

DNS

@optonline.net

Is it safe to use an open DNS rather than your ISP's DNS?

I currently use Optimum Online and their DNS has been very slow lately. I was advised to use Open DNS instead (208.67.222.222 and 208.67.220.220).

Is there any security risk to using an open DNS instead of Optimum's DNS? I do online banking and wanted to know if it's safe. I have read online about DNS poisoning and other DNS threats but honestly I don't completely understand how they work.



wxboss
This is like Deja vu all over again.
Premium
join:2005-01-30
Fort Lauderdale, FL

1 recommendation

Back in March or maybe April of last year, myself and a lot of other Comcast users had to use a different DNS (I used a Level 3 one) just to be able to surf the net.

As far as security is concerned, I experienced 0 issues.



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

1 edit
reply to DNS

See »Verizon Online DSL FAQ »What are the DNS servers? for a list of DNS servers of major providers now controlled by Verizon.
--
BBR's Shooting for a Cause!



sded
Premium
join:2002-11-04
San Diego, CA
reply to DNS

I use the GTE/Verizon DNS servers 4.2.2.1, 4.2.2.2, 4.2.2.3 along with those of my ISP because they are easy to remember. Another good choice would be the AT&T DNS servers, 68.94.156.1 Primary 68.94.157.1 Secondary. Wouldn't know whether to trust OpenDNS, but figure Verizon and AT&T will probably keep things working.


Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to DNS

I use TreeWalk along with 4.2.2.2 and 4.2.2.1.

TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user.
»treewalkdns.com/index.htm



CylonRed
Premium,MVM
join:2000-07-06
Bloom County

1 recommendation

reply to DNS

There is nothing about other DNS's that makes them a security risk...


Just Bob
Premium
join:2000-08-13
Spring Hill, FL

1 recommendation

said by CylonRed:

There is nothing about other DNS's that makes them a security risk...
»arstechnica.com/news.ars/post/20···ers.html

Kerodo

join:2004-05-08
reply to Just Bob

said by Just Bob:

I use TreeWalk along with 4.2.2.2 and 4.2.2.1.

TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user.
»treewalkdns.com/index.htm
Treewalk is nice, but it's not necessarily faster. Depends on how fast (or not) your ISP's DNS servers are. Mine are very fast, so I notice no improvement with Treewalk, however, at one time when I was having problems with my ISP's DNS servers, Treewalk saved the day.

Just Bob
Premium
join:2000-08-13
Spring Hill, FL

said by Kerodo:

said by Just Bob:

I use TreeWalk along with 4.2.2.2 and 4.2.2.1.

TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user.
»treewalkdns.com/index.htm
Treewalk is nice, but it's not necessarily faster.
It's hard to believe any server could be faster than 127.0.0.1.

Kerodo

join:2004-05-08

said by Just Bob:

said by Kerodo:

said by Just Bob:

I use TreeWalk along with 4.2.2.2 and 4.2.2.1.

TWDNS is a modified Bind 9 that runs on your own PC. It's a faster and safer solution that requires no expertise on the part of the user.
»treewalkdns.com/index.htm
Treewalk is nice, but it's not necessarily faster.
It's hard to believe any server could be faster than 127.0.0.1.

Sure, caching is faster than an actual lookup, but every time you go somewhere new, there is an actual lookup which for me took longer with the Treewalk servers. Win caches entries also, just doesn't preserve them on reboot.

Just Bob
Premium
join:2000-08-13
Spring Hill, FL

1 edit

said by Kerodo:

Sure, caching is faster than an actual lookup, but every time you go somewhere new, there is an actual lookup which for me took longer with the Treewalk servers. Win caches entries also, just doesn't preserve them on reboot.
Right, and TreeWalk preserves the cache over a reboot.

The key issue is really the response time of the server when busy. The DNS servers from my ISP respond to a ping in half the time or better than 4.2.2.1, 4.2.2.1 (approximately 12-15 msec versus 30 - 36), but the ISP servers struggle under peak loads.

Edit - corrected ping times


CylonRed
Premium,MVM
join:2000-07-06
Bloom County

1 recommendation

reply to Just Bob

Redirection can happen anytime - not just from a DNS. Do you REALLY think OpenDNS is going to allow redirection that they implement to malware..? Seriously doubt it and if you do not trust any DNS (after all ANY DNS could redirect at any time) then surfing won't be a lot of fun.

