Cisco To Acquire OpenDNS

New submitter Tokolosh writes: Both Cisco and OpenDNS announced today that the former is to acquire the latter. From the Cisco announcement: "To build on Cisco's advanced threat protection capabilities, we plan to continue to innovate a cloud delivered Security platform integrating OpenDNS' key capabilities to accelerate that work. Over time, we will look to unite our cloud-delivered solutions, enhancing Cisco's advanced threat protection capabilities across the full attack continuum—before, during and after an attack." With Cisco well-embedded with the US security apparatus (NSA, CIA, FBI, etc.) is it time to seek out alternatives to OpenDNS?

Just run your own

And point it at the roots. Done.

Re:Just run your own

Or be a better netizen by running your own and forwarding to your ISP's.

Re:Just run your own

[kheldan]

You're assuming that what you think are the root DNS servers are actually the root DNS servers, and that they're not being spoofed by the CIA, NSA, or whoever in the first place. You're also assuming that your ISP would allow you to do such a thing, and not brand you as someone up to no good, and cut you off.

I never trusted OpenDNS much in the first place, certainly no more at best than I would any ISP's DNS servers.

Re:Just run your own

[bill_mcgonigle]

Or be a better netizen by running your own and forwarding to your ISP's.

The whole reason OpenDNS even exists is because ISP's proved they cannot be trusted to run an honest DNS. And let's not pretend that DNSSEC is universally deployed.

Most people here can setup up a 99 cent VPS with an openvpn endpoint running a recursive resolver, limited to the openvpn net. That fits in the smallest slice of RAM available in 2015 and will work fine.

Most other people cannot, though. Google's DNS is honest, if you don't care about tracking - but most people care more about free stuff than privacy.

Re:Just run your own

How is this better?

The ISP's DNS grabs any name that does not resolve and points it to a spam/add site with popups/popunders.

I set up my own to resolve to the roots and got rid of the spam, popups, and other crap that Time Warner redirects you to.

To top it off, I added a list of domains to my DNS to block. Including all the TimeWarner domains with popups.

Re:Just run your own

[greenfruitsalad]

please elaborate on the tracking. where did you get that from? that's an honest question; i use google's servers as last resort backup dns.

Re:Just run your own

So instead of any solution, you have NO solution. +1 Internet to you, sir.

Re:Just run your own

[nine-times]

Someone may correct me if there's more to it, but I think it's just that some people are uncomfortable with Google having so much access to information about us. Any DNS server you access will have the potential to keep records of which IP addresses made which queries, which potentially gives Google even more tracking data. As far as I know, there's no real sign that they're using that data, but to some extent, they're a company that makes money from collecting data about their users, so...

Re:Just run your own

That is what DNSSEC is for. Even tough the top most request may not support DNSSEC, the roots and an increasing number of TLDs do.

BTW the result will be that you don't get any responses on your client for DNS requests. So The Internet will be broken.

Re:Just run your own

[wiggles]

There's only one reason Google gives anything away 'for free' - it's because they're mining data from your connections to better target ads at you. They absolutely monitor every DNS lookup on their servers and use those lookups as part of their profile on you as a user.

Re:Just run your own

If you ask google's dns servers what ip is at www.overthere.com... it knows you want to go to www.overthere.com? A vast majority of people can be uniquely identified just by their list of most visited sites. Caching probably offsets this a little, but still much more valuable than other ways of getting this data.

Re:Just run your own

[QuietLagoon]

Most people here...

Most other people...

most people care...

A self-appointed spokesperson for "most people"?

Re:Just run your own

[afidel]

Or broken DNS is so pervasive that it is interfering with their ability to offer other services. If you're interested in the privacy policy around Google DNS it's available here. The quick TLDR is:

What information does Google log when I use the Google Public DNS service?

Google Public DNS complies with Google's main privacy policy, which you can view at our Privacy Center. With Google Public DNS, we collect IP address (only temporarily) and ISP and location information (in permanent logs) for the purpose of making our service faster, better and more secure. Specifically, we use this data to conduct debugging and to analyze abuse phenomena. After 24 hours, we erase any IP information. For more information, read the Google Public DNS privacy page.

Is any of the information collected stored with my Google account?

No.

Does Google share the information it collects from the Google Public DNS service with anyone outside Google?

No, except in the limited circumstances described in Google's privacy policy, such as legal processes and enforceable governmental requests. (See also Google's Transparency Report on user data requests.)

Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?

No.

Re:Just run your own

[LWATCDR]

So any DNS you use could do this.
So isn't it logical to use one that is being run by a massive competent company that is already making huge profits and has the whole world watching them vs some small org that is just trying to make ends meet that no one is paying attention to.
Frankly if I was the CIA I would be intercepting traffic to the small oddball servers more than Google.

Re:Just run your own

[LWATCDR]

You tool of the megacorps how dare you bring up facts that distort that crusader for freedom's self identified truth.

Re:Just run your own

[nine-times]

Well DNS isn't really secured, so if you're worried about the CIA intercepting your DNS traffic, I don't think which DNS server you use is going to be extremely important there.

But yeah, any DNS server could gather and store records about every query, and which IP address the query came from. Many people don't consider that amount of data to be invasive enough to worry about. For most people, the worst information it would leak is that, just like almost everyone else, you're visiting porn sites.

Re:Just run your own

[LWATCDR]

actually I am not very worried about DNS privacy.
I just wish we could go back to the old days of Slashdot when it was all about cool dads building battlemech tree houses instead of the tin foil hat crowd.

