OpenDNS safer or not?
on 19.06.2007 22:09:56 by DFS
Is it safer to use OpenDNS as the default DNS, or is it better to use the
one from my ISP?
Supposedly, OpenDNS has some built-in safety. However, if OpenDNS ever gets
hacked, wouldn't it become the world's greatest phishing scheme?
The same applies to any DNS server of course, but my ISP's DNS server is a
less attractive target for hackers.
Re: OpenDNS safer or not?
on 20.06.2007 00:33:47 by Sebastian Gottschalk
peter wrote:
> Is it safer to use OpenDNS as the default DNS, or is it better to use the
> one from my ISP?
Both are bad, but your ISP's DNS is the lesser evil.
> Supposedly, OpenDNS has some built-in safety.
Yes, supposedly. As in
> However, if OpenDNS ever gets
> hacked, wouldn't it become the world's greatest phishing scheme?
Maybe. But doesn't someone who's using OpenDNS explicitly want to be phished?
> The same applies to any DNS server of course, but my ISP's DNS server is a
> less attractive target for hackers.
And what about your government, your state police and a lot of
censorship-interested companies? Most likely your ISP is blocking
rotten.com, stromfront.org and allofmp3.com as well.
Re: OpenDNS safer or not?
on 20.06.2007 00:41:06 by Neil W Rickert
"peter" writes:
>Is it safer to use OpenDNS as the default DNS, or is it better to use the
>one from my ISP?
Safest is to run your own caching DNS server.
Re: OpenDNS safer or not?
on 20.06.2007 01:23:05 by Sebastian Gottschalk
Neil W Rickert wrote:
> "peter" writes:
>
>> Is it safer to use OpenDNS as the default DNS, or is it better to use the
>> one from my ISP?
>
> Safest is to run your own caching DNS server.
With ORSN as root zone and as primary cache for the gTLDs.
Re: OpenDNS safer or not?
on 22.06.2007 18:06:56 by davidu
On Jun 19, 4:23 pm, "Sebastian G." wrote:
> Neil W Rickert wrote:
> > "peter" writes:
>
> >> Is it safer to use OpenDNS as the default DNS, or is it better to use the
> >> one from my ISP?
>
> > Safest is to run your own caching DNS server.
>
> With ORSN as root zone and as primary cache for the gTLDs.
Why on earth would you think that's "safer?"
We're giving more control and insight into the DNS than anyone ever
has. OpenDNS has done more to secure the DNS in less than a year than
the old guard of the Internet has in the last 20 years. DNSSEC where
is it? Blocking of botnets, phishing sites, etc at the resolver, at
the edge of the network where it has the most directed impact without
wide-spread repercussions? ORSN is the last thing on earth to be
using. They are a political hedged bet, nothing to do with security
or "safer."
-davidu (from OpenDNS, obviously)
Re: OpenDNS safer or not?
on 22.06.2007 18:56:59 by Sebastian Gottschalk
davidu wrote:
>>>> Is it safer to use OpenDNS as the default DNS, or is it better to use the
>>>> one from my ISP?
>>> Safest is to run your own caching DNS server.
>> With ORSN as root zone and as primary cache for the gTLDs.
>
> Why on earth would you think that's "safer?"
Simple: DNS is constructed that if there's disagreement in the root zone,
then the majority of the root servers dominates. Out of the 13 root servers,
7 are in the USA. Thus the USA can dictate disruption and censorship.
For the gTLDs: Just remember VeriSign's sitefinder. It's really better to
have a backup of such a zone.
> We're giving more control and insight into the DNS than anyone ever
> has. OpenDNS has done more to secure the DNS in less than a year than
> the old guard of the Internet has in the last 20 years.
Utter bullshit. OpenDNS has only done three things:
- promoting themselves
- destabilizing the system with additional TLDs not belonging to the ICANN root
- censorship
What exactly did they do for security?
> DNSSEC where is it?
Good question. OpenDNS doesn't even work with DNSSEC at all due to a broken
signature chain at the root.
> Blocking of botnets, phishing sites, etc at the resolver, at
> the edge of the network where it has the most directed impact without
> wide-spread repercussions?
Yes, this is exactly what OpenDNS is doing.
> ORSN is the last thing on earth to be using. They are a political hedged
> bet, nothing to do with security or "safer."
What a nonsense. ORSN is exactly the right approach against the current
problems.
> -davidu (from OpenDNS, obviously)
A clueless idiot, obviously.
Re: OpenDNS safer or not?
on 23.06.2007 06:33:46 by Neil W Rickert
davidu writes:
>On Jun 19, 4:23 pm, "Sebastian G." wrote:
>> Neil W Rickert wrote:
>> > "peter" writes:
>> >> Is it safer to use OpenDNS as the default DNS, or is it better to use the
>> >> one from my ISP?
>> > Safest is to run your own caching DNS server.
>> With ORSN as root zone and as primary cache for the gTLDs.
>Why on earth would you think that's "safer?"
>We're giving more control and insight into the DNS than anyone ever
>has. OpenDNS has done more to secure the DNS in less than a year than
>the old guard of the Internet has in the last 20 years.
I guess that makes you a true believer :(
> Blocking of botnets, phishing sites, etc at the resolver, at
>the edge of the network where it has the most directed impact without
>wide-spread repercussions?
OpenDNS "protects" you from phishing sites by giving out false
information. A DNS server that deliberately gives out false
information is a security risk. I advise against using OpenDNS.
Re: OpenDNS safer or not?
on 23.06.2007 07:00:13 by Barry Margolin
In article ,
Neil W Rickert wrote:
> davidu writes:
> >On Jun 19, 4:23 pm, "Sebastian G." wrote:
> >> Neil W Rickert wrote:
> >> > "peter" writes:
>
> >> >> Is it safer to use OpenDNS as the default DNS, or is it better to use
> >> >> the
> >> >> one from my ISP?
>
> >> > Safest is to run your own caching DNS server.
>
> >> With ORSN as root zone and as primary cache for the gTLDs.
>
> >Why on earth would you think that's "safer?"
>
> >We're giving more control and insight into the DNS than anyone ever
> >has. OpenDNS has done more to secure the DNS in less than a year than
> >the old guard of the Internet has in the last 20 years.
>
> I guess that makes you a true believer :(
>
> > Blocking of botnets, phishing sites, etc at the resolver, at
> >the edge of the network where it has the most directed impact without
> >wide-spread repercussions?
>
> OpenDNS "protects" you from phishing sites by giving out false
> information. A DNS server that deliberately gives out false
> information is a security risk. I advise against using OpenDNS.
It's only a security risk if it's doing so without your knowledge,
consent, or control. IIUC, this is a user-configurable option, so you
have control. And if you use OpenDNS because you *want* this type of
protection, then it's with your consent.
Your comment is like claiming that a firewall is a security risk because
it causes Denial of Service when it prevents you from accessing certain
sites or using some applications.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: OpenDNS safer or not?
on 23.06.2007 14:05:57 by Sebastian Gottschalk
Barry Margolin wrote:
> It's only a security risk if it's doing so without your knowledge,
> consent, or control. IIUC, this is a user-configurable option, so you
> have control.
AFAICS this is without your control.
> And if you use OpenDNS because you *want* this type of
> protection, then it's with your consent.
Is it within your consent if they add sites to their censorship list which
are not related to phishing at all, and that without your knowledge?
> Your comment is like claiming that a firewall is a security risk because
> it causes Denial of Service when it prevents you from accessing certain
> sites or using some applications.
It is. A firewall shouldn't do such a thing.
Re: OpenDNS safer or not?
on 23.06.2007 17:33:59 by davidu
On Jun 23, 5:05 am, "Sebastian G." wrote:
> Barry Margolin wrote:
> > It's only a security risk if it's doing so without your knowledge,
> > consent, or control. IIUC, this is a user-configurable option, so you
> > have control.
>
> AFAICS this is without your control.
>
> > And if you use OpenDNS because you *want* this type of
> > protection, then it's with your consent.
>
> Is it within your consent if they add sites to their censorship list which
> are not related to phishing at all, and that without your knowledge?
You have no idea what OpenDNS does. You have no idea that we give you
full control over your DNS in a way you never have before.
>
> > Your comment is like claiming that a firewall is a security risk because
> > it causes Denial of Service when it prevents you from accessing certain
> > sites or using some applications.
>
> It is. A firewall shouldn't do such a thing.
Wow. That's exactly what a firewall does. It presents a barrier
based on specified rules. Don't be naive and believe that a firewall
is only designed to prevent things from getting in to a network, a
proper firewall should also restrict what is going out. And firewalls
can and often do work at all layers of the OSI stack. It's not just
about blocking ports. That's a firehose approach and (that alone)
doesn't work on today's Internet.
Re: OpenDNS safer or not?
on 23.06.2007 17:47:51 by Sebastian Gottschalk
davidu wrote:
>>> And if you use OpenDNS because you *want* this type of
>>> protection, then it's with your consent.
>> Is it within your consent if they add sites to their censorship list which
>> are not related to phishing at all, and that without your knowledge?
>
> You have no idea what OpenDNS does.
I'd rather say this applies to you.
> You have no idea that we give you full control over your DNS in a way you
> never have before.
And you seem to have no idea how utterly bullshit this is. Not just wrt.
what OpenDNS does (censorship that is not just limited to proclaimed
phishing hosts), but also how I'm running my very own DNS server (recent
BIND9 with some patches and a well-understood configuration).
>>> Your comment is like claiming that a firewall is a security risk because
>>> it causes Denial of Service when it prevents you from accessing certain
>>> sites or using some applications.
>> It is. A firewall shouldn't do such a thing.
>
> Wow. That's exactly what a firewall does.
No, this is not even remotely what a firewall does.
> It presents a barrier based on specified rules.
And the rules are supposed to be implemented to filter out everything you don't
want to work. If it blocks something that is supposed to work, the firewall
is obviously misconfigured.
> And firewalls can and often do work at all layers of the OSI stack.
You may or may not notice that there are various differences between the
internet protocol stack and the OSI model.
Re: OpenDNS safer or not?
on 23.06.2007 22:07:40 by Barry Margolin
In article <5e4gl5F373m16U1@mid.dfncis.de>,
"Sebastian G." wrote:
> Barry Margolin wrote:
>
>
> > It's only a security risk if it's doing so without your knowledge,
> > consent, or control. IIUC, this is a user-configurable option, so you
> > have control.
>
>
> AFAICS this is without your control.
>
> > And if you use OpenDNS because you *want* this type of
> > protection, then it's with your consent.
>
>
> Is it within your consent if they add sites to their censorship list which
> are not related to phishing at all, and that without your knowledge?
>
> > Your comment is like claiming that a firewall is a security risk because
> > it causes Denial of Service when it prevents you from accessing certain
> > sites or using some applications.
>
> It is. A firewall shouldn't do such a thing.
I was using the term to refer to security software in general. How
about the options in many browsers to block phishing sites?
The point is that most users don't want to keep track of malware,
phishing, etc. -- they WANT to delegate that responsibility to someone
else. This implies that they trust that third party to act responsibly.
It's like hiring a security guard. This presumably makes things MORE
secure. You have to assume, though, that the security guard isn't
buddies with thieves who he's going to allow into the building. Most of
the time this assumption is warranted. And you're pretty much forced
into assuming this -- you can't watch the front door yourself and also
get your real work done.
Re: OpenDNS safer or not?
on 24.06.2007 01:03:31 by Sebastian Gottschalk
Barry Margolin wrote:
> I was using the term to refer to security software in general. How
> about the options in many browsers to block phishing sites?
This is, of course, bullshit as well.
> The point is that most users don't want to keep track of malware,
> phishing, etc.
Then tell 'em not to install any, and to simply not fall for phishing. Now
that's really easy...
> -- they WANT to delegate that responsibility to someone else.
And why should we care? The fact is that, however much they might want it,
they simply can't delegate responsibility, especially not if the
cause is their utter idiocy.
> This implies that they trust that third party to act responsibly.
So, and has OpenDNS claimed to be responsible or even reliable?
> It's like hiring a security guard. This presumably makes things MORE
> secure.
A security guard is competent on his field and is getting paid to do the job
as you intend it. And a security guard doesn't require you to remove other
security measures like the front door. So much for your failed analogy.
> you can't watch the front door yourself and also get your real work done.
That's why we LOCK the front door. Now will you please stop trying to kid
me? Nothing of this will change that OpenDNS deliberately introduces wrong
DNS replies for whatsoever reasons, adds non-ICANN TLDs, creates a new
incompatible root zone without any authority, breaks any authority chains
anyway (no chance for root-delegation), and much more.
It's a wonder that this POS even works, but it's no wonder that some people
actually like this POS, because it shows their lack of competence, knowledge
and probably sanity.
At any rate, you're even worse off than with your ISP's caching DNS server
or the ICANN root.
Re: OpenDNS safer or not?
on 24.06.2007 01:24:44 by davidu
On Jun 23, 8:47 am, "Sebastian G." wrote:
> davidu wrote:
> >>> And if you use OpenDNS because you *want* this type of
> >>> protection, then it's with your consent.
> >> Is it within your consent if they add sites to their censorship list which
> >> are not related to phishing at all, and that without your knowledge?
>
> > You have no idea what OpenDNS does.
>
> I'd rather say this applies to you.
Sebastian,
Let's be crystal clear right now. You can, with OpenDNS, get standard
RFC compliant DNS with NXDOMAINs being returned, no phishing
protection, no adult blocking, and nothing else. I understand that
you have ZERO clue what the service does, but I figured you would at
least try and see.
Every administrator that configures OpenDNS decides what functionality
they want. Guess what? Admins love being able to have a simple place
to say "Hey, I want to block myspace.com" and when they do that, it
doesn't affect you in any way. That's the entire point. The DNS
results on the recursive nameserver are modified based on the src_addr
making the requests.
>
> > You have no idea that we give you full control over your DNS in a way you
> > never have before.
>
> And you seem to have no idea how utterly bullshit this is. Not just wrt.
> what OpenDNS does (censorship that is not just limited to proclaimed
> phishing hosts), but also how I'm running my very own DNS server (recent
> BIND9 with some patches and a well-understood configuration).
What censorship are we imposing? Nobody makes you block a domain.
It's about giving you power and control, not to mention a more
reliable and faster service.
>
> >>> Your comment is like claiming that a firewall is a security risk because
> >>> it causes Denial of Service when it prevents you from accessing certain
> >>> sites or using some applications.
> >> It is. A firewall shouldn't do such a thing.
>
> > Wow. That's exactly what a firewall does.
>
> No, this is not even remotely what a firewall does.
What does it do then?
>
> > It presents a barrier based on specified rules.
>
> And the rules are supposed to be implemented to filter out everything you don't
> want to work. If it blocks something that is supposed to work, the firewall
> is obviously misconfigured.
What's that have to do with anything I said? That statement is a strawman.
>
> > And firewalls can and often do work at all layers of the OSI stack.
>
> You may or may not notice that there are various differences between the
> internet protocol stack and the OSI model.
Again, a strawman. Before replying, check out what OpenDNS offers and
educate yourself.
Thanks,
David Ulevitch
Re: OpenDNS safer or not?
on 24.06.2007 01:27:01 by davidu
On Jun 23, 4:03 pm, "Sebastian G." wrote:
> That's why we LOCK the front door. Now will you please stop trying to kid
> me? Nothing of this will change that OpenDNS deliberately introduces wrong
> DNS replies for whatsoever reasons, adds non-ICANN TLDs, creates a new
> incompatible root zone without any authority, breaks any authority chains
> anyway (no chance for root-delegation), and much more.
What are you talking about? I'm not getting into the discussion about
how ineffective ICANN is but we do follow their TLDs. Show me a TLD
we've created. I challenge you to name one.
As for "wrong DNS replies" -- that's another claim with zero evidence.
Are you finished?
-David
Re: OpenDNS safer or not?
on 24.06.2007 05:36:21 by Neil W Rickert
Barry Margolin writes:
>I was using the term to refer to security software in general. How
>about the options in many browsers to block phishing sites?
Quite different, in my opinion. Whereas OpenDNS returns deliberately
false information, the phishing filters in firefox and in IE7 advise
that a site has been reported as a phish site. They don't actually
block access - you can choose to continue to the site.
>The point is that most users don't want to keep track of malware,
>phishing, etc. -- they WANT to delegate that responsibility to someone
>else.
That's fine. I don't like the method used by OpenDNS, and I am
unwilling to trust their DNS servers.
Re: OpenDNS safer or not?
on 24.06.2007 19:39:30 by Sebastian Gottschalk
davidu wrote:
> Let's be crystal clear right now. You can, with OpenDNS, get standard
> RFC compliant DNS with NXDOMAINs being returned, no phishing
> protection, no adult blocking, and nothing else.
I didn't manage to get such a behaviour. Can you enlighten me a bit?
> The DNS results on the recursive nameserver are modified based on the src_addr
> making the requests.
Which is even more stupid.
>>> You have no idea that we give you full control over your DNS in a way you
>>> never have before.
>> And you seem to have no idea how utterly bullshit this is. Not just wrt.
>> what OpenDNS does (censorship that is not just limited to proclaimed
>> phishing hosts), but also how I'm running my very own DNS server (recent
>> BIND9 with some patches and a well-understood configuration).
>
> What censorship are we imposing?
"we"? Anyway, I already mentioned some well-known examples (which might also
be related to OpenDNS's peering partners which filter various DNS requests).
> It's about giving you power and control, not to mention a more
> reliable and faster service.
It's doing what? Excuse me, but how should this work?
>>> It presents a barrier based on specified rules.
>> And the rules are supposed to be implemented to filter out everything you don't
>> want to work. If it blocks something that is supposed to work, the firewall
>> is obviously misconfigured.
>
> What's that have to do with anything I said? That statement is a strawman.
And it's precisely a counter-argument to the BS you're writing.
>>> And firewalls can and often do work at all layers of the OSI stack.
>> You may or may not notice that there are various differences between the
>> internet protocol stack and the OSI model.
>
> Again, a strawman.
And a counter-argument. Now, how exactly do you block Skype with a firewall?
Re: OpenDNS safer or not?
on 24.06.2007 19:53:42 by Sebastian Gottschalk
davidu wrote:
> On Jun 23, 4:03 pm, "Sebastian G." wrote:
>
>> That's why we LOCK the front door. Now will you please stop trying to kid
>> me? Nothing of this will change that OpenDNS deliberately introduces wrong
>> DNS replies for whatsoever reasons, adds non-ICANN TLDs, creates a new
>> incompatible root zone without any authority, breaks any authority chains
>> anyway (no chance for root-delegation), and much more.
>
> What are you talking about? I'm not getting into the discussion about
> how ineffective ICANN is but we do follow their TLDs. Show me a TLD
> we've created. I challenge you to name one.
.cmo
Just to name a favorite example directly from the opendns.org front page
advertisement... the FAQ also mentions .og ...
> As for "wrong DNS replies" -- that's another claim with zero evidence.
So? Then I must have been misled by the "New! Block adult sites. Accurate
and free." advertisement.
> Are you finished?
Not yet. tells that every hostname
that cannot be "auto-corrected" gets redirected to an advertisement page.
D'Oh, and then there's a press release "OpenDNS is not SiteFinder, for
obvious reasons", with an interview of David A. Ulevitch... oh geez, sorry I
fell for your scheme, you stupid troll. A Gmail mail address? You must be
kidding...
Seems like since 07-04-22 some idiot also added very wrongly implemented
recursion for unqualified queries.
And I better stop thinking about this braindead DNS hijacking before I
really get sick.
Re: OpenDNS safer or not?
on 25.06.2007 03:20:10 by Barry Margolin
In article ,
Neil W Rickert wrote:
> Barry Margolin writes:
>
> >The point is that most users don't want to keep track of malware,
> >phishing, etc. -- they WANT to delegate that responsibility to someone
> >else.
>
> That's fine. I don't like the method used by OpenDNS, and I am
> unwilling to trust their DNS servers.
That's your prerogative. But it doesn't make OpenDNS a security hole for
the people who DO want to make use of its features.
If you have antivirus software, do you maintain all the signatures
yourself, or do you let it download them from the AV vendor
automatically? Even if YOU maintain it yourself, do you think that 90%
of computer users could do this competently?
Re: OpenDNS safer or not?
on 25.06.2007 15:47:28 by Sebastian Gottschalk
Barry Margolin wrote:
> But it doesn't make OpenDNS a security hole for the people who DO want
> to make use of its features.
And doesn't have to, because it already is one.
> If you have antivirus software, do you maintain all the signatures
> yourself, or do you let it download them from the AV vendor
> automatically? Even if YOU maintain it yourself, do you think that 90%
> of computer users could do this competently?
And what exactly does antivirus software have to do with security? Beside
introducing vulnerabilities?
Re: OpenDNS safer or not?
on 26.06.2007 03:12:53 by Barry Margolin
In article <5e9vbnF37225uU1@mid.dfncis.de>,
"Sebastian G." wrote:
> Barry Margolin wrote:
>
> > But it doesn't make OpenDNS a security hole for the people who DO want
>
> > to make use of its features.
>
> And doesn't have to, because it already is one.
>
> > If you have antivirus software, do you maintain all the signatures
> > yourself, or do you let it download them from the AV vendor
> > automatically? Even if YOU maintain it yourself, do you think that 90%
> > of computer users could do this competently?
>
> And what exactly does antivirus software have to do with security? Beside
> introducing vulnerabilities?
It seems like you have a completely different idea of computer security
than most of the rest of us. If we're not talking the same language, we
can't have a reasonable discussion, so I give up.
Re: OpenDNS safer or not?
on 26.06.2007 05:28:17 by Sebastian Gottschalk
Barry Margolin wrote:
> In article <5e9vbnF37225uU1@mid.dfncis.de>,
> "Sebastian G." wrote:
>
>> Barry Margolin wrote:
>>
>>> But it doesn't make OpenDNS a security hole for the people who DO want
>>> to make use of its features.
>> And doesn't have to, because it already is one.
>>
>>> If you have antivirus software, do you maintain all the signatures
>>> yourself, or do you let it download them from the AV vendor
>>> automatically? Even if YOU maintain it yourself, do you think that 90%
>>> of computer users could do this competently?
>> And what exactly does antivirus software have to do with security? Beside
>> introducing vulnerabilities?
>
> It seems like you have a completely different idea of computer security
> than most of the rest of us. If we're not talking the same language, we
> can't have a reasonable discussion, so I give up.
Well, if you don't want to proclaim that virus scanners could provide
reliable protection against viruses (which they can't, by design), then your
point is obviously moot. And if you want that, then you should better reconsider
the definition of security.
Now, for almost no user did AV software actually provide any measurable
benefit. At best it just stretches the time until the systems become
infected anyway, or rather delude the detection of the compromise. It can't
provide any means to secure a chronically insecure system.
At any rate, stop telling nonsense. OpenDNS does modify DNS replies without
your strict control (thus you can't see if they actually adhere to the
configuration you provided and not modify much more, or way less, or in a
different way), and it definitely breaks root-delegation. In comparison to a
non-defective stub resolver (as most people use), and unmodified
caching-only name server (as most ISPs provide) or especially an own name
server (as competent users run), this is definitely a decrease in security.
And, whether you like it or not, using the additional crap features
intentionally makes the protocol violation even worse. But I guess you don't
understand the technical means of the difference between NXDOMAIN and
SERVFAIL in terms of a DNS resolver, so better ask the guys who had to
fiddle with the consequences of VeriSign's SiteFinder attack.
Re: OpenDNS safer or not?
on 26.06.2007 06:00:12 by Barry Margolin
In article <5ebffkF38ks34U1@mid.dfncis.de>,
"Sebastian G." wrote:
> Well, if you don't want to proclaim that virus scanners could provide
> reliable protection against viruses (which they can't, by design), then your
> point is obviously moot. And if you want that, then you should better reconsider
> the definition of security.
Security is not an absolute, it's a continuum. Virus scanners are not
total protection, but having them is better than not having them.
> At any rate, stop telling nonsense. OpenDNS does modify DNS replies without
> your strict control (thus you can't see if they actually adhere to the
> configuration you provided and not modify much more, or way less, or in a
> different way), and it definitely breaks root-delegation. In comparison to a
> non-defective stub resolver (as most people use), and unmodified
> caching-only name server (as most ISPs provide) or especially an own name
> server (as competent users run), this is definitely a decrease in security.
I don't use OpenDNS myself. But I know that many people use it because
they've had reliability problems with their ISPs' nameservers, and
they've found OpenDNS's track record to be better.
As far as I understand it, OpenDNS only rewrites names as part of its
typo-correction feature. I think this is what you're referring to by
"breaks root-delegation". But I assume it only corrects names that
don't exist, so there's no harm done. And this is a user-selectable
option -- if you want normal root delegation, don't use it.
Are you really claiming that even if you turn off all the options that
modify DNS responses, that OpenDNS still interferes with DNS lookups?
Or are you just spreading FUD because they *could* do so. Well, so
could ISPs, and so could the Internet root or GTLD servers. In fact, a
few years ago the GTLD servers DID do this -- Network Solutions
implemented a "feature" where nonexistent domains were redirected to
their search page. This affected practically all ISPs, not just users
who opted into a particular service.
So just about any use of DNS is a security problem -- you're implicitly
trusting the operators of all those servers to do what we expect.
Whether OpenDNS is more or less secure depends on your personal needs
and expectations.
Re: OpenDNS safer or not?
on 26.06.2007 06:06:45 by Barry Margolin
In article <5ebffkF38ks34U1@mid.dfncis.de>,
"Sebastian G." wrote:
> And, whether you like it or not, using the additional crap features
> intentionally makes the protocol violation even worse. But I guess you don't
> understand the technical means of the difference between NXDOMAIN and
> SERVFAIL in terms of a DNS resolver, so better ask the guys who had to
> fiddle with the consequences of VeriSign's SiteFinder attack.
BTW, I *do* understand this. I don't want to boast, but I am recognized
as one of the DNS experts on the Internet -- ask anyone in
comp.protocols.dns.bind.
And the SiteFinder issue wasn't one of NXDOMAIN vs. SERVFAIL. The
problem with SiteFinder was that it couldn't tell the difference between
a query coming from a web browser (which can deal with being redirected
to a search server) and one coming from a mail server (which should get
an error so that it can bounce the message back with an appropriate
error). This is less likely to be a problem for the typical OpenDNS
user, because they're just running applications like web browsers, not
mail servers.
And since OpenDNS allows you to opt out of the rewrite feature, if
you're running a server you should do so.
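The NXDOMAIN-versus-rewritten-answer distinction the thread argues about, as an added example that is not part of the newsgroup discussion or of any OpenDNS, BIND or SiteFinder code: a small Python probe that queries a resolver for a random name which cannot exist and classifies the reply, so an administrator can check for themselves whether a resolver returns NXDOMAIN or "corrects" the name to an address. The minimal hand-written wire-format parser, the sample replies and the 203.0.113.10 (TEST-NET-3) redirect address are constructed for this example.

```python
# Added example: probe whether a resolver answers NXDOMAIN honestly or rewrites
# nonexistent names into an address. Hand-written minimal DNS wire parsing
# (assumption: only header, question and answer sections are needed).
import secrets
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard recursive (RD=1) A/IN query for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return offset + 2
        offset += 1 + length


def classify_response(msg: bytes) -> dict:
    """Tell an honest NXDOMAIN from an error and from a NOERROR reply that
    carries A records for a name which cannot exist (a rewritten answer)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4          # skip QTYPE, QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record
            addresses.append(socket.inet_ntoa(rdata))
    if rcode == 3:
        verdict = "nxdomain"    # resolver admits the name does not exist
    elif rcode == 0 and addresses:
        verdict = "rewritten"   # a name that cannot exist resolved anyway
    elif rcode == 0:
        verdict = "empty"       # NOERROR without A records (NODATA)
    else:
        verdict = "error"       # SERVFAIL, REFUSED, ...
    return {"txid": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "addresses": addresses, "verdict": verdict}


def random_nonexistent_name(parent: str = "com") -> str:
    """A label with 16 random hex characters will not exist under parent."""
    return f"nx-{secrets.token_hex(8)}.{parent}."


def probe_resolver(server: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Send one query for a random nonexistent name and classify the reply."""
    qname = random_nonexistent_name()
    query = build_query(qname, txid=secrets.randbelow(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        reply, _ = sock.recvfrom(4096)
    result = classify_response(reply)
    result["qname"] = qname
    return result


# Constructed sample replies (not captured from any real resolver); the
# question in all three is "nx-example.com." A/IN.
_QUESTION = b"\x0anx-example\x03com\x00\x00\x01\x00\x01"
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _QUESTION
# NOERROR plus one A record for a redirect host (203.0.113.10, TEST-NET-3),
# with a compression pointer (0xC00C) back to the question name.
SAMPLE_REWRITTEN = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                    + socket.inet_aton("203.0.113.10"))

if __name__ == "__main__":
    for name, sample in [("nxdomain", SAMPLE_NXDOMAIN), ("servfail", SAMPLE_SERVFAIL),
                         ("rewritten", SAMPLE_REWRITTEN)]:
        print(name, classify_response(sample))
    # Live check against a resolver you operate, e.g. probe_resolver("127.0.0.1")
```

A "rewritten" verdict for a random label is exactly the SiteFinder-style behaviour a mail server cannot cope with; a "nxdomain" verdict means the resolver passed the negative answer through unchanged.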
Re: OpenDNS safer or not?
on 26.06.2007 06:30:50 by Sebastian Gottschalk
Barry Margolin wrote:
> In article <5ebffkF38ks34U1@mid.dfncis.de>,
> "Sebastian G." wrote:
>
>> Well, if you don't want to proclaim that virus scanners could provide
>> reliable protection against viruses (which they can't, by design), then your
>> point is obviously moot. And if you want that, then you should better reconsider
>> the definition of security.
>
> Security is not an absolute, it's a continuum.
Security also has various properties, one of them is *reliability*. Something
that virus scanners are lacking, by design.
Now, just write a virus. It will infect systems until someone detects it,
submits it to an AV vendor, who then creates and delivers a signature. In
the meantime, you're hosed.
Oh, and then write one that constantly modifies itself by reordering its
instructions based on a keyed CSPRNG. Trivially this will bypass any
signatures and behaviour detection.
Well, do I have to mention that the real solution against viruses is a
no-exec policy, thus only running applications from a whitelist? Trivial,
practicable, reliable, secure.
> Virus scanners are not
> total protection, but having them is better than not having them.
Interestingly I can clearly verify that the contrary is true on this machine.
infections without virus scanners: 0
vulnerabilities without virus scanners: 0
infections with virus scanners: 0
vulnerabilities with virus scanners: well, just KAV alone would provide
13 vulnerable kernel hooks...
So, you think that introducing new vulnerabilities to a very secure system
makes it better? Better wrt. to which criteria?
> As far as I understand it, OpenDNS only rewrites names as part of its
> typo-correction feature. I think this is what you're referring to by
> "breaks root-delegation".
Well, that's the consequence.
> But I assume it only corrects names that don't exist, so there's no harm
> done.
Well, this is definitely harm, because it will even "correct"
www.i-dont-exist-coz-i-was-spetl-wrong.com.
> And this is a user-selectable
> option -- if you want normal root delegation, don't use it.
Breaking root delegation is imposed for all recursive queries, and even
explicit delegation is broken due to the inaccurate replies.
> In fact, a few years ago the GTLD servers DID do this -- Network Solutions
> implemented a "feature" where nonexistent domains were redirected to
> their search page. This affected practically all ISPs, not just users
> who opted into a particular service.
Guess that's why you should want root-delegation-only, and why they got
slammed by ICANN. And with OpenDNS you'd practically make this problem apply
to all your queries, not just one single gTLD. Excellent idea!
Re: OpenDNS safer or not?
on 26.06.2007 06:39:37 by Sebastian Gottschalk
Barry Margolin wrote:
> And the SiteFinder issue wasn't one of NXDOMAIN vs. SERVFAIL.
Oh, it was, depending on your DNS resolver.
> The problem with SiteFinder was that it couldn't tell the difference between
> a query coming from a web browser (which can deal with being redirected
> to a search server) and one coming from a mail server (which should get
> an error so that it can bounce the message back with an appropriate
> error). This is less likely to be a problem for the typical OpenDNS
> user, because they're just running applications like web browsers, not
> mail servers.
Ehm... what about P2P applications, VoIP stuff, etc.? It fails for the very
same problem.
Since I'm also missing a little part of the discussion: In which way should
OpenDNS be preferable to a simple stub resolver recursing on a typical
ISP's caching-only DNS server with the ICANN root or the ORSN root?
Re: OpenDNS safer or not?
on 27.06.2007 07:04:24 by Barry Margolin
In article <5ebj4uF387t8pU1@mid.dfncis.de>,
"Sebastian G." wrote:
> Barry Margolin wrote:
>
> > In article <5ebffkF38ks34U1@mid.dfncis.de>,
> > "Sebastian G." wrote:
> >
> >> Well, if you don't want to proclaim that virus scanners could provide
> >> reliable protection against viruses (which they can't, by design), then
> >> your point is obviously moot. And if you want that, then you should better
> >> reconsider the definition of security.
> >
> > Security is not an absolute, it's a continuum.
>
>
> Security also has various properties, one of them is *reliability*. Something
> that virus scanners are lacking, by design.
>
> Now, just write a virus. It will infect systems until someone detects it,
> submits it to an AV vendor, who then creates and delivers a signature. In
> the meantime, you're hosed.
Without the AV software, you're hosed forever. Which is better?
>
> Oh, and then write one that constantly modifies itself by reordering its
> instructions based on a keyed CSPRNG. Trivially this will bypass any
> signatures and behaviour detection.
>
> Well, do I have to mention that the real solution against viruses is a
> no-exec policy, thus only running applications from a whitelist? Trivial,
> practicable, reliable, secure.
But since the OS doesn't do that, you need other protection. As an end
user you can't change the OS policy, you're stuck with it. You need a
solution that works within its limits.
Should we stop trying to develop cures and vaccines for STDs because the
real solution is to not have sex with people with STDs? Sometimes you
have to live with the fact that the "real solution" isn't going to
happen, and you make do with a "good enough" solution.
And the "no-exec" policy will only protect you from malware based on
executing applications. It does nothing to protect you from phishing
sites. And a whitelist only works if you know what programs to allow.
What about a trojan that looks like a desirable program? If it's
masquerading as a game you want to play, you'll put it on the whitelist
(that's the very definition of a Trojan Horse).
Re: OpenDNS safer or not?
on 27.06.2007 07:09:36 by Barry Margolin
In article <5ebjldF37pj3iU1@mid.dfncis.de>,
"Sebastian G." wrote:
> Since I'm also missing a little part of the discussion: In which way should
> OpenDNS be preferable to a simple stub resolver recursing on a typical
> ISP's caching-only DNS server with the ICANN root or the ORSN root?
You said it yourself: "Security also has various properties, one of them
is *reliability*."
Go to BBR and I'll bet you can find dozens of recommendations for
Comcast customers to switch to OpenDNS when they're having DNS problems.
I've personally never had any problem with Comcast's servers, but lots
of other customers have, and they almost always report that their life
is much better after switching to OpenDNS.
Re: OpenDNS safer or not?
on 27.06.2007 15:50:42 by Sebastian Gottschalk
Barry Margolin wrote:
> Without the AV software, you're hosed forever.
Utter bullshit.
>> Well, do I have to mention that the real solution against viruses is a
>> no-exec policy, thus only running applications from a whitelist? Trivial,
>> practicable, reliable, secure.
>
> But since the OS doesn't do that,
It does. Yours does as well.
> you need other protection.
You mean Windows 2000? Yes, such functionality can be added by third-party
software.
> As an end user you can't change the OS policy,
Even more bullshit.
> you're stuck with it. You need a solution that works within its limits.
"Solution" and "works" are quite wide terms. Now, virus scanners are neither
- they're measures to limit the damage that stupid users are doing to us. They
don't limit the damage they're doing to themselves.
> Should we stop trying to develop cures and vaccines for STDs because the
> real solution is to not have sex with people with STDs?
No, because these cures and vaccines don't hinder the real solution and
don't increase the spread of STDs.
> And the "no-exec" policy will only protect you from malware based on
> executing applications. It does nothing to protect you from phishing
> sites.
Nothing protects from phishing sites. It's a PEBKAC.
> And a whitelist only works if you know what programs to allow.
> What about a trojan that looks like a desirable program?
Nothing can protect from trojan horses; however, a concept of trust relations
can limit their effect. If this fails, well, then you're hosed, even with
virus scanners.
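As an added example, not code from the thread and not any particular OS feature: the default-deny execution policy argued over above, simulated in Python. A policy allows binaries by SHA-256 digest and, optionally, by directory. The `demo` function builds a constructed scenario in a temporary directory (the file contents and names are made up) to show that a modified copy of an approved binary is refused, while a path-based rule lets an unknown file dropped into a trusted directory run, which is exactly the "masquerading as a game you want to play" case. Hooking real process creation is left out; `decision` stands in for the gate the OS would enforce.

```python
# Added example (not from the thread): default-deny execution allow-list.
# Assumption: the OS would call decision() before running a binary; here it is
# only simulated, and all files are constructed in a temporary directory.
import hashlib
import os
import tempfile
from typing import Tuple


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecPolicy:
    """Allow by content hash first, then by directory, otherwise deny."""

    def __init__(self, allowed_hashes=(), allowed_dirs=()):
        self.allowed_hashes = set(allowed_hashes)
        self.allowed_dirs = [os.path.realpath(d) for d in allowed_dirs]

    def decision(self, path: str) -> Tuple[bool, str]:
        real = os.path.realpath(path)            # defeat symlink tricks
        if sha256_file(real) in self.allowed_hashes:
            return True, "hash-allowed"
        for d in self.allowed_dirs:
            if os.path.commonpath([real, d]) == d:
                # A path rule trusts the location, not the content: anything
                # dropped into this directory runs. Hash rules avoid this.
                return True, "path-allowed"
        return False, "default-deny"


def demo() -> dict:
    """Constructed scenario: an approved binary, a tampered copy of it, and an
    unknown file placed in a directory that one policy trusts by path."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = os.path.join(tmp, "approved.bin")
        with open(approved, "wb") as f:
            f.write(b"\x7fELF" + b"A" * 100)
        tampered = os.path.join(tmp, "tampered.bin")
        with open(tampered, "wb") as f:
            f.write(b"\x7fELF" + b"A" * 99 + b"B")  # one byte differs
        trusted_dir = os.path.join(tmp, "trusted")
        os.mkdir(trusted_dir)
        dropped = os.path.join(trusted_dir, "game.exe")
        with open(dropped, "wb") as f:
            f.write(b"MZ" + b"\x00" * 50)

        hash_only = ExecPolicy(allowed_hashes=[sha256_file(approved)])
        with_path = ExecPolicy(allowed_hashes=[sha256_file(approved)],
                               allowed_dirs=[trusted_dir])
        return {
            "approved": hash_only.decision(approved),
            "tampered": hash_only.decision(tampered),
            "dropped_hash_only": hash_only.decision(dropped),
            "dropped_with_path_rule": with_path.decision(dropped),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The hash rule is what makes the policy reliable in the sense used above: it does not need to recognise the malware, only the software that was deliberately approved, so a self-modifying binary gains nothing. The path rule shows the trade-off that creeps in for convenience, and the trojan case remains: if the user approves the wrong hash, the policy runs it just as faithfully.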
Re: OpenDNS safer or not?
on 27.06.2007 15:53:19 by Sebastian Gottschalk
Barry Margolin wrote:
> In article <5ebjldF37pj3iU1@mid.dfncis.de>,
> "Sebastian G." wrote:
>
>> Since I'm also missing a little part of the discussion: In which way should
>> OpenDNS be preferable to a simple stub resolver recursing on a typical
>> ISP's caching-only DNS server with the ICANN root or the ORSN root?
>
> You said it yourself: "Security also has various properties, one of them
> is *reliability*."
>
> Go to BBR and I'll bet you can find dozens of recommendations for
> Comcast customers to switch to OpenDNS when they're having DNS problems.
Comcast customers are stupid by definition; the gross idiocy of this
provider has been obvious for years.
> I've personally never had any problem with Comcast's servers, but lots
> of other customers have, and they almost always report that their life
> is much better after switching to OpenDNS.
So, where's your argument? I proclaim that they'd have been better off with
the caching-only DNS server of a *serious* provider, or the ICANN root, or
the ORSN root.
Re: OpenDNS safer or not?
on 28.06.2007 01:05:22 by Barry Margolin
In article <5ef89tF3788agU1@mid.dfncis.de>,
"Sebastian G." wrote:
> Nothing can protect from trojan horses
If the AV software has its signature, it will.
Nothing can prevent you from unknown trojan horses, though.
Re: OpenDNS safer or not?
on 28.06.2007 02:16:12 by Sebastian Gottschalk
Barry Margolin wrote:
>> Nothing can protect from trojan horses
>
> If the AV software has its signature, it will.
That's a really big if.
> Nothing can prevent you from unknown trojan horses, though.
Nothing can protect you from known trojan horses which simply don't have any
signature, because they're modifying themselves in a way that doesn't expose
any scanable patterns.
Thus the real solution is to not run any untrustworthy software, whereas
trust has to apply to the vendor, the quality of the implementation and the
quality of the software creation process.
Re: OpenDNS safer or not?
on 28.06.2007 18:42:19 by davidu
On Jun 27, 6:53 am, "Sebastian G." wrote:
> Barry Margolin wrote:
>
> > Go to BBR and I'll bet you can find dozens of recommendations for
> > Comcast customers to switch to OpenDNS when they're having DNS problems.
>
> Comcast customers are stupid by definition; the gross idiocy of this
> provider has been obvious for years.
>
Stop trolling. Lots of people don't have any real choice when it
comes to their broadband provider. You know this. You also know that
OpenDNS doesn't do any of the bad things you mention.
My last message on this thread,
davidu
Re: OpenDNS safer or not?
on 04.07.2007 22:36:49 by Neil W Rickert
davidu writes:
> You also know that
>OpenDNS doesn't do any of the bad things you mention.
See
http://www.dslreports.com/forum/remark,18612393
for an example of what OpenDNS does.
Re: OpenDNS safer or not?
on 05.07.2007 01:31:14 by ari
On Wed, 27 Jun 2007 15:53:19 +0200, Sebastian G. wrote:
> Comcast customers are stupid by definition; the gross idiocy of this
> provider has been obvious for years.
If the choice is Comcast or nothing, what would you recommend?
Re: OpenDNS safer or not?
on 05.07.2007 01:50:52 by Sebastian Gottschalk
Ari wrote:
> On Wed, 27 Jun 2007 15:53:19 +0200, Sebastian G. wrote:
>
>> Comcast customers are stupid by definition; the gross idiocy of this
>> provider has been obvious for years.
>
> If the choice is Comcast or nothing, what would you recommend?
Writing to your senator? Here in Germany we successfully forced the Telecom to
resell the lines on fair terms.
Re: OpenDNS safer or not?
on 05.07.2007 02:54:11 by ari
On Thu, 05 Jul 2007 01:50:52 +0200, Sebastian G. wrote:
> Ari wrote:
>
>> On Wed, 27 Jun 2007 15:53:19 +0200, Sebastian G. wrote:
>>
>>> Comcast customers are stupid by definition; the gross idiocy of this
>>> provider has been obvious for years.
>>
>> If the choice is Comcast or nothing, what would you recommend?
>
> Writing to your senator? Here in Germany we successfully forced the Telecom to
> resell the lines on fair terms.
That's good but you didn't answer the question.
Re: OpenDNS safer or not?
on 05.07.2007 05:25:17 by davidu
On Jul 4, 4:31 pm, Ari wrote:
> On Wed, 27 Jun 2007 15:53:19 +0200, Sebastian G. wrote:
> > Comcast customers are stupid by definition; the gross idiocy of this
> > provider has been obvious for years.
>
> If the choice is Comcast or nothing, what would you recommend?
I'd recommend you try it out for yourself and see. You literally have
nothing to lose and it only takes a minute to turn on (and off).
-David
Re: OpenDNS safer or not?
on 06.07.2007 00:46:56 by ari
On Wed, 04 Jul 2007 20:25:17 -0700, davidu wrote:
> On Jul 4, 4:31 pm, Ari wrote:
>> On Wed, 27 Jun 2007 15:53:19 +0200, Sebastian G. wrote:
>>> Comcast customers are stupid by definition; the gross idiocy of this
>>> provider has been obvious for years.
>>
>> If the choice is Comcast or nothing, what would you recommend?
>
> I'd recommend you try it out for yourself and see. You literally have
> nothing to lose and it only takes a minute to turn on (and off).
>
> -David
Comcast, I use it.