21 Jan

OpenDNS – Basic Security Step Zero!

opendns_logo_300

OpenDNS

Guys and Gals, you may have never heard about OpenDNS–and that is unfortunate. This FREE (yes, that is as in “pizza”) service is the most basic and simple step you can take to secure your home and/or business network. It is actually so free and easy that you may not even need me to tell you how. There are great technical instructions right there on the OpenDNS home page to the story of the whys and hows.

  • However, if you are non-technical, you may be left asking, “Now…what does this do for me again?” Keep reading.
  • Or, if you are technically-oriented, but just want the bottom line without marketing-speak…keep reading.

Still with me? Great. Following the BLUF (bottom line up front) principle, let me plainly state: You need to use OpenDNS at your home to help mitigate your risk from falling prey to a Phishing attack. If nothing else, it’s worth 15 minutes of your time for that alone.

I would use it if that was all it did.

But, OpenDNS does much more. As far as I can see it, they deliver functionality in four main areas. I’ll list them, then explain them further.

  1. Mitigate or eliminate risk from Phishing attacks.
  2. Comprehensively or selectively filter out adult sites.
  3. Typo’d and non-existent domain suggestions.
  4. DNS lookup speed.

They tend to push #4, which is a bit of a hard sell to the average user. On broadband, this difference may be measured in fractions of a second–not terribly noticeable. So, let’s handle it first and talk about how DNS works to begin with.

mr_wizard

Golly Geewillakers!

Ready to trot out the old “address book” metaphor? Skip to the next heading if you can’t handle the truth.

Ok, here goes: DNS is like an address book. You get to remember easy text names like http://www.sluggy.com and it remembers the hard stuff, like the actual IP address of 72.36.173.106 where it resides on the web. Click on both of these links–see the address bar of your browser? Your computer couldn’t care less which one you use–matter of fact, it always uses the numerical IP address anyway.

It’s our pea-brained human memories that really have a problem with the IP addresses. Not your computer or web browser. So, the Domain Name Server (DNS) service was built to help us. We put in the text name that is easy to remember, like www.google.com and it opens its address book and looks up the right destination.

This is what’s happening when you notice numbers flashing by in the status bar of your browser. Ususally, it happens so fast that you don’t see it (except on dialup–shudder). It’s 3-step process:

  1. You type in a website. Your browser looks at your computer’s DNS settings for the primary DNS address. It then sends out a message to the DNS server by address asking, “What is the IP address of google.com?”
  2. The DNS server starts at the root (the “.” in “.com”) and says to itself, “Hmm…it’s a ‘com’ address, where did I put the com book? Ok…lessee here…e…f…g… Ah! Here it is: “google!” The DNS server send your browser back a message to your browser that says, “Go to the address of 64.233.167.99 for www.google.com.”
  3. All text names are forgotten now. Your browser creates an HTML GET request aimed at 64.233.167.99 and lets fly. If google.com is up, you’ll receive a the default web page and the process is done.

Sheesh. Was that pedantic enough for you? Or would using terms like “Mr. Browser calls Mr. DNS on the phone” be better? ๐Ÿ™‚

OpenDNS Speed

Alright–so, the OpenDNS elves deep in the domain name mines have taken a full copy of the domain name structure and brought in-house, onto their own servers (in one of 3 redundant sites around the country–soon to be 4). This all has to do with step #2 above, which I simplified to be only one server. In reality it is a hierarchical network of servers, that may be spread out over distances or under varying loads.

SO, OpenDNS can claim to be zippy fast in comparison because they maintain all the hardware under carefully defined conditions. Yeah. Not too compelling to my mind. As long as it isn’t slower, the other three benefits more than sell it. Next!

Anti-Phishing

Phishing attacks essentially trick you (the user) to go to a fake website and enter in your credit card or banking information. Their goal being to steal your identity or money. They are able to do this due to that deficiency in human memory to which I earlier referred. Since you don’t remember the ip address of www.bankofamerica.com, they bet (correctly) that you won’t notice when they feed you a bogus one.

