Unexpected routing to OpenDNS?

SOLVED
LegoGeek
Getting noticed

Our organization uses the Meraki Category Filtering (via BrightCloud).  This past week or so there is traffic being routed to OpenDNS and their categories are blocking sites that we have not categorized as needing to be blocked.

 

Example: sportsmansguide.com

 

Category

Meraki (Bright Cloud) = "Hunting and Fishing"

OpenDNS = "Weapons"

 

Neither of these categories is blocked in our Org.  I can't seem to find where it is getting routed to OpenDNS.  I have a Syslog server running too and can't pinpoint a reason there either.  I might not know exactly what I'm looking at in order to interpret the traffic correctly.

 

Where might the problem be?  We have two networks (the MX in one; switches and APs in the other) because of the Layer 3 tracking-by-IP issue.

1 ACCEPTED SOLUTION
LegoGeek
Getting noticed

Sorry for the delay in response - week of vacation.

 

So we traced it down to our internal domain controller, which has two forwarding rules set to OpenDNS's sites.  No one knows who put them there nor how they got there.  Technically I am the only one who would even be in those areas and I don't recall ever setting such things...

 

So, problem solved, except that we don't know how it got set that way.
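The check that would have found this directly, as an added example that is not part of the thread: audit a Windows DNS server (the domain controller in the accepted solution) for global forwarders and conditional forwarder zones pointing at OpenDNS. It uses the DnsServer and ActiveDirectory RSAT cmdlets; the resolver list holds the public OpenDNS addresses, and the server names in the commented remediation lines are placeholders.

```powershell
# Added example, not from the thread. Audits DNS forwarders on domain controllers for
# OpenDNS targets. Requires the DnsServer and ActiveDirectory RSAT modules and DNS admin rights.
# Public OpenDNS resolver addresses (extend with any Umbrella addresses your org actually uses).
$OpenDnsResolvers = @('208.67.222.222', '208.67.220.220', '208.67.222.123', '208.67.220.123')

function Get-SuspectForwarders {
    param([string] $ComputerName = $env:COMPUTERNAME)

    # Global forwarders: what the thread's DC had set. Every query the DC cannot answer
    # from its own zones or cache goes here, so the whole org resolves through them.
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    foreach ($ip in $fwd.IPAddress) {
        $addr = [string]$ip
        [pscustomobject]@{
            Server  = $ComputerName
            Kind    = 'GlobalForwarder'
            Zone    = '(all)'
            Target  = $addr
            OpenDNS = ($OpenDnsResolvers -contains $addr)
        }
    }

    # Conditional forwarder zones: per-domain overrides that are easy to overlook in the GUI.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Forwarder' } |
        ForEach-Object {
            $zone = $_
            foreach ($ip in $zone.MasterServers) {
                $addr = [string]$ip
                [pscustomobject]@{
                    Server  = $ComputerName
                    Kind    = 'ConditionalForwarder'
                    Zone    = $zone.ZoneName
                    Target  = $addr
                    OpenDNS = ($OpenDnsResolvers -contains $addr)
                }
            }
        }
}

# Audit every DC in the domain, then show only the entries that point at OpenDNS.
$report = Get-ADDomainController -Filter * |
    ForEach-Object { Get-SuspectForwarders -ComputerName $_.HostName }
$report | Where-Object { $_.OpenDNS } | Format-Table -AutoSize

# Remediation, run deliberately after confirming the hits (DC01 and the 10.10.1.x
# resolvers are placeholders): replace the forwarder list with the resolvers you intend.
# Set-DnsServerForwarder -ComputerName DC01 -IPAddress 10.10.1.1, 10.10.1.2
# Remove-DnsServerForwarder -ComputerName DC01 -IPAddress 208.67.222.222, 208.67.220.220 -Force
```

A forwarder change nobody admits to is worth treating as a possible compromise of the DC rather than only a misconfiguration: an attacker who can set the forwarder controls where every client's lookups go. Where the Windows DNS Server audit log channel is enabled it records configuration changes with the account that made them, and the DC's security log shows who logged on with the rights to do it.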

8 REPLIES
SoCalRacer
Kind of a big deal

Cisco technically owns OpenDNS now and is pulling it under the Umbrella name. Not sure if there is some overlap in the changes. I would check all DNS settings on the MX, MS, and AP, then if nothing is found to point to an OpenDNS server then dive down to the client level. If you can source the IP that OpenDNS is using then run a packet capture to find which clients are making calls there.
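The triage SoCalRacer describes (identify the OpenDNS addresses, then find which internal hosts are talking to them), as an added example that is not part of the thread. It works from the MX flow syslog the original poster already collects instead of a packet capture. The log lines are constructed to resemble MX "flows" syslog and are not real data; the field regex is an assumption about that format and should be adjusted to match the actual export.

```powershell
# Added example, not from the thread. Finds which internal hosts send DNS to OpenDNS
# resolvers by parsing MX flow syslog lines.
# Public OpenDNS resolver addresses (extend with any Umbrella addresses your org actually uses).
$OpenDnsResolvers = @('208.67.222.222', '208.67.220.220', '208.67.222.123', '208.67.220.123')

# Constructed sample lines approximating MX flow syslog (not real traffic). 10.10.1.10 plays
# the role of the internal domain controller; the 10.10.20.x hosts are ordinary clients.
$SampleLog = @'
1 1565892387.339 MX84 flows src=10.10.20.55 dst=10.10.1.10 mac=AA:BB:CC:DD:EE:01 protocol=udp sport=51234 dport=53 pattern: allow all
1 1565892388.102 MX84 flows src=10.10.1.10 dst=208.67.222.222 mac=AA:BB:CC:DD:EE:10 protocol=udp sport=61023 dport=53 pattern: allow all
1 1565892389.455 MX84 flows src=10.10.20.77 dst=8.8.8.8 mac=AA:BB:CC:DD:EE:02 protocol=udp sport=53311 dport=53 pattern: allow all
1 1565892390.001 MX84 flows src=10.10.1.10 dst=208.67.220.220 mac=AA:BB:CC:DD:EE:10 protocol=udp sport=61024 dport=53 pattern: allow all
1 1565892391.778 MX84 flows src=10.10.20.55 dst=93.184.216.34 mac=AA:BB:CC:DD:EE:01 protocol=tcp sport=50001 dport=443 pattern: allow all
'@

function Find-OpenDnsFlows {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string[]] $Resolvers = $OpenDnsResolvers
    )
    # Field layout assumed from MX flow syslog: src=, dst=, mac=, protocol=, sport=, dport=
    $pattern = 'src=(?<src>\S+)\s+dst=(?<dst>\S+)\s+mac=(?<mac>\S+)\s+protocol=(?<proto>\S+)\s+sport=(?<sport>\d+)\s+dport=(?<dport>\d+)'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        $dst   = $m.Groups['dst'].Value
        $dport = [int]$m.Groups['dport'].Value
        # Plain DNS (port 53) to an OpenDNS resolver. DoT/DoH would need the service's own
        # endpoints and ports and is deliberately not guessed here.
        if (($Resolvers -contains $dst) -and ($dport -eq 53)) {
            [pscustomobject]@{
                Source   = $m.Groups['src'].Value
                Mac      = $m.Groups['mac'].Value
                Resolver = $dst
                Protocol = $m.Groups['proto'].Value
            }
        }
    }
}

$lines = ($SampleLog -split '\r?\n') | Where-Object { $_ -ne '' }
$hits  = Find-OpenDnsFlows -Lines $lines

# Group by source. One internal server (here the DC, 10.10.1.10) originating every query
# points at a forwarder on that server; many client sources would point at client settings.
$hits | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } },
                  Count,
                  @{ n = 'Resolvers'; e = { ($_.Group.Resolver | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

For a live syslog file, replace `$lines` with `Get-Content` on the export. The grouping is the useful part: if the only source talking to OpenDNS is a DNS server rather than the clients, the MX, switch and AP DNS settings are not where the answer is.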

PhilipDAth
Kind of a big deal

>This past week or so there is traffic being routed to OpenDNS

 

Are you using the free service (which you have no control over) or a paid Umbrella subscription (in which case go into the Umbrella console and check what it is saying).

To my knowledge we are not at all using OpenDNS, hence why I'm confused. We are using Meraki's categories on our MX. But if Cisco bought OpenDNS, then is it "in play" somewhere that I'm unaware of?

PhilipDAth
Kind of a big deal

If you have not configured anything to use OpenDNS or Umbrella then nothing will be going near or touching OpenDNS/Umbrella.

When it is blocked - what happens?

 

Do you get a page saying it is blocked by Meraki?

Let me try explaining this a different way...

 

A tale of two sites

sportsmansguide.com is an ok site to go to in our ORG but a site like playboy.com is not.

 

Currently, when a user tries sportsmansguide.com they are greeted with an OpenDNS block page that says "This site was blocked due to the following categories: Weapons".  However, we DO NOT USE OpenDNS... this is the surprise type of traffic redirect that is unexpected.  We internally use the Meraki content filtering (BrightCloud) on the MX and "Weapons" is not even an option... the closest thing to it is "Violence", which is something we do block.

 

On the other hand... playboy.com is a category expected to be blocked by the Meraki Content Filtering (again BrightCloud) under such ideas like "Nudity", "Adult and Pornography", "Swimsuits & Intimate Apparel"... This IS Working.

However, when I whitelisted my client from the Content Filtering and tested this site this morning, I was again routed to an OpenDNS block page under their categories: "This site was blocked due to the following categories: Nudity, Pornography".  I'll state it again... We DO NOT USE OpenDNS, so why are we being routed here?

 

I suspect now our ISP?

SoCalRacer
Kind of a big deal

The data shows that you are getting to OpenDNS regardless of if you use it or not. Checking the DNS settings on the MX, MS, and AP are the first place to start.
