This discussion has been inactive for longer than 30 days, and is thus closed.
  1.  permalink
    About two weeks ago I noticed that websites are not being blocked anymore (I have pornography, weapons etc. blocked). I reset my router (Netgear DG834) and changed to my ISP's DNS (choosing the "Get Automatically From ISP" option). I tried to change back a week later to OpenDNS but nothing had changed, the websites are not being blocked anymore. It is also strange to see that when I visit "http://www.opendns.com/welcome", I get the oops you aren't using OpenDNS yet. These are the DNS addresses I have on my router:
    1) Primary DNS : 208.67.222.222
    2) Secondary DNS : 208.67.220.220
    They are exactly like they should be. I have not changed anything, the service stopped randomly. I am using the OpenDNS Updater at the latest version. My dynamic IP changes and is updated in OpenDNS but the service is still not working.

    Further info:
    Windows 7 Ultimate 32-Bit
    Netgear DG834

    Thanks in advance.
    • CommentAuthor: leosin
    • CommentTime: May 17th 2012
    I have noticed the same with my OpenDNS account. I still have the same settings for blocking specific websites, however these sites are no longer blocked by the OpenDNS service.
    Any comment/help will be welcome.

    Thanks,
    • CommentAuthor: rotblitz
    • CommentTime: May 17th 2012 (edited)
    @oneeyedsnake
    The test page is http://welcome.opendns.com/
    To see if you could use OpenDNS, post the complete plain text output of the following commands here:
    nslookup -type=txt which.opendns.com. 208.67.222.222
    ipconfig /all

    @leosin
    I do not respond to people hi-jacking threads. You *never* have the same problem, it is *your* problem. :angry:
  2.  permalink
    Thanks for the quick reply. Here's the requested information. I still get the "oops you're not using OpenDNS yet" message.

    nslookup -type=txt which.opendns.com. 208.67.222.222
    DNS request timed out.
    timeout was 2 seconds.
    Server: UnKnown
    Address: 208.67.222.222

    Non-authoritative answer:
    which.opendns.com text =

    "I am not an OpenDNS resolver."

    ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : HP-Laptop
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Wireless LAN adapter Wireless Network Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
    Physical Address. . . . . . . . . : 00-81-7B-37-3C-E0
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::f490:dc0b:c1d5:4934%11(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.0.6(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Thursday, May 17, 2012 7:16:05 PM
    Lease Expires . . . . . . . . . . : Friday, May 18, 2012 7:16:08 PM
    Default Gateway . . . . . . . . . : 192.168.0.1
    DHCP Server . . . . . . . . . . . : 192.168.0.1
    DHCPv6 IAID . . . . . . . . . . . : 218112363
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-82-B4-3F-00-23-8B-26-0F-7F

    DNS Servers . . . . . . . . . . . : 208.67.222.222
    208.67.220.220
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
    Physical Address. . . . . . . . . : "removed"
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{A233AD24-4DD8-492A-9BFF-ABB0B392A957}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 29:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:307a:895:3f57:fff9(Preferred)
    Link-local IPv6 Address . . . . . : fe80::307a:895:3f57:fff9%35(Preferred)
    Default Gateway . . . . . . . . . : ::
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{EC774BA0-B68B-4091-8237-7C63D46CED95}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{BC476051-5C8A-4359-A938-4FD8A80BC14C}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{641ABB60-EE82-4A7D-83E0-3646D4C37208}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{67C32859-BBA4-4835-8014-8F0CFA41D55A}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes


    Thanks again.
    • CommentAuthor: rotblitz
    • CommentTime: May 17th 2012
    "I am not an OpenDNS resolver."

    No, you cannot use OpenDNS via the normal way over port 53, because your ISP redirects your DNS lookups to their DNS service.

    You still may try to use OpenDNS over port 443 or 5353.
    For using port 443 install DNSCrypt and select "DNSCrypt over TCP/443".
    For using port 5353 see http://forums.opendns.com/comments.php?DiscussionID=6021#Item_30
  3.  permalink
    Thanks again for the quick reply. When I enable the DNSCrypt over TCP/443 option, I lose internet connectivity, i.e. the browser gives a DNS error. DNSCrypt displays "protected" and "using DNSCrypt" when I choose that option. If I uncheck it, I get an "unprotected" message but internet is working again. I understand that this problem is from my ISP's end, is there a way round it? Do all DNS requests have to go through my ISP even if I am using a different DNS provider? Lastly, does this option mean I cannot implement OpenDNS on all devices in the network, "iPads, PS3" etc.? The DeleGate seems a little too much to be honest, it seems pointless to have to do all of this for every device.

    One more thing, does my current situation mean I am still using my ISP's DNS even though I have OpenDNS settings on my router?

    Again, thanks for your help.
    • CommentAuthor: rotblitz
    • CommentTime: May 18th 2012
    "When I enable the DNSCrypt over TCP/443 option, I lose internet connectivity, i.e. the browser gives a DNS error."

    See if you can use port 443 at all:
    nslookup -port=443 -type=txt which.opendns.com. 208.67.220.220
    nslookup -port=443 -vc -type=txt which.opendns.com. 208.67.220.220

    "I understand that this problem is from my ISP's end, is there a way round it?"

    I have pointed to the ways around it. An alternative would be to change the ISP or the ISP's product. Btw, what is this?

    "Do all DNS requests have to go through my ISP even if I am using a different DNS provider?"

    *All* traffic, not DNS requests alone, goes through your ISP, because it is your ISP providing you with internet access.

    "Lastly, does this option mean I cannot implement OpenDNS on all devices in the network, "iPads, PS3" etc.?"

    Sure, you can, if you find a way to use OpenDNS at all. Run an internal DNS server with OpenDNS as forwarder addresses and all devices pointing their DNS to it.

    "The DeleGate seems a little too much to be honest, It seems pointless to have to do all of this for every device."

    No, just on one computer. You point all other devices to this one computer which now serves as DNS server and forwarder.
    See if you can use port 5353 at all:
    nslookup -port=5353 -type=txt which.opendns.com. 208.67.220.220
    nslookup -port=5353 -vc -type=txt which.opendns.com. 208.67.220.220

    "does my current situation mean I am still using my ISP's DNS even though I have OpenDNS settings on my router?"

    Yes, you say it, as long as the nslookup commands above return "I am not an OpenDNS resolver" and http://welcome.opendns.com/ returns "Oops!" or so.
  4.  permalink
    This is what I get:

    nslookup -port=443 -type=txt which.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Non-authoritative answer:
    which.opendns.com text =

    "I am not an OpenDNS resolver."

    nslookup -port=443 -vc type=txt which.opendns.com. 208.67.220.220
    Usage:
    nslookup [-opt ...] # interactive mode using default server
    nslookup [-opt ...] - server # interactive mode using 'server'
    nslookup [-opt ...] host # just look up 'host' using default server
    nslookup [-opt ...] host server # just look up 'host' using 'server'

    nslookup -port=443 -type=txt which.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Non-authoritative answer:
    which.opendns.com text =

    "I am not an OpenDNS resolver."

    nslookup -port=5353 -type=txt which.opendns.com. 208.67.220.220
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Non-authoritative answer:
    which.opendns.com text =

    "I am not an OpenDNS resolver."

    nslookup -port=5353 -vc type=txt which.opendns.com. 208.67.220.220
    Usage:
    nslookup [-opt ...] # interactive mode using default server
    nslookup [-opt ...] - server # interactive mode using 'server'
    nslookup [-opt ...] host # just look up 'host' using default server
    nslookup [-opt ...] host server # just look up 'host' using 'server'

    What are you referring to "Btw, what is this?" ?
    If I run an internal DNS server, that means I have to have that machine on all the time right?

    Thanks again.

    One more thing, do these ports rely on my router? Do I have to open these ports on my router?

    Is what my ISP doing referred to as "DNS-Hijacking"?
    • CommentAuthor: rotblitz
    • CommentTime: May 18th 2012 (edited)
    "I am not an OpenDNS resolver."

    You can't use OpenDNS in any way. You can stop any further efforts as long as you have this kind of internet connection.

    (And your nslookup command doesn't support the -vc parameter for whatever reason. But no worries.)

    "What are you referring to "Btw, what is this?" ?"

    I meant what ISP and what ISP product (internet connection type) you have.

    "If I run an internal DNS server, that means I have to have that machine on all the time right?"

    Yes, you would have to run it all the time. But you don't need it, you can't use OpenDNS anyway currently.

    "One more thing, do these ports rely on my router? Do i have to open these ports on my router?"

    Outbound ports are almost open on home routers. Also in your case. No need to open something.

    "IS what my ISP doing referred to as "DNS-Hijacking" ?"

    One could express it this way, although DNS hi-jacking describes a different scenario, i.e. a hacker catching your DNS lookups to feed you with DNS responses which redirect you to a malicious server.
    • CommentAuthor: Red Prince
    • CommentTime: May 19th 2012
    Ask your ISP why they do not allow you to use the DNS of your choice? Ask, nay demand, they let you use any DNS server you want. You are paying them to give you access to the Internet, not to restrict your use thereof.

    If they do not collaborate, switch to a different ISP and let your old ISP know why they lost you as a customer.
  5.  permalink
    @rotblitz
    I'm using LinkDSL, one of the two biggest ISPs in Egypt. It's quite strange that they started doing this a month back, as I have had OpenDNS for over two years now. If I contact them, I would probably get through to someone who doesn't know they are actually doing this. How do I explain to them that this is in fact what is happening? For example, should I tell them that an "nslookup" shows that?

    Thanks again for your help.

    @Red Prince

    Do all ISPs mention this in their terms of agreement, or is this something that is generally left to their judgment? Also, do ISPs do this so they can track website requests? What is their primary purpose in doing so? They don't redirect me to a search page with ads, so I don't think they're doing it for profits.

    Thanks.
    • CommentAuthor: rotblitz
    • CommentTime: May 20th 2012 (edited)
    "If I contact them, I would probably get through to someone who doesn't know they are actually doing this."

    This might be. So insist on getting referred to a more technical person.

    "How do I explain to them that this is in fact what is happening?"

    In simple layman terms: You want to be able to use 3rd party DNS services, but they prevent you from doing so while redirecting your DNS lookups to their DNS service.

    "Do all ISPs mention this in their terms of agreement, or is this something that is generally left to their judgment?"

    It may be worth looking into your particular service agreement to find anything related. These terms of service may vary massively from country to country due to different consumer regulations, and from ISP to ISP. I do not know anything about the situation in Egypt.

    "Also, do ISPs do this so they can track website requests? What is their primary purpose in doing so?"

    Good question! They may do this to reduce support efforts, because people being able to change settings like the DNS service may do it wrong, and this causes more support efforts for them. It is probably not for tracking website requests, because this information is not available from DNS traffic. It could be to prepare for blocking requested by the government or so, technically similar to filtering/blocking by OpenDNS.
  6.  permalink
    I just got off the phone with them. They denied that any redirection occurs on their end. They asked me to change the DNS addresses from my router and to try them from my computer instead. This changed nothing and I still got the "oops" message from http://welcome.opendns.com/. Should I try inputting another DNS like Google and seeing if that works?
  7.  permalink
    All you need to do to test is nslookup a domain name and define the resolver address like you had in the tests above.

    As you already see, it doesn't matter where you specify your DNS addresses, even directly in the command, your requests go elsewhere.
    • CommentAuthor: rotblitz
    • CommentTime: May 20th 2012
    "They denied that any redirection occurs on their end."

    But this is not true. Your DNS lookups *are* redirected. This is not related to OpenDNS alone, but to any 3rd party DNS service, incl. Google DNS.
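
The check used throughout this thread (a TXT lookup of which.opendns.com sent straight to 208.67.222.222) can be scripted at the DNS wire level, so the result does not depend on nslookup options such as -vc. This is an added example, not part of the original thread: the function names and result labels are hypothetical, and treating any TXT answer other than the marker string as genuine is an assumption, since the thread never shows an answer from a real OpenDNS resolver.

```python
import secrets, socket, struct

PROBE_NAME = "which.opendns.com."              # test name used in the thread
NOT_OPENDNS = "I am not an OpenDNS resolver."  # answer the poster kept receiving

def build_txt_query(name, txid):
    """Encode a one-question DNS query for a TXT record (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 16, 1)  # QTYPE=TXT, IN

def _skip_name(msg, off):  # offset just past an encoded (possibly compressed) name
    while True:
        n = msg[off]
        if n == 0 or (n & 0xC0) == 0xC0:       # root label, or 2-byte pointer
            return off + (1 if n == 0 else 2)
        off += 1 + n

def parse_txt_answers(msg, txid):
    """Return the TXT strings of a response; reject a mismatched transaction ID."""
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4         # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:
            i = 0
            while i < len(rdata):              # length-prefixed character strings
                texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
    return texts

def classify(texts):
    if not texts:
        return "no-txt-answer"
    return "intercepted" if NOT_OPENDNS in texts else "marker-absent"  # assumed genuine

def probe(server="208.67.222.222", port=53, timeout=2.0):
    """Send the probe over UDP; needs live network access."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(PROBE_NAME, txid), (server, port))
        return classify(parse_txt_answers(s.recv(4096), txid))
```

Calling `probe(port=53)`, `probe(port=443)` and `probe(port=5353)` repeats the three UDP tests from the thread; "intercepted" on every port matches the poster's situation.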
