zaterdag 14 mei 2016

Another illustration why mandatory IP changes for DSL subscribers are a royal PITA

Originally this was a different article where I wrongly accused OpenDNS of blocking perfectly harmless websites, more specifically my favourite internet radio station, Radio Paradise. Eventually it proved to be a case of utter confusion caused by factors that only became apparent after some sleuthing.

Long story short, I was suddenly locked out from certain websites due to OpenDNS filters that some other customer of the same DSL service had previously set up. This customer may have been unaware that IP addresses on this service are forcibly changed every 36 hours, and did not take the necessary steps to keep their OpenDNS account up-to-date. When I received the same IP from the dynamic address pool, I also inherited the blocks. Eventually my only way out was either removing the OpenDNS servers from my config, or waiting 36 hours, or resetting the modem to get a new IP. This again makes me wonder why ISPs still enforce this idiotic IP change on customers. It is ineffective in preventing people from running servers because that can be mitigated mostly through a dynamic DNS. I guess this is simply another case of artificially degrading a product in order to be able to sell a ‘premium’ product with a static IP, at a higher price.

Here's the entire detective story for the interested.
On a certain day, I suddenly saw the following when I tried to visit the Radio Paradise site:

OpenDNS: This domain is blocked due to content filtering.

The OpenDNS servers and have been in my system settings for many years, and never had I seen this kind of block. Actually I had specifically switched to those servers to circumvent some idiotic blocks that were implemented in my ISP's DNS servers.

Radio Paradise being blocked made no sense at all. At first sight, there were only two plausible explanations:

  1. Somehow I was now being defaulted to one of the OpenDNS flavours that filter potentially offensive content.
  2. Some law prohibits listening to USA radio streams from within Belgium, and OpenDNS enforced this.
The second explanation was very implausible because I have never heard of any law like that, it certainly would have caused a ruckus on the Web. The first explanation seemed plausible because from a quick glance at the OpenDNS home security plans, it appeared that ‘Family Shield’ is the default when merely using the OpenDNS servers without configuring anything. Then I noticed this actually required configuring different servers, but nothing changed when I did: RP was still blocked. Hence I assumed that using OpenDNS without creating an account, had become equivalent to Family Shield.

This (incorrect) assumption implied two things: first, RP would somehow have been considered ‘adult’ content and second, many visitors would suddenly be locked out. They would need to go through the effort of creating an OpenDNS account to choose what is being blocked. For DSL subscribers whose IP is forcibly changed at regular intervals, this would be particularly annoying because they also need to install a daemon that keeps their IP address up-to-date with their OpenDNS account.

Even though the apparent ‘adult’ categorisation of RP still made no sense, this angered me enough to write an article where I accused OpenDNS of behaving like the great firewall of China. I also posted this on the Radio Paradise forum. No other OpenDNS users could reproduce this problem however, they did not see certain websites suddenly being blocked. In the meantime I also had created an OpenDNS account, which requires registering the network you're currently on. This proved impossible: the IP address was already registered! These two facts lead to the ‘eureka’ moment and the conclusion I started this article with. I immediately reset the modem to force it to obtain a new IP and indeed: everything worked as before.

This does illustrate that maybe OpenDNS could have done a better job at detecting that someone tried to register a static network with an address that belongs to a dynamic address pool, although I do realise this is not a trivial task. I now have added my home network to the OpenDNS account and installed an update client to keep the dynamic IP in sync, but I'm not sure if this will prevent this same scenario in the future. Well at least now I know how to fix it and how I can use OpenDNS to block the things I want, like spam domains or annoying ads that slip through Adblock, so this whole story does have a happy ending.