Slashdot Mirror
OpenDNS To Block and Monitor Conficker Worm
Linker3000 writes "According to The Register, OpenDNS plans to introduce an new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
Heh, didnt they cash in enough on the Kempinsky non-disclosure-scare already, getting a large user base for their information trading business (heh, as if they offer costly service "for free". Get real! It'll cost you no money but your privacy.) /. the platform for pusing bogus services?
OpenDNS redirects www.google.com to OpenDNS servers.
They make money by monitoring your habits. Can any one tell me how they pay their CDN and caching servers bills for millions and millions queries everyday? They sale your private info.
OpenDNS redirects all your Google search queries though their servers.
They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.
I'd like to see a response on this from the censorship advocates. Because that's what this is, isn't it? Censorship?
I thought the whole idea of using OpenDNS is that it wouldn't be doing this type of blocking. Who's to say they don't just accidentally prevent PCs from contacting other servers?
This smells bad.
So since five minutes ago, I registered with OpenDNS after reading about the service and have started using it. Whats the advantages/drawbacks of using this over my own ISP DNS's?
Ballmer, is that you? Ok, now put down the hard liquor and step away from the internet. You shouldn't be so worried, it hasn't taken that much market-share. No, don't grab that chair. Wait what are you doing? Aaaaaaiiiieeee!
You moron. You might think you're being "funny" or "clever", but you've just managed "offensive" and "ignorant".
You're also "offtopic". It's 2009 try and keep up.
I was going to post this anonymously, but actually I want to stand up and be counted, to hell with my karma.
Would it be so hard to add the OpenDNS IP addresses to the story... It's not all that hard for home users to change their DNS server addresses.
Addresses: 208.67.222.222 and 208.67.220.220
Or if you need more help, look here: https://www.opendns.com/smb/start
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
You can turn off that privacy invasion. You need an account.
Nice idea, but what do you do when a worm alters your dns settings?
OpenDNS can't block access if the queries go to a server controlled by the bad guys.
You can firewall off access to dns ports to all but known servers, but then the worms just tunnel through a port 80 proxy.
Cat and mouse forever. Plus a false sense of security.
4.2.2.2
(Level 3, in case you're wondering who that is)
I've used this service a couple of times to help protect sites where corporate won't spend an extra buck on a true content filtering solution. I just redirect things that are obviously not business related like hacking, phishing, spyware, porn, nude, gambling, etc.
I realize that it's not full proof but it does help. It's just one extra layer that I can implement on top of other basic group policy settings, antivirus software and windows defender, and spam/virus filtering. I suppose that I could always implement something like ipcop with various add ons, but I don't have the time to manage something like that on an ongoing basis.
If you do create an account just to mess with it and then delete the account (or change your DNS server settings back to the auto setting) use 'ipconfig /flushdns' from a DOS prompt to clear your cache. All you're lookups will go back to your ISP (and not keep the ones obtained from any OpenDNS queries).
You can turn this feature off. http://www.opendns.com/support/article/244 is their response to questions about privacy.
For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".
I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.
This post brought to you by your friendly neighborhood MBA.
You are an idiot.
This is no more shadowy than the NTP pool.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Except, OpenDNS is not a budding geek or regular office wank type tool.
It's a tool that requires you to know what you are doing. There are all sorts of subtle problems that can crop up, so I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS. Amazingly, a good 50% of the certificate and "cant find web site" errors go away after that. Imagine!
OpenDNS has the right idea, but it's not ready for the "everyday internet user" crowd yet.
This is without really considering the massive privacy problems with using it.
Agree'd. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.
Furthermore nobody should rely on a DNS provider (of all things!) to report worm infections. The idea is so wrong, it reminds me of the TV scams where they want to sell you a worthless product, bundled with 5 other, totally unrelated worthless products. "Buy this quality home-trainer for only $499 and you'll get this USB-stick, a bar of soap, two lightbulbs and a chinese ipod-knockoff, for free!".