Re:Just run your own

[ArcadeMan]

Actually, that's -1 Internet for him.

Re:Just run your own

[nine-times]

I'm also not too worried about DNS privacy, but I don't see the problem with Slashdot being the sort of place where nerds talk about network security.

Re: Just run your own

The US government said the same thing about data collection even after being confronted. Look where that got is all. Why trust it?
One of the creators says privacy is dead
Google it's found to be defeating private browsing for Safari
Google and tons of others are found to silently cooperate with wholesale government data collection (remember last year's headlines about Google Facebook and others begging for good pr by requesting permission from that same lying government to ungag and reveal how much they really are forced to share in secret)
TOS can change overnight and not require users to receive a penny in compensation or even an apology back by real improvement. We continue to be the product. Like the government has proven in courts for FOI requests you cannot start a lawsuit for something that allegedly does not exist until you tell the courts exactly what to look for. By the time we find where Google is outsourcing the IP data or what side channel is recording the results that they claim are not parts of our Google account they will pull out some other plan with its own law-skirting provisions.

I feel safer with DNS from a small our unknown provider than from giants who have the PHDs and perfected processes to monetize and cocorrelatey data across continents with YouTube, DNS, email, search, browser and android spying.

Re:Just run your own

[fnj]

You're also assuming that your ISP would allow you to do such a thing, and not brand you as someone up to no good, and cut you off.

I pay my ISP to give me a pipe to the internet. I use that pipe to contact numerous different public servers using numerous different protocols. If some of those servers are DNS servers, and I use DNS protocol to contact them, it is none of their mother fucking business. And indeed, my ISP clearly couldn't care less if I am doing it. If they tried to stop me, I would just ssh tunnel forward through a VPS and fuck em.

I never heard of anybody ever being "cut off" for doing this.

Re:Just run your own

[kheldan]

My point is that you have NO control over the root DNS servers (or any other DNS servers you don't own), or what happens in the route between you and any DNS servers, so how do you know what's really going on? If you were to directly use the root DNS servers, how do you know traffic in either direction isn't being tampered with? You have to assume that any data of any kind sent or received from the public Internet is inherently insecure, and there's plenty of historical evidence to prove not only it's plausibility, but it's likelihood. All you can do is make the best choices you can based on available information, and hope you're not being sold down the river by some three-letter agency, or who knows who.

Re:Just run your own

[houghi]

I use an alternative DNS server, becausde the ISPs in my country are orderd to block certain (torrent) sites. As I already give enough info to Google, I use servers I found on http://wiki.opennicproject.org...
With http://wiki.opennicproject.org... you can find witch one are closest,

I used to run my own, but after a re-install I did not yet bother.

What I think is strange is that nobody has made an easy local DNS server (for Windows) e.g. just a program that listens on port 53and only fromlocalhost and is just a DNS server. So no additional (local) zones. No additional things. Just a stripped down caching DNS server.

Just point to 127.0.0.1 as DNS server and done. No other changes should be needed. No kill of domains.No nothing should be needed.

Re:Just run your own

I think the phrase "tin foil hat" is used far too often, and most commonly by people who know next to nothing about network security. For example, OpenDNS created the DNSCrypt project, which encrypts the DNS lookups. Sounds like diamond-coated tin foil hat stuff, no? Well, incidentally, it also protects from MITM attacks that have been used on DNS lookups, which have nothing to do with nation-state protection and everything to do with protection from criminals.

Please stop using that phrase.

Re:Just run your own

[fph+il+quozientatore]

Frankly if I was the CIA I would be intercepting traffic to the small oddball servers more than Google.

Frankly, at this point, if the CIA cannot access and intercept data from Google they are utterly incompetent in doing their job. For the cost of (at most) giving an employee a suitcase full of money, you get an incredible bonanza of data. Which secret service wouldn't do it?

Re:Just run your own

[Krojack]

I never heard of anybody ever being "cut off" for doing this.

Yet..

If the big 2some Comcast and Verizon get their way with net neutrality then you can be sure this will be on their list of pipes to control. I'm already shocked they haven't tried blocking all internet ports and selling various ones in packages. Oh you want FTP? then you need to upgrade your Internet package to the next tier. You want VoIP port 5060? I'm sorry you can't have that. It directly competes with our own telephone service.

Re:Just run your own

[TCM]

Whether there's someone sitting on your line and grabbing your traffic or tampering with it is completely irrelevant because that problem exists in any case. By running your own resolver, you don't publish your queries directly to a third party on top of that and that's a good thing.

Re:Just run your own

[stackOVFL]

Yeah, and besides tinfoil hats aren't normally used for networking stuff. More gov and ET related stuff.

Re:Just run your own

[zenbi]

Pretty sure Windows comes with a simple DNS server service since the NT days. You may need to check an additional option to turn on the feature, or it may be hidden somewhere under the IIS settings.

Unless they removed it. I admit, I haven't touched Windows for anything server related in years.

Re:Just run your own

[pr0nbot]

A former colleague of mine left to a startup which some years later was absorbed by Google. The work she does at Google involves access to multiple Google databases (to detect fraudulent access patterns), which is apparently unusual. I asked her about the DNS database; she said that is the one database to which she (and most other projects at Google) doesn't have access. I took from this that Google does track DNS access.

