21 Jan

OpenDNS – Basic Security Step Zero!


Guys and Gals, you may have never heard about OpenDNS–and that is unfortunate. This FREE (yes, as in “pizza”) service is the most basic and simple step you can take to secure your home and/or business network. It is actually so free and easy that you may not even need me to tell you how: there are good technical instructions right on the OpenDNS home page, along with the story of the whys and hows.

  • However, if you are non-technical, you may be left asking, “Now…what does this do for me again?” Keep reading.
  • Or, if you are technically-oriented, but just want the bottom line without marketing-speak…keep reading.

Still with me? Great. Following the BLUF (bottom line up front) principle, let me plainly state: You need to use OpenDNS at your home to help mitigate your risk from falling prey to a Phishing attack. If nothing else, it’s worth 15 minutes of your time for that alone.

I would use it if that was all it did.

But OpenDNS does much more. As far as I can see, they deliver functionality in four main areas. I’ll list them, then explain each further.

  1. Mitigate or eliminate risk from Phishing attacks.
  2. Comprehensively or selectively filter out adult sites.
  3. Typo’d and non-existent domain suggestions.
  4. DNS lookup speed.

They tend to push #4, which is a bit of a hard sell to the average user. On broadband, this difference may be measured in fractions of a second–not terribly noticeable. So, let’s handle it first and talk about how DNS works to begin with.

[Image: Mr. Wizard]

Golly Geewillakers!

Ready to trot out the old “address book” metaphor? Skip to the next heading if you can’t handle the truth.

Ok, here goes: DNS is like an address book. You get to remember easy text names like http://www.sluggy.com and it remembers the hard stuff, like the actual IP address, 72.36.173.106, where that site lives. Put either one in your browser’s address bar and you end up at the same server; your computer couldn’t care less which one you type, because it always connects by the numerical address anyway. (One wrinkle: a web server that hosts several sites on one address uses the name you asked for to decide which site to show you, so the bare IP does not always bring up the same page. The lookup happens either way.)

It’s our pea-brained human memories that have the problem with IP addresses, not your computer or web browser. So the Domain Name System (DNS) was built to help us. We put in the text name that is easy to remember, like www.google.com, and a name server opens its address book and looks up the right destination.

This is what’s happening when you notice numbers flashing by in the status bar of your browser. Usually it happens so fast that you don’t see it (except on dialup–shudder). It’s a 3-step process:

  1. You type in a website. Your computer looks at its DNS settings for the primary DNS server address and sends that server a message asking, “What is the IP address of www.google.com?”
  2. If the DNS server doesn’t already have the answer on hand, it starts at the root (the unwritten “.” at the very end of “www.google.com.”) and works down: the root servers point it at the servers for “com”, those point it at the servers for “google.com”, and those finally answer for “www”. Your DNS server then sends your computer a message that says, “Go to the address 64.233.167.99 for www.google.com.” It also hangs on to that answer for a while (the record’s time-to-live), so the next person who asks gets it instantly.
  3. All text names are forgotten now. Your browser opens a connection to 64.233.167.99 and sends an HTTP GET request. If google.com is up, you receive the default web page and the process is done.
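To make those three steps concrete, here is an added example (not from the original post) that builds the step-1 question as a real DNS wire-format message and parses a step-2 reply of the kind a name server would return. Rather than hit the network, the script constructs the reply itself with the address quoted above, so it runs offline; www.google.com and 64.233.167.99 are taken from the steps, everything else is a stand-in.

```python
import random
import struct

def encode_name(name):
    """Encode "www.google.com" as DNS labels: 3 'www' 6 'google' 3 'com' 0."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=None):
    """Step 1: the question the resolver is sent (type A, recursion desired)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)        # 16-bit transaction ID
    # header: ID, flags (only RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return txid, header + question

def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; return (name, end)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # pointer: 14-bit offset into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end

def parse_response(msg, expected_txid):
    """Step 2, receiving side: trust the reply only if it matches our question,
    then pull the A records out of the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):                   # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:          # A record: four raw address bytes
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"rcode": flags & 0x000F, "answers": answers}

def build_response(query, addresses, ttl=300):
    """Constructed reply that stands in for the DNS server so this runs offline."""
    txid = struct.unpack("!H", query[:2])[0]
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (no error)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # owner name is a pointer (0xC00C) back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + query[12:] + answers

def reply_accepted(reply, expected_txid):
    """True only if parse_response would trust this reply."""
    try:
        parse_response(reply, expected_txid)
        return True
    except ValueError:
        return False

def resolve_offline(name, addresses):
    """Steps 1 and 2 end to end against the constructed server."""
    txid, query = build_query(name)
    return parse_response(build_response(query, addresses), txid)

if __name__ == "__main__":
    print(resolve_offline("www.google.com", ["64.233.167.99"]))
```

Notice how little ties the answer to the question in parse_response: a 16-bit transaction ID and the fact that the packet says it is a response. Classic DNS over UDP carries no signature on the answer, so whoever gets a matching packet to your computer first gets to tell it where www.google.com is. That is why it matters which resolver you point at, and that nothing between you and it is tampering with the traffic.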

Sheesh. Was that pedantic enough for you? Or would using terms like “Mr. Browser calls Mr. DNS on the phone” be better? 🙂

OpenDNS Speed

Alright–so, the OpenDNS elves deep in the domain name mines run their own recursive name servers (in one of 3 redundant sites around the country–soon to be 4). Those servers do the walk in step #2 above, which I simplified to a single server, and cache what they learn. In reality it is a hierarchical network of servers that may be spread out over distances or under varying loads, and a busy resolver with a warm cache gets to skip most of that walk.

SO, OpenDNS can claim to be zippy fast in comparison because they maintain all the hardware under carefully defined conditions and their cache is kept warm by a lot of users. Yeah. Not too compelling to my mind. As long as it isn’t slower, the other three benefits more than sell it. Next!

Anti-Phishing

Phishing attacks essentially trick you (the user) into going to a fake website and entering your credit card or banking information. Their goal is to steal your identity or money. They get away with it because of that deficiency in human memory to which I referred earlier. Since you don’t remember the IP address of www.bankofamerica.com, they bet (correctly) that you won’t notice when the site in front of you is not really the bank at all. The usual lure is a link in an email that looks right but leads to a look-alike domain they control.

If they can write to the HOSTS file on your computer or infiltrate your DNS server and feed in bad info (a variation called pharming), you will give their fake website all the goods even though you typed the real name. Passwords, credit cards, bank accounts, social security numbers, and whatever else!

SO, OpenDNS is a defense against the first kind because they run trustworthy resolvers that refuse to look up domains on their list of known phishing sites; ask for one and you land on a warning page instead of the fake bank. That list is fed by PhishTank, the community reporting project OpenDNS runs, so it is only as good as the reports that have come in: a brand-new scam domain may not be on it yet. Obviously, their business is built on the trustworthiness of this service, so they maintain cutting-edge expertise in the area, or at least more of an expertise than the vast majority of users out there. Be clear about what it does not cover, though. A poisoned HOSTS file is consulted before any DNS server is asked, so OpenDNS never sees that lookup, and malware that quietly changes your DNS settings to a server of its own choosing takes OpenDNS out of the picture entirely.

Caveat: I don’t know of any way to stop someone from doing the truly stupid–like sending a Namibian Prince their bank account, but this is certainly a huge step in preventing accidental exposure.

[Screenshot: OpenDNS phishing protection]

Best part is that this is enabled by default and (I believe) all it takes to set up is changing your DNS server addresses. You should do this now.

  1. Go to your Local Area Connection Properties

    [Screenshot: Local Area Connection properties]

  2. Double-click on Internet Protocol (TCP/IP). Trust me, it’s there…or you’re not reading this page! 🙂

    [Screenshot: TCP/IP properties, DNS server addresses]

  3. Change to Manual DNS and enter in the OpenDNS numbers for Primary and Secondary. They are:
    • Primary: 208.67.222.222
    • Secondary: 208.67.220.220

Click OK and you’re using OpenDNS! Well…at least to defend against phishing. To confirm the change took, open a command prompt and run “nslookup www.google.com”: the Server and Address lines at the top of the output should show one of the two OpenDNS addresses. (Note: If you are using DHCP from a firewall or router–and you should be–you can change the DNS settings there and streamline things a bit. It also means every machine on the network gets the protection, not just the one you edited; a device that still asks the ISP’s servers gets none of it.)

Adult Site Filtering

Here’s where some more great value for parents begins. (Question: Is it proper to discuss value from a “free” service?)

Anyway, St. Bernard Software is a company that makes business-class web filters to block porn, instant messaging, and viruses, along with providing email archiving and the like. They are nice enough to provide OpenDNS with their carefully maintained listing of adult sites by category. And if you set up an account with OpenDNS (again, for free) you can block the sites on that list from ever coming into your home.

SO, adult web pages are never even reached: when one of those names is looked up, OpenDNS answers with the address of its own block page instead of the real site, and the browser lands on a page explaining that adult sites are not allowed. One can even upload a custom image to the block page. I don’t know, maybe something like your spouse’s photo?

[Screenshot: OpenDNS adult site filtering settings]

First thing to do is setup an account on OpenDNS and respond to their email to confirm. This happens pretty fast. Then login and go to the dashboard’s “Settings” tab. Make your selections and click apply.

Let me point out here that no filter list is ever going to be 100% effective. There are new sites every day, and some that exist in some far corner of the world might be missed. That being said, I would expect this to be around the 99.99% (four nines) level of success, which is leaps and bounds over nothing, let me tell you. It goes a long way towards protecting the entire family from accidental exposure. Keep in mind what kind of filter it is, though: it works at the DNS level, so anyone who changes the DNS settings on their own machine, or types an IP address straight into the browser, walks right around it. It is a guard against accidents, not a lock.

Usually, the problem with a filter like this is that a site might be listed as “bad” mistakenly, rather than the reverse (a bad site listed as “ok”). For this reason OpenDNS provides Whitelisting (“I” say this site is OK) and Blacklisting (“I” say that this site is never OK). Personally, I’ve never had to use either one and am not really expecting to in the future.

Caveat: This will most likely not work properly until you setup a dynamic IP address updater. Keep reading.

Typo Recommendation

This feature gives the user recommendations when a non-existent domain name is entered. So…if I try to point my browser at microsoftcom (no dot) instead of microsoft.com it will bring me to a google-like “Did you mean?” page with a list of the domain names I might have been looking for…

This is great when my hands get off the home row of the keyboard and instead of microsoft.com I type in “j8d50w0r5ld0j.” Don’t ask…it happens 🙂

It remains to be seen how wonderful this will bear out to be. On paper it looks fantastic. Maybe my typing has improved to the point where I don’t h33e 86.

Oh, and they place click advertisements on this page–just like Google does. Don’t begrudge them, this is how they monetize their efforts. One side effect worth knowing about: to show that page at all, OpenDNS has to answer a lookup for a non-existent name with the address of the suggestion page rather than the normal “no such domain” error. Web browsers are fine with that, but anything that relies on a bad name failing outright (a mail server checking a sender’s domain, a script probing whether a host exists) will see a “successful” answer instead. The typo correction can be switched off in the dashboard settings if that bites you.

Dynamic IP Addresses

Whether they know it or not, most people with cable or DSL Internet use Dynamic Host Configuration Protocol (DHCP) to get out to the web. Essentially, the provider (your cable company) has a server that assigns an IP address to your computer or firewall when it first attaches to the service. This IP address may stay the same for days, weeks, even months–but sooner or later it will change. You’ll shut down your machine at the same time that some other subscriber starts theirs and they take the address you have been using until recently.

No big deal. You are simply assigned a different address and life goes on. Nobody even notices or pays attention–I know that I certainly couldn’t care less at my house.

The problem is that your public IP address is the only way OpenDNS knows that you are in fact you: the resolver sees nothing but the source address of the lookups arriving at it. So, if you get a different address, the anti-phishing will still work and the typo recommendations will still work, since those are on for everybody, but all of your other settings won’t be applied. Settings like the adult site filtering and your white and black lists.

Just so you know, the person that gets your “old” IP address isn’t affected, unless they are using OpenDNS too…in which case why aren’t they updating their own IP address!?!?!

So, how do we get around this? We have to somehow tell OpenDNS when you get a new address. And to do this, they’ve thoughtfully provided another FREE (again, as in pizza) service called DNS-O-Matic. (Cute, huh?)

First thing to do is add a dynamic network to OpenDNS.

[Screenshot: OpenDNS dynamic IP network setting]

Do this by clicking the obvious link on the page’s left-hand menu and apply. That lets OpenDNS know you want to do the dynamic thing. Now you need something to actually DO it.

Like DNS-O-Matic.

Here’s where my own configuration gets a bit complex. If I were just a PC attached to broadband, I would just use one of the software clients, such as DynDNS Updater to do the heavy lifting. I wouldn’t necessarily need DynDNS.org as a service, but would be using their client. OpenDNS has a config example for doing this here.

My problem is that I operate behind an Endian Community firewall. I use the built-in Endian client to update my DynDNS.org host name so my VPN connection to my home works. It’s great, my Endian firewall automatically updates things and I don’t have to edit my VPN configuration, just point it at firewallname.dhs.org to connect. It looks like this:

[Screenshot: Endian firewall dynamic DNS configuration]

Uh, BTW, my firewall isn’t named “firewallname”, just in case you were wondering…although that might be kinda funny. 🙂

So I end up with a bit of a kludge. I have to update DynDNS in two ways, via the firewall and also with a software client on one of my computers. The software also updates OpenDNS.

I guess it works…but it’s a bit silly.

Before I found this page, I sent an email to OpenDNS asking for FQDN support in either OpenDNS or DNS-O-Matic. It is apparently out of the question. OK, so at least provide the hostname support on DNS-O-Matic. That way it can look up against DynDNS and I don’t have to run client software. I also sent an email to the Endian people…maybe it can make it into a future release.

I am currently using DNS-O-Matic Updater from Marc Hörsken. It’s simple and easy to use. Once it is installed and running, you can right-click on it in the system tray and choose “Automatic Startup” so it will start after each reboot. Vista hates this.

[Screenshot: DNS-O-Matic Updater]

BUT, what I will probably end up doing is an update script on my Endian firewall as a cron job. I hate that something this simple requires advanced Linux knowledge. This should be easier.
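As an added example (not from the post, and not Endian’s or OpenDNS’s own code), here is the sort of cron-driven updater that paragraph is asking for, in Python so it runs on a Linux firewall with no extra packages. It speaks the DynDNS-style update protocol that DNS-O-Matic accepts: it fetches the current public address, compares it with the last one it successfully registered, and only then sends a single HTTP Basic-authenticated update with hostname=all.dnsomatic.com so DNS-O-Matic forwards the change to OpenDNS (and DynDNS.org) for you. The two URLs, the credentials file path and the state file path are assumptions to check against the current DNS-O-Matic documentation and adjust for your box; the ScriptedFetch class lets you dry-run the logic offline.

```python
import base64
import re
import urllib.request
from pathlib import Path

# Assumed endpoints (not taken from the article): DNS-O-Matic documents a
# DynDNS-style update URL and a plain-text "what is my IP" page. Check both
# against the current DNS-O-Matic docs before relying on this script.
IP_CHECK_URL = "http://myip.dnsomatic.com/"
UPDATE_URL = "https://updates.dnsomatic.com/nic/update"
# The protocol requires a User-Agent naming the client and a contact (placeholder here).
USER_AGENT = "example-firewall-updater/1.0 admin@example.invalid"
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# DynDNS update-protocol result codes: some mean "stop until fixed", some "retry later".
FATAL = {
    "badauth": "wrong username or password",
    "notfqdn": "hostname is not fully qualified",
    "nohost": "hostname is not configured on this account",
    "badagent": "User-Agent rejected",
    "abuse": "account blocked for too many updates; fix the schedule first",
}
TRANSIENT = {"dnserr": "server-side DNS error", "911": "service outage"}

def valid_ipv4(text):
    """Refuse to register an error page or HTML snippet as our address."""
    return bool(IPV4_RE.match(text)) and all(int(p) <= 255 for p in text.split("."))

def should_update(current_ip, cached_ip):
    """Push only on a real change: repeated no-op updates get clients flagged as abuse."""
    return valid_ipv4(current_ip) and current_ip != cached_ip

def build_update_request(username, password, ip, hostname="all.dnsomatic.com"):
    """hostname=all.dnsomatic.com fans the update out to every service on the
    account (OpenDNS and DynDNS.org alike); HTTP Basic auth carries the login."""
    url = (f"{UPDATE_URL}?hostname={hostname}&myip={ip}"
           "&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return url, {"Authorization": f"Basic {token}", "User-Agent": USER_AGENT}

def parse_update_response(body):
    """Return (ok, retry_later, message) for one reply such as 'good 203.0.113.7'."""
    words = body.strip().split()
    code = words[0] if words else ""
    if code in ("good", "nochg"):
        return True, False, body.strip()
    if code in FATAL:
        return False, False, f"{code}: {FATAL[code]}"
    if code in TRANSIENT:
        return False, True, f"{code}: {TRANSIENT[code]}; retry later"
    return False, True, f"unexpected reply {body.strip()!r}; retry later"

def http_get(url, headers=None):
    req = urllib.request.Request(url, headers=headers or {"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

class ScriptedFetch:
    """Stand-in for http_get so the whole flow can be dry-run offline."""
    def __init__(self, ip_reply, update_reply):
        self.ip_reply, self.update_reply, self.calls = ip_reply, update_reply, []
    def __call__(self, url, headers=None):
        self.calls.append(url)
        return self.ip_reply if url == IP_CHECK_URL else self.update_reply

def run_once(username, password, cached_ip, fetch=http_get):
    """One cron tick. Returns (ok, ip_to_remember, message); the caller persists
    ip_to_remember, which only moves once DNS-O-Matic has confirmed the update."""
    current = fetch(IP_CHECK_URL).strip()
    if not valid_ipv4(current):
        return False, cached_ip, f"IP check returned something odd: {current[:40]!r}"
    if not should_update(current, cached_ip):
        return True, cached_ip, f"address unchanged ({current})"
    url, headers = build_update_request(username, password, current)
    ok, _, message = parse_update_response(fetch(url, headers))
    return ok, (current if ok else cached_ip), message

if __name__ == "__main__":
    import sys
    # Credentials live in a root-only (chmod 600) file as "username:password",
    # never on the command line where `ps` would show them. Paths are placeholders.
    user, pw = Path("/root/.dnsomatic-credentials").read_text().strip().split(":", 1)
    last = Path("/var/lib/dnsomatic-last-ip")
    cached = last.read_text().strip() if last.exists() else None
    ok, remember, msg = run_once(user, pw, cached)
    if remember:
        last.write_text(remember + "\n")
    print(msg)
    sys.exit(0 if ok else 1)
```

Run it from root’s crontab every 15 minutes or so, something like “*/15 * * * * /usr/bin/python3 /root/dnsomatic-update.py”, with the credentials file set to mode 600. The state file and the update-only-on-change rule are there because of the “abuse” result code: DynDNS-style services lock accounts that keep sending the same address, so a naive script that updates on every tick eventually locks you out of the very service that was supposed to keep your filtering working.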

Oh, well. All-in-all, I am very happy with the results. It might sound more complex than it really is–you can expect to spend 15 to 30 minutes setting it up. Maybe less. Most of my friends and associates have now heard about OpenDNS from me. Honestly, just for the phishing protection alone, it is well worth availing oneself of. Highly recommended.

See you, Space Cowboy.