Previously, I wrote about using a second router to provide additional protection to high-value computers--specifically, to protect computers used by adults from those used by children on a shared Local Area Network (LAN).
That article was mostly conceptual, this one covers the nitty-gritty technical details.
First, the good news. Adding a second router has no effect on the first router and no effect on the untrusted (kids) computers. Each is blissfully ignorant of the following changes.
In describing the steps, the existing/first router will be referred to as the kids router since the untrusted kids computers connect to it. The new, second router will be referred to as the adults router since its job is to protect the computers used by adults.
For the sake of simplicity, I'll start with wired Ethernet connections and assume, as is usually the case, that the kids router is handing out private IP addresses* in the range 192.168.1.x using DHCP. The steps below apply regardless of the operating system employed on any particular computer.
Here's what needs to be done:
- The high-value (adults) computers are unplugged from the kids router and plugged into the LAN ports of the adults router.
- The WAN port of the adults router is plugged into a LAN port on the kids router. WAN stands for Wide Area Network, and refers to the Internet. From the perspective of the adults router, the kids router is the Internet. On some routers, the Ethernet WAN port is a different color from the LAN ports, but not always.
- What the adults router thinks is its public IP address is really a private IP address (192.168.1.x) used by the kids router. This is configured in the adults router using the type of Internet connection option. The easiest thing is to set the adults router to DHCP or dynamic. It can, alternatively, be configured for a static IP address, but this requires a knowledge of the private IP address range used by the kids computers and router. Also, if the configuration of the kids router were ever to change in the future, the static IP address may no longer be valid and thus knock the adults computers offline.
- On the WAN/Internet side, the default gateway and the primary DNS server for the adults router is the kids router (probably 192.168.1.1). If you opted for dynamic in the prior step, this should happen automatically, after rebooting the adults router. If you opted for a static IP address, you'll have to set this manually.
- On the LAN side, the adults router can use DHCP to hand out IP addresses in any private address range other than that used by the kids router. For example, it could use 192.168.2.x or 192.168.8.x. To make things as obvious as possible, however, I suggest configuring the adults router to issue IP addresses in the 10.x.x.x range with the default subnet mask of 255.0.0.0. Along with this, set the LAN side IP address of the adults router to 10.0.0.1.
- Each adults computer needs to use an IP address in the 10.x.x.x range. Most likely the computer(s) will already be configured to get an IP address using DHCP, in which case nothing needs to be changed. If, however, one was using a static IP address, a new one probably needs to be assigned, one that is outside the DHCP range handed out by the adults router.
Once this is done, an adults computer, which used to have a TCP/IP default gateway of 192.168.1.1, will now have a default gateway of 10.0.0.1. Likewise, the DNS server and DHCP server for an adults computer will now also be 10.0.0.1.
Not to switch subjects, but elsewhere I've written that I'm a big fan of OpenDNS. Any computer can be manually set up for OpenDNS, but another approach is to configure the router to use the OpenDNS servers and the router will then pass along this setting to computers that connect to it with DHCP.
More about living with this setup, and about Wi-Fi, next time.
*For more on public vs. private IP address, see What does your IP address say about you?
See also How to check if a computer is using OpenDNS
See a summary of all my Defensive Computing postings.
In response to the recent DNS problems on the Internet I had earlier suggested changing some network configuration parameters to use the free OpenDNS service.
As I did this myself for a number of machines that I maintain, the question arose of verifying the change. That is, how can someone, particularly a non-technical computer user, ensure that their computer is configured to use OpenDNS?
This is, it turns out, remarkably easy.
Go to www.opendns.com. At the top of the home page, just under the tabs, there will be a message whose content depends on whether the computer is using OpenDNS or not.
If the computer is not using OpenDNS, the message reads: "Start using the world's largest and fastest-growing DNS service. Make your network safer, faster, smarter and more reliable. It's free." See a full size image.
If the computer is using OpenDNS, the message reads: "You're using OpenDNS. Thanks! You are now navigating the Internet safer, faster, smarter and more reliably than ever before." See a full size image.
Update: According to the company, this should work for all operating systems.
See a summary of all my Defensive Computing postings.
The discussion to date about the latest DNS problem has been from the point of view of an end user, someone browsing Web sites. But there is another aspect to the DNS problem, one that concerns owners of Web sites.
This is discussed in a report from the IANA (Internet Assigned Numbers Authority), called Frequently Asked Questions on Cache Poisoning and Cross Pollination. The topic is a bit nerdy, so I'll try to explain it simply.
