That Whole DNS “thing”
You’ve probably been inundated with news about Dan Kaminsky’s DNS cache exploit, potentially one of the biggest Internet-wide vulnerabilities ever announced. Unpatched DNS servers can be easily tricked into leading users to bogus Web sites, and literally, without patching the DNS servers (and sometimes the clients) there is little the average end-user can do. Although many Internet security experts believe this flaw is critical but way overhyped, there is a likely chance that the crimeware industry will be working overtime to utilize this exploit.
That’s from “DNS bug reveals the Internet’s soft, chewy center” by Roger A. Grimes. I’m not always a big fan of InfoWorld stuff, but I do like some of their bloggers. If you’re looking for the “Cliff’s Notes” version of what’s going on and why “DNS” is in the title of so many articles recently, then this article is a good place to start.
All this excitement happens to mesh with an issue that I’ve been wrestling with for work: find an easy way to filter the sites that my folks are visiting. We’re having some bandwidth challenges due to all the streaming audio and video, and a few folks have (apparently) been dabbling with torrents over the Wi-Fi segment. I don’t monitor that segment — it is separate from the corporate LAN — but it uses the same data lines as everything else.
My solution for both issues is currently OpenDNS. I first looked at this exactly two years ago. I recall liking them at the time but at some point I stopped using the service. No clue why, but I’m liking them again.
As far as the vulnerabilities go, they claim not to be vulnerable. Kaminsky and the testing app at his site seem to agree. Curious about your DNS provider? Try that DNS Checker app at Kaminsky’s site.
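As an added example (not code from the original post or from OpenDNS), here is the idea behind Kaminsky’s checker applied offline: the authoritative side records the source port and transaction ID of each query the resolver sends it, and a resolver that reuses one port or counts upward is the unpatched pattern. The observation samples are constructed, not real captures.

```python
"""Heuristic check for DNS resolver source-port / transaction-ID randomisation.

Input is a list of (source_port, transaction_id) pairs as an authoritative
server would see them for repeated queries from one resolver (e.g. exported
from a packet capture of the resolver's outbound traffic).
"""


def assess_randomisation(observations, min_samples=5):
    """Return {'verdict': ..., 'reasons': [...], 'port_range': int}.

    verdict is 'vulnerable' for a fixed or strictly sequential source port
    or heavily repeated transaction IDs, 'poor' when ports vary only within
    a narrow window, 'ok' otherwise, 'insufficient' below min_samples.
    """
    if len(observations) < min_samples:
        return {"verdict": "insufficient", "reasons": [], "port_range": 0}
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    reasons = []
    port_range = max(ports) - min(ports)
    step = {b - a for a, b in zip(ports, ports[1:])}  # deltas between queries
    if len(set(ports)) == 1:
        reasons.append("single fixed source port")
    elif step in ({1}, {-1}):
        reasons.append("strictly sequential source ports")
    elif port_range < 1024:
        reasons.append("source ports confined to a narrow range")
    if len(set(txids)) < len(txids) // 2:
        reasons.append("transaction IDs repeat frequently")
    if any(r.startswith(("single", "strictly", "transaction")) for r in reasons):
        verdict = "vulnerable"
    elif reasons:
        verdict = "poor"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": reasons, "port_range": port_range}


# Constructed samples: a patched-looking resolver, a fixed-port one, a counting one.
SAMPLE_OK = [(34512, 0x1A2B), (60231, 0x9F01), (2077, 0x44C3), (51900, 0x0B7E), (18833, 0xE110)]
SAMPLE_FIXED = [(53, 0x0001), (53, 0x0002), (53, 0x0003), (53, 0x0004), (53, 0x0005)]
SAMPLE_SEQ = [(1025, 0x7A10), (1026, 0x3C8D), (1027, 0xD1E4), (1028, 0x0F62), (1029, 0x99AB)]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("fixed", SAMPLE_FIXED), ("seq", SAMPLE_SEQ)):
        print(name, assess_randomisation(sample))
```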
The amount of flexibility and reporting is great and I’m really digging the Content Filtering options. Here’s the initial display:

If one of those options isn’t quite what you’re after, just click the “Customize” link under one that is close and tweak to your heart’s content:

Oh wait, you still have some exceptions? Need it even finer-grained? No problem. You can do it at the individual domain level.

Each domain you specify can be set to “Always block” or “Always allow”, and it seems to work just fine for my needs.
I have slightly different settings on the Wi-Fi segment vs. the corporate LAN segment and, after just a week of usage, have been very pleased with how easy this was to integrate and how well it has been working.
There were Dashboard changes this week as well and I like ‘em. The reporting options are summarized well and it is very simple to drill down into any of the summaries to get more info.
While I sure can’t recall why (or when) I stopped using OpenDNS at home, I am happy with how it is working out at the office. I’ll be switching back from home as well just to get some of the filtering and reporting options.
If nothing else, the phishing attack filtering and typo fixing alone are worth giving it a look (imho).