Domain: opendns.com
Stories and comments across the archive that link to opendns.com.
Comments · 297
-
Re:And then in the next system that you set up
You're missing the fact that your laptop, server, or ISP can remember the DNS resolver addresses.
But if I forget the DNS resolver addresses, and I'm on a system that has never remembered the addresses in the first place, how do I look them up without already having working DNS? At least under IPv4, it's easier to remember the IPv4 addresses of Google Public DNS or OpenDNS in my head than to remember to carry a USB flash drive containing a text file of the addresses. And it's a lot cheaper to remember the IPv4 addresses in my head than to subscribe to smartphone service, which according to Sprint and T-Mobile costs $65 per month more than my current cell phone service through Virgin Mobile USA.
You might assume that I am unlikely to run into a system that has never remembered the addresses in the first place. But I often troubleshoot problems with Internet access for family members, and many of these problems come from problems with the DNS server whose IPv4 address the ISP has provided through DHCP. For example, not only does Comcast hijack NXDOMAIN responses to its own "Comcast Domain Helper service" advertising pages, but in a lot of cases, Comcast's DNS servers intermittently forget that a subscriber's account is still subscribed and act as a captive portal to the "self-install" setup page where the user can download a Windows executable file to configure the modem for a first-time installation. Hardcoding Google Public DNS solves this problem every time.
There's something very wrong if you have to type public DNS server addresses often enough that memorization is a big help. However, even in that case, I don't think IPv6 is necessarily more burdensome. For example, compare OpenDNS's IPv4 vs. IPv6 addresses. Is it harder to remember "2620:0:ccc::2" than "208.67.220.220"? I think I'd actually prefer the former since it has letters as well as numbers.
Another subtlety that I'd forgotten is that nothing in the DNS protocol prevents queries over IPv4 from being answered with AAAA IPv6 records or queries over IPv6 from being answered with IPv4 A records. Google Public DNS explicitly supports queries for AAAA records even though the service itself is only available via IPv4. The addresses you've already memorized (8.8.8.8 and 8.8.4.4) will work fine for looking up IPv6 addresses.
-
openDNS content filtering
"OpenDNS gives you the option to block dozens of categories on your networks, for free. From social networking to job sites, from gambling to video sharing, from webmail to alcohol and more: with OpenDNS, you make the choice about what's available on your network" link
-
Old issue / no longer an issue
A quick Google shows OpenDNS has been aware of issues with Geographic caching since at least 2008:
Also, Apple claims to have resolved the issue for AppleTV in the US:
-
use OpenDNS Parental Controls
"Keeping your family safe online can be a daunting task. Luckily there's OpenDNS, the easiest way to filter unsafe or inappropriate Web sites on your home network. Award-winning OpenDNS Parental Controls divides the Internet's content into more than 50 categories. Simply choose your desired filtering level, from "High" to "Minimal," and check a box" link
-
Re:Oh wow.
So, he wants all ISPs to implement OpenDNS? Why not just tell parents that they can go there and subscribe for their family?
-
Start with a good hosts file
Whether you keep him using Windows or load up a flavor of Linux I'd put a good hosts file on there to block adware and other known sources of crapware. Beyond that, you could setup something like Dans Guardian or set the machine to use filtered DNS services, such as OpenDNS. If you are gonna keep Windows on there then there are tons of commercial filtering products out there, all the stuff I mentioned is free.
-
Re:For the rest of us...
http://www.opendns.com/ Pretty simple DNS service, which I've used for a while.
-
Re:Better routers
An alternate DNS server might work for you: http://www.opendns.com/start/
-
Re:Websites? Latency?
Their speeds appear to be based upon not the sustained transfer rate but a normalized rate that incorporates the DNS lookup(s), latency, etc. into the calculation
On a side note, for those stuck with Crapcast (TM), at least those in the Twin Cities area you can achieve substantially snappier web browsing if you replace their DNS server with something decent. Of which there are plenty of free DNS server providers such as OpenDNS among others.
-
Re:this is anything but new
I stopped using that when I realised that, for some reason, it breaks Spotify. At least in the UK, and at least with my combination of ISP / Router / Mac. I would recommend Open DNS. Fast, free, and they give you some level of filtering if you like that sort of thing (it's a good way of transparently blocking hardcore porn without annoying keyword matching).
