DNS @optonline.net |
DNS
Anon
2007-Dec-15 4:47 pm
Is it safe to use an open DNS rather than your ISP's DNS?
I currently use Optimum Online and their DNS has been very slow lately. I was advised to use Open DNS instead (208.67.222.222 and 208.67.220.220).
Is there any security risk to using an open DNS instead of Optimum's DNS? I do online banking and wanted to know if it's safe. I have read online about DNS poisoning and other DNS threats but honestly I don't completely understand how they work.
|
|
wxboss This is like Deja vu all over again. Premium Member join:2005-01-30 Fort Lauderdale, FL
1 recommendation |
wxboss
Premium Member
2007-Dec-15 5:14 pm
Back in March or maybe April of last year, myself and a lot of other Comcast users had to use a different DNS (I used a Level 3 one) just to be able to surf the net.
As far as security is concerned, I experienced 0 issues. |
|
EGeezer Premium Member join:2002-08-04 Midwest 1 edit |
to DNS
See » Verizon DSL FAQ » What are the DNS servers? for a list of DNS servers of major providers now controlled by Verizon. |
|
sded Premium Member join:2002-11-04 San Diego, CA |
sded to DNS
Premium Member
2007-Dec-15 5:16 pm
to DNS
I use the GTE/Verizon DNS servers 4.2.2.1, 4.2.2.2, 4.2.2.3 along with those of my ISP because they are easy to remember. Another good choice would be the AT&T DNS servers, 68.94.156.1 Primary 68.94.157.1 Secondary. Wouldn't know whether to trust OpenDNS, but figure Verizon and AT&T will probably keep things working.
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL |
to DNS
I use TreeWalk along with 4.2.2.2 and 4.2.2.1. TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user. » treewalkdns.com/index.htm |
|
1 recommendation |
to DNS
There is nothing about other DNS's that make them a security risk... |
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL
1 recommendation |
Just Bob
Premium Member
2007-Dec-15 5:59 pm
said by CylonRed: There is nothing about other DNS's that make them a security risk...

» arstechnica.com/news.ars ··· ers.html
|
|
to Just Bob
said by Just Bob: I use TreeWalk along with 4.2.2.2 and 4.2.2.1. TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user. » treewalkdns.com/index.htm

Treewalk is nice, but it's not necessarily faster. Depends on how fast (or not) your ISP's DNS servers are. Mine are very fast, so I notice no improvement with Treewalk, however, at one time when I was having problems with my ISP's DNS servers, Treewalk saved the day.
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL |
Just Bob
Premium Member
2007-Dec-15 6:19 pm
said by Kerodo:
said by Just Bob: I use TreeWalk along with 4.2.2.2 and 4.2.2.1. TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user. » treewalkdns.com/index.htm
Treewalk is nice, but it's not necessarily faster.

It's hard to believe any server could be faster than 127.0.0.1.
|
|
Kerodo
Member
2007-Dec-15 6:44 pm
said by Just Bob:
said by Kerodo:
said by Just Bob: I use TreeWalk along with 4.2.2.2 and 4.2.2.1. TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user. » treewalkdns.com/index.htm
Treewalk is nice, but it's not necessarily faster.
It's hard to believe any server could be faster than 127.0.0.1.

Sure, caching is faster than an actual lookup, but every time you go somewhere new, there is an actual lookup which for me took longer with the Treewalk servers. Win caches entries also, just doesn't preserve them on reboot.
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL 1 edit |
Just Bob
Premium Member
2007-Dec-15 6:55 pm
said by Kerodo: Sure, caching is faster than an actual lookup, but every time you go somewhere new, there is an actual lookup which for me took longer with the Treewalk servers. Win caches entries also, just doesn't preserve them on reboot.

Right, and TreeWalk preserves the cache over a reboot. The key issue is really the response time of the server when busy. The DNS servers from my ISP respond to a ping in half the time or better than 4.2.2.1, 4.2.2.1 (approximately 12-15 msec versus 30 - 36), but the ISP servers struggle under peak loads.
Edit - corrected ping times
|
·Metronet
1 recommendation |
to Just Bob
Redirection can happen anytime - not just from a DNS. Do you REALLY think OpenDNS is going to allow redirection that they implement to malware..? Seriously doubt it and if you do not trust any DNS (after all ANY DNS could redirect at any time) then surfing won't be a lot of fun.
With the proper precautions - redirection of any kind is not any more dangerous than surfing the web.
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL |
Just Bob
Premium Member
2007-Dec-15 7:15 pm
said by CylonRed: Redirection can happen anytime - not just from a DNS. Do you REALLY think OpenDNS is going to allow redirection that they implement to malware..? Seriously doubt it and if you do not trust any DNS (after all ANY DNS could redirect at any time) then surfing won't be a lot of fun. With the proper precautions - redirection of any kind is not any more dangerous than surfing the web.

