[Novalug] opendns.com - a good thing?

Chris Sykes psychs@gmail.com
Wed Jul 30 07:57:46 EDT 2008


I tend to concur with Paul in his sentiment. For my own personal stuff
I run a local copy of djbdns as a caching server. That tends to be
overkill for most ppl but I appreciate the logging and versatility of
having my own box that goes straight to root nameservers. Now there
are those of the belief that I am burdening the root servers
unnecessarily but my take is that those servers have survived the
worst DDoS in history and can handle my piddly traffic. In addition
monitoring dns requests of your local network is one of the best ways
to catch outbound spam and malware phone home requests.

Most home users aren't going to have their own local caching dns box
(although it's a fun project), so to answer your question as a home
user I would do ... nothing. DNS cache poisoning has been around in
different forms for a long time, what Kaminsky brings to the table is
a particularly nasty (and fast!) version of it. But the underlying
things you should do as preventative measures are still the same. Any
kind of sensitive web surfing (banking, ebay, paypal, e-mail, logins
to company resources, even forums you are partial to) should be done
over https. All authentication done in any kind of web form should be
done over https. If you aren't in the habit of first making sure that
the connection is https secured and then secondly verifying the
certificate is from a valid signer and is for the actual site you are
on then you are just biding your time till you are successfully
pharm'd/phish'd/pwn'd. Now for the rest of your surfing that isn't
over https or for things that aren't directly under your control (such
as apps that auto update in http or some other non encrypted protocol)
you are at the mercy of your ISP's dns server and upstream cache but
things like manually downloading applications instead of using auto
updaters, verifying downloads using md5 checksums (when available) or
just being a little more paranoid and untrusting of the things you
read or go to on the net will help bunches.

In the end it's the same old race between good guys and bad guys and
unfortunately when we are talking technology (at least IT) the bad
guys always have the edge.

Oh while I'm thinking of it, I use a firefox plugin called 'showip'.
Its main purpose is to show the ip address of the dns name you have
surfed to. If you right click on it you'll see any other ip addresses
for that A record and also have the option to whois the ip block.
That's useful in seeing if you were redirected away from where you
should be. Not foolproof since a lil xss/frame injection magic will
circumvent that protection but it's fun to have at least. =)

Last thoughts, I toyed with the idea of making a python resolver that
would sit on the dns server and just double check addresses against a
list of dns servers you provide ... be interesting to have that data
... but I'm lazy.

-Chris



On 7/29/08, Paul Bohme <novalug@bohme.org> wrote:
> Roger W. Broseus wrote:
>> Use of opendns.com services were advocated in the article to protect
>> against these and other vulnerabilities. What is the collective wisdom on
>> use of opendns
>
> On a lark when I was rebuilding my network last weekend I put the
> opendns servers in.  First thing I did was typo a URL, and it popped up
> an advertising page.  Needless to say, I removed the entries immediately
> and went back to my ISP defaults.
>
> It's nice of them to strut around like they're the secure thing, but
> then pull something as stupid and vile as wildcarding all unknown
> queries to their ad pages?
>
>   -P
>
> --
> When you posture DRM as a 'direct consumer benefit' you may as well
> just be saying 'It's double plus good' as you strap the rat cage to
> my face.  - "parf" on Windows Vista's "content protection"
>
>
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
>
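The "double check addresses against a list of dns servers" idea from the last paragraph of Chris's message, as an added example (not Chris's code, and not part of the original thread). It speaks raw DNS over UDP port 53 with no third-party library, asks every resolver in a list for the A records of a name, and flags resolvers whose answer set differs from the majority, which is the symptom a poisoned cache would show. The resolver IPs and the addresses in the demo are constructed placeholders; `make_fake_send` builds sample responses in memory so the script runs offline, and `udp_query` is the function to pass in against real resolvers.

```python
import random
import socket
import struct
from collections import Counter


def build_query(name, txid=None):
    """Build a minimal A-record query with the RD bit set; returns (packet, txid)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)  # random transaction ID, checked on reply
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1), txid


def _skip_name(packet, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return offset + 2
        offset += 1 + length


def parse_a_records(packet, expected_txid=None):
    """Return the set of IPv4 strings in the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):                      # skip the echoed question(s)
        offset = _skip_name(packet, offset) + 4
    addrs = set()
    for _ in range(ancount):
        offset = _skip_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.add(socket.inet_ntoa(packet[offset:offset + 4]))
        offset += rdlen
    return addrs


def build_response(query, addrs):
    """Construct an A-record reply to QUERY (used only to fake resolver traffic offline)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                       for ip in addrs)
    return header + question + answers


def udp_query(server, packet, timeout=2.0):
    """Send PACKET to a real resolver on UDP/53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    return data


def make_fake_send(table):
    """Return a send function answering from TABLE {server: [ips]}; unknown servers time out."""
    def send(server, packet):
        if server not in table:
            raise OSError("simulated timeout for %s" % server)
        return build_response(packet, table[server])
    return send


def cross_check(name, resolvers, send=udp_query):
    """Ask every resolver for NAME's A records and report any that disagree with the majority."""
    answers = {}
    for server in resolvers:
        packet, txid = build_query(name)
        try:
            answers[server] = parse_a_records(send(server, packet), txid)
        except (OSError, ValueError):
            answers[server] = None          # unreachable or malformed: no vote
    votes = {s: frozenset(a) for s, a in answers.items() if a is not None}
    tally = Counter(votes.values())
    majority = tally.most_common(1)[0][0] if tally else frozenset()
    outliers = sorted(s for s, a in votes.items() if a != majority)
    return {"name": name, "answers": answers, "majority": sorted(majority),
            "outliers": outliers, "consistent": len(tally) <= 1}


if __name__ == "__main__":
    # Constructed scenario: two resolvers agree, a third hands back a different address.
    fake = {"10.0.0.1": ["192.0.2.10"], "10.0.0.2": ["192.0.2.10"], "10.0.0.3": ["198.51.100.99"]}
    print(cross_check("www.example.com", list(fake) + ["10.0.0.4"], send=make_fake_send(fake)))
```

Against live servers, call `cross_check("www.example.com", ["<resolver-1>", "<resolver-2>", ...])` with the default `send`; a name with round-robin or geo-based answers will show legitimate differences, so the useful signal is an outlier that stays stable across repeated runs or points outside the address blocks a `whois` on the majority answer turns up.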