-
Re:This is not accurate
So you want to explain why you hijack google traffic?
So, why exactly couldn't you find this information in their knowledge base again?
Failure to provide a non-"computer illiterate" reason will require you to hand in your geek card.
-
Re:My ISP has been doing this for some time now
I use a small, local telephone company for my DSL. They're reliable, not the fastest or the cheapest, but hey, it's pretty much a monopoly unless I want the cruddy cable service provider that is unreliable in their connectivity and just as expensive.
For six years now I've dealt with this. At work I just type a keyword and end up at the site I wanted. At home I do that by mistake and I get a page with an advertisement for something local saying the page couldn't be found.
Extremely annoying, but I don't have much choice as I don't want cable or their cruddy service, so I deal with it.
You don't have to use your ISP's DNS servers, which is probably what is enabling the redirection. Use OpenDNS instead.
-
Re:MitM of Google
a fair followup to show that mainly OpenDNS was just trying to fix what google/dell/others? broke:
http://blog.opendns.com/2007/05/22/google-turns-the-page/
-
Re:MitM of Google
Exhibit A: OpenDNS
http://forums.opendns.com/comments.php?DiscussionID=226
-
Re:Blizzard did the same thing
The page on Dell laptops looks something like this, though that's the version shown for a DNS error - the version when you actually do a search is, if anything, even worse.
My sister did a search for the Firefox installer on her new Dell laptop, and with the default IE window size and placement the only result visible without scrolling was the first sponsored result. Which was some shady site offering Firefox downloads.
-
Re:Holy shit
okay, what do you think a laptop is? It's portable. So let's look at what happens when you give a kid laptops.
a: they will take it with them and get access elsewhere as necessary
b: they will get into the "locked" room as necessary. Remember "locked" and "children" are oxymorons. This should be a given.
I'm not saying it has to be a complicated access filter, people have provided good software solutions that do 97% of the work for you. However, the general concept of "I have the computers in a room and you can't get in when I say so" only works until a kid is about 3 years old. These kids are 12-15 years old. A locked room means absolutely nothing.
mono.ch/wall and untangle are absolutely a better solution (and not that complicated) in comparison to what you get with a simple locked room which won't work. Also, openDNS on the router is a significantly more simple and easy to control method. Checkbox for "hours of usage" etc.
To think that trying to keep the physical devices away from kids will *never* work at the age of the poster's kids.
-
As an admin and a parent
As a parent and as also an admin who has to worry that co-workers will act like kids, I have both some experience and some tips in this area. The most important tip is to know your kids and care about them. Train them to be safe and teach them morals. With my kids, I use the motto: Trust but verify.
- Basic Security: The kids shouldn't have Administrator access, the bios needs a password you don't type in front of them and the boot sequence should be set to boot from hard drive first. They might still get around that security by moving drives around, so you may want tamper evident tape.
- Command line tools: go ahead and install an ssh server on the windows clients, but do it the easy way with something like sshwindows*. You don't really need it if you enable RPC, but it does come in handy, particularly in combination with unixutils* and Sysinternals*.
- Remote commands: I use winexe* and enable remote access services on the client machines. You can then run the shutdown command or pretty much any other command remotely. If you have set the boot password as required for startup, shutting the PC down is the same as locking it. I don't really recommend requiring a password for boot if you can avoid it since it is a pain, but if the situation calls for it, it is useful to know that you can. In most cases the bios will let you set a password for modification without requiring one for booting and this is usually much easier to work with, particularly when it comes to automatic updates that reboot.
- IP tables with static IPs: Since you have admin and they don't, you can set static IPs on the workstations pretty reliably which also allows you to use IP tables effectively to limit or control access.
- Logs and web control: If you use OpenDNS* and intercept DNS*, then you have pretty decent logs. If you use a transparent squid proxy in combination with strict IP tables rules, you can get really good logs. Beware of SSL proxies and VPNs.
All this comes with a cost of your time and effort. The tools built into the typical router can do a lot of the work for you, but you give up some control. Also, consider your target audience, if your kids are bright teenagers, then they will look at ways around the system. They will almost certainly try to browse by IP or through proxies. If this is a potential issue, then you should also look at setting up a transparent squid proxy and blocking 443 and other ports for addresses not explicitly allowed.
