
OpenDNS Phases Out Redirection To Guide

timothy posted about 5 months ago | from the good-on-them dept.

The Internet 90

First time accepted submitter Jim Efaw (3484) writes "Tired of the OpenDNS Guide surprise from website-unavailable.com when you go to an old link or a typo from some ISPs? Relief is at hand: On June 6, 2014, OpenDNS will stop redirecting dead hostnames to Guide and its ads; the OpenDNS Guide itself will shut down sometime afterwards. OpenDNS nameservers will start returning normal NXDOMAIN and SERVFAIL messages instead. Phishing protection and optional parental controls will still stay in place."


Run your own resolver (1)

Anonymous Coward | about 5 months ago | (#47140025)

Control your own DNS

Re:Run your own resolver (0, Flamebait)

Anonymous Coward | about 5 months ago | (#47140073)

DNS is too complex: host files FTW

Re:Run your own resolver (4, Funny)

Ginger Unicorn (952287) | about 5 months ago | (#47140269)

Careful, you'll summon ...him

Re:Run your own resolver (0)

Anonymous Coward | about 5 months ago | (#47140745)

Careful, you'll summon ...him

Oh, now I get it. The K stands for Ktulu...

But what about the A and the P?

That's my biggest fan you're talking about there. (1)

mmell (832646) | about 5 months ago | (#47141309)

Take it easy on him. He was abused as a child.

You actually seem to be a fan of apk's (0)

Anonymous Coward | about 5 months ago | (#47146249)

he seems to be a pretty fair programmer by mmell (832646) on Friday May 23, 2014 @02:29PM (#47076923) from http://slashdot.org/comments.p... [slashdot.org]

After all, You're the one that said he's a decent programmer, mmell!

Re: You actually seem to be a fan of apk's (1)

mmell (832646) | about 5 months ago | (#47146317)

You are . You also need professional help. The two are not mutually exclusive.

Re: You actually seem to be a fan of apk's (0)

Anonymous Coward | about 5 months ago | (#47147141)

Saw your post history. You're obsessed with apk, even now. Take your own advice. Get help.

Re: You actually seem to be a fan of apk's (1)

Ginger Unicorn (952287) | about 4 months ago | (#47172735)

to be fair, apk is a fascinating character.

Worse yet. (1)

mmell (832646) | about 5 months ago | (#47141357)

You may make him commit suicide again. He's done it before, you know.

Re:Worse yet. (1)

gargleblast (683147) | about 5 months ago | (#47144385)

You may make him commit suicide again. He's done it before, you know.

Did he redirected?

You seem to be a fan of apk's, mmell (0)

Anonymous Coward | about 5 months ago | (#47146815)

he seems to be a pretty fair programmer by mmell (832646) on Friday May 23, 2014 @02:29PM (#47076923) from http://slashdot.org/comments.p... [slashdot.org]

You said apk's a decent programmer, mmell!

As I mentioned elsewhere, you are. (1)

mmell (832646) | about 5 months ago | (#47147059)

But . . . you also are clearly in need of some help. One does not preclude the other.

The problem is that knowing you to be mentally unstable at best, permitting your software to run within my network would be foolish at best, insane at worst. Witness your habit of referring to yourself in the third person. You may think that's perfectly normal, but unless you were born to the blood royal it isn't.

Really - can you possibly believe that you wouldn't be recognized? Have you not noticed that you are not taken seriously here? You're a joke around here, and a bad one at that. A perfectly good programmer incapable of producing a usable program because of concerns regarding your mental health.

This is not a difficult problem to solve. When your issues have been addressed it will become obvious to the rest of us. Until then, any competent administrator will consider your software unsafe for use and you will not be taken seriously. The only possible exception would be people who are unaware of this side of your personality, and it would almost require an act of wilful blindness on the part of a professional administrator.

I'm glad you have chosen to approach this contact more openly. I am perfectly capable of reasonably admitting my mistakes (believe me, I've made quite a few more than you'll ever know about, youngster). I submit that should be your next step as well. It may not be as satisfying as venting your frustration but I think you will find it surprisingly productive.

Re:As I mentioned elsewhere, you are. (0)

Anonymous Coward | about 5 months ago | (#47147131)

Looked at your post history. You're obsessed with apk, even now. Take your own advice. Get help.

Re: As I mentioned elsewhere, you are. (1)

mmell (832646) | about 5 months ago | (#47147613)

I'm not the one referring to himself in the third person.

Re: As I mentioned elsewhere, you are. (0)

Anonymous Coward | about 5 months ago | (#47148295)

Nor am I: You're obsessed. I merely pointed out fact.

Re: As I mentioned elsewhere, you are. (0)

Anonymous Coward | about 4 months ago | (#47185343)

Apk, why are you stalking mmell? He seems to be trying to be your friend.

How many friends do you actually have? And no, the imaginary type don't count (and neither do the voices). Stop trying to alienate the people who are trying to befriend you.

Re: As I mentioned elsewhere, you are. (0)

Anonymous Coward | about 4 months ago | (#47235577)

Notice mmell is the one stalking apk + libeling him and had to eat his words on that account http://slashdot.org/comments.p... [slashdot.org] saying he made a mistake calling apk's program a malware then he libeled him more saying he likes little boys http://slashdot.org/comments.p... [slashdot.org] clearly showing mmell is a total loser who couldn't validly disprove apk's points on hosts files (causing his trolling harassment stalking of apk) totally blowing it saying apk is trying to replace dns when hosts work with dns as apk uses them securing against dns security failures http://tech.slashdot.org/comme... [slashdot.org] so now you can eat your words like mmell did, asshole.

Re:Run your own resolver (0)

Anonymous Coward | about 5 months ago | (#47140421)

I think this is the wrong site to be saying that on. Anywho just Google it and you'll see it's quite easy.

Re:Run your own resolver (1)

laie_techie (883464) | about 5 months ago | (#47147073)

DNS is too complex: host files FTW

So, instead of a single place to update, I'd have to update the dozen or so internet devices on my network?

Better than DNS redirect security issues (0)

Anonymous Coward | about 5 months ago | (#47150591)

Hosts fix those. That's a known solution. Updating's easy from a central LAN location (batchfiles, logon scripts, or other scripting tools + scheduled tasks or cronjobs)! DNS also uses more electrical power, cpu cycles, RAM, & other forms of I/O as well, needlessly (hosts complement DNS in fact).

DNS has security issues (0)

Anonymous Coward | about 5 months ago | (#47150613)

Hosts solve that & work WITH DNS (I use OpenDNS myself) securing it vs. Kaminsky flaw redirects + fastflux & dynDNS using botnets - THIS program's "best of breed" per Malwarebytes' hpHosts:

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish & trackers), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization).

* Addons are more complex + slowup browsers & in message passing (use a few concurrently - you'll see)

** Addons slowdown SLOWER usermode browsers layering on MORE - bloating memory consumption too + hugely excessive CPU usage (4++gb extra in FireFox https://blog.mozilla.org/nneth... [mozilla.org] )

SO - Instead, I work w/ what you have in kernelmode, via hosts (A tightly integrated PART of the IP stack itself)

APK

P.S.=> "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk

Re:Run your own resolver (0)

Anonymous Coward | about 5 months ago | (#47140081)

If I want to visit a website I just add an entry in /etc/hosts.

Re:Run your own resolver (0)

Anonymous Coward | about 5 months ago | (#47140103)

If I want to visit a website I just add an entry in /etc/hosts.

Really you can't remember IPs?

Re:Run your own resolver (0)

Anonymous Coward | about 5 months ago | (#47140123)

Yeah, that guy's a noob.

# telnet 68.3.24.66
GET /index.html HTTP/1.1
Host: google.com

Re:Run your own resolver (1)

kwark (512736) | about 5 months ago | (#47140141)

You patched your telnet to connect to port 80 by default? Or is the telnet command an alias?

Re:Run your own resolver (0)

Anonymous Coward | about 5 months ago | (#47140435)

I can think of two possibilities. He edited his routing table so 68.3.24.66 is a telnet server which immediately connects to the real 68.3.24.66 at port 80. Either that or he's aliased telnet to lynx then patched lynx so the HTTP transaction has to be performed manually.

A third possibility is that he's used the HTTP Perl-style Comment Extensions, so he's already connected, and that # telnet line is just ignored by the server. If he's using a transparent logging proxy, he might have put it in there to remind himself to telnet to 68.3.24.66 at a later date. So that's three - three plausible possibilities.

Alternatively, he's using a shell which prompts for missing arguments, and he's Australian and we're supposed to read this upside down. He accidentally pasted the wrong three lines, so we see what he did after he finished rather than before he began.

Re:Run your own resolver (2)

Radak (126696) | about 5 months ago | (#47140655)

I'm going to go with "he thinks he looks k00l if he can use words like 'telnet' and 'GET' on a Slashdot post".

Re:Run your own resolver (0)

Anonymous Coward | about 5 months ago | (#47141259)

I'd be really impressed if he did a working request over TLS 1.2 to Google.

Re:Run your own resolver (1)

rubycodez (864176) | about 5 months ago | (#47141277)

you are week-old n00b, use https and check those certificates

openssl s_client -connect google.com:443
CONNECTED(00000003)

GET / HTTP/1.0

Re:Run your own resolver (0)

Anonymous Coward | about 5 months ago | (#47140661)

Have fun with those pesky vhosts!

Re:Run your own resolver (1)

red crab (1044734) | about 5 months ago | (#47140701)

Wait till we switch to IPv6...

Re:Run your own resolver (1)

laffer1 (701823) | about 5 months ago | (#47141689)

Oh I got this...

telnet 2001:4978:f:d9::2 80
Trying 2001:4978:f:d9::2...
Connected to cl-218.chi-02.us.sixxs.net.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.midnightbsd.org

HTTP/1.1 200 OK
Date: Sun, 01 Jun 2014 17:02:59 GMT
Server: Apache/2.2.25 (MidnightBSD)
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

Re:Run your own resolver (1)

Plouf (957367) | about 5 months ago | (#47140349)

Sure, and Linux being completely secure this means you need to open a text editor with root privileges each time you visit a website, mmh...

Re:Run your own resolver (1)

mmell (832646) | about 5 months ago | (#47142269)

RBAC/SELinux will handle that nicely. Done right, those systems will even let you remove the root account entirely.

Beyond which, if I have root there's no security problem, is there? (With the exception of me having root in the first place, that is).

This also explains why a certain worthless hostfile manager for Windows runs in ring zero. To defeat security. Can't conceive any other reason why, unless the programmer was just too stupid to properly design his work. Sort of explains why the code isn't somewhere reputable, like CNET, or SourceForge, or even (*shudder*) Tucows. It's the kind of mistake one would expect from a young, inexperienced programmer with delusions of adequacy.

Re:Run your own resolver (1)

Z00L00K (682162) | about 5 months ago | (#47140135)

I already do - it's easy enough if you have a Linux box. No need to depend on filtered stuff from your ISP.

If you read in between the lines (2, Insightful)

Anonymous Coward | about 5 months ago | (#47140091)

"We can make enough money from selling your IP and the domains you look up."

Re:If you read in between the lines (1)

postbigbang (761081) | about 5 months ago | (#47140479)

Exactly that.

Hello, Seagate rep? Yeah, we're gonna need a freaking exabyte to store our new hadoop engine data--yeah, the ones with the ready-to-sort web page script filters.

How many? How many does a 53' semi-trailer hold? Really? Yeah, here's the PO #.

Re:If you read in between the lines (5, Informative)

davidu (18) | about 5 months ago | (#47140835)

Nope. Never. We've never sold our data. We've never even used it for marketing purposes internally.

We've only ever made money from one of three things: Ads, selling individuals an ad-free version, and enterprise security services.

Today, most all of our revenue, and all of our growth, comes from selling enterprise security. If you work in IT, it's worth checking out to improve your security posture. There's a lot more to it than you might guess.

-David

Re:If you read in between the lines (1)

Anonymous Coward | about 5 months ago | (#47141025)

2 digits! He must be legit

Re:If you read in between the lines (0)

Anonymous Coward | about 5 months ago | (#47141435)

Or an ebay/sold account...

Re:If you read in between the lines (2)

davidu (18) | about 5 months ago | (#47141931)

I was here before it was Slashdot...

Just stop. (1)

mmell (832646) | about 5 months ago | (#47142543)

Be satisfied that your UID is higher than their apparent IQ.

Puts it in perspective, don't you think?

Re:If you read in between the lines (1)

metrix007 (200091) | about 4 months ago | (#47166695)

What was it before it was Slashdot? Just curious.

Re: If you read in between the lines (-1)

Anonymous Coward | about 5 months ago | (#47141273)

Still lying to you. They say "We always want to do what's best for you." If that was really the truth then why would they break a standard internet protocol just so they could serve ads to you? The fact is they did it for money. They whored out your eyes to a bunch of marketers and now they are lying to you about why they did it.

Re: If you read in between the lines (4, Insightful)

davidu (18) | about 5 months ago | (#47141371)

What are you talking about? You might not have liked the ads, but we never lied about anything. Our service was super clear about how it worked. And for those who didn't like the redirection, it has always been possible to create an account and disable that part of the service.

Re: If you read in between the lines (-1)

Anonymous Coward | about 5 months ago | (#47141563)

Or, as I did, use Google's instead. They have much easier to remember IPs too - I did remember openDNS's at some point, but now... not so much.

As to security, I can only imagine CloudFlare are killing you. This must be a last-ditch to get enough traffic to survive.

Nice idea, poor execution.

Re:If you read in between the lines (1)

Voyager529 (1363959) | about 5 months ago | (#47141855)

David,

Thanks for responding here. You sure don't see the guys over at Comcast responding directly to the Slashdot crowd, so respect there.

One thing I've been hoping that OpenDNS would adopt is the system that FoolDNS uses to thwart tracking and redirects. I'll be honest and say that I switched my router's DNS addresses to FoolDNS for that reason. Is there any meaningful discussion within OpenDNS to provide a service like this?

Thanks!

Re:If you read in between the lines (1)

unity (1740) | about 5 months ago | (#47144689)

Good to know. I've been using you guys for a long time now; it's a great service. Best of luck with the security services.

That's why I use Google DNS (1)

ssufficool (1836898) | about 5 months ago | (#47142893)

I trust them not to sell my data for marketing purposes : https://developers.google.com/... [google.com]

Re:That's why I use Google DNS (0)

Anonymous Coward | about 5 months ago | (#47144803)

I trust them not to sell my data for marketing purposes : https://developers.google.com/... [google.com]

And this:
https://developers.google.com/... [google.com]

Especially the part about what they permanently log (almost everything), and what they "promise" to delete within 24-48 hours. Or at least what they're promising today.

Business model (1, Funny)

fph il quozientatore (971015) | about 5 months ago | (#47140115)

Wait, how will they make money then?

Oh, right. The usual answer. Selling our data.

Re:Business model (0)

Anonymous Coward | about 5 months ago | (#47140175)

Edgy, bro, tip o' le Fedora to you. They have a premium service.

Re:Business model (1)

gl4ss (559668) | about 5 months ago | (#47140237)

yeah the premium paid users' IPs are even more worthy: these guys will pay money for nothing.

Re:Business model (-1)

Anonymous Coward | about 5 months ago | (#47140185)

Wait, how will they make money then?

I would just kidnap some niggers

Re:Business model (-1, Troll)

Anonymous Coward | about 5 months ago | (#47140339)

Wait, how will they make money then?

I would just kidnap some niggers

no don't do that. just look at Harlem (from a good safe distance!) for a picture of the long-term consequences of that.

the nigger's origin in a faraway continent and the nigger's inability to come up with seafaring vessels on his own (or invent much of anything really unless you like spears and peanuts) are actually great fortunes meant to protect civilization. do you see now what greed and laziness does?

if my great great grandpappy knew things would be this way he'd of picked his own cotton!!

Re:Business model (2)

jbmartin6 (1232050) | about 5 months ago | (#47140241)

It is not "your" data, it is data about you. Data that you are freely giving them.

Re:Business model (0)

Anonymous Coward | about 5 months ago | (#47140319)

Uhm, yeah, I give them information about as much as celebrities give their pictures to paparazzi, but there's not much you can do about the fact that the sleazy a-holes are hiding and snapping pictures/collecting data.

Re:Business model (0)

Anonymous Coward | about 5 months ago | (#47140357)

Uhm, yeah, I give them information about as much as celebrities give their pictures to paparazzi, but there's not much you can do about the fact that the sleazy a-holes are hiding and snapping pictures/collecting data.

Identifying the people who give a fuck about "celebrity gossip" and convincing them all to get a fucking life is an NP-hard problem. After all they didn't become so smallminded and frivolous overnight. Until large numbers of them do get a life and some priorities and maybe a hobby or some friends or a concern for shit that's actually important, there will always be big financial incentives for sleazy paparazzi.

Re:Business model (0)

Anonymous Coward | about 5 months ago | (#47140777)

Until large numbers of them do get a life and some priorities and maybe a hobby or some friends or a concern for shit that's actually important, there will always be big financial incentives for sleazy paparazzi.

Hey now! Me and my friends do have a hobby.

We collect and share pictures of celebrities. It's our number 1 priority.

Re:Business model (1)

jbmartin6 (1232050) | about 5 months ago | (#47140243)

From TFA:

But we’re excited to report that in the past few years we’ve built a thriving enterprise security business and now have more than 10,000 happy, paying customers.

Re:Business model (1)

houghi (78078) | about 5 months ago | (#47140723)

So where can I find a single PC caching DNS server that I can use. If possible only one file, no configuration (except perhaps pointing to 127.0.0.1) and installable by my grandma.

Oh and obviously it should be free (at least as in speech)

That way I do not need a third party server that will either block sites or use my data. Well, not me, as I already run my own DNS server, but for others this might be a great tool to use.

Because what most people want (and might even need) is just to get to the site. If they want more extended support, there are many other solutions available already.

What would be the requirements:
1) One program (and thus simple install)
2) Only accept connections from localhost
3) Do the standard lookup of DNS starting at root
4) Just point to localhost

So no configuration. No directing towards another server. No nothing else. Just one program running.

SimpleDNS is already way too complex (although most likely good in what it does)

Unfortunately I am a lousy programmer. Otherwise I would have already made it myself. Any takers? Running it on multiple platforms would be great, obviously.

Re:Business model (1)

simplypeachy (706253) | about 5 months ago | (#47141077)

If you're looking to block access to a given list of domains/host names, Privoxy can be configured to do this and no more. If you're actually looking just to do DNS caching on your grandma's computer, try this from an elevated command prompt:

sc config dnscache start= auto
net start dnscache

Then type out 1000 times: I will not turn off the local DNS caching system.

Re:Business model (5, Informative)

davidu (18) | about 5 months ago | (#47140839)

Nope. Never.

We wouldn't make such a case for turning off ads if this was our business model going forward. You could visit our site and see how we make money. We sell security services. We never could have done it without first being a consumer service, but we're not selling your data. Come on.

-David

Re:Business model (-1)

Anonymous Coward | about 5 months ago | (#47140987)

Screw you, nobody needs your shitty DNS service.

captcha: ailment

Re:Business model (0)

Anonymous Coward | about 5 months ago | (#47141175)

> but we're not selling your data. Come on.

I skimmed your site and did not see an explicit claim along those lines. I note that you have a direct link on every page to your anti-censorship policy in which you say you won't do business with censor-happy organizations. But I couldn't find a straight-forward explanation of your information collection, retention and re-distribution policies. The closest thing to that was the legal boilerplate on the privacy policy page, but that's not even close to addressing the concerns being expressed here.

I get that these accusations can be vexing for someone running the company. But we aren't in your head, all we have to go on are official statements on your website and a cynicism that's informed by common internet business practices. Coming up with a formal and public policy addressing these concerns would do two important things:

(1) Reassure users
(2) Provide good internal direction - writing it out makes it harder for "policy drift" where what is unreasonable today becomes reasonable tomorrow

Re:Business model (5, Informative)

davidu (18) | about 5 months ago | (#47141267)

We have been building a data privacy and data usage policy document that we plan to release soon.

One of the many, many reasons to turn off ads is that we had to share some potentially personally identifiable information with ad partners (indirectly when making ad requests, they would just see it in the ad request), so by turning off ads, our privacy / data policy will be a lot more clear and will not need to have weird "certain third parties for certain services" kind of language to address the advertising business.

We're waiting to turn off ads, we'll get the document cleaned up, and we'll publish it.

-David

Re:Business model (0)

Anonymous Coward | about 5 months ago | (#47141571)

So when you do that, people might trust you more. It's not unreasonable to be suspicious when your current state is 'trust us, it's coming, honest'.

Re:Business model (1)

fph il quozientatore (971015) | about 5 months ago | (#47142581)

Thanks for the informative answer. I am looking forward to reading the new data privacy policy, to back up your claims.

Open DNS redirect (-1)

Anonymous Coward | about 5 months ago | (#47140219)

Dat nigga been in my host phile fow show, yo.

Click baiter (0)

Anonymous Coward | about 5 months ago | (#47140233)

Self referencing article complete with links to itself. Post click bait, profit!

OpenDNS sucks less than everyone else (1, Redundant)

SpzToid (869795) | about 5 months ago | (#47140239)

I like the OpenDNS free service, because compared to everything else out there I know of for doing the same job, they suck less than all other options.

Using my ISPs, or VPNs, Google's, or having to roll my own all suck even more.

Re:OpenDNS sucks less than everyone else (2)

drinkypoo (153816) | about 5 months ago | (#47140271)

Using my ISPs, or VPNs, Google's, or having to roll my own all suck even more.

So what sucks about using google? Don't trust them? I guess that's a valid concern, but I wouldn't say it causes suckage.

Re:OpenDNS sucks less than everyone else (0)

Anonymous Coward | about 5 months ago | (#47142097)

It isn't useful to pick a single narrow definition of "suck" and then complain that other people's definitions aren't as restricted as yours. He didn't say "specific technical concerns" he used a very general colloquialism.

I use google's DNS behind a VPN with a bunch of other people who also use google's DNS so my queries get (mostly) lost in the crowd. But if that option weren't available to me, I would definitely define that lack of trust as a big source of suckage.

Re:OpenDNS sucks less than everyone else (1, Insightful)

SpzToid (869795) | about 5 months ago | (#47142345)

Wow, I can't believe my original post got down-modded to a zero. Regardless, I'll clarify per your request.

Google is an advertising company that at-minimum aggregates, so I trust them less than OpenDNS with my DNS service. Simple as that. But especially since OpenDNS has made clear they are a security company and they don't want to mess with those profits, while advertising actually messes with the stated mission of theirs and they want to completely jettison it now, hence their recent changes made public now in the TFA.

I like OpenDNS as a free security service, and I like them even more for the recent changes they've made. There. I said it again. Mod away. I can handle it.

Disclaimer: I am only a user of their free DNS service, and have never registered with them.

Re:OpenDNS sucks less than everyone else (0)

Anonymous Coward | about 5 months ago | (#47145809)

Disclaimer: I am only a user of their free DNS service, and have never registered with them.

I apologise for doing this, but I feel compelled to point out that this is a disclosure, not a disclaimer.
</pedantmode>

Re:OpenDNS sucks less than everyone else (1)

SpzToid (869795) | about 5 months ago | (#47147607)

Thank you for taking the time and effort to educate me on something that clearly I needed to be educated on. I appreciate your consideration and effort very much AC.

Good! (3, Interesting)

Anonymous Coward | about 5 months ago | (#47140287)

My company used to use OpenDNS, but then they'd resolve websites that went MIA and our automated scripts wouldn't know that and vomited on what OpenDNS fed them. We're using Google DNS now and it works perfectly. Gets around all the problems introduced by BT mangling the DNSSEC chain.

Ask Slashdot: to-disk caching emergency resolver? (3, Interesting)

TheRealHocusLocus (2319802) | about 5 months ago | (#47140361)

Being a prepper of sorts, and seeing the Gub'mint positioning itself to hijack DNS in order to exert control (or potentially just shut everything down by attacking this low hanging fruit) I've been looking around for a very specific type of resolver, which can be placed manually into one of several modes:

NORMAL: all lookups are resolved with network queries (as a standalone resolver OR as a 'thin' resolver which just forwards to some upstream DNS server). The results are returned as a real-time resolver does, but are also cached permanently to disk in a database that will inevitably grow over time.

FALLBACK 1, fill in the blanks: when a real result is received yet it is a fail (NOERROR,SRVFAIL,NXDOMAIN), as might be the case in a hypothetical shutdown attack, a stored query that had a positive result is returned.

FALLBACK 2, DNS network down/disabled: all queries are returned from the database and network lookups are not attempted.

So while we are resolving normally a database is being created for emergency use, yet if some disruption to DNS occurs it would be possible to switch to one of the fallback modes to surf -- if not completely, at least with some reasonable level of success...

A desirable feature would be to store a maintainable list of 'poison' ip/net masks of known DHS/ICE webservers, so any A records matching this list are NOT treated as real results, and trigger fallback action. Another desirable feature would be explicit (and implicit via matching of results) recognition of wildcard DNS schemes such as gobblegook.realdomain.com so repeated resolves of these do not overwhelm the database. But there might be some gruesome heuristics behind this.

I realize OpenDNS is in itself a step in this direction, but the local fallback resolver would also give you options for cases when OpenDNS itself is not reachable, such as a hostile/draconian ISP that rewrites DNS packets to point to its own servers.
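The three modes described in the post above, as an added sketch that is not part of the original thread or any existing resolver. It assumes a hypothetical `upstream(name)` callable that returns `(rcode, [addresses])`, keeps only clean positive answers in SQLite, and treats an offline cache miss as SERVFAIL; all addresses and the poison range are constructed documentation ranges.

```python
import ipaddress
import sqlite3
import time
from enum import Enum


class Mode(Enum):
    NORMAL = 1       # answer from the network, remember every good answer
    FILL_BLANKS = 2  # FALLBACK 1: failed or poisoned live answer -> stored answer
    OFFLINE = 3      # FALLBACK 2: stored answers only, no network lookups


FAIL_RCODES = {"SERVFAIL", "NXDOMAIN"}


class FallbackResolver:
    def __init__(self, upstream, poison_nets=(), db_path=":memory:"):
        # upstream(name) -> (rcode, [address strings]) is a hypothetical hook
        # standing in for a real recursive or forwarding lookup.
        self.upstream = upstream
        self.poison = [ipaddress.ip_network(n) for n in poison_nets]
        self.mode = Mode.NORMAL
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS good "
            "(name TEXT PRIMARY KEY, addrs TEXT, seen REAL)")

    def _poisoned(self, addrs):
        # True if any returned address falls inside a listed network.
        return any(ipaddress.ip_address(a) in net
                   for a in addrs for net in self.poison)

    def _store(self, name, addrs):
        self.db.execute("INSERT OR REPLACE INTO good VALUES (?, ?, ?)",
                        (name, ",".join(addrs), time.time()))
        self.db.commit()

    def _stored(self, name):
        row = self.db.execute(
            "SELECT addrs FROM good WHERE name = ?", (name,)).fetchone()
        return row[0].split(",") if row else None

    def resolve(self, name):
        """Return (rcode, addresses, source); source is 'live' or 'stored'."""
        name = name.rstrip(".").lower()
        if self.mode is Mode.OFFLINE:
            addrs = self._stored(name)
            if addrs:
                return ("NOERROR", addrs, "stored")
            return ("SERVFAIL", [], "stored")  # assumption: miss == SERVFAIL
        try:
            rcode, addrs = self.upstream(name)
        except OSError:
            rcode, addrs = "SERVFAIL", []
        # An empty NOERROR answer counts as a failure, as in the post.
        bad = rcode in FAIL_RCODES or not addrs or self._poisoned(addrs)
        if not bad:
            self._store(name, addrs)  # only clean positive answers are kept
            return (rcode, addrs, "live")
        if self.mode is Mode.FILL_BLANKS:
            old = self._stored(name)
            if old:
                return ("NOERROR", old, "stored")
        return (rcode, addrs, "live")  # NORMAL passes the live result through


if __name__ == "__main__":
    # Constructed upstream: one good answer that later turns into a redirect.
    table = {"example.org": ("NOERROR", ["192.0.2.10"])}
    r = FallbackResolver(lambda n: table.get(n, ("NXDOMAIN", [])),
                         poison_nets=["203.0.113.0/24"])
    print(r.resolve("example.org"))
    table["example.org"] = ("NOERROR", ["203.0.113.5"])
    r.mode = Mode.FILL_BLANKS
    print(r.resolve("example.org"))
```

Stored answers never expire here, so a site that legitimately renumbers will keep resolving to its old address in the fallback modes.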

Re:Ask Slashdot: to-disk caching emergency resolve (2)

evilviper (135110) | about 5 months ago | (#47140969)

MaraDNS caches to memory, not disk, but will return expired DNS records to the client when there is no answer from authoritative sources.

PowerDNS can connect to a database backend, which can then permanently store a huge collection of DNS records.

Re:Ask Slashdot: disk caching emergency resolver (1)

TheRealHocusLocus (2319802) | about 5 months ago | (#47152033)

powerdns can connect to a database backend, which can then permanently store a huge collection of dns records.

thanks kindly, this route looks the most promising.

All; the other relevant details of my response including a sketch of how I could implement this idea are OMITTED because I am being harassed by Slashdot's 'Lameness filter' and rather than engage in some investigatory process (hint: it had nothing to do with CAPS) I said Fuck It. Time to move to Pipedot?.

Re: Ask Slashdot: to-disk caching emergency resolv (0)

Anonymous Coward | about 5 months ago | (#47141081)

Any modern DNS server has caching built in or comes with a cache of some sort.
Having a manually maintained list of hostname-to-IP records is gonna be tricky, since big sites do Geo-balance / load-balance with DNS and may even change IP on a whim.

Re:Ask Slashdot: to-disk caching emergency resolve (0)

Anonymous Coward | about 5 months ago | (#47142685)

"I realize OpenDNS is in itself a step in this direction, but the local fallback resolver would also give you options for cases when OpenDNS itself is not reachable, such as a hostile/draconian ISP that rewrites DNS packets to point to its own servers."

If your ISP redirects DNS requests, running a resolver will not help you (it makes requests to other servers that will be redirected). So you have to run it somewhere else (making you dependent on other external services) and either use an alternate port for requests or some kind of VPN.

OpenNIC (2)

cancerouspete (2746963) | about 5 months ago | (#47140497)

Use OpenNIC instead - less shenanigans

Just like (5, Insightful)

Antique Geekmeister (740220) | about 5 months ago | (#47140657)

The _behavior_ of redirecting failed DNS lookups to an advertising server is unsurprising. Roughly 10 years ago, Verisign did much the same thing to the master servers for '*.com', and broke the concept of getting a "no such record" result for everyone in the world using ".com" addresses.

http://slashdot.org/story/03/0... [slashdot.org]

Many, many people were _extremely_ upset when this unannounced change occurred. It broke tools worldwide that were used to verify DNS configurations, and it routed email that was misspelled or had failed DNS to Verizon's advertising DNS IP addresses. I was never sure if Verisign bothered to do anything with all the DNS connection requests, FTP requests, SSH requests, or everything else redirected to their sites, but it left Verisign in charge of a tremendous amount of data and potential network manipulation.

People, and software, have become more accustomed to such DNS abuse. But it's still problematic if you don't realize it's going on.
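One way to notice the rewriting described in the comment above, as an added example that is not code from the poster: look up random names that cannot plausibly exist and see whether addresses come back instead of a failure. The function names, the probed TLDs and the injectable `lookup` hook are assumptions made for the example.

```python
import secrets
import socket
from collections import Counter


def system_lookup(name):
    """Return the A records the system resolver gives for `name` ([] if none)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # socket.gaierror / herror: NXDOMAIN, SERVFAIL, timeout
        return []


def probe_nxdomain_rewriting(lookup=system_lookup, tlds=("com", "net", "org"), probes=3):
    """Look up random names that should not exist and report what came back.

    Returns (rewritten, landing_ips). `rewritten` is True when any probe got an
    address instead of a failure; `landing_ips` lists addresses returned for
    more than one unrelated random name, i.e. the redirect target itself.
    """
    hits = Counter()
    answered = 0
    for tld in tlds:
        for _ in range(probes):
            # 20 random hex characters; the trailing dot stops search-domain expansion.
            name = f"{secrets.token_hex(10)}.{tld}."
            addrs = set(lookup(name))
            if addrs:
                answered += 1
                hits.update(addrs)
    landing = sorted(ip for ip, count in hits.items() if count > 1)
    return answered > 0, landing


def strip_landing(addrs, landing_ips):
    """Drop landing addresses so a rewritten answer reads as 'no such record'."""
    return [a for a in addrs if a not in landing_ips]
```

Tools that depend on a real "no such record" result can run the probe at start-up and pass later answers through `strip_landing`.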

Re:Just like (-1)

Anonymous Coward | about 5 months ago | (#47141457)

What are you doing to make a weblink clickable?

Re:Just like (0)

Anonymous Coward | about 5 months ago | (#47145043)

Not using beta.

Meanwhile, scumbag Verizon... (1)

Anonymous Coward | about 5 months ago | (#47140707)

Verizon just started redirecting their business class DSL users to Yahoo! search results for bad domains a few weeks ago. Maybe that is what changed OpenDNS's mind about the ads -- they decided they didn't want to be as scummy as Verizon ;-) Oh, and Yahoo!, stay classy.

This was always optional! (1)

raburton (1281780) | about 5 months ago | (#47141609)

Doesn't look like a lot of people knew this - you could turn this off. I see people complaining about this feature and how it broke their tools when they used it at work, but it was always (afaik) optional and I always had it turned off, if you found it a problem you could have too.

Re:This was always optional! (1)

Anonymous Coward | about 5 months ago | (#47144993)

As far as I could tell, turning off OpenDNS Guide was not optional unless you created an account, so a large number of people believed that their only options were between being intercepted by malware-style redirections or creating an account with the organization that seemed to be behind the malware-style behavior. When you perceive you are being abused by someone, do you then create an account with them at their request, to see if they're going to be less or more abusive now that you've let them know you're willing to do whatever they tell you to do on their own terms? Don't tech-savvy computer users spend a good portion of our time teaching people not to interact with anything that looks like they're infecting the users' Internet access that way? The right behavior is to stop it, which is what OpenDNS seems to be doing.
