OpenDNS To Block and Monitor Conficker Worm
Linker3000 writes "According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
OpenDNS redirects www.google.com to OpenDNS servers.
They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching server bills for millions and millions of queries every day? They sell your private info.
OpenDNS redirects all your Google search queries through their servers.
They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.
You're giving another entity access to all your DNS lookups and your computer won't talk to Google's servers anymore when you connect to www.google.com, but to a company which isn't very upfront about this redirection. Whether that's an advantage or a drawback is up to you.
I'm not sure why people around here seem positive about using OpenDNS (as opposed to running your own say).
When I make a typo I get an Address Not Found error and THAT'S THE WAY I LIKE IT.
Nice idea, but what do you do when a worm alters your dns settings?
OpenDNS can't block access if the queries go to a server controlled by the bad guys.
You can firewall off access to dns ports to all but known servers, but then the worms just tunnel through a port 80 proxy.
Cat and mouse forever. Plus a false sense of security.
Freedom of speech is very important, but there are exceptions. For example, we don't have the right to watch child porn in a crowded theatre, because that would harm children.
We don't have the right to hijack music vessels on the high seas because it would harm the corporate interests that sheltered us when we were still huddled around dark fires, marveling at shadows on the cave wall.
I fully support OpenDNS's sensible actions, or "sens-orship", as I like to call it. Surely we can trust any corporation with "open" in the title to control our minds in a way we will soon be programmed to approve of.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
You can turn this feature off. http://www.opendns.com/support/article/244 is their response to questions about privacy.
For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".
I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.
This post brought to you by your friendly neighborhood MBA.
Agreed. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.
Furthermore nobody should rely on a DNS provider (of all things!) to report worm infections. The idea is so wrong, it reminds me of the TV scams where they want to sell you a worthless product, bundled with 5 other, totally unrelated worthless products. "Buy this quality home-trainer for only $499 and you'll get this USB stick, a bar of soap, two lightbulbs and a Chinese iPod knockoff, for free!".
If you're concerned with worm infections then you run antivirus software and maybe an IDS (e.g. snort) on your internet gateway.
Both will report malicious traffic much more reliably than OpenDNS because that's what they're designed to do.
In the same manner that you give another entity access to all your NTP syncs.
OpenDNS is basically the same thing as the NTP pool.
Put the tinfoil down, and back away slowly...
I'm really not sure why people keep comparing OpenDNS to NTP. NTP shares the current time, in UTC. This information is not secret and is not a privacy violation because it was already available to anyone who wants it. If knowing your system time helps an attacker to i.e. guess your TCP sequence numbers, that is a weakness in your (pseudo)random number generator, not a weakness in running an NTP daemon.
Compare that to the data that OpenDNS can collect. They can see every hostname you resolve with their service. Not unlike application-level techniques used by various advertisers (web bugs, third-party cookies, redirections, HTTP "ping", etc.) to track your browsing, a list of every hostname you resolve can certainly compromise your privacy. Every site I visit, when I visited it, and an idea of how often I visited it is not "already available to anyone who wants it." Normally, to obtain this sort of information, an attacker would need to either break into this computer and install a program to log and transmit it, or they would need to conduct a man-in-the-middle type of attack against my ISP's network. There's a reason for that.
Why would I volunteer this data to a third party who otherwise would have no access to it? What's my incentive to unnecessarily trust them in exchange for a service I don't need? It's not like there is anything difficult about running my own caching DNS server (and you can bet I don't use BIND), not to mention that DNS has to be one of the worst ways to deal with the problem of host security. It's just not a tool that was ever designed for this type of job; meanwhile, better tools that are designed for this job are readily and freely available. This might tempt someone who doesn't want to take responsibility for their own security and thinks anyone else should handle it for them, but I recognize that as a personal shortcoming, a flawed idea. The product of a flawed idea is also flawed, so with this arrangement you are merely trading one threat (the Conficker worm) for another threat (reduced privacy). I can't call that a solution with a straight face.
It is a miracle that curiosity survives formal education. - Einstein
FTFA:
...instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.
Wouldn't blocking "this week's" known IP addresses stop the addition of new ones, rendering the infection impotent?
That would address a symptom and would do nothing about the actual problem. We keep doing that because we don't want to admit that addressing only symptoms is a failed idea; trying harder and harder to find new ways to implement this idea won't change the fact that it's a failed idea.
The root problem is the vulnerability of Windows to these types of worms. Yes I am selectively speaking about Microsoft Windows; if I ever start seeing widespread (keyword) worms in the wild (keyword) for *nix operating systems then on that day I'll include them too. Anti-virus seeks to remove or contain an external object to which Windows is vulnerable, so it too addresses only the symptom and not the vulnerability. The reason why *nix operating systems don't generally need anti-virus (unless of course you ask an anti-virus vendor) is because they have a security model that is able to prevent infections from occurring in the first place. This is much simpler and more practical (but creates fewer cottage industries) than sophisticated scanners and high-maintenance databases of tens of thousands of signatures that must be applied to every file or every file operation. It's a lot simpler than pretending that DNS is the correct tool for host security as well.
If OpenDNS maintains a highly effective, well-maintained blocklist and if many people start using it, what happens next is rather predictable. A worm/virus that can compromise the machine can also alter that machine's DNS settings. It could make the machine stop using OpenDNS or worse (as another poster has pointed out) it could make it use a hostile DNS server. You can expect this to be a standard malware feature if OpenDNS's efforts are successful. That's the downside of participating in an arms race. The best way to avoid an arms race is to realize that mitigation techniques, while not completely useless, have extremely limited utility and that prevention is the only actual cure.
Could you elaborate on this massive privacy problem you talk about? Like you don't have this massive privacy problem by using your ISP's DNS servers, which can actually match DNS queries to a user account?
And who asked if OpenDNS is about the "everyday internet user" crowd? It's a DNS service! Do you want a CSI-type frontend with it?
It could be worse. Does anyone else here remember the 'Site Finder' chaos, when Verisign returned their own sales website domain for all nonexistent .com addresses? As the managers of .com, their behavior screwed up network monitoring tools worldwide, and misdirected huge amounts of misaddressed email to their servers, without warning. Patches were quickly released for every major DNS software package to block it, which is probably the real reason it got dropped: having every DNS server in the world used to the idea that 'I can block the behavior of idiots' is very, very bad for companies like Verisign that have repeatedly misused their position of trust against third parties.
What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.
I think trying to explain this to people is a lot like back when AOL tried so hard to tell customers that their staff will never ask for their account password. Despite repeated warnings and prompts, the password phishers never seemed to have any problems. Those hardheaded users preferred the convenience of refusing to stop and think or to change their habits because both of those require a small amount of effort.
Likewise, people who feed trolls prefer their little emotional outbursts and the righteous feelings they get from them and are not interested in whether they are part of the problem. The idea that they are doing exactly what the troll wanted them to do does not get their attention. They may claim otherwise or feel inclined to argue with me about that, but this is very simple: when a person's words tell me one thing and their actions tell me another, I disregard their words every time. They don't really give me a choice in the matter.
Guess what browsers and web-proxies have done for, umm, 10 years? Mine says "Name Error: The domain name does not exist". What could OpenDNS possibly add to this simple message, other than their spam?
Better approach to what?
Why not just use your ISP's nameserver?
But they are breaking the standard. In particular RFC 2308, under section 8:
Note the absence of statements like "lookup failures should silently map to A records that point to webservers serving spam".
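The RFC 2308 point above, as an added example that is not part of this thread or of OpenDNS's code: a small Python parser that inspects a resolver's reply to a query for a name known not to exist (constructed packets under the reserved `.invalid` TLD, not real captures) and reports whether the resolver returned NXDOMAIN or synthesized an A record, which is the check a practitioner would run to detect the typo-redirection behaviour discussed here.

```python
import struct

RCODE_NXDOMAIN = 3  # RFC 1035 "Name Error", the response RFC 2308 expects

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def build_response(qname, rcode, a_records=()):
    """Construct a minimal DNS response to an A query (sample input only, not a capture)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the RCODE in the low 4 bits
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in a_records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + question + answers

def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return (rcode, list of IPv4 strings from A records) for a DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips

def classify(data):
    """For a query on a name that must not exist: NXDOMAIN is correct, an A record means the resolver rewrote the answer."""
    rcode, ips = parse_response(data)
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    return "SYNTHESIZED" if rcode == 0 and ips else "OTHER"
```

Against a live resolver, send the same wire-format query for a canary name over UDP port 53 and pass the reply to classify(); a SYNTHESIZED result means NXDOMAIN responses are being rewritten.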
I'm the founder of OpenDNS. I've decided to reply even though these comments are heinously wrong, and probably just me feeding the trolls...
We have never sold user data, ever. We also have no CDN bills, we don't even use a CDN. We've built a global BGP-speaking network with hundreds of peers around the world. I know, because I built it. We peer at LoNAP, LINX, PAIX, SeattleIX and on a few of the Equinix peering fabrics around the US.
The idea that we would build our business based on monitoring user data is preposterous. I wouldn't stand for it, nor would our employees. I'm confident that all our engineers are just as vocal or more vocal about doing the right thing than you are. We make it very clear how we make money, and it's all over our website. Go to http://guide.opendns.com and do a search. The sponsored results are ads where we get paid, the organic results are regular search results. That's how we make money. We might offer an enterprise for-pay service down the road as some of our customers begin to demand tighter integration with their network but for now, we're happy with our business. And I'm happy to report that we're profitable and stable, even in this economy.
And as to the OpenDNS proxy. It's true, we do redirect certain Google requests through a proxy so that we can make our OpenDNS shortcuts and some other features work more reliably. Two important things here: First, we peer with Google at every datacenter, so we aren't adding to your latency or anything else. Second, we don't log and store any data and we certainly don't care about it. We prefer to be able to confidently say we aren't keeping data on it. Of course, you are welcome to disable it by going into your settings and disabling the OpenDNS proxy. That's it. Do that and we don't ever see the request. Pretty easy. End of story.
David Ulevitch
Founder, OpenDNS
# Hack the planet, it's important.