Slashdot Mirror


OpenDNS As Quick-Fix To DNS Patch Dilemma

CWmike writes "It turns out that problems with the July 8 patch that was rolled out to fix a cache poisoning flaw discovered by researcher Dan Kaminsky are causing headaches for admins. Preston Gralla suggests a 30-second quick-fix, perhaps until everyone is patched up: Use OpenDNS, which has been patched, as your personal DNS. If you run a corporate network and need help getting OpenDNS set up, your best bet is to go to the OpenDNS FAQ page, he writes."

61 comments

  1. If you run a corporate network by 77Punker · · Score: 4, Funny

    If you run a corporate network and need the FAQ page to help, you should not be running a corporate network.

    Then your job should promptly be given to me.

    1. Re:If you run a corporate network by MeanMF · · Score: 1

      Right, because everybody has the OpenDNS server IP addresses memorized.

    2. Re:If you run a corporate network by CastrTroy · · Score: 1, Insightful

      You sure you want to take on that much extra workload? There's probably tons of people running corporate networks who have no idea how to set up OpenDNS. They are probably using the MS DNS server and have never touched or even heard of OpenDNS.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:If you run a corporate network by 77Punker · · Score: 2, Informative

      You don't need it memorized, and you don't need to look at the FAQ. The addresses are on the front page, in the bottom right corner.

    4. Re:If you run a corporate network by snoyberg · · Score: 5, Funny

      Unless someone already hacked your DNS server and is serving you a fake OpenDNS page that points to their own server...

      --
      Thank God for evolution.
    5. Re:If you run a corporate network by Spy+der+Mann · · Score: 4, Informative

      208.67.222.222
      208.67.220.220

      There :)

    6. Re:If you run a corporate network by Anonymous Coward · · Score: 0

      You don't need it memorized, and you don't need to look at the FAQ. The addresses are on the front page, in the bottom right corner.

      You missed the joke. If your upstream servers aren't patched yet, how can you be sure that the openDNS page's DNS info on your system hasn't already been poisoned to point you to a copycat openDNS page?

    7. Re:If you run a corporate network by dgatwood · · Score: 2, Funny

      How do you know your upstream DNS isn't poisoned with the IP number of a site that passes Slashdot through a filter that substitutes the IP numbers with other values?

      You did say 74.125.19.147 and 74.125.19.104, right?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    8. Re:If you run a corporate network by lazlo · · Score: 3, Insightful

      Unless someone already hacked your DNS server and is serving you a fake OpenDNS page that points to their own server...

      Good point. Try this: https://www.opendns.com/. If your browser doesn't complain about a mismatched certificate, then either you're going to the OpenDNS servers, or whoever's hacked your upstream DNS server has either hacked your list of trusted root CA certificates, or has hacked Thawte's private key. If either of the latter is true, you're pretty much screwed, DNS flaw or not.

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
  2. Biggest boom for Open DNS's business by mehemiah · · Score: 2, Insightful

    But how does this stop us from being exploited by upstream DNS servers?

    1. Re:Biggest boom for Open DNS's business by BSAtHome · · Score: 2, Interesting

      How do you get this to work with a corporate split DNS infrastructure? This is not a fix but a hack which does not work in many scenarios...

    2. Re:Biggest boom for Open DNS's business by Anonymous Coward · · Score: 4, Funny

      Hush now, we're trying to advertise OpenDNS. Just use it and shut up like a good lemming.

    3. Re:Biggest boom for Open DNS's business by shri · · Score: 1

      Thank you for being the first person to spot this.. ever! :)

    4. Re:Biggest boom for Open DNS's business by AkumaKuruma · · Score: 1

      Whatever DNS server you are using inside your corporate network to resolve internet domains should be set up to forward to OpenDNS instead of your ISP's DNS servers, so that your employees will benefit from the overall idea behind OpenDNS as well as the fact of having an almost 100% guaranteed secure DNS system. Your external DNS servers should be patched so that they do not become hijacked.

    5. Re:Biggest boom for Open DNS's business by Lennie · · Score: 1

      Unless you have a shitty NAT-firewall in between. And if a lot of people use OpenDNS, you'll all be an easy target.

      --
      New things are always on the horizon
    6. Re:Biggest boom for Open DNS's business by AkumaKuruma · · Score: 1

      Whether or not you have a NAT firewall is irrelevant to the setup I described. It does not have any effect on a split-horizon DNS setup. And OpenDNS is no bigger a target than nailing the DNS servers for Comcast or even a root level system. OpenDNS actively scrubs their records of malicious websites and malsites.

    7. Re:Biggest boom for Open DNS's business by Lennie · · Score: 1

      No I'm talking about someone trying to spoof answers for your questions to OpenDNS. If your NAT messes up your source-port-randomisation, you'll still be in trouble.

      --
      New things are always on the horizon
    8. Re:Biggest boom for Open DNS's business by AkumaKuruma · · Score: 1

      At that point, it's the admin's fault for running an enterprise with a split-horizon DNS setup yet maintaining a crappy NAT firewall. There are free firewalls (software is free, still need hardware) that are enterprise level such as pfSense, so no excuse for the admin.

  3. Right... by statemachine · · Score: 1

    Like I'm going to switch out my name server on a high-availability server farm, which would require even more testing.

    "During the development cycle, we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000/queries per second," said Vixie.

    Emphasis mine.

    It's almost as useful as saying the solution to BSoD is Linux. Amusing though. :)

  4. "Quick Fx"? by Lord+Byron+II · · Score: 1

    As a rule, I try to avoid applying quick fxes to my servers. After all, if the poster and editor can't even be bothered to spell check, how can I be sure the programmer bug tested their fx? =)

    1. Re:"Quick Fx"? by Lord+Byron+II · · Score: 1

      They just fixed the spelling! Now that was a quick fix!

  5. Great idea. by casualsax3 · · Score: 3, Funny

    Quick everyone - all of our eggs in the OpenDNS basket!

  6. Thank God my parents don't trust me... by supersloshy · · Score: 2, Funny

    Just a bit ago my parents bought a new router JUST so they could install OpenDNS to protect me from porn... for once I'm actually glad they did it =P

    --
    "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
    1. Re:Thank God my parents don't trust me... by Anonymous Coward · · Score: 0

      Quick! In the name of humanity, provide this kid with some OpenDNS-bypassing pRon links!

    2. Re:Thank God my parents don't trust me... by moderatorrater · · Score: 4, Funny

      supersloshy: "Come on, mom, I'm 32 years old, I can look at porn if I want to."
      mom: "Not while you're living under my roof without paying rent!"
      step-dad: "Besides, son, I hear it can help protect you against that dns cache poisoning that's been going on."
      supersloshy: "Shut up! You're not my real dad!"
      real dad: "Now supersloshy, you obey your step father, even if he does dress funny and try too hard."
      supersloshy: "I hate you! I wish I'd never been born!"

      Whole thing sounds kind of silly now, huh?

    3. Re:Thank God my parents don't trust me... by socsoc · · Score: 2, Informative

      I switched my corporate lan's proxy to use OpenDNS and I thought a few of the blocking categories looked useful so I selected them. I quickly disabled those after the first day. I don't see how Monster.com qualifies as an Adware site, but it sure pissed off my HR dept when they got a blocked message in their browser. Those categories are so overreaching, it's laughable. The typo correction and shortcuts are useful though.

  7. Great by Anonymous Coward · · Score: 2, Insightful

    So we can replace possible random DNS hijacking with guaranteed DNS hijacking that's passed off as a feature.

    Didn't we get extremely upset at Verizon when they served up adverts and returned bogus DNS responses on domains that don't exist?

    1. Re:Great by michrech · · Score: 3, Informative

      You can actually turn that off when you log in (creating an account is free).

      Just log in, click the "settings" tab, and the settings you are looking for are in there.

      --
      bork bork bork!
    2. Re:Great by Anonymous Coward · · Score: 0

      They are there, just not very clearly labeled. You want to disable shortcuts/typo correction, which includes disabling the guide.

  8. Replace a distributed system with a SPOF? by Briareos · · Score: 1

    What's with the constant OpenDNS slashvertisements?

    Why would anyone in their right mind replace a distributed system that gets overloaded often enough with a single point of failure?

    Have oodles of servers been slashdotted in vain?

    np: Spooky - Belong (Open (Disc 1))

    --

    "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

    1. Re:Replace a distributed system with a SPOF? by caerwyn · · Score: 2, Informative

      I did because Comcast is the only service provider in my area, and OpenDNS actually provides better DNS reliability than Comcast's DNS servers. The switch was actually driven by a Comcast DNS outage.

      --
      The ringing of the division bell has begun... -PF
  9. Does Slashdot really need Computer World ads? by duplicate-nickname · · Score: 3, Insightful

    Seriously, this solution has been posted in response to every DNS article on Slashdot this past month and has been mentioned by just about every article talking about the issue.

    Does Slashdot really need to post links to Computer World that rehash what has been discussed 100 times already?

    --

    ÕÕ

    1. Re:Does Slashdot really need Computer World ads? by neomunk · · Score: 1

      Hey, if all you have is a hammer, but people keep tossing you nails...

    2. Re:Does Slashdot really need Computer World ads? by Anonymous Coward · · Score: 1, Insightful

      Sell the nails and hammer the people.

  10. Thankfully... by Inquisitor911 · · Score: 1

    Thankfully, I've been using OpenDNS for almost a year now.

  11. Privacy? Effectiveness? by shogarth · · Score: 2, Insightful

    Given the near fanatical privacy concerns on Slashdot, I'm surprised nobody is screaming over this "recommendation." Imagine how valuable it would be to know every web site visited by "millions of people a day." Does anyone think the for-profit company isn't mining then reselling the lookup->client-ip information?

    On a technical issue, how effective is their service? I've had hotel/hot-spot links that were proxying DNS queries regardless of my settings. It seems to me that unless you know that your ISP's DNS is way broken and that they aren't intercepting DNS queries, this is of questionable use.

  12. Just use patched, NX-replying public DNS servers by Anonymous Coward · · Score: 5, Informative

    No.
    OpenDNS does terrible NX-overriding and other useless, annoying things (logins, etc.)

    Instead, just use public, geo-distributed DNS servers which FOLLOW RFC and are patched. Here are the standard suggestions (Level7):
    4.2.2.1 through 4.2.2.6.

    These have good randomness and are multi-cast addresses for DNS servers all over the country. They are VERY fast in most areas.
     

  13. Uhh... is this an ad? by Anonymous Coward · · Score: 0

    How much does Slashdot get paid for running this story?

    1. Re:Uhh... is this an ad? by Anonymous Coward · · Score: 0

      No more so than every other DNS article in the past month that has ended with.... OMG OPENDNS !!!!

  14. Performance of OpenDNS? by antdude · · Score: 1

    I wonder about OpenDNS' performance with more users using it due to this flaw.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    1. Re:Performance of OpenDNS? by Shados · · Score: 1

      I just switched to it right now because my ISP -still- didn't do anything about it. It's pretty zippy honestly (my ISP's DNS servers were actually the bottleneck of my connection). I'm happy.

    2. Re:Performance of OpenDNS? by nfsilkey · · Score: 1

      Unpatched _still_? Latent, too? Who are these jokers?

    3. Re:Performance of OpenDNS? by Shados · · Score: 1

      As far as I can tell, and from the information I gather on the patch, and the tests I ran... the losers DID patch the darn thing, but they stuck their DNS servers behind a firewall that blocks most ports (probably a 2 headed department, where the people in charge of the firewall and the ones in charge of DNS aren't the same and don't talk much), so while the ports are randomized, there's only a couple that can go through, so it kills the point.
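      The situation Shados describes (a patched resolver whose randomised source ports are mostly dropped by a firewall) can be checked from a capture taken on the upstream side of the firewall. This is an added example, not code from the thread; the two port lists are constructed, and the `tshark` invocation in the docstring is one way to produce real input.

```python
"""Estimate how much source-port randomisation survives a port-restricting firewall.

Added example, not from the thread.  Input is the UDP source ports of the
resolver's *outbound* queries as observed on the far side of the firewall
(for instance exported from a capture with
  tshark -r dns.pcap -Y 'dns.flags.response == 0' -T fields -e udp.srcport).
The two port lists below are constructed, not captured.
"""
import math
from collections import Counter

# Constructed: a resolver that randomises, but a firewall only lets three
# ports through, so only those three ever reach the upstream server.
CONSTRAINED_PORTS = [53000, 53001, 53000, 53002, 53001, 53000, 53002, 53001] * 50

# Constructed: 400 distinct ports spread over the ephemeral range.
RANDOMISED_PORTS = [(i * 7919 + 1234) % 60000 + 1024 for i in range(400)]


def load_ports(text):
    """Parse one port per line (tshark -T fields output); blank lines ignored."""
    return [int(line) for line in text.splitlines() if line.strip()]


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def assess(ports):
    """Summarise the sample and say whether the randomisation is effective.

    With n queries the entropy can be at most log2(n), so the verdict compares
    the measured entropy to that ceiling rather than to the ideal 16 bits.
    """
    n = len(ports)
    distinct = len(set(ports))
    bits = port_entropy_bits(ports)
    ceiling = math.log2(n) if n > 1 else 0.0
    # The 16-bit transaction id is the only other thing a forged reply must
    # match; a handful of distinct source ports adds almost nothing to it.
    effective = distinct > 16 and bits >= 0.5 * ceiling
    return {
        "queries": n,
        "distinct_ports": distinct,
        "entropy_bits": round(bits, 2),
        "guess_space_bits": round(16 + bits, 2),
        "verdict": "randomised" if effective else "effectively unrandomised",
    }


if __name__ == "__main__":
    for label, sample in (("constrained", CONSTRAINED_PORTS), ("randomised", RANDOMISED_PORTS)):
        print(label, assess(sample))
```

A few hundred queries are enough to tell the two cases apart; the "randomised" verdict only says the sample shows no obvious restriction, not that the resolver reaches the full 16 bits.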

    4. Re:Performance of OpenDNS? by Shados · · Score: 3, Funny

      Oh, and while not naming 'em, let's just say I have a screenshot from long ago that I took from a trace route to Google that I did, and all of the routers that my ISP owned on the way had been renamed to something like "xyz-cannot-secure-their-routers.xyz.com" and such things. Nuff said :)

    5. Re:Performance of OpenDNS? by mboz62 · · Score: 1

      I did a bit of research into OpenDNS a while ago, the link is here

      I've been a little intrigued by what sort of real benefit the likes of OpenDNS might actually have, so I thought I'd do a bit of a test and see what it does.

      So I thought I'd start with the world's most popular websites; according to http://www.alexa.com/ I got a list of the top 100 global websites.

      the basic results turned out to be...
      1. OpenDNS server at 208.67.222.222 average = 108.8787879 min = 15 max = 1273

      2. my ISP's DNS server at ns0.zen.co.uk average = 16.9798 min = 13 max = 24

      3. a local server running bind 9.2.4 server, having done a rndc flush (this will force a full DNS tree root name resolution - hence the very large times) average = 828.4747475 min = 43 max = 4983

      4. the same server as 3, run without flushing the cache average = 1.424242424 min = 0 max = 93

      Which I think is pretty much what I expected! A local ISP's DNS servers will generally be faster than anything elsewhere because they take advantage of being well used, and hence having a full cache, and being local, so traffic doesn't have to go very far.

      A local server doing full root DNS resolutions will take the longest to resolve simply because there is a DNS tree that it needs to propagate through.
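      The kind of measurement mboz62 reports can be reproduced with nothing but the Python standard library. This is an added example, not mboz62's script: it hand-builds an A query, times the UDP round trip per resolver and reports average/min/max; the resolver addresses are the ones quoted in the thread and the name list is a constructed stand-in for the Alexa top 100.

```python
"""Time A-record lookups against several resolvers using only the standard library.

Added example, not mboz62's script.  It hand-builds an RFC 1035 query, sends it
over UDP and records the round trip in milliseconds.  Repeat runs against the
same resolver measure its cache, not its upstream path (compare mboz62's
flushed vs. unflushed BIND numbers).
"""
import random
import socket
import struct
import time


def build_query(name, txid):
    """Minimal recursion-desired A/IN query for `name` in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def query_rtt(resolver, name, timeout=2.0):
    """Send one query; return the round trip in ms, or None on timeout/bad reply."""
    txid = random.randrange(65536)
    packet = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.perf_counter()
        sock.sendto(packet, (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
        elapsed_ms = (time.perf_counter() - started) * 1000.0
    # Only count a reply that carries our transaction id and the QR (response) bit.
    if len(data) < 12:
        return None
    reply_id, flags = struct.unpack("!HH", data[:4])
    if reply_id != txid or not flags & 0x8000:
        return None
    return elapsed_ms


def summarise(samples):
    """Average/min/max over successful lookups plus how many failed."""
    ok = [s for s in samples if s is not None]
    failed = len(samples) - len(ok)
    if not ok:
        return {"avg": None, "min": None, "max": None, "failed": failed}
    return {"avg": sum(ok) / len(ok), "min": min(ok), "max": max(ok), "failed": failed}


def benchmark(resolvers, names, rtt_fn=query_rtt):
    """Per-resolver statistics; rtt_fn is injectable so the maths can be checked offline."""
    return {r: summarise([rtt_fn(r, n) for n in names]) for r in resolvers}


if __name__ == "__main__":
    RESOLVERS = ["208.67.222.222", "4.2.2.1"]              # addresses quoted in the thread
    NAMES = ["example.com", "example.net", "example.org"]  # constructed stand-in list
    for resolver, stats in benchmark(RESOLVERS, NAMES).items():
        print(resolver, stats)
```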

  15. Re:Just use patched, NX-replying public DNS server by Anonymous Coward · · Score: 0

    4.2.2.1 through 4.2.2.6.

    ^^This AC speaks 100% solid truthnuggets.

  16. I use it by al0ha · · Score: 0

    For my home, and to address the privacy concerns I have written a script which deletes my history automatically, so I don't have to personally log in to do it. In any event, I don't care if OpenDNS knows I made a lookup request for any of the sites I visit. If I really wanted to cover my tracks, I would not use it. However, that said, I would never, ever, recommend this service for an enterprise.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:I use it by Praetor.Zero · · Score: 1

      For my home, and to address the privacy concerns I have written a script which deletes my history automatically, so I don't have to personally log in to do it. In any event, I don't care if OpenDNS knows I made a lookup request for any of the sites I visit. If I really wanted to cover my tracks, I would not use it. However, that said, I would never, ever, recommend this service for an enterprise.

      Care to share this script?

  17. Astroturfing gone pro! by grasshoppa · · Score: 1

    Ok, so I can deal with all the 'turfing on EVERY FUCKING DNS story that slashdot posts. Fine. I just ignore it and move on.

    But now we're getting editors astroturfing..their..own site...

    opendns isn't that special. I've looked at it. Anybody who uses it for a corporate network should be shot. You are purposely exposing your internal users to the whims of an external company.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  18. Cache forced refresh by vetman · · Score: 1

    I use opendns because it allows me to manually refresh the cache (opendns.com/cache) when I am making name server changes on my domains. Then I know immediately if the changes are correct and will propagate to the rest of the internet eventually.

  19. Re:Just use patched, NX-replying public DNS server by Genocaust · · Score: 1

    Thanks, learn something new (and useful) daily! I use OpenDNS currently, but wow, response times alone are amazing! = 10ms to the 4.* servers and ~100 to OpenDNS. I might still stick with OpenDNS for now since I use some of their features, but this is certainly food for thought and a useful tool when I get stuck without DNS during some of my travels -- very easy to remember IPs :)

    --
    It could be that the only purpose of your life is to serve as a warning to others.
  20. Must be nice..... by MrZaius · · Score: 1

    I remember being stateside and getting to control my choice of DNS server. That said, many small third-world ISPs and plenty of colleges and other overly-controlled environments where bandwidth is expensive NAT you and run transparent proxies, locking you in to the DNS server used by said proxy and, even if the stray packet does get to OpenDNS, prevents you from using ddclient or anything else to effectively manage your settings there.

    How 'bout an option for us? What ever happened to Tor? Any similar vulnerabilities there? How does it handle DNS?

  21. ISC BIND by Meneth · · Score: 1

    I'm still using my own BIND installation to bypass Sweden's insane filter system. I've applied the patch now.

  22. OpenDNS & Marketing by mboz62 · · Score: 1

    I've just had a read around the opendns site, and it seems like a marketing thing more than a good technical idea.

    They appear to make their money by sending you to an advertising site whenever a name doesn't resolve. To me, this seems a bad idea. Imagine the scenario: 'Hey Bob, the kitty's getting a bit empty, you know' - 'Not a prob, boss, just let me tweak some DNS resolver timings'

    Also, their idea that they are 'quicker' because they use a 'large' cache is bobbins. A DNS time to live (TTL) is set by the domain owner, and with very good reason. If you host a website that you're about to change the IP address on, the best way to do it is to set the TTL to zero, so every machine needs a fresh lookup; then as soon as the move is made, every box on the internet automatically finds it. After that you stretch the TTL back to normal again.

    If you artificially change the cache time, you'll get a lot more failed lookups (woohoo! more revenue for OpenDNS!!)

    My advice: keep with the DNS server your ISP is giving you. It is (usually) at the end of the wire you're connecting over, and unlikely to be thrashed at all; you need a LOT of DNS queries to swamp even a mediocre DNS server.

    1. Re:OpenDNS & Marketing by Anonymous Coward · · Score: 0

      Man, sure it is another man in the middle exerting money from you.

      And it is much worse than just advertisement on web pages. The DNS server has no clue if the DNS resolution is for a web server or a mail server, ssh, X Windows, a file sharing server or any other protocol. Of course the IP returned only serves web pages and nothing else. Which means your application fails, but not with the correct error, that the server does not exist; it simply does not reply to your protocol. In other words it breaks everything else but web pages (if you consider web page spam as a working web).

      This kind of crap is false advertisement, because it does claim to deliver a service that it actually cripples. ISPs using such crippling technology should be prosecuted, because they sell you Internet access and not limited .... And anybody using such services on a voluntary basis needs his/her head examined. Shame on Kaminsky for promoting such scams (even if you can disable the "feature").

  23. Re:Just use patched, NX-replying public DNS server by Slashcrap · · Score: 1

    Instead, just use public, geo-distributed DNS servers which FOLLOW RFC and are patched. Here are the standard suggestions (Level7):
    4.2.2.1 through 4.2.2.6.

    Those aren't actually public DNS servers though, are they? They are private DNS servers which just happen to be publicly accessible at the moment. If at some point in the future they block all access from outside their network, which they have every right and incentive to do, you will lose DNS. They have in the past temporarily changed the reverse DNS names for those servers to please-do-not-steal-service.whatever.net, so don't say you weren't warned.

    And when it comes to FOLLOWING RFC, I'm pretty sure that "don't use other people's DNS servers" is pretty high on the list.

  24. Re:Just use patched, NX-replying public DNS server by Conficio · · Score: 1

    And when it comes to FOLLOWING RFC, I'm pretty sure that "don't use other people's DNS servers" is pretty high on the list.

    And how do you do that? Isn't DNS a hierarchical system, where all the answers you are not authoritative on get resolved through queries to other servers? That implies you can't avoid other people's DNS servers.

    --
    Busy helping non technical users of OpenOffice.org - http://plan-b-for-openoffice.org/
  25. Re:Just use patched, NX-replying public DNS server by Anonymous Coward · · Score: 0

    Error: it's "Level3", not "Level 7".
    Anyway, as far as I can tell, these are intentionally public, and they have been accessible for something like 10 years or more -- no real risk of them going down.

  26. Re:Just use patched, NX-replying public DNS server by stderr_dk · · Score: 1

    These have good randomness and are any-cast addresses for DNS servers all over the country.

    Fixed.

    --
    alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr