Cisco To Acquire OpenDNS

New submitter Tokolosh writes: Both Cisco and OpenDNS announced today that the former is to acquire the latter. From the Cisco announcement: "To build on Cisco's advanced threat protection capabilities, we plan to continue to innovate a cloud delivered Security platform integrating OpenDNS' key capabilities to accelerate that work. Over time, we will look to unite our cloud-delivered solutions, enhancing Cisco's advanced threat protection capabilities across the full attack continuum—before, during and after an attack." With Cisco well-embedded with the US security apparatus (NSA, CIA, FBI, etc.) is it time to seek out alternatives to OpenDNS?

Re:Just run your own

[bill_mcgonigle]

Or be a better netizen by running your own and forwarding to your ISP's.

The whole reason OpenDNS even exists is because ISP's proved they cannot be trusted to run an honest DNS. And let's not pretend that DNSSEC is universally deployed.

Most people here can setup up a 99 cent VPS with an openvpn endpoint running a recursive resolver, limited to the openvpn net. That fits in the smallest slice of RAM available in 2015 and will work fine.

Most other people cannot, though. Google's DNS is honest, if you don't care about tracking - but most people care more about free stuff than privacy.

Re:Just run your own

[greenfruitsalad]

please elaborate on the tracking. where did you get that from? that's an honest question; i use google's servers as last resort backup dns.

Re:Just run your own

[nine-times]

Someone may correct me if there's more to it, but I think it's just that some people are uncomfortable with Google having so much access to information about us. Any DNS server you access will have the potential to keep records of which IP addresses made which queries, which potentially gives Google even more tracking data. As far as I know, there's no real sign that they're using that data, but to some extent, they're a company that makes money from collecting data about their users, so...

Re:Just run your own

[LWATCDR]

So any DNS you use could do this.
So isn't it logical to use one that is being run by a massive competent company that is already making huge profits and has the whole world watching them vs some small org that is just trying to make ends meet that no one is paying attention to.
Frankly if I was the CIA I would be intercepting traffic to the small oddball servers more than Google.

Re:

[nine-times]

Well DNS isn't really secured, so if you're worried about the CIA intercepting your DNS traffic, I don't think which DNS server you use is going to be extremely important there.

But yeah, any DNS server could gather and store records about every query, and which IP address the query came from. Many people don't consider that amount of data to be invasive enough to worry about. For most people, the worst information it would leak is that, just like almost everyone else, you're visiting porn sites.

Re:

[LWATCDR]

actually I am not very worried about DNS privacy.
I just wish we could go back to the old days of Slashdot when it was all about cool dads building battlemech tree houses instead of the tin foil hat crowd.

Re:

[nine-times]

I'm also not too worried about DNS privacy, but I don't see the problem with Slashdot being the sort of place where nerds talk about network security.

Re:

[LWATCDR]

Network security yes.
the OMG Cisco is buying them and the Gov will spy on me now is what I could live without.

Re:

[Anonymous Coward]

I think the phrase "tin foil hat" is used far too often, and most commonly by people who know next to nothing about network security. For example, OpenDNS created the DNSCrypt project, which encrypts the DNS lookups. Sounds like diamond-coated tin foil hat stuff, no? Well, incidentally, it also protects from MITM attacks that have been used on DNS lookups, which have nothing to do with nation-state protection and everything to do with protection from criminals.

Please stop using that phrase.

Re:

[stackOVFL]

Yeah, and besides tinfoil hats aren't normally used for networking stuff. More gov and ET related stuff.

Re:Just run your own

[fph il quozientatore]

Frankly if I was the CIA I would be intercepting traffic to the small oddball servers more than Google.

Frankly, at this point, if the CIA cannot access and intercept data from Google they are utterly incompetent in doing their job. For the cost of (at most) giving an employee a suitcase full of money, you get an incredible bonanza of data. Which secret service wouldn't do it?

Re:

[slashdotwannabe]

Frankly I would be shocked if the major services (i.e. Google, Microsoft, Apple, Facebook, etc) weren't all penetrated by by ALL of the nation-state level intelligence agencies in exactly the manner you state. Suitcases full of money to a half-dozen engineers in a couple of dozen companies amounts to a rounding-error in a black budget.

At this point, the only thing really protecting "bad guys" is the size of the ocean, not some inability to fish in it.

Re:

[omnichad]

So any DNS you use could do this.

But they actually own an ad network to put the data to use.

