DNS
@optonline.net

DNS

Anon

Is it safe to use an open DNS rather than your ISP's DNS?

I currently use Optimum Online and their DNS has been very slow lately. I was advised to use Open DNS instead (208.67.222.222 and 208.67.220.220).

Is there any security risk to using an open DNS instead of Optimum's DNS? I do online banking and wanted to know if it's safe. I have read online about DNS poisoning and other DNS threats but honestly I don't completely understand how they work.

wxboss
This is like Deja vu all over again.
Premium Member
join:2005-01-30
Fort Lauderdale, FL

1 recommendation

wxboss

Premium Member

Back in March or maybe April of last year, myself and a lot of other Comcast users had to use a different DNS (I used a Level 3 one) just to be able to surf the net.

As far as security is concerned, I experienced 0 issues.

EGeezer
Premium Member
join:2002-08-04
Midwest

1 edit

EGeezer to DNS

Premium Member

to DNS
See »Verizon DSL FAQ »What are the DNS servers? for a list of DNS servers of major providers now controlled by Verizon.

sded
Premium Member
join:2002-11-04
San Diego, CA

sded to DNS

Premium Member

to DNS
I use the GTE/Verizon DNS servers 4.2.2.1, 4.2.2.2, 4.2.2.3 along with those of my ISP because they are easy to remember. Another good choice would be the AT&T DNS servers, 68.94.156.1 Primary 68.94.157.1 Secondary. Wouldn't know whether to trust OpenDNS, but figure Verizon and AT&T will probably keep things working.
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

Just Bob to DNS

Premium Member

to DNS
I use TreeWalk along with 4.2.2.2 and 4.2.2.1.

TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user.
»treewalkdns.com/index.htm

CylonRed
MVM
join:2000-07-06
Bloom County

1 recommendation

CylonRed to DNS

MVM

to DNS
There is nothing about other DNS's that make them a security risk...
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

1 recommendation

Just Bob

Premium Member

said by CylonRed:

There is nothing about other DNS's that make them a security risk...
»arstechnica.com/news.ars ··· ers.html
Kerodo
join:2004-05-08

Kerodo to Just Bob

Member

to Just Bob
said by Just Bob:

I use TreeWalk along with 4.2.2.2 and 4.2.2.1.

TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user.
»treewalkdns.com/index.htm
Treewalk is nice, but it's not necessarily faster. Depends on how fast (or not) your ISP's DNS servers are. Mine are very fast, so I notice no improvement with Treewalk, however, at one time when I was having problems with my ISP's DNS servers, Treewalk saved the day.
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

Just Bob

Premium Member

said by Kerodo:

said by Just Bob:

I use TreeWalk along with 4.2.2.2 and 4.2.2.1.

TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user.
»treewalkdns.com/index.htm
Treewalk is nice, but it's not necessarily faster.
It's hard to believe any server could be faster than 127.0.0.1.
Kerodo
join:2004-05-08

Kerodo

Member

said by Just Bob:

said by Kerodo:

said by Just Bob:

I use TreeWalk along with 4.2.2.2 and 4.2.2.1.

TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user.
»treewalkdns.com/index.htm
Treewalk is nice, but it's not necessarily faster.
It's hard to believe any server could be faster than 127.0.0.1.

Sure, caching is faster than an actual lookup, but every time you go somewhere new, there is an actual lookup which for me took longer with the Treewalk servers. Win caches entries also, just doesn't preserve them on reboot.
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

1 edit

Just Bob

Premium Member

said by Kerodo:

Sure, caching is faster than an actual lookup, but every time you go somewhere new, there is an actual lookup which for me took longer with the Treewalk servers. Win caches entries also, just doesn't preserve them on reboot.
Right, and TreeWalk preserves the cache over a reboot.

The key issue is really the response time of the server when busy. The DNS servers from my ISP respond to a ping in half the time or better than 4.2.2.1, 4.2.2.1 (approximately 12-15 msec versus 30 - 36), but the ISP servers struggle under peak loads.

Edit - corrected ping times

CylonRed
MVM
join:2000-07-06
Bloom County
·Metronet

1 recommendation

CylonRed to Just Bob

MVM

to Just Bob
Redirection can happen anytime - not just from a DNS. Do you REALLY think OpenDNS is going to allow redirection that they implement to malware..? Seriously doubt it and if you do not trust any DNS (after all ANY DNS could redirect at any time) then surfing won't be a lot of fun.

