<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0" 
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/">

  <channel>
    <title>mezzoblue: OpenDNS</title>
    <link>http://mezzoblue.com/archives/2008/07/28/opendns/</link>
    <description>Comments on the mezzoblue entry &#8220;OpenDNS&#8221;</description>
    <dc:language>en-us</dc:language>
    <dc:date>2008-11-24T12:16:26-08:00</dc:date>
    <admin:generatorAgent rdf:resource="http://www.movabletype.org/?v=3.35" />
    <sy:updatePeriod>hourly</sy:updatePeriod>
    <sy:updateFrequency>1</sy:updateFrequency>
    <sy:updateBase>2000-01-01T12:00+00:00</sy:updateBase>


    <item>
      <title>By Daryl, at 06:56:25 on 2008-07-29.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c038859</link>
      <content:encoded><![CDATA[<p>I actually switched to OpenDNS a week ago after my ISP (who may or may not be named Rogers) implemented their own DNS hijacks. It's cool to read that someone I respect and read regularly has made the same decision (albeit for a different reason).</p>]]></content:encoded>
      <dc:date>2008-07-29T06:56:25-08:00</dc:date>
    </item>
    <item>
      <title>By Nicholas Shaff, at 23:28:57 on 2008-08-08.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c038871</link>
      <content:encoded><![CDATA[<p>Good to hear that OpenDNS blocks these attacks. I've been using OpenDNS for a while now. What got me using it was the URL auto-correction, but it has also always seemed a bit faster. I've never exactly liked using ISP DNS servers as they tend to jack with things and can be quite pokey at times. For a long time I was mooching off a University DNS server I'd memorized from a long time back.</p>]]></content:encoded>
      <dc:date>2008-08-08T23:28:57-08:00</dc:date>
    </item>
    <item>
      <title>By Christopher H, at 01:22:18 on 2008-08-10.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c038872</link>
      <content:encoded><![CDATA[<p>Here a little more info:</p>

<p>Securityfocus.com actually published a very good series of articles in relation to this.  They may be operated by Symantec, but they manage to put out some good information - including an article by the architect of the collaboration and patch (Dan Kaminsky).</p>

<p><a href="http://www.doxpara.com/?p=1162" rel="nofollow">http://www.doxpara.com/?p=1162</a><br />
(This is Dan's original article about the issue - from his website)</p>

<p><a href="http://www.securityfocus.com/news/11526" rel="nofollow">http://www.securityfocus.com/news/11526</a> <br />
(talks about the collaboration)</p>

<p>securityfocus.com/news/11529<br />
(talks about the initial patching fallout)</p>

<p>securityfocus.com/brief/785<br />
(talks about Apple's DNS flaw issues)</p>

<p>(no, I don't work for Symantec - I just find this site one of many great sources of information on the security side of things)</p>]]></content:encoded>
      <dc:date>2008-08-10T01:22:18-08:00</dc:date>
    </item>
    <item>
      <title>By JamesSpratt.org, at 14:21:34 on 2008-08-13.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c038878</link>
      <content:encoded><![CDATA[<p>Great - thanks for pointing this out. Done.</p>]]></content:encoded>
      <dc:date>2008-08-13T14:21:34-08:00</dc:date>
    </item>
    <item>
      <title>By Ronald Duncan, at 04:36:09 on 2008-08-14.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c038880</link>
      <content:encoded><![CDATA[<p>What was amazing about this issue was that BIND (the most popular DNS server) was still vulnerable, and a lot of BIND clones like Microsoft's are also vulnerable, given that this problem was pointed out by Dan Bernstein as part of his 1997 personal battle to improve internet security. He started by writing a secure email server, and then a DNS server in 1999.</p>

<p>The specific issue that has just been exploited was reported to BIND on 29 July 2001, after they had made a half-hearted attempt at a patch.</p>

<p><a href="http://cr.yp.to/djbdns/forgery-cost.txt" rel="nofollow">http://cr.yp.to/djbdns/forgery-cost.txt</a></p>

<p>From the CERT Advisory: "Daniel J. Bernstein is credited with the original idea and implementation of randomized source ports in the DNS resolver."</p>

<p>We use his DNS software since it is much faster, easier to automate and has never had a security exploit. Not surprisingly, it was protected against this exploit by design. It is also guaranteed not to have a security exploit (with an explicit exclusion of the problems caused by the current protocol).</p>

<p>See <a href="http://cr.yp.to/djbdns/guarantee.html" rel="nofollow">http://cr.yp.to/djbdns/guarantee.html</a></p>