Some DNS server computers talk to you and me, while others talk to their fellow DNS servers. The DNS servers run by your ISP or by OpenDNS answer queries from Internet users, converting the name of computers into their underlying IP address (for more, see "What you need to know about the latest DNS flaw"). These are called "resolving" or "recursive" DNS servers.
When a resolving/recursive DNS server doesn't know the IP address for a given domain, it asks other DNS servers for help. The ultimate authority for translating a particular domain name into an IP address lies with the "authoritative" DNS servers for that domain. If, for example, a Web site is hosted with a Web site hosting company, the hosting company is responsible for running the authoritative DNS servers for all the sites they host.
Web site owners need to be concerned because the current bug in DNS only applies to resolving/recursive DNS servers, not to authoritative DNS servers. This is good news, but only if the authoritative DNS server is only being used as an authoritative source. If it is also being used to do resolving, then it can be hacked (often referred to as "poisoning").
Poisoning the DNS servers run by Comcast, for example, would affect all Comcast users who haven't switched to OpenDNS. Poisoning the authoritative DNS server for a domain affects the entire world. The patches for the DNS bug make it harder, but not impossible to poison DNS servers.
Fortunately, IANA has a very simple test that reports whether the authoritative DNS servers for a particular domain are configured to only do authoritative work (a good thing) or whether they also do resolving work.
The test is available at recursive.iana.org (see above). It is fairly self-explanatory. In the results, "Not recursive" is a good thing. Click here for a full-size screenshot of the test results.
Anyone involved in creating a Web site should run this test.
Thanks to Larry Seltzer for mentioning this in his blog, finding this report on the IANA Web site is all but impossible.
See a summary of all my Defensive Computing postings.
The front page of the New York Times today had a story by John Markoff, With Security at Risk, a Push to Patch the Web, about the recent bug in DNS. Being a newspaper, the focus of the story was on news rather than practical advice. In contrast, this Defensive Computing blog focuses on practical advice.
For another introduction to the problem see What you need to know about the latest DNS flaw.
For an online test that tells you if your computer is vulnerable to the DNS flaw see The best test for vulnerability to the DNS flaw. The fact that there are online vulnerability tests wasn't even mentioned in the newspaper.
If your computer is vulnerable to the problem, see A cheatsheet for defending against the DNS flaw.
Markoff warned about the potential danger of the DNS flaw with:
"It could allow a criminal to redirect Web traffic secretly, so that a person typing a bank's actual Web address would be sent to an impostor site set up to steal the user's name and password. The user might have no clue about the misdirection... "
Firefox 3 users have a much better chance of being informed about misdirections as a result of the DNS flaw - if, they are willing to tweak the browser a bit.
In Firefox 3 gotcha: No more yellow address bars, I wrote about how to restore the yellow address bar to indicate a secure web page. This was a feature in Firefox 2 that got dropped in version 3.
If you prefer to think of green as good and yellow as a warning, then you can read Make Firefox 3 use green for secure web pages where I explain how to change the secure page color in the address bar from yellow to green.
Even further information about secure web pages is available with another Firefox 3 configuration change. See Firefox 3: Expand the Site Identification button on HTTPS pages to learn how to enable a feature that displays the secure website name in a blue button right next to the address bar.
The end results is an address bar that looks like the below for secure web pages. If this is how secure web pages display, it makes it much harder for the bad guys to fool you by mis-directing you to a scam copy of a website.
Below is the same web page displayed in Internet Explorer 7. Something such as the missing "S" in the protocol name, which flags a secure web page, can be easily missed.
Update July 31:The above screen shot from Internet Explorer 7 is from an instance with the phishing filter turned off. When this filter is turned on, IE7 works much like the tweaked copy of Firefox 3, that is, the address bar turns green and there is an extra button on the right with additional information about the secure page.
See a summary of all my Defensive Computing postings.
Not only is there is a flaw in the Domain Name System, there is also a flaw in the suggested ways to test whether your computer is vulnerable.
Many articles suggest going to Web site x or y to run vulnerability tests. (I'm guilty of this too.) But the nature of the problem is that you can't trust Web site names.
The fallacy is simple: use a name you can't trust to see if you can trust a name.
As I explained in "What you need to know about the latest DNS flaw," every Web site can be accessed by an IP address. The DNS flaw does not affect this rare, but quite valid, method of addressing Web sites. Thus, it's the best approach for an online vulnerability test.
