Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenDNS As Quick-Fix To DNS Patch Dilemma

Posted by timothy on

CWmike writes "It turns out that problems with the July 8 patch that was rolled out to fix a cache poisoning flaw discovered by researcher Dan Kaminsky are causing headaches for admins. Preston Gralla suggests a 30-second quick-fix, perhaps until everyone is patched up: Use OpenDNS, which has been patched, as your personal DNS. If you run a corporate network and need help getting OpenDNS set up, your best bet is to go to the OpenDNS FAQ page, he writes."

11 of 61 comments (clear)

  1. If you run a corporate network by 77Punker · · Score: 4, Funny

    If you run a corporate network and need the FAQ page to help, you should not be running a corporate network.

    Then your job should promptly be given to me.

    1. Re:If you run a corporate network by snoyberg · · Score: 5, Funny

      Unless someone already hacked your DNS server and are serving you a fake OpenDNS page that points to their own server...

      --
      Thank God for evolution.
    2. Re:If you run a corporate network by Spy+der+Mann · · Score: 4, Informative

      208.67.222.222
      208.67.220.220

      There :)

    3. Re:If you run a corporate network by lazlo · · Score: 3, Insightful

      Unless someone already hacked your DNS server and are serving you a fake OpenDNS page that points to their own server...

      Good point. Try this: https://www.opendns.com/. If your browser doesn't complain about a mis-matched certificate, then either you're going to the OpenDNS servers, or whoever's hacked your upstream DNS server has either hacked your list of trusted root CA certificates, or has hacked Thawte's private key. If either of those latter is true, you're pretty much screwed, DNS flaw or not.

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
  2. Great idea. by casualsax3 · · Score: 3, Funny

    Quick everyone - all of our eggs in the OpenDNS basket!

  3. Re:Great by michrech · · Score: 3, Informative

    You can actually turn that off when you log in (creating an account is free).

    Just log in, click the "settings" tab, and the settings you are looking for are in there.

    --
    bork bork bork!
  4. Does Slashdot really need Computer World ads? by duplicate-nickname · · Score: 3, Insightful

    Seriously, this solution has been posted in response to every DNS article on Slashdot this past month and has been mentioned by just about every article talking about the issue.

    Does Slashdot really need to post links to Computer World that rehash was has been discussed 100 times already?

    --

    ÕÕ

  5. Re:Biggest boom for Open DNS's busineess by Anonymous Coward · · Score: 4, Funny

    Hush now, we're trying to advertise OpenDNS. Just use it and shut up like a good lemming.

  6. Just use patched, NX-replying public DNS servers by Anonymous Coward · · Score: 5, Informative

    No.
    OpenDNS does terrible NX-overriding and other useless, annoying things (logins, etc..)

    Instead, just use public, geo-distributed DNS servers which FOLLOW RFC and are patched. Here are the standard suggestions (Level7):
    4.2.2.1 through 4.2.2.6.

    These have good randomness and are multi-cast addresses for DNS servers all over the country. They are VERY fast in most areas.
     

  7. Re:Thank God my parents don't trust me... by moderatorrater · · Score: 4, Funny

    supersloshy: "Come on, mom, I'm 32 years old, I can look at porn if I want to."
    mom: "Not while you're living under my roof without paying rent!"
    step-dad: "Besides, son, I hear it can help protect you against that dns cache poisoning that's been going on."
    supersloshy: "Shut up! You're not my real dad!"
    real dad: "Now supersloshy, you obey your step father, even if he does dress funny and try too hard."
    supersloshy: "I hate you! I wish I'd never been born!"

    Whole thing sounds kind of silly now, huh?

  8. Re:Performance of OpenDNS? by Shados · · Score: 3, Funny

    Oh, and while not naming em, let just say I have a screenshot from long ago that I took from a trace route to Google that I did, and all of the routers that my ISP owned on the way had been renamed to something like "xyz-cannot-secure-their-routers.xyz.com" and such things. Nuff said :)