Re:Just run your own

Does Google always tell the truth

Yes, of course

Does Google always live up to it's motto of "Don't be evil"

Yes, of course

Re:Just run your own

[pr0nbot]

Clearly what we need is a blockchain DNS! (I don't know what blockchain is, but I know it solves all problems. I think you get it from a hardware store, but I couldn't say whether it's in the blocks or chains aisle.)

Re: Just run your own

The US government said the same thing about data collection even after being confronted. Look where that got is all. Why trust it?

What is the alternative? Switch back to your ISPs DNS, where they have admitted they do all of the above, never delete logs, link it with your subscriber ID, and sell it to ad companies for profit?

Sounds like you are bitching about how much some unrelated party makes from your DNS requests being sold to the same large group of abusive companies.

Pretty sad actually.

Re:Just run your own

I think the phrase "tin foil hat" is used far too often, and most commonly by people who know next to nothing about network security. For example, OpenDNS created the DNSCrypt project, which encrypts the DNS lookups. Sounds like diamond-coated tin foil hat stuff, no? Well, incidentally, it also protects from MITM attacks that have been used on DNS lookups, which have nothing to do with nation-state protection and everything to do with protection from criminals.

Please stop using that phrase.

It was actually created by Yecheng Fu who has nothing to do with opendns. Since he lives in mainland China, his motivation is obvious.

What they created is a user interface (there was already one, not developed by them: winclient, created by noxwizard) to get some press and then their app became abandonware - last update: 2012.

Re:Just run your own

[omnichad]

So any DNS you use could do this.

But they actually own an ad network to put the data to use.

Re:Just run your own

[kheldan]

Hmm, that's a good point. However if too many people were going directly to the root servers, eventually wouldn't they take some action to limit access to whoever needs it (as opposed to who wants it) to reduce the workload on the servers? Bypassing all the lower strata of DNS servers kind of breaks the way the system was designed, doesn't it? Of course these nudnik ISPs and other bad actors out there 'tampering' with DNS for whatever their reasons are, are certainly breaking the way the system is supposed to work, too..

Re:Just run your own

well people install google chrome, and the omnibar key logs every key you type... that's worse than using their free dns... with their free dns they only know the domain, but not the URL.

Re:Just run your own

Namecoin.

Re:Just run your own

I think you get it from a hardware store, but I couldn't say whether it's in the blocks or chains aisle.

It's in the aisle with tackles, but you need all three to really do any heavy lifting.

Re:Just run your own

[WuphonsReach]

Services like DNS really belongs at the network level, not the local PC level. If only for the possibility that there are 2+ people on the local network who query the same thing and the DNS server can cache / return the results. Or, since the network server is likely to be left on 24x7, it can cache answers across reboots of your local PC/laptop.

Something like pfSense on the firewall to the outside world with "unbound" running does just fine for this. You can configure it to talk to your ISP's DNS servers, Google's servers, or set it up to start at the root DNS servers and do its own heavy lifting.

Re:Just run your own

[WuphonsReach]

Hmm, that's a good point. However if too many people were going directly to the root servers, eventually wouldn't they take some action to limit access to whoever needs it (as opposed to who wants it) to reduce the workload on the servers?

The only reason BIND / unbound talk to the root servers is to find out which DNS servers are authoritative for the various TLDs. The DNS root servers do not return the answer for "what is the IP address of maps.google.com", they only return the answer for "what DNS server is authoritative for .com?". Once your DNS server has the answer for ".com", it goes and asks the ".com" servers about what server handles "google.com".

I've read that a well behaved DNS server will only talk to the root servers about once every 48 hours, or whenever it hits a new TLD that is not yet cached.

Re:Just run your own

[kupekhaize]

The whole point was to avoid the ISP's crappy, overloaded servers to begin with. If the DNS server doesn't respond with an NXDOMAIN for a non existent domain, it's not worth talking to.

Ever again.

Re: Just run your own

Google it's found to be defeating private browsing for Safari

That's why I use Chrome... Oh, wait.

Re:Just run your own

[halltk1983]

Most consumer internet blocks port 25, and you have to get business class to get unblocked.

Re:Just run your own

[kheldan]

I'm not claiming to know how the whole system works; I'm getting a quick education on the subject as we're discussing it. It sounds like the overall load is well-distributed. You seem to understand it well enough to answer this question: If, say, even 10% or so of everyone did an end-run around ISP-based DNS servers in this way, would it theoretically cause enough excessive traffic that it would annoy the admins responsible for them?

Re:Just run your own

most people would assume so

Re:Just run your own

[raind]

If it is a free app, service, etc, you're not the consumer - you're the product.

Re:Just run your own

Google (and all other companies) is obligated to cooperate with the government. There is no need to hand over any suitcases.

Re: Just run your own

Your provider can read, log and analyze your DNS requests whether you use the provider's servers or not. DNS is not encrypted. Mostly it's not even signed, and even when it is, the signatures are mostly not checked. The farther you send your DNS requests, the more nodes can read them. You would have to access remote DNS resolvers via VPN if you wanted to make sure that your provider doesn't have access to that data.

Whether you trust Google or not is your own decision. Personally I treat privacy policies like other disclaimers: "This is how we say it is until you prove us wrong." Setting your system up in a way which requires you to trust more strangers than before seems counterproductive, unless it gets you a significant direct benefit in return. Google's DNS does not provide any additional value over a local recursive resolver, so why would you give them your DNS requests?

Re:Just run your own

[LWATCDR]

Network security yes.
the OMG Cisco is buying them and the Gov will spy on me now is what I could live without.

