TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

1 recommendation

to nwrickert

Re: Is it safe to use an open DNS rather than your ISP's DNS?

said by nwrickert:

They also do it to "protect" you from phishing.

The point is that they are deliberately giving wrong answers to DNS queries. That's where you have to decide whether you trust them and their motivations. As far as I can tell, their motivation is to make profits which they expect to do by exposing you to advertising.
True, but from what I gather it is similar to Firefox going to Google when you type a non-qualified URL; they send your search to Yahoo, am I incorrect? If they simply send you to Yahoo, what is the actual security risk?
said by nwrickert:

Oh, and DNS lookups are not only for web browsing, so their giving a wrong answer to redirect your browsing could affect something else.
Yes I know, I saw that argument, but it only occurs when there is no actual DNS lookup. How often will this affect the user? Wouldn't this be rare, where an application has a problem due to no DNS being available? Is it a security risk?

nwrickert
Mod
join:2004-09-04
Geneva, IL

1 edit

..., but it only occurs when there is no actual DNS lookup, ...
Sorry, I don't understand that part.

Maybe I am sysadmin for a web server. Somebody has broken into that server, and put up a phish page. So I try to ssh into the server to take down that page. But OpenDNS is "protecting" me from that phishing site by giving a bogus DNS answer, and my attempt to ssh into the OpenDNS advertising site that they substituted of course fails - and it wouldn't have helped me even if it succeeded.

I don't use OpenDNS, so the above won't actually happen to me. But it could affect people who do use OpenDNS.

I am not trying to prevent you or anybody else from using OpenDNS. I was just answering questions about the risks involved.

Egeezerunplugged
@struegel.net

1 recommendation

Anon

to TheWiseGuy
I seem to remember Network Solutions trying the "business model" of enhancing revenue by doing redirects on 404s instead of the default responses. It screwed up a few corporate customers who had some applications break.

It seems like using an ad or search-engine supported DNS service isn't any different than using any other ad-supported service. The important thing is whether the DNS service is trustworthy and open about its business model and routing of requests.

I occasionally hunt for DNS servers with low latency and use those. Of course there's always fastcache or other local caching apps to speed up common requests.
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

to nwrickert
said by nwrickert:

Maybe I am sysadmin for a web server. Somebody has broken into that server, and put up a phish page. So I try to ssh into the server to take down that page. But OpenDNS is "protecting" me from that phishing site by giving a bogus DNS answer, and my attempt to ssh into the OpenDNS advertising site that they substituted of course fails - and it wouldn't have helped me even if it succeeded.
Certainly, but someone who is a sysadmin and knows how to use SSH and is using OpenDNS should know they protect from Phishing. They should then easily work their way around the block with several methods, including changing the DNS server short term or using nslookup or web based DNS to obtain the IP. They could then use the hosts file for a lookup or simply use the IP they had obtained to get to the site. Certainly a downside to using OpenDNS but a sysadmin should be able to work around it on the rare occasion needed. I wouldn't think it was a security concern since it would protect other users from the Phishing site and it is easy to get around for anyone who needs to actually get to the IP.
said by nwrickert:

I don't use OpenDNS, so the above won't actually happen to me. But it could affect people who do use OpenDNS.
I don't use it either, I use my ISP's DNS server and normally don't have problems. When there are problems they normally clear fairly quickly, but other people have had different experiences, so given the poster's question, which is on security, I am trying to decide whether to give it as an alternative in the future or exclude it for security concerns.
said by nwrickert:

I am not trying to prevent you or anybody else from using OpenDNS. I was just answering questions about the risks involved.
I am not trying to get anyone to use it or not use it. I was asked to recommend an alternative to a DNS server which was slow. I recommended Treewalk, OpenDNS and a batch of other DNS servers within my ISP which probably were not having problems. I am simply trying to find out if there is a valid security concern. So far, the extent of the security concerns seems to be a privacy concern, but since their privacy policy removes the IP from the logs fairly quickly (or allows you to control removal with an account) I just don't see the problem. While I can certainly understand that others might still be concerned about privacy, I see no real gotchas.
said by OpenDNS privacy policy:
For customers without an account, OpenDNS removes the IP address from its logs within 2 business days.


Michail
Premium Member
join:2000-08-02
Boynton Beach, FL

to nwrickert
said by nwrickert:

..., but it only occurs when there is no actual DNS lookup, ...
Sorry, I don't understand that part.

Maybe I am sysadmin for a web server. Somebody has broken into that server, and put up a phish page. So I try to ssh into the server to take down that page. But OpenDNS is "protecting" me from that phishing site by giving a bogus DNS answer, and my attempt to ssh into the OpenDNS advertising site that they substituted of course fails - and it wouldn't have helped me even if it succeeded.

I don't use OpenDNS, so the above won't actually happen to me. But it could affect people who do use OpenDNS.

I am not trying to prevent you or anybody else from using OpenDNS. I was just answering questions about the risks involved.
If you are the sysadmin wouldn't you have the IP address for that case?

nwrickert
Mod
join:2004-09-04
Geneva, IL

I might well know the IP address. But I don't normally SSH to an IP address. I use the hostname, and rely on correct DNS resolution.

schaps
Premium Member
join:2004-01-15
Saint Paul, MN

said by nwrickert:

I might well know the IP address. But I don't normally SSH to an IP address. I use the hostname, and rely on correct DNS resolution.
And if you're a sysadmin, and you don't know how to bypass the opendns servers you set up, you shouldn't be a sysadmin.

I'm the network manager at a high school. I set up a free account with OpenDNS and use it to block bad sites, many ads, and bandwidth-sucking sites, as well as produce reports on which sites are the most used. Non-admins cannot change their workstation or laptop's DNS servers, but I can in literally two seconds on my MacBook Pro - I just defined a location that has custom DNS servers (Verizon's) and can switch the location in my Apple menu in literally two seconds (could also set up a key combo, but no real need). The custom blocking options and categories in OpenDNS are quite flexible, but you need a free account to set that up. You also obviously need a service like dyndns if you don't have a static IP. It helps us make the most of our T1s in an ever-increasingly streaming world.