VNC: I didn't list VNC because I don't personally use it at the moment, but I have in the past and it can be a very useful tool. If you use it, I recommend you don't set it to run automatically, but rather start the service when you want to use it with remote commands. In a few cases I've done this so that I could monitor activity without any obvious indication.
- sshwindows*: http://sshwindows.sourceforge.net/ - relatively easy ssh server for windows
- unixutils*: http://unxutils.sourceforge.net/ common linux/unix tools for windows, things like grep and wget
- Sysinternals*: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx handy things like pslist and pskill
- winexe*: from http://eol.ovh.org/winexe/
- OpenDNS* and intercept DNS*: see http://www.opendns.com/ and consider something like:
/sbin/iptables -t nat -I PREROUTING -i ${LAN} -p udp --dport 53 -j DNAT --to ${ROUTERinternal}
/sbin/iptables -t nat -I PREROUTING -i ${LAN} -p tcp --dport 53 -j DNAT --to ${ROUTERinternal}
-
Re:You need to ask "should I?" and not "how can I?
I agree that what the poster's thinking of doing is not going to work from a practical POV, with the parent not likely being capable of administering the network they want to set up. But at the same time it's irritating to hear everyone give the same generic response of "I don't agree with filtering because blah blah blah therefore I won't dignify your stupid question with an answer". I'm not a parent, and while I don't think I would necessarily filter my child's internet access, I don't agree with people intervening in how a parent/parents want to bring up their child. I don't appreciate it when the gov't sanctimoniously decides what me/my children should see/think/do, so why is it better when an individual (or group of individuals, such as here on /.) impose their moral beliefs on someone?
This smacks of the same groupthink that hates MS/Google/Apple/Company-of-the-day without any thought behind it, just because it's the opinion-du-jour on /. It's actually funny how many +5 posts on Apple topics recently have berated Apple for trying to force their way of thinking on everybody, all the while the mods/posters missing the irony in their attempts at coercing others to agree with their anti-Apple opinions, a la Fox News' tactics. Yes, there are legitimate posts with legitimate concerns, and yet they are drowned out by hate-mongering.
Anyway, with that in mind, I agree with the DD-WRT/openWRT/whatever firmware on a decent router as part of the solution. Couple that with OpenDNS, enabling it as outlined here and elsewhere, will allow monitoring of internet activity, as well as filtering based on specific address as well as generic categories of websites if that's desired. This takes much of the work out of the hands of the parent/admin.
Keep the login/passwords private/secure, as well as the password for the DSL/Cable/Fios/satellite/whatever service you use to avoid bypassing. And if there are other open wireless networks nearby you might want to either eliminate wireless adapters from the computers, or lock it down to a single network (a la the dreaded Apple's network setting in Leopard/Snow Leopard to require admin creds to change networks)
-
Re:rndc flush
Why, are you forced to use your ISP's DNS servers? here.
-
OpenDNS
I use OpenDNS to block this stuff, as an added layer. I saw all the other recommendations, but noticed DNS style lists were not listed.
-
Re:No thanks.
It was similar to this issue, but that was back in March and maybe they've fixed it by now. But really, the benefit over my ISP's DNS really isn't worth the hassle.
-
Re:Privacy for what?
I use OpenDNS at home and it is possible to disable the NXDomain redirect if you setup a free account. http://www.opendns.com/support/article/312
-
Re:Privacy for what?
It looks like you can disable this behavior if you have an account. I haven't tested it extensively but it seems to work as advertised.
-
Re:Privacy for what?
That may be true, but their preferences only work if OpenDNS can tell which networks are yours. They detect this when you use your browser to log into the control panel, or if you install client-side software (OpenDNS Updater, which is Win\Mac only). You could do it with DynDNS too, but not everyone uses that.
Anyway I'd rather not go through all that effort, and would prefer the NXDOMAIN behavior to be the default for anonymous requests.
-
Re:Privacy for what?
An excellent point. That's why I think OpenDNS is a better option. They at least appear to give you a choice in the matter. I'm not sure Google's services are equitable. There's a good blog post from the founder of OpenDNS where he critiques Google's service. It's a good read.
-
David Ulevitch, Founder of OpenDNS
David Ulevitch, Founder of OpenDNS blogs on the issue.
-
Re:I guess it is good news...