Re:Just run your own

[Krojack]

That's primarily to less-in the damage from malware and virii from sending out mail and forcing people to go though the ISP's mail server. Most mail host will also open smtp on a second port to get around this.

Re:Just run your own

[slashdotwannabe]

Frankly I would be shocked if the major services (i.e. Google, Microsoft, Apple, Facebook, etc) weren't all penetrated by by ALL of the nation-state level intelligence agencies in exactly the manner you state. Suitcases full of money to a half-dozen engineers in a couple of dozen companies amounts to a rounding-error in a black budget.

At this point, the only thing really protecting "bad guys" is the size of the ocean, not some inability to fish in it.

Re:Just run your own

[Trax3001BBS]

Someone may correct me if there's more to it, but I think it's just that some people are uncomfortable with Google having so much access to information about us. Any DNS server you access will have the potential to keep records of which IP addresses made which queries, which potentially gives Google even more tracking data. As far as I know, there's no real sign that they're using that data, but to some extent, they're a company that makes money from collecting data about their users, so...

I just happen to use and dare say trust Goggle, no matter what search engine you use with the exception of https://duckduckgo.com/ will track you. I do read the ToS's and privacy policies of any site I'm about to register on it's the data collected that your being informed of, I've refused to register on some sites over it or had second thoughts and bailed (Microsoft's Insiders program).

It's many features or abilities is why I use Goggle - and they give back to the community, the only company I know of that does it on their scale, Goggle Earth while very useful was first seen as incredible; it's now Goggle Earth Pro.

Above all you have to remember they make their living off of your data, Goggle Earth Pro was once sold (mostly to companies doing demographics), it will show you the tax assessment of every building I've check but one. I have an unlikely video hit on youtube.com the demographics given me are vast, and varied - while myself I'd never put an ad or overlay on any video; it's interesting the ages of people who are most likely to participate in a specific activity.

Angry Birds (www.Rovio.com) has or had (it's been awhile, and now have it blocked) what was the most informative ToS and privacy policy I've ever read. They list where your data is being sent, the only one left in question is what does "data sent overseas" mean. The data they collect they sale to Flurry.com (Goggle) who with that data and what Goggle has collected are combined and sold to advertisers who wish to send ad's that you would be interested in (targeted ads). It's important to get your mobile devices opt'ed out of Flurry.com

Bottom line, I trust Goggle to a point, as I won't use their DNS's, while tracking is ok within reason, I don't need to give it to them, and what's collected going through their DNS's? All ToS's and such claim unidentifiable information (but they've got your IP address) they don't need to know who you are, just your interest. There's a reason another Goggle sever center is being built, they need more space for what they do.

Re:Just run your own

[mundlapati]

Please check http://wiki.opennicproject.org...

Re: Just run your own

I think you are looking for TreewalkDNS. I was prompted probably by this /. story and started running it yesterday.
I don't have experience with nslookup and dig command performance to tell if it is bad, or if my former DDWRT + ISPdns is faster.

It seems the author's original site is dead, and that some other program called WordNet Treewalk came up on bing or duckduckgo to throw me off for a bit.
Anyway, I found that this is set it and forget it after you install and reboot. It points windows DNS to 127.0.0.1 and as backup, it goes to your router.
Mind you, you want your router to point to 192.168.0.n where n is your octet for that DNS pc, AND because the PC goes to sleep, you point the secondary and tertiary back to whatever you've snooped your ISP's DNS to be. You can manage the service under services.msc by stopping or disabling twdns

I have only used this for a day, and queries can take between 200ms and 2000 until you try. A downside is that I don't know how to inject my trusty hostfile to keep blocking ads centrally like I used to

That'll be the end of that then

Any trusted alternatives?

Good.

[rot26]

Oh, wait, what's the opposite of good? Bad? Yeah, bad, this is bad.

Re:Good.

Oh, wait, what's the opposite of good? Bad? Yeah, bad, this is bad.

8.8.8.8

Re:Good.

Google, like you're mom, is infested with STDs.

Re:Good.

[rot26]

Exactly, what possible motive could Google have for monitoring your internet usage through DNS? I've used them for years. You know, don't be evil and all that.

Re:Good.

[rubycodez]

what google does for money: tracking for marketing and any government entity that either asks for it or takes it

Re:Good.

[ArcadeMan]

Serially Transmitted Domains? Yeah, that's what a DNS is for.

Re:Good.

[ahodgson]

Their entire business is based on monitoring your internet usage and using that to learn about you so advertisers can make more money from you. Of course they're monitoring your Internet usage.

A much better question would be, what possible motive could they have for offering a "free" service that doesn't monitor you?

Re:Good.

It improves access to their other services which do monitor you?

Re:Good.

[bored_engineer]

Sorry. Undoing a bad moderation.

Lol what?

"With Cisco well-embedded with the US security apparatus (NSA, CIA, FBI, etc.) is it time to seek out alternatives to OpenDNS?"

Does OP seriously believe he is going to evade the "US security apparatus" by picking a different public DNS provider?

is anyone using it?

[nimbius]

outside of a very sophmoric attempt at content filtering, im not sure this service did much? (aside from molest dyndns' API for a user fee.) They basically poison NXDOMAIN for profit...under the auspices of attack prevention and puritanical righteousness.

Re:is anyone using it?

[cfalcon]

What's a superior DNS, in your opinion?