<p>There are now plenty of alternatives to using BIND, and it is amazing the number of ISPs that still use it.</p>

<p>There will be more attacks; see the ICANN discussion.</p>

<p><a href="http://public.icann.org/en/node/1176" rel="nofollow">http://public.icann.org/en/node/1176</a></p>

<p>As previously discussed, DNS needs a new architecture, and DNSSEC is a flawed solution.</p>]]></content:encoded>
      <dc:date>2008-08-14T04:36:09-08:00</dc:date>
    </item>
    <item>
      <title>By Chris Leonard, at 16:02:25 on 2008-08-22.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c038938</link>
      <content:encoded><![CDATA[<p>Holy Schneikes, I read 'net news almost daily and I had no idea. This is quite alarming! Is there anything that site owners can do (or encourage our webhosts to do)? </p>]]></content:encoded>
      <dc:date>2008-08-22T16:02:25-08:00</dc:date>
    </item>
    <item>
      <title>By Robert Giordano, at 22:55:17 on 2008-09-12.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c039003</link>
      <content:encoded><![CDATA[<p>Earlier this year I believe I was a victim of this hack, although no one could give me a straight answer. I live in Florida and use AT&T (formerly BellSouth) DSL at home. I'm a designer and I noticed some slight differences or flaws in a couple of sites I was logging into but it was already too late and my password had been captured. </p>

<p>One day I did a lookup of my IP address and it did not resolve to Bellsouth. I turned my router off for a few minutes, turned it back on and then I had a different IP address that did resolve to Bellsouth. I'm not entirely sure this was the same hack but I thought it was worth mentioning.</p>]]></content:encoded>
      <dc:date>2008-09-12T22:55:17-08:00</dc:date>
    </item>
    <item>
      <title>By Michael, at 01:35:48 on 2008-10-17.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c039243</link>
      <content:encoded><![CDATA[<p>One thing to be aware of if you do use OpenDNS is that users mistyping domains are sent to a helpful "OpenDNS guide portal" with adverts.</p>

<p>The US ISP Roadrunner ( <a href="http://www.fka200.com/2008/02/22/road-runner-now-hijacking-not-found-mistyped-websites/" rel="nofollow">http://www.fka200.com/2008/02/22/road-runner-now-hijacking-not-found-mistyped-websites/</a> ) and Verisign ( <a href="http://slashdot.org/article.pl?sid=03/09/16/0034210" rel="nofollow">http://slashdot.org/article.pl?sid=03/09/16/0034210</a> ) have received flak for redirecting mistypes to pages that include adverts in the past.</p>]]></content:encoded>
      <dc:date>2008-10-17T01:35:48-08:00</dc:date>
    </item>
    <item>
      <title>By David Robarts, at 09:31:28 on 2008-10-28.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c039273</link>
      <content:encoded><![CDATA[<p>The article looks to me as if only Mac users running the DNS server distributed by Apple (an unpatched version of BIND) are vulnerable. There is nothing that indicates that DNS client software that an ordinary Mac user would use prevents users from protecting themselves.</p>

<p>I first heard about OpenDNS when I heard about drive-by pharming (cross-site request forgery used to change the configuration of routers from within the LAN). I changed my PowerBook to use OpenDNS so I didn't have to rely on the router configuration to provide a good DNS server. I also changed my home router to use OpenDNS to take advantage of OpenDNS's features. Unfortunately, in Leopard I can't configure my Mac to use only the manually configured DNS servers while getting other IP configuration information via DHCP. So if you use your Mac on a network you don't control, it is possible that it will use a vulnerable DNS server. Fortunately for me, I rarely use my Mac on any network other than my home and the network at school, both of which are safe.</p>

<p>The reason OpenDNS can get away with redirecting to a guide page with adverts is that users generally opt in to use OpenDNS and have the ability to choose to enable or disable any of the features (however, network administrators can choose OpenDNS and its configuration without end user choice).</p>]]></content:encoded>
      <dc:date>2008-10-28T09:31:28-08:00</dc:date>
    </item>
    <item>
      <title>By Ran, at 07:55:46 on 2008-11-12.</title>
      <link>http://www.mezzoblue.com/archives/2008/07/28/opendns/comments/index.php#c039326</link>
      <content:encoded><![CDATA[<p>The first idea is very useful: OpenDNS should protect against phishing and typos,<br />
but with a slower response time from the DNS server.</p>]]></content:encoded>
      <dc:date>2008-11-12T07:55:46-08:00</dc:date>
    </item>




  </channel>
</rss>