Well to be fair I don't think I've seen the OpenDNS redirect in years. with OpenDNS you have to misspell something so horribly that even Google goes WTF? I've found that OpenDNS combined with Treewalk DNS on an old 1.1Ghz Win2K box makes for a VERY fast network experience. It also supports all the popular blocklists with the Confetch plugin so you can kill ads no matter what browser you are using.
I've set Treewalk up for clients on boxes as old as a 400Mhz P2 with 128Mb and Win2K and it is rock solid, so if anyone out there needs an 'easy peasy' DNS setup i would recommend Treewalk on an old Win2K or XP box with it looking up to either OpenDNS or the new Google DNS if you prefer.
-
Re:OpenDNS and DynDNS offer more features
The Google is not providing malware & phishing blocks and parental/SFW controls.
DynDNS's redirects are honest searches, not ad-choked.
https://www.dyndns.com/services/dynguide/
http://www.opendns.com/
Setup OpenDNS servers in resolv.conf.
Go into Firefox.
Type something in location (URL) bar.
What is that?
-
Re:OpenDNS
The folks at OpenDNS are indeed a little pissy over this.
My favourite bit?
Google claims that this service is better because it has no ads or redirection. But you have to remember they are also the largest advertising and redirection company on the Internet. To think that Google’s DNS service is for the benefit of the Internet would be naive. They know there is value in controlling more of your Internet experience and I would expect them to explore that fully. And of course, we always have protected user privacy and have never sold our DNS data. Here’s a link to our privacy policy.
So, the folks making ads on redirecting failed DNS queries to their site criticises Google for being an advertising company (despite them not presenting any ads on their DNS services), and then implies (wrongly) that Google's TOS allows sale of their DNS data and poor privacy.
-
Re:OpenDNS
They've already posted their response: http://blog.opendns.com/2009/12/03/opendns-google-dns/
-
Re:OpenDNS
They are already!
-
Re:OpenDNS
OpenDNS is not hijacking google searches. They simply fix broken google searches.
-
Re:no thanks
I will still use my free http://www.opendns.com/ servers. The only redirect you get is a search page with is this what you mean.
OpenDNS actually hijacks all your Google searches.
-
Re:I guess it is good news...
Congratulations, this would then be the first free service that I know of which doesn't do redirect !
Actually, if you have a static ip or a rarely changing ip, you can use OpenDNS. Just create a free account, register the ip, and turn off the redirects. I do that at my home DSL connection.
-
no thanks
I will still use my free http://www.opendns.com/ servers. The only redirect you get is a search page with is this what you mean. Other than that it will still try and get you where you want to be while also blocking a variety of sites, by your own choosing.
-
OpenDNS and DynDNS offer more features
The Google is not providing malware & phishing blocks and parental/SFW controls.
DynDNS's redirects are honest searches, not ad-choked.
https://www.dyndns.com/services/dynguide/
http://www.opendns.com/
-
Re:OpenDNS
OpenDNS hijacks Google searches, which could be part of Google's motivation also.
-
OpenDNS
Wow the people at OpenDNS are going to be pissed by this.
Still 8.8.8.8 is a bit more memorable than 208.67.222.222
-
Re:not only Verisign
OpenDNS Basic
* Reliable DNS Infrastructure
* Web Content Filtering
* Basic Customization
* Typo Correction
OpenDNS
See that, "Typo Correction" = broken DNS. DNS is not supposed to answer what it thinks you meant, it is supposed to answer what you asked!
-
Re:not only Verisign
Correct me if I'm wrong, as I'm no DNS expert here, but wouldn't running a caching DNS server pointed at OpenDNS work? Like say Treewalk DNS pointed to OpenDNS?
Correct me if I'm wrong, but I don't see how they could pull that douchebag behavior if you have a caching server that is only using OpenDNS for queries. And Treewalk is very low resource and runs on seriously old hardware (currently using 6Mb on this 1.1GHz Celeron) and is pretty damned simple to set up and use, so unless I'm missing something it looks like an easy way to avoid the DNS Douches.