One often-cited vulnerability test is offered by the DNS Operations, Analysis, and Research Center (DNS-OARC) at: https://www.dns-oarc.net/oarc/services/dnsentropy
I asked them about using an IP address to get to their online test and was told (thanks, Duane) that the test is also available at:
To me, this is the best vulnerability test for the current DNS flaw.
While this link bypasses the introduction to the topic offered by DNS-OARC, hopefully your computer is safe and you won't need to read about the problem. If all is well, it will report "great" for both the source port randomness and the transaction ID randomness.
If you are vulnerable, see "A cheatsheet for defending against the DNS flaw."
See a summary of all my Defensive Computing postings.
In my recent posting, What you need to know about the latest DNS flaw, I suggested using OpenDNS as a defense against the current DNS flaw. OpenDNS provides excellent step by step instructions for modifying the network settings on your computer to use their DNS services.
The only omission in their instructions is the need to make this change for every type of network connection. On a laptop computer, for example, you would need to modify both the network connection for wired Ethernet and also the Wi-Fi network connection. If you use dial-up, that too, needs to be modified.
Chose your Operating System:
The Continue button at the bottom of the instructions invites you to open an account with OpenDNS. This offers useful and free services but opening an account is not required.
See a summary of all my Defensive Computing postings.
If you've been hearing or reading about the latest DNS (Domain Name System) flaw, you may be confused about how to defend yourself. Think of this as a cheatsheet, it's what you need to know in the fewest words possible.
The flaw is mostly with software on a server computer run by your Internet Service Provider (ISP).* Some ISPs have patched the vulnerable DNS software on their computers, some have not. A recent list is available here. That said, Windows users also need to be sure they are up to date on patches as Microsoft released a recent DNS patch for Windows XP, 2000 and Server 2003. Windows Vista does not need to be patched.
DNS server computers translate the name of Internet-resident computers into numbers. Every computer that is reachable over the Internet is assigned a unique number (it's a bit more complicated, but this is essentially true). What is, to you, www.cnet.com, is to the computers on the Internet 216.239.113.101.
This number is called an IP address and yes, those are periods rather than commas. You can see this for yourself, by entering an IP address directly into the address bar of your web browser. For example, CBS owns CNET. You can see what's on CBS tonight at both
www.cbs.com/info/schedule/index.php
and
198.99.118.37/info/schedule/index.php
The danger with the current DNS flaw is similar to someone modifying a phone book. Suppose you wanted call the Post Office to tell them to stop your mail for a few weeks while you won't be home. You look up the Post Office phone number in a hacked phone book and instead of calling the actual Post Office you end up calling bad guys and telling them when they can safely come and rob you.
Everything you do online depends on translating the name of a website (or email server or any other computer) into an IP address. The recently discovered DNS flaw, lets the bad guys control this translation. Thus, they can steer people to fake websites. Input sensitive information or passwords at a fake website and you can kiss your identity goodbye.
What to do?
My preferred defense is to use OpenDNS. I wrote about this back in December:
Basically, it means re-configuring your computer to use DNS translation services from OpenDNS rather than from your ISP. Think core competence. And, it's free.
There is also a very simple online test of whether the DNS servers you are currently using are vulnerable to this bug at www.doxpara.com. Click on the "Check My DNS" button.
Another test is available at www.dns-oarc.net/oarc/services/dnsentropy, click on "Test My DNS". If all is well, it will report "GREAT" for both the source port randomness and the transaction ID randomness.
Update July 26, 2008: See A cheatsheet for defending against the DNS flaw
Update July 29, 2008: See The best test for vulnerability to the DNS flaw
Update July 30, 2008: According to You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037) the Microsoft patch for Windows XP and the server versions of Windows is buggy. ComputerWorld reports that Microsoft has no plans to fix the problem caused by their DNS patch.
* If you work for a large organization, they may run their own DNS server computers.
See a summary of all my Defensive Computing postings.
Yesterday, was Patch Tuesday and a bug fix released by Microsoft caused a problem for ZoneAlarm firewall users - they could no longer get online. Oops. Except, if they followed the advice offered earlier on this blog, which is to wait until Thursday or Friday before installing the patches Microsoft releases on Tuesday. This is exactly the sort of situation for which that advice was intended.
