YD_IT_Guy

asked on

Allow TEREDO. and 6TO4.ipv6.microsoft.com in OpenDNS Whitelist?

Similar to my earlier question regarding ISATAP and WPAD (here http://rdsrc.us/WZIRbe), I am wondering if it is safe to allow teredo. and 6to4.ipv6.microsoft.com.  I believe the latter enables ipv6 addresses to be encapsulated in an ipv4 for routing, but I am less clear on the teredo.ipv6.microsoft.com.  

My situation and environment:
I have recently implemented OpenDNS web content filtering at all of my company's retail locations.  I've chosen to use their Whitelist available with the Enterprise package to limit access.  Choosing this method required us to compose a list not only of sites they will need to browse but sites necessary for all related technology to function and update.

In monitoring the blocked domains I constantly encounter teredo.ipv6.microsoft.com and 6to4.ipv6.microsoft.com entries.  I have researched these but I have not yet found anything which can assure me that it will be safe to allow them.  OpenDNS, naturally, uses their DNS servers to enforce the filtering so I need to be absolutely sure these will not allow users to bypass this.

I would like to be 100% sure allowing these will 1) not create any potential security risks and 2) not enable my users to bypass OpenDNS and access restricted sites.

Thank you for your help!
SOLUTION
harbor235
This solution is only available to members.
YD_IT_Guy

ASKER

Hi harbor235

I've learned from KBs and forums that teredo and 6to4 are built into Windows 7 and enabled by default. All of my store POS machines are Win7; these are the devices being protected by OpenDNS and reporting these blocked communications. (http://technet.microsoft.com/en-us/library/bb457011.aspx)

We do use Cisco VPN clients for the POS software, but this should be the only tunneling. Only the POS traffic goes through the tunnel; all browsing goes through the standard local area connection filtered by OpenDNS's name servers. It's more difficult for me to inspect the traffic because it's from dozens of remote locations.

We are currently using IPv4 exclusively, so I don't believe we need this but would like to confirm with experts.  However, I would prefer to ALLOW teredo and 6to4 if there is no associated security risk or chance of allowing access to restricted sites. These entries are cluttering up my blocked domain reports. If they should be blocked I can do this by hosts file.

To simplify my question - would allowing teredo and 6to4 (dot ipv6 dot microsoft) enable unauthorized access to any DNS or proxy servers which my employees could use to browse the interpipes? Could this technology be used by some bleep to trick my store machines and gain access to them? I imagine neither is unlikely since this is default behavior for the OS, but want to hear it from those who know more about networking.

Thanks
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Hi ve3ofa,

Thank you for your reply. The 'maybe' you mentioned is reason enough in my mind to disable these.

I do not yet have my stores on a domain, the VPN is only to access an application server at our parent company overseas.  I assume I can slap these commands in a batch file and run on all store machines when I (painfully) access them one-by-one for updating and tweaking.

This is even better than blocking, I hadn't thought to disable the service!

Cheers
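
The commands from the accepted answer are not visible on this page. The batch file below is an added example, not taken from any participant in the thread, of one way to turn off the Teredo and 6to4 tunnel interfaces on a Windows 7 machine with the built-in `netsh` tool and then confirm the result. It assumes an elevated command prompt and that the Server service is running, because the `net session` call is used as the elevation check.

```batch
@echo off
rem Added example: disable the Teredo and 6to4 IPv6 transition tunnels
rem on a Windows 7 machine and show the resulting state.
setlocal

rem "net session" only succeeds for an administrator, so it doubles as an
rem elevation check (assumption: the Server service is running).
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated command prompt.
    exit /b 1
)

set FAILED=0
for %%T in (teredo 6to4) do call :disable %%T

rem Print the state netsh now reports so the change can be confirmed
rem on each store machine before moving on to the next one.
echo.
echo Resulting tunnel state:
for %%T in (teredo 6to4) do (
    echo --- %%T ---
    netsh interface %%T show state
)

rem Exit code 0 = both tunnels disabled, 1 = at least one command failed.
exit /b %FAILED%

:disable
rem %1 is the netsh interface context (teredo or 6to4).
netsh interface %1 set state disabled >nul
if errorlevel 1 (
    echo [FAIL] could not disable %1
    set FAILED=1
) else (
    echo [ OK ] %1 disabled
)
goto :eof
```

With both tunnels disabled the clients should stop looking up teredo.ipv6.microsoft.com and 6to4.ipv6.microsoft.com, so the entries should drop out of the blocked-domain report without being added to the whitelist.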