If you're concerned with worm infections then you run antivirus software and maybe an IDS (e.g. snort) on your internet gateway.
Both will report malicious traffic much more reliable than OpenDNS because that's what they're designed to do.
.....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.
Wouldn't blocking "this weeks" known IP addresses stop the addition of new ones, rendering the infection impotent?
Enlightenment? It's just a flush in the pan.
Boy, talk about not understanding Internet protocols.
NTP packets are basically "I think it's this time...what do you think", while DNS is "I want to know the IP for www.childpr0n.com".
There just isn't any possible privacy issue with NTP packets, while DNS is basically a record of everything you visit. Heck, if OpenDNS were to modify the TTL in their DNS replies, they could even get more complete data about how often you request each site.
Actually, I must be wrong about you misunderstanding. Nobody could be that dumb, so you must work for OpenDNS (or another company that benefits from their data collection).
You consider bar of soap to be worthless?
*sniff* Hmm... no wonder your hygene is questionable.
Those of you whose ISP is Reliance Broadband, please note that this won't work for you. Reliance Broadband intercepts all DNS / port 53 traffic.
Which means Reliance's DNS server replies to the query you sent to OpenDNS.
(Mods, I'm posting anonymously, please treat this as a PSA.)
You're relying on OpenDNS for content filtering? Cute. That might work in a home for the elderly, but I doubt it'll stop any teenager, much less one who is technologically inclined. Would have stopped me for all of 45 seconds. But if it gives you peace of mind, that's something I guess.
Switch back to Slashdot's D1 system.
Is there any evidence that major ISP's or DNS providers are not also selling customer behavior data?
I'm a Time-Warner customer. When I use their nameservers, I see a Time-Warner error page when I try to access a nonexistent domain.
The DNS protocol may require an "NXDOMAIN" repsonse on a bogus domain, but making that visible to the typical Internet user is pointless.
-- Slashdot: When Public Access TV Says "No"
What are other solutions?
I know there is the 4.2.2.2-3 (4-5 too?), any others?
How are they scam operation?
And if you are concerned with worm infections, why not run OpenDNS + IDS + Antivir? Who says that if you use OpenDNS you cannot use anything else to protect yourself.
- Raynet --> .
"I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS"
What's the name of your company and please enumerate the problems your clients experienced.
"This is without really considering the massive privacy problems with using it"
What privacy problems would that be in comparison to other DNS providers?
I've started using OpenDNS since Denmark started censoring the Piratebay. The easiest way to circumvent the block.
(TPB: My #1 source to bad 80's movies! (which I personally don't think is illegal to download, I'm assuming; since no one apparently want to sell them, it must be because they are worthless (which, honestly, most of them are :-)))
All you've really done is shown that you're a noob, slashdot gets these troll post in every story.
Did you buy your account off ebay?
Really? Because I don't recall *ever* seeing these particular brands of posts until after President Obama was elected and sworn in.
Power does not corrupt - power attracts the corrupt.
What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.
They're providing a near-zero value product, spam you with ads in dubious locations (NX) and collect a lot of personal data with borderline phishing methods (google proxy) without announcing either of that clearly upfront.
Because OpenDNS provides no added protection? The other two are plenty sufficient while nobody knows whether the OpenDNS detection is reliable nor whether they will bother to add detection of future worms etc.
Remember many phishing toolbars claim to protect you against other phishing toolbars. OpenDNS is running the same model here.
I'll probably get "OMG what are you doing?" comments for this, but my internal DNS forwarders look to OpenDNS for my small business network and I'm very satisfied.
Typo correction (yahoo.cmo) and shortcuts are very handy. I only use the categories try and block some malware/phishing and while it's definitely not the solution, every little bit of protection helps.
My machines that actually need to know whether a domain is valid or not simply use other DNS, redirects are not a big deal and don't many cable companies do this too?
You can turn this feature off. http://www.opendns.com/support/article/244 is their response to questions about privacy.
