[SATLUG] OpenDNS...

Brad Knowles brad at shub-internet.org
Thu Jun 5 18:16:54 CDT 2008


Folks,

While the rest of this discussion seems to have diverged somewhat, I wanted 
to get back to the original topic.


IMO, OpenDNS is dangerous.  Any Caching Open Recursive Nameserver (CORN) is 
dangerous, and not just for the reasons laid out at 
<http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-05.txt>.

CORNs are also dangerous because the party who controls your selected 
caching nameserver can choose to go do the VeriSign SiteFinder thing, just 
like TWC is now doing, and then you're screwed.

CORNs are also dangerous because there are a number of vulnerabilities in 
most nameservers, and CORNs frequently allow attackers to easily insert 
whatever data they want into your nameserver, and your nameserver will 
actually believe that it's real -- like re-directing your web traffic over 
to a machine that the Russian Business League operates, so that they can 
capture all your traffic to BankOfAmerica.com.

This is called "Spear Phishing", and it is amazingly successful.  The bigger 
the community of users potentially affected, the more attractive the target.


There are other security vulnerabilities, but this should be enough.

You need to run your own caching recursive nameserver, and make sure it's 
secure against external parties being able to use it.  They may still try to 
attack it, and their attacks may or may not be successful, but at least 
you've got more control over your own fate and you can help ensure that your 
systems are as secure as they can reasonably be.

-- 
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>


More information about the SATLUG mailing list