If they can write a HOSTS file on your computer or infiltrate your DNS server and feed in bad info, you will give their fake website all the goods. Passwords, credit cards, bank accounts, social security numbers, and whatever else!

SO, OpenDNS is a defense against this because they maintain a trustworthy copy of DNS. Obviously, their business is built on the “trustworthiness” of this copy, so they maintain cutting-edge expertise in the area. At least more of an expertise than the vast majority of users out there.

Caveat: I don’t know of any way to stop someone from doing the truly stupid–like sending a Namibian Prince their bank account, but this is certainly a huge step in preventing accidental exposure.

opendns_phishing_crop

Best part is that this is enabled by default and (I believe) that all it takes to setup is changing your DNS server addresses. You should do this now.

  1. Go to your Local Area Connection Properties

    lan_properties

  2. Double-click on Internet Protocol (TCP/IP). Trust me, it’s there…or you’re not reading this page! ๐Ÿ™‚

    dns_settings

  3. Change to Manual DNS and enter in the OpenDNS numbers for Primary and Secondary. They are:
    • Primary: 208.67.222.222
    • Secondary: 208.67.220.220

Click OK and you’re using OpenDNS! Well…at least to defend against phishing.ย  (Note:ย  If you are using DHCP from a firewall or router–and you should be–you can change the DNS settings there and streamline things a bit.)

Adult Site Filtering

Here’s were some more great value for parents begins. (Question: Is it proper to discuss value from a “free” service?)

Anyway, St. Bernard Software is a company that makes business-class web filters to block porn, instant messaging, and viruses, along with providing email archiving and such like. They are nice enough to provide OpenDNS with their carefully maintained listing of Adult Sites by category. And if you setup an Account with OpenDNS (again, for free) you can block the sites on that list from ever coming into your home.

SO, adult web pages are never even looked up in the DNS directory–the browser is instead sent to a block page that explains that adult sites are not allowed. One can even upload a custom image to the block page. I don’t know, maybe something like your spouse’s photo?

opendns_sites_crop

First thing to do is setup an account on OpenDNS and respond to their email to confirm. This happens pretty fast. Then login and go to the dashboard’s “Settings” tab. Make your selections and click apply.

Let me point out here that no filter list is ever going to be 100% effective. There are new sites everyday, and some that might exist in some far corner of the world that might be missed. That being said, I would expect this to be around the 99.9999% (four nines) level of success. Which is leaps and bounds over nothing, let me tell you. Goes along way towards protecting the entire family from accidental exposure.

Usually, the problem with a filter like this is that a site might be listed as “bad” mistakenly, rather than the reverse (a bad site listed as “ok”). For this reason OpenDNS provides Whitelisting (“I” say this site is OK) and Blacklisting (“I” say that this site is never OK). Personally, I’ve never had to use either one and am not really expecting to in the future.

Caveat: This will most likely not work properly until you setup a dynamic IP address updater. Keep reading.

Typo Recommendation

This feature gives the user recommendations when a non-existent domain name is entered. So…if I try to point my browser at microsoftcom (no dot) instead of microsoft.com it will bring me to a google-like “Did you mean?” page with a list of the domain names I might have been looking for…

This is great when my hands get off the home row of the keyboard and instead of microsoft.com I type in “j8d50w0r5ld0j.” Don’t ask…it happens ๐Ÿ™‚

It remains to be seen how wonderful this will bear out to be. On paper it looks fantastic. Maybe my typing has improved to the point where I don’t h33e 86.

Oh, and they place click advertisements on this page–just like Google does. Don’t begrudge them, this is how they monetize their efforts.

Dynamic IP Addresses

Whether they know it or not, most people with cable or DSL Internet use Dynamic Host Configuration Protocol (DHCP) to get out to the web. Essentially, the provider (your cable company) has a server that assigns an IP address to your computer or firewall when it first attaches to the service. This IP address may stay the same for days, weeks, even months–but sooner or later it will change. You’ll shut down your machine at the same time that some other subscriber starts theirs and they take the address you have been using until recently.