On July 2nd, I wrote about Flagfox, a Firefox extension that displays a small flag in the corner of the browser window. Three days later I expanded on this saying that Flagfox can serve a very important service, displaying the IP address of a website. For financial institutions, or anywhere you do sensitive transactions, this is very important. There are many ways that malicious software can fake out things such that even using a browser bookmark/favorite and even seeing the name of your financial institution in the address bar, you can nonetheless be at a phony, scam copy of the website, one designed to steal your password. Typically this is the result of an attack on DNS, a system that I described back in December when I suggested using OpenDNS.
Yesterday, it comes to light that there is a huge bug in DNS. Massive repercussions. But, not for Flagfox users. They can see the IP address of their bank website and verify it. If, for example, a bank website is supposed to be at IP address 1.2.3.4 and a DNS poisoning attack results in your ending up at 5.6.7.8, Flagfox users won't be faked out. Of course, the banks have to publicly verify their IP addresses and so far only Bank of America has done so. Chase outright refused to say anything. I'm still working on this.
On June 11th Brian Krebs at WashingtonPost.com wrote about a version of the "Zlob" Trojan that tries to zap the DNS settings on your router (a totally different type of DNS attack). But, anyone who took my March posting, Defending your router, and your identity, with a password change to heart, had already changed their router password and was immune to this attack.
On July 6th I discussed Still more reasons to avoid Internet Explorer. The very next day, we learned of another security problem with IE, this one having to do with an ActiveX control related to Microsoft Access. By my count, this brings the number of known bugs in Internet Explorer without fixes to six. I read my fair share of articles on this latest IE bug, none said anything about a Microsoft commitment to fix it, despite the fact that bad guys are currently exploiting it. In fact, Elinor Mills said Microsoft "may" provide a fix in the future. It must be nice to be a monopoly.
Back in April, when Windows XP Service Pack 3 was released, I advised against installing it at a time when others said it was good thing. In retrospect, the problems it caused far outweighed the trivial benefits it offers. I still haven't installed it and don't plan on doing so in the immediate future. Neither should you.
Watch this space for more Defensive Computing and, if you missed it, let me suggest reading The pillars of Defensive Computing.
See a summary of all my Defensive Computing postings.
Recently, in the techie Q&A column in the New York Times, someone asked about changing the password in their router. Due to space limitations, the answer by J. D. Biersdorfer was short, too short. This is what you need to know.
Every router, wired or wireless, has an internal website used to make configuration changes. Accessing this internal website requires a userid/password, something totally independent of any wireless network passwords.
A year ago, in my prior blog, I discussed why it is so important to change the default router password (see Home routers can be dangerous. VERY dangerous). In brief, if your router is using the default password, your computer is vulnerable to an attack where the router is re-configured. Specifically, the dangerous configuration option is the DNS server. For an introduction to the concept of DNS servers, see my prior posting on OpenDNS.
Malicious DNS servers can result in your visiting to a website, any website, and ending up at a phony version of the site run by bad guys. If the website is that of a bank or credit card company, and you enter a userid/password, you can kiss your identity, and money, good-bye.
There are three steps to changing the password in a router:*
1. Find the router on the network
2. Log in to the website built into the router
3. Hunt around for the appropriate web page
If your router was setup by a good techie, there should be a piece of paper next to it with the IP address, userid and password. I'm sure this is rare.
Step 1: Find The Router On Your Network
Every computer on a network is assigned a unique number. The most common networking protocol, TCP/IP, uses a 32 bit binary number which is written as four decimal numbers separated by periods (such as 192.168.1.1). The unique number for computers on a TCP/IP network is called an IP address.
You can find the IP address of the router in the following ways:
1. The person who set it up tells you.
2. If you have the manual for the router, it will have the default IP address. In my experience, the default IP address is rarely changed.
3. You can download an electronic version of the manual from the website of the company that manufactured the router. Again, this will have the default IP address.
Connection-specific DNS Suffix . : localdomain2
IP Address. . . . . . . . . . . . : 192.168.1.88
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
4. The most reliable method is to ask the TCP/IP software running on your computer. It always knows where the router is. In Windows XP, Vista and 2000, open a command prompt window and enter the command "ipconfig" (see above). The IP address of the router is identified by Windows as the "Default Gateway".
Open your web browser and type this number into the address bar, as shown below.
This will connect you with the website that lives inside the router. This website will look and act like any other website even though, technically, it is not on the world wide web.