For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".
I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.
I don't know about others, but I found that OpenDNS's tracking of the IP addresses I was coming from was somewhat flaky, even though I was running their dynamic IP update client. So, every so often I would end up getting proxied service for an hour or so. And, yes, I could easily tell the difference: using their proxy server is a lot slower than accessing google directly.
I don't see a scam here. You might not like their approach, but that's different.
OpnenDNS tells you they run a proxy. They tell you how to disable it.
Sending a raw error code to 99 percent of Internet users is bad service. Better to catch the code and deliver a plain language message.
As for the ads: Would you feel better if OpenDNS billed your credit card on a regular basis? Ads are everywhere. Get used to it. Just ignore them, like the rest of us do.
Short of running their own DNS, what's a better approach? (BTW, I've run my own DNS. Not dong that again. Life's too short to think running servers is fun.)
-- Slashdot: When Public Access TV Says "No"
Near-zero value product? Hmm, they do have all kinds of filter lists available that are quite handy in business environments. The google thingy is silly I admit, but it can be disabled (should be disabled by default IMHO). And if you disable the google hijacking, what kind of personal data can they collect? And the typo correction can be useful for people who like that kind of stuff. They might make money from your (my?) typos, but who cares, it is not my money that is wasted and in any case, it is opt-in service, so if you don't like it, don't opt-in :)
- Raynet --> .
What don't you get about "they run a special proxy that inspects and redirects google.com HTTP requests"? It's not about just DNS.
Indeed. If/when someone like Time Warner, Comcast, or Verizon tries something similar, even with opt-out, people would be crying bloody murder.
People must be distracted by the word Open.
They make money by monitoring your habits. Can any one tell me how they pay their CDN and caching servers bills for millions and millions queries everyday?
From the site:
"OpenDNS partners with hardware and service providers to deliver our award-winning security, infrastructure and navigation services."
They sale your private info.
There's nothing private about my public IP address. If they can manage to glean personal info from my IP address then, damn, they're good.
OpenDNS redirects all your Google search queries though their servers.
From the site:
"Is OpenDNS running a proxy?
Yes. Some software, including your (and our) beloved Google Toolbar, intercepts requests made via the address bar so that DNS requests never occur. This creates some usability issues, including making shortcuts - which require DNS requests to be made from the address bar - unreliable. We've designed a simple proxy that ensures the best of Google and OpenDNS work without causing problems.
When enabled, we route certain requests to a simple proxy which checks for the origin of the request. Shortcut-related traffic gets handled (and redirected) while all other traffic goes to the intended destination untouched. We are not storing or mining any of the data that passes through the proxy. The proxy does nothing malicious - it's designed to make your shortcuts work seamlessly with the Google Toolbar and similar services, giving you the best of both worlds.
Like all OpenDNS services, the proxy is respectful of your privacy. We do not track any of the searches made through the proxy. In fact, since so many people use Google we automatically rotate and delete the logs frequently. We do not store any of those logs, nor do we perform any non-operational-related analysis of the traffic sent through the proxy at any time. Protecting your privacy and delivering a fantastic navigational experience will always be two of our main goals at OpenDNS. We believe that this solution provides just that, and continues our tradition of innovative services that make your Internet experience with OpenDNS faster, safer and more reliable.
Ultimately, this proxy serves to enhance the OpenDNS experience and we recommend you leave it enabled.
They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.
You mean if I try to navigate to a nonexistent domain that OpenDNS will A) Inform me of my error B) Present me with a search form and C) Display a few innocuous text ads on the page?
I'm crushed. Damn, how could they?
How is that any worse than Google displaying text ads on their search results page? How hard can it be to block those text ads if they really get your panties in that big of a twist? If it bothers you that much, it's not like anyone is holding a gun to your head and forcing you to use their service.
Power does not corrupt - power attracts the corrupt.
What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.