» blogs.zdnet.com/security/?p=231
» blog.opendns.com/2007/05 ··· he-page/
I have faith that Level3 (4.2.2.2) hasn't resorted to such tactics as yet.
|
jerry666 Premium Member join:2002-12-12 Sainte-Anne-Des-Lacs, QC |
to DNS
treewalk for the last 10 years |
|
1 recommendation |
to DNS
I've been using OpenDNS for over a year now and I love it. DNS requests are super fast (they use Anycast), and they have built-in phishing site protection (via PhishTank). Plus, their stats are kinda cool... |
|
TheWiseGuy Dog And Butterfly MVM join:2002-07-04 East Stroudsburg, PA
to Just Bob
said by Just Bob: I have faith that Level3 (4.2.2.2) hasn't resorted to such tactics as yet.

Just curious, how is this a security risk? The articles you cite seem to indicate that Google and Dell are the ones redirecting to a listing with a lot of ads. Opendns does do a couple of extra things with DNS but are they really a security risk? Is correcting typos a security risk? I am curious, what is the actual security risk that opendns introduces? I recommended (I assume that is what the poster is talking about) Treewalk, opendns and other OOL servers. If there really is a security problem with opendns I wish someone would spell it out and in the future I will not recommend it.
|
|
"Opendns does do a couple of extra things with DNS but are they really a security risk?"
If they redirect you to a site other than what you requested, then yes that is a potential security risk.
"Is correcting typos a security risk?"
It is a typo if you intended to type one thing, but typed another. If OpenDNS really has implanted something in your brain to determine your intentions, then you should be very worried.
The chances are that they are not doing anything seriously nefarious. It is up to you to decide whether you trust them. My preference is to run my own DNS server.
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL |
to TheWiseGuy
TWG, In the normal course of events we would expect that our ISP has the opportunity to track our every move. We know that NSA may also have that opportunity. If we use third party DNS servers that's another opportunity for tracking. If our DNS requests are then exposed to the wonderfully wide open world of advertising companies that's yet another tracking opportunity and another potential exposure to malicious ads. If AOL, MSN, ABC, NeoPets, and many other sites can be found serving malicious ads, why would we assume that OpenDNS would not be subject to the same problems? So after all that, yes, to some extent it is both a privacy and security issue. |
|
TheWiseGuy Dog And Butterfly MVM join:2002-07-04 East Stroudsburg, PA
to nwrickert
said by nwrickert: It is a typo if you intended to type one thing, but typed another. If OpenDNS really has implanted something in your brain to determine your intentions, then you should be very worried.

Certainly, but correct me if I am wrong, they only correct where there is no DNS results for what you have typed and it is a common error in spelling. So while they of course could in a few cases misread where you wanted to go, I would guess they could be pretty accurate.

said by nwrickert: Opendns does do a couple of extra things with DNS but are they really a security risk? If they redirect you to a site other than what you requested, then yes that is a potential security risk.

I am not sure what you are referring to here, if you are talking about where there is an error in spelling for a site or the google situation or something else. I would be happy to discuss either.
|
TheWiseGuy 1 edit |
to Just Bob
said by Just Bob: TWG, In the normal course of events we would expect that our ISP has the opportunity to track our every move. We know that NSA may also have that opportunity. If we use third party DNS servers that's another opportunity for tracking.

JB, in the blog it is stated they are not tracking. So given someone wants to use an outside DNS server, which was the actual question, is there a reason to think opendns is less secure than any third party DNS server?
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL |
Just Bob
Premium Member
2007-Dec-15 11:11 pm
said by TheWiseGuy: In the blog it is stated they are not tracking. So given someone wants to use an outside DNS server, which was the actual question, is there a reason to think opendns is less secure than any third party DNS server?

