Slashdot Mirror
Cisco To Acquire OpenDNS
New submitter Tokolosh writes: Both Cisco and OpenDNS announced today that the former is to acquire the latter. From the Cisco announcement: "To build on Cisco's advanced threat protection capabilities, we plan to continue to innovate a cloud delivered Security platform integrating OpenDNS' key capabilities to accelerate that work. Over time, we will look to unite our cloud-delivered solutions, enhancing Cisco's advanced threat protection capabilities across the full attack continuum—before, during and after an attack." With Cisco well-embedded with the US security apparatus (NSA, CIA, FBI, etc.) is it time to seek out alternatives to OpenDNS?
Oh, wait, what's the opposite of good? Bad? Yeah, bad, this is bad.
To ensure perfect aim, shoot first and call whatever you hit the target
outside of a very sophmoric attempt at content filtering, im not sure this service did much? (aside from molest dyndns' API for a user fee.) They basically poison NXDOMAIN for profit...under the auspices of attack prevention and puritanical righteousness.
Good people go to bed earlier.
You're assuming that what you think are the root DNS servers are actually the root DNS servers, and that they're not being spoofed by the CIA, NSA, or whoever in the first place. You're also assuming that your ISP would allow you to do such a thing, and not brand you as someone up to no good, and cut you off.
I never trusted OpenDNS much in the first place, certainly no more at best than I would any ISP's DNS servers.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Or be a better netizen by running your own and forwarding to your ISP's.
The whole reason OpenDNS even exists is because ISP's proved they cannot be trusted to run an honest DNS. And let's not pretend that DNSSEC is universally deployed.
Most people here can setup up a 99 cent VPS with an openvpn endpoint running a recursive resolver, limited to the openvpn net. That fits in the smallest slice of RAM available in 2015 and will work fine.
Most other people cannot, though. Google's DNS is honest, if you don't care about tracking - but most people care more about free stuff than privacy.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Is this the inverse of that headline rule thingy?
“He’s not deformed, he’s just drunk!”
The same Cisco that has default SSH keys on their security devices that allow hackers to run wild?
I see people are repeating this, hoping to make it believed. Not that I love Cisco either (or Oracle or SAP or... you get my drift) but that just isn't fair.
Is it that you can't believe that the NSA would get in without insider help? There have been at least a half dozen brands, many non-USA, that they are said to have gotten into. Surely a Chinese vendor wouldn't cooperate with the NSA. Unless you want to believe Huawei is well-embedded with the NSA (ha, ha, seriously...) it is wrong to make these assumptions about Cisco.
Don't go pointing at payments either. The NSA is required to pay for hardware just like everybody else. They can buy through a reseller, so it isn't as if Cisco could actually prevent a purchase. The same goes for any other equipment vendor. The products are for sale, and anybody with the money can get one.
please elaborate on the tracking. where did you get that from? that's an honest question; i use google's servers as last resort backup dns.
Point your Berkeley Internet Name Domain server at the root nameservers.
All the services that provide intermediaries to the real DNS are in the business of directing your traffic for their profit. If you are happy being a clueless end-user, the best you can do is 8.8.8.8 (Google) since they are at least built to a reasonable scale.
But it's still not really DNS... it's asking somebody else to do your DNS for you. Which is OK for non-geek end users.
Someone may correct me if there's more to it, but I think it's just that some people are uncomfortable with Google having so much access to information about us. Any DNS server you access will have the potential to keep records of which IP addresses made which queries, which potentially gives Google even more tracking data. As far as I know, there's no real sign that they're using that data, but to some extent, they're a company that makes money from collecting data about their users, so...
There's only one reason Google gives anything away 'for free' - it's because they're mining data from your connections to better target ads at you. They absolutely monitor every DNS lookup on their servers and use those lookups as part of their profile on you as a user.
They have their own internal DNS and DHCP, but the latter is needed to operate the former, sadly. I'd like to see an up to date instruction sheet to set up and place into production both services sometime. The current set is vague and wooly.
First rule of holes; When in one, stop digging.
If you ask google's dns servers what ip is at www.overthere.com... it knows you want to go to www.overthere.com? A vast majority of people can be uniquely identified just by their list of most visited sites. Caching probably offsets this a little, but still much more valuable than other ways of getting this data.
Who here trust Cisco?
