This discussion has been inactive for longer than 30 days, and is thus closed.
    • CommentAuthorstahl
    • CommentTimeMay 6th 2011
     permalink
    Recently we have been getting a security warning when we are rerouted to the OpenDNS warning page. The message says:

    The current webpage is trying to open a site on your intranet. Do you want to allow this?

    Current Site: xxxx
    Intranet Site: http://10.120.56.50.blocked.e.id.opendns.com

    Can we do something about this or is this a problem with OpenDNS?
  1.  permalink
    A security warning from where? Also, do you expect Current Site XXX to "open a site on your intranet"?

    Oh, I see that this is a standard Windows/IE warning message. I'm not sure what this would mean in your case, or why you would have a site in your network named 10.120.56.50.blocked.e.id.opendns.com

    You may want to open a support ticket.
    • CommentAuthorrotblitz
    • CommentTimeMay 6th 2011 edited
     permalink
    Hmm, I've recently seen that I also have a lot of such *.blocked.x.id.opendns.com entries in my Top Domains stats, but could not really find out yet what's behind them.

    I may research this phenomenon further. My hypothesis is that OpenDNS changed the way of blocking or block page redirection to be more sophisticated. Or it is related to rebind attack prevention.
    Thankful People: maintenance
    • CommentAuthorrotblitz
    • CommentTimeMay 7th 2011 edited
     permalink
    Well, here are some research results. OpenDNS apparently has changed the blocking mechanism dramatically.

    Here is an example of the lookup sequence for a p0rn site when the category is selected:

    www.redtube.com,67.215.65.130 - rDNS = hit-adult.opendns.com
    block.a.id.opendns.com,67.215.67.14
    14.block.b.id.opendns.com,67.215.67.112
    112.14.block.c.id.opendns.com,67.215.67.24
    24.112.14.block.d.id.opendns.com,67.215.67.10
    10.24.112.14.block.e.id.opendns.com,67.215.67.10
    block.opendns.com,208.69.33.135

    See the "rule"? The last octet of the IP address becomes the first part of the next domain name. So the resulting 10.24.112.14 is not an IP address, but reflects the reverse sequence of last octets of IP addresses having walked through...
    Also, note the block.a, block.b, block.c, block.d and block.e sequence as part of these domain names...

    Interesting is this 302 redirection sequence, from an HTTP perspective, before the final block page is reached:

    wget -O - http://www.redtube.com/
    --18:24:05-- http://www.redtube.com/
    => `-'
    Resolving www.redtube.com... done.
    Connecting to www.redtube.com[67.215.65.130]:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://block.a.id.opendns.com/?url=888888158370698586677015688078&ablock [following]
    --18:24:06-- http://block.a.id.opendns.com/?url=888888158370698586677015688078&ablock
    => `-'
    Resolving block.a.id.opendns.com... done.
    Connecting to block.a.id.opendns.com[67.215.67.14]:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://14.block.b.id.opendns.com/?url=888888158370698586677015688078&ablock [following]
    --18:24:06-- http://14.block.b.id.opendns.com/?url=888888158370698586677015688078&ablock
    => `-'
    Resolving 14.block.b.id.opendns.com... done.
    Connecting to 14.block.b.id.opendns.com[67.215.67.112]:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://112.14.block.c.id.opendns.com/?url=888888158370698586677015688078&ablock [following]
    --18:24:06-- http://112.14.block.c.id.opendns.com/?url=888888158370698586677015688078&ablock
    => `-'
    Resolving 112.14.block.c.id.opendns.com... done.
    Connecting to 112.14.block.c.id.opendns.com[67.215.67.24]:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://24.112.14.block.d.id.opendns.com/?url=888888158370698586677015688078&ablock [following]
    --18:24:06-- http://24.112.14.block.d.id.opendns.com/?url=888888158370698586677015688078&ablock
    => `-'
    Resolving 24.112.14.block.d.id.opendns.com... done.
    Connecting to 24.112.14.block.d.id.opendns.com[67.215.67.10]:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://10.24.112.14.block.e.id.opendns.com/?url=888888158370698586677015688078&ablock [following]
    --18:24:06-- http://10.24.112.14.block.e.id.opendns.com/?url=888888158370698586677015688078&ablock
    => `-'
    Resolving 10.24.112.14.block.e.id.opendns.com... done.
    Connecting to 10.24.112.14.block.e.id.opendns.com[67.215.67.10]:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://block.opendns.com/?url=888888158370698586677015688078&ablock [following]
    --18:24:06-- http://block.opendns.com/?url=888888158370698586677015688078&ablock
    => `-'
    Resolving block.opendns.com... done.
    Connecting to block.opendns.com[208.69.33.135]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]

    Hmm, I still have no clue what the intention or purpose is, except that it (unnecessarily?) increases the number of DNS lookups and HTTP connects significantly. Also, depending on browser security settings (especially FF4 and Iron/Chromium so far), these redirections will cause many warning messages, the ones @stahl has reported.

    Anyone else?

    ---

    And back to the original message:
    @stahl
    "Can we do something about this or is this a problem with Opendns?"

    Your browser contains a security setting like "Warn me if a site tries to redirect me to a different page". If you think it is safe to do so, you may disable this option. This is the only thing you can do so far for the time being.
    Thankful People: maintenance
    • CommentAuthorrotblitz
    • CommentTimeMay 7th 2011 edited
     permalink
    Ah yeah, I begin to understand! This is more sophisticated.
    For example, a blocked image within a non-blocked web page (URL changed):

    wget -O - http://www.example.org/lena/nude-on-the-beach.jpg
    --01:31:43-- http://www.example.org/lena/nude-on-the-beach.jpg
    => `-'
    Resolving www.example.org... done.
    Connecting to www.example.org[67.215.65.130]:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    01:31:43 ERROR 404: Not Found.

    They apparently differentiate by object type now. No redirection for images, but an immediate HTTP 404 response.
    Thankful People: maintenance
    • CommentAuthorrotblitz
    • CommentTimeMay 8th 2011 edited
     permalink
    It is not even evident that this is related to OpenDNS filtering, because the original URL remains intact. It really looks as if the object is no longer there.

    Btw, we have the same behaviour with the Guide for non-existing domains:

    www.trulalala.net,67.215.65.132 - rDNS = hit-nxdomain.opendns.com
    guide.a.id.opendns.com,67.215.67.14
    14.guide.b.id.opendns.com,67.215.67.112
    112.14.guide.c.id.opendns.com,67.215.67.24
    24.112.14.guide.d.id.opendns.com,67.215.67.10
    10.24.112.14.guide.e.id.opendns.com,67.215.67.10
    guide.opendns.com,208.69.33.136

    This may help to implement the free custom redirection with Enterprise, with a user exit at a certain stage.
    Thankful People: maintenance
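
The hostname rule observed in the two lookup sequences above (block and guide), written out as an added example that is not part of the original posts and is not OpenDNS code. The regular expression and function names are assumptions; the sample data is copied from the lookups posted in the thread.

```python
import re

# (hostname, resolved IP) pairs as posted in the thread.
BLOCK_CHAIN = [
    ("block.a.id.opendns.com", "67.215.67.14"),
    ("14.block.b.id.opendns.com", "67.215.67.112"),
    ("112.14.block.c.id.opendns.com", "67.215.67.24"),
    ("24.112.14.block.d.id.opendns.com", "67.215.67.10"),
    ("10.24.112.14.block.e.id.opendns.com", "67.215.67.10"),
]

# Assumed pattern: optional dotted trail of numbers, a kind label,
# a one-letter stage, then id.opendns.com.
HOP_RE = re.compile(
    r"^(?:(?P<trail>\d{1,3}(?:\.\d{1,3})*)\.)?"
    r"(?P<kind>blocked|block|guide)\.(?P<stage>[a-z])\.id\.opendns\.com$"
)

def parse_hop(hostname):
    """Split a hop hostname into (kind, stage, trail); None if it does not match."""
    m = HOP_RE.match(hostname.lower().rstrip("."))
    if not m:
        return None
    trail = m.group("trail")
    octets = [int(x) for x in trail.split(".")] if trail else []
    return m.group("kind"), m.group("stage"), octets

def next_hop(hostname, resolved_ip):
    """Predict the next hostname: the last octet of the resolved IP is
    prepended to the trail and the stage letter advances by one."""
    kind, stage, trail = parse_hop(hostname)
    last_octet = int(resolved_ip.split(".")[-1])
    labels = ".".join(str(o) for o in [last_octet] + trail)
    return f"{labels}.{kind}.{chr(ord(stage) + 1)}.id.opendns.com"

def chain_follows_rule(chain):
    """True if every hop in the chain is predicted by the previous one."""
    return all(next_hop(host, ip) == chain[i + 1][0]
               for i, (host, ip) in enumerate(chain[:-1]))

if __name__ == "__main__":
    print(chain_follows_rule(BLOCK_CHAIN))
    print(parse_hop("10.120.56.50.blocked.e.id.opendns.com"))
```

The same parser can be run over DNS query logs to separate these redirect-hop names, whose leading labels only look like an IP address, from genuine lookups.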
  2.  permalink
    Yes, I do see the same behavior if I wget -O - www.trulalala.net. But I haven't seen any warnings when I have caused the Guide to appear in a browser.
    • CommentAuthorrotblitz
    • CommentTimeMay 8th 2011
     permalink
    Your browser may not have this security option enabled.
    For example FF4: Tools > Settings > Advanced > Warn me, if...
    (I have disabled this as well. The warning came up far too often - on other occasions.)
  3.  permalink
    "Warn me, if websites try to redirect or reload the page." - checked

    Hrmmmm.
    • CommentAuthorrotblitz
    • CommentTimeMay 8th 2011
     permalink
    Only the inconsistency is consistent... :confused:

    @stahl
    What exact web browser(s) do you use?
    • CommentAuthormiked
    • CommentTimeMay 9th 2011
     permalink
    I don't work at OpenDNS anymore, so I don't want to discuss this too much. Hopefully someone from support will check the forums soon.

    Two helpful points I can make are:
    1. It's not doing anything bad (obviously, it's OpenDNS :))
    2. There should be a cookie getting set that caches the results. If your browser provides the cookie, you won't have to go through the extra redirects next time.
    Thankful People: rotblitz, maintenance
    •  
      CommentAuthordavidu
    • CommentTimeMay 9th 2011
     permalink
    Administrator
    I wonder if the FF intranet warning is because they see the URL start with http://10.

    We can resolve this quickly I think.

    -David
  4.  permalink
    @ davidu

    Yes, I think that is what is setting off the alarm. It looks like an RFC 1918 IP. Although I'd hope browsers would be well-designed enough to tell the difference.

    @miked
    If the cookie hypothesis is correct, it would explain why I never see a warning. I don't delete cookies from some sites, OpenDNS included.
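
The difference between a hostname that merely starts with `10.` and a real RFC 1918 address, as an added example that is not part of the original posts. The prefix test models the hypothesis raised in the thread and is an assumption, not actual browser code; the URLs and the resolved IP are taken from the posts above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Text-prefix heuristic of the kind hypothesised in the thread (assumed).
_RFC1918_PREFIX = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

def naive_is_private(url):
    """Flawed check: looks only at how the host string begins."""
    host = urlsplit(url).hostname or ""
    return bool(_RFC1918_PREFIX.match(host))

def classify(url, resolved_ip=None):
    """Return (host_kind, is_private).

    An IP literal is judged by its parsed address. A DNS name is judged
    only by the address it resolved to; with no resolution supplied the
    answer is None, because the name's text says nothing about locality.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return "ip-literal", ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an address literal, so treat it as a DNS name
    if resolved_ip is None:
        return "dns-name", None
    return "dns-name", ipaddress.ip_address(resolved_ip).is_private

if __name__ == "__main__":
    hop = "http://10.24.112.14.block.e.id.opendns.com/?url=x&ablock"
    print(naive_is_private(hop))            # flagged by the prefix test
    print(classify(hop, "67.215.67.10"))    # name resolving to a public IP
    print(classify("http://10.120.56.50/")) # genuine private literal
```

Judging a name by the address in the DNS answer rather than by its text is also what matters for the rebinding case mentioned earlier in the thread: a harmless-looking name that resolves to a private address is reported as private here.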
    •  
      CommentAuthortabacco
    • CommentTimeMay 10th 2011
     permalink
    Administrator
    Please let me know if you're still seeing warnings as of a few minutes ago.
    • CommentAuthorrotblitz
    • CommentTimeMay 10th 2011
     permalink
    @maintenance
    ""Warn me, if websites try to redirect or reload the page." - checked"

    I checked it too for testing purposes - and no warning messages in case of OpenDNS redirection. So OP @stahl must have used another browser than FF4.

    @miked
    "There should be a cookie getting set that caches the results. If your browser provides the cookie, you won't have to go through the extra redirects next time."

    I do not block cookies (besides 3rd party cookies) and rarely delete cookies and have the OpenDNS cookies set as not to be deleted, but I always run through this sequence of redirects (guide & block) with text/html, not so for images and other objects.
    So I do not believe this hypothesis to be correct.

    @tabacco
    Hmm, only the original poster @stahl has reported the warning messages, and he hasn't seemed to come back for four days...
    So you may be out of luck regarding a response, unless you can send him a mail.
    Thankful People: maintenance
