News Blog

March 6, 2008 5:22 PM PST

Using open source to fight porn

by Michael Tiemann

Our daughter was rummaging through a box of memorabilia and found an envelope of photos taken in early 2001, about the time I'd purchased a cool new macro lens. One minute she was flipping through a series of cute puppy pictures and the next minute she's face to face with a set of full-frontal nude photographs depicting...a wolf spider. In fact, the spider was so exposed, the close-up so extreme, that Amy could not bring herself to even handle the photos so as to put them back into the envelope from which they came.

So when I got home I did the manly thing and, judging their scientific value to be near zero, tossed the spider pictures into the trash. When our daughter threw something away later that evening, and then needed to retrieve it, she shrieked again at the vile images that she could not unsee (and I was chastised for merely disposing of them instead of using our new commercial-grade shredder). Is there any possible way to prevent our children from accessing images or content that is disturbing to them or to us as parents? And should that be our sole criterion for judging whether or not we have won the war on porn?

A new Red Hat employee queried an internal e-mail list as to methods of protecting their children from accessing pornography, and through the responses I learned a few things I thought I'd share...

Perhaps the first question to answer is "what is to be protected?" We live in a media-saturated culture where some of the raciest material is to be found, in all its pixelated glory, on some of the most conservative TV programs (see Fox News Porn). Between the catalogs, newspaper ads, billboards, etc., there's plenty of disturbing material to go around. Indeed, when traveling through the airport with my daughter last year, she had quite a laugh when she came face-to-face with the image of a woman barely dressed on the cover of Cosmopolitan. (She called her "naked-bottom girl" for the rest of the day.) Deciding where to begin has become difficult indeed.

One popular approach is taken by OpenDNS. (Disclaimer: OpenDNS was funded by the former CEO of CNET.) The Domain Name System (DNS) is the service that translates a domain name (such as wikipedia.org) into an actual IP address (such as 208.80.152.2). By using OpenDNS instead of your ISP's DNS servers, you let OpenDNS handle, and interpret, that translation:

  • wikipedia.org -> 208.80.152.2
  • wikipedia.og -> 208.80.152.2 (it corrects your "spelling mistake")
  • playboy.org -> BLOCKED! (if you want to filter out Web sites that serve "pornography" or "nudity")

But OpenDNS also sees, and logs, every domain name your computer looks up (that is part of the bargain of sitting between you and the "real" DNS servers), and there is vigorous debate as to whether a DNS service should be rewriting answers at all, that is, sending you somewhere of its own choosing when a name is mistyped or does not exist. People think it is wrong (evil, even) that Google's toolbar does this. And they raised holy hell when VeriSign did it with Site Finder back in 2003. But if you are not bothered by the idea that every name you type into your browser goes first to OpenDNS's servers, and, secondly, that when you request Site A it could transparently and silently take you to Site B as if it were Site A, then it may be an interesting solution. As with any service that collects and interprets such sensitive personal information as your browsing habits, I suggest you read their privacy policy carefully. And you should be aware that OpenDNS is not open source.

If you want a content filtering solution that is open source (because you want to independently verify what is being logged, and you want to independently verify how the blocking choices are being made), you might be interested in DansGuardian. They have an impressive list of users as well as a blacklist you can review, adopt, or ignore. Several of my colleagues said that they use DansGuardian and that it works well.

An even more interesting suggestion was to use a firewall to force all Internet access through a proxy that can log every connection from every client computer. One family reported:

The proxy doesn't have a filter on it, but it does mail my wife and me a daily summary of what each computer asked for and when, so we know what the kids are doing online. And we make sure the kids know that we know.
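The kind of daily summary that family describes, as an added example that is not their setup or code: it reads proxy log records (assumed here to be in Squid's native access.log layout), groups them by day, client and host name, and renders a report. The log lines are constructed for the example, with TEST-NET addresses as the upstream peers; counting denied requests goes slightly beyond the unfiltered proxy described, since Squid records them when a filter is present.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample records in Squid's native access.log layout (an assumption
# about the proxy in use): unix time, elapsed ms, client, status, bytes,
# method, URL, ident, hierarchy/peer, content type. Times are UTC.
SAMPLE_LOG = """\
1197741600.123    245 192.168.111.111 TCP_MISS/200 4321 GET http://www.cnet.com/ - DIRECT/216.239.122.51 text/html
1197741612.456     87 192.168.111.111 TCP_HIT/200 1200 GET http://www.cnet.com/images/logo.gif - NONE/- image/gif
1197741700.001   1500 192.168.111.112 TCP_MISS/200 9800 CONNECT mail.yahoo.com:443 - DIRECT/192.0.2.10 -
1197828000.500    300 192.168.111.112 TCP_MISS/200 2200 GET http://www.javatester.org/ - DIRECT/192.0.2.20 text/html
1197828060.750     12 192.168.111.111 TCP_DENIED/403 980 GET http://playboy.org/ - NONE/- text/html
"""


def host_of(method, url):
    """Host a request was for. HTTPS goes through the proxy as a CONNECT
    tunnel, which logs host:port rather than a URL, so only the host name
    (never the page path) is visible for those."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()


def parse_line(line):
    """One record -> dict, or None for a truncated/malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    return {
        "day": ts.date().isoformat(),
        "time": ts.strftime("%H:%M:%S"),
        "client": fields[2],
        "status": fields[3],
        "host": host_of(fields[5], fields[6]),
    }


def summarize(log_text):
    """{day: {client: {host: {count, first, last, denied}}}}"""
    report = defaultdict(lambda: defaultdict(dict))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec["day"]][rec["client"]].setdefault(
            rec["host"], {"count": 0, "first": rec["time"], "last": rec["time"], "denied": 0})
        entry["count"] += 1
        entry["last"] = rec["time"]          # records arrive in time order
        if "DENIED" in rec["status"]:
            entry["denied"] += 1
    return report


def render(report):
    """Plain-text report suitable for mailing."""
    lines = []
    for day in sorted(report):
        lines.append(f"== {day} ==")
        for client in sorted(report[day]):
            lines.append(f"  {client}")
            for host, e in sorted(report[day][client].items()):
                flag = f"  ({e['denied']} blocked)" if e["denied"] else ""
                lines.append(f"    {host:<28} {e['count']:>3} req  {e['first']}-{e['last']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Note the CONNECT case: once the kids' traffic is HTTPS the proxy still learns which hosts were contacted and when, but nothing about which pages, so a summary like this is a list of sites, not of content.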

I must admit that at first I was taken aback by the idea of having this type of access to somebody else's surfing history. But then I asked myself: if I am at all bothered by the idea of parents having such access to their children's surfing habits, how happy am I to be trusting that data with some third party, their supercomputer, and who knows what federal agencies?

Back to the topic of open source. One parent raised the issue that they are quite confident of the security and configuration of their own computer network, but what about the neighbor with the open wireless access point? A little education goes a long way. First, if you see a neighbor has an open wireless connection, suggest that they may wish to close it, as it represents a security problem for you. Second, if they are concerned about being a gateway to inappropriate content, suggest a mechanism whereby they, too, can play a role in filtering the content. OpenDNS might not be the right solution if your neighbor does not agree with their business model, but DansGuardian could be a good alternative. Third, use this as a positive opportunity to discuss with your children the "rules of the road" of Internet use. Those rules could range from accepting real-time oversight (how we do things at our house) to requesting specific permission to access the Internet (the parent turns on the sole wireless router the child's computer is configured to access) to accepting arbitrary monitoring and reporting. Or, do none of the above and study hard for what you plan to do when your child inevitably does access something you find disturbing and inappropriate, not to mention the disturbing and inappropriate things that porn-serving companies like to do to your computers. Worse than spiders, for sure.

Originally posted at parent.thesis
December 19, 2007 10:02 AM PST

More about OpenDNS, including adult site filtering

by Michael Horowitz

My previous posting was an introduction to both DNS and OpenDNS. Here, I offer a brief review of the features and services offered by OpenDNS.

First though, let's consider what happens when DNS breaks. As noted previously, the DNS system translates computer names into IP addresses. So if it breaks, it may seem that your Internet connection is broken when in fact, it's fully functional. That is, from your ISP's perspective everything can be working fine, all the lights on your modem and router* can be normal, but still, you can't get to any Web sites without DNS being alive and well.

To see if DNS is the problem, try to access a few Web sites by their underlying IP address. Here are some to try (the addresses were current when this was written; sites change hosting, so confirm an address with a working lookup before relying on it):

CNET.com       http://216.239.122.51
chow.com       http://216.239.116.39
google.com     http://64.233.167.99
opendns status http://208.67.219.60

Speed and reliability

OpenDNS claims to be fast. I don't doubt this is true, but this is probably not reason enough to switch. For one, it may or may not be faster than the DNS servers you now use. And even if it is faster, the speed boost may not be noticeable (it wasn't to me). Still, it's not hard to find people who claim the Internet runs faster after switching to OpenDNS.

You can get a feel for the speed at SiteUptime, which offers a free Quick Check that can be used to compare the speed of OpenDNS with your current DNS servers. The OpenDNS DNS servers are 208.67.222.222 and 208.67.220.220. Its Getting Started page shows you how to determine your current DNS servers for many operating systems.

Take all these IP addresses to SiteUptime, choose the city closest to you, choose "DNS 53" in the drop-down menu, and enter one IP address at a time in the "HostName or URL" box. When I tried this, the two OpenDNS servers responded in 0.010 and 0.009 second, whereas my ISP's DNS servers responded in 0.025 and 0.027 second. Your mileage will vary.

Unlike speed, reliability may well be a reason, in and of itself, to switch. OpenDNS operates servers in five physical locations, two on the East Coast of the U.S., two on the West Coast, and one in London. This is likely a much more robust setup than that offered by your ISP. It also accounts, in part, for its speed claims--it responds to queries from the location closest to you.

Phishing

Phishing protection is perhaps the strongest defensive-computing reason to use OpenDNS. Heck, anything that helps prevent ID theft is a plus.

Of course, the latest versions of Firefox and Internet Explorer also include phishing protection. There should be no conflict between the protection from your browser and from OpenDNS; they work at different levels (the browser checks the full URL, while OpenDNS only ever sees the host name), so each can catch things the other cannot.

Neither Mozilla nor Microsoft say where their phishing data (the list of known bad Web sites) comes from. In typical corporate-speak, Microsoft says it comes from "several industry partners." OpenDNS gets its list of phishing Web sites from PhishTank, a sister company it describes as "...a collaborative clearing house for data and information about phishing on the Internet." Anyone can report suspected phishing Web sites to PhishTank. And you've got to love the name.

Typos

Another type of intelligence added to the DNS name -> IP address translation involves typing mistakes. OpenDNS fixes a handful of common mistakes and sends you to the place you probably wanted to go in the first place. For example, typing www.javatester.og (missing r) will take you to javatester.org. So, too, will wwww.javatester.org (four leading w's) take you to my JavaTester Web site.

Five w's at the front is too much, though; that OpenDNS considers an error. But the error page wisely asks if you meant to go to javatester.org. OpenDNS users can get to CNET using either cnet.cmo or cnet.comm. Not earth-shattering, but all in all a nice feature to have.

Site blocking

If you sign up for an account at OpenDNS, then it can block Web sites for you. At home, this could be used to keep children from playing online games while they are supposed to be doing their homework. In a corporate setting, it can be used to prevent access to Webmail as a way of encouraging employees to use the corporate e-mail system. OpenDNS is able to, for example, block Yahoo e-mail (mail.yahoo.com), while still allowing access to the rest of Yahoo.

The bad news here is that OpenDNS itself has no way to enforce this blocking. A knowledgeable computer user can simply change the DNS servers used by the operating system, or put the blocked name in the local hosts file, which is consulted before any DNS server is asked. Enforcement would have to come from the router: a firewall rule that drops or redirects outgoing DNS traffic (port 53) that is not headed to the chosen servers.

If you're dealing with children though, the "adult" Web site blocking might be very handy, and it's free. OpenDNS has partnered with the iGuard team at St. Bernard Software to provide it with a list of "adult" Web sites it claims is updated daily. How good is this list? Test it for yourself at opendns.com/support/adult/. If it blocks a Web site by mistake, you can override it using a white-listing feature.
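A minimal DNS-level policy engine of the kind the site-blocking section (and the first posting's wikipedia/playboy list) describes, added here as an example and not OpenDNS's code: given a queried name, it decides whether to return the real address or a block page. The category lists, the block-page address (a TEST-NET placeholder) and the rule that the most specific entry wins, with ties going to the whitelist, are all assumptions for the example. Matching is by DNS label suffix, which is what makes "block mail.yahoo.com but allow the rest of Yahoo" work.

```python
BLOCK_PAGE = "192.0.2.1"   # assumption: placeholder block-page address (TEST-NET-1)

# Constructed category lists. Entries match by label suffix, so blocking
# mail.yahoo.com also covers smtp.mail.yahoo.com but not www.yahoo.com.
CATEGORIES = {
    "adult": {"playboy.org"},
    "webmail": {"mail.yahoo.com"},
}


class DnsPolicy:
    def __init__(self, blocked_categories, individual_blocks=(), whitelist=()):
        self.blocked = {name for cat in blocked_categories for name in CATEGORIES.get(cat, ())}
        self.blocked |= {n.lower() for n in individual_blocks}
        self.whitelist = {n.lower() for n in whitelist}

    @staticmethod
    def _suffixes(name):
        """'smtp.mail.yahoo.com' -> ['smtp.mail.yahoo.com', 'mail.yahoo.com', 'yahoo.com', 'com']"""
        labels = name.lower().rstrip(".").split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]

    def decision(self, qname):
        """'allow' or 'block'. Suffixes are checked most specific first, so a
        whitelist entry closer to the query than any block entry allows it,
        and a whitelist entry at the same level overrides a category block."""
        for suffix in self._suffixes(qname):
            if suffix in self.whitelist:
                return "allow"
            if suffix in self.blocked:
                return "block"
        return "allow"

    def answer(self, qname, real_address):
        """What the resolver hands back: the real address, or the block page."""
        return BLOCK_PAGE if self.decision(qname) == "block" else real_address


if __name__ == "__main__":
    policy = DnsPolicy(["adult", "webmail"])
    for name in ("www.cnet.com", "mail.yahoo.com", "www.yahoo.com", "playboy.org"):
        print(f"{name:<18} {policy.decision(name)}")
```

The limits are the same ones the post runs into: the engine only ever sees host names, so it cannot tell one page on a host from another, and it only applies to clients that actually send their queries to it.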

Setting it up

The instructions for enabling OpenDNS on its site are pretty good, but they are click-here-type-this instructions and not defensively oriented.

One thing I would add to the instructions is to make a note of your current DNS servers so that, if need be, you can revert back to them. Also, if you have multiple computers on a LAN and want to kick the tires on OpenDNS before fully converting, then change only one computer to use the service.

Finally, you may think you have converted an entire network to OpenDNS, but all the ducks may not be in a row. Normally, computers on a LAN are assigned their DNS servers at the same time they are assigned an IP address, using a protocol called DHCP. Thus, the standard way to convert all machines to OpenDNS is by modifying the DHCP server software. In non-techie terms, this means making a configuration change to the router. However, it is possible for a computer to be configured to always use certain DNS servers regardless of DHCP. So after modifying the router, I suggest restarting each computer and verifying that it is, in fact, using OpenDNS: on Windows, the command "ipconfig /all" lists the DNS servers in use (a sample appears in my earlier posting, below); on Linux, look in /etc/resolv.conf.

Use OpenDNS

Its start page will tell you whether OpenDNS is being used or not, as will its buttons page.

Making money

All the services described so far are free, as are a couple I skipped over. So how does OpenDNS make money? Quoting its Knowledge Base:

"OpenDNS makes money by offering clearly labeled advertisements alongside organic search results when the domain entered is not valid and not a typo we can fix. OpenDNS will provide additional services on top of its enhanced DNS service, and some of them may cost money. Speedy, reliable DNS will always be free."

Time will tell how profitable this is, if at all. The founder, David Ulevitch, claimed the company was "nearly profitable" back in July.

Wrapping up

OpenDNS is a service worth paying for. My hope is that ISPs will pay for it and brag about it as a way to obtain or retain customers. This would be a win for the ISP, which no longer needs to be bothered doing its own DNS, a win for their customers and a win for OpenDNS. The only loser would be the bad guys.

If you take the OpenDNS plunge, you're not alone. Its home page shows how many name -> IP address translations it is doing per second. The last few days it has varied between 37,000 and 46,000. Multiplied out, this comes out to more than 3 billion requests a day. Five months ago, it was handling only 1.4 billion requests a day.

Even if you don't use OpenDNS now, it can come in handy as an emergency fallback, should something go wrong with your current DNS servers.

* I wrote The blinking lights on a router are talking to you back in July.

See a summary of all my Defensive Computing postings.

Originally posted at Defensive Computing
December 15, 2007 8:54 PM PST

OpenDNS provides added safety for free

by Michael Horowitz

OpenDNS is a free online service that offers an extra layer of safety on the Internet. Technically, the service is DNS resolution, which I'll explain below. The main defensive computing advantage it provides is protection from bad Web sites, most importantly from phishing scams. ID theft is, to me at least, the worst thing that can happen to a computer user, so any extra protection helps. You also get some flexibility in deciding which other types of Web sites should be restricted.

You don't have to register to use the service, and there is no software to download or install. All that's involved is a change to the networking configuration of either your computer or your router. This is a one-time change--OpenDNS requires no ongoing care and feeding. Should you ever want to stop using the service, simply reverse the configuration change. I've used it for quite a while and fail to see a downside.

What is DNS resolution?

This topic can be a bit technical, but some background is required to understand where OpenDNS fits and how it can provide the services it does. I'll be as brief as possible.

Every computer on the Internet is assigned a unique number. Americans can think of it as a Social Security number for their computer. When two computers talk to each other on the Internet, they address each other using this number, which we nerds call an IP address. You can see the IP address of the computer you're reading this blog posting with by visiting www.ipchicken.com, whatismyip.com, whatismyipaddress.com, www.myipaddress.com or other similar Web sites.

Technically, an IP address (more precisely an IPv4 address, the only kind discussed here) is a 32-bit binary number, a bit being a binary digit. For example, when going to www.cnet.com, under the covers your computer is talking to a CNET machine at this IP address: 11011000111011110111101000110011

For simplicity's sake, an IP address is written in decimal rather than binary. To make it especially simple, the 32 bits are split into four clumps of eight, each clump is converted to decimal, and the four numbers are separated by periods. Thus, the standard way of writing the above IP address is 216.239.122.51 (without a period at the end).
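The conversion just described, carried both ways with input checking, plus the test the footnote below alludes to (whether an address belongs to a range set aside for internal use). This is an added example, not from the post; the internal ranges are the RFC 1918 blocks, which the post does not name.

```python
# RFC 1918 address blocks, written as (network, prefix length).
PRIVATE_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def bits_to_dotted(bits):
    """'11011000111011110111101000110011' -> '216.239.122.51'"""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("an IPv4 address is exactly 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def dotted_to_int(dotted):
    """'216.239.122.51' -> the same 32-bit number as a Python int,
    rejecting anything that is not four decimal octets in 0..255."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("expected four decimal octets in the range 0..255")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def dotted_to_bits(dotted):
    """'216.239.122.51' -> '11011000111011110111101000110011'"""
    return format(dotted_to_int(dotted), "032b")


def is_private(dotted):
    """True for addresses that only ever appear inside a LAN, never on the Internet."""
    addr = dotted_to_int(dotted)
    for network, prefix in PRIVATE_RANGES:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if addr & mask == dotted_to_int(network):
            return True
    return False


if __name__ == "__main__":
    print(bits_to_dotted("11011000111011110111101000110011"))
    print(dotted_to_bits("216.239.122.51"))
    print(is_private("192.168.111.111"), is_private("216.239.122.51"))
```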


As proof, enter this IP address in the address bar of your Web browser. You will end up at cnet.com.*

Just as people have both names and phone numbers, computers on the Internet have both names (www.cnet.com) and IP addresses (216.239.122.51). DNS resolution can be thought of as a telephone book. It is the process of converting the name of a computer to its IP address.

DNS (Domain Name System) is a huge distributed system that functions amazingly well, especially considering that its initial design predates the Internet as we now know it by many years.

When your computer goes to www.cnet.com (or any other Web site) it first obtains the IP address by making a translation request to a computer called a DNS server. The translation (technically DNS resolution) happens so quickly and transparently you are not aware of it.

DNS is a core service provided by every ISP, each of which runs a pair of computers called DNS servers (at least a pair, maybe more). When you first connect to the Internet, you are assigned a pair of DNS servers. Should one fail, your computer automatically tries the other. Windows Vista, XP and 2000 users can see this by entering the command "ipconfig /all" at a command prompt. Sample XP output from this command is shown below.

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix .. : mydomain2
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Mobile...
Physical Address. . . . . . . . . : 10-12-24-D1-DE-C0
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.111.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220

Lease Obtained. . . . . . . . . . : Saturday, December 15, 2007 2PM
Lease Expires . . . . . . . . . . : Sunday, December 16, 2007 2AM
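A mechanical version of the check suggested in the previous posting (restart each computer and verify it really uses OpenDNS), added here as an example rather than anything from the post: it parses the "ipconfig /all" text above and reports any adapter whose DNS servers are not the two OpenDNS addresses, flagging the case the post warns about, an adapter configured statically so that the router's DHCP change never reaches it. The sample is the output shown above, with field lines unindented as the post reproduced them; the expected-resolver set is the pair the post gives.

```python
import re

OPENDNS = {"208.67.222.222", "208.67.220.220"}

# The XP output from above, reproduced as the post shows it.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix .. : mydomain2
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Mobile...
Physical Address. . . . . . . . . : 10-12-24-D1-DE-C0
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.111.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220

Lease Obtained. . . . . . . . . . : Saturday, December 15, 2007 2PM
Lease Expires . . . . . . . . . . : Sunday, December 16, 2007 2AM
"""

ADAPTER_RE = re.compile(r"^\S.*\badapter\b.*:\s*$", re.I)   # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s*(.+?)\s*\.[ .]*:\s*(.*)$")       # "Name . . . : value"


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}. A line that is neither an adapter
    header nor a dot-leader field continues the previous field, which is
    how ipconfig prints the second DNS server."""
    adapters, adapter, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if ADAPTER_RE.match(line):
            adapter = line.strip()[:-1]
            adapters[adapter], field = {}, None
            continue
        if adapter is None:
            continue                       # header text before the first adapter
        m = FIELD_RE.match(line)
        if m:
            field = m.group(1)
            values = adapters[adapter].setdefault(field, [])
            if m.group(2):
                values.append(m.group(2).strip())
        elif field is not None:
            adapters[adapter][field].append(line.strip())
    return adapters


def check_resolvers(adapters, expected=OPENDNS):
    """Return (ok, findings). ok is True only when every adapter that lists
    DNS servers lists only expected ones; findings describe each deviation."""
    findings = []
    for name, fields in adapters.items():
        servers = fields.get("DNS Servers", [])
        if not servers:
            findings.append(f"{name}: no DNS servers listed")
            continue
        unexpected = [s for s in servers if s not in expected]
        if not unexpected:
            continue
        findings.append(f"{name}: unexpected resolver(s) {', '.join(unexpected)}")
        dhcp = next((v for k, v in fields.items() if k.lower() == "dhcp enabled"), ["Yes"])
        if dhcp and dhcp[0].lower() == "no":
            findings.append(f"{name}: set statically, so the router's DHCP change does not reach it")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_resolvers(parse_ipconfig(SAMPLE_IPCONFIG))
    print("OK: every adapter uses OpenDNS" if ok else "\n".join(findings))
```

Run it against the real output of "ipconfig /all" on each machine after the router change; a laptop with wired, wireless and dial-up adapters will show up as several adapters, each checked separately.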

As the name implies, OpenDNS runs its own DNS servers. To use the service, you change the TCP/IP networking settings on your computer (or router) to point to OpenDNS's servers instead of your ISP's. OpenDNS provides excellent instructions for doing this.

Why OpenDNS?

Running DNS servers is not a trivial thing--there are many configuration options that need to be understood and correctly set up. In addition, speed and redundancy are critical issues. A cable TV company or a telephone company may not have the in-house expertise to do this well. OpenDNS is a specialist. Consider that the first reason to use them.

Hopefully, because they are specialists, their DNS servers will be more resistant to attack by the bad guys.

Nothing is worse than a compromised DNS server.

I don't say this lightly. If your computer is talking to a compromised DNS server, you can enter "www.citibank.com" (for example) into the address bar of your Web browser and not end up at Citibank's Web site, but instead be looking at a phony imitation Web site. Kiss your identity goodbye.

In addition to infrastructure, OpenDNS adds intelligence to the translation process that was not part of the original design of the DNS system. That intelligence, such as preventing you from accessing known bad Web sites, is the big selling point (if a free service can have a selling point). Next time, I'll go into more detail on the various types of protection offered by OpenDNS.

Let me end by pointing out that OpenDNS protection applies to your whole Internet connection. Any program that looks up computers by name through the configured DNS servers will be protected, whether it be a Web browser, e-mail program, instant-messaging program, FTP client or whatever. (A program that carries its own list of DNS servers, as some malware does, bypasses it.) I mention this for a couple of reasons.

First, malicious e-mail messages sometimes include links based on an IP address (e.g., http://1.2.3.4) rather than the name of the computer. Referencing a computer by IP address does not involve DNS, so OpenDNS cannot help with such a link; you always have to be on the lookout for this, as a raw IP address in a link is a strong warning sign.

Also, if you have multiple ways of connecting to the Internet on your computer, then you'll have to make the necessary TCP/IP configuration changes for each connection. For example, laptop users interested in OpenDNS should change the wired Ethernet, modem dial-up, and wireless Wi-Fi connection. The same heads-up applies to anyone using one of the wireless data services from a cell phone company.

To be continued...


Update. December 17, 2007: According to this article in the New York Times, OpenDNS was started with "... a $2 million investment from Halsey M. Minor, the former chief executive at CNET.com." I was not aware of this when writing this posting.



*It's actually more complicated than this. For example, multiple Web sites can share a single IP address, one computer can have multiple IP addresses and, in a LAN environment where multiple computers share a single high-speed Internet connection, only the router has an IP address on the Internet. The other computers have IP addresses too, but from ranges set aside for internal use only (the RFC 1918 private ranges); those addresses are never routed on the public Internet.

See a summary of all my Defensive Computing postings.

Originally posted at Defensive Computing