"If any question why we died, Tell them because our fathers lied."
Most people here...
Most other people...
most people care...
A self-appointed spokesperson for "most people"?
If you were trying to be french,
La vache dit SHAZOO, FTFY
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
Or broken DNS is so pervasive that it is interfering with their ability to offer other services. If you're interested in the privacy policy around Google DNS it's available here. The quick TLDR is:
What information does Google log when I use the Google Public DNS service?
Google Public DNS complies with Google's main privacy policy, which you can view at our Privacy Center. With Google Public DNS, we collect IP address (only temporarily) and ISP and location information (in permanent logs) for the purpose of making our service faster, better and more secure. Specifically, we use this data to conduct debugging and to analyze abuse phenomena. After 24 hours, we erase any IP information. For more information, read the Google Public DNS privacy page.
Is any of the information collected stored with my Google account?
No.
Does Google share the information it collects from the Google Public DNS service with anyone outside Google?
No, except in the limited circumstances described in Google's privacy policy, such as legal processes and enforceable governmental requests. (See also Google's Transparency Report on user data requests.)
Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?
No.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
So any DNS you use could do this.
So isn't it logical to use one that is being run by a massive competent company that is already making huge profits and has the whole world watching them vs some small org that is just trying to make ends meet that no one is paying attention to.
Frankly if I was the CIA I would be intercepting traffic to the small oddball servers more than Google.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
You tool of the megacorps how dare you bring up facts that distort that crusader for freedom's self identified truth.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Well DNS isn't really secured, so if you're worried about the CIA intercepting your DNS traffic, I don't think which DNS server you use is going to be extremely important there.
But yeah, any DNS server could gather and store records about every query, and which IP address the query came from. Many people don't consider that amount of data to be invasive enough to worry about. For most people, the worst information it would leak is that, just like almost everyone else, you're visiting porn sites.
It could have been Oracle buying it. I have yet to see them acquire anything and not turn it to shit.
actually I am not very worried about DNS privacy.
I just wish we could go back to the old days of Slashdot when it was all about cool dads building battlemech tree houses instead of the tin foil hat crowd.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
AC's shouldn't judge, all of you interbreed.
Oh boy... "apps" guy vs "hosts" guy... whoever wins, we lose. Somebody better nuke them both from orbit, that's the only way to be sure.
Get free satoshi (Bitcoin) and Dogecoins
I'm also not too worried about DNS privacy, but I don't see the problem with Slashdot being the sort of place where nerds talk about network security.
The US government said the same thing about data collection even after being confronted. Look where that got is all. Why trust it?
One of the creators says privacy is dead
Google it's found to be defeating private browsing for Safari
Google and tons of others are found to silently cooperate with wholesale government data collection (remember last year's headlines about Google Facebook and others begging for good pr by requesting permission from that same lying government to ungag and reveal how much they really are forced to share in secret)
TOS can change overnight and not require users to receive a penny in compensation or even an apology back by real improvement. We continue to be the product. Like the government has proven in courts for FOI requests you cannot start a lawsuit for something that allegedly does not exist until you tell the courts exactly what to look for. By the time we find where Google is outsourcing the IP data or what side channel is recording the results that they claim are not parts of our Google account they will pull out some other plan with its own law-skirting provisions.
I feel safer with DNS from a small our unknown provider than from giants who have the PHDs and perfected processes to monetize and cocorrelatey data across continents with YouTube, DNS, email, search, browser and android spying.
I pay my ISP to give me a pipe to the internet. I use that pipe to contact numerous different public servers using numerous different protocols. If some of those servers are DNS servers, and I use DNS protocol to contact them, it is none of their mother fucking business. And indeed, my ISP clearly couldn't care less if I am doing it. If they tried to stop me, I would just ssh tunnel forward through a VPS and fuck em.
I never heard of anybody ever being "cut off" for doing this.
My point is that you have NO control over the root DNS servers (or any other DNS servers you don't own), or what happens in the route between you and any DNS servers, so how do you know what's really going on? If you were to directly use the root DNS servers, how do you know traffic in either direction isn't being tampered with? You have to assume that any data of any kind sent or received from the public Internet is inherently insecure, and there's plenty of historical evidence to prove not only it's plausibility, but it's likelihood. All you can do is make the best choices you can based on available information, and hope you're not being sold down the river by some three-letter agency, or who knows who.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
I use an alternative DNS server, becausde the ISPs in my country are orderd to block certain (torrent) sites. As I already give enough info to Google, I use servers I found on http://wiki.opennicproject.org...