Re:is anyone using it?

outside of a very sophmoric attempt at content filtering, im not sure this service did much? (aside from molest dyndns' API for a user fee.) They basically poison NXDOMAIN for profit...under the auspices of attack prevention and puritanical righteousness.

The primary reason I use OpenDNS is for DnsCrypt, not for any filtering they provided.

Re:is anyone using it?

[MatthiasF]

Malware domain filtering as well, don't forget that.

The best defense against virus and malware is blocking them before your computer can even connect to download.

Re:is anyone using it?

One you run yourself. Not like setting up and maintaining bind is all that hard to do.

Re:is anyone using it?

[magical+liopleurodon]

8.8.8.8?

Re: is anyone using it?

Ironsides DNS, using exception free Ada code might be more secure. http://ironsides.martincarlisle.com/

Re:is anyone using it?

[drinkypoo]

Google, of course. Any DNS sizable enough to trust is likely to be a tool of the state, but at least Google is competent.

Re:is anyone using it?

What's the value you get out of DNSCrypt to OpenDNS? Instead of your ISP seeing your DNS traffic and requests, OpenDNS (and now Cisco) gets to see your DNS traffic and requests.

Am I missing something?

Re:is anyone using it?

Go away with your pesky facts!

If it has encryption, it's more secure! Hurr durr.

Re: is anyone using it?

[corychristison]

I've always used Level3, personally. Its anycast based, like Google's service.

Just pick 2 or more of the following:
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6

It is even somehow faster than my ISP in terms of response time.

Re:is anyone using it?

127.0.0.1

Re:is anyone using it?

That's my problem with them. I prefer my ISP's DNS service to Google's, because my ISP is likely not competent enough to actually understand the data and truly track me. Google certainly is. They're not running 8.8.8.8 out of the kindness of their hearts.

Re:is anyone using it?

[greenfruitsalad]

but how do you do content filtering yourself? i do not want to worry about my children stumbling upon goatse when all they want to see are baby goats. believe it or not, opendns filters are pretty good. it would be nice if cisco made the crowdsourced domain name ranking database freely available but i doubt that'll happen.

i have tried norton connectsafe in the past but compared to opendns, it was rather poor.

Re: is anyone using it?

I've been using 4.2.2.1 so long, they know my preferences in Asian food.

Re: is anyone using it?

It is even somehow faster than my ISP in terms of response time.

Well, sure, it's quicker to just access the NSA DNS servers directly, without your ISP as a middleman.

Re:is anyone using it?

Google, of course. Any DNS sizable enough to trust is likely to be a tool of the state, but at least Google is competent.

Or if there was competent admins, we could use any DNS and be reasonably assured it works as intended. DNSSEC.

Re:is anyone using it?

[afidel]

You know you could signup for a free account and turn off NXDOMAIN redirects, right? Of course it's a moot point since they turned it off globally years ago.

Re: is anyone using it?

[afidel]

L3 has introduced random delays in their resolvers for anyone off-network so if you want decent performance you'll use just about anything but those. Google had some performance issues when they first introduced their anycast clusters but today they're as fast as anything I've tried.

Re:is anyone using it?

[bigfinger76]

There are blacklists you can use. Alternatively, you can query DNS servers that do the filtering for you (blacklisting is done on their end).

Re:is anyone using it?

Squid can do a much better job at filtering than any DNS-based solution could ever hope to.

Re:is anyone using it?

[laie_techie]

One you run yourself. Not like setting up and maintaining bind is all that hard to do.

At some point you will have to query an outside server. You don't plan on having billions of domains in your own DNS, do you? The problem is that some DNS return an IP for an ad site instead of correctly telling you that it's an unknown host. Or, returning an IP for an ad site instead of saying that a particular host is blacklisted.

Re: is anyone using it?

Keep in mind that if you're not a Level3 customer, you are in effect using someone else's DNS, which you aren't even contributing to supporting. It's the ultimate freeloader stance, which is akin to being something of a sponge.

Level3 has never purported to be the DNS for the world. Use a root server or Google's DNS, as the root servers are for public use and at least Google welcomes public use. Level3 has made no statement indicating it welcomes the entire internet using their DNS servers.

Also, all those concerned with tracking. Keep in mind that DNS is about distributing publicly accessible records, so curtail your security concerns to the sensible side of security concerning the exposure that DNS already provides.

Re: is anyone using it?

You.. don't really know what DNS does, do you?

Re:is anyone using it?

[greenfruitsalad]

squid doesn't just summon a list of adult/malware/etc domain names out of thin air. opendns's advantage is in the gigantic crowdsourced database of domains and their classification. if that database were a separate opensource project that anybody could use and pull updates from, i'd happily use my own Unbound resolver.

Re: is anyone using it?

Supervise your kids. You know, that parental responsibility thing. The internet is not your babysitter, YOU are.

Re:is anyone using it?

Why not use another one?

The majority of DNSCrypt resolvers are run by OpenNIC: https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

Or run your own DNSCrypt server: http://dnscrypt.org/

Re: is anyone using it?

L3 has introduced random delays in their resolvers for anyone off-network

source on this?

Re: is anyone using it?

You sound like a 15 year old.
You really have no experience with children, do you?

Believe it or not, parents also have other responsibilities rather than their eyes being transfixed on their child 24/7.

Re:is anyone using it?

[Whiteox]

Yeah. If your ISP's DNS server is in a country that is monitoring requests, then:
A: Your ISP can see what you are viewing
B: They would be bound by law to hand over the logs.
By going out of the geopolitical boundary (that's if you can) for DNS, then it's 1 chink in your armour.

