Slashdot Mirror


OpenDNS As Quick-Fix To DNS Patch Dilemma

CWmike writes "It turns out that problems with the July 8 patch that was rolled out to fix a cache poisoning flaw discovered by researcher Dan Kaminsky are causing headaches for admins. Preston Gralla suggests a 30-second quick-fix, perhaps until everyone is patched up: Use OpenDNS, which has been patched, as your personal DNS. If you run a corporate network and need help getting OpenDNS set up, your best bet is to go to the OpenDNS FAQ page, he writes."

20 of 61 comments

  1. If you run a corporate network by 77Punker · · Score: 4, Funny

    If you run a corporate network and need the FAQ page to help, you should not be running a corporate network.

    Then your job should promptly be given to me.

    1. Re:If you run a corporate network by 77Punker · · Score: 2, Informative

      You don't need it memorized, and you don't need to look at the FAQ. The addresses are on the front page, in the bottom right corner.

    2. Re:If you run a corporate network by snoyberg · · Score: 5, Funny

      Unless someone already hacked your DNS server and is serving you a fake OpenDNS page that points to their own server...

      --
      Thank God for evolution.
    3. Re:If you run a corporate network by Spy der Mann · · Score: 4, Informative

      208.67.222.222
      208.67.220.220

      There :)

    4. Re:If you run a corporate network by dgatwood · · Score: 2, Funny

      How do you know your upstream DNS isn't poisoned with the IP number of a site that passes Slashdot through a filter that substitutes the IP numbers with other values?

      You did say 74.125.19.147 and 74.125.19.104, right?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:If you run a corporate network by lazlo · · Score: 3, Insightful

      Unless someone already hacked your DNS server and is serving you a fake OpenDNS page that points to their own server...

      Good point. Try this: https://www.opendns.com/. If your browser doesn't complain about a mismatched certificate, then either you're going to the OpenDNS servers, or whoever's hacked your upstream DNS server has either hacked your list of trusted root CA certificates, or has hacked Thawte's private key. If either of the latter is true, you're pretty much screwed, DNS flaw or not.

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
  2. Biggest boom for Open DNS's business by mehemiah · · Score: 2, Insightful

    But how does this stop us from being exploited by upstream DNS servers?

    1. Re:Biggest boom for Open DNS's business by BSAtHome · · Score: 2, Interesting

      How do you get this to work with a corporate split DNS infrastructure? This is not a fix but a hack which does not work in many scenarios...

    2. Re:Biggest boom for Open DNS's business by Anonymous Coward · · Score: 4, Funny

      Hush now, we're trying to advertise OpenDNS. Just use it and shut up like a good lemming.

  3. Great idea. by casualsax3 · · Score: 3, Funny

    Quick everyone - all of our eggs in the OpenDNS basket!

  4. Thank God my parents don't trust me... by supersloshy · · Score: 2, Funny

    Just a bit ago my parents bought a new router JUST so they could install OpenDNS to protect me from porn... for once I'm actually glad they did it =P

    --
    "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
    1. Re:Thank God my parents don't trust me... by moderatorrater · · Score: 4, Funny

      supersloshy: "Come on, mom, I'm 32 years old, I can look at porn if I want to."
      mom: "Not while you're living under my roof without paying rent!"
      step-dad: "Besides, son, I hear it can help protect you against that dns cache poisoning that's been going on."
      supersloshy: "Shut up! You're not my real dad!"
      real dad: "Now supersloshy, you obey your step father, even if he does dress funny and try too hard."
      supersloshy: "I hate you! I wish I'd never been born!"

      Whole thing sounds kind of silly now, huh?

    2. Re:Thank God my parents don't trust me... by socsoc · · Score: 2, Informative

      I switched my corporate LAN's proxy to use OpenDNS and I thought a few of the blocking categories looked useful so I selected them. I quickly disabled those after the first day. I don't see how Monster.com qualifies as an Adware site, but it sure pissed off my HR dept when they got a blocked message in their browser. Those categories are so overreaching, it's laughable. The typo correction and shortcuts are useful though.

  5. Great by Anonymous Coward · · Score: 2, Insightful

    So we can replace possible random DNS hijacking with guaranteed DNS hijacking that's passed off as a feature.

    Didn't we get extremely upset at Verizon when they served up adverts and returned bogus DNS responses on domains that don't exist?

    1. Re:Great by michrech · · Score: 3, Informative

      You can actually turn that off when you log in (creating an account is free).

      Just log in, click the "settings" tab, and the settings you are looking for are in there.

      --
      bork bork bork!
  6. Does Slashdot really need Computer World ads? by duplicate-nickname · · Score: 3, Insightful

    Seriously, this solution has been posted in response to every DNS article on Slashdot this past month and has been mentioned by just about every article talking about the issue.

    Does Slashdot really need to post links to Computer World that rehash what has been discussed 100 times already?

    --

    ÕÕ

  7. Re:Replace a distributed system with a SPOF? by caerwyn · · Score: 2, Informative

    I did because Comcast is the only service provider in my area, and OpenDNS actually provides better DNS reliability than Comcast's DNS servers. The switch was actually driven by a Comcast DNS outage.

    --
    The ringing of the division bell has begun... -PF
  8. Privacy? Effectiveness? by shogarth · · Score: 2, Insightful

    Given the near fanatical privacy concerns on Slashdot, I'm surprised nobody is screaming over this "recommendation." Imagine how valuable it would be to know every web site visited by "millions of people a day." Does anyone think the for-profit company isn't mining then reselling the lookup->client-ip information?

    On a technical issue, how effective is their service? I've had hotel/hot-spot links that were proxying DNS queries regardless of my settings. It seems to me that unless you know that your ISP's DNS is way broken and that they aren't intercepting DNS queries, this is of questionable use.

  9. Just use patched, NX-replying public DNS servers by Anonymous Coward · · Score: 5, Informative

    No.
    OpenDNS does terrible NX-overriding and other useless, annoying things (logins, etc.).

    Instead, just use public, geo-distributed DNS servers which FOLLOW RFC and are patched. Here are the standard suggestions (Level7):
    4.2.2.1 through 4.2.2.6.

    These have good randomness and are multi-cast addresses for DNS servers all over the country. They are VERY fast in most areas.
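The complaint above (and in comment 5) is that a resolver which "NX-overrides" answers a name that does not exist with an A record for its own search page instead of an honest NXDOMAIN. The following checker is an added example, not code from the thread, from OpenDNS or from any resolver operator: it builds a raw DNS query for a random label under a real zone, parses the wire-format reply, and reports whether the resolver returned NXDOMAIN or a forged address. The zone `example.com`, UDP port 53 and the offline test packets are assumptions of the example.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    # Header: ID, flags (RD only), QDCOUNT=1; question: length-prefixed labels, QTYPE=A, QCLASS=IN.
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) domain name.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += n + 1

def classify_response(resp, txid):
    # 'nxdomain' = honest answer; 'rewritten' = A records for a name that cannot exist;
    # 'other' = SERVFAIL or empty NOERROR; 'bad-id' = transaction ID mismatch, discard it.
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "bad-id"
    if flags & 0x000F == 3:  # RCODE 3 = NXDOMAIN
        return "nxdomain"
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record: collect the forged address
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return "rewritten" if addrs else "other"

def probe_resolver(resolver_ip, zone="example.com", timeout=3.0):
    # Live check (assumed setup): a random label under a real zone must come back NXDOMAIN.
    txid = secrets.randbelow(65536)
    name = f"{secrets.token_hex(8)}.{zone}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data, txid)
```

Run `probe_resolver("<resolver ip>")` against each candidate resolver; anything other than `nxdomain` for a random label means the resolver is rewriting negative answers or is unhealthy.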

  10. Re:Performance of OpenDNS? by Shados · · Score: 3, Funny

    Oh, and while not naming 'em, let's just say I have a screenshot from long ago that I took from a trace route to Google that I did, and all of the routers that my ISP owned on the way had been renamed to something like "xyz-cannot-secure-their-routers.xyz.com" and such things. Nuff said :)