With the proper precautions - redirection of any kind is not any more dangerous than surfing the web.
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

Just Bob

Premium Member

said by CylonRed:

Redirection can happen anytime - not just from a DNS. Do you REALLY think OpenDNS is going to allow redirection that they implement to malware..? Seriously doubt it and if you do not trust any DNS (after all ANY DNS could redirect at any time) then surfing won't be a lot of fun.

With the proper precautions - redirection of any kind is not any more dangerous than surfing the web.
»blogs.zdnet.com/security/?p=231
»blog.opendns.com/2007/05 ··· he-page/

I have faith that Level3 (4.2.2.2) hasn't resorted to such tactics as yet.

jerry666
Premium Member
join:2002-12-12
Sainte-Anne-Des-Lacs, QC

jerry666 to DNS

Premium Member

to DNS
treewalk for the last 10 years

dlayphoto
join:2005-01-05
Silver Spring, MD

1 recommendation

dlayphoto to DNS

Member

to DNS
I've been using OpenDNS for over a year now and I love it. DNS requests are super fast (they use Anycast), and they have built-in phishing site protection (via PhishTank). Plus, their stats are kinda cool...
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

TheWiseGuy to Just Bob

MVM

to Just Bob
said by Just Bob:

I have faith that Level3 (4.2.2.2) hasn't resorted to such tactics as yet.
Just curious, how is this a security risk? The articles you cite seem to indicate that Google and Dell are the ones redirecting to a listing with a lot of ads.

Opendns does do a couple of extra things with DNS but are they really a security risk? Is correcting typos a security risk? I am curious, what is the actual security risk that opendns introduces. I recommended (I assume that is what the poster is talking about) Treewalk, opendns and other OOL servers. If there really is a security problem with opendns I wish someone would spell it out and in the future I will not recommend it.

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

Opendns does do a couple of extra things with DNS but are they really a security risk?
If they redirect you to a site other than what you requested, then yes that is a potential security risk.
Is correcting typos a security risk?
It is a typo if you intended to type one thing, but typed another. If OpenDNS really has implanted something in your brain to determine your intentions, then you should be very worried.

The chances are that they are not doing anything seriously nefarious. It is up to you to decide whether you trust them. My preference is to run my own DNS server.
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

Just Bob to TheWiseGuy

Premium Member

to TheWiseGuy
TWG,

In the normal course of events we would expect that our ISP has the opportunity to track our every move.

We know that NSA may also have that opportunity.

If we use third party DNS servers that's another opportunity for tracking.

If our DNS requests are then exposed to the wonderfully wide open world of advertising companies that's yet another tracking opportunity and another potential exposure to malicious ads.

If AOL, MSN, ABC, NeoPets, and many other sites can be found serving malicious ads, why would we assume that OpenDNS would not be subject to the same problems?

So after all that, yes, to some extent it is both a privacy and security issue.
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

TheWiseGuy to nwrickert

MVM

to nwrickert
said by nwrickert:

It is a typo if you intended to type one thing, but typed another. If OpenDNS really has implanted something in your brain to determine your intentions, then you should be very worried.
Certainly, but correct me if I am wrong, they only correct where there are no DNS results for what you have typed and it is a common error in spelling. So while they of course could in a few cases misread where you wanted to go, I would guess they could be pretty accurate.
said by nwrickert:
Opendns does do a couple of extra things with DNS but are they really a security risk?
If they redirect you to a site other than what you requested, then yes that is a potential security risk.
I am not sure what you are referring to here, if you are talking about where there is an error in spelling for a site or the google situation or something else. I would be happy to discuss either.
TheWiseGuy

1 edit

TheWiseGuy to Just Bob

MVM

to Just Bob
said by Just Bob:

TWG,

In the normal course of events we would expect that our ISP has the opportunity to track our every move.

We know that NSA may also have that opportunity.

If we use third party DNS servers that's another opportunity for tracking.
JB

In the blog it is stated they are not tracking. So given someone wants to use an outside DNS server, which was the actual question, is there a reason to think opendns is less secure than any third party DNS server?
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

Just Bob

Premium Member

said by TheWiseGuy:

In the blog it is stated they are not tracking. So given someone wants to use an outside DNS server, which was the actual question, is there a reason to think opendns is less secure than any third party DNS server?
For myself if nothing else it strikes me as inappropriate for a DNS server to be serving ads. It calls their business model into question and I can't help but wonder how badly they need to enhance their cash flow.
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

TheWiseGuy

MVM

Well that is their business model, so I wouldn't say they are hard up for cash. According to the New York Times article below they basically serve up a search from Yahoo. Since I use Firefox if I type a word into the URL address box, I get search results from Google, is there much difference? What is the security risk in receiving results from Yahoo instead of Google?

