OpenDNS To Block and Monitor Conficker Worm

Soulskill posted more than 5 years ago | from the no-phone-home dept.

Networking 175

Linker3000 writes "According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
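The flagging described in the summary works at the resolver: it sees which networks ask for the listed names. As an added example (not part of the original story and not OpenDNS code), the same check run over a local resolver's query log names the individual host. It assumes dnsmasq's `log-queries` line format; the blocklist entries and log lines are constructed placeholders, not real Conficker domains.

```python
import re
from collections import defaultdict

# dnsmasq "log-queries" format: "<date> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Za-z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def normalise(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()

def load_blocklist(lines):
    """One domain per line; blank lines and '#' comments are ignored."""
    return {normalise(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#")}

def is_listed(name, blocklist):
    """True if the name, or any parent domain of it, is on the blocklist."""
    labels = normalise(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def flag_clients(log_lines, blocklist):
    """Map each client IP to the blocklisted names it asked for, with count and times."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if m is None or not is_listed(m["name"], blocklist):
            continue  # not a query line, or the name is not on the list
        entry = hits[m["client"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["names"].add(normalise(m["name"]))
    return dict(hits)

# Constructed placeholder names under the reserved .example TLD (assumption:
# a real deployment would load the published list for the current day).
BLOCKLIST = load_blocklist(["# rendezvous names", "qzkfwtr.example", "abxplm.example"])

# Constructed sample log, not captured traffic. 192.0.2.53 is a documentation address.
SAMPLE_LOG = """\
Feb  9 10:00:01 dnsmasq[812]: query[A] www.slashdot.org from 192.168.1.10
Feb  9 10:00:07 dnsmasq[812]: query[A] QZKFWTR.example from 192.168.1.23
Feb  9 10:00:07 dnsmasq[812]: forwarded QZKFWTR.example to 192.0.2.53
Feb  9 10:03:42 dnsmasq[812]: query[A] abxplm.example. from 192.168.1.23
Feb  9 10:05:15 dnsmasq[812]: query[AAAA] notabxplm.example from 192.168.1.10
""".splitlines()

if __name__ == "__main__":
    for client, info in sorted(flag_clients(SAMPLE_LOG, BLOCKLIST).items()):
        print(f"{client}: {info['count']} lookups, first {info['first']}, "
              f"last {info['last']}, names {sorted(info['names'])}")
```

Matching is done on whole labels, so `notabxplm.example` is not a hit for `abxplm.example`.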

fp (-1, Offtopic)

roguerez (319598) | more than 5 years ago | (#26771833)

fp

ubuntu r0xx

Re:fp (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26772053)

ur mom

Re:fp (1, Funny)

Anonymous Coward | more than 5 years ago | (#26772059)

Ballmer, is that you? Ok, now put down the hard liquor and step away from the internet. You shouldn't be so worried, it hasn't taken that much market-share. No, don't grab that chair. Wait what are you doing? Aaaaaaiiiieeee!

Re:fp (0, Offtopic)

Jezza (39441) | more than 5 years ago | (#26772075)

You moron. You might think you're being "funny" or "clever", but you've just managed "offensive" and "ignorant".

You're also "offtopic". It's 2009 try and keep up.

I was going to post this anonymously, but actually I want to stand up and be counted, to hell with my karma.

Re:fp (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26772867)

All you've really done is shown that you're a noob, slashdot gets these troll posts in every story.

Did you buy your account off ebay?

Re:fp (0, Offtopic)

Dreadneck (982170) | more than 5 years ago | (#26772897)

> All you've really done is shown that you're a noob, slashdot gets these troll posts in every story.
>
> Did you buy your account off ebay?

Really? Because I don't recall *ever* seeing these particular brands of posts until after President Obama was elected and sworn in.

Re:fp (0)

Anonymous Coward | more than 5 years ago | (#26772919)

What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.

Re:fp (4, Insightful)

causality (777677) | more than 5 years ago | (#26773333)

> What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.

I think trying to explain this to people is a lot like back when AOL tried so hard to tell customers that their staff will never ask for their account password. Despite repeated warnings and prompts, the password phishers never seemed to have any problems. Those hardheaded users preferred the convenience of refusing to stop and think or to change their habits because both of those require a small amount of effort.

Likewise, people who feed trolls prefer their little emotional outbursts and the righteous feelings they get from them and are not interested in whether they are part of the problem. The idea that they are doing exactly what the troll wanted them to do does not get their attention. They may claim otherwise or feel inclined to argue with me about that, but this is very simple: when a person's words tell me one thing and their actions tell me another, I disregard their words every time. They don't really give me a choice in the matter.

More free advertising for a dubious service... (3, Insightful)

Anonymous Coward | more than 5 years ago | (#26771855)

Heh, didn't they cash in enough on the Kaminsky non-disclosure-scare already, getting a large user base for their information trading business (heh, as if they offer costly service "for free". Get real! It'll cost you no money but your privacy.) /. the platform for pushing bogus services?

Re:Do not use OpenDNS (5, Informative)

Anonymous Coward | more than 5 years ago | (#26771895)

They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching servers bills for millions and millions of queries every day? They sell your private info.

OpenDNS redirects all your Google search queries through their servers.

They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.
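The NXDOMAIN behaviour described in the comment above can be checked against any resolver. As an added example (not part of the original thread and not OpenDNS code), this parses a DNS reply in wire format and tells an honest NXDOMAIN from a rewritten answer; the two sample replies are constructed, 192.0.2.10 is a documentation address, and `probe()` assumes a resolver reachable over UDP port 53.

```python
import os
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A = 1

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2                     # parsing resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                         # refuse pointer loops
                raise ValueError("compression loop in DNS name")
        elif length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_response(msg):
    """Return (qid, rcode, [(name, ttl, ipv4), ...]) for A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return qid, flags & 0x000F, answers

def classify(msg):
    """'nxdomain' for an honest error, 'rewritten' if addresses came back, else 'other'."""
    _qid, rcode, answers = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain", []
    if rcode == RCODE_NOERROR and answers:
        return "rewritten", [ip for _name, _ttl, ip in answers]
    return "other", []                            # e.g. SERVFAIL or an empty NOERROR

def probe(resolver_ip, timeout=3.0):
    """Ask a resolver for a random name under .invalid (reserved by RFC 6761). Needs network."""
    name = os.urandom(8).hex() + ".invalid"
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver_ip, 53))              # only accept replies from this peer
        s.send(build_query(name, qid))
        reply = s.recv(4096)
    if parse_response(reply)[0] != qid:
        raise ValueError("transaction ID mismatch")
    return classify(reply)

# Constructed sample replies to a query for "nosuchhost.invalid" (not captured traffic).
QUERY = build_query("nosuchhost.invalid", 0x1234)
# Honest resolver: QR, RD and RA set, RCODE=3, question echoed, no answers.
HONEST = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUERY[12:]
# Rewriting resolver: RCODE=0 and an A record (TTL 0) for the name that does not exist.
REWRITTEN = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
             + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 0, 4)
             + socket.inet_aton("192.0.2.10"))

if __name__ == "__main__":
    print("honest:   ", classify(HONEST))
    print("rewritten:", classify(REWRITTEN))
```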

Re:Do not use OpenDNS (0)

Anonymous Coward | more than 5 years ago | (#26772083)

You can turn off that privacy invasion. You need an account.

Re:Do not use OpenDNS (5, Informative)

fprintf (82740) | more than 5 years ago | (#26772147)

You can turn this feature off. http://www.opendns.com/support/article/244 [opendns.com] is their response to questions about privacy.

For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".

I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.

Re:Do not use OpenDNS (2, Informative)

moonbender (547943) | more than 5 years ago | (#26772529)

You're relying on OpenDNS for content filtering? Cute. That might work in a home for the elderly, but I doubt it'll stop any teenager, much less one who is technologically inclined. Would have stopped me for all of 45 seconds. But if it gives you peace of mind, that's something I guess.

Re:Do not use OpenDNS (1)

julesh (229690) | more than 5 years ago | (#26773141)

> You can turn this feature off. http://www.opendns.com/support/article/244 [opendns.com] is their response to questions about privacy.
>
> For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".
>
> I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.

I don't know about others, but I found that OpenDNS's tracking of the IP addresses I was coming from was somewhat flaky, even though I was running their dynamic IP update client. So, every so often I would end up getting proxied service for an hour or so. And, yes, I could easily tell the difference: using their proxy server is a lot slower than accessing google directly.

Re:Do not use OpenDNS (1)

noidentity (188756) | more than 5 years ago | (#26773767)

> For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy"

Maybe I'm clueless, but where do I find this "Settings" thing? I use OpenDNS by typing its two IP addresses into the DNS servers field. Is this on the OpenDNS website?

Re:Do not use OpenDNS (1, Informative)

X0563511 (793323) | more than 5 years ago | (#26772161)

You are an idiot.

This is no more shadowy than the NTP pool.

Re:Do not use OpenDNS (0)

Anonymous Coward | more than 5 years ago | (#26773225)

What don't you get about "they run a special proxy that inspects and redirects google.com HTTP requests"? It's not about just DNS.

Re:Do not use OpenDNS (1)

FishWithAHammer (957772) | more than 5 years ago | (#26773509)

What don't you get about "you can turn that off"?

Re:Do not use OpenDNS (4, Insightful)

Kent Recal (714863) | more than 5 years ago | (#26772205)

Agree'd. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.

Furthermore nobody should rely on a DNS provider (of all things!) to report worm infections. The idea is so wrong, it reminds me of the TV scams where they want to sell you a worthless product, bundled with 5 other, totally unrelated worthless products. "Buy this quality home-trainer for only $499 and you'll get this USB-stick, a bar of soap, two lightbulbs and a chinese ipod-knockoff, for free!".

If you're concerned with worm infections then you run antivirus software and maybe an IDS (e.g. snort) on your internet gateway.
Both will report malicious traffic much more reliably than OpenDNS because that's what they're designed to do.

Re:Do not use OpenDNS (3, Funny)

Anonymous Coward | more than 5 years ago | (#26772469)

You consider bar of soap to be worthless?

*sniff* Hmm... no wonder your hygiene is questionable.

Re:Do not use OpenDNS (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26772727)

> You consider bar of soap to be worthless?
>
> *sniff* Hmm... no wonder your hygiene is questionable.

WOW! You suggested that geeks on Slashdot might have poor hygiene! That's so new and creative and original. I don't think that's EVER been done before. Man, don't ever discount that Anonymous Coward. Next thing you know, he might suggest that geeks on Slashdot don't have girlfriends! Hey, that's new and creative too, I should really write that one down ...

Really mods, this wasn't very funny to begin with, but even for things that really are amusing, the amusement wears off after the first several hundred retellings or the first few years, whichever comes first. There's no need to keep modding these up. Ok, so I gave a relatively polite (at least not rude) critique of your moderation decisions, you can make me -1 Flamebait now.

Re:Do not use OpenDNS (0)

Anonymous Coward | more than 5 years ago | (#26773403)

Wow, way to react like a child over a joke. Get some anger management.

Re:Do not use OpenDNS (1)

raynet (51803) | more than 5 years ago | (#26772815)

How are they a scam operation?

And if you are concerned with worm infections, why not run OpenDNS + IDS + Antivir? Who says that if you use OpenDNS you cannot use anything else to protect yourself.

Re:Do not use OpenDNS (1, Informative)

Kent Recal (714863) | more than 5 years ago | (#26773019)

> How are they a scam operation?

They're providing a near-zero value product, spam you with ads in dubious locations (NX) and collect a lot of personal data with borderline phishing methods (google proxy) without announcing either of that clearly upfront.

> And if you are concerned with worm infections, why not run OpenDNS + IDS + Antivir?

Because OpenDNS provides no added protection? The other two are plenty sufficient while nobody knows whether the OpenDNS detection is reliable nor whether they will bother to add detection of future worms etc.

Remember many phishing toolbars claim to protect you against other phishing toolbars. OpenDNS is running the same model here.

I Don't See A Scam (2, Informative)

reallocate (142797) | more than 5 years ago | (#26773169)

I don't see a scam here. You might not like their approach, but that's different.

OpenDNS tells you they run a proxy. They tell you how to disable it.

Sending a raw error code to 99 percent of Internet users is bad service. Better to catch the code and deliver a plain language message.

As for the ads: Would you feel better if OpenDNS billed your credit card on a regular basis? Ads are everywhere. Get used to it. Just ignore them, like the rest of us do.

Short of running their own DNS, what's a better approach? (BTW, I've run my own DNS. Not doing that again. Life's too short to think running servers is fun.)

Re:I Don't See A Scam (4, Insightful)

Kent Recal (714863) | more than 5 years ago | (#26773413)

> Sending a raw error code to 99 percent of Internet users is bad service. Better to catch the code and deliver a plain language message.

Guess what browsers and web-proxies have done for, umm, 10 years? Mine says "Name Error: The domain name does not exist". What could OpenDNS possibly add to this simple message, other than their spam?

> Short of running their own DNS, what's a better approach?

Better approach to what?
Why not just use your ISP's nameserver?

Re:Do not use OpenDNS (1)

raynet (51803) | more than 5 years ago | (#26773203)

Near-zero value product? Hmm, they do have all kinds of filter lists available that are quite handy in business environments. The google thingy is silly I admit, but it can be disabled (should be disabled by default IMHO). And if you disable the google hijacking, what kind of personal data can they collect? And the typo correction can be useful for people who like that kind of stuff. They might make money from your (my?) typos, but who cares, it is not my money that is wasted and in any case, it is opt-in service, so if you don't like it, don't opt-in :)

Re:Do not use OpenDNS (1)

Kent Recal (714863) | more than 5 years ago | (#26773363)

> what kind of personal data can they collect?

The domains that you resolve, obviously. Good for a nice browsing profile.

Re:Do not use OpenDNS (0, Redundant)

Ilgaz (86384) | more than 5 years ago | (#26773715)

Someone figures to make money from a decades old protocol using web technologies and without breaking privacy.

Remember the feedback that non college educated guy got when he literally saved the planet from Internet breakdown? That DNS guy? It is the similar feedback. Jealousy.

Re:Do not use OpenDNS (0)

Anonymous Coward | more than 5 years ago | (#26773269)

Indeed. If/when someone like Time Warner, Comcast, or Verizon tries something similar, even with opt-out, people would be crying bloody murder.

People must be distracted by the word Open.

Re:Do not use OpenDNS (0)

Anonymous Coward | more than 5 years ago | (#26773359)

> Agree'd.

Really? "Agree'd"?

There's times to use apostrophes and times not to. This was one of those times not to.

Re:Do not use OpenDNS (2, Funny)

Kent Recal (714863) | more than 5 years ago | (#26773437)

Thank's for reminding me.

Re:Do not use OpenDNS (0, Redundant)

Ilgaz (86384) | more than 5 years ago | (#26773573)

They are "Open" in the sense of DNS terminology. Open DNS is one of the significant misconfigurations an ordinary DNS server can have, but their business works by opening it to the planet and adding extra features to a decades-old service without breaking standards.

Aren't ISP's, Etc., Selling Data, Too? (1)

reallocate (142797) | more than 5 years ago | (#26772655)

Is there any evidence that major ISP's or DNS providers are not also selling customer behavior data?

I'm a Time-Warner customer. When I use their nameservers, I see a Time-Warner error page when I try to access a nonexistent domain.

The DNS protocol may require an "NXDOMAIN" response on a bogus domain, but making that visible to the typical Internet user is pointless.

Re:Aren't ISP's, Etc., Selling Data, Too? (5, Informative)

Antique Geekmeister (740220) | more than 5 years ago | (#26772911)

It could be worse. Does anyone else here remember the 'Site Finder' chaos, when Verisign returned their own sales website domain for all nonexistent .com addresses? As the managers of .com, their behavior screwed up network monitoring tools worldwide, and misdirected huge amounts of misaddressed email to their servers, without warning. Patches were quickly released for every major DNS software package to block it, which is probably the real reason it got dropped: having every DNS server in the world used to the idea that 'I can block the behavior of idiots' is very, very bad for companies like Verisign that have repeatedly misused their position of trust against third parties.

Re:Aren't ISP's, Etc., Selling Data, Too? (1)

Ilgaz (86384) | more than 5 years ago | (#26773597)

Not just that, DNS queries have "hostname" only so it is near worthless if they were an evil spyware operation. What matters to advertisers and behaviour watchers is the address after "/".

Funnily, people have no problem with Google Analytics which is almost like a viral type threat, pyramid scheme. I said "almost".

Re:Do not use OpenDNS (3, Informative)

Dreadneck (982170) | more than 5 years ago | (#26773317)

> They make money by monitoring your habits. Can anyone tell me how they pay their CDN and caching servers bills for millions and millions of queries every day?

From the site:

"OpenDNS partners with hardware and service providers to deliver our award-winning security, infrastructure and navigation services."

> They sell your private info.

There's nothing private about my public IP address. If they can manage to glean personal info from my IP address then, damn, they're good.

> OpenDNS redirects all your Google search queries through their servers.

From the site:

"Is OpenDNS running a proxy?

Yes. Some software, including your (and our) beloved Google Toolbar, intercepts requests made via the address bar so that DNS requests never occur. This creates some usability issues, including making shortcuts - which require DNS requests to be made from the address bar - unreliable. We've designed a simple proxy that ensures the best of Google and OpenDNS work without causing problems.

When enabled, we route certain requests to a simple proxy which checks for the origin of the request. Shortcut-related traffic gets handled (and redirected) while all other traffic goes to the intended destination untouched. We are not storing or mining any of the data that passes through the proxy. The proxy does nothing malicious - it's designed to make your shortcuts work seamlessly with the Google Toolbar and similar services, giving you the best of both worlds.

Like all OpenDNS services, the proxy is respectful of your privacy. We do not track any of the searches made through the proxy. In fact, since so many people use Google we automatically rotate and delete the logs frequently. We do not store any of those logs, nor do we perform any non-operational-related analysis of the traffic sent through the proxy at any time. Protecting your privacy and delivering a fantastic navigational experience will always be two of our main goals at OpenDNS. We believe that this solution provides just that, and continues our tradition of innovative services that make your Internet experience with OpenDNS faster, safer and more reliable.

Ultimately, this proxy serves to enhance the OpenDNS experience and we recommend you leave it enabled."

> They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.

You mean if I try to navigate to a nonexistent domain that OpenDNS will A) Inform me of my error B) Present me with a search form and C) Display a few innocuous text ads on the page?

I'm crushed. Damn, how could they?

How is that any worse than Google displaying text ads on their search results page? How hard can it be to block those text ads if they really get your panties in that big of a twist? If it bothers you that much, it's not like anyone is holding a gun to your head and forcing you to use their service.

*BSD is Dying (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26771881)

It is now official. Netcraft confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be the Amazing Kreskin [amazingkreskin.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

OpenDNS (5, Informative)

Anonymous Coward | more than 5 years ago | (#26771893)

OpenDNS redirects www.google.com to OpenDNS servers.

Re:OpenDNS (4, Informative)

ratbag (65209) | more than 5 years ago | (#26772159)

http://blog.opendns.com/2007/05/22/google-turns-the-page/ [opendns.com]

Don't know if it's a good enough justification by itself, but at least it's a logical explanation.

Re:OpenDNS (2, Interesting)

julesh (229690) | more than 5 years ago | (#26773117)

> Don't know if it's a good enough justification by itself, but at least it's a logical explanation.

Breaking DNS in order to help people whose computers are set up to provide a poor search system when an unknown URL is added. No, that's not a good enough justification. If I attempt to access www.google.com, I should access www.google.com, not have my searches proxied through OpenDNS's servers. I've found google searches to be slower and less reliable when using OpenDNS, with the home page sometimes taking 10 seconds or so to load. Without OpenDNS, I get almost instant access to the home page, almost every time.

Re:OpenDNS (3, Informative)

fprintf (82740) | more than 5 years ago | (#26772169)

By default, yes it does. Since your post is right on top at the moment, I'll post something I shared earlier: Here is OpenDNS's response to the privacy concerns: http://www.opendns.com/support/article/244 [opendns.com]

You can easily turn off the proxy by changing your settings, under the Advanced section at the bottom.

Re:OpenDNS (0)

Anonymous Coward | more than 5 years ago | (#26772485)

First, I don't buy it. At all. Second, my comment is a statement of fact, nothing more, nothing less.

OpenDNS doesn't tell new users about this "feature". It's hidden in the support database. I think the fact that OpenDNS resolves www.google.com to their own server is something that users should know about. They can make their own mind up about having their searches channeled through OpenDNS. Being stealthy about it is just dishonest and in direct contrast to the "trustworthy" image that OpenDNS likes to project and (IMO wrongfully) implies with its name. If it really were a feature for the users, then they could make it an option that users of Google toolbar or other extensions which interfere with OpenDNS specialties can turn on, instead of making it so that everybody is affected by it, even those who don't need it. As I said, I think their explanation is bullshit, but do make your own mind up about it. The fact remains: OpenDNS redirects www.google.com.

Re:OpenDNS (0)

Anonymous Coward | more than 5 years ago | (#26772605)

And what the hell is your point, exactly?

Whoopty doo to all of it, they redirect your packets through their servers.
Is it going to kill you?
Is it going to get your details stolen?
Is it going to screw up your connection?
Didn't think so.

Re:OpenDNS (0)

Anonymous Coward | more than 5 years ago | (#26773391)

If OpenDNS' HTTP proxy is slow, overloaded with traffic or under attack, your Google searches will be slow. Even worse: if their proxy is down, you won't be able to do any searches, even if Google is up.

Their TTL is also lower than Google's, too, which means you will be doing more DNS lookups.

Re:OpenDNS (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26772179)

Explanation: http://blog.opendns.com/2007/05/22/google-turns-the-page (basically Google and Dell have partnered to more or less force users to Google).

You can turn it off.

Censorship advocates (2, Interesting)

Anonymous Coward | more than 5 years ago | (#26771901)

I'd like to see a response on this from the censorship advocates. Because that's what this is, isn't it? Censorship?

I thought the whole idea of using OpenDNS is that it wouldn't be doing this type of blocking. Who's to say they don't just accidentally prevent PCs from contacting other servers?

This smells bad.

Re:Censorship advocates (3, Insightful)

Jezza (39441) | more than 5 years ago | (#26772111)

Well if this is censorship (and that's debatable) then it's "opt-in". Personally I have no problem with that, as long as you know and have opted FOR it, then that seems fine.

The biggest problem with censorship is it distorts your ability to know the truth - if you say: "Don't show me this or that" you still have the ability to know the truth, you're just choosing what you see and what you don't. But we do this everyday, we read one newspaper over another, we listen to particular commentators over others - we all self-censor.

Re:Censorship advocates (4, Funny)

calmofthestorm (1344385) | more than 5 years ago | (#26772117)

Freedom of speech is very important, but there are exceptions. For example, we don't have the right to watch child porn in a crowded theatre, because that would harm children.

We don't have the right to hijack music vessels on the high seas because it would harm the corporate interests that sheltered us when we were still huddled around dark fires, marveling at shadows on the cave wall.

I fully support OpenDNS's sensible actions, or "sens-orship", as I like to call it. Surely we can trust any corporation with "open" in the title to control our minds in a way we will soon be programmed to approve of.

Re:Censorship advocates (0)

Anonymous Coward | more than 5 years ago | (#26772197)

> For example, we don't have the right to watch child porn in a crowded theatre

Not sure where you live. Your country has some strange laws.

Sicko...

Re:Censorship advocates (1)

mangu (126918) | more than 5 years ago | (#26772409)

> We don't have the right to hijack music vessels on the high seas because it would harm the corporate interests that sheltered us when we were still huddled around dark fires, marveling at shadows on the cave wall.

Shhhh, don't give them ideas! Keep saying that and how long until someone [disney.com] will claim the copyright on the pictures [google.com] ?

Re:Censorship advocates (1)

Ilgaz (86384) | more than 5 years ago | (#26773689)

I got an open wireless network and it has damn good censorship, P2P, porn, crack and even gambling sites are "censored" thanks to OpenDNS.

The other option would be watching people (via Squid for example), asking them their ID cards (already happens in Europe) and give them access.

If a guy just wants to check his mail or browse the ordinary web? It is fine, but our service isn't a tool for others who don't respect the ones on the network.

It is the "best of the worst". I don't want to watch people's habits (via squid or other tools) or I don't really care what their ID or CC number is. It is a security risk anyway. If they aren't happy with the service? Well, they can run their own via EDGE, 3G etc. I don't care.

Re:Censorship advocates (1)

jopsen (885607) | more than 5 years ago | (#26773699)

All of OpenDNS filters are optional... I use OpenDNS to circumvent the Danish internet censorship...

Block and monitor this (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26771913)

Kittens [goatse.fr]

I just found out about this. (1)

Cameljock (1401329) | more than 5 years ago | (#26771917)

So since five minutes ago, I registered with OpenDNS after reading about the service and have started using it. What are the advantages/drawbacks of using this over my own ISP's DNS?

Re:I just found out about this. (5, Interesting)

Anonymous Coward | more than 5 years ago | (#26771927)

You're giving another entity access to all your DNS lookups and your computer won't talk to Google's servers anymore when you connect to www.google.com, but to a company which isn't very upfront about this redirection. Whether that's an advantage or a drawback is up to you.

Re:I just found out about this. (1)

X0563511 (793323) | more than 5 years ago | (#26772173)

In the same manner that you give another entity access to all your NTP syncs.

OpenDNS is basically the same thing as the NTP pool.

Put the tinfoil down, and back away slowly...

Shill/Astroturfer/whatever (3, Insightful)

nabsltd (1313397) | more than 5 years ago | (#26772397)

Boy, talk about not understanding Internet protocols.

NTP packets are basically "I think it's this time...what do you think", while DNS is "I want to know the IP for www.childpr0n.com".

There just isn't any possible privacy issue with NTP packets, while DNS is basically a record of everything you visit. Heck, if OpenDNS were to modify the TTL in their DNS replies, they could even get more complete data about how often you request each site.

Actually, I must be wrong about you misunderstanding. Nobody could be that dumb, so you must work for OpenDNS (or another company that benefits from their data collection).

Re:Shill/Astroturfer/whatever (1)

Ilgaz (86384) | more than 5 years ago | (#26773635)

Ask any gray hat or black hat how much it matters that a single IP, on this NAT-crazy planet, resolved Facebook.com or not, or even what site they visit after that.

What matters is the URLs (not just domains), cookies and how long one stays on that URL, which part of the site they visit after it. Do you know the service offering it for free? Google Analytics. That is your issue, not OpenDNS instead of using some ISP's worst security breached, censored DNS server.

Run Wireshark in your free time; that is what your ISP probably has access to.

Re:I just found out about this. (3, Informative)

slug359 (533109) | more than 5 years ago | (#26772441)

Not really, no.

For the NTP pool you send and receive time data; funnily enough the time is public information.

Switching your DNS servers to OpenDNS means you end up sending them every domain you visit, and apparently every Google search too.
Most people would probably want their search terms and domains they visit to stay private, so your analogy between the NTP pool and commercial DNS providers breaks down here.

(note: I'm not implying sending your DNS data to OpenDNS means it's made public!)

Re:I just found out about this. (4, Insightful)

causality (777677) | more than 5 years ago | (#26772477)

In the same manner that you give another entity access to all your NTP syncs.

OpenDNS is basically the same thing as the NTP pool.

Put the tinfoil down, and back away slowly...

I'm really not sure why people keep comparing OpenDNS to NTP [wikipedia.org] . NTP shares the current time, in UTC. This information is not secret and is not a privacy violation because it was already available to anyone who wants it. If knowing your system time helps an attacker to i.e. guess your TCP sequence numbers, that is a weakness in your (pseudo)random number generator, not a weakness in running an NTP daemon.

Compare that to the data that OpenDNS can collect. They can see every hostname you resolve with their service. Not unlike application-level techniques used by various advertisers (web bugs, third-party cookies, redirections, HTTP "ping", etc.) to track your browsing, a list of every hostname you resolve can certainly compromise your privacy. Every site I visit, when I visited it, and an idea of how often I visited it is not "already available to anyone who wants it." Normally, to obtain this sort of information, an attacker would need to either break into this computer and install a program to log and transmit it, or they would need to conduct a man-in-the-middle type of attack against my ISP's network. There's a reason for that.

Why would I volunteer this data to a third-party who otherwise would have no access to it? What's my incentive to unnecessarily trust them in exchange for a service I don't need? It's not like there is anything difficult about running my own caching DNS server (and you can bet I don't use BIND), not to mention that DNS has to be one of the worst ways to deal with the problem of host security. It's just not a tool that was ever designed for this type of job; meanwhile, better tools that are designed for this job are readily and freely available. This might tempt someone who doesn't want to take responsibility for their own security and thinks anyone else should handle it for them, but I recognize that as a personal shortcoming, a flawed idea. The product of a flawed idea is also flawed, so with this arrangement you are merely trading one threat (the Conficker worm) for another threat (reduced privacy). I can't call that a solution with a straight face.

Re:I just found out about this. (1)

julesh (229690) | more than 5 years ago | (#26773159)

Compare that to the data that OpenDNS can collect. They can see every hostname you resolve with their service. Not unlike application-level techniques used by various advertisers (web bugs, third-party cookies, redirections, HTTP "ping", etc.) to track your browsing, a list of every hostname you resolve can certainly compromise your privacy. Every site I visit, when I visited it, and an idea of how often I visited it is not "already available to anyone who wants it." Normally, to obtain this sort of information, an attacker would need to either break into this computer and install a program to log and transmit it, or they would need to conduct a man-in-the-middle type of attack against my ISP's network. There's a reason for that.

They also see every google search you run, too, because by default they proxy requests to google.com addresses. For your convenience, of course.

Re:I just found out about this. (1, Informative)

Anonymous Coward | more than 5 years ago | (#26773133)

Dude.

dig @208.67.222.222 www.google.com
[..] ;; ANSWER SECTION:
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.217.230
google.navigation.opendns.com. 30 IN A 208.67.217.231

Your browser will issue an HTTP request to the OpenDNS servers. If that's not a man in the middle, I don't know what is.
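A defender's check for the redirection shown in the dig output above, added here as an example and not part of the original comment: it parses a dig answer section, follows the CNAME chain, and reports when the queried name is steered into a domain run by the resolver operator. The function names and the second sample are constructed, and the operator suffix list is an assumption you supply.

```python
"""Detect a resolver that answers with a CNAME into its own domain."""

# Answer section as quoted in the comment above (the "[..]" elision dropped).
DIG_OPENDNS = """\
;; ANSWER SECTION:
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.217.230
google.navigation.opendns.com. 30 IN A 208.67.217.231
"""

# Constructed sample: an ordinary CNAME to a hosting domain, no rewrite.
DIG_PLAIN = """\
;; ANSWER SECTION:
www.example.com. 300 IN CNAME web.example.net.
web.example.net. 300 IN A 192.0.2.10
"""


def normalize(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def parse_answer_section(dig_text):
    """Return (name, ttl, type, rdata) tuples from dig's ANSWER SECTION only."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        line = line.strip()
        if ";;" in line:                      # section header such as ";; ANSWER SECTION:"
            in_answer = "ANSWER SECTION" in line
            continue
        if not line:                          # a blank line ends the section
            in_answer = False
            continue
        fields = line.split()
        if not in_answer or line.startswith(";") or len(fields) < 5:
            continue
        name, ttl, _rclass, rtype = fields[:4]
        if not ttl.isdigit():
            continue
        records.append((normalize(name), int(ttl), rtype.upper(), " ".join(fields[4:])))
    return records


def follow_chain(records, qname):
    """Follow CNAMEs from qname; return the chain and the final A/AAAA addresses."""
    cname = {n: normalize(d) for n, _, t, d in records if t == "CNAME"}
    chain, seen = [normalize(qname)], set()
    while chain[-1] in cname and chain[-1] not in seen:   # 'seen' guards against loops
        seen.add(chain[-1])
        chain.append(cname[chain[-1]])
    addrs = [d for n, _, t, d in records if t in ("A", "AAAA") and n == chain[-1]]
    return chain, addrs


def under(name, suffix):
    """True if name equals suffix or is a subdomain of it."""
    return name == suffix or name.endswith("." + suffix)


def find_rewrite(dig_text, qname, operator_suffixes):
    """Report a hop that lands in an operator domain the queried name is not part of."""
    chain, addrs = follow_chain(parse_answer_section(dig_text), qname)
    for hop in chain[1:]:
        for suffix in map(normalize, operator_suffixes):
            if under(hop, suffix) and not under(chain[0], suffix):
                return {"qname": chain[0], "rewritten_to": hop, "addresses": addrs}
    return None


if __name__ == "__main__":
    print(find_rewrite(DIG_OPENDNS, "www.google.com", ["opendns.com"]))
    print(find_rewrite(DIG_PLAIN, "www.example.com", ["opendns.com"]))
```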

Re:I just found out about this. (4, Insightful)

sakdoctor (1087155) | more than 5 years ago | (#26771955)

I'm not sure why people around here seem positive about using OpenDNS (as opposed to running your own say).

When I make a typo I get an Address Not Found error and THAT'S THE WAY I LIKE IT.

Re:I just found out about this. (1)

tyldis (712367) | more than 5 years ago | (#26771967)

To each his own.
This is the reason I do not use it or support it. I want a pure DNS service not a tampered one.

Re:I just found out about this. (1)

thebryce (1076543) | more than 5 years ago | (#26772069)

I agree. Honestly I never thought much about which DNS service I use, but I know that I don't like my ISP in control of it.

Can anyone suggest other DNS services that might be better than openDNS?

Thanks

Roll your own or... (0)

Anonymous Coward | more than 5 years ago | (#26772109)

4.2.2.2

(Level 3, in case you're wondering who that is)

Re:Roll your own or... (0)

Anonymous Coward | more than 5 years ago | (#26772319)

4.2.2.3 and 4.2.2.4 work as well for systems that require multiple dns servers.

Re:I just found out about this. (3, Funny)

calmofthestorm (1344385) | more than 5 years ago | (#26772149)

Try openerdns.org

Re:I just found out about this. (1)

nabsltd (1313397) | more than 5 years ago | (#26772427)

Sure, just install your own caching DNS server on your machine and set your DNS server to 127.0.0.1.

For Linux, it's trivial...most distros include a caching nameserver package.

For Windows, it's a little harder to set up some of the open source nameservers, but you also have some free closed source and commercial software to choose from. Try searching for "DNS server Windows" and the results should get you started.

Re:I just found out about this. (3, Informative)

Antique Geekmeister (740220) | more than 5 years ago | (#26772535)

Use 127.0.0.3, and put that in your /etc/hosts as 'dns.localdomain'. This still reaches your loopback address, but avoids some of the potential reverse DNS confusions with 'localhost.localdomain'.

Re:I just found out about this. (1)

causality (777677) | more than 5 years ago | (#26772927)

Sure, just install your own caching DNS server on your machine and set your DNS server to 127.0.0.1.

For Linux, it's trivial...most distros include a caching nameserver package.

For Windows, it's a little harder to set up some of the open source nameservers, but you also have some free closed source and commercial software to choose from. Try searching for "DNS server Windows" and the results should get you started.

This gives you one advantage I haven't seen anyone else mention. If you run a caching DNS server on localhost, any queries for data that's already in the cache are answered instantly. You get to control how many objects are in the cache and how long they remain cached. The suggestions that others have made for Level 3's servers at 4.2.2.2 etc. do not and cannot have this advantage because you will always have the network latency of sending a request and awaiting their response.

I say that knowing that the DNS resolver (the DNS client) can also cache responses. I am merely saying that a local DNS client that performs caching combined with a local DNS server that performs caching is significantly better than a local caching client and a remote DNS server. For new queries that could not possibly be cached on this end, I also feel that my local server outperforms my ISP's, in the sense that the ISP server may be beefier but it also has a drastically higher load.

The latency difference would not significantly affect any sort of realistic network benchmark. However, near-instantaneous and lower-latency DNS resolution has a significant impact on the psychological perception of performance, especially with a Web browser. Ad servers have two annoying habits: they are often the slowest part of a page to load and they tend not to specify image size in the IMG tags so the browser must load the advertisement before it can render the rest of the page. Because of that, running a well-configured local caching DNS server and combining that with ad blocking (I primarily use Adblock Plus) is one of the best ways you can speed up your subjective Web experience without actually purchasing more bandwidth.

Re:I just found out about this. (2, Informative)

ScrewMaster (602015) | more than 5 years ago | (#26772591)

Just Google for "free DNS", but I use 4.2.2.2, 4.2.2.3 myself. I think they're from Level 3. There's tons of others though. I used to have Comcast, and I switched my DNS because theirs were slow and unreliable. I mean, if I went to a complex site (take MSNBC.COM, for example) it would take several seconds to load on a 16 mbit/sec line, just because of all the domain requests. I just switched to AT&T for my ISP now, and I haven't changed my DNS settings yet because the response is really, really crisp.

Re:I just found out about this. (2, Informative)

digitalchinky (650880) | more than 5 years ago | (#26772041)

I like it this way too, unfortunately my ISP appears to want to save a few bucks on their own machines and uses OpenDNS.

So, I use 4.2.2.1 through .5 as my name servers instead.

The IP Addresses. (2, Informative)

bhima (46039) | more than 5 years ago | (#26772079)

Would it be so hard to add the OpenDNS IP addresses to the story... It's not all that hard for home users to change their DNS server addresses.

Addresses: 208.67.222.222 and 208.67.220.220

Or if you need more help, look here: https://www.opendns.com/smb/start [opendns.com]

cat and mouse. (4, Interesting)

Cmdr-Absurd (780125) | more than 5 years ago | (#26772095)

Nice idea, but what do you do when a worm alters your dns settings?
OpenDNS can't block access if the queries go to a server controlled by the bad guys.
You can firewall off access to dns ports to all but known servers, but then the worms just tunnel through a port 80 proxy.
Cat and mouse forever. Plus a false sense of security.

Re:cat and mouse. (1)

modestgeek (1449921) | more than 5 years ago | (#26772183)

Very true. I suppose all the worm really has to do is add entries to your hosts file. I've seen some pretty complex malware do redirects that do not modify DNS settings or use hosts files. They hijack something in the Winsock settings. Not sure exactly how it is done. Spywareguard 2009 was one that did something like this and was a HUGE pain to remove.

Re:cat and mouse. (1)

betterunixthanunix (980855) | more than 5 years ago | (#26772247)

"Nice idea, but what do you do when a worm alters your dns settings?"

Use an OS with security policies that only allow specific software that shipped with the OS to modify those settings? Honestly, I do not understand why Microsoft does not at least ship that as a default policy, especially since Windows can also check program hashes and thus prevent tampering (in theory; I guess "mitigate" is a better way to describe it).

Re:cat and mouse. (4, Interesting)

Cmdr-Absurd (780125) | more than 5 years ago | (#26772487)

Use an OS with security policies that only allow specific software that shipped with the OS to modify those settings? Honestly, I do not understand why Microsoft does not at least ship that as a default policy

Well, yes, but admins have to support what their organizations use/demand.

A couple of years ago, there was a Macintosh Trojan that altered DNS settings and added a crontab to re-alter every minute if the user tried to fix the change.

Social engineering works at least some of the time. There are zero-day exploits.
If you think that *nix is a panacea against malware, you will eventually be disappointed. Better than Win, but not perfect.

Not too bad of a service. (1)

modestgeek (1449921) | more than 5 years ago | (#26772125)

I've used this service a couple of times to help protect sites where corporate won't spend an extra buck on a true content filtering solution. I just redirect things that are obviously not business related like hacking, phishing, spyware, porn, nude, gambling, etc.

I realize that it's not foolproof but it does help. It's just one extra layer that I can implement on top of other basic group policy settings, antivirus software and Windows Defender, and spam/virus filtering. I suppose that I could always implement something like ipcop with various add-ons, but I don't have the time to manage something like that on an ongoing basis.

Flush your cache after! (1)

doesthisfuckingexist (1384097) | more than 5 years ago | (#26772131)

If you do create an account just to mess with it and then delete the account (or change your DNS server settings back to the auto setting) use 'ipconfig /flushdns' from a DOS prompt to clear your cache. All your lookups will go back to your ISP (and not keep the ones obtained from any OpenDNS queries).

Maybe good in theory (3, Interesting)

jafiwam (310805) | more than 5 years ago | (#26772171)

Except, OpenDNS is not a budding geek or regular office wank type tool.

It's a tool that requires you to know what you are doing. There are all sorts of subtle problems that can crop up, so I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS. Amazingly, a good 50% of the certificate and "can't find web site" errors go away after that. Imagine!

OpenDNS has the right idea, but it's not ready for the "everyday internet user" crowd yet.

This is without really considering the massive privacy problems with using it.

Re:Maybe good in theory (1)

Krneki (1192201) | more than 5 years ago | (#26772249)

Still better than most Telcos DNS.

Re:Maybe good in theory (1)

maird (699535) | more than 5 years ago | (#26773153)

Still better than most Telcos DNS.

I agree. That's the reason why I did my first DNS server install at home. My ISP was a telco and their DNS server was down a lot more frequently than their IP routing. Most of my Internet usage was evenings and weekends. The ISP was a 9-5 business for home users (i.e. not 5 nines). So, I'd have to wait hours, even days sometimes for name resolving to return. I've maintained my own DNS server ever since and never had to worry about it.

It's obviously not for everyone and there are reliable servers beyond many ISPs, like the Level 3 ones referred to in other posts.

Re:Maybe good in theory (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26772453)

Well, OpenDNS's Idea is right for a totalitarian Regime.

The right idea for places like China, North Korea and the US of A.

Have total control of the one central flow of surveillance data about your behavior which is independent of application, protocol or user settings: Domain Name Lookups.

Yes, this is the Right (capital R) idea.

Re:Maybe good in theory (1)

ScrewMaster (602015) | more than 5 years ago | (#26772647)

The right idea for places like China, North Korea and the US of A.

Love how you stick the U.S. in with China. There's no Great Firewall here yet, so we're really not in China's league. Domestic surveillance is an issue, of course, but at least here it is an issue. In the other places you mention it's not even on The People's radar.

Of course, the bulk of people in the U.S. go through the major ISPs, which means the likes of Comcast and AT&T. Both companies have already proven to be very (ahem) "law enforcement friendly", shall we say. Using an alternate DNS service (whether it be OpenDNS or otherwise) would, if anything, improve your privacy with regards to what sites you visit. Not that ISPs can't log all that information anyway, without needing access to your DNS requests.

Re:Maybe good in theory (4, Interesting)

tom1974 (413939) | more than 5 years ago | (#26772669)

Could you elaborate on this massive privacy problem you talk about? Like you don't have this massive privacy problem by using your ISP's DNS servers who can actually match DNS queries to user account?

And who asked if OpenDNS is about "Everyday internet user" crowd? It's A DNS service! Do you want a CSI type frontend with it?

fud injection à deux .. (1)

viralMeme (1461143) | more than 5 years ago | (#26772853)

"I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS"

What's the name of your company and please enumerate the problems your clients experienced.

"This is without really considering the massive privacy problems with using it"

What privacy problems would that be in comparison to other DNS providers?

Maybe I'm off base here but (3, Insightful)

BuhDuh (1102769) | more than 5 years ago | (#26772207)

FTFA:

.....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.

Wouldn't blocking "this week's" known IP addresses stop the addition of new ones, rendering the infection impotent?

Re:Maybe I'm off base here but (4, Informative)

causality (777677) | more than 5 years ago | (#26772633)

FTFA:

.....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.

Wouldn't blocking "this week's" known IP addresses stop the addition of new ones, rendering the infection impotent?

That would address a symptom and would do nothing about the actual problem. We keep doing that because we don't want to admit that addressing only symptoms is a failed idea; trying harder and harder to find new ways to implement this idea won't change the fact that it's a failed idea.

The root problem is the vulnerability of Windows to these types of worms. Yes I am selectively speaking about Microsoft Windows; if I ever start seeing widespread (keyword) worms in the wild (keyword) for *nix operating systems then on that day I'll include them too. Anti-virus seeks to remove or contain an external object to which Windows is vulnerable, so it too addresses only the symptom and not the vulnerability. The reason why *nix operating systems don't generally need anti-virus (unless of course you ask an anti-virus vendor) is because they have a security model that is able to prevent infections from occurring in the first place. This is much simpler and more practical (but creates fewer cottage industries) than sophisticated scanners and high-maintenance databases of tens of thousands of signatures that must be applied to every file or every file operation. It's a lot simpler than pretending that DNS is the correct tool for host security as well.

If OpenDNS maintains a highly effective, well-maintained blocklist and if many people start using it, what happens next is rather predictable. A worm/virus that can compromise the machine can also alter that machine's DNS settings. It could make the machine stop using OpenDNS or worse (as another poster has pointed out) it could make it use a hostile DNS server. You can expect this to be a standard malware feature if OpenDNS's efforts are successful. That's the downside of participating in an arms race. The best way to avoid an arms race is to realize that mitigation techniques, while not completely useless, have extremely limited utility and that prevention is the only actual cure.

Re:Maybe I'm off base here but (1)

symbolset (646467) | more than 5 years ago | (#26772781)

A worm/virus that can compromise the machine can also alter that machine's DNS settings.

A swarm with 15 million zombies would also have little trouble knocking OpenDNS offline. Since this is typically what the operators of these systems do to security researchers who get too nosy and purveyors of block lists and patch tools, it's a logical next step.
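What the per-network flagging described in the story amounts to, as an added example that is not OpenDNS's code and not part of any comment: match a resolver's query log against each day's list of rendezvous domains and report which internal clients asked for them. The log format, the domain names (reserved test TLDs), the client addresses and the `skew_days` parameter are all constructed assumptions.

```python
"""Flag internal clients that look up domains on a per-day rendezvous list."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed lists: two placeholder domains per day stand in for the 250.
DAILY_LISTS = {
    date(2009, 2, 9): {"qwkzpt.example", "lmvhra.test"},
    date(2009, 2, 10): {"bnxjue.example", "tgyofc.test"},
}

# Constructed resolver log, assumed format: <timestamp> <client> <qtype> <qname>
QUERY_LOG = """\
2009-02-09T08:01:12 10.0.0.23 A www.example.org.
2009-02-09T08:01:40 10.0.0.23 A QWKZPT.example.
2009-02-09T08:02:05 10.0.0.23 A lmvhra.test.
2009-02-09T23:59:58 10.0.0.41 A bnxjue.example.
2009-02-10T00:00:03 10.0.0.23 A tgyofc.test.
2009-02-10T09:30:00 10.0.0.57 A mail.example.org.
garbage line
"""


def parse_line(line):
    """Return (timestamp, client, normalized qname) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[3].rstrip(".").lower()


def flag_clients(log_text, daily_lists, skew_days=1):
    """Map client -> listed domains queried, with first and last time seen.

    skew_days (an assumption of this example) also checks the neighbouring
    days' lists, so a clock on the other side of midnight does not hide a hit.
    """
    hits = defaultdict(lambda: {"domains": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        wanted = set()
        for offset in range(-skew_days, skew_days + 1):
            wanted |= daily_lists.get(ts.date() + timedelta(days=offset), set())
        if qname not in wanted:
            continue
        entry = hits[client]
        entry["domains"].add(qname)
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(hits)


if __name__ == "__main__":
    for client, info in sorted(flag_clients(QUERY_LOG, DAILY_LISTS).items()):
        print(client, sorted(info["domains"]), info["first"], info["last"])
```

A single listed lookup is enough to put a client on the report, which matches the story's "even a single machine" framing; the check only sees queries that reach the resolver whose log you hold.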

Won't work for certain Indian ISPs (0)

Anonymous Coward | more than 5 years ago | (#26772527)

Those of you whose ISP is Reliance Broadband, please note that this won't work for you. Reliance Broadband intercepts all DNS / port 53 traffic.
Which means Reliance's DNS server replies to the query you sent to OpenDNS.

(Mods, I'm posting anonymously, please treat this as a PSA.)

Re:Won't work for certain Indian ISPs (1)

iammani (1392285) | more than 5 years ago | (#26773447)

I second this. I have even written to them about this, but have yet to hear from them.

So since people are going nuts over this... (0)

Anonymous Coward | more than 5 years ago | (#26772725)

What are other solutions?

I know there is the 4.2.2.2-3 (4-5 too?), any others?

Re:So since people are going nuts over this... (1)

julesh (229690) | more than 5 years ago | (#26773181)

I know there is the 4.2.2.2-3 (4-5 too?), any others?

Hold on... that's the unreliable DNS server that my last ISP (3 Mobile Broadband) used to hand out in the link configuration info when I connected to them. Are you saying this is a public service, and they couldn't even be bothered to run their own unreliable DNS service?

TPB (1)

irp (260932) | more than 5 years ago | (#26772895)

I've started using OpenDNS since Denmark started censoring the Piratebay. The easiest way to circumvent the block.

(TPB: My #1 source to bad 80's movies! (which I personally don't think is illegal to download, I'm assuming; since no one apparently wants to sell them, it must be because they are worthless (which, honestly, most of them are :-)))

Re:TPB (1)

causality (777677) | more than 5 years ago | (#26773217)

I've started using OpenDNS since Denmark started censoring the Piratebay. The easiest way to circumvent the block.

(TPB: My #1 source to bad 80's movies! (which I personally don't think is illegal to download, I'm assuming; since no one apparently wants to sell them, it must be because they are worthless (which, honestly, most of them are :-)))

There is one way that is easier still, which is to resolve thepiratebay.org once (it is 83.140.65.11) and then add that to your hosts file. That way you don't need to surrender the privacy of which sites you visit or which Google search terms you use to the operators of OpenDNS.

Really I'd prefer to just run my own local caching DNS server, which is what I do. I'd recommend maradns or djbdns and I'd strongly suggest staying away from BIND and its poor security history (same reason I absolutely refuse to use sendmail) unless you simply must have some feature exclusive to it. It also can't hurt to use your firewall to make sure that your local DNS server can use UDP port 53 to contact only the root DNS servers of the world (I believe there are 13 of them) and no other addresses outside of your LAN.

happy with it (1)

socsoc (1116769) | more than 5 years ago | (#26773023)

I'll probably get "OMG what are you doing?" comments for this, but my internal DNS forwarders look to OpenDNS for my small business network and I'm very satisfied.

Typo correction (yahoo.cmo) and shortcuts are very handy. I only use the categories to try and block some malware/phishing and while it's definitely not the solution, every little bit of protection helps.

My machines that actually need to know whether a domain is valid or not simply use other DNS, redirects are not a big deal and don't many cable companies do this too?

Worms will use IP addresses instead (2, Insightful)

nunoloureiro (1162373) | more than 5 years ago | (#26773545)

Besides everything (scary) that is involved in using OpenDNS as your resolver, it's true that it can block the Conficker Worm. However, Conficker worm might be the last one that OpenDNS can stop. Once the evil minds realize the power of OpenDNS, they'll start using IP addresses instead of names within their worms (period).