I think trying to explain this to people is a lot like back when AOL tried so hard to tell customers that their staff will never ask for their account password. Despite repeated warnings and prompts, the password phishers never seemed to have any problems. Those hardheaded users preferred the convenience of refusing to stop and think or to change their habits because both of those require a small amount of effort.
Likewise, people who feed trolls prefer their little emotional outbursts and the righteous feelings they get from them and are not interested in whether they are part of the problem. The idea that they are doing exactly what the troll wanted them to do does not get their attention. They may claim otherwise or feel inclined to argue with me about that, but this is very simple: when a person's words tell me one thing and their actions tell me another, I disregard their words every time. They don't really give me a choice in the matter.
It is a miracle that curiosity survives formal education. - Einstein
Agree'd.
Really? "Agree'd"?
There's times to use apostrophes and times not to. This was one of those times not to.
The domains that you resolve, obviously. Good for a nice browsing profile.
Wow, way to react like a child over a joke. Get some anger management.
Thank's for reminding me.
What don't you get about "you can turn that off"?
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
Besides everything (scary) that is involved on using OpenDNS as your resolver, it's true that it can block the Conficker Worm. However, Conficker worm might be the last one that OpenDNS can stop. Once the evil minds realize the power of OpenDNS, they'll start using IP addresses instead of names within their worms (period).
They are "Open" in sense of DNS terminology. Open DNS is one of the significant misconfiguration of an ordinary DNS server can have but their business works by opening it to planet and add extra features to decades old service without breaking standards.
Someone figures to make money from a decades old protocol using web technologies and without breaking privacy.
Remember the feedback that non college educated guy got when he literally saved the planet from Internet breakdown? That DNS guy? It is the similar feedback. Jelousy.
Maybe I'm clueless, but where do I find this "Settings" thing? I use OpenDNS by typing its two IP addresses into the DNS servers field. Is this on the OpenDNS website?
But they are breaking the standard. In particular rfc2308,
under 8:
Note the absence of statements like "lookup failures should silently map to A records that point to webservers serving spam".
Or the main difference in that you manually have to make a choice and switch to opendns?
What makes you think every teenager knows how to circumvent blocks and filters? I use OpenDNS to prevent access to WoW and other game sites. After that was accomplished, both my kids had a significant increase in the school grades. Don't excoriate me about how I should monitor their habits and surfing. If I did that every minute, that would make me an ogre and guys like you would beat me up about denying their rights.
They are "Open" in sense of DNS terminology. Open DNS is one of the significant misconfiguration of an ordinary DNS server can have but their business works by opening it to planet and add extra features to decades old service without breaking standards.
But they do break the DNS standard. As several other posters have pointed out, the DNS protocol calls for an "NXDOMAIN" response to a non-existent hostname. Instead of sending this response, they are showing sponsored links. Not to mention that DNS is already "open to the planet". There are about 13 root DNS servers. Anyone who wants to can run their own DNS server that contacts those root servers to handle DNS queries. For free. With open-source software that is also free. OpenDNS isn't providing anything that I cannot easily do for myself AND they are failing to conform to the DNS standard in order to display what I consider spam. Why do I consider their "sponsored" links to be spam? That's easy -- if I cared about their sponsors, they would not have to direct me to their sites, I would go there on my own.
On top of all of this, there are two threats to privacy posted by OpenDNS. One is the Google request "proxying" ("hijacking" is another word that equally applies, in my opinion) that can be turned off. The other is the fact that they would know every site I visit, which cannot be turned off and is an inherent part of the arrangement. Using such a system doesn't make any rational sense whatsoever.
You are either speaking about what you don't remotely understand, or you're not really so ignorant and have some undisclosed financial relationship to OpenDNS and are not being honest with us about that. Both are rather foolish. My suggestion to you is that if you insist on doing this, try it on an audience that is less tech-savvy. Better yet, inform yourself about these matters or get a job that doesn't remove your self-respect. If that sounds like a strong response, it's because of how misleading your post was and because of how rapidly several posts very much like it (lots of praise and little to no evidence and reasoning) have appeared in this discussion.