No big deal. You are simply assigned a different address and life goes on. Nobody even notices or pays attention–I know that I certainly couldn’t care less at my house.

The problem is that IP address is the only way that OpenDNS knows that you are in fact you. So, if you get a different address, the anti-phishing might work and the typo recommendations might work, but all of your other settings won’t be used. Settings like the adult site filtering and your white and black lists.

Just so you know, the person that gets your “old” IP address isn’t affected, unless they are using OpenDNS too…in which case why aren’t they updating their own IP address!?!?!

So, how do we get around this? We have to somehow tell OpenDNS when you get a new address. And to do this, they’ve thoughtfully provided another FREE (again, as in pizza) service called DNS-O-Matic. (Cute, huh?)

First thing to do is add a dynamic network to OpenDNS

opendns_dynip_crop

Do this by clicking the obvious link on the page’s left-hand menu and apply. That let’s OpenDNS know you want to do the dynamic thing. Now you need something to actually DO it.

Like DNS-O-Matic.

Here’s where my own configuration gets a bit complex. If I were just a PC attached to broadband, I would just use one of the software clients, such as DynDNS Updater to do the heavy lifting. I wouldn’t necessarily need DynDNS.org as a service, but would be using their client. OpenDNS has a config example for doing this here.

My problem is that I operate behind an Endian Community firewall. I use the built-in Endian client to update my DynDNS.org host name so my VPN connection to my home works. It’s great, my Endian firewall automatically updates things and I don’t have to edit my VPN configuration, just point it at firewallname.dhs.org to connect. It looks like this:

efw_services_dyndns_add

Uh, BTW, my firewall isn’t named “firewallname”, just in case you were wondering…although that might be kinda funny. ๐Ÿ™‚

So I end up with a bit of a kludge. I have to update DynDNS in two ways, via the firewall and also with a software client on one of my computers. The software also updates OpenDNS.

I guess it works…but it’s a bit silly.

Before I found this page, I sent an email to OpenDNS asking for FQDN support in either OpenDNS or DNS-O-Matic. It is apparently out of the question. OK, so at least provide the hostname support on DNS-O-Matic. That way it can lookup against DynDNS and I don’t have to run client software. I also sent an email to the Endian people…maybe it can make into a future release.

I am currently using DNS-O-Matic Updater from Marc Hรƒยถrsken. It’s simple and easy to use. Once it is installed and running, you can right-click on it in the system tray and choose “Automatic Startup” so it will start after each reboot. Vista hates this.

dns_o_matic_updater

BUT, what I will probably end-up doing is an update script on my Endian firewall as a chron job. I hate that something this simple requires advanced Linux knowledge. This should be easier.

Oh, well. All-in-all, I am very happy with the results. It might sound more complex than it really is–you can expect to spend 15 to 30 minutes setting it up. Maybe less. Most of my friends and associates have now heard about OpenDNS from me. Honestly, just for the phishing protection alone, it is well-worth availing oneself. Highly recommended.

See you, Space Cowboy.

02 Jan

All Tech No Brains – Little Pebble

Well…we’ve come to the end of our little revisit to my misspent youth. Only one little track left, and we can get back to more important things. Whatever those may be. ๐Ÿ™‚ Like some of those DOSBox articles I promised so long ago…

pebbles

I actually went on this little journey for a number of reasons. First, as I think I already stated, a blog is something of a painfully open little journal. And because of this, all current interests and activities are fodder. But the root cause of all of this springs from my desire to return to the world of audio. This case in particular is some self-flagellating (and induced) training on audio mastering techniques. You will admit, as I do, that I still have much to learn!

main_screenshot_small

And if I had had access to software like Ardour (www.ardour.org) fifteen years ago, who knows what we would have created. Maybe nothing–maybe all the goofiness of tracking boom-boxes back and fourth through a Radio Shack mixer was a necessary part of the process.

