[SATLUG] OpenDNS...

Don Crowder donguitar at gmail.com
Fri Jun 6 01:35:11 CDT 2008


Brad Knowles wrote:
> Folks,
> 
> While the rest of this discussion seems to have diverged somewhat, I 
> wanted to get back to the original topic.
> 
> 
> IMO, OpenDNS is dangerous.  Any Caching Open Recursive Nameserver (CORN) 
> is dangerous, and not just for the reasons laid out at 
> <http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-05.txt>. 
> 
> 
> CORNs are also dangerous because the party who controls your selected 
> caching nameserver can choose to go do the VeriSign SiteFinder thing, 
> just like TWC is now doing, and then you're screwed.
> 
> CORNs are also dangerous because there are a number of vulnerabilities 
> in most nameservers, and CORNs frequently allow attackers to easily 
> insert whatever data they want into your nameserver, and your nameserver 
> will actually believe that it's real -- like re-directing your web 
> traffic over to a machine that the Russian Business League operates, so 
> that they can capture all your traffic to BankOfAmerica.com.
> 
> This is called "Spear Phishing", and it is amazingly successful.  The 
> bigger the community of users potentially affected, the more attractive 
> the target.
> 
> 
> There are other security vulnerabilities, but this should be enough.
> 
> You need to run your own caching recursive nameserver, and make sure 
> it's secure against external parties being able to use it.  They may 
> still try to attack it, and their attacks may or may not be successful, 
> but at least you've got more control over your own fate and you can help 
> ensure that your systems are as secure as they can reasonably be.
> 

Brad, you've said this before but I haven't enough technical acumen to 
follow your argument.

I submit that Verizon is trying to feed me sponsored links on URL errors 
but, as annoying as it is, I don't have to click on any of them.  I can 
(and do) merely hit my back button and try again.  Am I correct in 
assuming that you feel this minor annoyance is preferable to trusting 
OpenDNS?
Thanks,
-- 
Don Crowder
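Brad's advice to run your own caching resolver and keep outsiders from using it comes down to a few lines of resolver configuration. The fragments below are an added example, not configuration from anyone in this thread; they assume BIND 9 (9.4 or later for allow-query-cache, 9.7 or later for dnssec-validation auto) and use 192.0.2.0/24 and 192.0.2.1 as placeholders for the site's own LAN and the resolver's own address.

```conf
// Added example: two alternative BIND 9 named.conf fragments (use one, not both).
// Placeholder addresses: 192.0.2.0/24 is the site's LAN, 192.0.2.1 is the resolver.

// Weak: a Caching Open Recursive Nameserver. Any host on the Internet can make
// this server recurse on its behalf, read its cache, and try to poison it.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// Hardened: recursion and cache reads only for the site's own hosts.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
};

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.0.2.1; };   // bind only to the resolver's own addresses (assumed)
    recursion yes;
    allow-query { trusted; };              // answer queries only from our own clients
    allow-recursion { trusted; };          // perform recursion only for our own clients
    allow-query-cache { trusted; };        // never hand cached answers to outsiders
    dnssec-validation auto;                // reject forged answers for signed zones
};
```

After reloading, a query sent from an address outside the "trusted" ACL should be refused (status REFUSED in dig output) while hosts on the LAN still resolve normally.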
