December 15, 2007 8:54 PM PST

OpenDNS provides added safety for free

by Michael Horowitz

OpenDNS is a free online service that adds an extra layer of safety to your use of the Internet. Technically, the service is DNS resolution, which I'll explain below. Its main defensive computing advantage is protection from known bad Web sites, most importantly phishing sites. ID theft is, to me at least, the worst thing that can happen to a computer user, so any extra protection helps. You also get some flexibility in deciding which other types of Web sites should be restricted.

You don't have to register to use the service, and there is no software to download or install. All that's involved is a change to the networking configuration of either your computer or your router. This is a one-time change--OpenDNS requires no ongoing care and feeding. Should you ever want to stop using the service, simply reverse the configuration change. I've used it for quite a while and fail to see a downside.

What is DNS resolution?

This topic can be a bit technical, but some background is required to understand where OpenDNS fits and how it can provide the services it does. I'll be as brief as possible.

Every computer on the Internet is assigned a unique number. Americans can think of it as a Social Security number for their computer. When two computers talk to each other on the Internet, they address each other using this number, which we nerds call an IP address. You can see the IP address of the computer you're reading this blog posting on by visiting www.ipchicken.com, whatismyip.com, whatismyipaddress.com, www.myipaddress.com or other similar Web sites.

Technically, an IP address is a 32-bit binary number (a bit is a binary digit). For example, when going to www.cnet.com, under the covers your computer is talking to a CNET machine at this IP address: 11011000111011110111101000110011

For simplicity's sake, an IP address is written in decimal rather than binary. To keep it especially simple, the 32 bits are split into four clumps of eight bits each, each clump is converted to decimal, and the four decimal numbers are separated by periods. Thus, the standard way of writing the above IP address is 216.239.122.51 (without a period at the end).


As proof, enter this IP address in the address bar of your Web browser. You will end up at cnet.com.* (Addresses do change over time, so this particular one may not work forever.)

Just as people have both names and phone numbers, computers on the Internet have both names (www.cnet.com) and IP addresses (216.239.122.51). DNS resolution can be thought of as a telephone book. It is the process of converting the name of a computer to its IP address.

DNS (Domain Name System) is a huge distributed system that functions amazingly well, especially considering that the initial design predates the Internet as we now know it by many years.

When your computer goes to www.cnet.com (or any other Web site) it first obtains the IP address by making a translation request to a computer called a DNS server. The translation (technically DNS resolution) happens so quickly and transparently you are not aware of it.

DNS is a core service provided by every ISP; each one runs at least two computers called DNS servers. When you first connect to the Internet, you are assigned a pair of DNS servers (normally by the same DHCP server that hands out your IP address). Should one fail, your computer automatically tries the other. Windows Vista, XP and 2000 users can see this by entering the command "ipconfig /all" at a command prompt. Sample XP output from this command is shown below. This machine was already configured for OpenDNS, which is why the DNS servers listed are 208.67.222.222 and 208.67.220.220 rather than the ISP's.

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix .. : mydomain2
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Mobile...
Physical Address. . . . . . . . . : 10-12-24-D1-DE-C0
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.111.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220

Lease Obtained. . . . . . . . . . : Saturday, December 15, 2007 2PM
Lease Expires . . . . . . . . . . : Sunday, December 16, 2007 2AM

As the name implies, OpenDNS runs its own DNS servers. To use the service, you change the TCP/IP settings on your computer (or on your router, which then covers every computer behind it) to point at OpenDNS's servers instead of your ISP's. OpenDNS provides excellent instructions for doing this.
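To see at a glance which connections on a machine actually point at OpenDNS, here is an added example (my own code, not from OpenDNS or from the original post) that parses "ipconfig /all" output and reports every adapter whose DNS servers are not the OpenDNS pair. The sample output embedded in it is constructed for the example: a wired adapter that already uses OpenDNS and a Wi-Fi adapter that still uses the resolvers its DHCP server handed out (documentation-range addresses, not a real ISP's). The check_this_machine function runs the real command on a Windows box.

```python
import re
import subprocess

# Constructed "ipconfig /all" excerpt (not captured from a real machine): the
# wired adapter already points at OpenDNS, the Wi-Fi adapter still uses the
# resolvers its DHCP server handed out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : mydomain2
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.111.111
        Default Gateway . . . . . . . . . : 192.168.111.1
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            208.67.220.220

Ethernet adapter Wireless Network Connection:
        Connection-specific DNS Suffix  . : example.net
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.5
        Default Gateway . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
"""

OPENDNS = {"208.67.222.222", "208.67.220.220"}   # the two servers shown in the post

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")    # adapter headers start in column 0
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_dns_servers(ipconfig_text):
    """Map each adapter name to the list of DNS servers ipconfig shows for it.

    Only the first server sits on the labelled 'DNS Servers' line; the rest
    follow on unlabelled continuation lines, so keep collecting until the next
    labelled (colon-bearing) or blank line. IPv4 only, matching XP-era output."""
    adapters, current, collecting = {}, None, False
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current, collecting = header.group(1), False
            adapters[current] = []
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            collecting = True
        elif not stripped or ":" in stripped:
            collecting = False
        if collecting:
            adapters[current].extend(IPV4_RE.findall(stripped))
    return adapters


def adapters_not_using(adapters, expected=OPENDNS):
    """Names of adapters whose resolver set is not exactly `expected`.

    An adapter with no servers listed is reported too: when that connection
    is active it will use whatever DHCP gives it, not OpenDNS."""
    return sorted(name for name, servers in adapters.items()
                  if set(servers) != set(expected))


def check_this_machine():
    """Run ipconfig /all on the local Windows box and report the stragglers."""
    output = subprocess.run(["ipconfig", "/all"], capture_output=True,
                            text=True, check=True).stdout
    return adapters_not_using(parse_dns_servers(output))


if __name__ == "__main__":
    print(adapters_not_using(parse_dns_servers(SAMPLE_IPCONFIG)))
```

Run against the sample, it names only the wireless adapter; run on a laptop with a dial-up or Wi-Fi connection you forgot to change, it names that one.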

Why OpenDNS?

Running DNS servers is not a trivial thing--there are many configuration options that need to be understood and correctly set up. In addition, speed and redundancy are critical issues. A cable TV company or a telephone company may not have the in-house expertise to do this well. OpenDNS is a specialist. Consider that the first reason to use them.

Hopefully, because they are specialists, their DNS servers will be more resistant to attack by the bad guys.

Nothing is worse than a compromised DNS server.

I don't say this lightly. If your computer is talking to a compromised DNS server, you can enter "www.citibank.com" (for example) into the address bar of your Web browser and not end up at Citibank's Web site, but instead be looking at a phony imitation. Nothing in the ordinary DNS protocol lets your computer verify that the answer is genuine; it trusts whatever the server it was told to use replies with. Kiss your identity goodbye.
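To make concrete what "talking to a DNS server" involves, and why a compromised one is so dangerous, here is an added example (my own code, not from the original post or from OpenDNS) that builds a DNS query in the standard wire format, parses the reply, and constructs two replies to the same www.citibank.com query: one from an honest resolver and one from a rogue one. The two addresses, 192.0.2.10 and 198.51.100.7, are from documentation ranges and are invented for the example, not Citibank's. What it shows is that both replies pass every check a normal client performs; the resolve function sends a real query over UDP if you want to try it against your own resolver.

```python
import socket
import struct


def build_query(name, txid=0x1234):
    """Build a DNS A-record query for `name` in RFC 1035 wire format."""
    # Flags 0x0100: standard query, recursion desired. One question, no RRs.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, ip, ttl=300):
    """Answer `query` with a single A record for `ip`.

    Used here to construct sample replies; it is exactly what a resolver,
    honest or compromised, sends back. Nothing ties the answer to the name's
    real owner."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = query[12:]
    rr = (b"\xc0\x0c"                              # NAME: pointer to the question name
          + struct.pack(">HHIH", 1, 1, ttl, 4)     # TYPE A, CLASS IN, TTL, RDLENGTH
          + bytes(int(o) for o in ip.split(".")))
    return header + question + rr


def read_name(msg, offset, max_jumps=8):
    """Decode a possibly compressed name; return (name, offset after it).

    The jump limit guards against a crafted packet whose pointers loop."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(msg):
    """Return (question name, [IPv4 addresses in the answer section])."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    qname, offset = read_name(msg, 12)
    offset += 4                                   # skip QTYPE, QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return qname, ips


def response_matches(query, response):
    """The only checks a stub resolver performs: same transaction ID and the
    same question section. Passing them proves nothing about the answer."""
    return response[:2] == query[:2] and response[12:len(query)] == query[12:]


def resolve(name, server, port=53, timeout=3.0):
    """Send the query to `server` over UDP and parse the reply (needs a network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        reply, _ = sock.recvfrom(512)
    if not response_matches(query, reply):
        raise ValueError("reply does not match query")
    return parse_a_records(reply)


# Constructed exchange: one query, answered by an honest resolver and by a
# compromised one. Both addresses are documentation ranges, not Citibank's.
QUERY = build_query("www.citibank.com")
HONEST_REPLY = build_response(QUERY, "192.0.2.10")
ROGUE_REPLY = build_response(QUERY, "198.51.100.7")

if __name__ == "__main__":
    for label, reply in (("honest", HONEST_REPLY), ("rogue", ROGUE_REPLY)):
        print(label, response_matches(QUERY, reply), parse_a_records(reply))
```

The browser then connects to whichever address came back. Which server answers is decided entirely by the DNS server setting covered earlier, which is why that one setting matters so much.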

In addition to infrastructure, OpenDNS adds intelligence to the translation process that was not part of the original design of the DNS system. That intelligence, such as preventing you from accessing known bad Web sites, is the big selling point (if a free service can have a selling point). Next time, I'll go into more detail on the various types of protection offered by OpenDNS.

Let me end by pointing out that OpenDNS protection applies to your whole Internet connection, not just your browser. Any program that accesses computers by name will be protected, whether it be a Web browser, e-mail program, instant-messaging program, FTP client or whatever. I mention this for a couple of reasons.

First, malicious e-mail messages sometimes include links based on an IP address (e.g., http://1.2.3.4) rather than the name of the computer. Since referencing a computer by its IP address skips DNS entirely, OpenDNS never sees the request and cannot block it. You always have to be on the lookout for links of this form, as they are bound to be bad news.
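The 32-bit number behind an address can be written in more spellings than dotted decimal, and browsers accept several of them in a URL. This added example (my own code, not from the original post) converts the binary address given earlier to dotted decimal and recognizes IP-address links written as 216.239.122.51, 3639573043, 0xD8EF7A33 or 0330.0357.0172.063, which all name the same CNET machine; a scanner that only looks for http://1.2.3.4-style links misses the other three. This goes beyond the post, which mentions only the dotted form.

```python
import struct
from urllib.parse import urlparse


def binary_to_dotted(bits):
    """Write a 32-digit binary IPv4 address in dotted-decimal notation."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def dotted_to_int(dotted):
    """The single 32-bit number behind a dotted-decimal address."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-decimal IPv4 address")
    return struct.unpack(">I", bytes(octets))[0]


def int_to_dotted(value):
    """Inverse of dotted_to_int."""
    return ".".join(str(b) for b in struct.pack(">I", value))


def _parse_part(part):
    """Decimal, 0x-prefixed hex or 0-prefixed octal, as browsers read URL hosts."""
    if part.lower().startswith("0x"):
        return int(part, 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def ip_literal_host(url):
    """Return the dotted-decimal address if the URL's host is an IPv4 literal
    in any of these spellings, else None:
        216.239.122.51   3639573043   0xD8EF7A33   0330.0357.0172.063
    Two- and three-part shorthand (e.g. 216.239.31283) is deliberately not
    handled here; a hostname such as www.cnet.com yields None."""
    host = urlparse(url).hostname
    if not host:
        return None
    try:
        nums = [_parse_part(p) for p in host.split(".")]
    except ValueError:
        return None
    if len(nums) == 4 and all(0 <= n <= 255 for n in nums):
        return ".".join(str(n) for n in nums)
    if len(nums) == 1 and 0 <= nums[0] <= 0xFFFFFFFF:
        return int_to_dotted(nums[0])
    return None


if __name__ == "__main__":
    print(binary_to_dotted("11011000111011110111101000110011"))
    for link in ("http://1.2.3.4", "http://3639573043/login",
                 "http://0xD8EF7A33/login", "http://0330.0357.0172.063/",
                 "http://www.cnet.com/"):
        print(link, "->", ip_literal_host(link))
```

Whatever spelling is used, the request goes straight to the address with no name lookup, so none of these links is ever seen by OpenDNS.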

Also, if you have multiple ways of connecting to the Internet on your computer, then you'll have to make the TCP/IP configuration change for each connection. For example, laptop users interested in OpenDNS should change the wired Ethernet, dial-up modem, and wireless Wi-Fi connections. The same heads-up applies to anyone using one of the wireless data services from a cell phone company.

To be continued...


Update. December 17, 2007: According to this article in the New York Times, OpenDNS was started with "... a $2 million investment from Halsey M. Minor, the former chief executive at CNET.com." I was not aware of this when writing this posting.



*It's actually more complicated than this. For example, multiple Web sites can share a single IP address, one computer can have multiple IP addresses and, in a LAN environment where multiple computers share a single high-speed Internet connection, only the router has an IP address on the Internet. The other computers have IP addresses, but these are IP addresses that have been set aside for internal use only, they are never used on the Internet.


Originally posted at Defensive Computing
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET.
Comments (9)
by A_N_Onymous December 16, 2007 7:27 AM PST
You're free to use OpenDNS. I prefer to use a DNS provider who doesn't log my DNS queries, building up a database of where I've surfed. See the following portion of "Security Now! Transcript of Episode #121" at http://www.grc.com/sn/SN-121.htm (search for OpenDNS in the page to find the start).

========================================================================

Steve: Well, another example of a concern that people may not be aware of is, for example, there is a third-party DNS facility. We've talked about OpenDNS...

Leo: I use it, yeah.

Steve: ...a couple times. Unfortunately, their privacy statement has raised concerns among people. Basically they're saying, if anyone asks us to let people know who's performed what lookups, we're going to provide that information.

Leo: Anyone, or any government agency?

Steve: Oh, I'm sure government agency. You know, someone gives them reason to compel them to turn over their logs, they'll do that. Well...

Leo: I'm sure your Internet service provider would do exactly the same thing.

Steve: Right, although our ISP would have to be filtering and explicitly logging our DNS lookups in order to do that. OpenDNS is saying, yes, we're keeping logs. And we're making them available if we need to. So again it's - by aiming your PCs at a single DNS service, you're essentially telling them, based on your IP - and there is no cookie transaction, thank goodness, in DNS. So it is purely IP based; although, again, by subpoenaing records from your ISP, all the IPs you've had and when you've had them can be known. So again, it would be possible for a government entity to determine all of the websites that you have, you or your computer, has gone to during the window through which these logs are valid.
by mhinnewyork December 16, 2007 9:55 AM PST
OpenDNS Privacy Policy

Here is their Privacy Policy. It was revised in July 2007, so I'm not sure if Steve Gibson's comments were based on the policy before or after revision.
http://www.opendns.com/privacy/

To compare apples to apples, you would need to see the privacy policy for your ISP. If anyone has relevant links, please post them here. This is not something I am very familiar with, but some ISPs have turned over much material to the government.

Michael Horowitz
by ruminator December 16, 2007 4:06 PM PST
In a defensive computing blog, what does it matter in this instance to compare apples with apples or privacy policies with privacy policies? It seems you're suggesting that because some ISPs turn over more than OpenDNS would, then it's OK to use OpenDNS? IMHO, whether what Mr Roberts says below is accurate or not, I simply would do without using any such service if the industry as a whole plays fast and loose with our private information. And in any event, as you humbly noted, this whole process is beyond trivial -- it's going to a whole lot of trouble to avoid one mess and to give up more privacy. Thanks but no thanks on this one!
by pencoyd December 16, 2007 3:15 PM PST
Steve Gibson's look was long before we revised our privacy policy. We weren't doing anything to be concerned about, so we spelled out more details for the interested in our July 2007 update.

Read the privacy policy, as Michael linked. For a brief look at the changes, review: http://blog.opendns.com/2007/07/23/privacy-policy-update/

A few notes:
1. For queries outside of accounts, OpenDNS removes the IP address from the logs after 2 business days, so it's not even available.

2. For queries inside accounts, it's up to the account holder. OpenDNS isn't logging info by default for accounts, but most people turn ON the logging to get the network statistics described here: http://www.opendns.com/features/statistics/

3. Have you looked at your ISP's privacy policy??? AT&T, for instance, says that they own your data.

We understand privacy, and we've put the control in your hands.

John Roberts
OpenDNS
by thedreaming December 17, 2007 12:35 PM PST
Lately my ISP's DNS servers seem to shut down or become nonresponsive after 5pm, so to combat this I changed the DNS settings in my DSL modem to OpenDNS and I never have a problem with my Internet again.

Does it bother me that they are logging every place I go? It does, but I'm not doing anything illegal online so I have nothing to hide.

They are also providing the service for free, so they must be collecting the data and selling it. They gotta make money somehow.
by ruminator December 17, 2007 8:58 PM PST
Data gathering has nothing to do with illegalities or something to hide. When one entity collects what seems to be an innocuous set of information from you, and another entity collects another set of data, and so and so on...what you have after a while is an amazingly complete picture of you ... perhaps as a consumer, as a political person, as a whatever... the only saving grace at this point is that most entities promise not to collaborate and put together the information and form what could be a rather revealing composite.

However, this may not even depend on the good intentions of the information gathering entities. They may be hacked or just careless or compelled by law to turn over information. When it is put all together (by hackers or legal authorities) you may not be as cavalier as you are now about releasing private data. It is more than disappointing that this defensive blog, instead of warning about the dangers of free services (which as you rightly note have to make their money by data collection), worships freebies and ignores security.
by msanto December 17, 2007 2:48 PM PST
I tried this once ... and then I lost access to my network printers on my home network. A little searching and I found this was "relatively common." It was quite some time ago, though. If this was no longer an issue I might go back.
by mikebegert July 27, 2008 8:45 PM PDT
Try changing the settings on your router if you have one, instead of your computers.
by LibertyUnites March 8, 2008 8:36 PM PST
I have a question about privacy and DNS. Could you avoid any potential logs of your web activity by simply learning the actual IP address of your favorite sites and thus avoid going through a DNS server? Or do .com's and IP address requests go through DNS servers regardless?