Overview
When a page is blocked by the Cisco Umbrella service, our DNS resolvers display a block page instead of the page with the blocked content. These block pages are served from Cisco Umbrella servers. The Anycast IP address and associated block type for these servers are outlined in the table below.
Note:
We do not expect these IPs to change again in the near future, but if they do change, the update will be included in this article.
Solution
Requests using the “Block Page Bypass” feature could use any of the IP addresses listed on the following website: https://www.opendns.com/data-center-locations/
Name | Record Type | Address |
Domain List Block Page | a | 146.112.61.104 |
Domain List Block Page | aaaa | ::ffff:146.112.61.104 |
Command and Control Callback Block Page | a | 146.112.61.105 |
Command and Control Callback Block Page | aaaa | ::ffff:146.112.61.105 |
Content Category or Application Block Page | a | 146.112.61.106 |
Content Category or Application Block Page | aaaa | ::ffff:146.112.61.106 |
Malware Block Page | a | 146.112.61.107 |
Malware Block Page | aaaa | ::ffff:146.112.61.107 |
Phishing Block Page | a | 146.112.61.108 |
Phishing Block Page | aaaa | ::ffff:146.112.61.108 |
Security Integrations Block Page, Newly Seen Domains, DNS Tunneling VPN, Potentially Harmful, & Dynamic DNS | a | 146.112.61.110 |
Security Integrations Block Page, Newly Seen Domains, DNS Tunneling VPN, Potentially Harmful, & Dynamic DNS | aaaa | ::ffff:146.112.61.110 |
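The table above can be used to triage resolver logs by block type. The following is an added example, not Cisco's code: it folds the IPv4-mapped AAAA answers onto their A-record form and groups blocked lookups per client. The log layout (time, client, query name, query type, answer), the sample lines, and the choice of which block types count as security-related are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
# Block page addresses and block types, taken from the table above.
BLOCK_PAGES = {
    "146.112.61.104": "Domain List",
    "146.112.61.105": "Command and Control Callback",
    "146.112.61.106": "Content Category or Application",
    "146.112.61.107": "Malware",
    "146.112.61.108": "Phishing",
    "146.112.61.110": "Security Integrations, Newly Seen Domains, DNS Tunneling VPN, Potentially Harmful, Dynamic DNS",
}
# Assumption: these block types are the ones to triage first.
SECURITY_TYPES = {"Command and Control Callback", "Malware", "Phishing"}

def block_type(answer):
    """Return the block type for a DNS answer, or None if it is not a listed block page."""
    try:
        ip = ipaddress.ip_address(answer.strip())
    except ValueError:
        return None  # CNAME target or malformed field
    # AAAA answers in the table are IPv4-mapped (::ffff:a.b.c.d); fold to IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return BLOCK_PAGES.get(str(ip))

def triage(lines):
    """Group blocked lookups per client: {client: {block_type: [qname, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed layout
        _ts, client, qname, _qtype, answer = fields
        kind = block_type(answer)
        if kind:
            hits[client][kind].append(qname)
    return hits

def security_clients(hits):
    """Clients with at least one security-related block, sorted."""
    return sorted(c for c, kinds in hits.items() if SECURITY_TYPES.intersection(kinds))

# Constructed sample log lines (hypothetical layout: time client qname qtype answer).
SAMPLE = [
    "2024-01-01T10:00:00Z 10.0.0.5 blocked-c2.example A 146.112.61.105",
    "2024-01-01T10:00:05Z 10.0.0.7 games.example A 146.112.61.106",
    "2024-01-01T10:00:09Z 10.0.0.8 phish.example AAAA ::ffff:146.112.61.108",
    "2024-01-01T10:00:12Z 10.0.0.9 www.example.org A 192.0.2.10",
]
```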
Comments
Is this list up to date? I keep getting another IP address (208.69.36.159) that is registered to OpenDNS.
Same here. Any updates on this?
Why do you think you get different addresses returned? Is there any evidence for this? I.e. how did you find out?
They basically told me that the list was fluid and they don't publish it for that reason.
I can see the logs from my firewall, of users visiting the block page on 208.69.36.159, as well as some of the IPs above in the 146 range.
Well, the IP addresses on the list above are the first ones Cisco/OpenDNS returns if a blocked domain is being queried like:
But the browser continues to attempt accessing the hostname, using the returned 146.112.61.* IP address and is redirected with HTTP 301/302 several times until the final block page or block page bypass is being reached, using several different hostnames and IP addresses. This is what you see if you check your firewall only instead of tracing what happens with the real DNS and HTTP/HTTPS traffic. You would be able to analyze it with e.g.:
Possible final DNS query results are for example:
Hey, here you got such 208.69.36.15* addresses!
Any more questions, or does this make sense now?