Re: is anyone using it?

[antdude]

Do they have filters like OpenDNS?

Re:is anyone using it?

[greenfruitsalad]

i don't think there are. (i'm not talking about blacklisting spammers)

regarding querying other dns servers to get content filtering on my dns server, that completely defies the purpose. whether my client PC uses opendns or my home dns server is the same thing (from their point of view). they are still queries from the same gateway IP address.

Re:is anyone using it?

[drinkypoo]

I prefer my ISP's DNS service to Google's, because my ISP is likely not competent enough to actually understand the data and truly track me.

You only think this because you don't know how the system works. Ignorance is a bitch, prepare to be educated: The FBI serves your ISP with a letter telling them they have to collect your DNS requests. It doesn't matter where your requests go, because your ISP logs all of your DNS traffic, maybe the contents of any unencrypted HTTP requests you make (the URL, that is) and anything else the FBI wants. Then, on a regular schedule, they provide that information to the FBI.

Probably every ISP of any note in America is collecting logging data on at least one of their customers. I would be shocked, amazed, and almost appalled if I weren't one of them :)

Re: is anyone using it?

[corychristison]

If they didn't want off-network users to use it, they would firewall it to just their subnets. I get they have a very large network that is ever expanding, and it may just be easier to not lock it to their subnets, but seriously it's not that hard.

I don't use my ISPs DNS because they resolve non-existent zones to some bullshit landing page in which they try to "help" users find what they were looking for, effectively breaking DNS in my opinion.

I don't use Google's because it sucked the last time I used it (when it was new, I suppose it is probably better now). Tracking isn't a real concern of mine in terms of DNS, although I do block Google Analytics via dnsmasq on my router. I just don't trust Google. They abandon services all the time. Quite frankly, I didn't expect their resolvers to stick around this long.

I own a web hosting business. We have a few servers in a datacenter. I run my own resolvers that are locked down to my /25 subnet, they resolve off the roots, specifically d.root-servers.net, and e.root-servers.net. Get less than 2ms on those.

At home, however, Level3 is still faster than any of the roots. :-/

Re:is anyone using it?

[bigfinger76]

Uhh....what?

Who cares what IP address the queries come from? We're not talking about anonymity here, we're talking about content filtering via DNS. What matters are the results that are returned to the client.

Re:is anyone using it?

[Where's+my+towel]

Hit the nail on the head with this one. This is the bit where the Cisco "better together" argument actually makes sense. It's also the part of the puzzle many of Cisco's biggest customers (ISPs, Fortune 500, Governments) really care about - Slashdotterss may be able to keep their ten-node home networks clean easily but these guys really struggle to keep their 10,000 node networks clean.

It's not just Malware - it's Spam, Phishing, Spyware, Botnet C&C traffic - basically anything bad on the net. The amount of data Cisco has on this stuff as a result of telemetry from their routing and switching business and the more importantly the previous Ironport, SourceFire, TheatGrid and ScanSafe acquisitions is huge - arguably the richest set of security related data in the business. Simply adding the WebRep domain levels blocks from Ironport's data to OpenDNS would improve the overall protection massively.

Of course, Cisco's ability to successfully integrate all of this stuff without falling over themselves is another story - one of the reasons why I left.

Fitting match for an overpriced service

Used to use OpenDNS at work. They used to be a great low cost content filter until they found out they could brand themselves as an "Enterprise" product and charge out the ass for it.

It's a great product (Except that it completely breaks hosted exchange. Conditional forward the domains of your exchange hosts to a "normal" resolver or you will have no ends of random, unexplainable problems) and it works well. You don't need some assnine proxy server/appliance as an extra point of failure and you don't need some shit client software that only works on windows.

Did a great job of keeping porn off the pubic access systems, and malware/phishing/garbage off staff systems. And it used to be cheap! Why would it be expensive? It's just a fancy resolver.

But I guess they found out that their competitors were charging about 10x per seat what they were, and that they were missing out on free money. They'll be right at home, being absorbed in to the money pit that is Cisco systems.

is it time to seek out alternatives to OpenDNS?

[fustakrakich]

Is this the inverse of that headline rule thingy?

Re:is it time to seek out alternatives to OpenDNS?

Betteridge's Law.

Bye-bye, Open DNS / Hello, Hackers!

[__aaclcg7560]

The same Cisco that has default SSH keys on their security devices that allow hackers to run wild?

With Cisco well-embedded with the US security appa

I assume OpenDNS is just embedded with the US security apparatus as Cisco, and have been from the beginning. Either they are under secret court orders and they never could talk about it or that they in fact an part of the NSA, like Tor. The only computer safe from Big Brother has full air-gaps and is inside a Faraday cage.

So, I do not even try hide from Big Brother, I hide from the casual little brothers, like DoubleClick, RIAA, MPAA, my ex-wife, etc.

Re:With Cisco well-embedded with the US security a

Your ex-wife is your little brother?

Eew...

well-embedded with the NSA, CIA, FBI, etc.?

I see people are repeating this, hoping to make it believed. Not that I love Cisco either (or Oracle or SAP or... you get my drift) but that just isn't fair.

Is it that you can't believe that the NSA would get in without insider help? There have been at least a half dozen brands, many non-USA, that they are said to have gotten into. Surely a Chinese vendor wouldn't cooperate with the NSA. Unless you want to believe Huawei is well-embedded with the NSA (ha, ha, seriously...) it is wrong to make these assumptions about Cisco.

