OpenDNS To Block and Monitor Conficker Worm

Linker3000 writes "According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
  • OpenDNS (Score:5, Informative)

    by Anonymous Coward on Sunday February 08, 2009 @09:35AM (#26771893)

    OpenDNS redirects www.google.com to OpenDNS servers.

  • by Anonymous Coward on Sunday February 08, 2009 @09:36AM (#26771895)

    They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching server bills for millions and millions of queries every day? They sell your private info.

    OpenDNS redirects all your Google search queries through their servers.

    They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Sunday February 08, 2009 @10:08AM (#26772041)
    Comment removed based on user account deletion
  • The IP Addresses. (Score:3, Informative)

    by bhima ( 46039 ) * <(Bhima.Pandava) (at) (gmail.com)> on Sunday February 08, 2009 @10:18AM (#26772079) Journal

    Would it be so hard to add the OpenDNS IP addresses to the story... It's not all that hard for home users to change their DNS server addresses.

    Addresses: 208.67.222.222 and 208.67.220.220

    Or if you need more help, look here: https://www.opendns.com/smb/start [opendns.com]

  • by fprintf ( 82740 ) on Sunday February 08, 2009 @10:28AM (#26772147) Journal

    You can turn this feature off. http://www.opendns.com/support/article/244 [opendns.com] is their response to questions about privacy.

    For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".

    I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.

  • Re:OpenDNS (Score:5, Informative)

    by ratbag ( 65209 ) on Sunday February 08, 2009 @10:31AM (#26772159)

    http://blog.opendns.com/2007/05/22/google-turns-the-page/ [opendns.com]

    Don't know if it's a good enough justification by itself, but at least it's a logical explanation.

  • by X0563511 ( 793323 ) on Sunday February 08, 2009 @10:31AM (#26772161) Homepage Journal

    You are an idiot.

    This is no more shadowy than the NTP pool.

  • Re:OpenDNS (Score:3, Informative)

    by fprintf ( 82740 ) on Sunday February 08, 2009 @10:32AM (#26772169) Journal

    By default, yes it does. Since your post is right on top at the moment, I'll post something I shared earlier: Here is OpenDNS response to the privacy concerns: http://www.opendns.com/support/article/244 [opendns.com]

    You can easily turn off the proxy by changing your settings, under the Advanced section at the bottom.

  • by slug359 ( 533109 ) on Sunday February 08, 2009 @11:15AM (#26772441) Homepage

    Not really, no.

    For the NTP pool you send and receive time data; funnily enough the time is public information.

    Switching your DNS servers to OpenDNS means you end up sending them every domain you visit, and apparently every Google search too.
    Most people would probably want their search terms and domains they visit to stay private, so your analogy between the NTP pool and commercial DNS providers breaks down here.

    (note: I'm not implying sending your DNS data to OpenDNS means it's made public!)

  • by moonbender ( 547943 ) <moonbenderNO@SPAMgmail.com> on Sunday February 08, 2009 @11:30AM (#26772529)

    You're relying on OpenDNS for content filtering? Cute. That might work in a home for the elderly, but I doubt it'll stop any teenager, much less one who is technologically inclined. Would have stopped me for all of 45 seconds. But if it gives you peace of mind, that's something I guess.

  • by Antique Geekmeister ( 740220 ) on Sunday February 08, 2009 @11:31AM (#26772535)
    Use 127.0.0.3, and put that in your /etc/hosts as 'dns.localdomain'. This still reaches your loopback address, but avoids some of the potential reverse DNS confusions with 'localhost.localdomain'.
  • by ScrewMaster ( 602015 ) * on Sunday February 08, 2009 @11:40AM (#26772591)
    Just Google for "free DNS", but I use 4.2.2.2, 4.2.2.3 myself. I think they're from Level 3. There's tons of others though. I used to have Comcast, and I switched my DNS because theirs were slow and unreliable. I mean, if I went to a complex site (take MSNBC.COM, for example) it would take several seconds to load on a 16 mbit/sec line, just because of all the domain requests. I just switched to AT&T for my ISP now, and I haven't changed my DNS settings yet because the response is really, really crisp.
  • by causality ( 777677 ) on Sunday February 08, 2009 @11:47AM (#26772633)

    FTFA:

    .....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.

    Wouldn't blocking "this week's" known IP addresses stop the addition of new ones, rendering the infection impotent?

    That would address a symptom and would do nothing about the actual problem. We keep doing that because we don't want to admit that addressing only symptoms is a failed idea; trying harder and harder to find new ways to implement this idea won't change the fact that it's a failed idea.

    The root problem is the vulnerability of Windows to these types of worms. Yes I am selectively speaking about Microsoft Windows; if I ever start seeing widespread (keyword) worms in the wild (keyword) for *nix operating systems then on that day I'll include them too. Anti-virus seeks to remove or contain an external object to which Windows is vulnerable, so it too addresses only the symptom and not the vulnerability. The reason why *nix operating systems don't generally need anti-virus (unless of course you ask an anti-virus vendor) is because they have a security model that is able to prevent infections from occurring in the first place. This is much simpler and more practical (but creates fewer cottage industries) than sophisticated scanners and high-maintenance databases of tens of thousands of signatures that must be applied to every file or every file operation. It's a lot simpler than pretending that DNS is the correct tool for host security as well.

    If OpenDNS maintains a highly effective, well-maintained blocklist and if many people start using it, what happens next is rather predictable. A worm/virus that can compromise the machine can also alter that machine's DNS settings. It could make the machine stop using OpenDNS or worse (as another poster has pointed out) it could make it use a hostile DNS server. You can expect this to be a standard malware feature if OpenDNS's efforts are successful. That's the downside of participating in an arms race. The best way to avoid an arms race is to realize that mitigation techniques, while not completely useless, have extremely limited utility and that prevention is the only actual cure.

  • by Antique Geekmeister ( 740220 ) on Sunday February 08, 2009 @12:16PM (#26772911)
    It could be worse. Does anyone else here remember the 'Site Finder' chaos, when Verisign returned their own sales website domain for all nonexistent .com addresses? As the managers of .com, their behavior screwed up network monitoring tools worldwide, and misdirected huge amounts of misaddressed email to their servers, without warning. Patches were quickly released for every major DNS software package to block it, which is probably the real reason it got dropped: having every DNS server in the world used to the idea that 'I can block the behavior of idiots' is very, very bad for companies like Verisign that have repeatedly misused their position of trust against third parties.
  • by Kent Recal ( 714863 ) on Sunday February 08, 2009 @12:26PM (#26773019)

    How are they a scam operation?

    They're providing a near-zero value product, spam you with ads in dubious locations (NX) and collect a lot of personal data with borderline phishing methods (google proxy) without announcing either of that clearly upfront.

    And if you are concerned with worm infections, why not run OpenDNS + IDS + Antivir?

    Because OpenDNS provides no added protection? The other two are plenty sufficient while nobody knows whether the OpenDNS detection is reliable nor whether they will bother to add detection of future worms etc.

    Remember many phishing toolbars claim to protect you against other phishing toolbars. OpenDNS is running the same model here.

  • by Anonymous Coward on Sunday February 08, 2009 @12:40PM (#26773133)

    Dude.

    dig @208.67.222.222 www.google.com
    [..] ;; ANSWER SECTION:
    www.google.com. 30 IN CNAME google.navigation.opendns.com.
    google.navigation.opendns.com. 30 IN A 208.67.217.230
    google.navigation.opendns.com. 30 IN A 208.67.217.231

    Your browser will issue an HTTP request to the OpenDNS servers. If that's not a man in the middle, I don't know what is.

  • I Don't See A Scam (Score:3, Informative)

    by reallocate ( 142797 ) on Sunday February 08, 2009 @12:45PM (#26773169)

    I don't see a scam here. You might not like their approach, but that's different.

    OpenDNS tells you they run a proxy. They tell you how to disable it.

    Sending a raw error code to 99 percent of Internet users is bad service. Better to catch the code and deliver a plain language message.

    As for the ads: Would you feel better if OpenDNS billed your credit card on a regular basis? Ads are everywhere. Get used to it. Just ignore them, like the rest of us do.

    Short of running their own DNS, what's a better approach? (BTW, I've run my own DNS. Not doing that again. Life's too short to think running servers is fun.)

  • by Dreadneck ( 982170 ) on Sunday February 08, 2009 @01:05PM (#26773317)

    They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching server bills for millions and millions of queries every day?

    From the site:

    "OpenDNS partners with hardware and service providers to deliver our award-winning security, infrastructure and navigation services."

    They sell your private info.

    There's nothing private about my public IP address. If they can manage to glean personal info from my IP address then, damn, they're good.

    OpenDNS redirects all your Google search queries through their servers.

    From the site:

    "Is OpenDNS running a proxy?

    Yes. Some software, including your (and our) beloved Google Toolbar, intercepts requests made via the address bar so that DNS requests never occur. This creates some usability issues, including making shortcuts - which require DNS requests to be made from the address bar - unreliable. We've designed a simple proxy that ensures the best of Google and OpenDNS work without causing problems.

    When enabled, we route certain requests to a simple proxy which checks for the origin of the request. Shortcut-related traffic gets handled (and redirected) while all other traffic goes to the intended destination untouched. We are not storing or mining any of the data that passes through the proxy. The proxy does nothing malicious - it's designed to make your shortcuts work seamlessly with the Google Toolbar and similar services, giving you the best of both worlds.

    Like all OpenDNS services, the proxy is respectful of your privacy. We do not track any of the searches made through the proxy. In fact, since so many people use Google we automatically rotate and delete the logs frequently. We do not store any of those logs, nor do we perform any non-operational-related analysis of the traffic sent through the proxy at any time. Protecting your privacy and delivering a fantastic navigational experience will always be two of our main goals at OpenDNS. We believe that this solution provides just that, and continues our tradition of innovative services that make your Internet experience with OpenDNS faster, safer and more reliable.

    Ultimately, this proxy serves to enhance the OpenDNS experience and we recommend you leave it enabled.

    They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.

    You mean if I try to navigate to a nonexistent domain that OpenDNS will A) Inform me of my error B) Present me with a search form and C) Display a few innocuous text ads on the page?

    I'm crushed. Damn, how could they?

    How is that any worse than Google displaying text ads on their search results page? How hard can it be to block those text ads if they really get your panties in that big of a twist? If it bothers you that much, it's not like anyone is holding a gun to your head and forcing you to use their service.

  • by Kent Recal ( 714863 ) on Sunday February 08, 2009 @02:07PM (#26773905)

    and add extra features to decades old service without breaking standards.

    But they are breaking the standard. In particular rfc2308 [faqs.org],

    under 8:

    Negative caching in resolvers is no-longer optional, if a resolver
    caches anything it must also cache negative answers.

    The SOA record from the authority section MUST be cached. Name error
    indications must be cached against the tuple .
    No data indications must be cached against tuple.

    Note the absence of statements like "lookup failures should silently map to A records that point to webservers serving spam".
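    The two resolver behaviours discussed in the dig comment and in this one (a CNAME interposed on www.google.com, and a nonexistent name answered with A records instead of the NXDOMAIN that RFC 2308 section 8 expects to be cached) can be checked mechanically. The following is an added example, not code from this thread or from OpenDNS: a stdlib-only parser for raw DNS response messages with a check for each behaviour, run offline against constructed sample messages that mirror the quoted dig output. The `build_response` helper, the `random-zq8.example.com` name and the 192.0.2.x address are assumptions made for the demo.

```python
import struct

def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                      # resume after the pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_response(msg):
    """Return (rcode, question_name, [(owner, rtype, rdata)]); A and CNAME rdata decoded."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 5:
            rdata = _read_name(msg, off)[0]
        off += rdlen
        answers.append((owner, rtype, rdata))
    return flags & 0x000F, qname, answers

def cname_interposed(msg, expected_suffix):
    """CNAME target if the queried name is redirected outside expected_suffix, else None."""
    _rcode, qname, answers = parse_response(msg)
    for owner, rtype, target in answers:
        if rtype == 5 and owner == qname and not target.endswith(expected_suffix):
            return target
    return None

def nxdomain_rewritten(msg):
    """True when a name that should not exist came back NOERROR with A records."""
    rcode, _qname, answers = parse_response(msg)
    return rcode == 0 and any(rtype == 1 for _o, rtype, _r in answers)

def _encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"

def build_response(qname, rcode, answers):
    """Constructed sample response (uncompressed names, TTL 30 as in the thread)."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = _encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in answers:
        rd = bytes(int(x) for x in rdata.split(".")) if rtype == 1 else _encode_name(rdata)
        body += _encode_name(owner) + struct.pack("!HHIH", rtype, 1, 30, len(rd)) + rd
    return hdr + body

# Constructed sample mirroring the dig output quoted in the thread.
GOOGLE_VIA_PROXY = build_response("www.google.com", 0, [
    ("www.google.com", 5, "google.navigation.opendns.com"),
    ("google.navigation.opendns.com", 1, "208.67.217.230"),
])
# Constructed samples for a name that should not exist: one rewritten to an
# A record (192.0.2.10 is a documentation address), one answered with NXDOMAIN.
REWRITTEN_NX = build_response("random-zq8.example.com", 0,
                              [("random-zq8.example.com", 1, "192.0.2.10")])
HONEST_NX = build_response("random-zq8.example.com", 3, [])

if __name__ == "__main__":
    print("www.google.com redirected to:", cname_interposed(GOOGLE_VIA_PROXY, ".google.com"))
    print("rewriting resolver:", nxdomain_rewritten(REWRITTEN_NX))
    print("compliant resolver:", nxdomain_rewritten(HONEST_NX))
```

    Against a live resolver, the same two checks would be fed the raw UDP reply to a query for a well-known name and for a freshly invented label under a zone you control.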

  • by cronot ( 530669 ) on Sunday February 08, 2009 @03:07PM (#26774591)

    Well, I can't vouch for the GP, but my ISP has a very flaky DNS service. For some reason, every 3 out of 10 queries for a given DNS returns a NX - or (in layman's terms), every 3 (at least) out of 10 times I try to access a website (that is, one specific website, 10 times), Firefox says the domain doesn't exist. After the first 3 errors the domain is found and cached, and all is well, but this annoyed me to no end.

    There were some days when it was bad, and others days the problem never showed up. After trying to diagnose the problem on my end, I finally concluded the problem were my ISP's servers, so I gave up and switched to OpenDNS. Never had the problem again.

  • by davidu ( 18 ) on Sunday February 08, 2009 @04:51PM (#26775735) Homepage Journal
    I'm the founder of OpenDNS. I've decided to reply even though these comments are heinously wrong, and probably just me feeding the trolls...

    We have never sold user data, ever. We also have no CDN bills, we don't even use a CDN. We've built a global BGP-speaking network with hundreds of peers around the world. I know, because I built it. We peer at LoNAP, LINX, PAIX, SeattleIX and on a few of the Equinix peering fabrics around the US.

    The idea that we would build our business based on monitoring user data is preposterous. I wouldn't stand for it, nor would our employees. I'm confident that all our engineers are just as vocal or more vocal about doing the right thing than you are. We make it very clear how we make money, and it's all over our website. Go to http://guide.opendns.com [opendns.com] and do a search. The sponsored results are ads where we get paid, the organic results are regular search results. That's how we make money. We might offer an enterprise for-pay service down the road as some of our customers begin to demand tighter integration with their network but for now, we're happy with our business. And I'm happy to report that we're profitable and stable, even in this economy.

    And as to the OpenDNS proxy. It's true, we do redirect certain Google requests through a proxy so that we can make our OpenDNS shortcuts and some other features work more reliably. Two important things here: First, we peer with Google at every datacenter, so we aren't adding to your latency or anything else. Second, we don't log and store any data and we certainly don't care about it. We prefer to be able to confidently say we aren't keeping data on it. Of course, you are welcome to disable it by going into your settings and disabling the OpenDNS proxy. That's it. Do that and we don't ever see the request. Pretty easy. End of story.

    David Ulevitch
    Founder, OpenDNS
  • by ConceptJunkie ( 24823 ) on Sunday February 08, 2009 @05:04PM (#26775903) Homepage Journal

    This guy has a 2-digit UID, how could he possibly not be on the level? ;-)

    Seriously, I've been using OpenDNS for a year or so, and based on what I know and everything I've read here minus David Ulevitch's description I don't really see a problem, just a lot of people overreacting. After reading what he had to say, I am confident that my gut feeling was accurate... unless of course he's lying, which I have no reason to believe.

  • by fprintf ( 82740 ) on Sunday February 08, 2009 @05:06PM (#26775931) Journal

    Yep, I believe you can use OpenDNS servers by themselves without any account setup. However you can also set up an account with them to enable setting custom filtering among other things, and control over your proxy/privacy settings. So it is, indeed, on their website after you set up an account. They don't ask for much of anything to set up an account, so I have used a throwaway email address in the past... tho they do still have your IP if you are really worried.

  • by causality ( 777677 ) on Sunday February 08, 2009 @05:14PM (#26776015)

    Interesting. I get modded flame-bait without a single reply. Anyone mind to explain what on earth was flame-bait about my post?

    Absolutely nothing, yet that won't stop incompetent or malicious moderators from pretending that "flamebait" is the same thing as "I disagree". Surprised? Don't be. This is simply how lesser men respond to criticism, no matter how constructive, because they don't have what it takes to handle it gracefully. If they did, they wouldn't be lesser men.

    This has happened to some degree or another for as long as I have used Slashdot, but ever since they got rid of the old metamoderation system it has become much worse. I speak out against it when I see it too, but I do that knowing that they will try to have their petty revenge in the form of further down-mods. I can picture them now, saying something like "how DARE you point out what you believe to be unfair in a non-inflammatory tone and then offer reasoning to explain how you feel!" As I've said before, I bet these people wonder why they have inner conflict. Oh well, I have karma to burn so let them do their worst. Maybe one day the abusers of the moderation system will realize how petty and impotent they really are. I hope this does not discourage you. There are good moderators, too, and you should never allow lesser men to get under your skin for it is how they get their power.

    For what it's worth, I agree with you. Handling a DNS error in a user-friendly manner is up to the application that is processing said error. You are correct that this is a non-issue because Web browsers have taken care of it for a long time now (your figure of 10 years is modest). Breaking the DNS protocol to serve advertisements in the name of user-friendliness deserves to be exposed for the absurdity that it is. You know what I consider to be "user friendly?" Respecting your users enough to never insult their intelligence like this. I wouldn't complain or challenge them if they simply said up-front "this is how we make money" rather than the absurd volume of posts that amount to "this is for your own good of course; trust us, our motives are pure!"

    I'll add one more thing. I'm not sure if I have ever seen so many posts in a single Slashdot discussion that smelled so strongly of astroturfing. I realize that normally, "astroturfing" or "shill" is brought up as a cop-out, but I encourage you to see that for yourself. Do a text search of this discussion for my username of "causality" and you'll see several posts of mine that are a direct response to this. They tend to post AC (though not all of them) and they tend to suddenly get very quiet when seriously challenged, as though they know that their position is absurd. It's ridiculous and I really wonder how stupid they think we are. I'm not saying for certain that astroturfing is going on because I can't prove it, but I can say is that I am convinced to my own satisfaction that this is the case.

  • by causality ( 777677 ) on Sunday February 08, 2009 @08:16PM (#26777863)

    Why don't you use BIND?

    For the same reason I'll consider using nearly any MTA except Sendmail, which is because it has a poor security history. BIND and Sendmail both hail from a time when the Internet was a much friendlier place and I consider neither trustworthy on the hostile network that the Internet has since become. I know that version 9 of BIND was a complete rewrite, yet that too has had more security issues than I would like to see.

    In my opinion, BIND is written for functionality first and security second. History has shown that security needs to be a fundamental design goal from the beginning; trying to write a program and then secure it later as vulnerabilities are found is problematic at best and causes a lot of preventable problems. Good security is not an afterthought. I just don't see security as an integral part of BIND's design, not when compared to alternatives like djbdns or maradns. For example, from its very first release, maradns has always used a cryptographically secure RNG to randomize query IDs and source port numbers and was never once vulnerable to cache poisoning attacks. BIND didn't start doing this until people started exploiting it. I've just seen too many issues like that which were better solved by more proactive approaches. I really can't rigorously prove to you that one solution is inherently superior to some other solution, especially since your needs and priorities may differ from mine, but I can explain why I have strong preferences that contribute to what I will and won't do.

    BIND is also bigger and more complex than what I actually need. I have never felt like there was some must-have feature provided by BIND, so there is really no compelling reason for me to use it. Even so, using a daemon whose authors more proactively consider security issues is just one step. I take other measures, including but not limited to a well-configured software firewall (Linux kernel/iptables) that is itself behind a hardware firewall/router, a PaX/Grsecurity kernel that provides things like non-executable stacks and randomized memory addresses and chroot jails that are much harder to break, and userland measures like compiling the daemon with SSP [wikipedia.org]. Many of those are part of running a Gentoo system with the Hardened profile [gentoo.org], which also implies a hardened toolchain. A source-based distribution is definitely not for everyone, but it offers some very good options like this and I'm quite happy with it. I also use Logsentry and a few other tools to help me keep an eye on things.

    Yes I'm paranoid, but it's because I believe in preparedness and I've seen too many examples of what happens when administrators don't consider attacks to be an eventuality. I'm rather "old school" in a few ways; for example, I do not believe in after-the-fact removal tools (i.e. for rootkits) at all. Once a system has been compromised, the only way to ever trust it again is to wipe the drives and reinstall from known good media. Between the two, I consider the idea that I may have put an excess of effort into locking down the system (and in the process expanded my skill) to be far more acceptable than the idea of regretting that I didn't do enough. I know there is no such thing as absolutely perfect security, so I think about my threat model and I consider a system "secure" when the effort required to have a hope of breaking into it far exceeds (by a ridiculous margin) any value that might be obtained by doing so. To give a poor analogy, it doesn't make any sense to spend one million dollars in order to earn one thousand dollars. Unless it's a personal vendetta, attackers do understand this and they greatly prefer to go after the low-hanging fruit. The standard these days is so low that it doesn't even take very much to place yourself out of that category.