With http://wiki.opennicproject.org... you can find witch one are closest,
I used to run my own, but after a re-install I did not yet bother.
What I think is strange is that nobody has made an easy local DNS server (for Windows) e.g. just a program that listens on port 53and only fromlocalhost and is just a DNS server. So no additional (local) zones. No additional things. Just a stripped down caching DNS server.
Just point to 127.0.0.1 as DNS server and done. No other changes should be needed. No kill of domains.No nothing should be needed.
Don't fight for your country, if your country does not fight for you.
I think the phrase "tin foil hat" is used far too often, and most commonly by people who know next to nothing about network security. For example, OpenDNS created the DNSCrypt project, which encrypts the DNS lookups. Sounds like diamond-coated tin foil hat stuff, no? Well, incidentally, it also protects from MITM attacks that have been used on DNS lookups, which have nothing to do with nation-state protection and everything to do with protection from criminals.
Please stop using that phrase.
you'll summon.. him!
Frankly, at this point, if the CIA cannot access and intercept data from Google they are utterly incompetent in doing their job. For the cost of (at most) giving an employee a suitcase full of money, you get an incredible bonanza of data. Which secret service wouldn't do it?
My first program:
Hell Segmentation fault
I never heard of anybody ever being "cut off" for doing this.
Yet..
If the big 2some Comcast and Verizon get their way with net neutrality then you can be sure this will be on their list of pipes to control. I'm already shocked they haven't tried blocking all internet ports and selling various ones in packages. Oh you want FTP? then you need to upgrade your Internet package to the next tier. You want VoIP port 5060? I'm sorry you can't have that. It directly competes with our own telephone service.
Whether there's someone sitting on your line and grabbing your traffic or tampering with it is completely irrelevant because that problem exists in any case. By running your own resolver, you don't publish your queries directly to a third party on top of that and that's a good thing.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Yeah, and besides tinfoil hats aren't normally used for networking stuff. More gov and ET related stuff.
Pretty sure Windows comes with a simple DNS server service since the NT days. You may need to check an additional option to turn on the feature, or it may be hidden somewhere under the IIS settings.
Unless they removed it. I admit, I haven't touched Windows for anything server related in years.
A former colleague of mine left to a startup which some years later was absorbed by Google. The work she does at Google involves access to multiple Google databases (to detect fraudulent access patterns), which is apparently unusual. I asked her about the DNS database; she said that is the one database to which she (and most other projects at Google) doesn't have access. I took from this that Google does track DNS access.
Clearly what we need is a blockchain DNS! (I don't know what blockchain is, but I know it solves all problems. I think you get it from a hardware store, but I couldn't say whether it's in the blocks or chains aisle.)
So any DNS you use could do this.
But they actually own an ad network to put the data to use.
Hmm, that's a good point. However if too many people were going directly to the root servers, eventually wouldn't they take some action to limit access to whoever needs it (as opposed to who wants it) to reduce the workload on the servers? Bypassing all the lower strata of DNS servers kind of breaks the way the system was designed, doesn't it? Of course these nudnik ISPs and other bad actors out there 'tampering' with DNS for whatever their reasons are, are certainly breaking the way the system is supposed to work, too..
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
I'd like you to at least give us a chance. I am still running the ship here.
# Hack the planet, it's important.
Now if only there was a way to distribute hostfiles. Some method of IP would be handy - I suggest using UDP port 53 as it's not being used.
Different ACs...
Services like DNS really belongs at the network level, not the local PC level. If only for the possibility that there are 2+ people on the local network who query the same thing and the DNS server can cache / return the results. Or, since the network server is likely to be left on 24x7, it can cache answers across reboots of your local PC/laptop.
Something like pfSense on the firewall to the outside world with "unbound" running does just fine for this. You can configure it to talk to your ISP's DNS servers, Google's servers, or set it up to start at the root DNS servers and do its own heavy lifting.
Wolde you bothe eate your cake, and have your cake?
Hmm, that's a good point. However if too many people were going directly to the root servers, eventually wouldn't they take some action to limit access to whoever needs it (as opposed to who wants it) to reduce the workload on the servers?
