said by nwrickert: Maybe I am sysadmin for a web server. Somebody has broken into that server, and put up a phish page. So I try to ssh into the server to take down that page. But OpenDNS is "protecting" me from that phishing site by giving a bogus DNS answer, and my attempt to ssh into the OpenDNS advertising site that they substituted of course fails - and it wouldn't have helped me even if it succeeded.
Certainly, but someone who is a sysadmin and knows how to use SSH and is using OpenDNS should know they protect from phishing. They should then easily work their way around the block with several methods, including changing the DNS server short term or using nslookup or web based DNS to obtain the IP. They could then use the hosts file for a lookup or simply use the IP they had obtained to get to the site. Certainly a downside to using OpenDNS, but a sysadmin should be able to work around it on the rare occasion needed. I wouldn't think it was a security concern since it would protect other users from the phishing site and it is easy to get around for anyone who needs to actually get to the IP.
said by nwrickert: I don't use OpenDNS, so the above won't actually happen to me. But it could affect people who do use OpenDNS.
I don't use it either, I use my ISP's DNS server and normally don't have problems. When there are problems they normally clear fairly quickly, but other people have had different experiences, so given the poster's question, which is on security, I am trying to decide whether to give it as an alternative in the future or exclude it for security concerns.
said by nwrickert: I am not trying to prevent you or anybody else from using OpenDNS. I was just answering questions about the risks involved.
I am not trying to get anyone to use it or not use it. I was asked to recommend an alternative to a DNS server which was slow. I recommended Treewalk, OpenDNS and a batch of other DNS servers within my ISP which probably were not having problems. I am simply trying to find out if there is a valid security concern. So far, the extent of the security concerns seems to be a privacy concern, but since their privacy policy removes the IP from the logs fairly quickly (or allows you to control removal with an account) I just don't see the problem. While I can certainly understand that others might still be concerned about privacy, I see no real gotchas.
said by OpenDNS privacy policy:
For customers without an account, OpenDNS removes the IP address from its logs within 2 business days.