Re:

[Trax3001BBS]

Someone may correct me if there's more to it, but I think it's just that some people are uncomfortable with Google having so much access to information about us. Any DNS server you access will have the potential to keep records of which IP addresses made which queries, which potentially gives Google even more tracking data. As far as I know, there's no real sign that they're using that data, but to some extent, they're a company that makes money from collecting data about their users, so...

I just happen to use and dare say trust Goggle, no matter what search engine you use with the exception of https://duckduckgo.com/ [duckduckgo.com] will track you. I do read the ToS's and privacy policies of any site I'm about to register on it's the data collected that your being informed of, I've refused to register on some sites over it or had second thoughts and bailed (Microsoft's Insiders program).

It's many features or abilities is why I use Goggle - and they give back to the community, the only company I know of tha

Re:

[wiggles]

There's only one reason Google gives anything away 'for free' - it's because they're mining data from your connections to better target ads at you. They absolutely monitor every DNS lookup on their servers and use those lookups as part of their profile on you as a user.

Re:Just run your own

[afidel]

Or broken DNS is so pervasive that it is interfering with their ability to offer other services. If you're interested in the privacy policy around Google DNS it's available here [google.com]. The quick TLDR is:

What information does Google log when I use the Google Public DNS service?

Google Public DNS complies with Google's main privacy policy, which you can view at our Privacy Center. With Google Public DNS, we collect IP address (only temporarily) and ISP and location information (in permanent logs) for the purpose of making our service faster, better and more secure. Specifically, we use this data to conduct debugging and to analyze abuse phenomena. After 24 hours, we erase any IP information. For more information, read the Google Public DNS privacy page.

Is any of the information collected stored with my Google account?

No.

Does Google share the information it collects from the Google Public DNS service with anyone outside Google?

No, except in the limited circumstances described in Google's privacy policy, such as legal processes and enforceable governmental requests. (See also Google's Transparency Report on user data requests.)

Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?

No.

Re:Just run your own

[LWATCDR]

You tool of the megacorps how dare you bring up facts that distort that crusader for freedom's self identified truth.

Re: Just run your own

[Anonymous Coward]

The US government said the same thing about data collection even after being confronted. Look where that got is all. Why trust it?
One of the creators says privacy is dead
Google it's found to be defeating private browsing for Safari
Google and tons of others are found to silently cooperate with wholesale government data collection (remember last year's headlines about Google Facebook and others begging for good pr by requesting permission from that same lying government to ungag and reveal how much they reall

Re:

[raind]

If it is a free app, service, etc, you're not the consumer - you're the product.

Re:

[Anonymous Coward]

If you ask google's dns servers what ip is at www.overthere.com... it knows you want to go to www.overthere.com? A vast majority of people can be uniquely identified just by their list of most visited sites. Caching probably offsets this a little, but still much more valuable than other ways of getting this data.

Re:Just run your own

[pr0nbot]

A former colleague of mine left to a startup which some years later was absorbed by Google. The work she does at Google involves access to multiple Google databases (to detect fraudulent access patterns), which is apparently unusual. I asked her about the DNS database; she said that is the one database to which she (and most other projects at Google) doesn't have access. I took from this that Google does track DNS access.

Re:

[mundlapati]

Please check http://wiki.opennicproject.org... [opennicproject.org]

Re:Just run your own

[QuietLagoon]

Most people here...

Most other people...

most people care...

A self-appointed spokesperson for "most people"?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[zenbi]

Pretty sure Windows comes with a simple DNS server service since the NT days. You may need to check an additional option to turn on the feature, or it may be hidden somewhere under the IIS settings.

Unless they removed it. I admit, I haven't touched Windows for anything server related in years.

Re:

[WuphonsReach]

Services like DNS really belongs at the network level, not the local PC level. If only for the possibility that there are 2+ people on the local network who query the same thing and the DNS server can cache / return the results. Or, since the network server is likely to be left on 24x7, it can cache answers across reboots of your local PC/laptop.

Something like pfSense on the firewall to the outside world with "unbound" running does just fine for this. You can configure it to talk to your ISP's DNS serv

Re:

[kupekhaize]

The whole point was to avoid the ISP's crappy, overloaded servers to begin with. If the DNS server doesn't respond with an NXDOMAIN for a non existent domain, it's not worth talking to.

Ever again.

Re:

[kheldan]

You're assuming that what you think are the root DNS servers are actually the root DNS servers, and that they're not being spoofed by the CIA, NSA, or whoever in the first place. You're also assuming that your ISP would allow you to do such a thing, and not brand you as someone up to no good, and cut you off.

I never trusted OpenDNS much in the first place, certainly no more at best than I would any ISP's DNS servers.

