Open DNS Filtering Not Working

Comments

14 comments

  • rotblitz

    Copy & paste the complete plain text output of the following diagnostic commands to here:
    nslookup -type=txt debug.opendns.com.
    nslookup whoami.akamai.net.
    nslookup www.exampleadultsite.com.

    0
  • ed.k

    C:\Users\edk>nslookup -type=txt debug.opendns.com
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    opendns.com
    primary name server = auth1.opendns.com
    responsible mail addr = noc.opendns.com
    serial = 1567446110
    refresh = 16384 (4 hours 33 mins 4 secs)
    retry = 2048 (34 mins 8 secs)
    expire = 1048576 (12 days 3 hours 16 mins 16 secs)
    default TTL = 2560 (42 mins 40 secs)

    C:\Users\edk>nslookup whoami.akamai.net
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    Name: whoami.akamai.net
    Address: 69.252.244.149


    C:\Users\edk>nslookup www.exampleadultsite.com
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    Name: www.exampleadultsite.com
    Address: 146.112.255.155

    C:\Users\edk>nslookup www.pornhub.com
    Server: resolver1.opendns.com
    Address: 208.67.222.222

    Non-authoritative answer:
    Name: pornhub.com
    Address: 66.254.114.41
    Aliases: www.pornhub.com

    0
  • rotblitz

    You are not using OpenDNS, but Comcast’s DNS service. You must call Comcast to opt out from this DNS redirection.

    0
  • ed.k

    I don't understand - everything above shows that I'm using OpenDNS - where do you see Comcast?

     

    0
  • rotblitz (Edited)

    Nothing shows you're using OpenDNS; quite the contrary. The evidence:

    1. A TXT request for debug.opendns.com returns NXDOMAIN and an SOA record for opendns.com. This is returned if OpenDNS is not being used. OpenDNS would return a bunch of TXT records in this case.
    2. Querying the diagnostic domain whoami.akamai.net reveals 69.252.244.149 as the source of the DNS query, which is a Comcast-owned IP address, not an OpenDNS IP address, showing that the query came from Comcast, not from OpenDNS.

    If you need further proof, visit the test site http://welcome.opendns.com/
    or see the output of "nslookup -type=txt which.opendns.com.".

    Again, your DNS traffic is being redirected.  You must call your ISP to opt out from this redirection.

    1
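
The two checks rotblitz lists above (the TXT answer for debug.opendns.com and the query source reported by whoami.akamai.net) can be run over saved nslookup output. This is an added example, not part of the thread; the sample outputs are abridged from ed.k's and fnovak313's posts, and the ranges in ASSUMED_OPENDNS_NETS are an assumption to verify against OpenDNS's published list.

```python
import ipaddress
import re

# Assumption: ranges treated as OpenDNS resolver egress addresses; confirm
# them against OpenDNS's published list before trusting the verdict.
ASSUMED_OPENDNS_NETS = ("208.67.216.0/21", "146.112.0.0/16")

def debug_txt_fields(output):
    """Map each quoted TXT string ("server r6.prg1") to key -> value."""
    return dict(s.split(" ", 1) for s in re.findall(r'"([^"]+)"', output) if " " in s)

def answer_addresses(output):
    """IP addresses listed after 'Non-authoritative answer:' (skips the Server block)."""
    found = []
    for token in output.partition("Non-authoritative answer:")[2].split():
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # "Name:", hostnames, "Addresses:" and similar labels
    return found

def diagnose(debug_out, whoami_out, nets=ASSUMED_OPENDNS_NETS):
    """Apply the two checks described in the thread; return a list of findings."""
    findings = []
    if "server" not in debug_txt_fields(debug_out):
        got = "an SOA record" if "primary name server" in debug_out else "no TXT data"
        findings.append(f"debug.opendns.com returned {got}: query not answered by OpenDNS")
    networks = [ipaddress.ip_network(n) for n in nets]
    for ip in answer_addresses(whoami_out):
        if ip.version == 4 and not any(ip in net for net in networks):
            findings.append(f"whoami.akamai.net saw the query come from {ip}: outside expected ranges")
    return findings

# Sample outputs abridged from the thread (ed.k, then fnovak313).
ED_K_DEBUG = ("Server: resolver1.opendns.com\nAddress: 208.67.222.222\n\n"
              "opendns.com\nprimary name server = auth1.opendns.com\n")
ED_K_WHOAMI = ("Server: resolver1.opendns.com\nAddress: 208.67.222.222\n\n"
               "Non-authoritative answer:\nName: whoami.akamai.net\nAddress: 69.252.244.149\n")
FNOVAK_DEBUG = ('debug.opendns.com text =\n\n"server r6.prg1"\n'
                'debug.opendns.com text =\n\n"source 46.13.45.172:34985"\n')
FNOVAK_WHOAMI = ("Server: Comtrend.Home\nAddress: 10.0.0.138\n\nNon-authoritative answer:\n"
                 "Name: whoami.akamai.net\nAddresses: 2a04:e4c0:15::69\n146.112.129.69\n")

if __name__ == "__main__":
    for who, dbg, whoami in (("ed.k", ED_K_DEBUG, ED_K_WHOAMI),
                             ("fnovak313", FNOVAK_DEBUG, FNOVAK_WHOAMI)):
        print(who, diagnose(dbg, whoami) or "both checks consistent with OpenDNS")
```

An empty result means only that the queries reached OpenDNS; it does not show that any filtering settings are being applied to them.
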
  • ed.k

    ok - that makes sense now

    I wasn't sure how Comcast could be intercepting those DNS requests

    But apparently they turned on something called "Advanced Security"

    I went into my xFi settings and disabled it.

    I have a router sitting behind their modem, so apparently they are able to tweak settings on my behalf.

    Here's a screenshot for anyone down the road who might run into this - Under Network / Security

    0
  • rotblitz

    Great!  I think I have heard about this already before.
    And a similar issue is described at https://support.opendns.com/hc/en-us/articles/227988687

    And I've also seen cases where Comcast interfered with the DNS traffic for redirection - apparently not in your case.

    0
  • denmarkten

    Hi - please can someone help me too. The filtering was working for several years. I have recently upgraded my internet service with Utility Warehouse and now, even though I have my filtering set to high, porn sites etc. are visible.

    Please can someone help me resolve this. Thanks

    0
  • rotblitz

    Ok, I’m waiting for the information I have asked for above.

    0
  • fnovak313

    Hello, thank you rotblitz for posting this answer. I tried the command you recommended and got this:

    debug.opendns.com text =

    "server r6.prg1"
    debug.opendns.com text =

    "flags 40020 0 70 180000000000000000007950800000000000000"
    debug.opendns.com text =

    "originid 0"
    debug.opendns.com text =

    "orgflags 2000000"
    debug.opendns.com text =

    "actype 0"
    debug.opendns.com text =

    "source 46.13.45.172:34985"

    C:\Users\filip>nslookup whoami.akamai.net.
    Server: Comtrend.Home
    Address: 10.0.0.138

    Non-authoritative answer:
    Name: whoami.akamai.net
    Addresses: 2a04:e4c0:15::69
    146.112.129.69


    C:\Users\filip>nslookup www.exampleadultsite.com.

    Could you please point me to what is wrong with my OpenDNS? It doesn't filter at all.

    Thank you!

    Filip

    0
  • stonelar

    I'm having the same problem as described in this thread. Here are my query results:

    nslookup -type=txt debug.opendns.com
    Server: RT-AX82U-22F0
    Address: 10.0.0.1

    Non-authoritative answer:
    debug.opendns.com text =

    "server m55.lax"
    debug.opendns.com text =

    "flags 40020 0 50 180000000000000000003B504027F00F11896F3"
    debug.opendns.com text =

    "originid 526481053"
    debug.opendns.com text =

    "actype 2"
    debug.opendns.com text =

    "bundle 13172242"
    debug.opendns.com text =

    "source 76.221.173.243:41196"

    =================================================

    nslookup whoami.akamai.net
    Server: RT-AX82U-22F0
    Address: 10.0.0.1

    Non-authoritative answer:
    Name: whoami.akamai.net

    Address: 162.253.68.178

    =================================================

    nslookup www.exampleadultsite.com
    Server: RT-AX82U-22F0
    Address: 10.0.0.1

    Non-authoritative answer:
    Name: www.exampleadultsite.com
    Addresses: ::ffff:146.112.61.106
    146.112.255.155

    =================================================

    nslookup -type=txt which.opendns.com
    Server: RT-AX82U-22F0
    Address: 10.0.0.1

    Non-authoritative answer:
    which.opendns.com text =

    "r2001.lax"

     

    More info: When I try welcome.opendns.com I also get the big red "X" indicating that my configuration is not working with OpenDNS. Furthermore, I have an ASUS router which is successfully registered with DNS-O-Matic and it's updating my dynamic IP on a regular basis.

    Please help!

    1
  • stonelar (Edited)

    I think I may have solved my problem (above) by setting up "Firewall - Network Services Filter" rules on my router. This is something I tried before and it didn't work, but this time it seems I have all the puzzle pieces, and it's working. Here is the "deny" list I made in my (Asus) router config:

    P.S. I spoke too soon :( now it's back to not working again for unknown reasons. It was working fine for a couple of minutes though, which is more than I could ever get it to work before. Maybe I'm having the same issue as that Comcast person who needed to call his ISP.

    P.P.S. My phone is showing positive working results, but my computer isn't. It's almost as if as soon as I opened the welcome.opendns.com page on my phone, my desktop stopped working... or is that a coincidence?

    0
  • johnstest

    I am in the same boat. Here are my query results:

    nslookup -type=txt debug.opendns.com.
    Server:  UnKnown
    Address:  192.168.1.1

    opendns.com
            primary name server = auth1.opendns.com
            responsible mail addr = noc.opendns.com
            serial  = 1670087805
            refresh = 16384 (4 hours 33 mins 4 secs)
            retry   = 2048 (34 mins 8 secs)
            expire  = 1048576 (12 days 3 hours 16 mins 16 secs)
            default TTL = 2560 (42 mins 40 secs)

    nslookup whoami.akamai.net.
    Server:  UnKnown
    Address:  192.168.1.1

    Non-authoritative answer:
    Name:    whoami.akamai.net
    Address:  204.17.177.153


    nslookup www.exampleadultsite.com.
    Server:  UnKnown
    Address:  192.168.1.1

    Non-authoritative answer:
    Name:    www.exampleadultsite.com
    Address:  146.112.255.155

    0
  • johnstest

    Except in my case, the filtering is working on our 2.4 GHz network, but not this 5 GHz network.

    0