Comments on: OpenDNS provides added safety for free

You can be a bit safer on the Internet using OpenDNS rather than the DNS servers from your ISP.

[A_N_Onymous]

You're free to use OpenDNS. I prefer to use a DNS provider who doesn't log my DNS queries, building up a database of where I've surfed. See the following portion of "Security Now! Transcript of Episode #121" at http://www.grc.com/sn/SN-121.htm (search for OpenDNS in the page to find the start).

========================================================================

Steve: Well, another example of a concern that people may not be aware of is, for example, there is a third-party DNS facility. We've talked about OpenDNS...

Leo: I use it, yeah.

Steve: ...a couple times. Unfortunately, their privacy statement has raised concerns among people. Basically they're saying, if anyone asks us to let people know who's performed what lookups, we're going to provide that information.

Leo: Anyone, or any government agency?

Steve: Oh, I'm sure government agency. You know, someone gives them reason to compel them to turn over their logs, they'll do that. Well...

Leo: I'm sure your Internet service provide would do exactly the same thing.

Steve: Right, although our ISP would have to be filtering and explicitly logging our DNS lookups in order to do that. OpenDNS is saying, yes, we're keeping logs. And we're making them available if we need to. So again it's - by aiming your PCs at a single DNS service, you're essentially telling them, based on your IP - and there is no cookie transaction, thank goodness, in DNS. So it is purely IP based; although, again, by subpoenaing records from your ISP, all the IPs you've had and when you've had them can be known. So again, it would be possible for a government entity to determine all of the websites that you have, you or your computer, has gone to during the window through which these logs are valid.

[mhinnewyork]

OpenDNS Privacy Policy

Here is their Privacy Policy. It was revised in July 2007, so I'm not sure if Steve Gibson's comments were based on the policy before or after revision.
http://www.opendns.com/privacy/

To compare apples to apples, you would need to see the privacy policy for your ISP. If anyone has relevant links, please post them here. This is not something I am very familiar with, but some ISPs have turned over much material to the government.

Michael Horowitz

[ruminator]

In a defensive computing blog, what does it matter in this instance to compare apples with apples or privacy policies with privacy policies? It seems you're suggesting that because some ISPs turn over more than OpenDNS would, then it's OK to use OpenDNS? IMHO, whether what Mr Roberts says below is accurate or not, I simply would do without using any such service if the industry as a whole plays fast and loose with our private information. And in any event, as you humbly noted, this whole process is beyond trivial -- it's going to a whole of trouble to avoid one mess and to give up more privacy. Thanks but no thanks on this one!

[pencoyd]

Steve Gibson's look was long before we revised our privacy policy. We weren't doing anything to be concerned about, so we spelled out more details for the interested in our July 2007 update.

Read the privacy policy, as Michael linked. For a brief look at the changes, review: http://blog.opendns.com/2007/07/23/privacy-policy-update/

A few notes:
1. For queries outside of accounts, OpenDNS removes the IP address from the logs after 2 business days, so it's not even available.

2. For queries inside accounts, it's up to the account holder. OpenDNS isn't logging info by default for accounts, but most people turn ON the logging to get the network statistics described here: http://www.opendns.com/features/statistics/

3. Have you looked at your ISP's privacy policy??? AT&T, for instance, says that they own your data.

We understand privacy, and we've put the control in your hands.

John Roberts
OpenDNS

[thedreaming]

Lately my isp's dns servers seem to shutdown or become nonresponsive after 5pm, so to combat this I changed the dns settings in my dsl modem to opendns and i never have a problem with my internet again.

Does it bother me that they are logging every place I go. It does, but I'm not doing anything illegal online so I have nothig to hide.

They are also providing the service for free, so they must be collecting the data and selling it. They gotta make money somehow.

[ruminator]

Data gathering has nothing to do with illegalities or something to hide. When one entity collects what seems to be an innocuous set of information from you, and another entity collects another set of data, and so and so on...what you have after a while is an amazingly complete picture of you ... perhaps as a consumer, as a political person, as a whatever... the only saving grace at this point is that most entities promise not to collaborate and put together the information and form what could be a rather revealing composite.

However, this may not even depend on the good intentions of the information gathering entities. They be hacked or just careless or compelled by law to turn over information. When it is put all together (by hackers or legal authorities) you may not be as cavalier as you are now about releasing private data. It is more than disappointing that this defensive blog instead of warning about the dangers of free services (which as you rightly note have to make their money by data collection) worships freebies and ignores security.

[msanto]

I tried this once ... and then I lost access to my network printers on my home network. A little searching and I found this was "relatively common." It was quite some time ago, though. If this was no longer an issue I might go back.

[mikebegert]

Try changing the settings on your router if you have one, instead of your computers.

[LibertyUnites]

I have a question about privacy and DNS. Could you avoid any potential logs of your web activity by simply learning the actual IP address of your favorite sites and thus avoid going through a DNS server? Or do .com's and IP address requests go through DNS servers irregardless?