
Defensive Computing

September 27, 2008 11:32 AM PDT

Using a second router: A techie how-to

by Michael Horowitz
  • 2 comments

Previously, I wrote about using a second router to provide additional protection to high-value computers--specifically, to protect computers used by adults from those used by children on a shared Local Area Network (LAN).

That article was mostly conceptual; this one covers the nitty-gritty technical details.

First, the good news. Adding a second router has no effect on the first router and no effect on the untrusted (kids) computers. Each is blissfully ignorant of the following changes.

In describing the steps, the existing/first router will be referred to as the kids router since the untrusted kids computers connect to it. The new, second router will be referred to as the adults router since its job is to protect the computers used by adults.

For the sake of simplicity, I'll start with wired Ethernet connections and assume, as is usually the case, that the kids router is handing out private IP addresses* in the range 192.168.1.x using DHCP. The steps below apply regardless of the operating system employed on any particular computer.

Here's what needs to be done:

  • The high-value (adults) computers are unplugged from the kids router and plugged into the LAN ports of the adults router.
  • The WAN port of the adults router is plugged into a LAN port on the kids router. WAN stands for Wide Area Network, and refers to the Internet. From the perspective of the adults router, the kids router is the Internet. On some routers, the Ethernet WAN port is a different color from the LAN ports, but not always.
  • What the adults router thinks is its public IP address is really a private IP address (192.168.1.x) used by the kids router. This is configured in the adults router using the type of Internet connection option. The easiest thing is to set the adults router to DHCP or dynamic. It can, alternatively, be configured for a static IP address, but this requires a knowledge of the private IP address range used by the kids computers and router. Also, if the configuration of the kids router were ever to change in the future, the static IP address may no longer be valid and thus knock the adults computers offline.
  • On the WAN/Internet side, the default gateway and the primary DNS server for the adults router is the kids router (probably 192.168.1.1). If you opted for dynamic in the prior step, this should happen automatically, after rebooting the adults router. If you opted for a static IP address, you'll have to set this manually.
  • On the LAN side, the adults router can use DHCP to hand out IP addresses in any private address range other than that used by the kids router. For example, it could use 192.168.2.x or 192.168.8.x. To make things as obvious as possible, however, I suggest configuring the adults router to issue IP addresses in the 10.x.x.x range with the default subnet mask of 255.0.0.0. Along with this, set the LAN side IP address of the adults router to 10.0.0.1.
  • Each adults computer needs to use an IP address in the 10.x.x.x range. Most likely the computer(s) will already be configured to get an IP address using DHCP, in which case nothing needs to be changed. If, however, one was using a static IP address, a new one probably needs to be assigned, one that is outside the DHCP range handed out by the adults router.
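As an added example (not part of the article), here is a short Python check of the addressing plan these steps produce. The subnets, router addresses, DHCP range and static host below are constructed from the values in the steps, and `check_plan` flags the mistakes the steps warn about: overlapping ranges, a router address outside its own subnet, and a static address inside the DHCP pool.

```python
"""Sanity-check a two-router (double NAT) plan like the one described above.

Added example, not from the article. The subnets, addresses and ranges below are
constructed to match the article's worked values; adjust them for your own LAN.
"""
import ipaddress

# Constructed plan: the existing "kids" router and the new "adults" router.
KIDS_LAN = ipaddress.ip_network("192.168.1.0/24")
KIDS_ROUTER = ipaddress.ip_address("192.168.1.1")   # gateway + DNS for the adults router's WAN side

ADULTS_LAN = ipaddress.ip_network("10.0.0.0/8")
ADULTS_ROUTER_LAN_IP = ipaddress.ip_address("10.0.0.1")
ADULTS_DHCP_RANGE = (ipaddress.ip_address("10.0.0.100"), ipaddress.ip_address("10.0.0.199"))
ADULTS_STATIC_HOSTS = [ipaddress.ip_address("10.0.0.50")]  # adults computers with a fixed address


def check_plan(kids_lan, kids_router, adults_lan, adults_router_ip, dhcp_range, static_hosts):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    # Both sides must be private (RFC 1918) space; the adults router's WAN address
    # lives inside the kids LAN, which it will treat as "the Internet".
    if not kids_lan.is_private:
        problems.append(f"kids LAN {kids_lan} is not a private range")
    if not adults_lan.is_private:
        problems.append(f"adults LAN {adults_lan} is not a private range")
    # The two LANs must not overlap, or the adults router cannot route between them.
    if kids_lan.overlaps(adults_lan):
        problems.append(f"adults LAN {adults_lan} overlaps kids LAN {kids_lan}")
    if kids_router not in kids_lan:
        problems.append(f"kids router {kids_router} is not inside {kids_lan}")
    if adults_router_ip not in adults_lan:
        problems.append(f"adults router LAN IP {adults_router_ip} is not inside {adults_lan}")
    lo, hi = dhcp_range
    if lo > hi or lo not in adults_lan or hi not in adults_lan:
        problems.append(f"DHCP range {lo}-{hi} is not inside {adults_lan}")
    if lo <= adults_router_ip <= hi:
        problems.append(f"adults router LAN IP {adults_router_ip} lies inside its own DHCP range")
    # Static adults computers must be in the adults LAN but outside the DHCP pool.
    for host in static_hosts:
        if host not in adults_lan:
            problems.append(f"static host {host} is not inside {adults_lan}")
        elif lo <= host <= hi:
            problems.append(f"static host {host} collides with DHCP range {lo}-{hi}")
        elif host == adults_router_ip:
            problems.append(f"static host {host} collides with the router address")
    return problems


def expected_client_settings(adults_router_ip):
    """What an adults computer should see afterwards: gateway, DNS and DHCP all point at the adults router."""
    ip = str(adults_router_ip)
    return {"gateway": ip, "dns": ip, "dhcp": ip}


if __name__ == "__main__":
    for p in check_plan(KIDS_LAN, KIDS_ROUTER, ADULTS_LAN, ADULTS_ROUTER_LAN_IP,
                        ADULTS_DHCP_RANGE, ADULTS_STATIC_HOSTS):
        print("PROBLEM:", p)
    print(expected_client_settings(ADULTS_ROUTER_LAN_IP))
```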

Once this is done, an adults computer, which used to have a TCP/IP default gateway of 192.168.1.1, will now have a default gateway of 10.0.0.1. Likewise, the DNS server and DHCP server for an adults computer will now also be 10.0.0.1.

Not to switch subjects, but elsewhere I've written that I'm a big fan of OpenDNS. Any computer can be manually set up for OpenDNS, but another approach is to configure the router to use the OpenDNS servers and the router will then pass along this setting to computers that connect to it with DHCP.

More about living with this setup, and about Wi-Fi, next time.

*For more on public vs. private IP address, see What does your IP address say about you?
See also How to check if a computer is using OpenDNS
See a summary of all my Defensive Computing postings.

August 25, 2008 2:45 PM PDT

How to check if a computer is using OpenDNS

by Michael Horowitz
  • 1 comment

In response to the recent DNS problems on the Internet I had earlier suggested changing some network configuration parameters to use the free OpenDNS service.

As I did this myself for a number of machines that I maintain, the question arose of verifying the change. That is, how can someone, particularly a non-technical computer user, ensure that their computer is configured to use OpenDNS?

This is, it turns out, remarkably easy.

Go to www.opendns.com. At the top of the home page, just under the tabs, there will be a message whose content depends on whether the computer is using OpenDNS or not.

If the computer is not using OpenDNS, the message reads: "Start using the world's largest and fastest-growing DNS service. Make your network safer, faster, smarter and more reliable. It's free."


If the computer is using OpenDNS, the message reads: "You're using OpenDNS. Thanks! You are now navigating the Internet safer, faster, smarter and more reliably than ever before."


Update: According to the company, this should work for all operating systems.


July 26, 2008 12:47 PM PDT

A cheatsheet for defending against the DNS flaw

by Michael Horowitz
  • 3 comments

In my recent posting, What you need to know about the latest DNS flaw, I suggested using OpenDNS as a defense against the current DNS flaw. OpenDNS provides excellent step by step instructions for modifying the network settings on your computer to use their DNS services.

The only omission in their instructions is the need to make this change for every type of network connection. On a laptop computer, for example, you would need to modify both the network connection for wired Ethernet and also the Wi-Fi network connection. If you use dial-up, that too, needs to be modified.

Choose your Operating System:

The Continue button at the bottom of the instructions invites you to open an account with OpenDNS. This offers useful and free services but opening an account is not required.


July 24, 2008 10:39 AM PDT

What you need to know about the latest DNS flaw

by Michael Horowitz
  • 1 comment

If you've been hearing or reading about the latest DNS (Domain Name System) flaw, you may be confused about how to defend yourself. Think of this as a cheatsheet: it's what you need to know in the fewest words possible.

The flaw is mostly with software on a server computer run by your Internet Service Provider (ISP).* Some ISPs have patched the vulnerable DNS software on their computers, some have not. A recent list is available here. That said, Windows users also need to be sure they are up to date on patches as Microsoft released a recent DNS patch for Windows XP, 2000 and Server 2003. Windows Vista does not need to be patched.

DNS server computers translate the name of Internet-resident computers into numbers. Every computer that is reachable over the Internet is assigned a unique number (it's a bit more complicated, but this is essentially true). What is, to you, www.cnet.com, is to the computers on the Internet 216.239.113.101.

This number is called an IP address and yes, those are periods rather than commas. You can see this for yourself, by entering an IP address directly into the address bar of your web browser. For example, CBS owns CNET. You can see what's on CBS tonight at both

www.cbs.com/info/schedule/index.php
  and
198.99.118.37/info/schedule/index.php

The danger with the current DNS flaw is similar to someone modifying a phone book. Suppose you wanted to call the Post Office to tell them to stop your mail for a few weeks while you won't be home. You look up the Post Office phone number in a hacked phone book and, instead of calling the actual Post Office, you end up calling bad guys and telling them when they can safely come and rob you.

Everything you do online depends on translating the name of a website (or email server or any other computer) into an IP address. The recently discovered DNS flaw lets the bad guys control this translation. Thus, they can steer people to fake websites. Input sensitive information or passwords at a fake website and you can kiss your identity goodbye.

What to do?

My preferred defense is to use OpenDNS. I wrote about this back in December:

Basically, it means re-configuring your computer to use DNS translation services from OpenDNS rather than from your ISP. Think core competence. And, it's free.

There is also a very simple online test of whether the DNS servers you are currently using are vulnerable to this bug at www.doxpara.com. Click on the "Check My DNS" button.

Another test is available at www.dns-oarc.net/oarc/services/dnsentropy, click on "Test My DNS". If all is well, it will report "GREAT" for both the source port randomness and the transaction ID randomness.
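To show what those two randomness checks are measuring, here is an added Python example (not from the article, and not the OARC test's own scoring): it rates constructed samples of source ports and transaction IDs from a simulated unpatched resolver (fixed port, counting IDs) and a simulated patched one (random port and ID), using a simplified GREAT/GOOD/POOR heuristic of my own.

```python
"""Score the randomness of a resolver's outgoing DNS query source ports and transaction IDs.

Added example, not from the article or from the OARC test it mentions. The rating
below is a simplified heuristic, applied to constructed samples from two simulated
resolvers, to illustrate what the online tests look at on your own resolver.
"""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Entropy (bits) of the observed sample; at most log2(len(values)) by construction."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def rate(values, field_bits):
    """Rate one 16-bit field (source port or transaction ID) as GREAT, GOOD or POOR.

    POOR : values repeat heavily (a fixed port) or mostly step by +1 (a counter);
    GOOD : values are distinct but huddle in a small part of the field;
    GREAT: values are distinct, non-sequential and spread across the field.
    """
    n = len(values)
    distinct = len(set(values))
    plus_one_steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    sequential = plus_one_steps > n // 2
    spread = (max(values) - min(values)) / ((1 << field_bits) - 1)  # fraction of the field used
    if distinct <= n // 2 or sequential:
        return "POOR"
    if spread < 0.25:
        return "GOOD"
    return "GREAT"


def score_resolver(queries):
    """queries: list of (source_port, transaction_id) pairs as seen by the queried server."""
    ports = [p for p, _ in queries]
    ids = [t for _, t in queries]
    return {"source_port": rate(ports, 16), "transaction_id": rate(ids, 16),
            "port_entropy_bits": round(shannon_bits(ports), 2),
            "id_entropy_bits": round(shannon_bits(ids), 2)}


def simulate_unpatched(n, seed=1):
    """Pre-patch behaviour: one fixed source port and a transaction ID that counts up."""
    start = random.Random(seed).randrange(0, 1 << 16)
    return [(53, (start + i) & 0xFFFF) for i in range(n)]


def simulate_patched(n, seed=1):
    """Post-patch behaviour: a random ephemeral port and a random ID for every query."""
    rng = random.Random(seed)
    return [(rng.randrange(1024, 1 << 16), rng.randrange(0, 1 << 16)) for _ in range(n)]


if __name__ == "__main__":
    print("unpatched:", score_resolver(simulate_unpatched(200)))
    print("patched:  ", score_resolver(simulate_patched(200)))
```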

Update July 26, 2008: See A cheatsheet for defending against the DNS flaw

Update July 29, 2008: See The best test for vulnerability to the DNS flaw

Update July 30, 2008: According to You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037) the Microsoft patch for Windows XP and the server versions of Windows is buggy. ComputerWorld reports that Microsoft has no plans to fix the problem caused by their DNS patch.

* If you work for a large organization, they may run their own DNS server computers.

December 19, 2007 10:02 AM PST

More about OpenDNS, including adult site filtering

by Michael Horowitz
  • 7 comments

My previous posting was an introduction to both DNS and OpenDNS. Here, I offer a brief review of the features and services offered by OpenDNS.

First though, let's consider what happens when DNS breaks. As noted previously, the DNS system translates computer names into IP addresses. So if it breaks, it may seem that your Internet connection is broken when in fact, it's fully functional. That is, from your ISP's perspective everything can be working fine, all the lights on your modem and router* can be normal, but still, you can't get to any Web sites without DNS being alive and well.

To see if DNS is the problem, try to access a few Web sites by their underlying IP address. Here are some to try:

CNET.com       http://216.239.122.51
chow.com       http://216.239.116.39
google.com     http://64.233.167.99
opendns status http://208.67.219.60

Speed and reliability

OpenDNS claims to be fast. I don't doubt this is true, but this is probably not reason enough to switch. For one, it may or may not be faster than the DNS servers you now use. And even if it is faster, the speed boost may not be noticeable (it wasn't to me). Still, it's not hard to find people who claim the Internet runs faster after switching to OpenDNS [here and here].

You can get a feel for the speed at SiteUptime, which offers a free Quick Check that can be used to compare the speed of OpenDNS with your current DNS servers. The OpenDNS DNS servers are 208.67.222.222 and 208.67.220.220. Its Getting Started page shows you how to determine your current DNS servers for many operating systems.

Take all these IP addresses to SiteUptime, choose the city closest to you, choose "DNS 53" in the drop-down menu, and enter an IP address in the "HostName or URL" box. When I tried this, the two OpenDNS servers responded in 0.010 and 0.009 second, whereas my ISP's DNS servers responded in 0.025 and 0.027 second. Your mileage will vary.

Unlike speed, reliability may well be a reason, in and of itself, to switch. OpenDNS operates servers in five physical locations, two on the East Coast of the U.S., two on the West Coast, and one in London. This is likely a much more robust setup than that offered by your ISP. It also accounts, in part, for its speed claims--it responds to queries from the location closest to you.

Phishing

Phishing protection is perhaps the most defensive computing reason to use OpenDNS. Heck, anything that helps prevent ID theft is a plus.

Of course, the latest versions of Firefox and Internet Explorer also include phishing protection. There should be no conflict between the protection from your browser and from OpenDNS.

Neither Mozilla nor Microsoft say where their phishing data (the list of known bad Web sites) comes from. In typical corporate-speak, Microsoft says it comes from "several industry partners." OpenDNS gets its list of phishing Web sites from PhishTank, a sister company it describes as "...a collaborative clearing house for data and information about phishing on the Internet." Anyone can report suspected phishing Web sites to PhishTank. And you've got to love the name.

Typos

Another type of intelligence added to the DNS name -> IP address translation involves typing mistakes. OpenDNS fixes a handful of common mistakes and sends you to the place you probably wanted to go in the first place. For example, typing www.javatester.og (missing r) will take you to javatester.org. So, too, will wwww.javatester.org (four leading w's) take you to my JavaTester Web site.

Five w's at the front is too much, though; that OpenDNS considers an error. But the error page wisely asks if you meant to go to javatester.org. OpenDNS users can get to CNET using either cnet.cmo or cnet.comm. Not earth-shattering, but all in all, a nice feature to have.

Site blocking

If you sign up for an account at OpenDNS, then it can block Web sites for you. At home, this could be used to keep children from playing online games while they are supposed to be doing their homework. In a corporate setting, it can be used to prevent access to Webmail as a way of encouraging employees to use the corporate e-mail system. OpenDNS is able to, for example, block Yahoo e-mail (mail.yahoo.com), while still allowing access to the rest of Yahoo.

The bad news here is that I can't see how this blocking can be enforced. A knowledgeable computer user can simply change the DNS servers used by the operating system.

If you're dealing with children though, the "adult" Web site blocking might be very handy, and it's free. OpenDNS has partnered with the iGuard team at St. Bernard Software to provide it with a list of "adult" Web sites it claims is updated daily. How good is this list? Test it for yourself at opendns.com/support/adult/. If it blocks a Web site by mistake, you can override it using a white-listing feature.

Setting it up

The instructions for enabling OpenDNS on its site are pretty good, but they are click-here-type-this instructions and not defensively oriented.

One thing I would add to the instructions is to make a note of your current DNS servers so that, if need be, you can revert back to them. Also, if you have multiple computers on a LAN and want to kick the tires on OpenDNS before fully converting, then change only one computer to use the service.

Finally, you may think you have converted an entire network to OpenDNS, but all the ducks may not be in a row. Normally, computers on a LAN are assigned their DNS servers at the same time they are assigned an IP address, using a protocol called DHCP. Thus, the standard way to convert all machines to OpenDNS is by modifying the DHCP server software. In non-techie terms, this means making a configuration change to the router. However, it is possible for a computer to always use certain DNS servers regardless of DHCP. So after modifying the router, I suggest restarting each computer and verifying that it is, in fact, using OpenDNS.

Use OpenDNS

Its start page will tell you if OpenDNS is being used or not, as will its buttons page (see above).

Making money

All the services described so far are free, as are a couple I skipped over. So how does OpenDNS make money? Quoting its Knowledge Base:

"OpenDNS makes money by offering clearly labeled advertisements alongside organic search results when the domain entered is not valid and not a typo we can fix. OpenDNS will provide additional services on top of its enhanced DNS service, and some of them may cost money. Speedy, reliable DNS will always be free."

Time will tell how profitable this is, if at all. The founder, David Ulevitch, claimed the company was "nearly profitable" back in July.

Wrapping up

OpenDNS is a service worth paying for. My hope is that ISPs will pay for it and brag about it as a way to obtain or retain customers. This would be a win for the ISP, which no longer needs to be bothered doing its own DNS, a win for their customers and a win for OpenDNS. The only loser would be the bad guys.

If you take the OpenDNS plunge, you're not alone. Its home page shows how many name -> IP address translations it is doing per second. The last few days it has varied between 37,000 and 46,000. Multiplied out, this comes out to more than 3 billion requests a day. Five months ago, it was handling only 1.4 billion requests a day.

Even if you don't use OpenDNS now, it can come in handy as an emergency fallback, should something go wrong with your current DNS servers.

* I wrote The blinking lights on a router are talking to you back in July.


December 15, 2007 8:54 PM PST

OpenDNS provides added safety for free

by Michael Horowitz
  • 9 comments

OpenDNS is a free online service that offers an extra layer of safety on the Internet. Technically, the service is DNS resolution, which I'll explain below. The main defensive computing advantage it provides is protection from bad Web sites, most importantly from phishing scams. ID theft is, to me at least, the worst thing that can happen to a computer user, so any extra protection helps. You also get some flexibility in deciding which other types of Web sites should be restricted.

You don't have to register to use the service, and there is no software to download or install. All that's involved is a change to the networking configuration of either your computer or your router. This is a one-time change--OpenDNS requires no ongoing care and feeding. Should you ever want to stop using the service, simply reverse the configuration change. I've used it for quite a while and fail to see a downside.

What is DNS resolution?

This topic can be a bit technical, but some background is required to understand where OpenDNS fits and how it can provide the services it does. I'll be as brief as possible.

Every computer on the Internet is assigned a unique number. Americans can think of it as a Social Security number for their computer. When two computers talk to each other on the Internet, they address each other using this number, which we nerds call an IP address. You can see the IP address of the computer you're reading this blog posting with by visiting www.ipchicken.com, whatismyip.com, whatismyipaddress.com, www.myipaddress.com or other similar Web sites.

Technically, an IP address is a 32-bit (binary digit) number. For example, when going to www.cnet.com, under the covers, your computer is talking to a CNET machine at this IP address: 11011000111011110111101000110011

For simplicity's sake, an IP address is written in decimal rather than binary. To make it especially simple, clumps of eight bits are converted to decimal and the four clumps are separated by periods. Thus, the standard way of representing the above IP address is 216.239.122.51 (without a dot/period at the end).


As proof, enter this IP address in the address bar of your Web browser. You will end up at cnet.com.*

Just as people have both names and phone numbers, computers on the Internet have both names (www.cnet.com) and IP addresses (216.239.122.51). DNS resolution can be thought of as a telephone book. It is the process of converting the name of a computer to its IP address.

DNS (Domain Name System) is a huge distributed system that functions amazingly well, especially considering the initial design predates the Internet as we now know it by many years.

When your computer goes to www.cnet.com (or any other Web site) it first obtains the IP address by making a translation request to a computer called a DNS server. The translation (technically DNS resolution) happens so quickly and transparently you are not aware of it.

DNS is a core service provided by every ISP which runs a pair of computers called DNS servers (at least a pair, maybe more). When you first connect to the Internet, you are assigned a pair of DNS servers. Should one fail, your computer automatically tries to use the other one. Windows Vista, XP and 2000 users can see this by entering the command "ipconfig /all" at a command prompt. Sample XP output from this command is shown below.

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix .. : mydomain2
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Mobile...
Physical Address. . . . . . . . . : 10-12-24-D1-DE-C0
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.111.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220

Lease Obtained. . . . . . . . . . : Saturday, December 15, 2007 2PM
Lease Expires . . . . . . . . . . : Sunday, December 16, 2007 2AM
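An added Python example (not from the article) that automates the verification question raised in the "How to check if a computer is using OpenDNS" post above: it parses ipconfig /all output like the sample, including the continuation line that carries the second DNS server, and reports per adapter whether every configured DNS server is one of the two OpenDNS addresses. SAMPLE_IPCONFIG is constructed text modelled on the output shown.

```python
"""Check which DNS servers a Windows computer is using, from "ipconfig /all" output.

Added example, not from the article: parses each adapter section and reports whether
every configured DNS server is one of the two OpenDNS resolvers named on this page.
SAMPLE_IPCONFIG is constructed, modelled on the XP output shown above.
"""
import re

OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix .. : mydomain2
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.111.111
Default Gateway . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220

Ethernet adapter Wireless Network Connection:
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.23
DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

_ADAPTER_RE = re.compile(r"^(\S.*) adapter (.*):\s*$")
_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dns_servers(text):
    """Return {adapter name: [DNS server IPs]}.

    The "DNS Servers" field continues on following lines that carry only an
    address (as in the sample), so those continuation lines are collected too.
    """
    result, adapter, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(2), False
            result[adapter] = []
            continue
        if adapter is None or not line.strip():
            in_dns = False
            continue
        m = _FIELD_RE.match(line)
        if m:  # a "Name . . . : value" line; only the DNS Servers field matters here
            name, value = m.group(1).strip(), m.group(2).strip()
            in_dns = name.lower() == "dns servers"
            if in_dns and _IPV4_RE.match(value):
                result[adapter].append(value)
        elif in_dns and _IPV4_RE.match(line.strip()):
            result[adapter].append(line.strip())  # continuation line
    return result


def adapter_uses_opendns(servers):
    """True only if the adapter has DNS servers and all of them are OpenDNS.

    A mix (one OpenDNS, one ISP server) is not enough: the computer falls back
    to the other server when one fails, so the ISP server would still get used.
    """
    return bool(servers) and set(servers) <= OPENDNS_SERVERS


def report(text):
    """Per-adapter verdict, e.g. {"Local Area Connection": True, ...}."""
    return {name: adapter_uses_opendns(srv) for name, srv in parse_dns_servers(text).items()}


if __name__ == "__main__":
    for name, ok in report(SAMPLE_IPCONFIG).items():
        print(f"{name}: {'OpenDNS' if ok else 'NOT OpenDNS'}")
```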

As the name implies, OpenDNS runs their own DNS servers. To use their service, you change the TCP/IP networking software on your computer to point to their DNS servers instead of those from your ISP. OpenDNS provides excellent instructions for doing this.

Why OpenDNS?

Running DNS servers is not a trivial thing--there are many configuration options that need to be understood and correctly set up. In addition, speed and redundancy are critical issues. A cable TV company or a telephone company may not have the in-house expertise to do this well. OpenDNS is a specialist. Consider that the first reason to use them.

Hopefully, because they are specialists, their DNS servers will be more resistant to attack by the bad guys.

Nothing is worse than a compromised DNS server.

I don't say this lightly. If your computer is talking to a compromised DNS server, you can enter "www.citibank.com" (for example) into the address bar of your Web browser and not end up at Citibank's Web site, but instead be looking at a phony imitation Web site. Kiss your identity goodbye.

In addition to infrastructure, OpenDNS adds intelligence to the translation process that was not part of the original design of the DNS system. That intelligence, such as preventing you from accessing known bad Web sites, is the big selling point (if a free service can have a selling point). Next time, I'll go into more detail on the various types of protection offered by OpenDNS.

Let me end by pointing out that OpenDNS protection applies to your Internet connection. Any program that accesses computers by name will be protected, whether it be a Web browser, e-mail program, instant-messaging program, FTP or whatever. I mention this for a couple reasons.

First, malicious e-mail messages sometimes include links based on an IP address (e.g., http://1.2.3.4) rather than the name of the computer. Since referencing a computer by IP address does not involve DNS, you always have to be on the lookout for this, as the link is bound to be bad news.

Also, if you have multiple ways of connecting to the Internet on your computer, then you'll have to make the necessary TCP/IP configuration changes for each connection. For example, laptop users interested in OpenDNS should change the wired Ethernet, modem dial-up, and wireless Wi-Fi connection. The same heads-up applies to anyone using one of the wireless data services from a cell phone company.

To be continued...


Update. December 17, 2007: According to this article in the New York Times, OpenDNS was started with "... a $2 million investment from Halsey M. Minor, the former chief executive at CNET.com." I was not aware of this when writing this posting.



*It's actually more complicated than this. For example, multiple Web sites can share a single IP address, one computer can have multiple IP addresses and, in a LAN environment where multiple computers share a single high-speed Internet connection, only the router has an IP address on the Internet. The other computers have IP addresses, but these are IP addresses that have been set aside for internal use only, they are never used on the Internet.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
