OpenDNS To Block and Monitor Conficker Worm
Linker3000 writes "According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
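The admin statistics page the story describes is, at bottom, a resolver query log matched against a blocklist of rendezvous names. The following is an added example in Python, not OpenDNS's own code, showing that matching run over resolver log lines. The log format, the blocklist entries (placeholder .test names, not the real Conficker domains) and the log lines are all constructed for this example.

```python
"""Flag internal hosts whose DNS queries hit a C2 blocklist.

Added example, not OpenDNS code. It mirrors the idea in the story: a
resolver that sees every query can tell an admin which client asked for a
name on a known-bad list. The log format, the blocklist entries and the
log lines below are all constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical blocklist; the real Conficker rendezvous names are not
# reproduced here. A daily-changing list would be loaded from a feed.
BLOCKLIST = {"c2-example-a.test", "c2-example-b.test"}

# Assumed resolver log format: "<timestamp> <client_ip> <qtype> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name):
    """Lower-case and drop the trailing dot so lookups are case/FQDN insensitive."""
    return name.rstrip(".").lower()


def is_blocked(qname, blocklist=BLOCKLIST):
    """True for an exact match or any subdomain of a blocklisted domain.

    Comparing against "." + domain avoids the suffix trap where
    notc2-example-a.test would otherwise match c2-example-a.test.
    """
    n = normalize(qname)
    return any(n == b or n.endswith("." + b) for b in blocklist)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname, rcode = m.groups()
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname, "rcode": rcode}


def flag_hosts(lines, blocklist=BLOCKLIST):
    """Map each client that queried a blocklisted name to a hit count and the names.

    The rcode is deliberately ignored: a sinkholed name answers NOERROR and a
    not-yet-registered rendezvous name answers NXDOMAIN, but either query shows
    the client is running the malware.
    """
    hits = defaultdict(lambda: {"count": 0, "names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_blocked(rec["qname"], blocklist):
            continue
        hits[rec["client"]]["count"] += 1
        hits[rec["client"]]["names"].add(normalize(rec["qname"]))
    return {c: {"count": h["count"], "names": sorted(h["names"])} for c, h in hits.items()}


# Constructed log lines for the example; 10.0.0.23 plays the infected client.
SAMPLE_LOG = [
    "2009-02-09T08:00:01Z 10.0.0.23 A c2-example-a.test NOERROR",
    "2009-02-09T08:00:02Z 10.0.0.23 A www.C2-Example-B.test. NXDOMAIN",
    "2009-02-09T08:00:03Z 10.0.0.41 A slashdot.org NOERROR",
    "2009-02-09T08:00:04Z 10.0.0.41 A notc2-example-a.test NOERROR",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for client, info in flag_hosts(SAMPLE_LOG).items():
        print(f"{client}: {info['count']} hit(s) -> {', '.join(info['names'])}")
```

The suffix check matters more than it looks: a blocklist match on `endswith(domain)` alone would flag `notc2-example-a.test`, and in the other direction a match on the exact name alone would miss `www.` and other subdomains the malware might use. Counting hits per client rather than per query is what lets a single infected machine stand out from the noise of an otherwise clean network.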
More free advertising for a dubious service... (Score:3, Insightful)
Heh, didn't they cash in enough on the Kaminsky non-disclosure scare already, getting a large user base for their information trading business (heh, as if they offer a costly service "for free". Get real! It'll cost you no money but your privacy.) /. the platform for pushing bogus services?
Re:Do not use OpenDNS (Score:5, Informative)
They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching server bills for millions and millions of queries every day? They sell your private info.
OpenDNS redirects all your Google search queries through their servers.
They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.
Re:Do not use OpenDNS (Score:5, Informative)
You can turn this feature off. http://www.opendns.com/support/article/244 [opendns.com] is their response to questions about privacy.
For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".
I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.
Re: (Score:3, Informative)
You're relying on OpenDNS for content filtering? Cute. That might work in a home for the elderly, but I doubt it'll stop any teenager, much less one who is technologically inclined. Would have stopped me for all of 45 seconds. But if it gives you peace of mind, that's something I guess.
Re: (Score:2)
After that was accomplished, both my kids had a significant increase in the school grades.
I know , it's called withdrawal. It will pass.
Re: (Score:2, Informative)
Yep, I believe you can use OpenDNS servers by themselves without any account setup. However you can also set up an account with them to enable setting custom filtering among other things, and control over your proxy/privacy settings. So it is, indeed, on their website after you set up an account. They don't ask for much of anything to set up an account, so I have used a throwaway email address in the past... tho they do still have your IP if you are really worried.
Re: (Score:2, Informative)
You are an idiot.
This is no more shadowy than the NTP pool.
Re: (Score:2)
What don't you get about "you can turn that off"?
Re:Do not use OpenDNS (Score:5, Insightful)
Agreed. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.
Furthermore nobody should rely on a DNS provider (of all things!) to report worm infections. The idea is so wrong, it reminds me of the TV scams where they want to sell you a worthless product, bundled with 5 other, totally unrelated worthless products. "Buy this quality home-trainer for only $499 and you'll get this USB-stick, a bar of soap, two lightbulbs and a chinese ipod-knockoff, for free!".
If you're concerned with worm infections then you run antivirus software and maybe an IDS (e.g. snort) on your internet gateway.
Both will report malicious traffic much more reliably than OpenDNS because that's what they're designed to do.
Re: (Score:3, Funny)
You consider bar of soap to be worthless?
*sniff* Hmm... no wonder your hygiene is questionable.
Re: (Score:2)
How are they a scam operation?
And if you are concerned with worm infections, why not run OpenDNS + IDS + Antivir? Who says that if you use OpenDNS you cannot use anything else to protect yourself.
I Don't See A Scam (Score:3, Informative)
I don't see a scam here. You might not like their approach, but that's different.
OpenDNS tells you they run a proxy. They tell you how to disable it.
Sending a raw error code to 99 percent of Internet users is bad service. Better to catch the code and deliver a plain language message.
As for the ads: Would you feel better if OpenDNS billed your credit card on a regular basis? Ads are everywhere. Get used to it. Just ignore them, like the rest of us do.
Short of running their own DNS, what's a better app
Re:I Don't See A Scam (Score:5, Insightful)
Guess what browsers and web-proxies have done for, umm, 10 years? Mine says "Name Error: The domain name does not exist". What could OpenDNS possibly add to this simple message, other than their spam?
Better approach to what?
Why not just use your ISPs nameserver?
Re: (Score:3, Informative)
Well, I can't vouch for the GP, but my ISP has a very flaky DNS service. For some reason, every 3 out of 10 queries for a given DNS name return an NX - or (in layman's terms), every 3 (at least) out of 10 times I try to access a website (that is, one specific website, 10 times), Firefox says the domain doesn't exist. After the first 3 errors the domain is found and cached, and all is well, but this annoyed me to no end.
There were some days when it was bad, and others days the problem never showed up. After trying t
Re: (Score:2)
It's fine that you found a workaround for your particular problem.
Others would probably just switch to a working ISP...
If OpenDNS Is Evil, Why Aren't Admins? (Score:4, Insightful)
So, you are equating all ads with spam?
If I use my ISP's nameservers, I get slower responses plus error pages from the ISP with ads on them.
The notion that OpenDNS is evil because they run ads is juvenile. So is the notion that they're evil because they keep logs and records. Name me a Unix system or any provider of any kind of Internet services that doesn't keep logs and records.
The phone company knows who you call. What are you doing about that great evil?
It seems you want me to be indifferent about the possibility that endless anonymous admins might get curious about my net behavior, but I'm supposed to be paranoid about OpenDNS?
Re: (Score:2)
The point is that they hijack both your NX responses and google searches without telling you either upfront. They broadly advertise [opendns.com] Web Content Filtering, Phishing Protection, Zero-Downtime Network, Faster Internet, Statistics etc. but not a single word about ad inject
OpenDNS Does Tell You (Score:2)
OpenDNS does tell you about their proxy and their handling of NX responses. It's on their website. I knew all that before I started using them.
I have no more concerns about OpenDNS "monitoring" (not exactly the word I'd use) than I do about my grocery tracking my purchases. I feel no loss of privacy when my data is aggregated with that of many others, or when software keys on my buying habits to flaunt a product.
Re: (Score:3, Insightful)
Where on their website is it?
I honestly clicked through most of it (short of digging through the knowledge base) and didn't find a trace of it.
Proxying google queries should be worth a note along with the setup instructions, don't you think?
Re: (Score:2)
There are public resolvers that you could use, for example 4.2.2.1 (google will find you more).
If you're on a unix OS you could also install a local resolver like dnsmasq or dnscache (part of djbdns). The distro packages usually come with a reasonable default config, thus it's mostly just a matter of installing the package and editing your /etc/resolv.conf - a one minute task.
Re: (Score:2)
Last time I tried 4.2.2.2 and 4.2.2.1, they appeared to ignore queries. Are they back to being public again?
Re: (Score:3, Informative)
Interesting. I get modded flame-bait without a single reply. Anyone mind to explain what on earth was flame-bait about my post?
Absolutely nothing, yet that won't stop incompetent or malicious moderators from pretending that "flamebait" is the same thing as "I disagree". Surprised? Don't be. This is simply how lesser men respond to criticism, no matter how constructive, because they don't have what it takes to handle it gracefully. If they did, they wouldn't be lesser men.
This has happened to some degree or another for as long as I have used Slashdot, but ever since they got rid of the old metamoderation system it has become
Re: (Score:2)
Thanks for the backup fire. Needless to say, I agree with all you said. :-)
And yes, nothing against a company making good money by providing an ad-supported product. I wouldn't be complaining if there was at least a small note about their "special" treatment of google and NX anywhere on that page.
Re: (Score:2)
Certainly not "most" ISPs. I don't know a single one that does that. Can you name any?
Re: (Score:2)
Short of running their own DNS, what's a better approach? (BTW, I've run my own DNS. Not doing that again. Life's too short to think running servers is fun.)
I had to deal with an ISP's flakey DNS, so I ran my own server. On Debian Linux, this was very easy:
1) Install the bind9 package.
2) Edit /etc/dhcp3/dhclient.conf and uncomment the line:
#prepend domain-name-servers 127.0.0.1;
These instructions are probably out of date, but I've had this setup for years now with no problems or maintenance whatsoever. Maybe other operating systems have similar solutions.
Re: (Score:2)
Near-zero value product? Hmm, they do have all kinds of filter lists available that are quite handy in business environments. The google thingy is silly I admit, but it can be disabled (should be disabled by default IMHO). And if you disable the google hijacking, what kind of personal data can they collect? And the typo correction can be useful for people who like that kind of stuff. They might make money from your (my?) typos, but who cares, it is not my money that is wasted and in any case, it is opt-in s
Re: (Score:2)
The domains that you resolve, obviously. Good for a nice browsing profile.
Re: (Score:2)
You must be kidding..
Re: (Score:3, Funny)
Thanks for reminding me.
Re:Do not use OpenDNS (Score:5, Informative)
But they are breaking the standard. In particular rfc2308 [faqs.org],
under 8:
Note the absence of statements like "lookup failures should silently map to A records that point to webservers serving spam".
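Added example (Python, not from this thread or from OpenDNS) of the point made in this post and several replies: RFC 1035 carries the response code in the low four bits of the header flags, and RCODE 3 is NXDOMAIN. A resolver that rewrites lookup failures answers NOERROR with an A record for its own web server instead. The parser below reads that field and the answer section from raw response bytes, and detect_rewriting() applies the check a practitioner would actually run: query several random labels that cannot exist and see whether they all come back NOERROR pointing at one address. The responses are constructed locally by build_response(), so the example runs offline; the names and the 198.51.100.7 address are placeholders.

```python
"""Classify DNS responses and detect NXDOMAIN rewriting by a resolver.

Added example, not from the page or OpenDNS. RFC 1035 puts the response
code in the low four bits of the header flags; RCODE 3 is NXDOMAIN. A
resolver that rewrites lookup failures answers NOERROR with an A record
pointing at its own web server instead. The response bytes below are
built locally with build_response(), so nothing is sent on the network.
"""
import struct

NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Parse the header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as a dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def classify(msg):
    """'nxdomain', 'nodata', 'answer' or 'error' for one response."""
    r = parse_response(msg)
    if r["rcode"] == NXDOMAIN:
        return "nxdomain"
    if r["rcode"] == 0:
        return "answer" if r["answers"] else "nodata"
    return "error"


def detect_rewriting(responses):
    """Given responses for several random names that cannot exist, return the
    single A address they all resolved to (the rewrite target), else None."""
    ips = set()
    for msg in responses:
        if classify(msg) != "answer":
            return None
        ips.update(a[3] for a in parse_response(msg)["answers"] if a[1] == 1)
    return ips.pop() if len(ips) == 1 else None


def build_response(txid, qname, rcode, a_records=(), ttl=300):
    """Construct a response the way a resolver would (QR, RD, RA flags set)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in a_records:  # 0xC00C = pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += bytes(int(octet) for octet in ip.split("."))
    return hdr + question + answers


# Constructed examples: honest NXDOMAIN vs. rewritten answers for random labels.
HONEST = [build_response(i, f"zq7kd{i}.example.", NXDOMAIN) for i in range(3)]
REWRITTEN = [build_response(i, f"zq7kd{i}.example.", 0, ["198.51.100.7"]) for i in range(3)]

if __name__ == "__main__":
    print("honest:", classify(HONEST[0]), detect_rewriting(HONEST))
    print("rewritten:", classify(REWRITTEN[0]), detect_rewriting(REWRITTEN))
```

In practice you would send the random-label queries with a real client and feed the raw responses into detect_rewriting(); if it returns an address, that resolver is synthesizing A records for names that do not exist, which is exactly what breaks scripts and mail servers that rely on NXDOMAIN to mean "stop here". The nodata case (NOERROR with an empty answer section) is kept distinct because it is a legitimate reply for a name that exists but has no record of the requested type.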
Re: (Score:3, Insightful)
They are "Open" in the sense of DNS terminology. An open DNS server is one of the most significant misconfigurations an ordinary DNS server can have, but their business works by opening it to the planet and adding extra features to a decades-old service without breaking standards.
But they do break the DNS standard. As several other posters have pointed out, the DNS protocol calls for an "NXDOMAIN" response to a non-existent hostname. Instead of sending this response, they are showing sponsored links. Not to mention that DNS is already "open to the planet". There are about 13 root DNS servers. Anyone who wants to can run their own DNS server that contacts those root servers to handle DNS queries. For free. With open-source software that is also free. OpenDNS isn't providing a
Re: (Score:3, Interesting)
To those moderators who think that what you do and don't agree with is what determines "Flamebait" and "Offtopic", you will be more effective if you choose an easier
Re: (Score:2)
Well, they are a documented company backed by big finance and based in USA and especially more important, California.
If you think they are spamming by showing a couple of text ads and rough guesses instead of a "server not found" message, you should sue them. In fact, the state of California should sue them.
That Google proxying is a real interesting one. Apparently nobody has problem that Google itself is hijacking their queries.
As you pointed an "undisclosed relationship" and thanks to the same tone of all "open
Aren't ISP's, Etc., Selling Data, Too? (Score:2)
Is there any evidence that major ISP's or DNS providers are not also selling customer behavior data?
I'm a Time-Warner customer. When I use their nameservers, I see a Time-Warner error page when I try to access a nonexistent domain.
The DNS protocol may require an "NXDOMAIN" response on a bogus domain, but making that visible to the typical Internet user is pointless.
Re: (Score:2)
Not just that, DNS queries have the "hostname" only, so it is near worthless if they were an evil spyware operation. What matters to advertisers and behaviour watchers is the address after "/".
Funnily, people have no problem with Google Analytics which is almost like a viral type threat, pyramid scheme. I said "almost".
Re: (Score:3, Informative)
They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching server bills for millions and millions of queries every day?
From the site:
"OpenDNS partners with hardware and service providers to deliver our award-winning security, infrastructure and navigation services."
They sell your private info.
There's nothing private about my public IP address. If they can manage to glean personal info from my IP address then, damn, they're good.
OpenDNS redirects all your Google search queries though their servers.
From the site:
"Is OpenDNS running a proxy?
Yes. Some software, including your (and our) beloved Google Toolbar, intercepts requests made via the address bar so that DNS requests never occur. This creates some usability issues,
Re:Do not use OpenDNS (Score:5, Informative)
We have never sold user data, ever. We also have no CDN bills, we don't even use a CDN. We've built a global BGP-speaking network with hundreds of peers around the world. I know, because I built it. We peer at LoNAP, LINX, PAIX, SeattleIX and on a few of the Equinix peering fabrics around the US.
The idea that we would build our business based on monitoring user data is preposterous. I wouldn't stand for it, nor would our employees. I'm confident that all our engineers are just as vocal or more vocal about doing the right thing than you are. We make it very clear how we make money, and it's all over our website. Go to http://guide.opendns.com [opendns.com] and do a search. The sponsored results are ads where we get paid, the organic results are regular search results. That's how we make money. We might offer an enterprise for-pay service down the road as some of our customers begin to demand tighter integration with their network but for now, we're happy with our business. And I'm happy to report that we're profitable and stable, even in this economy.
And as to the OpenDNS proxy. It's true, we do redirect certain Google requests through a proxy so that we can make our OpenDNS shortcuts and some other features work more reliably. Two important things here: First, we peer with Google at every datacenter, so we aren't adding to your latency or anything else. Second, we don't log and store any data and we certainly don't care about it. We prefer to be able to confidently say we aren't keeping data on it. Of course, you are welcome to disable it by going into your settings and disabling the OpenDNS proxy. That's it. Do that and we don't ever see the request. Pretty easy. End of story.
David Ulevitch
Founder, OpenDNS
Re:Do not use OpenDNS (Score:4, Informative)
This guy has a 2-digit UID, how could he possibly not be on the level? ;-)
Seriously, I've been using OpenDNS for a year or so, and based on what I know and everything I've read here minus David Ulevitch's description I don't really see a problem, just a lot of people overreacting. After reading what he had to say, I am confident that my gut feeling was accurate... unless of course he's lying, which I have no reason to believe.
Re: (Score:3, Interesting)
Some questions, then:
Re: (Score:2)
Before I get into that, I'll note that when I tried your DNS on my box, I did an ethernet trace and found my local 192.168.*.* IPs were being looked up on your service. Apparently I need to run my own BIND to avoid that.
On the one hand you're pretty annoying, but on the other hand you're undoubtedly suffering the effects of a debilitating mental illness. So I think of that as a no score draw.
I just hope your life sucks hard enough to make up for me having read that comment. Frankly it had better involve electro shock therapy at the very least.
OpenDNS (Score:5, Informative)
OpenDNS redirects www.google.com to OpenDNS servers.
Re:OpenDNS (Score:5, Informative)
http://blog.opendns.com/2007/05/22/google-turns-the-page/ [opendns.com]
Don't know if it's a good enough justification by itself, but at least it's a logical explanation.
Re: (Score:3, Interesting)
Don't know if it's a good enough justification by itself, but at least it's a logical explanation.
Breaking DNS in order to help people whose computers are set up to provide a poor search system when an unknown URL is added. No, that's not a good enough justification. If I attempt to access www.google.com, I should access www.google.com, not have my searches proxied through OpenDNS's servers. I've found google searches to be slower and less reliable when using OpenDNS, with the home page sometimes taking 1
Re: (Score:2)
Without OpenDNS, I get almost instant access to the home page, almost every time.
I would recommend you switch off OpenDNS' proxying then.
Re: (Score:2)
I would recommend you switch off OpenDNS' proxying then.
Switching it off doesn't work. When my dynamic DNS changes, it takes about 5 minutes for their server settings to update. By that time I usually have a google.com address in my local cache, which lasts for a further 10 minutes.
Re: (Score:3, Informative)
By default, yes it does. Since your post is right on top at the moment, I'll post something I shared earlier: Here is OpenDNS response to the privacy concerns: http://www.opendns.com/support/article/244 [opendns.com]
You can easily turn off the proxy by changing your settings, under the Advanced section at the bottom.
Re: (Score:2)
And what the hell is your point, exactly?
Whoopty doo to all of it, they redirect your packets through their servers. Is it going to kill you? Is it going to get your details stolen? Is it going to screw up your connection? Didn't think so.
It's completely unnecessary and cannot possibly help or benefit you in any way. Do you really need any other reason to avoid it?
"If everything is going well and there are no problems, it will do absolutely nothing for you" is not what I consider a selling point. How much simpler than that do you need it to be?
Censorship advocates (Score:2, Interesting)
I'd like to see a response on this from the censorship advocates. Because that's what this is, isn't it? Censorship?
I thought the whole idea of using OpenDNS is that it wouldn't be doing this type of blocking. Who's to say they don't just accidentally prevent PCs from contacting other servers?
This smells bad.
Re:Censorship advocates (Score:4, Insightful)
Well if this is censorship (and that's debatable) then it's "opt-in". Personally I have no problem with that, as long as you know and have opted FOR it, then that seems fine.
The biggest problem with censorship is it distorts your ability to know the truth - if you say: "Don't show me this or that" you still have the ability to know the truth, you're just choosing what you see and what you don't. But we do this everyday, we read one newspaper over another, we listen to particular commentators over others - we all self-censor.
Re:Censorship advocates (Score:5, Funny)
Freedom of speech is very important, but there are exceptions. For example, we don't have the right to watch child porn in a crowded theatre, because that would harm children.
We don't have the right to hijack music vessels on the high seas because it would harm the corporate interests that sheltered us when we were still huddled around dark fires, marveling at shadows on the cave wall.
I fully support OpenDNS's sensible actions, or "sens-orship", as I like to call it. Surely we can trust any corporation with "open" in the title to control our minds in a way we will soon be programmed to approve of.
Re: (Score:2)
Shhhh, don't give them ideas! Keep saying that and how long until someone [disney.com] will claim the copyright on the pictures [google.com]?
Re: (Score:2)
I got an open wireless network and it has damn good censorship, P2P, porn, crack and even gambling sites are "censored" thanks to OpenDNS.
The other option would be watching people (via Squid for example), asking them their ID cards (already happens in Europe) and give them access.
If a guy just wants to check his mail or browse the ordinary web? That is fine, but our service isn't a tool for others who don't respect the ones on the network.
It is the "best of the worst". I don't want to watch people habits (via squid or
Re: (Score:2)
I think it's time to free your head from the idea that censorship is necessarily and always bad. If somebody wants to publish information about me that I'd rather not have shared, I'm tickled pink if someone can censor that expression. My problem with censorship is when it's done by the government in the form of prior restraint based on arbitrary standards which are, for the most part, unconstitutional. With a few other similar exceptions, a bit of well thought out censorship is a very good idea when use
The IP Adresses. (Score:3, Informative)
Would it be so hard to add the OpenDNS IP addresses to the story... It's not all that hard for home users to change their DNS server addresses.
Addresses: 208.67.222.222 and 208.67.220.220
Or if you need more help, look here: https://www.opendns.com/smb/start [opendns.com]
cat and mouse. (Score:4, Interesting)
Nice idea, but what do you do when a worm alters your dns settings?
OpenDNS can't block access if the queries go to a server controlled by the bad guys.
You can firewall off access to dns ports to all but known servers, but then the worms just tunnel through a port 80 proxy.
Cat and mouse forever. Plus a false sense of security.
Re: (Score:2)
Use an OS with security policies that only allow specific software that shipped with the OS to modify those settings? Honestly, I do not understand why Microsoft does not at least ship that as a default policy, especially since Windows can also check program hashes and thus prevent tampering (in theory; I guess "mitigate" is a better way to describe it).
Re:cat and mouse. (Score:4, Interesting)
Well, yes, but admins have to support what their organizations use/demand.
A couple of years ago, there was a Macintosh Trojan that altered DNS settings and added a crontab to re-alter every minute if the user tried to fix the change.
Social engineering works at least some of the time. There are zero-day exploits.
If you think that *nix is a panacea against malware, you will eventually be disappointed. Better than Win, but not perfect.
Maybe good in theory (Score:4, Interesting)
Except, OpenDNS is not a budding geek or regular office wank type tool.
It's a tool that requires you to know what you are doing. There are all sorts of subtle problems that can crop up, so I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS. Amazingly, a good 50% of the certificate and "cant find web site" errors go away after that. Imagine!
OpenDNS has the right idea, but it's not ready for the "everyday internet user" crowd yet.
This is without really considering the massive privacy problems with using it.
Re:Maybe good in theory (Score:4, Interesting)
Could you elaborate on this massive privacy problem you talk about? Like you don't have this massive privacy problem by using your ISP's DNS servers who can actually match DNS queries to user account?
And who asked if OpenDNS is about "Everyday internet user" crowd? It's A DNS service! Do you want a CSI type frontend with it?
Re: (Score:2)
The right idea for places like China, North Korea and the US of A.
Love how you stick the U.S. in with China. There's no Great Firewall here yet, so we're really not in China's league. Domestic surveillance is an issue, of course, but at least here it is an issue. In the other places you mention it's not even on The People's radar.
Of course, the bulk of people in the U.S. go through the major ISPs, which means the likes of Comcast and AT&T. Both companies have already proven to be very (ahem) "law enforcement friendly", shall we say. Using an alternate DNS service (
Re: (Score:2)
Still better than most Telcos DNS.
I agree. That's the reason why I did my first DNS server install at home. My ISP was a telco and their DNS server was down a lot more frequently than their IP routing. Most of my Internet usage was evenings and weekends. The ISP was a 9-5 business for home users (i.e. not 5 nines). So, I'd have to wait hours, even days sometimes for name resolving to return. I've maintained my own DNS server ever since and never had to worry about it.
It's obviously not for everyone and there are reliable servers beyond many
Re: (Score:2)
ISPs' never-updated DNS servers with horrible management are a real big risk, an accident waiting to happen.
They set up FreeBSD on the worst box, never update it, even ignore the massive security alert, there is zero privacy policy, and the ISPs and these "opendns is evil" guys expect us to keep the junk coming from the (again, horribly managed) DHCP server.
Of course one can setup own DNS but how to do it for normal, non techie user who probably runs Windows? Even setting DNS servers by hand is big deal for them. Ope
Re: (Score:3, Interesting)
Specifically, hijacking SSL sessions.
Several of my customers have had problems with their domain names not resolving, which is just a run of the mill reliability problem. Remove OpenDNs and it goes away. Not a biggie.
However, two of them had pop up warnings from Firefox (but not IE for some reason) about a security certificate not matching the domain name, "*.opendns.org" (org? gimmie a fucking break they are selling aggregated data, that is not an "org".) while the users were logging into or just using
Maybe I'm off base here but (Score:3, Insightful)
.....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.
Wouldn't blocking "this weeks" known IP addresses stop the addition of new ones, rendering the infection impotent?
Re:Maybe I'm off base here but (Score:5, Informative)
FTFA:
.....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.
Wouldn't blocking "this weeks" known IP addresses stop the addition of new ones, rendering the infection impotent?
That would address a symptom and would do nothing about the actual problem. We keep doing that because we don't want to admit that addressing only symptoms is a failed idea; trying harder and harder to find new ways to implement this idea won't change the fact that it's a failed idea.
The root problem is the vulnerability of Windows to these types of worms. Yes I am selectively speaking about Microsoft Windows; if I ever start seeing widespread (keyword) worms in the wild (keyword) for *nix operating systems then on that day I'll include them too. Anti-virus seeks to remove or contain an external object to which Windows is vulnerable, so it too addresses only the symptom and not the vulnerability. The reason why *nix operating systems don't generally need anti-virus (unless of course you ask an anti-virus vendor) is because they have a security model that is able to prevent infections from occurring in the first place. This is much simpler and more practical (but creates fewer cottage industries) than sophisticated scanners and high-maintenance databases of tens of thousands of signatures that must be applied to every file or every file operation. It's a lot simpler than pretending that DNS is the correct tool for host security as well.
If OpenDNS maintains a highly effective, well-maintained blocklist and if many people start using it, what happens next is rather predictable. A worm/virus that can compromise the machine can also alter that machine's DNS settings. It could make the machine stop using OpenDNS or worse (as another poster has pointed out) it could make it use a hostile DNS server. You can expect this to be a standard malware feature if OpenDNS's efforts are successful. That's the downside of participating in an arms race. The best way to avoid an arms race is to realize that mitigation techniques, while not completely useless, have extremely limited utility and that prevention is the only actual cure.
happy with it (Score:2)
I'll probably get "OMG what are you doing?" comments for this, but my internal DNS forwarders look to OpenDNS for my small business network and I'm very satisfied.
Typo correction (yahoo.cmo) and shortcuts are very handy. I only use the categories to try and block some malware/phishing, and while it's definitely not the solution, every little bit of protection helps.
My machines that actually need to know whether a domain is valid or not simply use other DNS, redirects are not a big deal and don't many cable
Worms will use IP addresses instead (Score:2, Insightful)
Please Mod Parent Up (Score:2)
Besides everything (scary) that is involved on using OpenDNS as your resolver, it's true that it can block the Conficker Worm. However, Conficker worm might be the last one that OpenDNS can stop. Once the evil minds realize the power of OpenDNS, they'll start using IP addresses instead of names within their worms (period).
You know I didn't even think of that. I did speculate that malware which can compromise the system can also alter DNS settings, either removing OpenDNS or (worse) replacing it with a hostile DNS server operated by the attacker. Your prediction is even simpler than that and sounds more likely.
That's really the problem with all of these blocklist solutions. None of them actually harden the host or address any of the widespread security problems that make these worms possible in the first place. The way
Re: (Score:2)
By using IPs, you make it easier to block it on a firewall level- just block the IPs. And if they can have the worm algorithmically generate IP addresses- that they can be sure to have each day- that would be damn impressive. That's pretty mu
Re:I just found out about this. (Score:5, Interesting)
You're giving another entity access to all your DNS lookups and your computer won't talk to Google's servers anymore when you connect to www.google.com, but to a company which isn't very upfront about this redirection. Whether that's an advantage or a drawback is up to you.
Re: (Score:2)
In the same manner that you give another entity access to all your NTP syncs.
OpenDNS is basically the same thing as the NTP pool.
Put the tinfoil down, and back away slowly...
Shill/Astroturfer/whatever (Score:4, Insightful)
Boy, talk about not understanding Internet protocols.
NTP packets are basically "I think it's this time...what do you think", while DNS is "I want to know the IP for www.childpr0n.com".
There just isn't any possible privacy issue with NTP packets, while DNS is basically a record of everything you visit. Heck, if OpenDNS were to modify the TTL in their DNS replies, they could even get more complete data about how often you request each site.
Actually, I must be wrong about you misunderstanding. Nobody could be that dumb, so you must work for OpenDNS (or another company that benefits from their data collection).
Re: (Score:2)
Ask any gray hat or black hat how much it matters that a single IP, on this NAT-crazy planet, resolved Facebook.com or not, or even what site they visit after that.
What matters is the URLs (not just domains), cookies, how long one stays on that URL, and which part of the site they visit after it. Do you know the service offering it for free? Google Analytics. That is your issue, not OpenDNS instead of using some ISP's worst security-breached, censored DNS server.
Run Wireshark in a free time, that is what your ISP pro
Re: (Score:3, Informative)
Not really, no.
For the NTP pool you send and receive time data; funnily enough the time is public information.
Switching your DNS servers to OpenDNS means you end up sending them every domain you visit, and apparently every Google search too.
Most people would probably want their search terms and domains they visit to stay private, so your analogy between the NTP pool and commercial DNS providers breaks down here.
(note: I'm not implying sending your DNS data to OpenDNS means it's made public!)
Re:I just found out about this. (Score:5, Insightful)
In the same manner that you give another entity access to all your NTP syncs.
OpenDNS is basically the same thing as the NTP pool.
Put the tinfoil down, and back away slowly...
I'm really not sure why people keep comparing OpenDNS to NTP [wikipedia.org]. NTP shares the current time, in UTC. This information is not secret and is not a privacy violation because it was already available to anyone who wants it. If knowing your system time helps an attacker to i.e. guess your TCP sequence numbers, that is a weakness in your (pseudo)random number generator, not a weakness in running an NTP daemon.
Compare that to the data that OpenDNS can collect. They can see every hostname you resolve with their service. Not unlike application-level techniques used by various advertisers (web bugs, third-party cookies, redirections, HTTP "ping", etc.) to track your browsing, a list of every hostname you resolve can certainly compromise your privacy. Every site I visit, when I visited it, and an idea of how often I visited it is not "already available to anyone who wants it." Normally, to obtain this sort of information, an attacker would need to either break into this computer and install a program to log and transmit it, or they would need to conduct a man-in-the-middle type of attack against my ISP's network. There's a reason for that.
Why would I volunteer this data to a third-party who otherwise would have no access to it? What's my incentive to unnecessarily trust them in exchange for a service I don't need? It's not like there is anything difficult about running my own caching DNS server (and you can bet I don't use BIND), not to mention that DNS has to be one of the worst ways to deal with the problem of host security. It's just not a tool that was ever designed for this type of job; meanwhile, better tools that are designed for this job are readily and freely available. This might tempt someone who doesn't want to take responsibility for their own security and thinks anyone else should handle it for them, but I recognize that as a personal shortcoming, a flawed idea. The product of a flawed idea is also flawed, so with this arrangement you are merely trading one threat (the Conficker worm) for another threat (reduced privacy). I can't call that a solution with a straight face.
Re: (Score:2)
Compare that to the data that OpenDNS can collect. They can see every hostname you resolve with their service. Not unlike application-level techniques used by various advertisers (web bugs, third-party cookies, redirections, HTTP "ping", etc.) to track your browsing, a list of every hostname you resolve can certainly compromise your privacy. Every site I visit, when I visited it, and an idea of how often I visited it is not "already available to anyone who wants it." Normally, to obtain this sort of informa
Re: (Score:2)
Why don't you use BIND?
Re: (Score:3, Informative)
Why don't you use BIND?
For the same reason I'll consider using nearly any MTA except Sendmail, which is because it has a poor security history. BIND and Sendmail both hail from a time when the Internet was a much friendlier place and I consider neither trustworthy on the hostile network that the Internet has since become. I know that version 9 of BIND was a complete rewrite, yet that too has had more security issues than I would like to see.
In my opinion, BIND is written for functionality first and security second. History
Re: (Score:3, Insightful)
Stop spreading FUD. Their privacy policy [opendns.com] says that "OpenDNS removes the IP address from its logs within 2 business days." That's better than Google and probably any other search engine you might use.
I said that use of their service would make them privy to information that I don't wish for them to have. Specifically, my information. I'd love to hear a self-consistent explanation of how that constitutes Fear, Uncertainty, and/or Doubt. In fact I hereby challenge you to provide one. I'd like to see you try, so I won't tell you right now why that will fail although it's quite possible Merriam Webster can fill you in. Extra points if it's not trivial for me to tear down your argument. I don't normally
Re: (Score:3, Insightful)
Re: (Score:2)
Another entity than your own ISP? Unless you're running your own DNS you can't really talk about it. I trust OpenDNS more than my ISP (Time Warner) just because of who betrays trust more often (TW is in bed with the RIAA). I also trust OpenDNS at work more than my uplink (AT&T) again for the same reasons (AT&T might just let the government wiretap their DNS without telling (and it says so in their agreements) while OpenDNS promises (again in an agreement) they won't).
On the other hand, I cache OpenD
Re:I just found out about this. (Score:5, Insightful)
I'm not sure why people around here seem positive about using OpenDNS (as opposed to running your own say).
When I make a typo I get an Address Not Found error and THAT'S THE WAY I LIKE IT.
Re: (Score:2)
To each his own.
This is the reason I do not use it or support it. I want a pure DNS service not a tampered one.
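Two of the complaints in this thread are testable rather than a matter of taste: whether a resolver answers a name that does not exist with an honest NXDOMAIN (RCODE 3) or with a synthesized A record pointing at a search page, and (the earlier speculation about TTLs) whether the TTLs it hands back look shortened so that clients come back more often. The script below is an added example, not code from the thread or from OpenDNS. It builds a raw query for a random label under .com (assumed so that the NXDOMAIN comes from a real zone rather than a reserved TTL like .invalid), parses the reply, and classifies it; the two sample replies at the bottom are constructed in code for offline use, and 192.0.2.10 is a documentation address, not anything observed from a real resolver.

```python
"""Probe a DNS resolver for NXDOMAIN rewriting and report answer TTLs.

Added example (not from the thread). Sends a query for a name that cannot
exist and checks whether the reply is RCODE 3 (honest) or carries an A
record (rewritten). The parser also exposes TTLs, so a reply whose TTL is
far below what the authoritative zone would hand out can be spotted.
"""
import random
import socket
import string
import struct

NXDOMAIN = 3  # RCODE 3, RFC 1035: the name does not exist


def build_query(qname, qtype=1, txid=None):
    """Standard recursive query: 12-byte header + one question (A, class IN)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.strip(".").split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer (two bytes)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Return txid, rcode and the answer section as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4                          # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def classify(response):
    """'honest' = RCODE 3 and no answers; 'rewritten' = an A record came back."""
    if response["rcode"] == NXDOMAIN and not response["answers"]:
        return "honest"
    if any(rtype == 1 for _, rtype, _, _ in response["answers"]):
        return "rewritten"
    return "other"


def random_nonexistent_name(length=16):
    """A random label under .com; assumed not to exist (collision is negligible)."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(length))
    return label + ".com"


def probe(server, port=53, timeout=3.0):
    """Live check against a resolver; returns (verdict, parsed response)."""
    query = build_query(random_nonexistent_name())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    response = parse_response(data)
    return classify(response), response


def build_response(qname, rcode, a_records=(), ttl=300):
    """Constructed reply for offline testing (not captured from any resolver):
    echoes the question, sets rcode, appends one A record per address using
    a compression pointer (0xC00C) back to the question name."""
    query = build_query(qname, txid=0x1234)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    body = query[12:]
    for addr in a_records:
        body += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                 + bytes(int(octet) for octet in addr.split(".")))
    return header + body


if __name__ == "__main__":
    honest = build_response("nonexistent-probe.example", NXDOMAIN)
    rewritten = build_response("nonexistent-probe.example", 0, ["192.0.2.10"], ttl=0)
    for sample in (honest, rewritten):
        parsed = parse_response(sample)
        print(classify(parsed), parsed["rcode"], parsed["answers"])
```

To test a real resolver, call probe("127.0.0.1") or probe with the resolver's address; "rewritten" means a name that cannot exist was answered with an address, which is exactly the behaviour the "Address Not Found" comment wants to keep. A TTL of 0 or a few seconds on answers for well-known names, compared against the TTL the authoritative servers publish, is the signal the TTL speculation above would look for.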
Re:I just found out about this. (Score:4, Funny)
Try openerdns.org
Re: (Score:2)
Sure, just install your own caching DNS server on your machine and set your DNS server to 127.0.0.1.
For Linux, it's trivial...most distros include a caching nameserver package.
For Windows, it's a little harder to set up some of the open source nameservers, but you also have some free closed source and commercial software to choose from. Try searching for "DNS server Windows" and the results should get you started.
Re:I just found out about this. (Score:4, Informative)
Re: (Score:2)
Sure, just install your own caching DNS server on your machine and set your DNS server to 127.0.0.1.
For Linux, it's trivial...most distros include a caching nameserver package.
For Windows, it's a little harder to set up some of the open source nameservers, but you also have some free closed source and commercial software to choose from. Try searching for "DNS server Windows" and the results should get you started.
This gives you one advantage I haven't seen anyone else mention. If you run a caching DNS server on localhost, any queries for data that's already in the cache are answered instantly. You get to control how many objects are in the cache and how long they remain cached. The suggestions that others have made for Level 3's servers at 4.2.2.2 etc. do not and cannot have this advantage because you will always have the network latency of sending a request and awaiting their response.
I say that knowing that
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Re: (Score:2)
I know there is the 4.2.2.2-3 (4-5 too?), any others?
Hold on... that's the unreliable DNS server that my last ISP (3 Mobile Broadband) used to hand out in the link configuration info when I connected to them. Are you saying this is a public service, and they couldn't even be bothered to run their own unreliable DNS service?
Re: (Score:2)
I've started using OpenDNS since Denmark started censoring the Piratebay. The easiest way to circumvent the block.
(TPB: My #1 source to bad 80's movies! (which I personally don't think is illegal to download, I'm assuming; since no one apparently want to sell them, it must be because they are worthless (which, honestly, most of them are :-)))
There is one way that is easier still, which is to resolve thepiratebay.org once (it is 83.140.65.11) and then add that to your hosts file. That way you don't need to surrender the privacy of which sites you visit or which Google search terms you use to the operators of OpenDNS.
Really I'd prefer to just run my own local caching DNS server, which is what I do. I'd recommend maradns or djbdns and I'd strongly suggest staying away from BIND and its poor security history (same reason I absolutely refuse to
Re:fp (Score:5, Insightful)
What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.
I think trying to explain this to people is a lot like back when AOL tried so hard to tell customers that their staff will never ask for their account password. Despite repeated warnings and prompts, the password phishers never seemed to have any problems. Those hardheaded users preferred the convenience of refusing to stop and think or to change their habits because both of those require a small amount of effort.
Likewise, people who feed trolls prefer their little emotional outbursts and the righteous feelings they get from them and are not interested in whether they are part of the problem. The idea that they are doing exactly what the troll wanted them to do does not get their attention. They may claim otherwise or feel inclined to argue with me about that, but this is very simple: when a person's words tell me one thing and their actions tell me another, I disregard their words every time. They don't really give me a choice in the matter.
Re: (Score:2)
Re: (Score:2)