What are the Cisco Umbrella Block Page IP Addresses?

6 comments

  • bbrandeb49

    Is this list up to date?  I keep getting another IP address (208.69.36.159) that is registered to OpenDNS.

  • matt.griffiths

    Same here. Any updates on this?

  • rotblitz

    Why do you think you get different addresses returned?  Is there any evidence for this?  I.e. how did you find out?

  • bbrandeb49

    They basically told me that the list was fluid and they don't publish it for that reason.  

     

  • matt.griffiths

    I can see the logs from my firewall, of users visiting the block page on 208.69.36.159, as well as some of the IPs above in the 146 range.

  • rotblitz

    Well, the IP addresses on the list above are the first ones Cisco/OpenDNS returns if a blocked domain is being queried like:

    nslookup www.internetbadguys.com.

    But the browser continues attempting to access the hostname using the returned 146.112.61.* IP address, and is redirected with HTTP 301/302 several times until the final block page or block page bypass is reached, using several different hostnames and IP addresses.  This is what you see if you check your firewall only instead of tracing what happens with the real DNS and HTTP/HTTPS traffic.  You would be able to analyze it with e.g.:

    wget -O - -S www.internetbadguys.com

    Possible final DNS query results are for example:

    nslookup block.opendns.com.
    Server:  local
    Address:  10.165.161.13

    Non-authoritative answer:
    Name:    block.proxy.umbrella.opendns.com
    Addresses:  208.69.36.152
              208.69.36.157
    Aliases:  block.opendns.com

    Hey, here you got such 208.69.36.15* addresses!

    Any more questions, or does this make sense now?
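
The tracing described in the last comment, written as an added example that is not part of the thread or of Cisco's tooling: it follows the redirect chain one hop at a time and resolves each hostname, so every address a firewall would log for one blocked request is listed next to the hostname that produced it. The function names are this example's own, and the default target is the test hostname used in the thread.

```python
import http.client
import socket
import sys
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def resolve(host):
    """IPv4 addresses the local resolver returns for host ([] if lookup fails)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def fetch(url):
    """One GET with no automatic redirect handling -> (status, Location header)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=10)
    try:
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, resolve=resolve, fetch=fetch, max_hops=10):
    """Follow the chain one hop at a time, recording each hostname and its IPs."""
    hops = []
    for _ in range(max_hops):  # cap guards against redirect loops
        host = urlsplit(url).hostname
        status, location = fetch(url)
        hops.append({"host": host, "ips": resolve(host), "status": status, "url": url})
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return hops

def seen_addresses(hops):
    """Every address a firewall would log for this one blocked request."""
    return sorted({ip for hop in hops for ip in hop["ips"]})

if __name__ == "__main__":
    # Default target is the test hostname from the thread; needs network access.
    chain = trace(sys.argv[1] if len(sys.argv) > 1 else "http://www.internetbadguys.com/")
    for hop in chain:
        print(hop["status"], hop["host"], ", ".join(hop["ips"]), hop["url"])
    print("addresses seen:", seen_addresses(chain))
```

Run it from a client that uses the Umbrella resolvers and compare the printed addresses with the firewall log entries for the same request.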