Step 2: Find The Password
Before you can see the router configuration website, you have to provide a password and possibly a userid. Usually you can't change the userid, so I'll focus on the password. In the example below, of logging in to a Belkin router, there isn't even a userid, just a password.
Below is a screen shot of logging into a Linksys router. Note that you are instructed to leave the userid blank, and only enter a password.
If you don't now the router password, start by trying the default one. The New York Times article mentioned two websites where you can find the default userid and password for many routers (here and here). Be aware though, that the sites are neither authoritative nor comprehensive. You can also find the default userid and password in the manual for the router.
If the default password doesn't work, you are safe from malicious software changing the DNS servers. Still, it's a good idea to know the password for your router.
To change a non-default password without knowing it, requires reseting the router back to the factory default settings. There should be a small Reset button for just this purpose. You may have to unwind a paper clip to press the button and may have to hold it pressed for a few seconds. The manual should explain the procedure.
Step 3: Change The Password
Simply put, you'll have to do some hunting around the website to find the page for changing the password. Every router I've seen has a different interface.
In a Linksys router it may be in the Administration tab. In a Belkin router, try the System Settings. In a recent D-Link router, you changed the password in the Admin sub-section of the Tools section.
Rather than hunt, if you have the manual in Adobe Acrobat PDF format, try doing a find for the word "password". Unfortunately, routers are complicated and there are many passwords. The password to login to the router is not the PPoE password, or the PPTP password or the L2TP password. It also has nothing to do with the password for the wireless network.
D-Link may add more complication. Their routers may have an admin password for logging in to the router and making changes, and, a separate user password for logging in to the router in read-only mode.
After changing the password, you will likely get bounced out of the website and forced to login with the new password. Do so, just to be sure the new password is working. Now write down the userid and password on a piece of paper and tape it to the router. For good luck, include the IP address too.
Be Angry?
If the person that setup your router did not tell you the IP address, userid and password, they are incompetent. It's like buying a new car and not being able to open the hood to get to the engine. The car will run and work fine, for a while. Maybe quite a while. But there will come a time when you need to poke around the engine and you won't be able to.
If your router was using the default userid/password then the person that set it up is worse than incompetent, they are guilty of negligence. It's not inconceivable for this to result in a lawsuit someday.
Update. March 11, 2008: I just set up a new Belkin N Mimo router. Not only does the new model continue the tradition mentioned above of supporting only a password (no userid), the default password is no password.
*Note: There may also be software for managing the router, but finding and installing the software can be a headache of its own. Also, there is no standard for how the software works.
See a summary of all my Defensive Computing postings.
My previous posting was an introduction to both DNS and OpenDNS. Here, I offer a brief review of the features and services offered by OpenDNS.
First though, let's consider what happens when DNS breaks. As noted previously, the DNS system translates computer names into IP addresses. So if it breaks, it may seem that your Internet connection is broken when in fact, it's fully functional. That is, from your ISP's perspective everything can be working fine, all the lights on your modem and router* can be normal, but still, you can't get to any Web sites without DNS being alive and well.
To see if DNS is the problem, try to access a few Web sites by their underlying IP address. Here are some to try:
chow.com http://216.239.116.39
google.com http://64.233.167.99
opendns status http://208.67.219.60
Speed and reliability
OpenDNS claims to be fast. I don't doubt this is true, but this is probably not reason enough to switch. For one, it may or may not be faster than the DNS servers you now use. And even if it is faster, the speed boost may not be noticeable (it wasn't to me). Still, it's not hard to find people who claim the Internet runs faster after switching to OpenDNS [here and here]
You can get a feel for the speed at SiteUptime, which offers a free Quick Check that can be used to compare the speed of OpenDNS with your current DNS servers. The OpenDNS DNS servers are 208.67.222.222 and 208.67.220.220. Its Getting Started page shows you how to determine your current DNS servers for many operating systems.
Take all these IP addresses to SiteUptime, chose the city closest to you, in the drop-down menu chose "DNS 53," and enter an IP addresses in the "HostName or URL" box. When I tried this, the two OpenDNS servers responded in 0.010 and 0.009 second, whereas my ISP's DNS servers responded in 0.025 and .027 second. Your mileage will vary.
Unlike speed, reliability may well be a reason, in and of itself, to switch. OpenDNS operates servers in five physical locations, two on the East Coast of the U.S., two on the West Coast, and one in London. This is likely a much more robust setup than that offered by your ISP. It also accounts, in part, for its speed claims--it responds to queries from the location closest to you.
