But back to your original issue: are the blacklisted domains now being blocked as should be?

  • Avatar
    pawelsoft (Edited )

    No, the blacklisted domains are not being blocked.

    To summarize, I have LPC enabled on the router by following the site's instructions. Doing so automatically populated the router's DNS servers to OpenDNS. I confirmed I do not also have a network set up via OpenDNS Home Dashboard. Additionally, I have cleared the DNS cache on all devices.
    welcome.opendns.com states I am using OpenDNS, and the nslookup command returns text "server mXX.nyc" (but only when 208.67.220.220 is appended to the end of the command you provided).

    From your replies, I'm guessing it's possible my local devices are "using alternative DNS services configured on the end user devices", although in my opinion that would be unlikely, since they're using "automatic" settings and I've cleared the DNS resolver caches. No special settings are configured in the router. However, I do not understand the significance of 127.0.0.53 in the output, or device_id=0000A32AA4CF4951 in the LPC settings URL.

  • Avatar
    rotblitz (Edited )

    This is really a tricky thing.  I'm not a Linux expert, but your issue seems to have to do with it.  You may want to read through some articles of this search result list.  Especially, check the current content of /etc/resolv.conf.  The goal is that all DNS queries are being forwarded to the private IP address of your Netgear router.  Currently the DNS queries seem to find their own way to OpenDNS.

    If all of this does not help, you better open a support ticket, link "Submit a request" above, so that staff can propose configuration on your computer and also may check the inconsistency regarding the device ID (MAC address) of your router and in your LPC account.

    Edit:
    Just seeing that you queried -type=any in the commands above.  This is not correct.  The domain debug.opendns.com just holds (or better: generates) TXT records.  Only with -type=txt a meaningful output is being obtained.

  • Avatar
    pawelsoft

    Thank you for the suggestions, rotblitz.

    I appreciate you giving me a head start on researching the settings on my Linux laptop. However, it's worth noting that no device on the LAN (including iOS, Android, Roku, Xbox, etc.) obey the Netgear LPC blacklist. While I don't doubt the settings on the laptop may need to be adjusted, I find it difficult to believe that every device's default settings are to bypass the router's DNS settings. That would make Parental Controls effectively useless, since children's devices won't be affected by the filtering. I really think the problem is either with the Router or with the Netgear LPC settings.

    It's frustrating to follow setup instructions and not have the product/service work as advertised, with no customer service number to call.

    What is the mean response time for open support tickets? Also, are you absolutely sure the device_id in the URL should match the router MAC?

  • Avatar
    rotblitz (Edited )

    "I find it difficult to believe that every device's default settings are to bypass the router's DNS settings."

    Who said this?  This is not true for Netgear LPC.  I rather assume you're using OpenDNS Home in parallel which does not work with Netgear LPC.  However, I'm not really able to help, as you do your own thing instead of providing the information I asked for, posting ANY instead of TXT outputs.

    Response time for tickets is up to 72 hours on business days, sometimes longer.  And I would expect the device ID in the URL to be the same as the device ID of your device.

  • Avatar
    pawelsoft (Edited )

    After further research, I noticed that many devices automatically obtain DNS settings via DHCP upon connecting for the first time, and then "cache" those settings locally for usage thereafter. This means that even after changing DNS servers on the router, the local devices retain the original settings, pre-change. And so, my hypothesis is that all newly-connected devices will obey the settings, while devices that had been on the LAN pre-change will not (i.e. they will "bypass" the new settings).

    This was known to me from the start, but...

    https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache-
    This article describes the process to clear the DNS cache, but I determined that the instructions for Linux are outdated and/or incorrect. Furthermore, they omitted iOS, Android, Roku, and other devices.
    In general, for any device, the correct solution is to first change router DNS/LPC settings, then remove/forget the network connection completely on the local devices and then re-connect from scratch (aka input network password). The default Automatic (DHCP) settings are OK. A rule-of-thumb is that if you're not required to input the network password upon re-connection (as opposed to saved password), then the information related to that network connection wasn't fully deleted from the device.

    UPDATE: The above steps did not solve the problem. Blacklisted domains are still not being blocked.

  • Avatar
    pawelsoft

    After setting up Netgear LPC from scratch and clearing all device DNS caches, no device on the LAN (including iOS, Android, Roku, Xbox, etc.) obey the Netgear LPC blacklist.