The evening that I showed up at Tom’s house armed with the “drums” from “The Phone Bill”, I found that he had done little planning ahead too. He had been out and about that day and picked up a “Relaxation” CD from some bargain bin. It was entitled something like, “Seashore with Cello and Gulls.” It was a real thing of beauty. Over 75 unadulterated minutes of white noise for only $3.95!!! It was cheap at half the price…I mean, twice the price!

The drums distracted him initially, and in reality, after we were done with phone bill, I was ready to go. However, Tom seemed a touch put out that we had not used his new CD for anything yet.

Sigh.

I’m glad I stayed though, or the world might never know about being “sturdy and strong.”

There were two parts to this one. The ocean noises and…well, that part in the middle. We simply ran a microphone into a quadraverb and turned the reverb up to eleven (a major mistake when you don’t have a true monitoring system) and played the CD. Tom did what Tom always did–wrote a funny little bit and spoke with alacrity.

But, we discovered that it needed something. That certain je ne sais quoi. By this time it’s really really really early in the morning. So, we kinda went back to defaults:

  1. We randomly detuned his guitar to a truly janglely degree, put some massive distortion on my bass, and sampled about a 3 second loop into the effects processor. This loop was put on infinite repeat and fed back into the mixer with the analog synth. We rolled tape while I completely improvised some crazy “dance of the baby elephants” melody line. We just filled up a few minutes and ended the cacophony. The length didn’t matter, we knew it was going to be faded in and then back out.
  2. Next we loaded that target tape up into one of the source decks and gave Tom a mic full of tube distortion. He tracked those fateful words so rich with meaning and portent, “Suddenly, a giant octopus…”
  3. Step Three: Smile at a job well done.

With a little manual timing to start cassette players and quasi-deft hand at the faders, we mixed the two tapes together.

Now to clean this up, I followed the same procedure as before with one deviation. The source audio I sampled with the Extigy had two problems. To get a good level on the ocean waves part would cause the middle bit to clip badly and come in waaaaay too hot. The final product still has a defect on one or two of the peaks (it sounds like clipping), but unfortunately it was recorded that way; so GIGO rules apply.

The second problem stems from the fact that–back then–I was monitoring with really bad headphones two feet away from the input (Tom). I didn’t find out that the voice over was COMPLETELY UNINTELLIGIBLE until riding home in my truck that morning. I had cranked the wet/dry mix on the reverb to the place that one could barely hear what he was saying. Oh, sure, there were plenty of reverb reflections, but the words themselves where buried in them. Enough of the live sound was leaking into my headphones sitting across the table from Tom that I didn’t hear the problem going to tape until too late.

Gee…perhaps we should have invested in some real monitoring headphones?

 

[amazon-product align=”center”]B000AJIF4E[/amazon-product]

 

Ouch. Before I could post it here, I would have to fix all of this. I tried a couple of ways to treat the entire track, but didn’t get too far. So, I eventually sampled the tape into two tracks in my studio software. That way, I could apply different filters on the ocean part and the crazy part. The first part cleaned up amazingly–a dynamic expander and more than a little noise reduction killed the lion’s share of the reverb and brought the vocal back to the front of the mix.

The crazy octopus part was more labor-intensive. I created a custom volume envelope for each peak so that I could automate “ducking” the bad spots. Then I compressed it and equalized the fire out of it.

Mixing these two tracks back together, I nudged the waveforms around a little which probably shortened the length some, but no biggie. I think I learned more about mastering with this one then I did on the others. Have a listen and tell me if you disagree.

Title: Little Pebble
Album: All Tech No Brains
Artists: Tom Murray and Joseph Baxter
Target: Self-Help Tapes

Ok, that is all. However, not a final all. My brother Brad gave me one of our old band’s “professional” tapes. It sounded horrible. I intend to remaster all eight songs as a favor for him. Of these I may post a sample as a before and after with screen shots on the entire process.

We’ll see how it turns out. Until then, thanks for stopping by, see you soon!