It is a miracle that curiosity survives formal education. - Einstein
I would drop a copy of dnscache onto a Linux box and choose a different set of DNS servers to query google.com against, i.e. either the ISP's DNS servers, or the IPs of Google's authoritative DNS servers.
This way, Google.com domains are protected from any proxy mess
Then you must have changed the way you view Slashdot, since they've been around a lot longer. At least as long as 4chan became 'popular' with the mainstream.
Besides everything (scary) that is involved on using OpenDNS as your resolver, it's true that it can block the Conficker Worm. However, Conficker worm might be the last one that OpenDNS can stop. Once the evil minds realize the power of OpenDNS, they'll start using IP addresses instead of names within their worms (period).
You know I didn't even think of that. I did speculate that malware which can compromise the system can also alter DNS settings, either removing OpenDNS or (worse) replacing it with a hostile DNS server operated by the attacker. Your prediction is even simpler than that and sounds more likely.
That's really the problem with all of these blocklist solutions. None of them actually harden the host or address any of the widespread security problems that make these worms possible in the first place. The way I see it, there is one and only one reason why you have such things as worms and viruses. The reason is that an attacker can write a single piece of malware that can easily compromise thousands of vulnerable Windows machines in a fully automated fashion, with no skill required once the malware is written. If that ever changes, all of these blocklists and scanners and removal tools will be shown to be the superficial approaches that they really are.
This reminds me of a quote from Henry David Thoreau: "There are a thousand hacking at the branches of evil to one who is striking at the root." How true.
It is a miracle that curiosity survives formal education. - Einstein
So, you are equating all ads with spam?
If I use my ISP's nameservers,I get slower responses plus error pages from the ISP with ads on them.
The notion that OpenDNS is evil because they run ads is juvenile. So is the notion that they're evil because they keep logs and records. Name me a Unix system or any provider of any kind of Internet services that doesn't keep logs and records.
The phone company knows who you call. What are you doing about that great evil?
It seems you want me to be indifferent about the possibility that endless anonymous admins might get curious about my net behavior, but I'm supposed to be paranoid about OpenDNS?
-- Slashdot: When Public Access TV Says "No"
So, where you live you do have to right to watch child porn in a crowded theatre?
I'm the founder of OpenDNS. I've decided to reply even though these comments are heinously wrong, and probably just me feeding the trolls...
We have never sold user data, ever. We also have no CDN bills, we don't even use a CDN. We've built a global BGP-speaking network with hundreds of peers around the world. I know, because I built it. We peer at LoNAP, LINX, PAIX, SeattleIX and on a few of the Equinix peering fabrics around the US.
The idea that we would build our business based on monitoring user data is preposterous. I wouldn't stand for it, nor would our employees. I'm confident that all our engineers are just as vocal or more vocal about doing the right thing than you are. We make it very clear how we make money, and it's all over our website. Go to http://guide.opendns.com and do a search. The sponsored results are ads where we get paid, the organic results are regular search results. That's how we make money. We might offer an enterprise for-pay service down the road as some of our customers begin to demand tighter integration with their network but for now, we're happy with our business. And I'm happy to report that we're profitable and stable, even in this economy.
And as to the OpenDNS proxy. It's true, we do redirect certain Google requests through a proxy so that we can make our OpenDNS shortcuts and some other features work more reliably. Two important things here: First, we peer with Google at every datacenter, so we aren't adding to your latency or anything else. Second, we don't log and store any data and we certainly don't care about it. We prefer to be able to confidently say we aren't keeping data on it. Of course, you are welcome to disable it by going into your settings and disabling the OpenDNS proxy. That's it. Do that and we don't ever see the request. Pretty easy. End of story.
David Ulevitch
Founder, OpenDNS
# Hack the planet, it's important.
OpenDNS does tell you about their proxy and their handling of BX responses. It's on their website. I knew all that before I started using them.