With the proper precautions - redirection of any kind is not any more dangerous than surfing the web.


Just Bob
Premium
join:2000-08-13
Spring Hill, FL

said by CylonRed:

Redirection can happen anytime - not just from a DNS. Do you REALLY think OpenDNS is going to allow redirection that they implement to malware..? Seriously doubt it and if you do not trust any DNS (after all ANY DNS could redirect at any time) then surfing won't be a lot of fun.

With the proper precautions - redirection of any kind is not any more dangerous than surfing the web.
»blogs.zdnet.com/security/?p=231
»blog.opendns.com/2007/05/22/goog···he-page/

I have faith that Level3 (4.2.2.2) hasn't resorted to such tactics as yet.


jerry666
Premium
join:2002-12-12
Canada
reply to DNS

treewalk for the last 10 years



dlayphoto

join:2005-01-05
Cleveland, OH

1 recommendation

reply to DNS

I've been using OpenDNS for over a year now and I love it. DNS requests are super fast (they use Anycast), and they have built-in phishing site protection (via PhishTank). Plus, their stats are kinda cool...


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online
reply to Just Bob

said by Just Bob:

I have faith that Level3 (4.2.2.2) hasn't resorted to such tactics as yet.
Just curious, how is this a security risk? The articles you cite seem to indicate that Google and Dell are the ones redirecting to a listing with a lot of ads.

Opendns does do a couple of extra things with DNS but are they really a security risk? Is correcting typos a security risk? I am curious, what is the actual security risk that opendns introduces. I recommended (I assume that is what the poster is talking about) Treewalk, opendns and other OOL servers. If there really is a security problem with opendns I wish someone would spell it out and in the future I will not recommend it.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Opendns does do a couple of extra things with DNS but are they really a security risk?
If they redirect you to a site other than what you requested, then yes that is a potential security risk.
Is correcting typos a security risk?
It is a typo if you intended to type one thing, but typed another. If OpenDNS really has implanted something in your brain to determine your intentions, then you should be very worried.

The chances are that they are not doing anything seriously nefarious. It is up to you to decide whether you trust them. My preference is to run my own DNS server.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to TheWiseGuy

TWG,

In the normal course of events we would expect that our ISP has the opportunity to track our every move.

We know that NSA may also have that opportunity.

If we use third party DNS servers that's another opportunity for tracking.

If our DNS requests are then exposed to the wonderfully wide open world of advertising companies that's yet another tracking opportunity and another potential exposure to malicious ads.

If AOL, MSN, ABC, NeoPets, and many other sites can be found serving malicious ads, why would we assume that OpenDNS would not be subject to the same problems?

So after all that, yes, to some extent it is both a privacy and security issue.


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online
reply to nwrickert

said by nwrickert:

It is a typo if you intended to type one thing, but typed another. If OpenDNS really has implanted something in your brain to determine your intentions, then you should be very worried.
Certainly, but correct me if I am wrong, they only correct where there are no DNS results for what you have typed and it is a common error in spelling. So while they of course could in a few cases misread where you wanted to go, I would guess they could be pretty accurate.

said by nwrickert:

Opendns does do a couple of extra things with DNS but are they really a security risk?
If they redirect you to a site other than what you requested, then yes that is a potential security risk.
I am not sure what you are referring to here, if you are talking about where there is an error in spelling for a site or the google situation or something else. I would be happy to discuss either.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

1 edit
reply to Just Bob

said by Just Bob:

TWG,

In the normal course of events we would expect that our ISP has the opportunity to track our every move.

We know that NSA may also have that opportunity.

If we use third party DNS servers that's another opportunity for tracking.
JB

In the blog it is stated they are not tracking. So given someone wants to use an outside DNS server, which was the actual question, is there a reason to think opendns is less secure than any third party DNS server?
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

Just Bob
Premium
join:2000-08-13
Spring Hill, FL

said by TheWiseGuy:

In the blog it is stated they are not tracking. So given someone wants to use an outside DNS server, which was the actual question, is there a reason to think opendns is less secure than any third party DNS server?
For myself if nothing else it strikes me as inappropriate for a DNS server to be serving ads. It calls their business model into question and I can't help but wonder how badly they need to enhance their cash flow.

