OpenDNS To Block and Monitor Conficker Worm

Linker3000 writes "According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
  • by Anonymous Coward on Sunday February 08, 2009 @09:29AM (#26771855)

    Heh, didn't they cash in enough on the Kempinsky non-disclosure-scare already, getting a large user base for their information trading business (heh, as if they offer costly service "for free". Get real! It'll cost you no money but your privacy.) /. the platform for pushing bogus services?

  • by sakdoctor ( 1087155 ) on Sunday February 08, 2009 @09:48AM (#26771955) Homepage

    I'm not sure why people around here seem positive about using OpenDNS (as opposed to running your own say).

    When I make a typo I get an Address Not Found error and THAT'S THE WAY I LIKE IT.

  • by Jezza ( 39441 ) on Sunday February 08, 2009 @10:23AM (#26772111)

    Well if this is censorship (and that's debatable) then it's "opt-in". Personally I have no problem with that, as long as you know and have opted FOR it, then that seems fine.

    The biggest problem with censorship is it distorts your ability to know the truth - if you say: "Don't show me this or that" you still have the ability to know the truth, you're just choosing what you see and what you don't. But we do this everyday, we read one newspaper over another, we listen to particular commentators over others - we all self-censor.

  • by Kent Recal ( 714863 ) on Sunday February 08, 2009 @10:37AM (#26772205)

    Agreed. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.

    Furthermore nobody should rely on a DNS provider (of all things!) to report worm infections. The idea is so wrong, it reminds me of the TV scams where they want to sell you a worthless product, bundled with 5 other, totally unrelated worthless products. "Buy this quality home-trainer for only $499 and you'll get this USB-stick, a bar of soap, two lightbulbs and a Chinese iPod knockoff, for free!".

    If you're concerned with worm infections then you run antivirus software and maybe an IDS (e.g. snort) on your internet gateway.
    Both will report malicious traffic much more reliably than OpenDNS because that's what they're designed to do.

  • by BuhDuh ( 1102769 ) on Sunday February 08, 2009 @10:38AM (#26772207)
    FTFA:

    ...instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.

    Wouldn't blocking "this week's" known IP addresses stop the addition of new ones, rendering the infection impotent?
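The summary's "admin's private statistics page" and the article's figure of 250 rendezvous names per day both come down to one operation: matching resolver query logs against a per-day name list and reporting which internal clients asked for a listed name. The following is an added example of that check, not code from OpenDNS, The Register or anyone in this thread. The domain names, the per-day list, the BIND-style log lines and the client addresses are all constructed for the example; no real Conficker names appear on the page.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed, per-day list of rendezvous names. The domains are placeholders
# made up for this example; the article gives no actual Conficker names.
CC_DOMAINS_BY_DAY = {
    date(2009, 2, 8): {"aqzxjvw.example.net", "kpolmnb.example.org"},
    date(2009, 2, 9): {"trqwexa.example.biz", "ulmvnqa.example.info"},
}

# Constructed resolver query-log lines in a BIND-style format
# (date, time, client, queried name); not taken from any real system.
SAMPLE_LOG = """\
08-Feb-2009 09:31:02.118 client 10.0.5.17#51234: query: www.slashdot.org IN A
08-Feb-2009 09:31:05.402 client 10.0.5.17#51235: query: aqzxjvw.example.net IN A
08-Feb-2009 09:32:11.009 client 10.0.7.2#40011: query: kpolmnb.example.org IN A
08-Feb-2009 09:40:19.771 client 10.0.5.17#51240: query: KPOLMNB.example.org. IN A
09-Feb-2009 03:30:00.001 client 10.0.9.9#33333: query: aqzxjvw.example.net IN A
09-Feb-2009 03:31:00.002 client 10.0.9.9#33334: query: trqwexa.example.biz IN A
this line is not a query record
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{2}-[A-Za-z]{3}-\d{4}) \S+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_line(line):
    """Parse one log line into (day, client_ip, normalised qname), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d, mon, y = m.group("day").split("-")
    day = date(int(y), MONTHS[mon], int(d))
    # Names are case-insensitive and may carry a trailing dot; normalise both.
    qname = m.group("qname").lower().rstrip(".")
    return day, m.group("client"), qname


def active_names(day, lookback_days=0):
    """Names the worm would use on `day`, plus the previous `lookback_days`
    days so that hosts whose clocks run behind are still caught."""
    names = set()
    for offset in range(lookback_days + 1):
        names |= CC_DOMAINS_BY_DAY.get(day - timedelta(days=offset), set())
    return names


def flag_infected_hosts(log_text, lookback_days=0):
    """Map each client IP that looked up a listed name to the names it asked
    for: the per-network view the summary calls an admin statistics page."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue          # unparsable line: skipped, never trusted
        day, client, qname = parsed
        if qname in active_names(day, lookback_days):
            hits[client].add(qname)
    return dict(hits)


def domains_to_block(days):
    """Union of the daily lists over `days`: at 250 names a day this is the
    1,750-per-week figure quoted from the article."""
    names = set()
    for day in days:
        names |= CC_DOMAINS_BY_DAY.get(day, set())
    return names


if __name__ == "__main__":
    for client, names in sorted(flag_infected_hosts(SAMPLE_LOG, lookback_days=1).items()):
        print(f"{client}: {', '.join(sorted(names))}")
```

The match is on the queried name, which is the only thing a resolver sees; the same loop could drive a block or sinkhole action instead of a report. The lookback window matters in practice: a host whose clock is a day behind asks for yesterday's names, and a strict per-day match misses it.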

  • by nabsltd ( 1313397 ) on Sunday February 08, 2009 @11:07AM (#26772397)

    Boy, talk about not understanding Internet protocols.

    NTP packets are basically "I think it's this time...what do you think", while DNS is "I want to know the IP for www.childpr0n.com".

    There just isn't any possible privacy issue with NTP packets, while DNS is basically a record of everything you visit. Heck, if OpenDNS were to modify the TTL in their DNS replies, they could even get more complete data about how often you request each site.

    Actually, I must be wrong about you misunderstanding. Nobody could be that dumb, so you must work for OpenDNS (or another company that benefits from their data collection).

  • by causality ( 777677 ) on Sunday February 08, 2009 @11:23AM (#26772477)

    In the same manner that you give another entity access to all your NTP syncs.

    OpenDNS is basically the same thing as the NTP pool.

    Put the tinfoil down, and back away slowly...

    I'm really not sure why people keep comparing OpenDNS to NTP [wikipedia.org]. NTP shares the current time, in UTC. This information is not secret and is not a privacy violation because it was already available to anyone who wants it. If knowing your system time helps an attacker to i.e. guess your TCP sequence numbers, that is a weakness in your (pseudo)random number generator, not a weakness in running an NTP daemon.

    Compare that to the data that OpenDNS can collect. They can see every hostname you resolve with their service. Not unlike application-level techniques used by various advertisers (web bugs, third-party cookies, redirections, HTTP "ping", etc.) to track your browsing, a list of every hostname you resolve can certainly compromise your privacy. Every site I visit, when I visited it, and an idea of how often I visited it is not "already available to anyone who wants it." Normally, to obtain this sort of information, an attacker would need to either break into this computer and install a program to log and transmit it, or they would need to conduct a man-in-the-middle type of attack against my ISP's network. There's a reason for that.

    Why would I volunteer this data to a third-party who otherwise would have no access to it? What's my incentive to unnecessarily trust them in exchange for a service I don't need? It's not like there is anything difficult about running my own caching DNS server (and you can bet I don't use BIND), not to mention that DNS has to be one of the worst ways to deal with the problem of host security. It's just not a tool that was ever designed for this type of job; meanwhile, better tools that are designed for this job are readily and freely available. This might tempt someone who doesn't want to take responsibility for their own security and thinks anyone else should handle it for them, but I recognize that as a personal shortcoming, a flawed idea. The product of a flawed idea is also flawed, so with this arrangement you are merely trading one threat (the Conflicker worm) for another threat (reduced privacy). I can't call that a solution with a straight face.

  • Re:fp (Score:5, Insightful)

    by causality ( 777677 ) on Sunday February 08, 2009 @01:06PM (#26773333)

    What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.

    I think trying to explain this to people is a lot like back when AOL tried so hard to tell customers that their staff will never ask for their account password. Despite repeated warnings and prompts, the password phishers never seemed to have any problems. Those hardheaded users preferred the convenience of refusing to stop and think or to change their habits because both of those require a small amount of effort.

    Likewise, people who feed trolls prefer their little emotional outbursts and the righteous feelings they get from them and are not interested in whether they are part of the problem. The idea that they are doing exactly what the troll wanted them to do does not get their attention. They may claim otherwise or feel inclined to argue with me about that, but this is very simple: when a person's words tell me one thing and their actions tell me another, I disregard their words every time. They don't really give me a choice in the matter.

  • by Kent Recal ( 714863 ) on Sunday February 08, 2009 @01:13PM (#26773413)

    Sending a raw error code to 99 percent of Internet users is bad service. Better to catch the code and deliver a plain language message.

    Guess what browsers and web-proxies have done for, umm, 10 years? Mine says "Name Error: The domain name does not exist". What could OpenDNS possibly add to this simple message, other than their spam?

    Short of running their own DNS, what's a better approach?

    Better approach to what?
    Why not just use your ISP's nameserver?

  • by nunoloureiro ( 1162373 ) on Sunday February 08, 2009 @01:28PM (#26773545)
    Besides everything (scary) that is involved in using OpenDNS as your resolver, it's true that it can block the Conficker Worm. However, Conficker worm might be the last one that OpenDNS can stop. Once the evil minds realize the power of OpenDNS, they'll start using IP addresses instead of names within their worms (period).
  • by causality ( 777677 ) on Sunday February 08, 2009 @02:49PM (#26774371)

    They are "Open" in the sense of DNS terminology. Open DNS is one of the significant misconfigurations an ordinary DNS server can have, but their business works by opening it to the planet and adding extra features to a decades-old service without breaking standards.

    But they do break the DNS standard. As several other posters have pointed out, the DNS protocol calls for an "NXDOMAIN" response to a non-existent hostname. Instead of sending this response, they are showing sponsored links. Not to mention that DNS is already "open to the planet". There are about 13 root DNS servers. Anyone who wants to can run their own DNS server that contacts those root servers to handle DNS queries. For free. With open-source software that is also free. OpenDNS isn't providing anything that I cannot easily do for myself AND they are failing to conform to the DNS standard in order to display what I consider spam. Why do I consider their "sponsored" links to be spam? That's easy -- if I cared about their sponsors, they would not have to direct me to their sites, I would go there on my own.

    On top of all of this, there are two threats to privacy posed by OpenDNS. One is the Google request "proxying" ("hijacking" is another word that equally applies, in my opinion) that can be turned off. The other is the fact that they would know every site I visit, which cannot be turned off and is an inherent part of the arrangement. Using such a system doesn't make any rational sense whatsoever.

    You are either speaking about what you don't remotely understand, or you're not really so ignorant and have some undisclosed financial relationship to OpenDNS and are not being honest with us about that. Both are rather foolish. My suggestion to you is that if you insist on doing this, try it on an audience that is less tech-savvy. Better yet, inform yourself about these matters or get a job that doesn't remove your self-respect. If that sounds like a strong response, it's because of how misleading your post was and because of how rapidly several posts very much like it (lots of praise and little to no evidence and reasoning) have appeared in this discussion.
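The NXDOMAIN point raised in this post and in Kent Recal's earlier one can be checked from a client rather than argued: ask a resolver for a name that cannot exist and look at the response code. The following is an added example of that check, not code from the thread or from OpenDNS. It parses only the DNS header, which is enough to tell RCODE 3 (NXDOMAIN) from a NOERROR reply carrying an answer for a name that should have none. The two reply packets, the probe name and the 192.0.2.10 address are constructed for the offline demonstration; `check_resolver` is the live form and assumes a resolver address and a registered zone without a wildcard record.

```python
import os
import socket
import struct


def build_query(qname, qtype=1, txid=None):
    """Build a minimal recursive DNS query for qname; returns (txid, packet)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def parse_response(packet, expected_txid=None):
    """Return (rcode, answer_count) from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")   # not our reply: discard
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, ancount


def classify(rcode, answer_count):
    """Interpret the reply to a name that should not exist."""
    if rcode == 3:
        return "nxdomain"     # what the protocol specifies for a missing name
    if rcode == 0 and answer_count > 0:
        return "rewritten"    # a missing name got an address: the resolver substituted one
    return "other"            # SERVFAIL, REFUSED, empty NOERROR, ...


def check_resolver(server, zone, timeout=3.0):
    """Live probe (needs a network): ask `server` for a random label under `zone`.
    `zone` is assumed to be a registered domain with no wildcard record."""
    probe = os.urandom(6).hex() + "." + zone
    txid, query = build_query(probe)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _addr = sock.recvfrom(4096)
    return classify(*parse_response(data, txid))


def _constructed_response(txid, qname, rcode, addresses):
    """Build a response packet by hand so both outcomes can be shown offline.
    These packets are constructed for the example, not captured from any resolver."""
    flags = 0x8180 | rcode                     # QR=1, RD=1, RA=1
    _, query = build_query(qname, txid=txid)
    question = query[12:]
    answers = b""
    for ip in addresses:                       # A record, name pointer to the question
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    header = struct.pack(">HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    return header + question + answers


PROBE = "4f1a9c2b7e3d.example.com"            # constructed probe name
HONEST_REPLY = _constructed_response(0x1234, PROBE, 3, [])
REWRITTEN_REPLY = _constructed_response(0x1234, PROBE, 0, ["192.0.2.10"])  # TEST-NET-1 address


def demo():
    return {
        "honest": classify(*parse_response(HONEST_REPLY, 0x1234)),
        "rewritten": classify(*parse_response(REWRITTEN_REPLY, 0x1234)),
    }


if __name__ == "__main__":
    print(demo())   # {'honest': 'nxdomain', 'rewritten': 'rewritten'}
```

Checking the transaction id before trusting the reply is not cosmetic: a UDP response with the wrong id is not the answer to the question that was asked and should be dropped rather than classified.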

  • by causality ( 777677 ) on Sunday February 08, 2009 @03:41PM (#26774959)

    Stop spreading FUD. Their privacy policy [opendns.com] says that "OpenDNS removes the IP address from its logs within 2 business days." That's better than Google and probably any other search engine you might use.

    I said that use of their service would make them privy to information that I don't wish for them to have. Specifically, my information. I'd love to hear a self-consistent explanation of how that constitutes Fear, Uncertainty, and/or Doubt. In fact I hereby challenge you to provide one. I'd like to see you try, so I won't tell you right now why that will fail although it's quite possible Merriam Webster can fill you in. Extra points if it's not trivial for me to tear down your argument. I don't normally use a tone like this when I reply to someone, but you have made an accusation and I demand to see either your evidence or a concession that you have spoken amiss.

    I'd also like a self-consistent explanation of how the privacy problems posed by various search engines somehow justifies unnecessarily supplying OpenDNS with my information. Considering that the services OpenDNS offers are worse for me than what I can do for myself using Open Source software, this would indeed be unnecessary. To justify what you just said, you would have to explain how one wrong thing justifies and excuses another, unrelated wrong thing. Good luck with that.

    I strongly doubt I'm going to get either explanation. I fully expect you to quietly disappear from this thread and find an easier target for your apologist message, but on occasion people do surprise me. Having said that, I will add that I think you are misunderstanding something fundamental. I will explain what that is. I am not satisfied that they promise to play nice with my information or that they don't retain it for very long (never mind that I cannot audit their systems, so I have no way to verify those claims and must take their word for it). I am satisfied when they have no access to my information. If other people don't feel that way, this is their business, but I considered all my options long before it ever occurred to you that a little two-liner from an AC was going to change my mind and I believe my stance is a solid one that I can back up. Can you say the same?

  • by reallocate ( 142797 ) on Sunday February 08, 2009 @04:27PM (#26775459)

    So, you are equating all ads with spam?

    If I use my ISP's nameservers, I get slower responses plus error pages from the ISP with ads on them.

    The notion that OpenDNS is evil because they run ads is juvenile. So is the notion that they're evil because they keep logs and records. Name me a Unix system or any provider of any kind of Internet services that doesn't keep logs and records.

    The phone company knows who you call. What are you doing about that great evil?

    It seems you want me to be indifferent about the possibility that endless anonymous admins might get curious about my net behavior, but I'm supposed to be paranoid about OpenDNS?

  • by Kent Recal ( 714863 ) on Sunday February 08, 2009 @09:15PM (#26778283)

    Where on their website is it?
    I honestly clicked through most of it (short of digging through the knowledge base) and didn't find a trace of it.

    Proxying google queries should be worth a note along with the setup instructions, don't you think?

  • by Achromatic1978 ( 916097 ) <robert@@@chromablue...net> on Monday February 09, 2009 @03:30AM (#26780569)
    Which is interesting, because up above, the founder of OpenDNS claims that they do not log or save requests at all. So which is correct, his claim, or the privacy policy that contradicts it?