»www.nytimes.com/2007/07/ ··· &emc=rss

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert to TheWiseGuy

Mod

to TheWiseGuy
They also do it to "protect" you from phishing.

The point is that they are deliberately giving wrong answers to DNS queries. That's where you have to decide whether you trust them and their motivations. As far as I can tell, their motivation is to make profits which they expect to do by exposing you to advertising.

Oh, and DNS lookups are not only for web browsing, so their giving a wrong answer to redirect your browsing could affect something else.
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

1 recommendation

TheWiseGuy

MVM

said by nwrickert:

They also do it to "protect" you from phishing.

The point is that they are deliberately giving wrong answers to DNS queries. That's where you have to decide whether you trust them and their motivations. As far as I can tell, their motivation is to make profits which they expect to do by exposing you to advertising.
True, but from what I gather it is similar to firefox going to google when you type a non-qualified url, they send your search to Yahoo, am I incorrect? If they simply send you to Yahoo, what is the actual security risk?
said by nwrickert:

Oh, and DNS lookups are not only for web browsing, so their giving a wrong answer to redirect your browsing could affect something else.
Yes I know, I saw that argument, but it only occurs when there is no actual DNS lookup, how often will this affect the user, wouldn't this be rare where an application has a problem due to no DNS being available? Is it a security risk?
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

Just Bob to TheWiseGuy

Premium Member

to TheWiseGuy
Read this:
»www.nytimes.com/2006/08/ ··· &ei=5090
The point is that given enough data you are personally identifiable. How soon we forget.
Now read their privacy policy. It doesn't leave me feeling warm and fuzzy.

I'm just not in favor of ad supported programs and services. Others may feel differently.
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

TheWiseGuy

MVM

said by Just Bob:

Read this:
»www.nytimes.com/2006/08/ ··· &ei=5090
The point is that given enough data you are personally identifiable. How soon we forget.
Now read their privacy policy. It doesn't leave me feeling warm and fuzzy.
I am not sure what part you object to, from what I understand this part of the policy is certainly better than google
quote:
For customers without an account, OpenDNS removes the IP address from its logs within 2 business days. For customers with an account, such data may be stored for as long as the account is open (although, customers with an account may also choose to have DNS data purged automatically, at any time, from within their account).

said by Just Bob:

I'm just not in favor of ad supported programs and services. Others may feel differently.
You certainly have that right. Almost every site that you do not pay a fee to use is supported by advertising, and while you may choose to block the ads, the Internet would be pretty barren if the majority of users blocked or did not use advertising supported sites.

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

1 edit

antdude to DNS

Premium Member

to DNS

OpenDNS

I love OpenDNS. I love being able to block bad sites like porn, phishers, etc. I also love the statistics to see.
Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

1 recommendation

Just Bob to TheWiseGuy

Premium Member

to TheWiseGuy

Re: Is it safe to use an open DNS rather than your ISP's DNS?

said by TheWiseGuy:

You certainly have that right. Almost every site that you do not pay a fee to use is supported by advertising, and while you may choose to block the ads, the Internet would be pretty barren if the majority of users blocked or did not use advertising supported sites.
Damn! You shamed me into upgrading!

nwrickert
Mod
join:2004-09-04
Geneva, IL

1 edit

nwrickert to TheWiseGuy

Mod

to TheWiseGuy
..., but it only occurs when there is no actual DNS lookup, ...
Sorry, I don't understand that part.

Maybe I am sysadmin for a web server. Somebody has broken into that server, and put up a phish page. So I try to ssh into the server to take down that page. But OpenDNS is "protecting" me from that phishing site by giving a bogus DNS answer, and my attempt to ssh into the OpenDNS advertising site that they substituted of course fails - and it wouldn't have helped me even if it succeeded.

I don't use OpenDNS, so the above won't actually happen to me. But it could affect people who do use OpenDNS.

I am not trying to prevent you or anybody else from using OpenDNS. I was just answering questions about the risks involved.

Egeezerunplugged
@struegel.net

1 recommendation

Egeezerunplugged to TheWiseGuy

Anon

to TheWiseGuy
I seem to remember Network Solutions trying the "business model" of enhancing revenue by doing redirects on 404s instead of the default responses. It screwed up a few corporate customers who had some applications break.

It seems like using an ad or search-engine supported DNS service isn't any different than using any other ad-supported service. The important thing is whether the DNS service is trustworthy and open about its business model and routing of requests.

I occasionally hunt for DNS servers with low latency and use those. Of course there's always fastcache or other local caching apps to speed up common requests.