Re:

[fnj]

You're also assuming that your ISP would allow you to do such a thing, and not brand you as someone up to no good, and cut you off.

I pay my ISP to give me a pipe to the internet. I use that pipe to contact numerous different public servers using numerous different protocols. If some of those servers are DNS servers, and I use DNS protocol to contact them, it is none of their mother fucking business. And indeed, my ISP clearly couldn't care less if I am doing it. If they tried to stop me, I would just ssh tu

Re:

[Krojack]

I never heard of anybody ever being "cut off" for doing this.

Yet..

If the big 2some Comcast and Verizon get their way with net neutrality then you can be sure this will be on their list of pipes to control. I'm already shocked they haven't tried blocking all internet ports and selling various ones in packages. Oh you want FTP? then you need to upgrade your Internet package to the next tier. You want VoIP port 5060? I'm sorry you can't have that. It directly competes with our own telephone service.

Re:

[halltk1983]

Most consumer internet blocks port 25, and you have to get business class to get unblocked.

Re:

[Krojack]

That's primarily to less-in the damage from malware and virii from sending out mail and forcing people to go though the ISP's mail server. Most mail host will also open smtp on a second port to get around this.

Re:

[pr0nbot]

Clearly what we need is a blockchain DNS! (I don't know what blockchain is, but I know it solves all problems. I think you get it from a hardware store, but I couldn't say whether it's in the blocks or chains aisle.)

Re:

[ArcadeMan]

Actually, that's -1 Internet for him.

Re:

[kheldan]

My point is that you have NO control over the root DNS servers (or any other DNS servers you don't own), or what happens in the route between you and any DNS servers, so how do you know what's really going on? If you were to directly use the root DNS servers, how do you know traffic in either direction isn't being tampered with? You have to assume that any data of any kind sent or received from the public Internet is inherently insecure, and there's plenty of historical evidence to prove not only it's plaus

Re:

[TCM]

Whether there's someone sitting on your line and grabbing your traffic or tampering with it is completely irrelevant because that problem exists in any case. By running your own resolver, you don't publish your queries directly to a third party on top of that and that's a good thing.

Re:

[kheldan]

Hmm, that's a good point. However if too many people were going directly to the root servers, eventually wouldn't they take some action to limit access to whoever needs it (as opposed to who wants it) to reduce the workload on the servers? Bypassing all the lower strata of DNS servers kind of breaks the way the system was designed, doesn't it? Of course these nudnik ISPs and other bad actors out there 'tampering' with DNS for whatever their reasons are, are certainly breaking the way the system is supposed

Re:

[WuphonsReach]

Hmm, that's a good point. However if too many people were going directly to the root servers, eventually wouldn't they take some action to limit access to whoever needs it (as opposed to who wants it) to reduce the workload on the servers?

The only reason BIND / unbound talk to the root servers is to find out which DNS servers are authoritative for the various TLDs. The DNS root servers do not return the answer for "what is the IP address of maps.google.com", they only return the answer for "what DNS ser

Re:

[kheldan]

I'm not claiming to know how the whole system works; I'm getting a quick education on the subject as we're discussing it. It sounds like the overall load is well-distributed. You seem to understand it well enough to answer this question: If, say, even 10% or so of everyone did an end-run around ISP-based DNS servers in this way, would it theoretically cause enough excessive traffic that it would annoy the admins responsible for them?

Synology's NAS

[TheHawke]

They have their own internal DNS and DHCP, but the latter is needed to operate the former, sadly. I'd like to see an up to date instruction sheet to set up and place into production both services sometime. The current set is vague and wooly.

Good.

[rot26]

Oh, wait, what's the opposite of good? Bad? Yeah, bad, this is bad.

Re:

[ArcadeMan]

Serially Transmitted Domains? Yeah, that's what a DNS is for.

Re:

[bored_engineer]

Sorry. Undoing a bad moderation.

Re:

[rubycodez]

what google does for money: tracking for marketing and any government entity that either asks for it or takes it

Re:

[ahodgson]

Their entire business is based on monitoring your internet usage and using that to learn about you so advertisers can make more money from you. Of course they're monitoring your Internet usage.

A much better question would be, what possible motive could they have for offering a "free" service that doesn't monitor you?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[cfalcon]

What's a superior DNS, in your opinion?

Re:

[greenfruitsalad]

but how do you do content filtering yourself? i do not want to worry about my children stumbling upon goatse when all they want to see are baby goats. believe it or not, opendns filters are pretty good. it would be nice if cisco made the crowdsourced domain name ranking database freely available but i doubt that'll happen.

i have tried norton connectsafe in the past but compared to opendns, it was rather poor.

