Ronny Lam

about://tech

OpenDNS and IPv6

I love OpenDNS and have been using it for quite some time now. I started using it, not for myself, but for my children. The internet can be a weird place with a lot of stuff that you don’t want to expose to small children. OpenDNS is helping me with that. I can filter the web on specific categories like porn, drugs, alcohol, etc. As an added bonus it makes my own internet a little safer, because OpenDNS also filters on malware and phishing. Which it does really well in my opinion, because there is a very active community behind. But today I felt a small bummer…

I came across a website that was using the above button. When you see it using OpenDNS you see “You’re using OpenDNS, Sweet!” and when you are not using OpenDNS you see “Use OpenDNS -> get started”. And I was seeing the wrong button, as if I was not using OpenDNS. So my first test was to go to a blocked website, bam! I get the blocked notification. The strange thing was that on the website with all the buttons there was only one which was incorrect, so I reported that through support mail.

But investigating it further I found the real problem. Some buttons were resolved through IPv4 and some were resolved through IPv6. And the ones through IPv6 went wrong. It sounded logical to me because I didn’t register my IPv6 address with them so when I query their DNS they do not know it is me so they can’t filter me. But it turned out to be more basic. On their IPv6 page they say:

> “Note: IPv6 support in the OpenDNS Sandbox is limited to standard recursive DNS initially. Additional functionality, like Web content filtering, malware and botnet protection, phishing protection, and more will be available on different IPs when IPv6 support is added to the OpenDNS Dashboard in the coming months. We have no plan to ever shut down or change the default features for the sandbox IPs.”

Queries to the IPv6 servers is not being filtered at all, at the moment. OpenDNS is very clear on this, but you just have to know. The solution for now is to not announce the IPv6 DNS servers to my LAN and only allow queries to the OpenDNS IPv4 servers. Thank God the IPv4 servers are resolving AAAA records, so my IPv6 connectivity is not in danger. But it is a bit strange to query IPv4 DNS servers to make an IPv6 connection. I hope IPv6 will be available soon, because last WorldIPv6Launch we turned IPv6 on to never turn it off again. IPv6-only is still years away.