brad at shub-internet.org
Thu Jun 5 18:16:54 CDT 2008
While the rest of this discussion seems to have diverged somewhat, I wanted
to get back to the original topic.

IMO, OpenDNS is dangerous. Any Caching Open Recursive Nameserver (CORN) is
dangerous, and not just for the reasons laid out at

CORNs are also dangerous because the party who controls your selected
caching nameserver can choose to go do the VeriSign SiteFinder thing, just
like TWC is now doing, and then you're screwed.

CORNs are also dangerous because there are a number of vulnerabilities in
most nameservers, and CORNs frequently allow attackers to easily insert
whatever data they want into your nameserver, and your nameserver will
actually believe that it's real -- like re-directing your web traffic over
to a machine that the Russian Business League operates, so that they can
capture all your traffic to BankOfAmerica.com.

This is called "Spear Phishing", and it is amazingly successful. The bigger
the community of users potentially affected, the more attractive the target.

There are other security vulnerabilities, but this should be enough.

You need to run your own caching recursive nameserver, and make sure it's
secure against external parties being able to use it. They may still try to
attack it, and their attacks may or may not be successful, but at least
you've got more control over your own fate and you can help ensure that your
systems are as secure as they can reasonably be.
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
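The post's closing advice is to run your own caching recursive resolver and make sure outsiders cannot use it. The check an operator wants after locking that down (for example with BIND's `allow-recursion` limited to local networks) is: from an address that should not be served, does the resolver still recurse? The following is an added example, not code from the original post or from any resolver project; it builds a minimal RFC 1035 query with the RD bit set, parses the reply header, and reports whether the resolver answered with RA set (open to that client), returned REFUSED (the intended outcome for an outside client), or answered without recursion. The resolver address `192.0.2.53` is a placeholder from the documentation range, and the sample replies are constructed inline so the classification logic can be exercised offline; `probe()` is meant to be pointed only at resolvers you operate.

```python
import socket
import struct

# Placeholder only (TEST-NET-1, RFC 5737); replace with the resolver you operate.
RESOLVER = "192.0.2.53"
TXID = 0x1234

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000   # response
RD = 0x0100   # recursion desired (set by the client)
RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def build_query(qname: str, txid: int = TXID, recursion_desired: bool = True) -> bytes:
    """Build a minimal A/IN query in wire format, with RD set so a CORN would recurse for us."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(resp: bytes) -> dict:
    """Extract the header fields that matter for a recursion audit."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def classify(hdr: dict) -> str:
    """Interpret a reply from the resolver operator's point of view."""
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"          # outside client correctly denied recursion
    if hdr["ra"] and hdr["ancount"] > 0:
        return "open-recursive"   # resolver recursed for this client: it is a CORN from here
    if not hdr["ra"]:
        return "no-recursion"     # answered from authoritative data/cache only, RA clear
    return "other"


def probe(resolver: str = RESOLVER, qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send one UDP query and classify the reply; 'timeout' means dropped or filtered."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    hdr = parse_header(data)
    if hdr["id"] != TXID:
        return "id-mismatch"      # not our reply; never trust it
    return classify(hdr)


def make_response(flags: int, ancount: int, txid: int = TXID) -> bytes:
    """Constructed sample reply header, used to exercise the classifier offline."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


# Constructed sample replies (header only; the classifier needs nothing more)
SAMPLES = {
    "open": make_response(QR | RD | RA, 1),                  # flags 0x8180, one answer
    "refused": make_response(QR | RD | RCODE_REFUSED, 0),    # flags 0x8105
    "norec": make_response(QR | RD, 0),                      # flags 0x8100, RA clear
}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, "->", classify(parse_header(resp)))
    # Uncomment to audit a resolver you operate, from a client that should be denied:
    # print(probe(RESOLVER))
```

Run the probe from a host outside the networks the resolver is meant to serve; "refused" or "timeout" is what a properly restricted resolver should return, while "open-recursive" means the allow list has not taken effect and the server is still a CORN for the rest of the Internet. The same check can be made with `dig @<resolver> example.com` and inspecting the `ra` flag and status in the reply.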