Don't go pointing at payments either. The NSA is required to pay for hardware just like everybody else. They can buy through a reseller, so it isn't as if Cisco could actually prevent a purchase. The same goes for any other equipment vendor. The products are for sale, and anybody with the money can get one.

Re:well-embedded with the NSA, CIA, FBI, etc.?

...

They can buy through a reseller, so it isn't as if Cisco could actually prevent a purchase. The same goes for any other equipment vendor. The products are for sale, and anybody with the money can get one.

Cisco does not do direct sales, so anybody wanting their hardware must go through a reseller, including the gov. Now whether the buyer is in bed with the reseller is another story.

Re:OpenDNS is for cows.

Le cow says "SHAZOO!", you insensitive clod!

BIND

[Medievalist]

What's a superior DNS, in your opinion?

Point your Berkeley Internet Name Domain server at the root nameservers.

All the services that provide intermediaries to the real DNS are in the business of directing your traffic for their profit. If you are happy being a clueless end-user, the best you can do is 8.8.8.8 (Google) since they are at least built to a reasonable scale.

But it's still not really DNS... it's asking somebody else to do your DNS for you. Which is OK for non-geek end users.

Re:BIND

[bigfinger76]

Distributed, hierarchical servers are the way DNS was designed and intended, so it actually is DNS. Trusting the hierarchy is another matter altogether.
So your point still stands. Do it yourself; it's educational and fun.

Synology's NAS

[TheHawke]

They have their own internal DNS and DHCP, but the latter is needed to operate the former, sadly. I'd like to see an up to date instruction sheet to set up and place into production both services sometime. The current set is vague and wooly.

And...

[koan]

Who here trust Cisco?

Re:And...

[Capt+James+McCarthy]

Who here trust Cisco?

Your bank.

Re:And...

[ArcadeMan]

I trust Crisco all-vegetable shortening to get well-done, crunchy french fries.

Oh wait, Cisco? Not me.

Re:And...

Who here trust Cisco?

Your bank.

Who give the US govt direct access to your account information anyway, and that of overseas non US citizens too.

Re:And...

[SeaFox]

Who here trust Cisco?

Your bank.

You bank also trusts Microsoft, so let's consider that for a moment...

Re:And...

[dissy]

Who here trust Cisco?

That depends which definition of trust you mean.

Do I trust them to respond in a certain way under a given set of circumstances?
Yes, I believe I can predict exactly how they will abuse and eventually clusterfuck OpenDNS, and I predict it will not be pretty.

But do I trust them to have my best interests at heart?
Hell no.

Re:And...

[thejynxed]

The majority of banks also trust Diebold (who have ridiculously insecure default settings on their ATM terminals, the manuals of which are available online, and yes, criminals have exploited this), so take that into consideration.

Java updaters...

If Java updaters are any indication, expect to first be taken to ask.com when trying to go to google.

Re:OpenDNS is for cows.

[behrooz0az]

If you were trying to be french,
La vache dit SHAZOO, FTFY

Cisco also bought Snort

http://www.networkworld.com/article/2168383/data-center/cisco-spending--2-7b-for-sourcefire--company-that-commercialized-snort-open-source-secur.html

Now Cisco can screw with our open IDS rules through automatic updates, and they can screw with our DNS (for those who use OpenDNS).

Could have been worse

[Wokan]

It could have been Oracle buying it. I have yet to see them acquire anything and not turn it to shit.

Re:Could have been worse

They've done very well with Java. They released Java 7 after Sun couldn't get it out for 5 years, they settled the closures debate and got Java 8 released, they got Java EE 7 out the door, fixed a ton of security bugs in the applet browser plugin (Java itself is not the security risk), they are getting Java 9's new module system out the door (has been under development for many years), etc. I suspect the Java community is mostly very pleased with Oracle's stewardship.

Re:Could have been worse

Yeah, I was thinking about considering history.
Cisco acquired Snort and ClamAV, and I don't recall hearing about how those got drug through the mud.
Sure, Cisco's recent news about SSH keys being pre-installed is alarming. Then again, Cisco's own IOS/etc.-based products have always been closed source, locked to certain hardware, etc. But the community-created (open source) stuff that they've acquired, it seems that they haven't butchered those things.
I'm rather inclined to think that Cisco will probably handle an acquired OpenDNS in ways we would approve of, based on Cisco's history of handling acquired things in ways that we would approve of, despite Cisco's own name-branded internally-created products being handled in ways that we may not like as well.
Those who know their history may be blessed to repeat it.

Re:With Cisco well-embedded with the US security a

[crashumbc]

AC's shouldn't judge, all of you interbreed.

Re:DNS is for Luddites.

[ArcadeMan]

Oh boy... "apps" guy vs "hosts" guy... whoever wins, we lose. Somebody better nuke them both from orbit, that's the only way to be sure.

Re:DNS is for Luddites.

[rogoshen1]

you'll summon.. him!

We will be finding an alternative

We have used OpenDNS forever it seems, but we will be discontinuing service. Cisco places a value upon your data and habits, even going as far as reserving the right to disable services if they believe what you are doing is objectionable (http://www.extremetech.com/computing/132142-ciscos-cloud-vision-mandatory-monetized-and-killed-at-their-discretion). Cisco lost my business years ago with this move, and now OpenDNS as well.