Re:

[bigfinger76]

There are blacklists you can use. Alternatively, you can query DNS servers that do the filtering for you (blacklisting is done on their end).

Re:

[greenfruitsalad]

i don't think there are. (i'm not talking about blacklisting spammers)

regarding querying other dns servers to get content filtering on my dns server, that completely defies the purpose. whether my client PC uses opendns or my home dns server is the same thing (from their point of view). they are still queries from the same gateway IP address.

Re:

[bigfinger76]

Uhh....what?

Who cares what IP address the queries come from? We're not talking about anonymity here, we're talking about content filtering via DNS. What matters are the results that are returned to the client.

Re:

[greenfruitsalad]

squid doesn't just summon a list of adult/malware/etc domain names out of thin air. opendns's advantage is in the gigantic crowdsourced database of domains and their classification. if that database were a separate opensource project that anybody could use and pull updates from, i'd happily use my own Unbound resolver.

Re:

[laie_techie]

One you run yourself. Not like setting up and maintaining bind is all that hard to do.

At some point you will have to query an outside server. You don't plan on having billions of domains in your own DNS, do you? The problem is that some DNS return an IP for an ad site instead of correctly telling you that it's an unknown host. Or, returning an IP for an ad site instead of saying that a particular host is blacklisted.

Re:

[magical liopleurodon]

8.8.8.8?

Re:is anyone using it?

[drinkypoo]

Google, of course. Any DNS sizable enough to trust is likely to be a tool of the state, but at least Google is competent.

Re:

[drinkypoo]

I prefer my ISP's DNS service to Google's, because my ISP is likely not competent enough to actually understand the data and truly track me.

You only think this because you don't know how the system works. Ignorance is a bitch, prepare to be educated: The FBI serves your ISP with a letter telling them they have to collect your DNS requests. It doesn't matter where your requests go, because your ISP logs all of your DNS traffic, maybe the contents of any unencrypted HTTP requests you make (the URL, that is) and anything else the FBI wants. Then, on a regular schedule, they provide that information to the FBI.

Probably every ISP of any note in Amer

BIND

[Medievalist]

What's a superior DNS, in your opinion?

Point your Berkeley Internet Name Domain server at the root nameservers.

All the services that provide intermediaries to the real DNS are in the business of directing your traffic for their profit. If you are happy being a clueless end-user, the best you can do is 8.8.8.8 (Google) since they are at least built to a reasonable scale.

But it's still not really DNS... it's asking somebody else to do your DNS for you. Which is OK for non-geek end users.

Re:

[bigfinger76]

Distributed, hierarchical servers are the way DNS was designed and intended, so it actually is DNS. Trusting the hierarchy is another matter altogether.
So your point still stands. Do it yourself; it's educational and fun.

Re:

[Anonymous Coward]

outside of a very sophmoric attempt at content filtering, im not sure this service did much? (aside from molest dyndns' API for a user fee.) They basically poison NXDOMAIN for profit...under the auspices of attack prevention and puritanical righteousness.

The primary reason I use OpenDNS is for DnsCrypt, not for any filtering they provided.

Re:

[Anonymous Coward]

What's the value you get out of DNSCrypt to OpenDNS? Instead of your ISP seeing your DNS traffic and requests, OpenDNS (and now Cisco) gets to see your DNS traffic and requests.

Am I missing something?

Re:

[Whiteox]

Yeah. If your ISP's DNS server is in a country that is monitoring requests, then:
A: Your ISP can see what you are viewing
B: They would be bound by law to hand over the logs.
By going out of the geopolitical boundary (that's if you can) for DNS, then it's 1 chink in your armour.

Re:is anyone using it?

[MatthiasF]

Malware domain filtering as well, don't forget that.

The best defense against virus and malware is blocking them before your computer can even connect to download.

Re:

[Where's my towel]

Hit the nail on the head with this one. This is the bit where the Cisco "better together" argument actually makes sense. It's also the part of the puzzle many of Cisco's biggest customers (ISPs, Fortune 500, Governments) really care about - Slashdotterss may be able to keep their ten-node home networks clean easily but these guys really struggle to keep their 10,000 node networks clean.

It's not just Malware - it's Spam, Phishing, Spyware, Botnet C&C traffic - basically anything bad on the net. The amoun

Re: is anyone using it?

[corychristison]

I've always used Level3, personally. Its anycast based, like Google's service.

Just pick 2 or more of the following:
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6

It is even somehow faster than my ISP in terms of response time.