I have no more concerns about OpenDNS "monitoring" (not exactly the word I'd use) than I do about my grocery tracking my purchases. I feel no loss of privacy when my data is aggregated with that of many others, or when software keys on my buying habits to flaunt a product.
-- Slashdot: When Public Access TV Says "No"
OpenDNS blocks at the DNS level. So if example.com/malicioususer1 does something naughty, the whole of example.com gets blocked. A sledgehammer approach if you like.
This guy has a 2-digit UID, how could he possibly not be on the level? ;-)
Seriously, I've been using OpenDNS for a year or so, and based on what I know and everything I've read here minus David Ulevitch's description I don't really see a problem, just a lot of people overreacting. After reading what he had to say, I am confident that my gut feeling was accurate... unless of course he's lying, which I have no reason to believe.
You are in a maze of twisty little passages, all alike.
Yep, I believe you can use OpenDNS servers by themselves without any account setup. However you can also set up an account with them to enable setting custom filtering among other things, and control over your proxy/privacy settings. So it is, indeed, on their website after you set up an account. They don't ask for much of anything to set up an account, so I have used a throwaway email address in the past... tho they do still have your IP if you are really worried.
This post brought to you by your friendly neighborhood MBA.
You must be kidding..
- Raynet --> .
If you don't think it's funny, you're not smart enough. Complaining about it doesn't make you smarter, it reveals that you're a complete moron ;)
Ah, yes. A "Flamebait" moderation in response to facts and reasoning that were presented in a relatively mild way. I wouldn't mind being a fly on the wall of such a moderator to see whether they feel better about themselves after doing this. My bet is that they do it only to find out that it's not so satisfying as they thought it would be.
To those moderators who think that what you do and don't agree with is what determines "Flamebait" and "Offtopic", you will be more effective if you choose an easier target than me. I have karma to burn, which I have earned, and I am not at all intimidated by your inability to handle reasoned criticism or your little temper tantrums that result from it. If anything, I'm going to post more when you do this because I will call you on it. You are lesser men who don't have what it takes to openly take me on, which is why you cower behind the moderation system when what you would really like to do is prove me wrong. This isn't because I am so great, because I am not; it is because you are so ridiculously weak and cowardly that you consider losing an Internet debate to be an unacceptable risk. If you ever try it, I'll tell you this much: I learned a lot more from those who were able to find the flaws in my reasoning than I ever did from those who said "me too!"
To those moderators who have a clue, please pardon the tone of this post. I ask that you understand that lots of low-quality moderators are operating unchecked and that this goes on because so few are willing to stand up to them (i.e. most people don't seem to care). Of course, the removal or alteration of the old metamod system also has a lot to do with this.
It is a miracle that curiosity survives formal education. - Einstein
Except the fact that the Conflicker worm connects to domains via an algorithm- that the spammers buy specifically to control the machines, and no other people are on that domain. If the phishers have any of the 250 domains the worm tries to connect to each day (again, the worm has this code in the client), the worm gets instructions. So, OpenDNS can use the algorithim and block any domains each day even if the authors have already registered the bad domains., preventing the worm from getting instructions.
Also, as an OpenDNS user, I've seen geocities.com/baduser12 be blocked as phishing, while geocities.com and geocities.com/averageuser123 isn't blocked.
Whoa! A two-digit Slashdot ID? This guy has mana - I'm inclined to believe his side of the story.
Do as you would be done to.
Regardless of the intent and drawbacks to OpenDNS, it is still a valid notion to black-hole the lookups for known malicious addresses. Monitoring for lookups to these addresses is also a godd idea as it's an indicator of a problem.
For one of the original users of Slashdot to dive into this Libertarian troll-tank and defend his work, it should be respected and not dwarfed by conspiracy theories. Put this at the top, then let people rant on about the end of their liberties.
Life is irony, and nothing ever goes as planned.