No big deal right? This impacts our household, the three businesses we run and one of these is an IT service company with a fairly extensive client list. At last count, this will terminate about 220 accounts.

Re:We will be finding an alternative

[davidu]

I'd like you to at least give us a chance. I am still running the ship here.

Re:We will be finding an alternative

[Whiteox]

I thought all those with ID >101 have ascended or have had their consciousness uploaded into some kind of silicon based brain!
Thanks for being here for us, guiding the way.

Re:We will be finding an alternative

[SJ]

I am still running the ship here.

... until the cheque clears.

parental controls

I use OpenDNS for their parental controls not so much for their DNS capability. What parental control software do you use to replace OpenDNS.

Good choice cisco & why? apk

OpenDNS = patched vs. redirect poisoning& hosts work perfectly w/ Open DNS - complimenting them!

(Simply by lightening DNS server loads which their admins should love via users' hardcoded fav sites @ the TOP of their custom hosts files for FASTEST POSSIBLE LOCAL IN RAM RESOLUTION (adding more speed than adblocking alone as well as security vs. threats + "downed" DNS too)).

---

Lastly omnichump & especially in YOUR case?

Hey - "Eating your words" != GOOD nutrition

"Your hosts file comments are not trustworthy" - by omnichad (1198475) on Friday August 09, 2013 @11:22AM (#44520759)

Oh, really? Ok: MalwareBytes' hpHosts Admin (MalwareBytes employee who has seen & verified its sourcecode too no less as safe) hosts & recommends it -> http://hosts-file.net/?s=Downl...

&

MalwareBytes = BEST antivirus (per this VERY recent testing of them all) -> http://www.av-test.org/en/news...

&

It's GUARANTEED safe & clean (per it being checked by 57 antivirus programs recently) in BOTH its 64-bit model -> https://www.virustotal.com/en/...

+

In its 32-bit model also https://www.virustotal.com/en/...

---

Tells us, omniweasel:

* HOW'S IT TASTE "EATING YOUR WORDS" flavored with your FOOT IN YOUR MOUTH ramming them down spiced with the BITTER TASTE of SELF-DEFEAT"?

LMAO...

APK

P.S.=> Lastly: In the past, You also conceded MANY points on hosts to me & made huge mistakes vs. me here http://tech.slashdot.org/comme...

&

Here too http://tech.slashdot.org/comme...

LMAO @ U, "omniloser"... apk

Re:Good choice cisco & why? apk

DO YOU KNOW WHAT A "TSR" IS (terminate & stay resident program)?

Hahahaha, apk is stuck in the 90's. He'll always be a windows luser, nothing more.

Re:Good choice cisco & why? apk

he never said that here so wtf was that about?

Re:DNS is for Luddites.

[oobayly]

Now if only there was a way to distribute hostfiles. Some method of IP would be handy - I suggest using UDP port 53 as it's not being used.

Re:With Cisco well-embedded with the US security a

[oobayly]

Different ACs...

You're right

I Googled it and found out I have nothing to fear from Google. Their people in the Obama administration have assured me that I have nothing to fear from NSA spying too.

I'm not going to worry about it - I just found out there's a cool flying squirrel video trending on YouTube that I can go watch for free.....as long as I let Google spy on me.......

Posting ac to "defend yourself" omniloser?

See subject: Proof's that you quote what I wrote correcting you omnichad.

After all - I asked YOU what you quoted from me years ago that was from here http://tech.slashdot.org/comme...

AFTER YOU STUPIDLY SAID THIS:

"You're right. DOS couldn't multi-task" - by omnichad (1198475) on Thursday May 30, 2013 @11:38AM (#43861407) FROM-> http://slashdot.org/comments.p...

APK

P.S.=> YOU WERE WRONG AS USUAL FOOL - TSR's did run simultaneously with other programs so DOS *did* do multitasking running MORE THAN 1 PROGRAM @ ONCE (& there WAS "european DOS" that actually DID do true multitasking, not just taskswitching ala Dosshell OR NovellDOS type)... apk

Re:Posting ac so you don't get banned, apk?

DOS wouldn't switch tasks until a process entered a syscall (which could be never), so it really was not capable of multitasking.

It says a lot about apk's computer science knowledge that he thinks terminate-and-stay-resident DOS programs from 20 years ago were "multitasking."

I thought you autistic tards were supposed to be good at this stuff!

Learn to read dumbass: European DOS... apk

See subject & https://en.wikipedia.org/wiki/...

PERTINENT EXCERPT/QUOTATION:

"MS-DOS 4.0 was a multitasking release of MS-DOS developed by Microsoft based on MS-DOS 3.1"

You lose/fail, as always, vs. myself, you dumb fuck!

---

New NEWS/NewsFlash/Clue:

TSR's also run @ the SAME TIME as the current foreground program in DOS, so it *did* 'multitask' in a way also, moron (just not like today's more modern OS do).

* Keep trolling by ac & LOSING BADLY vs. myself, see link above & key excerpt from it bigmouth!

Your trollish unidentifiable ac posts? They speak WORLDS of your lack of confidence in yourself! No small wonder that - you always FAIL, just as you have now, lol!

(& it SCREAMS that I've absolutely FLOORED YOU before, and you know it - as I'd bring it right up in here to show how STUPID you are & have been vs. myself in the past...)

APK

P.S.=> If an Operating System (or even a command interpreter like DOS really was) runs more than 1 thing @ once? It IS multitasking stupid... apk