Slashdot Mirror


OpenDNS To Block and Monitor Conficker Worm

Linker3000 writes "According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."


  1. Re:I just found out about this. by Anonymous Coward · · Score: 5, Interesting

    You're giving another entity access to all your DNS lookups and your computer won't talk to Google's servers anymore when you connect to www.google.com, but to a company which isn't very upfront about this redirection. Whether that's an advantage or a drawback is up to you.

  2. cat and mouse. by Cmdr-Absurd · · Score: 4, Interesting

    Nice idea, but what do you do when a worm alters your dns settings?
    OpenDNS can't block access if the queries go to a server controlled by the bad guys.
    You can firewall off access to dns ports to all but known servers, but then the worms just tunnel through a port 80 proxy.
    Cat and mouse forever. Plus a false sense of security.

    1. Re:cat and mouse. by Cmdr-Absurd · · Score: 4, Interesting

      Use an OS with security policies that only allow specific software that shipped with the OS to modify those settings? Honestly, I do not understand why Microsoft does not at least ship that as a default policy.

      Well, yes, but admins have to support what their organizations use/demand.

      A couple of years ago, there was a Macintosh Trojan that altered DNS settings and added a crontab to re-alter every minute if the user tried to fix the change.

      Social engineering works at least some of the time. There are zero-day exploits.
      If you think that *nix is a panacea against malware, you will eventually be disappointed. Better than Win, but not perfect.
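
Added example, not part of the original thread: the "cat and mouse" comments above describe malware repointing a host's DNS settings and firewalling port 53 to known resolvers. This sketch flags hosts whose DNS traffic goes anywhere other than the approved resolvers. It assumes a whitespace-separated flow-log format and constructed sample records; it does not see lookups tunnelled through a port 80 proxy.

```python
from collections import defaultdict
from ipaddress import ip_address

# Resolvers clients are expected to use (OpenDNS public resolver addresses).
APPROVED_RESOLVERS = {ip_address("208.67.222.222"), ip_address("208.67.220.220")}

# Constructed sample flow records (assumed format): time src dst dport proto action
SAMPLE_FLOWS = """\
2009-02-09T10:00:01 10.0.0.11 208.67.222.222 53 udp allow
2009-02-09T10:00:02 10.0.0.12 208.67.220.220 53 udp allow
2009-02-09T10:00:03 10.0.0.13 203.0.113.53 53 udp allow
2009-02-09T10:00:04 10.0.0.13 203.0.113.53 53 tcp allow
2009-02-09T10:00:05 10.0.0.11 198.51.100.7 80 tcp allow
2009-02-09T10:00:06 10.0.0.14 192.0.2.99 53 udp deny
malformed line
"""


def find_dns_bypass(lines, approved=APPROVED_RESOLVERS):
    """Map each source host to {unapproved resolver: flow count}.

    Denied flows are counted too: a blocked attempt still shows that the
    host's resolver settings no longer point at the approved servers.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        _time, src, dst, dport, proto, _action = fields
        if dport != "53" or proto not in ("udp", "tcp"):
            continue  # not DNS traffic
        try:
            dst_ip = ip_address(dst)
        except ValueError:
            continue  # destination is not a valid IP address
        if dst_ip not in approved:
            hits[src][dst] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for host, resolvers in sorted(find_dns_bypass(SAMPLE_FLOWS.splitlines()).items()):
        print(host, resolvers)
```
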

  3. Maybe good in theory by jafiwam · · Score: 3, Interesting

    Except, OpenDNS is not a budding geek or regular office wank type tool.

    It's a tool that requires you to know what you are doing. There are all sorts of subtle problems that can crop up, so I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS. Amazingly, a good 50% of the certificate and "can't find web site" errors go away after that. Imagine!

    OpenDNS has the right idea, but it's not ready for the "everyday internet user" crowd yet.

    This is without really considering the massive privacy problems with using it.

    1. Re:Maybe good in theory by tom1974 · · Score: 4, Interesting

      Could you elaborate on this massive privacy problem you talk about? Like you don't have this massive privacy problem by using your ISP's DNS servers, who can actually match DNS queries to a user account?

      And who asked if OpenDNS is about "Everyday internet user" crowd? It's A DNS service! Do you want a CSI type frontend with it?