    I'm interested in hearing from someone who has successfully utilized the Netgear LPC blacklist:
    1. Does "device_id=0000XXXXXXXXXXXX" in the LPC settings URL correspond with your router's MAC address?
    2. What is the output for the blacklisted domain when using the Diagnostic commands found here:
    https://support.umbrella.com/hc/en-us/articles/234692027

  • Avatar
    rotblitz (Edited )
    1. I don't have a Netgear router, but yes.
    2. See https://support.umbrella.com/hc/en-us/articles/115001357688

    And again, if you post the correct command outputs, not ANY but TXT, I may be able to tell you more.

  • Avatar
    pawelsoft (Edited )

    Here we go; Windows 10 PC with flushed DNS cache and fresh connection to Wi-Fi network:

    > nslookup -timeout=12 -type=txt debug.opendns.com.
    Server: cdns01.comcast.net
    Address: 2001:558:feed::1

    opendns.com
    primary name server = auth1.opendns.com
    responsible mail addr = noc.opendns.com
    serial = 1557758955
    refresh = 16384 (4 hours 33 mins 4 secs)
    retry = 2048 (34 mins 8 secs)
    expire = 1048576 (12 days 3 hours 16 mins 16 secs)
    default TTL = 2560 (42 mins 40 secs)

    > nslookup -timeout=12 -type=txt debug.opendns.com. 208.67.222.222
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    debug.opendns.com
    text = "server m57.nyc"
    debug.opendns.com
    text = "flags 20 0 8050 180000000000000000003950000000000000000"
    debug.opendns.com
    text = "originid 262214932"
    debug.opendns.com
    text = "actype 2"
    debug.opendns.com
    text = "bundle 12010518
    debug.opendns.com
    text = "source 73.149.250.101:57909"

    With -port=5353, similar output with minor differences:

    Non-authoritative answer:
    debug.opendns.com
    text = "server m29.nyc"
    debug.opendns.com
    text = "source 73.149.250.101:49662"

    With -port=443, similar output with minor differences:

    Non-authoritative answer:
    debug.opendns.com
    text = "server m49.nyc"
    debug.opendns.com
    text = "source 73.149.250.101:56999"

    Note doubleclick.net is an example of a domain I blacklisted, but only the second command below correctly reflects the "Domain List Block Page" IP address. I fear my ISP (Xfinity/Comcast) is engaged in DNS redirection/hijacking.

    > nslookup doubleclick.net
    Server: cdns01.comcast.net
    Address: 2001:558:feed::1

    Non-authoritative answer:
    Name: doubleclick.net
    Addresses: 2607:f8b0:4006:800::200e
    172.217.12.174

    >nslookup doubleclick.net 208.67.222.222
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    Name: doubleclick.net
    Addresses: 146.112.61.104
    146.112.61.104
  • Avatar
    rotblitz

    Well, this is the DNS service you're using:

        Server: cdns01.comcast.net
        Address: 2001:558:feed::1

    This is not OpenDNS and not LPC, but Comcast's DNSv6 service.  Netgear clearly said that LPC is not supported with IPv6.  That is why your settings cannot take effect, because you don't use any of the services.  It could be that it works if you disable IPv6 on the router altogether.

    Another command output indicates that you do not have LPC enabled, but that you're using OpenDNS Home.  Not sure if this is because of IPv6 too.

    And regarding doubleclick.net, as soon as you explicitly specify OpenDNS' resolver, the block page address (146.112.61.104) is being returned, so it would work if you used either OpenDNS or LPC.

    And forget your theory about DHCP.  OpenDNS or LPC is configured on the WLAN side, not on the LAN/DHCP side.  You do not need to undergo the efforts you have described above.  Clearing the caches may still be useful once after a settings change though.

  • Avatar
    pawelsoft (Edited )

    Upon enabling LPC, the OpenDNS servers were automatically populated under IPv4 and IPv6 DNS settings.
    I really have no idea why Comcast DNS servers are being used. An internet search leads me to believe that Comcast no longer uses their "Domain Helper Service", a form of redirection/hijacking.

    Unfortunately, the C7000 router has no way to disable IPv6.
    Entering the long version of

    ::ffff:d043:dede
    ::ffff:d043:dcdc

    results in an error: "The primary DNS server is not valid. It has to be a global unicast address."

    However, content filtering appears to be available using IPv6 now:
    https://support.umbrella.com/hc/en-us/articles/230563727
    https://support.opendns.com/hc/en-us/articles/227986667-Does-OpenDNS-Support-IPv6-

  • Avatar
    rotblitz

    This is correct for Umbrella, but not for OpenDNS.  From the KB article:

    Currently, it is not possible for users to register IPv6 addresses in the OpenDNS Dashboard. Custom content filtering cannot be set for IPv6 traffic.

Please sign in to leave a comment.