.com?". Once your DNS server has the answer for ".com", it goes and asks the ".com" servers about what server handles "google.com".
The only reason BIND / unbound talk to the root servers is to find out which DNS servers are authoritative for the various TLDs. The DNS root servers do not return the answer for "what is the IP address of maps.google.com", they only return the answer for "what DNS server is authoritative for
I've read that a well behaved DNS server will only talk to the root servers about once every 48 hours, or whenever it hits a new TLD that is not yet cached.
Wolde you bothe eate your cake, and have your cake?
The whole point was to avoid the ISP's crappy, overloaded servers to begin with. If the DNS server doesn't respond with an NXDOMAIN for a non existent domain, it's not worth talking to.
Ever again.
One of these days i'm going to find this 'peer' guy and reset HIS connection!
I thought all those with ID >101 have ascended or have had their consciousness uploaded into some kind of silicon based brain!
Thanks for being here for us, guiding the way.
Don't be apathetic. Procrastinate!
I am still running the ship here.
... until the cheque clears.
Most consumer internet blocks port 25, and you have to get business class to get unblocked.
Watch for Penguins, they eat Apples and throw rocks at Windows.
I'm not claiming to know how the whole system works; I'm getting a quick education on the subject as we're discussing it. It sounds like the overall load is well-distributed. You seem to understand it well enough to answer this question: If, say, even 10% or so of everyone did an end-run around ISP-based DNS servers in this way, would it theoretically cause enough excessive traffic that it would annoy the admins responsible for them?
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
If it is a free app, service, etc, you're not the consumer - you're the product.
Get up!
Network security yes.
the OMG Cisco is buying them and the Gov will spy on me now is what I could live without.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
That's primarily to less-in the damage from malware and virii from sending out mail and forcing people to go though the ISP's mail server. Most mail host will also open smtp on a second port to get around this.
Frankly I would be shocked if the major services (i.e. Google, Microsoft, Apple, Facebook, etc) weren't all penetrated by by ALL of the nation-state level intelligence agencies in exactly the manner you state. Suitcases full of money to a half-dozen engineers in a couple of dozen companies amounts to a rounding-error in a black budget.
At this point, the only thing really protecting "bad guys" is the size of the ocean, not some inability to fish in it.
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
Someone may correct me if there's more to it, but I think it's just that some people are uncomfortable with Google having so much access to information about us. Any DNS server you access will have the potential to keep records of which IP addresses made which queries, which potentially gives Google even more tracking data. As far as I know, there's no real sign that they're using that data, but to some extent, they're a company that makes money from collecting data about their users, so...
I just happen to use and dare say trust Goggle, no matter what search engine you use with the exception of https://duckduckgo.com/ will track you. I do read the ToS's and privacy policies of any site I'm about to register on it's the data collected that your being informed of, I've refused to register on some sites over it or had second thoughts and bailed (Microsoft's Insiders program).
It's many features or abilities is why I use Goggle - and they give back to the community, the only company I know of that does it on their scale, Goggle Earth while very useful was first seen as incredible; it's now Goggle Earth Pro.
Above all you have to remember they make their living off of your data, Goggle Earth Pro was once sold (mostly to companies doing demographics), it will show you the tax assessment of every building I've check but one. I have an unlikely video hit on youtube.com the demographics given me are vast, and varied - while myself I'd never put an ad or overlay on any video; it's interesting the ages of people who are most likely to participate in a specific activity.
Angry Birds (www.Rovio.com) has or had (it's been awhile, and now have it blocked) what was the most informative ToS and privacy policy I've ever read. They list where your data is being sent, the only one left in question is what does "data sent overseas" mean. The data they collect they sale to Flurry.com (Goggle) who with that data and what Goggle has collected are combined and sold to advertisers who wish to send ad's that you would be interested in (targeted ads). It's important to get your mobile devices opt'ed out of Flurry.com
Bottom line, I trust Goggle to a point, as I won't use their DNS's, while tracking is ok within reason, I don't need to give it to them, and what's collected going through their DNS's? All ToS's and such claim unidentifiable information (but they've got your IP address) they don't need to know who you are, just your interest. There's a reason another Goggle sever center is being built, they need more space for what they do.
Please check http://wiki.opennicproject.org...