OpenDNS: remedy DNS server vulnerability?


davidh
August 10th, 2008, 09:49 PM
I think it might be a good idea for laptop users who connect to the Internet from multiple locations to reconfigure their laptops to use a single trustworthy DNS server instead of whatever default one is provided at a particular location. I.e. NOT to use the normal default of DHCP to configure DNS when you boot the laptop.

According to what I read yesterday, a very significant percentage of DNS servers worldwide have yet to be hardened against the recently revealed recursive DNS server vulnerability. Note well, that if whatever DNS server you happen to be using is compromised by bad guys, then the bad guys effectively become Lords of the Internet and very likely Lords of your computer, too.

Note well too, that even if a DNS server HAS been hardened, there is already a new exploit available and published that would allow (with some added effort and time) compromising of hardened DNS servers. So it may very well be that only certain highly secure DNS servers (hopefully including OpenDNS) would be effectively safe.

I don't use OpenDNS myself since I don't have a laptop. I probably would use it if I did.

DH

Mike
August 10th, 2008, 10:43 PM
OpenDNS is useful even if not using a notebook or other portable computer. My ISP's DNS sometimes is a bit unreliable, but OpenDNS seems rock solid!

sidney
August 11th, 2008, 12:44 AM
there is already a new exploit available and published that would allow (with some added effort and time) compromising of hardened DNS servers

It is very unlikely that it could be used against an ISP. More likely it would be used to attack a business with a DNS server on the same fast LAN as machines that can be taken over by trojan horses. ISPs tend not to keep machines like that on the same LAN as their public servers and also tend to have better defences against flooding attacks.

From all I hear using OpenDNS is as safe a choice as you could find.

Dan in Saint Louis
August 11th, 2008, 10:47 AM
OpenDNS is useful even if not using a notebook or other portable computer. My ISP's DNS sometimes is a bit unreliable, but OpenDNS seems rock solid!

If sometimes a bit slow. I often wait while the "looking up..." message stares at me.

Judy G. Russell
August 11th, 2008, 11:39 AM
OpenDNS is useful even if not using a notebook or other portable computer. My ISP's DNS sometimes is a bit unreliable, but OpenDNS seems rock solid!

And how does one configure a laptop to use this?

davidh
August 11th, 2008, 01:10 PM
And how does one configure a laptop to use this?

Maybe this is what you're looking for:

Windows XP Home Edition >> Help and Support Center >> Networking and the Web >> Networking >> Network components >> To configure TCP/IP settings


To configure TCP/IP settings
1. Open Network Connections.
2. Click the connection you want to configure, and then, under Network Tasks, click Change settings of this connection.
3. Do one of the following:
-- If the connection is a local area connection, on the General tab, under This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.
-- If this is a dial-up, VPN, or incoming connection, click the Networking tab. In This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.
4. Do one of the following:
-- If you want IP settings to be assigned automatically, click Obtain an IP address automatically, and then click OK.
-- If you want to specify an IP address or a DNS server address, do the following:
---- Click Use the following IP address, and in IP address, type the IP address.
---- Click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server, type the addresses of the primary and secondary DNS servers.
5. To configure DNS, WINS, and IP Settings, click Advanced.


Notes

-- To open Network Connections, click Start, click Control Panel, and then double-click Network Connections.
-- You should use automated IP settings (DHCP) whenever possible, for the following reasons:
---- DHCP is enabled by default.
---- If your location changes, you do not have to modify your IP settings.
---- Automated IP settings are used for all connections, and they eliminate the need to configure settings such as DNS, WINS, and so on.


http://opendns.com/ lists the IPs of the DNS servers as:

208.67.222.222
208.67.220.220

I have not actually done this myself. I tested the OpenDNS DNS servers by reconfiguring my router/DSL modem.

DH

davidh
August 11th, 2008, 01:39 PM
And how does one configure a laptop to use this?

BTW if you want to do the extra work, it's possible to set up your PC and OpenDNS so that known malware sites, gambling sites, known porn, etc. are blocked automatically. You can specify the types of sites you'd like their DNS server to block for you in a somewhat detailed way, so it can be personalized to an appreciable degree if one so desires.

Of course, Firefox 3 even by itself helps in blocking bad sites, and other add-ons such as NoScript can help security tremendously. So for me, using OpenDNS has not been a priority yet.

DH

davidh
August 11th, 2008, 01:43 PM
It is very unlikely that it could be used against an ISP. More likely it would be used to attack a business with a DNS server on the same fast LAN as machines that can be taken over by trojan horses. ISPs tend not to keep machines like that on the same LAN as their public servers and also tend to have better defences against flooding attacks.

From all I hear using OpenDNS is as safe a choice as you could find.

As you say, I figured attacks would be more likely successful against the DNS of small outfits. However, even the coverage of the Fortune 500 DNSs may still not be very close to 99% yet, according to one report I skimmed over the past weekend.

DH

sidney
August 11th, 2008, 03:31 PM
And how does one configure a laptop to use this?

Some more details: Typically a laptop is configured to get both IP address and DNS server addresses automatically from DHCP. In the Windows connection settings (properties for TCP/IP) you can select to get the ip address automatically and override the DNS part, entering the OpenDNS ip addresses manually. That will ensure that your laptop uses OpenDNS wherever you go. If you prefer to use OpenDNS when you are at home but accept the choice of DNS server at your office, public WiFi point, etc., you would instead change the DNS addresses in your home router, then the laptop will get those DNS addresses provided to it by the router's DHCP server.

Also, OpenDNS provides a number of services that you may or may not want, and which you can configure by registering a free account at their website and entering ip addresses that you come in from. For example, by default if you enter a nonexistent domain name, say because of a typo, you will get directed to a web site with search link ads. If you turn that off you will get the standard "not found" page. They also have phishing protection that will block domains that are on their blacklist. You may want to leave that enabled and disable the ads.

Judy G. Russell
August 11th, 2008, 03:50 PM
If you prefer to use OpenDNS when you are at home but accept the choice of DNS server at your office, public WiFi point, etc., you would instead change the DNS addresses in your home router, then the laptop will get those DNS addresses provided to it by the router's DHCP server.

What are the benefits / drawbacks of doing this either way? (And thanks to you and David both on this.)

sidney
August 11th, 2008, 04:39 PM
What are the benefits / drawbacks of doing this either way? (And thanks to you and David both on this.)

Why you might want to leave your laptop configured to automatically get the DNS addresses from the DHCP server: It is possible that you can't use OpenDNS in some locations, for example because of corporate firewall settings, or because the corporate DNS contains host name definitions that are for use on the corporate LAN and not published to the outside Internet.

Why you might want to hardcode the OpenDNS ip addresses in your laptop settings: You trust the security and/or performance of OpenDNS more than you trust the security and/or performance of the DNS servers set up by each of the different places you take your laptop.

Why you might want to configure your home router or WiFi access point to tell its DHCP clients to use OpenDNS servers: You trust OpenDNS security and/or performance more than the DNS servers provided by your ISP, and configuring it on your home router gives you one place to set it for all computers at your home, assuming that they are all configured to obtain IP address and DNS settings via DHCP from your router. If you have to use the DHCP-provided DNS at work, then configuring OpenDNS on your router allows you to not have to change laptop settings between home and office; you just have it always set to get DNS addresses automatically from DHCP wherever you are.

If your laptop makes it easy to have different network configurations based on location, then you can decide to hardcode OpenDNS when you are in one location and get DNS addresses from DHCP when you are somewhere else.
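
The Windows steps David pasted from XP Help and the per-location choice sidney lays out above, as an added example (not from the thread, and not OpenDNS's or Microsoft's code): a small Python script that turns either choice into the classic `netsh interface ip` commands, which do the same thing as the TCP/IP properties dialog. Only the DNS list is overridden; the IP address stays on DHCP. The interface name "Local Area Connection" and the profile names are assumptions; check `netsh interface ip show config` for your own interface name. The OpenDNS addresses are the two listed above. The `run` parameter exists so the command plan can be inspected without touching the machine.

```python
"""Switch a Windows connection between DHCP-assigned DNS and hard-coded OpenDNS.

Added example, not from the thread. Builds the ``netsh interface ip`` commands
(present since Windows XP) that correspond to the "Obtain DNS server address
automatically" and "Use the following DNS server addresses" radio buttons.
Needs an elevated (administrator) prompt to actually apply.
"""
import subprocess
import sys

# Addresses taken from the thread (OpenDNS public resolvers).
OPENDNS = ("208.67.222.222", "208.67.220.220")

# Assumed interface name; see ``netsh interface ip show config`` for yours.
DEFAULT_INTERFACE = "Local Area Connection"

PROFILES = {
    "dhcp": None,        # trust whatever DNS the local DHCP server hands out
    "opendns": OPENDNS,  # always use OpenDNS, wherever the laptop connects
}


def netsh_commands(profile, interface=DEFAULT_INTERFACE):
    """Return the netsh argv lists that apply *profile* to *interface*.

    Kept separate from execution so the plan can be printed or tested
    without changing anything.
    """
    servers = PROFILES[profile]
    base = ["netsh", "interface", "ip"]
    if servers is None:
        # Back to "Obtain DNS server address automatically".
        return [base + ["set", "dns", f"name={interface}", "source=dhcp"]]
    # First server replaces the list; later ones are appended as alternates.
    cmds = [base + ["set", "dns", f"name={interface}", "source=static",
                    f"addr={servers[0]}"]]
    for index, addr in enumerate(servers[1:], start=2):
        cmds.append(base + ["add", "dns", f"name={interface}",
                            f"addr={addr}", f"index={index}"])
    return cmds


def apply_profile(profile, interface=DEFAULT_INTERFACE, run=subprocess.run):
    """Execute the plan, then show the resulting DNS list for verification."""
    for argv in netsh_commands(profile, interface):
        run(argv, check=True)
    run(["netsh", "interface", "ip", "show", "dns", f"name={interface}"],
        check=False)


if __name__ == "__main__":
    choice = sys.argv[1] if len(sys.argv) > 1 else "opendns"
    if choice not in PROFILES:
        sys.exit(f"unknown profile {choice!r}; choose one of {sorted(PROFILES)}")
    apply_profile(choice)
```

Run it as `python dnsprofile.py opendns` before leaving home and `python dnsprofile.py dhcp` at the office, which is the "different network configurations based on location" idea without relying on the laptop vendor's profile tool.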

Judy G. Russell
August 11th, 2008, 08:14 PM
If your laptop makes it easy to have different network configurations based on location, then you can decide to hardcode OpenDNS when you are in one location and get DNS addresses from DHCP when you are somewhere else.

Got it, and thanks!

Mike
August 12th, 2008, 01:50 AM
I often wait while the "looking up..." message stares at me.

Maybe it's because I'm closer to the OpenDNS nodes?

Occasionally I see a momentary pause (less than a second), but I used to see much longer delays when using my ISP's DNS.

Dan in Saint Louis
August 12th, 2008, 10:00 AM
Maybe it's because I'm closer to the OpenDNS nodes?

"Closer" is all relative in the electronic world. Ping times from coast to coast ought to be less than 100 milliseconds. Indeed the pings to both the public OpenDNS IP addresses are 30 milliseconds.

I am afraid that it is server overload. OpenDNS may be on the verge of becoming a victim of its own success.

Mike
August 13th, 2008, 02:54 AM
Indeed the pings to both the public OpenDNS IP addresses are 30 milliseconds.

And when I ping both addresses, I get results in the 10-12 millisecond range.

By "closer," I meant fewer hops.

fhaber
August 13th, 2008, 01:35 PM
Sidney, what's your take on the severity of the current brouhaha?

o Even the vaunted DJB says his server is vulnerable.

o Those who know say DNSSEC is vulnerable

o The current industry-wide fix extends the window for massive poisoning attacks to 8-10 hours. That's encouraging, but not a solid solution.

TCP instead of UDP? (slow). Switch to TCP after a flood? What won't break every piece of DNSware ever written?

sidney
August 13th, 2008, 06:33 PM
Sidney, what's your take on the severity of the current brouhaha?

Quite severe. The exploit is now out there and unpatched sites have been hacked.

Even the vaunted DJB says his server is vulnerable.

He always said so, even back in 2001 (http://cr.yp.to/djbdns/forgery.html). He advocated randomizing source ports back then, but only as a way to multiply the cost of the attack by a factor of 65536, not as a way to make the attack impossible.

Those who know say DNSSEC is vulnerable

Do you have a reference for that? I didn't find any. I did find two recent vulnerability reports, each having to do with specific bugs in specific implementations of DNSSEC, but those were just program bugs that were quickly patched. DJB has said that DNSSEC is not a solution, but what he specifically said was that running DNSSEC is not a solution because it has not been deployed by the root servers or just about anyone else, so it will not help you if you run it, and he didn't expect it to be deployed. With Kaminsky's revelation of how serious the cache poisoning problem is, it now looks more likely that ICANN will end up doing something about DNSSEC. Oh, DJB did have another problem with DNSSEC, that a rogue employee of the administrator of the root servers (at the time Network Solutions) could take over the Internet. That is true, but it is a different class of problem. Besides, I don't see how someone like that could do it any more easily than they can now.

DJB does have a solution that involves having all domain names have a digital fingerprint appended to them, so that instead of microsoft.com you would have something like
microsoft-AF19FA272F94998DFDB5DE3DF8B506E4A1694E46.com

You can get security with that, but I think that would be a hard sell as a fundamental change to DNS on the Internet.

The current industry-wide fix extends the window for massive poisoning attacks to 8-10 hours. That's encouraging, but not a solid solution

Everyone agrees with that. The point was to mitigate the immediate emergency and then go to work on a permanent solution, which everyone seems to think is most likely going to be DNSSEC.

TCP instead of UDP? (slow). Switch to TCP after a flood? What won't break every piece of DNSware ever written?

Yup, the consensus I've seen is that would be at least as disruptive as switching to DNSSEC and not as effective. People suggested it as a theoretical possibility based on the fact that the DNS specs do not preclude using TCP instead of UDP, but since it is never done you cannot count on actual implementations continuing to work (or to handle the load even if they are written to understand TCP) if the change were made. And it would still not protect against a class of forgery attacks that DNSSEC is designed to prevent. If we have learned anything from DJB, it is that it is best to use a secure design to protect against perceived weaknesses instead of waiting until someone clever figures out a practical exploit for the weakness.
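
To make sidney's point about source-port randomisation concrete (the "multiply the cost of the attack by a factor of 65536" from DJB's 2001 page), here is an added example that is not from the thread and is not DJB's, Kaminsky's or any resolver's actual code: the checks a caching resolver applies to an incoming UDP answer before it will cache it, run against a constructed genuine answer, a constructed answer with a wrong transaction ID, and a constructed answer delivered to the wrong port. The domain name and the 192.0.2.x addresses are made up for the example. `guess_space()` gives the number of ID/port combinations a blind forger would have to cover with and without the fix, which is why the patched window stretches from seconds to hours rather than disappearing.

```python
"""The checks a caching resolver applies before it accepts a UDP answer,
and the size of the guess space a blind forger faces with and without
source-port randomisation. Added example, not from the thread."""
import secrets
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    r"""'www.example.com' -> b'\x03www\x07example\x03com\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Read an uncompressed name at *offset*; return (name, offset_after)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointer; never valid in a question we sent
            raise ValueError("unexpected compression pointer in question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qid, name, qtype=1):
    """Standard recursive query (RD=1) for an A record of *name*."""
    header = DNS_HEADER.pack(qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(qid, name, ipv4, ttl=300):
    """Answer to build_query(): the question echoed, plus one A record whose
    owner name is a pointer (0xC00C) back to the question name."""
    header = DNS_HEADER.pack(qid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


class PendingQuery:
    """State the resolver keeps while waiting for the authoritative server."""

    def __init__(self, name, qtype=1, randomize_port=True):
        self.name = name.lower().rstrip(".")
        self.qtype = qtype
        self.qid = secrets.randbelow(65536)  # 16-bit transaction ID
        # Pre-patch resolvers reused one fixed port; the fix picks a fresh
        # random ephemeral port per query.
        self.src_port = secrets.randbelow(65536 - 1024) + 1024 if randomize_port else 53
        self.packet = build_query(self.qid, name, qtype)


def response_matches(pending, data, dst_port):
    """Accept *data* only if it reached the port the query left from and its
    ID and question echo the outstanding query. Anything else is dropped, so
    a forged answer that guessed wrong is never cached."""
    if dst_port != pending.src_port or len(data) < DNS_HEADER.size:
        return False
    qid, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(data)
    if qid != pending.qid or not flags & 0x8000 or qdcount != 1:
        return False
    try:
        name, off = decode_name(data, DNS_HEADER.size)
        qtype, qclass = struct.unpack_from("!HH", data, off)
    except (ValueError, IndexError, struct.error):
        return False
    return name.lower() == pending.name and qtype == pending.qtype and qclass == 1


def guess_space(randomize_port):
    """Combinations a blind forger must cover: 2**16 IDs alone, times 2**16
    again when the source port is random (the factor DJB cited)."""
    return 65536 * (65536 if randomize_port else 1)


def demo():
    """Constructed exchange: one genuine answer, one with a guessed ID, and
    the genuine one delivered to a port the query never used."""
    pending = PendingQuery("www.example.com")  # name made up for the example
    genuine = build_response(pending.qid, "www.example.com", "192.0.2.10")
    wrong_id = build_response((pending.qid + 1) & 0xFFFF, "www.example.com", "192.0.2.99")
    return (
        response_matches(pending, genuine, pending.src_port),
        response_matches(pending, wrong_id, pending.src_port),
        response_matches(pending, genuine, (pending.src_port + 1) % 65536),
    )


if __name__ == "__main__":
    print("accepted genuine / wrong id / wrong port:", demo())
    print("guess space, fixed port:", guess_space(False))
    print("guess space, random port:", guess_space(True))
```

The question-echo check is why a forged answer cannot simply answer "some other name"; the ID and port checks are the whole of the pre-DNSSEC defence, and both are just 16-bit numbers, which is sidney's point that the fix buys time rather than closing the hole. DNSSEC replaces this guessing game with a signature check on the data itself.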

davidh
August 13th, 2008, 07:08 PM
If we have learned anything from DJB, it is that it is best to use a secure design to protect against perceived weaknesses instead of waiting until someone clever figures out a practical exploit for the weakness.

Not true, because sales, management, and engineering will almost always overestimate the speed and reliability with which they can implement the project, let alone design it right in the first place.

DH

:o :rolleyes:
Forgot to take my happy pill today :(

davidh
August 13th, 2008, 08:38 PM
It is very unlikely that it could be used against an ISP. More likely it would be used to attack a business with a DNS server on the same fast LAN as machines that can be taken over by trojan horses. ISPs tend not to keep machines like that on the same LAN as their public servers and also tend to have better defences against flooding attacks.

From all I hear using OpenDNS is as safe a choice as you could find.
As I understand it, one way to protect yourself might be to examine the site certificate. If one were intentionally misdirected to a bogus site by a corrupt DNS, even if the bogus site used SSL *and* appeared outwardly legit, it is still unlikely that it could cough up a legit certificate.

Certificates can be viewed by clicking the icon to the left side of the address entry drop down box in Firefox 3 [and earlier I hope?].

DH

davidh
August 13th, 2008, 08:44 PM
As I understand it, one way to protect yourself might be to examine the site certificate. If one were intentionally misdirected to a bogus site by a corrupt DNS, even if the bogus site used SSL *and* appeared outwardly legit, it is still unlikely that it could cough up a legit certificate.

Certificates can be viewed by clicking the icon to the left side of the address entry drop down box in Firefox 3 [and earlier I hope?].

DH

Apparently this precaution will not work when logging in to the tapcis forum. Not that it's a big deal, but I wonder if it's an option in vBulletin?

DH

sidney
August 14th, 2008, 12:02 AM
it still unlikely that it could cough up a legit certificate

Unless they had already used the DNS spoofing to trick you into accepting an update of your root certificates. That shouldn't be possible without you having a chance to verify an SSL certificate, but imagine what someone could do if they controlled what you saw when there are addresses like mozilla.org and microsoft.com in your browser address box, and if they could supply javascript that seems to come from sites that are on your NoScript whitelist. It's conceivable that they could trick you into clicking something to accept an update and then they have you.
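
David's certificate precaution, with sidney's caveat, as an added example that is not from the thread and not Firefox's or Python's own verification code: the rule a browser applies when it decides whether the certificate a server presents was issued for the name you typed. A DNS spoof can send you to the wrong machine, but that machine can only hold a CA-issued certificate for its own names, so the hostname check fails unless (sidney's point) your trust store has already been tampered with. The three certificates are constructed in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns; the names in them are made up. `check_live()` does a real connection and relies on `ssl.create_default_context()`, which performs this same check itself and raises on a mismatch.

```python
"""Why a DNS spoof alone does not get an attacker past HTTPS: the certificate
must be issued for the name in the address bar. Added example, not from the
thread; the hostname rule is re-implemented in plain Python so it is visible."""
import socket
import ssl

# Constructed certificates in the dict layout ssl.SSLSocket.getpeercert() uses.
LEGIT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
# What a server you were misdirected to can legitimately hold: a certificate
# for its own name, not for the one you typed.
OTHER_CERT = {
    "subject": ((("commonName", "host.attacker-owned.example"),),),
    "subjectAltName": (("DNS", "host.attacker-owned.example"),),
}


def _label_match(pattern, hostname):
    """RFC 6125 style: '*' may stand in only for the whole leftmost label,
    and only when at least two labels follow it (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True if *cert* was issued for *hostname*.

    dNSName entries in subjectAltName are authoritative; the commonName is
    consulted only when the certificate carries no DNS SANs at all."""
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_label_match(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_match(value, hostname)
    return False


def check_live(hostname, port=443):
    """Connect and report whether the presented certificate is for *hostname*.

    The default context already validates the chain against the system trust
    store and checks the hostname; any failure means the site should not be
    trusted, whatever the address bar says."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return hostname_matches(tls.getpeercert(), hostname)
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("wildcard", WILDCARD_CERT),
                        ("other", OTHER_CERT)):
        print(label, "matches www.example.com:", hostname_matches(cert, "www.example.com"))
```

The `LEGIT_CERT`/`OTHER_CERT` pair is the whole argument: being sent to the wrong address does not change which names the far end can prove. What it cannot defend against is exactly what sidney describes, a trust store that has already been altered, since then the misdirecting server can hold a certificate your browser has been told to believe.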

sidney
August 14th, 2008, 12:18 AM
I wonder if it's an option in vBulletin?

I've seen some discussion on their forums about why it isn't. The password is hashed with MD5 and no salt when you enter it by typing it into a login. If you are logged in automatically with a cookie, the cookie that gets sent has the password hashed more securely using MD5 with a heap of salt. There is no provision for adding SSL on top of that unless the entire website including all images is served under SSL. So the password is never sent in the clear, but I would not use the same password that I used for something more valuable such as my banking.

-- sidney

Mike
August 14th, 2008, 03:47 AM
It is very unlikely that it could be used against an ISP. More likely it would be used to attack a business with a DNS server...

Heh, do a lookup on IP 194.7.41.152.

Then try 194.7.41.151, 194.7.41.153, 194.7.41.150, 194.7.41.154, etc.

I got some spam that claims to be from Amazon.com, and the first received header has the first IP address I listed. Thus, I assumed it really was from Amazon, and I complained. Amazon claimed, "not ours," and that message was injected at 207.171.164.45. A dig shows most of Amazon's addresses are in the 207.171.*.* block.

sidney
August 14th, 2008, 05:44 AM
I got some spam that claims to be from Amazon.com, and the first received header has the first IP address I listed

That isn't a result of the DNS cache poisoning vulnerability. Amazon is having problems policing their cloud computing service. Two articles from early July:

Amazon: Hey Spammers, Get Off My Cloud! (http://blog.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html) (Security Fix, Washington Post blog)

Justin Mason's blog reaction to it (http://taint.org/2008/07/02/162007a.html) which goes into much greater depth. FYI, Justin is the original author of SpamAssassin and is still active on the Apache SpamAssassin Project Management Committee and so knows of what he speaks.

Dan in Saint Louis
August 14th, 2008, 09:37 AM
it still unlikely that it could cough up a legit certificate.

Hey! Even Microsoft can't always cough up a legit certificate:

http://www.tapcis.com/forums/attachment.php?attachmentid=361&d=1216242705

Judy G. Russell
August 14th, 2008, 10:07 AM
I would not use the same password that I used for something more valuable such as my banking.

A good idea under any circumstances!

Mike
August 15th, 2008, 02:28 AM
Amazon is having problems policing their cloud computing service.

I saw those articles at that time, but I was under the impression that the IP addresses used in those would be in the Amazon netblock.

fhaber
August 15th, 2008, 01:46 PM
>Do you have a reference for that?

Only less succinct versions of what you just gave me (g).