[weasel words] [citation needed]
Web consulting +
Well, they are a documented company backed by big finance and based in USA and especially more important, California.
If you think they are spamming by showing couple of text ads and rough guesses instead of a "server not found" message, you should sue them. In fact, state of California should sue them.
That Google proxying is a real interesting one. Apparently nobody has problem that Google itself is hijacking their queries.
As you pointed an "undisclosed relationship" and thanks to the same tone of all "opendns is evil" comments, one would think for a leap of a second that there is organised attack to OpenDNS. I don't really care, it is them to investigate. I just keep using them instead of my ISPs mismanaged and unsecure servers and keep setting it up.
my exact feelings ... thanks for responding David!
------ no thanks... I've quit
Some questions, then:
Mr. Ulevitch,
Your response is not yet of sufficient detail to be believeable.
Before I get into that, I'll note that when I tried your DNS on by box, I did an ethernet trace and found my local 196.168.*.* IPs where being looked up on your
service. Apparently I need to run my own BIND to avoid that.
https://www.opendns.com/smb/start/device/apple-osx-leopard
# just add our DNS IPs as your resolver
I consider it a security hazard for my intranet addresses to be looked up on an outside DNS. Nowhere do you warn people of this unexpected behaviour. "Just add us." There's no mention of one's opting in to your proxies or DNS intercepts at the point of the directions to "just add us." Why don't you fix that? We have privacy protections in law with our onramp ISP, but not with your service.
" Do you like advertising with your DNS?
OpenDNS result:"
# You tried to visit 208.67.217.132, which is not loading.
#
# OpenDNS Guide [search box]
#
# Refine Your Search
#
# Real Estate
# Apartment for Rent
# Personals
# Cheap Airfare
# Vacation Packages
# Vegas Vacation
# Cancun Hotel
# New Cars
# Hybrid Cars
# Digital Cameras
" Real classy. (not)"
I find it hard to believe your business model makes money via your search page.
Prove it: break down your company's costs and income.
What else?
http://www.opendns.com/privacy/
#
# We are affiliated with a variety of businesses and
# work closely with them in order to provide our services
# to users. We will only share personal information with
# affiliates to the extent that is necessary for such
# affiliates to provide the services. For example, when
# a website visitor searches on OpenDNS, the IP address
# and query are shared with OpenDNS's advertising partners.
Who are your advertising partners, Mr. Ulevitch?
Which domains/IPs/anything else are you intercepting to proxy?
I find the wording "We will only share personal information" is probably designed to mislead the public as to what is really happening. People have probably seen ads on pages that use their name right in the ad, and this happens because the ad was a cgi retrieval from say Yahoo! and so it gets your Yahoo! cookie, which is how it returned a personalized ad.
If you proxy to Google, are you passing the user's Google cookies through your proxy? Is there anything in your TOS limiting you from passing those cookies and the URL (with the search query) to your other "affiliates?" The cookies may not include "personal information", but the cross-pollination available is similar to what happens with "deep-packet inspection" advertising.
Which major search engines and advertisers are you "affiliated" with, meaning you _do_ log and pass data to them (IP/search URL/cookies)?
If Google an affiliate? Is Yahoo!? MSN?
Tell us who your affiliates are and what information they receive and under what circumstances.
Or have you pre-explained not answering by postulating you are just feeding the trolls?
http://harvey-mars.com/
> We have never sold user data, ever.
Prove it.
> you are welcome to disable it by going into your settings and disabling the OpenDNS proxy.
Prove that it REALLY disables the proxy, and doesn't simply hide the fact that proxy is being done.
> We don't log and store any data
Prove it.
Don't forget the uselessness of light bulbs, making his room into a dark, smelly basement.
I am not devoid of humor.
After that was accomplished, both my kids had a significant increase in the school grades.
I know , it's called withdrawal. It will pass.
Slipping shoelaces ?