Phishing
Phishing protection is perhaps the most defensive computing reason to use OpenDNS. Heck, anything that helps prevent ID theft is a plus.
Of course, the latest versions of Firefox and Internet Explorer also include phishing protection. There should be no conflict between the protection from your browser and from OpenDNS.
Neither Mozilla nor Microsoft say where their phishing data (the list of known bad Web sites) comes from. In typical corporate-speak, Microsoft says it comes from "several industry partners." OpenDNS gets its list of phishing Web sites from PhishTank, a sister company it describes as "...a collaborative clearing house for data and information about phishing on the Internet." Anyone can report suspected phishing Web sites to PhishTank. And you've got to love the name.
Typos
Another type of intelligence added to the DNS name -> IP address translation involves typing mistakes. OpenDNS fixes a handful of common mistakes and sends you to the place you probably wanted to go in the first place. For example, typing www.javatester.og (missing r) will take you to javatester.org. So, too, will wwww.javatester.org (four leading w's) take you to my JavaTester Web site.
Five w's at the front is too much though, that OpenDNS considers an error. But, the error page wisely asks if you meant to go to javatester.org. OpenDNS users can get to CNET using either cnet.cmo or cnet.comm. Not earth-shattering, but all in all, a nice feature to have.
Site blocking
If you sign up for an account at OpenDNS, then it can block Web sites for you. At home, this could be used to keep children from playing online games while they are supposed to be doing their homework. In a corporate setting, it can be used to prevent access to Webmail as a way of encouraging employees to use the corporate e-mail system. OpenDNS is able to, for example, block Yahoo e-mail (mail.yahoo.com), while still allowing access to the rest of Yahoo.
The bad news here is that I can't see how this blocking can be enforced. A knowledgeable computer user can simply change the DNS servers used by the operating system.
If you're dealing with children though, the "adult" Web site blocking might be very handy, and it's free. OpenDNS has partnered with the iGuard team at St. Bernard Software to provide it with a list of "adult" Web sites it claims is updated daily. How good is this list? Test it for yourself at opendns.com/support/adult/. If it blocks a Web site by mistake, you can override it using a white-listing feature.
Setting it up
The instructions for enabling OpenDNS on its site are pretty good, but they are click-here-type-this instructions and not defensively oriented.
One thing I would add to the instructions is to make a note of your current DNS servers so that, if need be, you can revert back to them. Also, if you have multiple computers on a LAN and want to kick the tires on OpenDNS before fully converting, then change only one computer to use the service.
Finally, you may think you have converted an entire network to OpenDNS, but all the ducks may not be in a row. Normally, computers on a LAN are assigned their DNS servers at the same time they are assigned an IP address, using a protocol called DHCP. Thus, the standard way to convert all machines to OpenDNS is by modifying the DHCP server software. In non-techie terms, this means making a configuration change to the router. However, it is possible for a computer to always use certain DNS servers regardless of DHCP. So after modifying the router, I suggest restarting each computer and verifying that it is, in fact, using OpenDNS.
Its start page will tell you if OpenDNS is being used or not, as will itsbuttons page (see above).
Making money
All the services described so far are free, as are a couple I skipped over. So how does OpenDNS make money? Quoting its Knowledge Base:
"OpenDNS makes money by offering clearly labeled advertisements alongside organic search results when the domain entered is not valid and not a typo we can fix. OpenDNS will provide additional services on top of its enhanced DNS service, and some of them may cost money. Speedy, reliable DNS will always be free."
Time will tell how profitable this is, if at all. The founder, David Ulevitch, claimed the company was "nearly profitable" in back in July.
Wrapping up
OpenDNS is a service worth paying for. My hope is that ISPs will pay for it and brag about it as a way to obtain or retain customers. This would be a win for the ISP, which no longer needs to be bothered doing its own DNS, a win for their customers and a win for OpenDNS. The only loser would be the bad guys.
If you take the OpenDNS plunge, you're not alone. Its home page shows how many name -> IP address translations it is doing per second. The last few days it has varied between 37,000 and 46,000. Multiplied out, this comes out to more than 3 billion requests a day. Five months ago, it was handling only 1.4 billion requests a day.
Even if you don't use OpenDNS now, it can come in handy as an emergency fallback, should something go wrong with your current DNS servers.
* I wrote The blinking lights on a router are talking to you back in July.
See a summary of all my Defensive Computing postings.