-
OpenDNS
-
Very, VERY Good... apk
"I find the use of a good filtered DNS service that blacklists malware URL's upon discovery goes a long way towards limiting my exposure to this. Open DNS or Scrub IT works well. The only down side is they are often the target of DOS attacks, so their uptimes are limited. Be prepared to switch DNS settings when the "Internet" goes down. Most of my frequent sites, I keep in my local hosts file, so even if DNS goes down or DNS is hijacked, the link to my banking is still valid. Ruining as a normal user I can't be tricked into editing my hosts file. I don't have the privileges. Links; Open DNS http://www.opendns.com/ ScrubIT http://www.scrubit.com/ " - by Technician (215283) on Wednesday August 26, @01:53PM (#29204855)
See my subject-line, & this URL (especially points #'s 2 thru 5, because they cover a great deal of exactly what you state works, because, those points DO):
----
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (&, beyond):
----
IT WORKS...
How well? Ok, a testimonial, from -> http://www.xtremepccentral.com/forums/showthread.php?s=79253c5b286c472a012ff2ef7e7f2230&t=28430&page=3
----
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local." THRONKA, user @ xtremepccentral.com
----
That's 'how well'... For going on 2++ yrs. now for Thronka & his paying clients, & for myself? Since 1997-1998 or so, through many machines since those days, to the present today, same results here!
APK
P.S.=> AND, what is a MAJOR portion of that guide (as far as "the beyond" part, above CIS Tool Guidance)? HOSTS FILES, & OpenDNS or ScrubIT DNS... & you think just like I do, & it does work, for all that you noted, plus more - think about THIS one:
Like IPSecurity Policies (also covered in my guide, acting as "layered security")? HOSTS files can LIMIT what even an already "taken in" malware can do online - because, IF/WHEN you block KNOWN "bogus servers" or bad adbanners (or even malicious websites)??
Well, if YOU cannot get to them, guess what? NEITHER CAN THE MALWARE... sure, some of you might say "but the malware could just use a static IP address vs. using HOST names or URL's to communicate back to 'home base/the mothership'" but, they can't do that, because ISP/BSP's "take down" KNOWN bad servers fairly quickly once they're discovered... & thus, using an IP address would be, self-defeating - where using URLs or DOMAIN NAMES allows malware makers/botnet masters etc. et al the ability to QUICKLY re-register said domain name once more, albeit, on a diff. server next rou
-
Re:Adware
OpenDNS has yet to have a service outage. Their massive redundancy has prevented that from happening thus far. BTW, I'm not associated with them in any way, other than being a happy user.
-
Re:Adware
I find the use of a good filtered DNS service that blacklists malware URL's upon discovery goes a long way towards limiting my exposure to this.
Open DNS or Scrub IT works well. The only down side is they are often the target of DOS attacks, so their uptimes are limited. Be prepared to switch DNS settings when the "Internet" goes down. Most of my frequent sites, I keep in my local hosts file, so even if DNS goes down or DNS is hijacked, the link to my banking is still valid.
Running as a normal user I can't be tricked into editing my hosts file. I don't have the privileges.
Links;
Open DNS http://www.opendns.com/
ScrubIT http://www.scrubit.com/
-
Re:OpenDNS FTW?
You don't have the whole story, apparently, even given the references above:
http://blog.opendns.com/2007/05/22/google-turns-the-page/
I think you're cherry-picking.
-
Re:OpenDNS FTW?
Ah, I linked to the wrong article, so you don't see the severity: OpenDNS redirects www.google.com to its own servers to capture any Google search. It's not just about doing searches in the address bar.
OpenDNS and Comcast may have different goals, but they both break Internet standards and behave poorly in order to meet them.
-
OpenDNS FTW?
How about not using your ISP's own DNS servers? Why not use "agnostic" ones?
-
Re:OpenDNS FTW
OpenDNS is not the answer to this because they do the same thing.
Also when you use openDNS, you have a good chance of getting directed to CDN servers (like Limelight and Akamai) that are not as close as CDN providers you would get directed to if you use your ISP's DNS. The reason behind this is that (in layman's terms) the DNS picks the closest server to its location. By changing your DNS server to openDNS, unless you live in a city with a DNS server, your location will change.
So for example if you live in Chicago and use Comcast, you will most likely get directed to Limelight's Chicago servers. If you use openDNS, you may get directed to Limelight's Los Angeles or New York servers. This can result in slower downloads.
Finally the main reason not to use openDNS, is that the routing from Comcast is currently screwed up.