
OpenDNS To Block and Monitor Conficker Worm

Linker3000 writes "According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
This discussion has been archived. No new comments can be posted.

  • Censorship advocates (Score:2, Interesting)

    by Anonymous Coward on Sunday February 08, 2009 @09:37AM (#26771901)

    I'd like to see a response on this from the censorship advocates. Because that's what this is, isn't it? Censorship?

    I thought the whole idea of using OpenDNS is that it wouldn't be doing this type of blocking. Who's to say they don't just accidentally prevent PCs from contacting other servers?

    This smells bad.

  • by Anonymous Coward on Sunday February 08, 2009 @09:44AM (#26771927)

    You're giving another entity access to all your DNS lookups and your computer won't talk to Google's servers anymore when you connect to www.google.com, but to a company which isn't very upfront about this redirection. Whether that's an advantage or a drawback is up to you.

  • cat and mouse. (Score:4, Interesting)

    by Cmdr-Absurd ( 780125 ) on Sunday February 08, 2009 @10:20AM (#26772095)

    Nice idea, but what do you do when a worm alters your dns settings?
    OpenDNS can't block access if the queries go to a server controlled by the bad guys.
    You can firewall off access to dns ports to all but known servers, but then the worms just tunnel through a port 80 proxy.
    Cat and mouse forever. Plus a false sense of security.
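The allow-list approach mentioned in the comment above (DNS permitted only to known servers) also works as a detection: a client that sends port-53 traffic to any other resolver has probably had its DNS settings changed. The sketch below is an added example, not part of the original thread; the log format and sample lines are constructed, the allow-list uses OpenDNS's public resolver addresses, and it sees only direct port-53 traffic, not the proxy tunnelling the comment goes on to describe.

```python
import ipaddress
from collections import defaultdict

# Resolvers clients may query directly (OpenDNS public resolvers; an internal
# forwarder would be listed here instead). The allow-list is an assumption.
ALLOWED_RESOLVERS = {ipaddress.ip_address(a)
                     for a in ("208.67.222.222", "208.67.220.220")}

# Constructed sample firewall log: "timestamp action proto src:port dst:port".
SAMPLE_LOG = """\
2009-02-08T10:20:01 ALLOW udp 192.168.1.10:53124 208.67.222.222:53
2009-02-08T10:20:02 DENY udp 192.168.1.23:49211 203.0.113.77:53
2009-02-08T10:20:02 ALLOW tcp 192.168.1.10:51000 198.51.100.5:80
2009-02-08T10:20:05 DENY udp 192.168.1.23:49212 203.0.113.77:53
2009-02-08T10:20:07 DENY tcp 192.168.1.42:50100 [2001:db8::53]:53
this line is malformed and must be skipped
2009-02-08T10:20:09 ALLOW udp 192.168.1.11:40000 208.67.220.220:53
"""

def split_endpoint(text):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, int port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def rogue_dns_clients(log_text, allowed=ALLOWED_RESOLVERS):
    """Map each client to the set of unapproved resolvers it tried on port 53."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] not in ("udp", "tcp"):
            continue  # not a flow record in the expected format
        try:
            src, _ = split_endpoint(parts[3])
            dst, dport = split_endpoint(parts[4])
        except ValueError:
            continue  # unparseable address or port
        # DENY lines count too: a blocked attempt is still evidence of altered settings.
        if dport == 53 and dst not in allowed:
            hits[str(src)].add(str(dst))
    return dict(hits)

if __name__ == "__main__":
    for client, resolvers in sorted(rogue_dns_clients(SAMPLE_LOG).items()):
        print(f"{client} -> unapproved resolver(s): {', '.join(sorted(resolvers))}")
```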

  • Maybe good in theory (Score:4, Interesting)

    by jafiwam ( 310805 ) on Sunday February 08, 2009 @10:32AM (#26772171) Homepage Journal

    Except, OpenDNS is not a budding geek or regular office wank type tool.

    It's a tool that requires you to know what you are doing. There are all sorts of subtle problems that can crop up, so I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS. Amazingly, a good 50% of the certificate and "can't find web site" errors go away after that. Imagine!

    OpenDNS has the right idea, but it's not ready for the "everyday internet user" crowd yet.

    This is without really considering the massive privacy problems with using it.

  • Re:cat and mouse. (Score:4, Interesting)

    by Cmdr-Absurd ( 780125 ) on Sunday February 08, 2009 @11:24AM (#26772487)

    Use an OS with security policies that only allow specific software that shipped with the OS to modify those settings? Honestly, I do not understand why Microsoft does not at least ship that as a default policy

    Well, yes, but admins have to support what their organizations use/demand.

    A couple of years ago, there was a Macintosh Trojan that altered DNS settings and added a crontab to re-alter every minute if the user tried to fix the change.

    Social engineering works at least some of the time. There are zero-day exploits.
    If you think that *nix is a panacea against malware, you will eventually be disappointed. Better than Win, but not perfect.

  • by tom1974 ( 413939 ) on Sunday February 08, 2009 @11:50AM (#26772669)

    Could you elaborate on this massive privacy problem you talk about? Like you don't have this massive privacy problem by using your ISP's DNS servers who can actually match DNS queries to user account?

    And who asked if OpenDNS is about "Everyday internet user" crowd? It's A DNS service! Do you want a CSI type frontend with it?

  • Re:OpenDNS (Score:3, Interesting)

    by julesh ( 229690 ) on Sunday February 08, 2009 @12:37PM (#26773117)

    Don't know if it's a good enough justification by itself, but at least it's a logical explanation.

    Breaking DNS in order to help people whose computers are set up to provide a poor search system when an unknown URL is added. No, that's not a good enough justification. If I attempt to access www.google.com, I should access www.google.com, not have my searches proxied through OpenDNS's servers. I've found google searches to be slower and less reliable when using OpenDNS, with the home page sometimes taking 10 seconds or so to load. Without OpenDNS, I get almost instant access to the home page, almost every time.

  • by Anonymous Coward on Sunday February 08, 2009 @02:44PM (#26774309)

    What makes you think every teenager knows how to circumvent blocks and filters? I use OpenDNS to prevent access to WoW and other game sites. After that was accomplished, both my kids had a significant increase in the school grades. Don't excoriate me about how I should monitor their habits and surfing. If I did that every minute, that would make me an ogre and guys like you would beat me up about denying their rights.

  • by jafiwam ( 310805 ) on Sunday February 08, 2009 @03:16PM (#26774693) Homepage Journal

    Specifically, hijacking SSL sessions.

    Several of my customers have had problems with their domain names not resolving, which is just a run of the mill reliability problem. Remove OpenDNS and it goes away. Not a biggie.

    However, two of them had pop up warnings from Firefox (but not IE for some reason) about a security certificate not matching the domain name, "*.opendns.org" (org? gimmie a fucking break they are selling aggregated data, that is not an "org".) while the users were logging into or just using bank related web sites. Other users on the same network were having no such problems.

    Because the sites are hosted on my stuff, they think that MY stuff is off. Even though I can show them the source code and say "ok, where is this pulled from in your HTML?"

    Most sites worked, except for a few bank sites. I don't know about you, but SSL is supposed to verify the domain and web server were authorized by the certificate issuing party, as well as make the data flow between the server and computer inspection-proof. OpenDNS tried to get in the way of that. (I don't think it was malicious, THIS time.)

    So, OpenDNS not only caused a pain in the ass for me, but also were doing something with SSL certificates when users tried to use SSL on a bank web site.

    I found out later, that some idiot IT guy was putting the stuff in because he was too lazy to update his domain controller (or didn't know how). Something he would have not needed to do had he read the instructions in the first place. Typical complicated response to a simple RTFM problem.

  • by causality ( 777677 ) on Sunday February 08, 2009 @05:40PM (#26776259)

    Ah, yes. A "Flamebait" moderation in response to facts and reasoning that were presented in a relatively mild way. I wouldn't mind being a fly on the wall of such a moderator to see whether they feel better about themselves after doing this. My bet is that they do it only to find out that it's not so satisfying as they thought it would be.

    To those moderators who think that what you do and don't agree with is what determines "Flamebait" and "Offtopic", you will be more effective if you choose an easier target than me. I have karma to burn, which I have earned, and I am not at all intimidated by your inability to handle reasoned criticism or your little temper tantrums that result from it. If anything, I'm going to post more when you do this because I will call you on it. You are lesser men who don't have what it takes to openly take me on, which is why you cower behind the moderation system when what you would really like to do is prove me wrong. This isn't because I am so great, because I am not; it is because you are so ridiculously weak and cowardly that you consider losing an Internet debate to be an unacceptable risk. If you ever try it, I'll tell you this much: I learned a lot more from those who were able to find the flaws in my reasoning than I ever did from those who said "me too!"

    To those moderators who have a clue, please pardon the tone of this post. I ask that you understand that lots of low-quality moderators are operating unchecked and that this goes on because so few are willing to stand up to them (i.e. most people don't seem to care). Of course, the removal or alteration of the old metamod system also has a lot to do with this.

  • by Achromatic1978 ( 916097 ) <robert@@@chromablue...net> on Monday February 09, 2009 @03:20AM (#26780533)

    And as to the OpenDNS proxy. It's true, we do redirect certain Google requests through a proxy so that we can make our OpenDNS shortcuts and some other features work more reliably.

    Some questions, then:

    1. Certain requests, or all? If 'certain', which are, and which aren't?
    2. Shortcuts, sure. You need to be able to redirect 'g blah blah' to 'http://www.google.com/search?q=blah+blah&ie=utf-8&oe=utf-8' or whatever. What other features require 'certain' requests to be run through your servers? Why not simple HTTP redirection? You say "you add no latency" - but that's absolutely wrong - are you saying your servers are adding absolutely zero processing, have absolutely zero network overhead, are never starved for resources when proxying the response? Because that would be a laughable claim. Even if you do peer with Google at every data center, the request is now going through another network, another server, through another CPU - don't pretend it "doesn't add latency or anything else", it's disingenuous