Re:

[Anonymous Coward]

It is even somehow faster than my ISP in terms of response time.

Well, sure, it's quicker to just access the NSA DNS servers directly, without your ISP as a middleman.

Re: is anyone using it?

[afidel]

L3 has introduced random delays in their resolvers for anyone off-network so if you want decent performance you'll use just about anything but those. Google had some performance issues when they first introduced their anycast clusters but today they're as fast as anything I've tried.

Re:

[Anonymous Coward]

L3 has introduced random delays in their resolvers for anyone off-network

source on this?

Re:

[Anonymous Coward]

Keep in mind that if you're not a Level3 customer, you are in effect using someone else's DNS, which you aren't even contributing to supporting. It's the ultimate freeloader stance, which is akin to being something of a sponge.

Level3 has never purported to be the DNS for the world. Use a root server or Google's DNS, as the root servers are for public use and at least Google welcomes public use. Level3 has made no statement indicating it welcomes the entire internet using their DNS servers.

Also, all those

Re:

[corychristison]

If they didn't want off-network users to use it, they would firewall it to just their subnets. I get they have a very large network that is ever expanding, and it may just be easier to not lock it to their subnets, but seriously it's not that hard.

I don't use my ISPs DNS because they resolve non-existent zones to some bullshit landing page in which they try to "help" users find what they were looking for, effectively breaking DNS in my opinion.

I don't use Google's because it sucked the last time I used it (

Re:

[antdude]

Do they have filters like OpenDNS?

Re:

[afidel]

You know you could signup for a free account and turn off NXDOMAIN redirects, right? Of course it's a moot point since they turned it off globally years ago.

is it time to seek out alternatives to OpenDNS?

[fustakrakich]

Is this the inverse of that headline rule thingy?

Bye-bye, Open DNS / Hello, Hackers!

[__aaclcg7560]

The same Cisco that has default SSH keys [slashdot.org] on their security devices that allow hackers to run wild?

well-embedded with the NSA, CIA, FBI, etc.?

[Anonymous Coward]

I see people are repeating this, hoping to make it believed. Not that I love Cisco either (or Oracle or SAP or... you get my drift) but that just isn't fair.

Is it that you can't believe that the NSA would get in without insider help? There have been at least a half dozen brands, many non-USA, that they are said to have gotten into. Surely a Chinese vendor wouldn't cooperate with the NSA. Unless you want to believe Huawei is well-embedded with the NSA (ha, ha, seriously...) it is wrong to make these assumpti

And...

[koan]

Who here trust Cisco?

Re:And...

[Capt James McCarthy]

Who here trust Cisco?

Your bank.

Re:

[SeaFox]

Who here trust Cisco?

Your bank.

You bank also trusts Microsoft, so let's consider that for a moment...

Re:

[thejynxed]

The majority of banks also trust Diebold (who have ridiculously insecure default settings on their ATM terminals, the manuals of which are available online, and yes, criminals have exploited this), so take that into consideration.

Re:

[ArcadeMan]

I trust Crisco all-vegetable shortening to get well-done, crunchy french fries.

Oh wait, Cisco? Not me.

Re:

[dissy]

Who here trust Cisco?

That depends which definition of trust you mean.

Do I trust them to respond in a certain way under a given set of circumstances?
Yes, I believe I can predict exactly how they will abuse and eventually clusterfuck OpenDNS, and I predict it will not be pretty.

But do I trust them to have my best interests at heart?
Hell no.

Could have been worse

[Wokan]

It could have been Oracle buying it. I have yet to see them acquire anything and not turn it to shit.

Re:

[Behrooz Amoozad]

If you were trying to be french,
La vache dit SHAZOO, FTFY

Re:

[crashumbc]

AC's shouldn't judge, all of you interbreed.

Re:

[oobayly]

Different ACs...

Re:

[ArcadeMan]

Oh boy... "apps" guy vs "hosts" guy... whoever wins, we lose. Somebody better nuke them both from orbit, that's the only way to be sure.

Re:

[rogoshen1]

you'll summon.. him!

Re:

[oobayly]

Now if only there was a way to distribute hostfiles. Some method of IP would be handy - I suggest using UDP port 53 as it's not being used.

Re:

[davidu]

I'd like you to at least give us a chance. I am still running the ship here.

Re:

[Whiteox]

I thought all those with ID >101 have ascended or have had their consciousness uploaded into some kind of silicon based brain!
Thanks for being here for us, guiding the way.

Re:

[SJ]

I am still running the ship here.

... until the cheque clears.