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

Well that is their business model, so I wouldn't say they are hard up for cash. According to the New York Times article below they basically serve up a search from Yahoo. Since I use Firefox if I type a word into the URL address box, I get search results from Google, is there much difference? What is the security risk in receiving results from Yahoo instead of Google?

»www.nytimes.com/2007/07/09/busin···&emc=rss
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to TheWiseGuy

They also do it to "protect" you from phishing.

The point is that they are deliberately giving wrong answers to DNS queries. That's where you have to decide whether you trust them and their motivations. As far as I can tell, their motivation is to make profits which they expect to do by exposing you to advertising.

Oh, and DNS lookups are not only for web browsing, so their giving a wrong answer to redirect your browsing could affect something else.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

1 recommendation

said by nwrickert:

They also do it to "protect" you from phishing.

The point is that they are deliberately giving wrong answers to DNS queries. That's where you have to decide whether you trust them and their motivations. As far as I can tell, their motivation is to make profits which they expect to do by exposing you to advertising.
True, but from what I gather it is similar to firefox going to google when you type a non-qualified url, they send your search to Yahoo, am I incorrect? If they simply send you to Yahoo, what is the actual security risk?

said by nwrickert:

Oh, and DNS lookups are not only for web browsing, so their giving a wrong answer to redirect your browsing could affect something else.
Yes I know, I saw that argument, but it only occurs when there is no actual DNS lookup, how often will this affect the user, wouldn't this be rare where an application has a problem due to no DNS being available? Is it a security risk?
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to TheWiseGuy

Read this:
»www.nytimes.com/2006/08/09/techn···&ei=5090
The point is that given enough data you are personally identifiable. How soon we forget.
Now read their privacy policy. It doesn't leave me feeling warm and fuzzy.

I'm just not in favor of ad supported programs and services. Others may feel differently.


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

said by Just Bob:

Read this:
»www.nytimes.com/2006/08/09/techn···&ei=5090
The point is that given enough data you are personally identifiable. How soon we forget.
Now read their privacy policy. It doesn't leave me feeling warm and fuzzy.
I am not sure what part you object to, from what I understand this part of the policy is certainly better than google
quote:
For customers without an account, OpenDNS removes the IP address from its logs within 2 business days. For customers with an account, such data may be stored for as long as the account is open (although, customers with an account may also choose to have DNS data purged automatically, at any time, from within their account).

said by Just Bob:

I'm just not in favor of ad supported programs and services. Others may feel differently.
You certainly have that right. Almost every site that you do not pay a fee to use is supported by advertising, and while you may choose to block the ads, the Internet would be pretty barren if the majority of users blocked or did not use advertising supported sites.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

1 edit
reply to DNS

OpenDNS

I love OpenDNS. I love being able to block bad sites like porn, phishers, etc. I also love the statistics to see.


Just Bob
Premium
join:2000-08-13
Spring Hill, FL

1 recommendation

reply to TheWiseGuy

Re: Is it safe to use an open DNS rather than your ISP's DNS?

said by TheWiseGuy:

You certainly have that right. Almost every site that you do not pay a fee to use is supported by advertising, and while you may choose to block the ads, the Internet would be pretty barren if the majority of users blocked or did not use advertising supported sites.
Damn! You shamed me into upgrading!


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 edit
reply to TheWiseGuy

..., but it only occurs when there is no actual DNS lookup, ...
Sorry, I don't understand that part.

Maybe I am sysadmin for a web server. Somebody has broken into that server, and put up a phish page. So I try to ssh into the server to take down that page. But OpenDNS is "protecting" me from that phishing site by giving a bogus DNS answer, and my attempt to ssh into the OpenDNS advertising site that they substituted of course fails - and it wouldn't have helped me even if it succeeded.

I don't use OpenDNS, so the above won't actually happen to me. But it could affect people who do use OpenDNS.

I am not trying to prevent you or anybody else from using OpenDNS. I was just answering questions about the risks involved.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.8


Egeezerunplugged

@struegel.net

1 recommendation

reply to TheWiseGuy

I seem to remember Network Solutions trying the "business model" of enhancing revenue by doing redirects on 404s instead of the default responses. It screwed up a few corporate customers who had some applications break.

It seems like using an ad or search-engine supported DNS service isn't any different than using any other ad-supported service. The important thing is whether the DNS service is trustworthy and open about its business model and routing of requests.

I occasionally hunt for DNS servers with low latency and use those. Of course there's always fastcache or other local caching apps to speed up common requests.