OpenDNS As Quick-Fix To DNS Patch Dilemma 61

CWmike writes "It turns out that problems with the July 8 patch that was rolled out to fix a cache poisoning flaw discovered by researcher Dan Kaminsky are causing headaches for admins. Preston Gralla suggests a 30-second quick-fix, perhaps until everyone is patched up: Use OpenDNS, which has been patched, as your personal DNS. If you run a corporate network and need help getting OpenDNS set up, your best bet is to go to the OpenDNS FAQ page, he writes."
  • by 77Punker ( 673758 ) <(spencr04) (at) (highpoint.edu)> on Wednesday July 30, 2008 @03:52PM (#24408269)

    If you run a corporate network and need the FAQ page to help, you should not be running a corporate network.

    Then your job should promptly be given to me.

  • but how does this stop us from being exploited by upstream dns servers?
    • Re: (Score:3, Interesting)

      by BSAtHome ( 455370 )

      How do you get this to work with a corporate split DNS infrastructure? This is not a fix but a hack which does not work in many scenarios...

      • Whatever DNS server you are using inside your corporate network to resolve internet domains should be set up to forward to OpenDNS instead of your ISP's DNS servers, so that your employees will benefit from the overall idea behind OpenDNS as well as the fact of having an almost 100% guaranteed secure DNS system. Your external DNS servers should be patched so that they do not become hijacked.
        • by Lennie ( 16154 )

          Unless you have a shitty NAT-firewall in between. And if a lot of people use OpenDNS, you'll all be an easy target.

          • Whether or not you have a NAT firewall is irrelevant to the setup I described. It does not have any effect on a split-horizon DNS setup. And OpenDNS is no bigger a target than nailing the DNS servers for Comcast or even a root level system. OpenDNS actively scrubs their records of malicious websites and malsites.
            • by Lennie ( 16154 )

              No I'm talking about someone trying to spoof answers for your questions to OpenDNS. If your NAT messes up your source-port-randomisation, you'll still be in trouble.

              • At that point, it's the admin's fault for running an enterprise with a split-horizon DNS setup yet maintaining a crappy NAT firewall. There are free firewalls (software is free, still need hardware) that are enterprise level, such as pfSense, so there's no excuse for the admin.
    • by Anonymous Coward on Wednesday July 30, 2008 @04:45PM (#24409073)

      Hush now, we're trying to advertise OpenDNS. Just use it and shut up like a good lemming.

  • Like I'm going to switch out my name server on a high-availability server farm, which would require even more testing.

    "During the development cycle, we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000/queries per second," said Vixie.

    Emphasis mine.

    It's almost as useful as saying the solution to BSoD is Linux. Amusing though. :)

  • As a rule, I try to avoid applying quick fxes to my servers. After all, if the poster and editor can't even be bothered to spell check, how can I be sure the programmer bug tested their fx? =)
  • Great idea. (Score:4, Funny)

    by casualsax3 ( 875131 ) on Wednesday July 30, 2008 @04:04PM (#24408433)
    Quick everyone - all of our eggs in the OpenDNS basket!
  • Just a bit ago my parents bought a new router JUST so they could install OpenDNS to protect me from porn... for once I'm actually glad they did it =P
    • by moderatorrater ( 1095745 ) on Wednesday July 30, 2008 @05:11PM (#24409411)
      supersloshy: "Come on, mom, I'm 32 years old, I can look at porn if I want to."
      mom: "Not while you're living under my roof without paying rent!"
      step-dad: "Besides, son, I hear it can help protect you against that dns cache poisoning that's been going on."
      supersloshy: "Shut up! You're not my real dad!"
      real dad: "Now supersloshy, you obey your step father, even if he does dress funny and try too hard."
      supersloshy: "I hate you! I wish I'd never been born!"

      Whole thing sounds kind of silly now, huh?
    • Re: (Score:3, Informative)

      by socsoc ( 1116769 )
      I switched my corporate lan's proxy to use OpenDNS and I thought a few of the blocking categories looked useful so I selected them. I quickly disabled those after the first day. I don't see how Monster.com qualifies as an Adware site, but it sure pissed off my HR dept when they got a blocked message in their browser. Those categories are so overreaching, it's laughable. The typo correction and shortcuts are useful though.
  • Great (Score:2, Insightful)

    by Anonymous Coward

    So we can replace possible random DNS hijacking with guaranteed DNS hijacking that's passed off as a feature.

    Didn't we get extremely upset at Verizon when they served up adverts and returned bogus DNS responses on domains that don't exist?

  • What's with the constant OpenDNS slashvertisements?

    Why would anyone in their right mind replace a distributed system that gets overloaded often enough with a single point of failure?

    Have oodles of servers been slashdotted in vain?

    np: Spooky - Belong (Open (Disc 1))

    • Re: (Score:3, Informative)

      by caerwyn ( 38056 )

      I did because Comcast is the only service provider in my area, and OpenDNS actually provides better DNS reliability than Comcast's DNS servers. The switch was actually driven by a Comcast DNS outage.

  • by duplicate-nickname ( 87112 ) on Wednesday July 30, 2008 @04:23PM (#24408733) Homepage

    Seriously, this solution has been posted in response to every DNS article on Slashdot this past month and has been mentioned by just about every article talking about the issue.

    Does Slashdot really need to post links to Computer World that rehash what has been discussed 100 times already?

    • by neomunk ( 913773 )

      Hey, if all you have is a hammer, but people keep tossing you nails...

      • Re: (Score:1, Insightful)

        by Anonymous Coward
        Sell the nails and hammer the people.
  • Thankfully, I've been using OpenDNS for almost a year now.
  • by shogarth ( 668598 ) on Wednesday July 30, 2008 @04:55PM (#24409191)

    Given the near fanatical privacy concerns on Slashdot, I'm surprised nobody is screaming over this "recommendation." Imagine how valuable it would be to know every web site visited by "millions of people a day." Does anyone think the for-profit company isn't mining then reselling the lookup->client-ip information?

    On a technical issue, how effective is their service? I've had hotel/hot-spot links that were proxying DNS queries regardless of my settings. It seems to me that unless you know that your ISP's DNS is way broken and that they aren't intercepting DNS queries, this is of questionable use.

  • by Anonymous Coward on Wednesday July 30, 2008 @05:00PM (#24409275)

    No.
    OpenDNS does terrible NX-overriding and other useless, annoying things (logins, etc.)

    Instead, just use public, geo-distributed DNS servers which FOLLOW RFC and are patched. Here are the standard suggestions (Level7):
    4.2.2.1 through 4.2.2.6.

    These have good randomness and are multi-cast addresses for DNS servers all over the country. They are VERY fast in most areas.

    • Thanks, learn something new (and useful) daily! I use OpenDNS currently, but wow, response times alone are amazing! = 10ms to the 4.* servers and ~100 to OpenDNS. I might still stick with OpenDNS for now since I use some of their features, but this is certainly food for thought and a useful tool when I get stuck without DNS during some of my travels -- very easy to remember IPs :)
    • Instead, just use public, geo-distributed DNS servers which FOLLOW RFC and are patched. Here are the standard suggestions (Level7):
      4.2.2.1 through 4.2.2.6.

      Those aren't actually public DNS servers though, are they? They are private DNS servers which just happen to be publicly accessible at the moment. If at some point in the future they block all access from outside their network, which they have every right and incentive to do, you will lose DNS. They have in the past temporarily changed the reverse DNS names for those servers to please-do-not-steal-service.whatever.net, so don't say you weren't warned.

      And when it comes to FOLLOWING RFC, I'm pretty sure that "do

      • And when it comes to FOLLOWING RFC, I'm pretty sure that "don't use other people's DNS servers" is pretty high on the list.

        And how do you do that? Isn't DNS a hierarchical system, where all the answers you are not authoritative on get resolved through queries to other servers? That implies you can't avoid other people's DNS servers.

    • These have good randomness and are any-cast addresses for DNS servers all over the country.

      Fixed.

  • I wonder about OpenDNS' performance with more users using it due to this flaw.

    • by Shados ( 741919 )

      I just switched to it right now because my ISP -still- didn't do anything about it. It's pretty zippy honestly (my ISP's DNS servers were actually the bottleneck of my connection). I'm happy.

      • Unpatched _still_? Latent, too? Who are these jokers?

        • by Shados ( 741919 )

          As far as I can tell, and from the information I gather on the patch, and the tests I ran... the losers DID patch the darn thing, but they stuck their DNS servers behind a firewall that blocks most ports (probably a 2 headed department, where the people in charge of the firewall and the ones in charge of DNS aren't the same and don't talk much), so while the ports are randomized, there's only a couple that can go through, so it kills the point.
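          The two comments above (Lennie's point that a NAT can undo source-port randomisation, and Shados's resolver whose patched ports are squeezed through a firewall that only passes a couple of them) are both about the same measurable quantity: how many bits an off-path spoofer has to guess to slip a forged reply past the resolver. The following script is an added example, not code from the thread or from any resolver vendor. It takes (transaction id, UDP source port) pairs observed on a resolver's outbound queries, measures the entropy of each field, and flags the "patched but collapsed by the middlebox" case. All sample data is constructed; on a real resolver you would feed it pairs pulled from a packet capture of the outbound side.

```python
"""
Added example: estimate how much an off-path spoofer would have to guess to
forge a reply to a recursive resolver, from (transaction id, UDP source port)
pairs observed on its outbound queries. All sample data below is constructed.
"""
import math
import random
from collections import Counter

TXID_BITS = 16  # the DNS message ID is a 16-bit field (RFC 1035)


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def assess(samples, min_port_bits=8.0):
    """samples: iterable of (txid, source_port) pairs, one per outbound query.

    Returns the observed entropy of each field, the combined number of bits a
    spoofer must match, and a plain-English verdict on the port behaviour.
    """
    samples = list(samples)
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    txid_bits = entropy_bits(txids)
    port_bits = entropy_bits(ports)
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        verdict = "fixed source port: the txid alone protects the cache"
    elif port_bits < min_port_bits:
        # Patched resolver, but something between it and the internet is
        # rewriting the port (NAT) or only letting a few ports through.
        verdict = ("source ports collapsed to %d values: a NAT or port-restricted "
                   "firewall is probably rewriting or limiting them" % distinct_ports)
    else:
        verdict = "source ports look randomised"
    return {
        "txid_bits": txid_bits,
        "port_bits": port_bits,
        "distinct_ports": distinct_ports,
        "search_space_bits": txid_bits + port_bits,
        "verdict": verdict,
    }


# --- constructed samples standing in for three resolver behaviours ----------
rng = random.Random(2008)  # fixed seed so the demo is repeatable


def sample_fixed_port(n=1024):
    """Pre-patch behaviour: random txid, but every query leaves from port 53."""
    return [(rng.randrange(1 << TXID_BITS), 53) for _ in range(n)]


def sample_nat_collapsed(n=1024, allowed=(40000, 40001, 40002, 40003)):
    """Patched resolver behind a device that only lets four ports through."""
    return [(rng.randrange(1 << TXID_BITS), allowed[i % len(allowed)])
            for i in range(n)]


def sample_randomised(n=1024):
    """Patched resolver with an unhindered ephemeral port range."""
    ports = rng.sample(range(1024, 65536), n)  # n distinct ports
    return [(rng.randrange(1 << TXID_BITS), p) for p in ports]


if __name__ == "__main__":
    for name, samples in [("fixed port", sample_fixed_port()),
                          ("NAT-collapsed", sample_nat_collapsed()),
                          ("randomised", sample_randomised())]:
        r = assess(samples)
        print("%-14s txid %.1f bits, port %.1f bits (%d distinct) -> %s"
              % (name, r["txid_bits"], r["port_bits"], r["distinct_ports"],
                 r["verdict"]))
```

          One caveat when reading the numbers: the entropy of a batch of n observations can never exceed log2(n), so 1024 samples cap both columns at 10 bits even for a perfectly random 16-bit field. Judge the port column against the txid column from the same capture, not against 16; a resolver whose ports show far fewer bits than its txids is the situation Lennie and Shados describe.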

        • by Shados ( 741919 ) on Wednesday July 30, 2008 @10:07PM (#24411879)

          Oh, and while not naming 'em, let's just say I have a screenshot from long ago that I took from a trace route to Google that I did, and all of the routers that my ISP owned on the way had been renamed to something like "xyz-cannot-secure-their-routers.xyz.com" and such things. Nuff said :)

    • by mboz62 ( 732360 )
      I did a bit of research into OpenDNS a while ago, the link is here [smoothwall.org]

      I've been a little intrigued by what sort of real benefit the likes of OpenDNS might actually have, so I thought I'd do a bit of a test and see what it does.

      So I thought I'd start with the world's most popular websites; according to http://www.alexa.com/ [alexa.com] I got a list of the top 100 global websites.

      the basic results turned out to be...
      1. OpenDNS server at 208.67.222.222 average = 108.8787879 min = 15 max = 1273

      2. my IS
  • Ok, so I can deal with all the 'turfing on EVERY FUCKING DNS story that slashdot posts. Fine. I just ignore it and move on.

    But now we're getting editors astroturfing..their..own site...

    opendns isn't that special. I've looked at it. Anybody who uses it for a corporate network should be shot. You are purposely exposing your internal users to the whims of an external company.

  • I use opendns because it allows me to manually refresh the cache (opendns.com/cache) when I am making name server changes on my domains. Then I know immediately if the changes are correct and will propagate to the rest of the internet eventually.
  • I remember being stateside and getting to control my choice of DNS server. That said, many small third-world ISPs and plenty of colleges and other overly-controlled environments where bandwidth is expensive NAT you and run transparent proxies, locking you in to the DNS server used by said proxy and, even if the stray packet does get to OpenDNS, prevents you from using ddclient or anything else to effectively manage your settings there.

    How 'bout an option for us? What ever happened to Tor? Any similar vulner

  • I'm still using my own BIND installation to bypass Sweden's insane filter system. I've applied the patch now.
  • I've just had a read around the opendns site, and it seems like a marketing thing more than a good technical idea.

    They appear to make their money by sending you to an advertising site whenever a name doesn't resolve. To me, this seems a bad idea. Imagine the scenario - 'hey bob, the kitty's getting a bit empty you know' - 'not a prob boss, just let me tweak some dns resolver timings'

    Also, their idea that they are 'quicker' because they use a 'large' cache is also bobbins. A dns time to live (ttl) is
