OpenDNS CGNAT Issues

Hello,

I have a ticket open with OpenDNS about filtering happening on some of our CGNAT IP space where a customer has “claimed” the IP as theirs so other customers using that same IP and OpenDNS are being filtered and not able to access sites that fall under their chosen filter.

I have a ticket open from 6 days ago but it’s not going anywhere fast.

Can someone from OpenDNS contact me or point me to a contact there to help get this resolved? I believe we need to claim our CGNAT IP space so residential users can’t claim IP’s of their own.

Thank you!

You should provide your users IPv6; OpenDNS supports IPv6 and you likely will not have the issue you see.

https://www.opendns.com/about/innovations/ipv6/

I am sure it may cost you time / money / effort. But this old thing we call ipv4 is in a death spiral, and it will just get worse and worse for you without ipv6.

That isn’t a solution. He will still need to dual stack and CGNAT that.

OpenDNS does not support IPv6 for their customisable services “Home” etc. which I believe is the service the OP is using as he refers to the end-user wanting to register their IP address.

Incidentally, I hope OpenDNS considers 100.64.0.0/10 as space that can’t be registered to any end-user.

Aled
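The concern above about 100.64.0.0/10 is the failure mode the original poster describes: one subscriber "claims" an egress address that many subscribers share, and everyone behind it inherits that subscriber's filter. As an added example (not OpenDNS code; the block list is a subset of the RFC 6890 special-purpose registry, and the operator pool, subscriber names and policies are constructed), here is a claim-time check and a toy registry showing the collision with and without the operator's pools registered:

```python
"""Why a filter policy keyed on source IP breaks behind CGNAT, and the
claim-time check that prevents it. Added example, not OpenDNS code; the
block list is a subset of RFC 6890 special-purpose space, and the operator
pool, subscriber names and policies are constructed."""
import ipaddress

# Blocks that never identify one subscriber on the public Internet.
NEVER_CLAIMABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared address space (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def claimable(addr_str, nat_pools=()):
    """Return (ok, reason) for a subscriber trying to bind policy to addr_str.
    nat_pools: public prefixes an operator has registered as shared CGNAT egress."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return False, "not an IP address"
    for net in NEVER_CLAIMABLE:
        if addr in net:  # membership is False across address families
            return False, f"{addr} is in {net}, which never identifies one user"
    for net in map(ipaddress.ip_network, nat_pools):
        if addr in net:
            return False, f"{addr} is in operator NAT pool {net}, shared by many users"
    return True, "ok"


class FilterRegistry:
    """Maps a claimed source address to (owner, policy), the way an
    IP-keyed filtering service does."""

    def __init__(self, nat_pools=()):
        self.nat_pools = tuple(nat_pools)  # constructed: what the operator told us
        self.claims = {}

    def claim(self, owner, addr_str, policy):
        """Record owner's policy for addr_str if the address may be claimed."""
        ok, reason = claimable(addr_str, self.nat_pools)
        if ok:
            self.claims[ipaddress.ip_address(addr_str)] = (owner, policy)
        return ok, reason

    def policy_for(self, source_addr):
        """Policy applied to a query arriving from source_addr ('default' if unclaimed)."""
        return self.claims.get(ipaddress.ip_address(source_addr), (None, "default"))
```

With no pool registered, the first subscriber's claim on a shared egress address silently becomes the policy for every other subscriber behind it; once the operator's pools are known, the claim is refused and the address keeps the default policy. A production check would also reject the remaining RFC 6890 ranges and would need the operator to keep the registered pools current.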

That isn’t a solution. He will still need to dual stack and CGNAT that.

But the flows that can support ipv6, will go ipv6 and not be subject to these abuse triggers.

Look, this list has monthly reports from some small network operator hurting their customers with CGN NAT. Meanwhile, the big guys like Comcast / Charter / ATT / Cox have moved onto ipv6.

Where does that leave the little guy with CGN?

Right here. Screaming into the void, begging for help. Some special exception.

And, me, saying you had 10+ years of not deploying IPv6. Here’s to the next 10 years of you emailing this list about your own failure to keep up with the times.

We will have this discussion again and again. Not sure your customers will stick around; all they know is your CGN space got blacklisted by yet another service.

#realtalk

So don't CGNat? Buy IPv4 addresses at auction?

So don’t CGNat? Buy IPv4 addresses at auction?

As long as you don’t deploy ipv6, you should be good.

Seriously. Not sure why this is so hard. IPv4 does not scale. Your customers, like my customers, probably mostly go to YouTube, Google, FB, Netflix, … all of which have IPv6. Giving your existing customers IPv6 moves this traffic off your CGN. And gives them a path to DNS services.

But you do you. If you ask NANOG how to solve this problem, and missed the 3 NANOG meeting presos at every meeting about how IPv6 is good … not sure what you expect here. Definitely not a shoulder to cry on, but I am sure some v4 brokers and CGN box pushers see your customers’ blood in the water.

CB

Guys, I’m not asking about IPv6. I’m simply asking for a contact at OpenDNS.

And we are purchasing enough IPv4 space to provide an IP to every customer but it’s not ready yet.

Thank you

"Where does that leave the little guy with CGN?
Right here. Screaming into the void, begging for help. Some special exception."
As a group that you’d consider a “little” guy, we’ve always run full dual stack IPv4/IPv6. The issue is that being dual stack literally takes twice as long to configure everything, it causes twice as many potential routing problems, and you must now monitor twice as many routes, etc. As a little guy who has to fight tooth and nail for every customer, we hardly have time in the day to run it this way, but we do, and guess what, every single day we get IPv4 issues. Not CGNAT IPv4 issues; we actually have not seen a single issue with CGNAT for our customer base. Our techs ask a simple question at install: “What do you use the internet for?” “Gaming.” “Okay, dedicated public it is.”

And yet, with all those publics out there, we still get calls every day about some site not letting them in. It’s all IPv4 issues. So not only do we have to expend the energy to implement dual stack in our network, it doesn’t save us any headaches. Until web hosting companies and cloud services offer IPv6 only as the de facto instead of the premium service, only then will you see IPv4 not be an issue on the web.

The reason you only see the little guys screaming into the void is because the big guys already have the contacts and already have the pull to get it resolved in hours. I’ve posted in another forum about the need for us as an industry to have an association directly in charge of maintaining contacts at all associations that have a history of aggressive filtering, so issues like these don’t take a little guy like us 2-4 weeks to resolve. If the little guys were all a part of this association, they would contact their membership rep for the contact, and the membership rep would reach out as a representative of the group as a whole to resolve any IP filtering issue that occurs. Anything less than that will continue to have this forum clogged with requests like these.

Michael

The reason you are asking is because of a technical decision you have made that would be mitigated partially by deploying V6.

I get you may not care, and may not like the message, but all the people who are having more problems because of this and other decisions you make in this area are driving up the price of v4 and also making more work for yourselves in the long term.

Jared Mauch

You should provide your users IPv6; OpenDNS supports IPv6 and you likely will not have the issue you see.

OpenDNS does not support IPv6 for their customisable services "Home" etc. which I believe is the service the OP is using as he refers to the end-user wanting to register their IP address.

We really should get away from using IP addresses for identifying anything. At the DNS level you can use an EDNS option to identify the client rather than the IP address. I believe their Umbrella product does this.

You can also use TSIG to identify clients independent of IP address.

We added TSIG support to libresolv right at the beginning of the century.

Mark
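Mark’s post mentions TSIG as a way to identify a client independently of its source address. As an added example that is not part of the thread and not code from OpenDNS or libresolv, here is a standard-library-only Python implementation of TSIG (RFC 8945) request signing with HMAC-SHA256 and the server-side verification that maps a message to a key name rather than to an IP; the key name, key bytes, fudge and query are constructed for illustration:

```python
"""Minimal TSIG (RFC 8945) signing and verification of DNS requests, stdlib
only. Added example, not code from this thread, OpenDNS or libresolv; the
key name, key bytes and query used with it are constructed for illustration."""
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250
CLASS_ANY = 255
ALGORITHM = "hmac-sha256."


def encode_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(buf, off):
    """Wire name -> (dotted name, next offset); a compression pointer ends it."""
    labels = []
    while buf[off] and not buf[off] & 0xC0:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + (2 if buf[off] & 0xC0 else 1)


def build_query(qname, qtype=1, msg_id=0x1234):
    """Header with RD set and one question; no other sections."""
    return (struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG variables covered by the MAC (RFC 8945, section 4.3.3)."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, key, time_signed=None, fudge=300):
    """Return msg with a TSIG RR appended as the last additional record."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(key, msg + _tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))  # original ID, error, other len
    rr = (encode_name(key_name)
          + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata)
    hdr = list(struct.unpack("!6H", msg[:12]))
    hdr[5] += 1  # ARCOUNT now includes the TSIG RR
    return struct.pack("!6H", *hdr) + msg[12:] + rr


def tsig_verify(signed, keys, now=None):
    """Return the key name that authenticated a request, or raise ValueError
    whose message is the TSIG error name (BADKEY, BADSIG, BADTIME)."""
    hdr = list(struct.unpack("!6H", signed[:12]))
    qd, an, ns, ar = hdr[2:]
    if ar == 0:
        raise ValueError("FORMERR")
    off = 12
    for _ in range(qd):
        off = _read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):  # TSIG must be the final RR
        off = _read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    key_name, off = _read_name(signed, off)
    rtype, rclass = struct.unpack("!HH", signed[off:off + 4])
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        raise ValueError("FORMERR")
    alg, off = _read_name(signed, off + 10)  # skip type, class, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    off += 10 + mac_len
    _orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    key = keys.get(key_name.lower())  # identity comes from the key, not the source IP
    if key is None or alg.lower() != ALGORITHM:
        raise ValueError("BADKEY")
    hdr[5] -= 1  # the MAC covers the message as it was before signing
    unsigned = struct.pack("!6H", *hdr) + signed[12:tsig_off]
    expected = hmac.new(key, unsigned + _tsig_variables(
        key_name, time_signed, fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("BADSIG")
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        raise ValueError("BADTIME")
    return key_name.lower()


def tsig_status(signed, keys, now=None):
    """'NOERROR:<key name>' on success, otherwise the TSIG error name."""
    try:
        return "NOERROR:" + tsig_verify(signed, keys, now)
    except ValueError as e:
        return str(e)
```

The server’s policy decision keys on the returned key name, so two subscribers behind the same CGNAT egress address are told apart by which shared secret signed their query, and a query whose body was altered in transit fails with BADSIG. Responses are signed the same way except that the request MAC is prepended to the signed data (RFC 8945, section 5.3), which this example leaves out; the deployment cost is that every subscriber’s stub resolver has to hold a secret and sign.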

OpenDNS, or anyone for that matter, should never see 100.64/10 IPs. If they do, something is wrong at the source, and OpenDNS wouldn’t be able to reply anyway (or at least have the reply route back to the user).

OpenDNS, or anyone for that matter, should never see 100.64/10 IPs. If they do, something is wrong at the source, and OpenDNS wouldn’t be able to reply anyway (or at least have the reply route back to the user).

Maybe OpenDNS peers directly with such an eyeball network? And in that case maybe they have an agreement to accept traffic from the 100.64 space?

They’d only be able to do one such agreement per routing environment.

Managing that would be UGLY for the first one and UGLY at scale for anything more than one.

It also pretty much eliminates potential for geographic diversity and anycast for a provider in a local geography.

Certainly not something I’d choose to do if I were OpenDNS unless someone arrived with a very large truck full of gold, diamonds, or other valuable hard assets.

Owen

OpenDNS, or anyone for that matter, should never see 100.64/10 IPs. If they do, something is wrong at the source, and OpenDNS wouldn’t be able to reply anyway (or at least have the reply route back to the user).

Maybe OpenDNS peers directly with such an eyeball network? And in that case maybe they have an agreement to accept traffic from the 100.64 space?

They’d only be able to do one such agreement per routing environment.

sure, I hear DNS servers are cheap and small, and easy to manage…

Managing that would be UGLY for the first one and UGLY at scale for anything more than one.

meh? it’s a dns server stack and router(s) for peering to the customer + world… it’s really not THAT hard to automate and deploy…
and really for ‘single customer’ or ‘non overlapping sets of customers’ it’s not like they need lots of horsepower here, right? this is … simple to do, simple to manage and simple to maintain.

It also pretty much eliminates potential for geographic diversity and anycast for a provider in a local geography.

There is more than one building in the geography, and probably/maybe these providers appear in more than one locale, right? So… a DNS provider can arrive in the right matrix of locations and connect + provide routing data … done.

Certainly not something I’d choose to do if I were OpenDNS unless someone arrived with a very large truck full of gold, diamonds, or other valuable hard assets.

Meh… again, say the customer covers the cost of gear + network + maintenance for the previous parts, then it’s just managing ‘another’ remote DNS server, something I understand they do fairly well even? Once you have a hundred of something deployed you are automated or … you are doing it wrong.

For a truckload of gold, I’m pretty sure most of us would make that work :)

Kenny

Sure… The point was that short of that, anyone in their right mind wouldn’t bother.

Owen

Unless they get underbid by one of us willing to settle for a foot locker full of gold.

So don't CGNat? Buy IPv4 addresses at auction?

Buy IPv4 addresses until CGN is cheaper. If a customer has to call, and you have to assign an IPv4 address, you have to recover the cost of that call and address.
While ((CostOfCall + CostOfAddress)*NumberOfCalls) > (CostOfAddress*NumberOfNewCustomers):
    BuyAddresses(NumberOfNewCustomers)

Meanwhile, deploy IPv6, and move toward IPv4aaS, probably 464XLAT or MAP, but your religion may vary. That way your "CGN" is an IPv6-IPv4 translator, and that's easier than managing dual-stack.

At the very least, dual-stack your web sites now, so the rest of us can get to it without translation.

Lee

If you do it for a mere foot locker, I will be happy to watch and laugh.

Owen