For myself if nothing else it strikes me as inappropriate for a DNS server to be serving ads. It calls their business model into question and I can't help but wonder how badly they need to enhance their cash flow.
|
TheWiseGuy Dog And Butterfly MVM join:2002-07-04 East Stroudsburg, PA
Well that is their business model, so I wouldn't say they are hard up for cash. According to the New York Times article below they basically serve up a search from Yahoo. Since I use Firefox if I type a word into the URL address box, I get search results from Google, is there much difference? What is the security risk in receiving results from Yahoo instead of Google?
» www.nytimes.com/2007/07/ ··· &emc=rss
|
|
to TheWiseGuy
They also do it to "protect" you from phishing.
The point is that they are deliberately giving wrong answers to DNS queries. That's where you have to decide whether you trust them and their motivations. As far as I can tell, their motivation is to make profits which they expect to do by exposing you to advertising.
Oh, and DNS lookups are not only for web browsing, so their giving a wrong answer to redirect your browsing could affect something else.
|
TheWiseGuy Dog And Butterfly MVM join:2002-07-04 East Stroudsburg, PA
1 recommendation |
said by nwrickert: They also do it to "protect" you from phishing. The point is that they are deliberately giving wrong answers to DNS queries. That's where you have to decide whether you trust them and their motivations. As far as I can tell, their motivation is to make profits which they expect to do by exposing you to advertising.

True, but from what I gather it is similar to firefox going to google when you type a non-qualified url, they send your search to Yahoo, am I incorrect? If they simply send you to Yahoo, what is the actual security risk?

said by nwrickert: Oh, and DNS lookups are not only for web browsing, so their giving a wrong answer to redirect your browsing could affect something else.

Yes I know, I saw that argument, but it only occurs when there is no actual DNS lookup, how often will this affect the user, wouldn't this be rare where an application has a problem due to no DNS being available? Is it a security risk?
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL |
to TheWiseGuy
Read this: » www.nytimes.com/2006/08/ ··· &ei=5090
The point is that given enough data you are personally identifiable. How soon we forget. Now read their privacy policy. It doesn't leave me feeling warm and fuzzy. I'm just not in favor of ad supported programs and services. Others may feel differently.
|
TheWiseGuy Dog And Butterfly MVM join:2002-07-04 East Stroudsburg, PA
said by Just Bob: Read this: » www.nytimes.com/2006/08/ ··· &ei=5090 The point is that given enough data you are personally identifiable. How soon we forget. Now read their privacy policy. It doesn't leave me feeling warm and fuzzy.

I am not sure what part you object to, from what I understand this part of the policy is certainly better than google

quote: For customers without an account, OpenDNS removes the IP address from its logs within 2 business days. For customers with an account, such data may be stored for as long as the account is open (although, customers with an account may also choose to have DNS data purged automatically, at any time, from within their account).

said by Just Bob: I'm just not in favor of ad supported programs and services. Others may feel differently.

You certainly have that right. Almost every site that you do not pay a fee to use is supported by advertising, and while you may choose to block the ads, the Internet would be pretty barren if the majority of users blocked or did not use advertising supported sites.
|
antdude Matrix Ant Premium Member join:2001-03-25 US 1 edit
antdude to DNS
Premium Member
2007-Dec-16 12:02 am
to DNS
OpenDNS
I love OpenDNS. I love being able to block bad sites like porn, phishers, etc. I also love the statistics to see.
|
Just Bob Premium Member join:2000-08-13 Spring Hill, FL
1 recommendation |
to TheWiseGuy
Re: Is it safe to use an open DNS rather than your ISP's DNS?
said by TheWiseGuy: You certainly have that right. Almost every site that you do not pay a fee to use is supported by advertising, and while you may choose to block the ads, the Internet would be pretty barren if the majority of users blocked or did not use advertising supported sites.

Damn! You shamed me into upgrading!
|
1 edit |
to TheWiseGuy
"..., but it only occurs when there is no actual DNS lookup, ..."
Sorry, I don't understand that part.
Maybe I am sysadmin for a web server. Somebody has broken into that server, and put up a phish page. So I try to ssh into the server to take down that page. But OpenDNS is "protecting" me from that phishing site by giving a bogus DNS answer, and my attempt to ssh into the OpenDNS advertising site that they substituted of course fails - and it wouldn't have helped me even if it succeeded.
I don't use OpenDNS, so the above won't actually happen to me. But it could affect people who do use OpenDNS.
I am not trying to prevent you or anybody else from using OpenDNS. I was just answering questions about the risks involved.
|
1 recommendation |
Egeezerunplugged to TheWiseGuy
Anon
2007-Dec-16 12:37 am
to TheWiseGuy
I seem to remember Network Solutions trying the "business model" of enhancing revenue by doing redirects on 404s instead of the default responses. It screwed up a few corporate customers who had some applications break.
It seems like using an ad or search-engine supported DNS service isn't any different than using any other ad-supported service. The important thing is whether the DNS service is trustworthy and open about its business model and routing of requests.
I occasionally hunt for DNS servers with low latency and use those. Of course there's always fastcache or other local caching apps to speed up common requests. |
|