Comments on TaoSecurity Blog: Scalable Infrastructure vs Large Problems, or OpenDNS vs Conficker
Blog author: Richard Bejtlich
Comment feed last updated 2023-10-16T06:06:25-04:00 (comments listed newest first)

----------------------------------------------------------------------
Anonymous, 2009-04-02 02:05 -04:00

It's probably good to keep in mind that the CONFICKER botnet has a built-in p2p network, which means it doesn't really need any of the 250 or 50,000 domains to work in order for it to get upgraded.

So saying OpenDNS is going to protect you because it will block the 50,000 domains doesn't exactly give the whole picture.

----------------------------------------------------------------------
Anonymous (signed Tomas Vanhoof), 2009-03-31 20:10 -04:00

I would like to point out that OpenDNS is directing traffic destined for www.google.com through proxy servers they operate.

You can check this for yourself, but FYI:

Normal results (may depend on your geographical location):

    C:\Tools\isc-dig>dig www.google.com +short
    www.l.google.com.
    74.125.79.104
    74.125.79.99
    74.125.79.103
    74.125.79.147
    C:\Tools\isc-dig>

When using OpenDNS servers:

    C:\Tools\isc-dig>dig www.google.com @208.67.222.222 +short
    google.navigation.opendns.com.
    208.69.34.230
    208.69.34.231

    C:\Tools\isc-dig>dig www.google.ca @208.67.222.222 +short
    www.google.com.
    google.navigation.opendns.com.
    208.69.34.231
    208.69.34.230

    C:\Tools\isc-dig>dig www.google.co.uk @208.67.222.222 +short
    www.google.com.
    google.navigation.opendns.com.
    208.69.34.231
    208.69.34.230

    C:\Tools\isc-dig>

Credit for finding this out (AFAIK) goes to HD Moore; see http://blog.metasploit.com/2008/07/on-dns-attacks-in-wild-and-journalistic.html

David Ulevitch from OpenDNS states in a comment on the above blog post:

"With regards to the Google redirect, it is done to solve some issues caused by newer versions of the Google toolbar. We do it in as clear a way as possible (hence the CNAME instead of just returning an IP). We also make it easy to turn off just by going to "Settings -> Advanced Settings" and unchecking the box for the proxy. 99.999% of people don't care, and for the few who do, that's why we make it as crystal clear as we do. And finally, we do not keep logs of ANY of the traffic that passes through it."

You could discuss whether or not they are open about this, and to what degree (see http://www.opendns.com/support/article/244 ), and whether or not this infringes their privacy statements, but most importantly:

(1) be aware of this

(2) do your own evaluation of benefits and tradeoffs

Regards
Tomas Vanhoof

P.S.: Richard, please keep up the excellent work you do by running this blog! You have a positive impact on the professional lives of thousands of people, and this blog contributes to making systems and networks all over the world operate more securely! Thank you very much for that!

----------------------------------------------------------------------
Unknown, 2009-03-31 15:31 -04:00

What's to stop a future version or worm from just doing its own DNS lookups?

I suppose one could firewall all outgoing DNS except to OpenDNS.

----------------------------------------------------------------------
Anonymous, 2009-03-31 11:43 -04:00

The nmap scan at least uses a port 445 control... can't the worm just omit that port when it disables local firewall protection, or does it even need to have that open? If nmap sees it as filtered, I'm guessing it can't fingerprint it. I ran the new nmap and it seemed to do the check AFTER determining that 445 was open.

----------------------------------------------------------------------
zonky, 2009-03-30 20:57 -04:00

That's a fair point. Presumably OpenDNS are going to spell out when a blocked name is accessed via your web browser, much like they do for other services?

I guess I was initially thinking that in such a situation there would be little or no info on why a particular DNS name was not working.

I know OpenDNS do 'report errors' via web rewriting; do they also offer any sort of mail bounceback if you encountered a problem with a domain via SMTP or another common protocol?

----------------------------------------------------------------------
Nathaniel Richmond, 2009-03-30 20:48 -04:00

zonky, outsourcing site categorization and blocking is nothing new. Most companies using a web proxy or other similar tools are already blocking traffic based largely on lists of malicious domains generated outside one's own organization. How is using OpenDNS any worse? You always have the potential to block non-malicious sites, and how aggressive you want to be with blocking will depend largely on risk.

----------------------------------------------------------------------
zonky, 2009-03-30 20:42 -04:00

Agreed, there are never absolutes. But if OpenDNS are seriously proposing to be blocking 50,000 domains from DNS a day, does that not become a new form of Denial of Service attack?

I just feel sorry for the American-Armenian foundation of Kingston, Edgware, Guilford (based) Xenophobes, and their inability to acquire a domain that may work for a certain percentage of the internet.

----------------------------------------------------------------------
Richard Bejtlich, 2009-03-30 20:33 -04:00

Hi Zonky,

There are no perfect answers here, but this one looks best given the alternatives. And, if you don't like it, you don't have to use it. That works well I think!

----------------------------------------------------------------------
zonky, 2009-03-30 20:20 -04:00

So now you can create malware which encourages DoS attacks by OpenDNS against potentially legitimately registered domains?

Aren't we giving OpenDNS a bit too much power?