I hope they're doing well. If they can continue to make good money in this sort of economy, it means that they are effective businesspeople who know what they're doing. Of course, that still doesn't have anything to do with the technical merits of their service and whether I would find them useful.
The only consistent definition of spam that I know is "advertising that I don't want to see and don't have to see". I definitely don't want to see any advertising. If I need your product, I'll determine that on my own (it's simpler that way, too). Just because spam is perfectly legal, doesn't mean that I want to see it. Sometimes advertising is part of the package, like when you listen to broadcast radio. Other times it can be completely and easily avoided. Avoiding the advertising of the OpenDNS folks is very easy -- all I have to do is not use their service. It would be morally wrong for anyone to sue them because their entire system is optional and opt-in. They are not forcing their system on anyone and therefore they are probably good people. My criticisms of their methods do not depend on anyone being forced to do anything. I am questioning why someone would want this service, which presupposes that some people do in fact want it. The basis of my reasoning is that there is nothing that they can do for me that I cannot do for myself, and especially in the case of host security, I can do it myself using tools better suited for the job. When there is no real benefit of an arrangement, even a slight drawback becomes unacceptable.
What you're doing there is a form of misdirection. The way you worded that, you are implying that the choice is to either support an extreme measure that makes no sense (suing someone over nothing) or abandon the idea that I should avoid advertisements I don't want to see and don't have to see. It's like you intended me to say "gee, the state of California is not suing them, their service must suddenly be very useful to me so that I am willing to view occasional ads in order to have the privilege of using it". That doesn't work. It's called a false dichotomy; it is also known as the fallacy of the excluded middle. That's a tactic for an opponent, not a tool for determining truth. You're probably doing it because you were personally offended by my opinions so now this is about who's right and who's wrong. That doesn't work either because opinions are arbitrary and I don't think you appreciate how difficult it is to apply "right and wrong" to them. There's also the fact that nothing I say here could possibly prevent you from having a different opinion if you felt like doing it.
What happened there is I took a position based on how I already felt about these matters (that is, my opinion of them). The order of these things is important. When you take a position, you tend to support it with facts and reasoning especially if you want to be persuasive. That's not the same thing as making a positive claim that it's the only position available or the only conclusion that could be based on the facts. Another person who was so inclined could take a position based on the merits of OpenDNS and could find facts and reasoning to support that. He could do a good job of this and produce well-written reasoning. It's when I see that people are failing to do this without committing various logical fallacies and factual errors that I might decide they are taking a position of weakness, that is, one that they are having great difficulty supporting.
It is a miracle that curiosity survives formal education. - Einstein
What makes me think that is that a casual Google search will give you howtos my mother could follow to disable such a filter. And I never said or implied in what way you should monitor your kids usage, that's really none of my business.
Switch back to Slashdot's D1 system.
Where you might very well get eaten by a grue.
LOL. Yeah, I wish I could get my old UID back. I managed to forget a password or mis-typed it the same twice once a while back, forcing me to make a new UID because I'd also recently dropped the e-mail address I used. :-\ I had a low 6 digit one, too! Not a 2 UID (damn!) but still ...
Anyhow, I've been using OpenDNS since Comcast bought out my old ISP. I never really had trouble before that but once Comcast took over I found their DNS servers to be absurdly slow. I tried running my own, which wasn't terribly hard but OpenDNS just works, saving me the hassle. For this convenience, I see some ads now and again. Big deal. I get assaulted by ads going into the grocery store lately (freaking window company hiring people to hassle me).
As an aside, I also like the filtering aspect they offer for some of my clients. Sure, it's bypassed easily enough by those who really want to but it is otherwise effective, requires no software on the system and is platform agnostic to boot.
You know the thing about UDP jokes? I don't care if you get it or not.
I started using OpenDNS because my ISP's DNS servers were partly unresponsive and I haven't looked back since. Also I've seen many major ISPs with insecure DNS servers... at least I know the OpenDNS guys know what they are doing.
Kill all hipsters.