OpenDNS To Block and Monitor Conficker Worm
Linker3000 writes "According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
Heh, didn't they cash in enough on the Kaminsky non-disclosure scare already, getting a large user base for their information trading business (heh, as if they offer costly service "for free". Get real! It'll cost you no money but your privacy.) /. the platform for pushing bogus services?
OpenDNS redirects www.google.com to OpenDNS servers.
They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching server bills for millions and millions of queries every day? They sell your private info.
OpenDNS redirects all your Google search queries through their servers.
They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.
I'd like to see a response on this from the censorship advocates. Because that's what this is, isn't it? Censorship?
I thought the whole idea of using OpenDNS is that it wouldn't be doing this type of blocking. Who's to say they don't just accidentally prevent PCs from contacting other servers?
This smells bad.
You're giving another entity access to all your DNS lookups and your computer won't talk to Google's servers anymore when you connect to www.google.com, but to a company which isn't very upfront about this redirection. Whether that's an advantage or a drawback is up to you.
I'm not sure why people around here seem positive about using OpenDNS (as opposed to running your own say).
When I make a typo I get an Address Not Found error and THAT'S THE WAY I LIKE IT.
I like it this way too, unfortunately my ISP appears to want to save a few bucks on their own machines and uses OpenDNS.
So, I use 4.2.2.1 through .5 as my name servers instead.
Would it be so hard to add the OpenDNS IP addresses to the story... It's not all that hard for home users to change their DNS server addresses.
Addresses: 208.67.222.222 and 208.67.220.220
Or if you need more help, look here: https://www.opendns.com/smb/start
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Nice idea, but what do you do when a worm alters your dns settings?
OpenDNS can't block access if the queries go to a server controlled by the bad guys.
You can firewall off access to dns ports to all but known servers, but then the worms just tunnel through a port 80 proxy.
Cat and mouse forever. Plus a false sense of security.
You can turn this feature off. http://www.opendns.com/support/article/244 is their response to questions about privacy.
For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".
I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.
This post brought to you by your friendly neighborhood MBA.
Try openerdns.org
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
Except, OpenDNS is not a budding geek or regular office wank type tool.
It's a tool that requires you to know what you are doing. There are all sorts of subtle problems that can crop up, so I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS. Amazingly, a good 50% of the certificate and "can't find web site" errors go away after that. Imagine!
OpenDNS has the right idea, but it's not ready for the "everyday internet user" crowd yet.
This is without really considering the massive privacy problems with using it.
Agreed. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.
Furthermore nobody should rely on a DNS provider (of all things!) to report worm infections. The idea is so wrong, it reminds me of the TV scams where they want to sell you a worthless product, bundled with 5 other, totally unrelated worthless products. "Buy this quality home-trainer for only $499 and you'll get this USB-stick, a bar of soap, two lightbulbs and a chinese ipod-knockoff, for free!".
If you're concerned with worm infections then you run antivirus software and maybe an IDS (e.g. snort) on your internet gateway.
Both will report malicious traffic much more reliable than OpenDNS because that's what they're designed to do.
.....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.
Wouldn't blocking "this weeks" known IP addresses stop the addition of new ones, rendering the infection impotent?
Enlightenment? It's just a flush in the pan.
Boy, talk about not understanding Internet protocols.
NTP packets are basically "I think it's this time...what do you think", while DNS is "I want to know the IP for www.childpr0n.com".
There just isn't any possible privacy issue with NTP packets, while DNS is basically a record of everything you visit. Heck, if OpenDNS were to modify the TTL in their DNS replies, they could even get more complete data about how often you request each site.
Actually, I must be wrong about you misunderstanding. Nobody could be that dumb, so you must work for OpenDNS (or another company that benefits from their data collection).
Not really, no.
For the NTP pool you send and receive time data; funnily enough the time is public information.
Switching your DNS servers to OpenDNS means you end up sending them every domain you visit, and apparently every Google search too.
Most people would probably want their search terms and domains they visit to stay private, so your analogy between the NTP pool and commercial DNS providers breaks down here.
(note: I'm not implying sending your DNS data to OpenDNS means it's made public!)
You consider bar of soap to be worthless?
*sniff* Hmm... no wonder your hygiene is questionable.
In the same manner that you give another entity access to all your NTP syncs.
OpenDNS is basically the same thing as the NTP pool.
Put the tinfoil down, and back away slowly...
I'm really not sure why people keep comparing OpenDNS to NTP. NTP shares the current time, in UTC. This information is not secret and is not a privacy violation because it was already available to anyone who wants it. If knowing your system time helps an attacker to i.e. guess your TCP sequence numbers, that is a weakness in your (pseudo)random number generator, not a weakness in running an NTP daemon.
Compare that to the data that OpenDNS can collect. They can see every hostname you resolve with their service. Not unlike application-level techniques used by various advertisers (web bugs, third-party cookies, redirections, HTTP "ping", etc.) to track your browsing, a list of every hostname you resolve can certainly compromise your privacy. Every site I visit, when I visited it, and an idea of how often I visited it is not "already available to anyone who wants it." Normally, to obtain this sort of information, an attacker would need to either break into this computer and install a program to log and transmit it, or they would need to conduct a man-in-the-middle type of attack against my ISP's network. There's a reason for that.
Why would I volunteer this data to a third-party who otherwise would have no access to it? What's my incentive to unnecessarily trust them in exchange for a service I don't need? It's not like there is anything difficult about running my own caching DNS server (and you can bet I don't use BIND), not to mention that DNS has to be one of the worst ways to deal with the problem of host security. It's just not a tool that was ever designed for this type of job; meanwhile, better tools that are designed for this job are readily and freely available. This might tempt someone who doesn't want to take responsibility for their own security and thinks anyone else should handle it for them, but I recognize that as a personal shortcoming, a flawed idea. The product of a flawed idea is also flawed, so with this arrangement you are merely trading one threat (the Conficker worm) for another threat (reduced privacy). I can't call that a solution with a straight face.
It is a miracle that curiosity survives formal education. - Einstein
You're relying on OpenDNS for content filtering? Cute. That might work in a home for the elderly, but I doubt it'll stop any teenager, much less one who is technologically inclined. Would have stopped me for all of 45 seconds. But if it gives you peace of mind, that's something I guess.
Switch back to Slashdot's D1 system.
Use 127.0.0.3, and put that in your /etc/hosts as 'dns.localdomain'. This still reaches your loopback address, but avoids some of the potential reverse DNS confusions with 'localhost.localdomain'.
Just Google for "free DNS", but I use 4.2.2.2, 4.2.2.3 myself. I think they're from Level 3. There's tons of others though. I used to have Comcast, and I switched my DNS because theirs were slow and unreliable. I mean, if I went to a complex site (take MSNBC.COM, for example) it would take several seconds to load on a 16 mbit/sec line, just because of all the domain requests. I just switched to AT&T for my ISP now, and I haven't changed my DNS settings yet because the response is really, really crisp.
The higher the technology, the sharper that two-edged sword.
It could be worse. Does anyone else here remember the 'Site Finder' chaos, when Verisign returned their own sales website domain for all nonexistent .com addresses? As the managers of .com, their behavior screwed up network monitoring tools worldwide, and misdirected huge amounts of misaddressed email to their servers, without warning. Patches were quickly released for every major DNS software package to block it, which is probably the real reason it got dropped: having every DNS server in the world used to the idea that 'I can block the behavior of idiots' is very, very bad for companies like Verisign that have repeatedly misused their position of trust against third parties.
I don't see a scam here. You might not like their approach, but that's different.
OpenDNS tells you they run a proxy. They tell you how to disable it.
Sending a raw error code to 99 percent of Internet users is bad service. Better to catch the code and deliver a plain language message.
As for the ads: Would you feel better if OpenDNS billed your credit card on a regular basis? Ads are everywhere. Get used to it. Just ignore them, like the rest of us do.
Short of running their own DNS, what's a better approach? (BTW, I've run my own DNS. Not doing that again. Life's too short to think running servers is fun.)
-- Slashdot: When Public Access TV Says "No"
They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching server bills for millions and millions of queries every day?
From the site:
"OpenDNS partners with hardware and service providers to deliver our award-winning security, infrastructure and navigation services."
They sell your private info.
There's nothing private about my public IP address. If they can manage to glean personal info from my IP address then, damn, they're good.
OpenDNS redirects all your Google search queries through their servers.
From the site:
"Is OpenDNS running a proxy?
Yes. Some software, including your (and our) beloved Google Toolbar, intercepts requests made via the address bar so that DNS requests never occur. This creates some usability issues, including making shortcuts - which require DNS requests to be made from the address bar - unreliable. We've designed a simple proxy that ensures the best of Google and OpenDNS work without causing problems.
When enabled, we route certain requests to a simple proxy which checks for the origin of the request. Shortcut-related traffic gets handled (and redirected) while all other traffic goes to the intended destination untouched. We are not storing or mining any of the data that passes through the proxy. The proxy does nothing malicious - it's designed to make your shortcuts work seamlessly with the Google Toolbar and similar services, giving you the best of both worlds.
Like all OpenDNS services, the proxy is respectful of your privacy. We do not track any of the searches made through the proxy. In fact, since so many people use Google we automatically rotate and delete the logs frequently. We do not store any of those logs, nor do we perform any non-operational-related analysis of the traffic sent through the proxy at any time. Protecting your privacy and delivering a fantastic navigational experience will always be two of our main goals at OpenDNS. We believe that this solution provides just that, and continues our tradition of innovative services that make your Internet experience with OpenDNS faster, safer and more reliable.
Ultimately, this proxy serves to enhance the OpenDNS experience and we recommend you leave it enabled.
They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.
You mean if I try to navigate to a nonexistent domain that OpenDNS will A) Inform me of my error B) Present me with a search form and C) Display a few innocuous text ads on the page?
I'm crushed. Damn, how could they?
How is that any worse than Google displaying text ads on their search results page? How hard can it be to block those text ads if they really get your panties in that big of a twist? If it bothers you that much, it's not like anyone is holding a gun to your head and forcing you to use their service.
Power does not corrupt - power attracts the corrupt.
What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.
I think trying to explain this to people is a lot like back when AOL tried so hard to tell customers that their staff will never ask for their account password. Despite repeated warnings and prompts, the password phishers never seemed to have any problems. Those hardheaded users preferred the convenience of refusing to stop and think or to change their habits because both of those require a small amount of effort.
Likewise, people who feed trolls prefer their little emotional outbursts and the righteous feelings they get from them and are not interested in whether they are part of the problem. The idea that they are doing exactly what the troll wanted them to do does not get their attention. They may claim otherwise or feel inclined to argue with me about that, but this is very simple: when a person's words tell me one thing and their actions tell me another, I disregard their words every time. They don't really give me a choice in the matter.
Thanks for reminding me.
Besides everything (scary) that is involved on using OpenDNS as your resolver, it's true that it can block the Conficker Worm. However, Conficker worm might be the last one that OpenDNS can stop. Once the evil minds realize the power of OpenDNS, they'll start using IP addresses instead of names within their worms (period).
But they are breaking the standard. In particular RFC 2308, under 8:
Note the absence of statements like "lookup failures should silently map to A records that point to webservers serving spam".
They are "Open" in the sense of DNS terminology. An open DNS server is one of the most significant misconfigurations an ordinary DNS server can have, but their business works by opening it to the planet and adding extra features to a decades-old service without breaking standards.
But they do break the DNS standard. As several other posters have pointed out, the DNS protocol calls for an "NXDOMAIN" response to a non-existent hostname. Instead of sending this response, they are showing sponsored links. Not to mention that DNS is already "open to the planet". There are about 13 root DNS servers. Anyone who wants to can run their own DNS server that contacts those root servers to handle DNS queries. For free. With open-source software that is also free. OpenDNS isn't providing anything that I cannot easily do for myself AND they are failing to conform to the DNS standard in order to display what I consider spam. Why do I consider their "sponsored" links to be spam? That's easy -- if I cared about their sponsors, they would not have to direct me to their sites, I would go there on my own.
On top of all of this, there are two threats to privacy posted by OpenDNS. One is the Google request "proxying" ("hijacking" is another word that equally applies, in my opinion) that can be turned off. The other is the fact that they would know every site I visit, which cannot be turned off and is an inherent part of the arrangement. Using such a system doesn't make any rational sense whatsoever.
You are either speaking about what you don't remotely understand, or you're not really so ignorant and have some undisclosed financial relationship to OpenDNS and are not being honest with us about that. Both are rather foolish. My suggestion to you is that if you insist on doing this, try it on an audience that is less tech-savvy. Better yet, inform yourself about these matters or get a job that doesn't remove your self-respect. If that sounds like a strong response, it's because of how misleading your post was and because of how rapidly several posts very much like it (lots of praise and little to no evidence and reasoning) have appeared in this discussion.
Specifically, hijacking SSL sessions.
Several of my customers have had problems with their domain names not resolving, which is just a run of the mill reliability problem. Remove OpenDNs and it goes away. Not a biggie.
However, two of them had pop up warnings from Firefox (but not IE for some reason) about a security certificate not matching the domain name, "*.opendns.org" (org? gimmie a fucking break they are selling aggregated data, that is not an "org".) while the users were logging into or just using bank related web sites. Other users on the same network were having no such problems.
Because the sites are hosted on my stuff, they think that MY stuff is off. Even though I can show them the source code and say "ok, where is this pulled from in your HTML?"
Most sites worked, except for a few bank sites. I don't know about you, but SSL is supposed to verify the domain and web server were authorized by the certificate issuing party, as well as make the data flow between the server and computer inspection-proof. OpenDNS tried to get in the way of that. (I don't think it was malicious, THIS time.)
So, OpenDNS not only caused a pain in the ass for me, but also were doing something with SSL certificates when users tried to use SSL on a bank web site.
I found out later, that some idiot IT guy was putting the stuff in because he was too lazy to update his domain controller (or didn't know how). Something he would have not needed to do had he read the instructions in the first place. Typical complicated response to a simple RTFM problem.
Stop spreading FUD. Their privacy policy says that "OpenDNS removes the IP address from its logs within 2 business days." That's better than Google and probably any other search engine you might use.
I said that use of their service would make them privy to information that I don't wish for them to have. Specifically, my information. I'd love to hear a self-consistent explanation of how that constitutes Fear, Uncertainty, and/or Doubt. In fact I hereby challenge you to provide one. I'd like to see you try, so I won't tell you right now why that will fail although it's quite possible Merriam Webster can fill you in. Extra points if it's not trivial for me to tear down your argument. I don't normally use a tone like this when I reply to someone, but you have made an accusation and I demand to see either your evidence or a concession that you have spoken amiss.
I'd also like a self-consistent explanation of how the privacy problems posed by various search engines somehow justifies unnecessarily supplying OpenDNS with my information. Considering that the services OpenDNS offers are worse for me than what I can do for myself using Open Source software, this would indeed be unnecessary. To justify what you just said, you would have to explain how one wrong thing justifies and excuses another, unrelated wrong thing. Good luck with that.
I strongly doubt I'm going to get either explanation. I fully expect you to quietly disappear from this thread and find an easier target for your apologist message, but on occasion people do surprise me. Having said that, I will add that I think you are misunderstanding something fundamental. I will explain what that is. I am not satisfied that they promise to play nice with my information or that they don't retain it for very long (nevermind that I cannot audit their systems, so I have no way to verify those claims and must take their word for it). I am satisfied when they have no access to my information. If other people don't feel that way, this is their business, but I considered all my options long before it ever occurred to you that a little two-liner from an AC was going to change my mind and I believe my stance is a solid one that I can back up. Can you say the same?
So, you are equating all ads with spam?
If I use my ISP's nameservers, I get slower responses plus error pages from the ISP with ads on them.
The notion that OpenDNS is evil because they run ads is juvenile. So is the notion that they're evil because they keep logs and records. Name me a Unix system or any provider of any kind of Internet services that doesn't keep logs and records.
The phone company knows who you call. What are you doing about that great evil?
It seems you want me to be indifferent about the possibility that endless anonymous admins might get curious about my net behavior, but I'm supposed to be paranoid about OpenDNS?
I'm the founder of OpenDNS. I've decided to reply even though these comments are heinously wrong, and probably just me feeding the trolls...
We have never sold user data, ever. We also have no CDN bills, we don't even use a CDN. We've built a global BGP-speaking network with hundreds of peers around the world. I know, because I built it. We peer at LoNAP, LINX, PAIX, SeattleIX and on a few of the Equinix peering fabrics around the US.
The idea that we would build our business based on monitoring user data is preposterous. I wouldn't stand for it, nor would our employees. I'm confident that all our engineers are just as vocal or more vocal about doing the right thing than you are. We make it very clear how we make money, and it's all over our website. Go to http://guide.opendns.com and do a search. The sponsored results are ads where we get paid, the organic results are regular search results. That's how we make money. We might offer an enterprise for-pay service down the road as some of our customers begin to demand tighter integration with their network but for now, we're happy with our business. And I'm happy to report that we're profitable and stable, even in this economy.
And as to the OpenDNS proxy. It's true, we do redirect certain Google requests through a proxy so that we can make our OpenDNS shortcuts and some other features work more reliably. Two important things here: First, we peer with Google at every datacenter, so we aren't adding to your latency or anything else. Second, we don't log and store any data and we certainly don't care about it. We prefer to be able to confidently say we aren't keeping data on it. Of course, you are welcome to disable it by going into your settings and disabling the OpenDNS proxy. That's it. Do that and we don't ever see the request. Pretty easy. End of story.
David Ulevitch
Founder, OpenDNS
# Hack the planet, it's important.
This guy has a 2-digit UID, how could he possibly not be on the level? ;-)
Seriously, I've been using OpenDNS for a year or so, and based on what I know and everything I've read here minus David Ulevitch's description I don't really see a problem, just a lot of people overreacting. After reading what he had to say, I am confident that my gut feeling was accurate... unless of course he's lying, which I have no reason to believe.
You are in a maze of twisty little passages, all alike.
Yep, I believe you can use OpenDNS servers by themselves without any account setup. However you can also set up an account with them to enable setting custom filtering among other things, and control over your proxy/privacy settings. So it is, indeed, on their website after you set up an account. They don't ask for much of anything to set up an account, so I have used a throwaway email address in the past... tho they do still have your IP if you are really worried.
Ah, yes. A "Flamebait" moderation in response to facts and reasoning that were presented in a relatively mild way. I wouldn't mind being a fly on the wall of such a moderator to see whether they feel better about themselves after doing this. My bet is that they do it only to find out that it's not so satisfying as they thought it would be.
To those moderators who think that what you do and don't agree with is what determines "Flamebait" and "Offtopic", you will be more effective if you choose an easier target than me. I have karma to burn, which I have earned, and I am not at all intimidated by your inability to handle reasoned criticism or your little temper tantrums that result from it. If anything, I'm going to post more when you do this because I will call you on it. You are lesser men who don't have what it takes to openly take me on, which is why you cower behind the moderation system when what you would really like to do is prove me wrong. This isn't because I am so great, because I am not; it is because you are so ridiculously weak and cowardly that you consider losing an Internet debate to be an unacceptable risk. If you ever try it, I'll tell you this much: I learned a lot more from those who were able to find the flaws in my reasoning than I ever did from those who said "me too!"
To those moderators who have a clue, please pardon the tone of this post. I ask that you understand that lots of low-quality moderators are operating unchecked and that this goes on because so few are willing to stand up to them (i.e. most people don't seem to care). Of course, the removal or alteration of the old metamod system also has a lot to do with this.
Why don't you use BIND?
For the same reason I'll consider using nearly any MTA except Sendmail, which is because it has a poor security history. BIND and Sendmail both hail from a time when the Internet was a much friendlier place and I consider neither trustworthy on the hostile network that the Internet has since become. I know that version 9 of BIND was a complete rewrite, yet that too has had more security issues than I would like to see.
In my opinion, BIND is written for functionality first and security second. History has shown that security needs to be a fundamental design goal from the beginning; trying to write a program and then secure it later as vulnerabilities are found is problematic at best and causes a lot of preventable problems. Good security is not an afterthought. I just don't see security as an integral part of BIND's design, not when compared to alternatives like djbdns or maradns. For example, from its very first release, maradns has always used a cryptographically secure RNG to randomize query IDs and source port numbers and was never once vulnerable to cache poisoning attacks. BIND didn't start doing this until people started exploiting it. I've just seen too many issues like that which were better solved by more proactive approaches. I really can't rigorously prove to you that one solution is inherently superior to some other solution, especially since your needs and priorities may differ from mine, but I can explain why I have strong preferences that contribute to what I will and won't do.
BIND is also bigger and more complex than what I actually need. I have never felt like there was some must-have feature provided by BIND, so there is really no compelling reason for me to use it. Even so, using a daemon whose authors more proactively consider security issues is just one step. I take other measures, including but not limited to a well-configured software firewall (Linux kernel/iptables) that is itself behind a hardware firewall/router, a PaX/Grsecurity kernel that provides things like non-executable stacks and randomized memory addresses and chroot jails that are much harder to break, and userland measures like compiling the daemon with SSP. Many of those are part of running a Gentoo system with the Hardened profile, which also implies a hardened toolchain. A source-based distribution is definitely not for everyone, but it offers some very good options like this and I'm quite happy with it. I also use Logsentry and a few other tools to help me keep an eye on things.
Yes I'm paranoid, but it's because I believe in preparedness and I've seen too many examples of what happens when administrators don't consider attacks to be an eventuality. I'm rather "old school" in a few ways; for example, I do not believe in after-the-fact removal tools (i.e. for rootkits) at all. Once a system has been compromised, the only way to ever trust it again is to wipe the drives and reinstall from known good media. Between the two, I consider the idea that I may have put an excess of effort into locking down the system (and in the process expanded my skill) to be far more acceptable than the idea of regretting that I didn't do enough. I know there is no such thing as absolutely perfect security, so I think about my threat model and I consider a system "secure" when the effort required to have a hope of breaking into it far exceeds (by a ridiculous margin) any value that might be obtained by doing so. To give a poor analogy, it doesn't make any sense to spend one million dollars in order to earn one thousand dollars. Unless it's a personal vendetta, attackers do understand this and they greatly prefer to go after the low-hanging fruit. The standard these days is so low that it doesn't even take very much to place yourself out of that category.
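Two technical claims in this thread are worth seeing in code: that a resolver which answers a name that cannot exist with an A record (instead of NXDOMAIN) is observable by a client, and that a resolver which picks its transaction ID and source port from a cryptographically secure RNG and checks every reply against the outstanding query is what defeats off-path cache poisoning. The block below is an added example written for this page; it is not code from OpenDNS, maradns, BIND or any commenter. It assumes nothing about any real resolver: the replies are fabricated locally with `build_response` (marked as such), `example.com` and the documentation address `192.0.2.10` are placeholders, and no packet leaves the machine. It is also more general than the thread's one case, since the parser handles compressed names and multiple answers, so the same `classify_nonexistent` check could be pointed at any resolver by sending `build_query`'s bytes over UDP and feeding the reply to `parse_response`.

```python
"""DNS wire-format toolkit (added example; not code from any poster or from OpenDNS).
Shows a stub that picks its transaction ID and source port from a CSPRNG and rejects
replies that do not match the outstanding query, plus a check that flags a resolver
answering a name that cannot exist with an A record instead of NXDOMAIN.  Replies are
fabricated locally; nothing is sent on the network."""
import secrets
import struct

TYPE_A, CLASS_IN, RCODE_NXDOMAIN = 1, 1, 3


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def build_query(name, qtype=TYPE_A):
    """Return (wire query, txid, source port), both drawn from the OS CSPRNG so an
    off-path spoofer must hit ~2^16 IDs x ~2^16 ports, not just a 16-bit ID."""
    txid = secrets.randbits(16)
    sport = 1024 + secrets.randbelow(65536 - 1024)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN), txid, sport


def parse_response(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # dotted quad
        answers.append((name.lower(), rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def reply_matches(resp, txid, sport, name, reply_dport, qtype=TYPE_A):
    # RFC 5452 acceptance: a response, our ID, our port, our exact question.
    if not resp["qr"] or resp["id"] != txid or reply_dport != sport:
        return False
    return resp["questions"] == [(name.rstrip(".").lower() + ".", qtype, CLASS_IN)]


def classify_nonexistent(resp):
    # For a name chosen so it cannot exist: NXDOMAIN is honest, an A record is synthesized.
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    if resp["rcode"] == 0 and any(a[1] == TYPE_A for a in resp["answers"]):
        return "synthesized"
    return "other"


def build_response(query, rcode, a_records=(), ttl=60):
    # Fabricated reply for offline testing; a live check would send `query` over UDP.
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in a_records)
    return (struct.pack("!HHHHHH", txid, 0x8180 | rcode, qd, len(a_records), 0, 0)
            + query[12:] + rrs)


def demo():
    # Random label under a real domain is the oracle; 192.0.2.10 (TEST-NET-1)
    # stands in for whatever landing page a rewriting resolver would hand back.
    name = "nx-" + secrets.token_hex(6) + ".example.com"
    query, txid, sport = build_query(name)
    honest = parse_response(build_response(query, RCODE_NXDOMAIN))
    raw = build_response(query, 0, ["192.0.2.10"])
    rewriting = parse_response(raw)
    wrong_id = parse_response(bytes([raw[0], raw[1] ^ 1]) + raw[2:])
    return {"honest": classify_nonexistent(honest),
            "rewriting": classify_nonexistent(rewriting),
            "accept_good": reply_matches(rewriting, txid, sport, name, sport),
            "accept_bad_id": reply_matches(wrong_id, txid, sport, name, sport),
            "accept_bad_port": reply_matches(rewriting, txid, sport, name, sport ^ 1)}
```

`demo()` returns `{"honest": "nxdomain", "rewriting": "synthesized", "accept_good": True, "accept_bad_id": False, "accept_bad_port": False}`: the fabricated honest reply is classified as NXDOMAIN, the fabricated rewriting reply is flagged, and a reply with the wrong ID or arriving on the wrong port is dropped even though its question section matches. Against a live resolver the only change is to send `build_query`'s bytes from a UDP socket bound to `sport` and pass the received datagram and its destination port into `parse_response` and `reply_matches`; a resolver that returns `synthesized` for a random label is rewriting NXDOMAIN, which is the behaviour the RFC 2308 quote above is about.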
Where on their website is it?
I honestly clicked through most of it (short of digging through the knowledge base) and didn't find a trace of it.
Proxying google queries should be worth a note along with the setup instructions, don't you think?
Some questions, then:
Which is interesting, because up above, the founder of OpenDNS claims that they do not log or save requests at all. So which is correct, his claim, or the privacy policy that contradicts it?