New(?) Anti-Fraud DNS service

knownsense writes "A new DNS system to foil spammers, abusers, and other ills of the Internet is around the corner, reports Wired. It claims to be more user-friendly than your ISP's DNS. Among its claimed advantages . . . Faster myspace(!?), coordination with spamhaus, and typo-squatter squashing. The actual service is called OpenDNS."
  • Advantage? (Score:5, Funny)

    by Anonymous Coward on Monday July 10, 2006 @08:03AM (#15690415)
    Among its claimed advantages . . . Faster myspace


    Anti-fraud or not, someone's getting lied to there.
  • Adverts? (Score:5, Insightful)

    by HugePedlar ( 900427 ) on Monday July 10, 2006 @08:05AM (#15690423) Homepage
    "Currently, web surfers simple(sic) get an error message when they attempt to navigate to an unused domain. OpenDNS users will instead be routed to a company server that will present a list of search engine results and paid advertisements."

    No thanks.
    • Re:Adverts? (Score:5, Insightful)

      by trezor ( 555230 ) on Monday July 10, 2006 @08:11AM (#15690463) Homepage

      Second that.

      Plus trying to get the entire internet to change one of its key components is a rather ambitious attempt.

      The guy even admits that the current phishing and scamming attempts are a social problem, not a technological one. Who's to say this new system won't be abused?

      I'll save my enthusiasm for something else.

      • Re:Adverts? (Score:5, Insightful)

        by KiloByte ( 825081 ) on Monday July 10, 2006 @08:18AM (#15690509)
        Who's to say this new system won't be abused?

        Suspecting abuse in a SiteFinder-like system? You must be joking...

        Two words: censorship and advertising. Isn't this everything we want?
      • Re:Adverts? (Score:5, Informative)

        by bigpat ( 158134 ) on Monday July 10, 2006 @10:05AM (#15691250)
        Plus trying to get the entire internet to change one of its key components is a rather ambitious attempt.

        This is not to replace the "entire internet" with a new DNS system. From my read of their website, it is an individual choice to set up your computer using their DNS servers. And they are being very clear about how their servers will behave and what they will do with incorrectly typed addresses. This is from the same guys who have been running one of the most reliable free DNS services, everydns [everydns.net].

        • Re:Adverts? (Score:4, Insightful)

          by jafiwam ( 310805 ) on Monday July 10, 2006 @10:17AM (#15691339) Homepage Journal
          It doesn't matter. An NXDOMAIN response needs to exist for a lot of other reasons, which makes the 14-year-old myspace user getting an ugly error message over a spammer's search page irrelevant.

          I don't care if he's the queen mother pope jesus vishnu all in one. What the guy is proposing is fucking stupid.

          Stop fucking with DNS. Gimme a friggin IP when I query with a hostname. Gimme a hostname when I query an IP. STOP THERE. THAT'S IT. NOTHING MORE TO SEE.

          If something more "friendly" needs to happen, it needs to happen at the application layer instead.

          • If something more "friendly" needs to happen, it needs to happen at the application layer instead.

            DNS happens at the application layer.
          • an SPF record is nice once in a while though, to help reduce spam. :)
            • Well, it sort of sounds like he's talking about doing away with MX records as well. That should help with spam :-)
          • It doesn't matter. NXDOMAIN response needs to exist for a lot of other reasons that makes the 14 year old myspace user getting an ugly error message over a spammer's search page irrelevant.

            You're forgetting who their target audience is ... end users. Grandma, as it were.

            Your ISP's servers will not be using this for their DNS servers. In fact, nobody's servers will be using it. The only systems that will use it are desktop systems, probably only desktop systems used by less technical users.

            I h

    • Re:Adverts? (Score:5, Funny)

      by kjart ( 941720 ) on Monday July 10, 2006 @08:15AM (#15690488)

      Agreed. I enjoy how users are 'protected' from phishing/spam/advertising by this service by getting more ads! It's like pushing someone out of the way of a speeding car and then punching them in the face.

    • Doesn't Microsoft already do this in IE?
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday July 10, 2006 @08:20AM (#15690519)
      This is nothing more than another attempt to make some money off of the basic infrastructure of the Internet. DNS is free right now. And to some people, that means that there is a chance to "monetize" that service.

      But how to turn a profit from something that's being given away for free right now?

      You'd have to offer some additional incentives. Like "phishing blocking" or claiming that a popular website would "load faster".

      As far as I know, the DNS resolution has never been the problem for MySpace loading slowly. It's slow because so many other people are hitting their servers and bandwidth. And since Win2K, Microsoft has included a caching DNS app so once you do hit MySpace, you've cached the address on your workstation. You can't get much faster than that.
      • Monetizing DNS service is like trying to monetize traffic signage; the system as a whole doesn't work without universal service.

        I don't think it would work from a user-support perspective, either; alternative root server systems offering expanded top level domains largely failed previously.

        A "value added" DNS server with filtering, etc might be worthwhile if run at the standards of other high-quality free services (Wikipedia, etc). The problem with their model, though, is they're inviting marketers to the
    • Re:Adverts? (Score:2, Insightful)

      by nstlgc ( 945418 )
      I'd say mod parent up but it's already modded through the roof. That comment pretty much says it all. Remember what VeriSign pulled just a couple of years ago? This is exactly the same thing, just with some extra beef wrapped around.
      • But it's also voluntary. That's what lets me ignore this service, and lets muppets who want a page like VeriSign put up get one if they so desire. I'm sure as hell not gonna use it, and I'm going to tell everyone else I know not to, but I'm not gonna stand in their way of letting people make dumb decisions. My problem will come when an ISP requires that I use their service.
    • This is not like the VeriSign SiteFinder [google.com]. They're not redirecting unused domains to advertisement pages for everyone. They only do it for those who use their DNS servers. It is a free service which is supported by advertising. That sort of thing is common and accepted on the Internet. The article also says that if they can figure out the misspelling they will re-direct you to the site you wanted.
    • Re:Adverts? (Score:3, Insightful)

      by shrtcircuit ( 936357 )
      No kidding, seems like Verisign tried something along those lines a while ago - redirecting users who typed in bad domain names to corporate-sponsored pages. Kinda defeats the purpose of running the unbiased systems which arguably control the Internet, eh?

      I *WANT* users to see a "oops, you fucked up" page when they mistype a URL. That is what tells them they screwed up. What I don't want to happen is for them to go to some domain-park search display with ads and crap that have nothing to do with my site,
  • by Tim C ( 15259 ) on Monday July 10, 2006 @08:06AM (#15690427)
    And know little of networking and other sysadmin type subjects, but:

    Users who type "wordpres.sorg" or "craigslist.or" into their browser's address field are automatically routed to the correct address, instead of getting a 404 error page.

    Since when were DNS lookup failures responded to with HTTP error codes?
    • by remembertomorrow ( 959064 ) on Monday July 10, 2006 @08:09AM (#15690452)

      He was probably referring to the fact that Internet Explorer, by default, shows "friendly" HTTP and DNS error messages, such as "This page cannot be displayed."

      That part was definitely written incorrectly, but we all know what he meant (I hope).

      • I assume that that's what was meant, but even that isn't a 404 error. Just because the pages that IE use for lookup failure and 404s look similar doesn't mean that they're the same error condition.

        I was under the impression that Wired was relatively technical; perhaps I was wrong. (I've never actually read it, so I could well be)
        • I was under the impression that Wired was relatively technical; perhaps I was wrong. (I've never actually read it, so I could well be)


          In a nutshell: yes, you are wrong. And you haven't really missed much.

          Wired occasionally has something worth reading, but most of it is just fluff and ads for expensive toys. I stopped taking it seriously years ago. Articles like this remind me why.
          • Wired occasionally has something worth reading, but most of it is just fluff and ads for expensive toys. I stopped taking it seriously years ago. Articles like this remind me why.

            Wired is to technology as Discover is to science.
        • I was under the impression that Wired was relatively technical; perhaps I was wrong.
          No, Wired is quite technical. If you're into DTP and Xpress hacks.
    • And on top of this, let's all congratulate these guys on breaking the RFCs by "helping" shovel us to the address we "meant" to type in.. Let's not report back an error and help the end user correct their mistake, but transparently forward them so they never know.

      And what happens when someone registers wordpres.org? Then where are we? Well, I meant wordpres, not wordpress.. Thanks for sending me where I don't want to be.. A haven for phishers?
      • And on top of this, let's all congratulate these guys on breaking the RFCs by "helping" shovel us to the address we "meant" to type in.. Let's not report back an error and help the end user correct their mistake, but transparently forward them so they never know.

        Google does this with the "I'm feeling lucky" button. A lot of people use this or use google to type in addresses instead of the url bar, because it is far more user friendly. Errors are not always good user interface design.

        And what happens when
      • when someone registers wordpres.org DNS succeeds, and it works transparently. It's only if the name ISN'T found in DNS that this service would do its "magic". I'm not a fan, not even any connection to the company, but you're just setting up a straw man for something you don't understand...
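The question above about NXDOMAIN versus a 404, and the worry that a resolver which answers for names that do not exist breaks anything relying on the error code, both come down to one observable: what the resolver returns for a name nobody registered. The following is an added example, not code from the article or from OpenDNS. It builds DNS messages in wire format, parses responses, and classifies the answer to a probe for a random label. The resolver behaviour shown is constructed inline (an honest NXDOMAIN and a SiteFinder-style answer pointing at 192.0.2.10, a TEST-NET-1 placeholder), so nothing is sent over the network.

```python
"""Classify a resolver's answer to a name that cannot exist.

Added example, not code from the article or from OpenDNS. It builds DNS
queries and responses in wire format, parses responses, and tells an honest
NXDOMAIN (RCODE 3) from a SiteFinder-style synthesized answer (RCODE 0 plus
an A record for a name nobody registered). The sample responses below are
constructed inline, so the check runs with no network access.
"""
import random
import string
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Dotted hostname -> DNS label sequence, terminated by a zero length."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name (following RFC 1035 compression pointers); return (name, end)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_query(name, txid):
    """Standard query, recursion desired, one A question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query, rcode, answers=()):
    """Response echoing the query's txid and question; answers = (name, ttl, ipv4)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = b""
    for name, ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + body


def parse_response(msg):
    """Return txid, rcode, question names and A answers as (name, ttl, ipv4)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        offset += 4                                     # skip qtype + qclass
        questions.append(name)
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if (rtype, rclass) == (TYPE_A, CLASS_IN):
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def probe_name(suffix="org"):
    """A random 24-letter label: the only correct answer for it is NXDOMAIN."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(24)) + "." + suffix


def classify(response, expected_txid):
    """'nxdomain' = honest; 'synthesized' = resolver answered a nonexistent name;
    'other' = mismatched txid, SERVFAIL, or NOERROR with no A records."""
    parsed = parse_response(response)
    if parsed["txid"] != expected_txid:
        return "other"
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    if parsed["rcode"] == RCODE_NOERROR and parsed["answers"]:
        return "synthesized"
    return "other"


# Constructed sample exchange: the same probe answered by two different resolvers.
PROBE = probe_name()
QUERY = build_query(PROBE, txid=0x2A2A)
HONEST = build_response(QUERY, RCODE_NXDOMAIN)
SYNTHESIZED = build_response(QUERY, RCODE_NOERROR, [(PROBE, 300, "192.0.2.10")])  # 192.0.2.0/24 is TEST-NET-1

if __name__ == "__main__":
    print(PROBE, "->", classify(HONEST, 0x2A2A), "/", classify(SYNTHESIZED, 0x2A2A))
```

Against a real resolver you would send QUERY over UDP port 53 and hand the reply to classify; a "synthesized" verdict for a random label is exactly the behaviour that mail servers and other software checking for NXDOMAIN cannot tolerate. The txid check matters because a stray or forged reply would otherwise be counted as the resolver's answer.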
  • by tdemark ( 512406 ) on Monday July 10, 2006 @08:06AM (#15690430) Homepage
    But it has to be better, it has "Open" in its name.
  • Interesting (Score:3, Insightful)

    by kjart ( 941720 ) on Monday July 10, 2006 @08:08AM (#15690444)

    The main advantage appears to be that they will prevent you from opening known phishing sites. In terms of being faster, I'm not sure how they would be faster than my ISP since my ISP's DNS servers are presumably much closer to my machine than theirs. Any idea how they could make claims like that? Also, though the summary mentions foiling spammers, I saw nothing about that in the article. From the sound of the post, I thought this was something like SPF [openspf.org] even though that doesn't seem to be the case at all.

    • Re:Interesting (Score:4, Insightful)

      by vtechpilot ( 468543 ) on Monday July 10, 2006 @08:28AM (#15690563)
      Here is how the faster claim works. Say there is a 150ms round trip between you and your ISP's name server. Your computer requests the IP for www.slashdot.org. If you are lucky then www.slashdot.org is in the name server's RAM cache, and you get a fast response in just a little over 150ms. If not (and for the majority of websites, it's not) then the name server has to search its disk cache (this is where it is most likely to be). If it's still not found, then your ISP's server has to look up slashdot.org with the root servers, and get the name server for that domain, and next it has to query the DNS server for slashdot.org to find the machine named www, each of these taking more time.

      I presume what they do is have machines with loads of RAM (how many DNS entries could you keep in say 4GB anyway?) and try to serve as many requests as possible from a RAM cache rather than disk cache. That's my guess anyway.
      • "If you are lucky then www.slashdot.org is in the name server's RAM cache, and you get a fast response in just a little over 150ms. If not (and for the majority of websites, its not)"

        All the more reason to run your own local DNS cache: it will have cached answers YOU are most likely interested in and be a faster link than your ISPs.

        An even better reason to run your own cache (not just forwarding to your ISPs nameservers) would be trust. Do you trust your ISPs cache to be secure and free from DNS poison? I s
      • Dual (and higher) Opteron boxes are coming down in price. You can get a rackmount dual Opteron with 16GB or 32GB, maybe more. Some systems with more processors allow more RAM. Nevermind clusters.

        Is there any way to determine, or at least reasonably estimate, how many public DNS entries there are at a point in time? If so, one has an idea how much RAM is required.
  • by Anonymous Coward on Monday July 10, 2006 @08:09AM (#15690448)
    Your ISP probably does the same thing already. These guys claim to have a much bigger cache, so they're more likely to have cache hits than misses.

    They also offer ads & search results for non-existent domains, and they claim they will filter out phishing sites.

    Not really a big deal though even on a cache miss, a DNS query doesn't take that long.
  • Better how? (Score:5, Insightful)

    by Anonymous Coward on Monday July 10, 2006 @08:11AM (#15690458)
    A broken, non-standards-compliant DNS isn't a better DNS, it's a crippled DNS. The phishing and scamming is more of a social problem than a technical problem. The last thing I want is for some DNS host to filter my queries. The open part of open_dns is a farce. This is a commercial venture trying to make a profit by skirting around well defined standards. OpenDNS will be plagued with problems like people who run the DNS getting nice kickbacks from scammers to keep domains from being filtered, etc. There will be false blocks by accident etc. OpenDNS would have the ability to push companies and personal sites around. Who knows what the OpenDNS people are catering to. What if they catered to the Christian right, and started blocking non-wholesome content, etc. This is a bad idea people. -koft
    • Re:Better how? (Score:4, Interesting)

      by Vorondil28 ( 864578 ) on Monday July 10, 2006 @08:46AM (#15690661) Journal
      I believe this would qualify as a hack. [catb.org]
      Hack
      1. n. Originally, a quick job that produces what is needed, but not well.
      ...
      In this case, the real problem is the people behind the scams, but to fix it they're mucking a system that already works beautifully now.

      But in the end, no one is being forced to use it. This won't have any effect on the current system, so whoever they "cater to" won't matter to the overwhelming majority of people who stick with vanilla DNS.
  • Not going to work (Score:3, Informative)

    by andrewman327 ( 635952 ) on Monday July 10, 2006 @08:11AM (#15690459) Homepage Journal
    From TFA: "The OpenDNS system, which will open its servers to the public Monday, wants to be a more user-friendly name resolution service than those provided by ISPs, with technology to keep fraudulent sites out of its listings, correct some typos and help browsers look up web pages faster."


    These are such lofty claims that I doubt they will be able to live up to them. I like the idea that competitive services will appear, but if that happens I believe that OpenDNS will be a big loser.

  • Ahh, yes, YARDNS (Score:4, Insightful)

    by wowbagger ( 69688 ) on Monday July 10, 2006 @08:11AM (#15690462) Homepage Journal
    Ahh, yes - Yet Another Root Domain Name System, like AlterNic.

    One that also does redirection in the case of an invalid domain name, thus breaking code (like mail servers) that rely upon being able to detect bogus domains.

    One that requires users to change their DNS settings, with all the attendant breakage and difficulties for troubleshooting.

    One that will ALSO load down the upstream DNS servers, since the users won't be using their ISP's name servers.

    And I am sure their policy of blocking spammy sites' resolution will sit very well with the Slashdot Zeitgeist.

    Yes, I am sure this will be a spectacular success, just like AlterNIC is.
    • Ahh, yes - Yet Another Root Domain Name System, like AlterNic.

      From their FAQ: Is OpenDNS a root nameserver? [opendns.com]: "No. OpenDNS is a recursive nameserver. OpenDNS software talks to the root nameservers when necessary."

      Only on slashdot could you be completely wrong and Insightful at the same time.
  • by Bloodwine77 ( 913355 ) on Monday July 10, 2006 @08:12AM (#15690471)
    If people want to filter out bad sites and auto-correct bad URLs then that sounds like a job for a client-side application, not for DNS servers. DNS does one thing and it does it well: it acts like a phonebook for IP addresses. There is no bias in its resolutions. Keep it simple and let it do its job without red tape.
  • Service is pretty cool for people who can't run Bind (or something similar). However for those that can, I am guessing it's probably just as effective as running a caching-only DNS server and maybe Squid to emulate their phishing blocking (assuming you have access to known phishing sites). As a matter of fact, the local version should be even faster (although the cache will obviously be smaller so there is a tradeoff). Off the top of my head, I am not sure how you could do the spell checking. Does Bind have a similar option?
    • No, it's partly that (but really, who cares how many milliseconds are shaved off your DNS queries while the standard lookups are acceptably quick).

      It's the Spamhaus integration that makes this interesting - all those IP addresses for http://66.199.20.6/www.paypal.com/ [66.199.20.6]... will be blocked and all the not-technically-savvy users will have another layer of protection from phishing. If the websites you go to to buy your herbal viagra found their A records returning nothing, it'll help against the spammers too.
      If t
  • I give it 2 weeks (Score:4, Interesting)

    by Intron ( 870560 ) on Monday July 10, 2006 @08:16AM (#15690491)
    How long until the service is sued by either
    • A user who it fails to block from a phish site, or
    • A "legitimate" business that gets blocked?

    It's one thing to supply facts, but this service is editorializing DNS. I think they are leaving themselves open to attack based on their choices.
  • by muftak ( 636261 ) on Monday July 10, 2006 @08:19AM (#15690514)
    So using DNS servers that are 23 hops and 170ms away from me is meant to be faster than using ones 4 hops and 5ms away? Think they need some sort of distributed system with servers in every country, and some good peering.
  • by mxs ( 42717 ) on Monday July 10, 2006 @08:23AM (#15690534)
    This POS is neither new nor newsworthy nor useful, at least not for the reasons they try to sell it to you for.

    An alternative-root DNS system will never work (since Critical Mass is impossible to attain).

    Myspace will not get faster. Whoever made you believe that is selling snake oil, too.

    In fact, your DNS will actually slow down by a good bit; at least if you belong to the majority of the world (unlike root DNS servers, which actually deliver geographical and network dispersion). The big cache they are so proud of will create lots of problems if they actually do it differently from regular DNS resolver caches that you have at every major (and minor) ISP -- and those will be a lot closer to you than OpenDNS ever will.

    Fixing typos is a double-edged blade. Sure it's nice if slashdo.torg works. How about whitehouse.gom, though ? And who decides that microsaft.com is really typo-squatter ? (They might just make nice juices !)

    Their business model is funny, too. They sell advertisement for search pages in case they can't figure out where you want to go. This is hilarious, really. The selling point is that it can send you to the right page when you make a typo, but not figuring out what a typo was supposed to mean makes them more money. Hrrm. The better they become at their game, the less money they get ! Brilliant !
    (Not to mention that this is precisely what got Verizon into hot water with their SiteFinder crap).

    How on earth will OpenDNS stem the tides of spam ? Even IF it had a chance doing that purely with DNS, if it was relevant at all Spammers would find a way to make it inconsequential.

    Last, but not least, their company is small. There is no oversight. I don't know whether I want to trust a group of 20 people to decide who is an abuser and who is not. I'd rather have hundreds of parties involved in the process, providing a stable balance to one another. (Fun scenario: OpenDNS gets bought out by DirectRevenue.com, starts redirecting EVERY DNS request to their own servers, encasing every website with a nice adbar. Oops. (Points for doing it after attaining critical mass.))
    • by davidu ( 18 ) on Monday July 10, 2006 @10:03AM (#15691232) Homepage Journal

      This POS is neither new nor newsworthy nor useful, at least not for the reasons they try to sell it to you for.

      Well, to be fair, you're responding to the article and not the service. But I'm going to go through and answer each of your points because this post seems to cover a lot of the really important topics.

      An alternative-root DNS system will never work (since Critical Mass is impossible to attain).

      I couldn't agree with you more and we are *NOT* an alternate root. If you are using our service, you are using the real ICANN assigned roots. Period. Full Stop.

      OpenDNS is new particularly because of how we do what we do. We have built a recursive nameservice. That means that we are making the changes only for a client and not for the entire Internet. The article, while good at trying to cover a hard topic, fails to mention that not only are we opt-in but we can set preferences for different users.

      So if you don't want us catching typos, we won't. If you just want straight, normal DNS that's just using a bigger and faster cache, that's just fine by us. We aren't going to mess with you later for deciding that you just want a more reliable DNS. But when you setup your neighbor or mom or brother or friend you might decide they are better off with an added layer of security. The choice is, of course, yours and always will be.

      Myspace will not get faster. Whoever made you believe that is selling snake oil, too.

      First, MySpace is just an example, of course. It does like 10 DNS requests on the homepage loading web,ad,image server FQDNs. But to respond, empirical evidence thus far (from really smart people) would disagree with that statement. Hopefully we'll have some good and more scientifically grounded data soon. If you want to help out with that, let me know.

      In fact, your DNS will actually slow down by a good bit; at least if you belong to the majority of the world (unlike root DNS servers, which actually deliver geographical and network dispersion). The big cache they are so proud of will create lots of problems if they actually do it differently from regular DNS resolver caches that you have at every major (and minor) ISP -- and those will be a lot closer to you than OpenDNS ever will.

      Most resolvers tend to churn through their cache long before TTLs expire so what you're saying isn't exactly true. In many instances most recursive DNS servers toss out a bunch of glue that is consistently being re-fetched. While it's important to respect TTLs (and we absolutely do), it's also important to keep stuff in your cache to get the benefit of the TTL that was set by the zone owner. That's not happening and that's making your DNS not perform well. And it's more than just adding more ram to the system. DNS is 20 years old and it's now a quite critical piece of infrastructure. It's beautiful in many ways, but one way in which it isn't is with how resolvers work. Really, nobody has ever spent much time working on making a killer resolver until recently.

      Fixing typos is a double-edged blade. Sure it's nice if slashdo.torg works. How about whitehouse.gom, though ? And who decides that microsaft.com is really typo-squatter ? (They might just make nice juices !)

      We don't redirect typos like that. We have a ton of requests to do that, but we don't yet for exactly the reason you point out. It's a tough road to go down, and if we do it, it'll be a preference you set with a little checkbox or something. Not a choice I should be making for you. Our goal is to empower you to control what used to be this black box of a memory structure in a DNS server and add some transparency to it for you. That was lost a bit in the article as it focused mostly on the security aspects of our service but there's more; much more.

      Their business model is funny, too.

      • Wow. A really informative response by *the expert* to a fairly typical knee-jerk post. Good job. I don't currently have any use for the OpenDNS service, but I'm a lot more interested after this response than I was from the article. I hope y'all do well.
      • Hey, the guy's got a /. id of 18, so its got to be ok. :)
        • by davidu ( 18 ) on Monday July 10, 2006 @01:42PM (#15692816) Homepage Journal
          So true.

          What happens is nobody has tried the service that's posting this stuff. There's so much misinformation it's hard to know where to start. But I think the best thing I can say is this:

          People at EveryDNS have been using my services for years. We're one of the largest and most free services on the Internet. We've stood up to lawsuits from assholes like Diebold and others in the past in the name of our users. I wouldn't ever scam or do that nasty stuff this thread is saying I would. I have an open email, open door, and open phone policy. I am me, and there's a good amount of clue behind me, and even smarter people around me.

          So when I say this service is not going to spy on you or tell your parent that you look at porn, I'm serious. Read our privacy policy and know that we use the service too.

          Here's the last thing, These can all be preferences. People that don't want typos caught or other things can have a preference set that gives them just a better and more optimized DNS. When people ask us about our privacy policies I ask you, what does your ISP do? I mean, ATT just said they own all your data and they're being accused of working with the government to spy on you. We don't do that.

          Check it out,
          David Ulevitch
    • Verisign, not Verizon, but please, rant on. Don't let BEING COMPLETELY WRONG slow you down.
  • faster? (Score:5, Informative)

    by mtenhagen ( 450608 ) on Monday July 10, 2006 @08:26AM (#15690549) Homepage
    I did a quick test:

    - DNS query -

    - dutch hosted .org -

    opendns
      Query time: 1228 msec - they have to query upstream
      Query time: 261 msec
      Query time: 192 msec
      Query time: 192 msec
      Query time: 193 msec

    my isp
      Query time: 74 msec - they have to query upstream
      Query time: 29 msec
      Query time: 30 msec
      Query time: 29 msec
      Query time: 29 msec

    - us hosted .net -

    opendns
      Query time: 380 msec - they have to query upstream
      Query time: 192 msec
      Query time: 193 msec
      Query time: 193 msec
      Query time: 193 msec

    my isp
      Query time: 184 msec - they have to query upstream
      Query time: 29 msec
      Query time: 30 msec
      Query time: 29 msec
      Query time: 29 msec

    - Ping test -
    Ping to open dns: 192ms
    Ping to my isp: 29ms

    - Conclusion -
    The DNS response time is the same as the ping so they will never get faster than my ISP.
    • The dns repsonse is the same as the ping so they will never get faster then my isp.

      Anecdotal evidence is just that... Anecdotal.

      And your ISP isn't my ISP. Heck, I used to work for a very large ISP and we have DNS problems on occasion and we have to manually move people to different servers as they called in to complain.

      Secondly, if you have Comcast (I never worked for them though but had hellacious problems with DNS lookups last year), you might have DNS problems depending on where you live. Often times I w
  • by daitengu ( 172781 ) * on Monday July 10, 2006 @08:27AM (#15690558) Homepage Journal
    I can understand why slashdot geeks wouldn't want their DNS servers messed with, I'm among you, however most of the internet users out there aren't nearly as computer literate as we are, and this service I believe would be really good for them. Netcraft has been trying to fight the good fight against phishing and scamming sites for a long time, and here's a group of guys who are really blocking them at the source.

    I applaud their efforts, while it may not be for me, I think a lot of people are going to find it very useful.
    • by 99BottlesOfBeerInMyF ( 813746 ) on Monday July 10, 2006 @08:47AM (#15690666)

      I can understand why slashdot geeks wouldn't want their DNS servers messed with, I'm among you, however most of the internet users out there aren't nearly as computer literate as we are, and this service I believe would be really good for them.

      Most internet users don't know or care what a DNS server is. For this to succeed you need to capture the hearts and minds of the ISPs. Luckily for them, ISPs are very concerned about DNS right now as it is critical, somewhat vulnerable, and they are lacking visibility into it. Unluckily for them, the entrenched players have all started jumping on this and providing real solutions. Why block all requests to a DNS name when legitimate researchers and security people might need to get there? What about a cracked server that still hosts legitimate content as well? What about when the FQDN is a forum with 99% legitimate traffic and 1% worms and phishing?

      This solution is a shotgun where a scalpel is needed. Block worm traffic as detected by the DNS request, not all traffic to that domain. Also, contrary to what people seem to be thinking here, the main DNS issue is not worms or phishing (ISPs don't care that much) but they do care about large chunks of their traffic to the DNS servers coming from misconfigured servers repeatedly querying them. Since, in many cases, these servers are their own, blocking them with a fancy, broken DNS server is not the best plan. Redirecting other ISPs' servers to an ad a million times a day will not yield any long-term profit (since no person sees them). Rather, fixing their own servers and notifying others/filtering at the peering edge is the way to go. Since ISPs are now able to do that, I foresee a large yawn when operators see OpenDNS (what a misleading name, kind of like OpenXML).

  • they are located next to where the NSA operates its spyware on top of ATT. Hmmmmm, I wonder ...... With a centralized DNS, this will make for a nice way to control the internet.

    Personally, I have one word: Next.
  • Sites can periodically change their IPs. Is some kind of testing included in the caching app that makes sure that the cached IP numbers still work? And, even if the testing is periodic, will sites that change their IP numbers be broken longer than the usual propagation time of changes?

    And they'd *better* not cache *.homeip.net and *.dyndns.com.....

    -b.

    • *All* recursive DNS servers/resolvers do caching. They also obey something called 'TTL' for records when doing so, and dynamic-IP services such as those you refer to set a suitably short TTL so as to cause caching to expire appropriately.

      That they cache data isn't really that noteworthy, it's more them calling attention to it in their marketing more than anything else. Perhaps they have configured their servers to support a very large cache, so that it doesn't have to delete anything until the TTL does call f
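      The TTL behaviour described in the comment above, as an added illustration that is not part of the original post or of OpenDNS's own code: a toy recursive-resolver cache that keeps an answer only until its TTL lapses, so a dynamic-IP host with a short TTL is re-queried promptly while a static site with a day-long TTL stays cached. Hostnames, addresses and TTLs are constructed.

```python
import time
from dataclasses import dataclass


@dataclass
class CachedRecord:
    address: str
    expires_at: float   # absolute time (seconds) after which the answer must be discarded


class TtlCache:
    """Toy recursive-resolver cache: an answer is served from memory only until its TTL lapses."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream          # callable(name) -> (address, ttl_seconds)
        self.clock = clock                # injectable so the example can fast-forward time
        self.store = {}
        self.upstream_queries = 0

    def resolve(self, name):
        now = self.clock()
        hit = self.store.get(name)
        if hit is not None and hit.expires_at > now:
            return hit.address            # still fresh: answer from cache, no upstream traffic
        address, ttl = self.upstream(name)
        self.upstream_queries += 1
        self.store[name] = CachedRecord(address, now + ttl)
        return address


class FakeClock:
    """Manual clock so the demo can advance time without sleeping."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


# Constructed authoritative data (hypothetical names): a static site with a
# 24-hour TTL and a dynamic-IP host that publishes a 60-second TTL.
ZONE = {"static.example": ("198.51.100.5", 86400),
        "home.dyndns.example": ("192.0.2.10", 60)}


def demo():
    zone, clock = dict(ZONE), FakeClock()
    cache, out = TtlCache(lambda name: zone[name], clock), {}
    out["dyn_before"] = cache.resolve("home.dyndns.example")
    cache.resolve("static.example")
    zone["home.dyndns.example"] = ("192.0.2.11", 60)    # home connection gets a new address
    clock.advance(30)
    out["dyn_within_ttl"] = cache.resolve("home.dyndns.example")  # 30s in: old address still served
    clock.advance(31)
    out["dyn_after_ttl"] = cache.resolve("home.dyndns.example")   # TTL lapsed: re-queried, new address
    cache.resolve("static.example")                                 # long TTL: still a cache hit
    out["upstream_queries"] = cache.upstream_queries
    return out
```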
      • Really the more useful part of this (for the average user) would be the blocking of known phish sites and/or typo correction, than the caching. And to be honest, I don't see that great a value in it.

        Nor I. AFA phish scams, I type the (bank or whatever) site name into the browser myself - I don't click on links asking for account information in emails. Typo correction? What's the big deal about getting an error message that the named site doesn't exist and for you to reenter the name? What if you were

  • by fishbot ( 301821 ) on Monday July 10, 2006 @10:13AM (#15691309) Homepage
    FTFA: "Those who click on a link in a phishing e-mail that attempts to take them to a fake site and con them into entering their credit card number won't even make it to the website, if OpenDNS knows about it."

    A false sense of security is worse than no security at all. "if OpenDNS knows about it" indeed ... so when can the user trust that OpenDNS has successfully caught the phishing attempt, and when should they check that it has failed? The answer is simple; they should perform the same checks WITH OpenDNS as without, except now there will be a whole raft of users who don't know that and the phishing will get worse.

    The road to Hell is paved with good intentions ...
  • Improved system? (Score:3, Informative)

    by sgt scrub ( 869860 ) <<saintium> <at> <yahoo.com>> on Monday July 10, 2006 @11:31AM (#15691878)
    I'm sorry. When I think of system I think of daemons. Improvements to the DNS system would be appreciated. Someone to provide me with commercialized redirections and pay per use DNS service doesn't equate to improvement.

    Sites providing free email without protecting their URIz with spf protection is what needs to be fixed. This would help to kill spammers pretending to be google, yahoo, aol, et al.

    For a real improvement in DNS use spf http://www.openspf.org/ [openspf.org] and urge others to use it too.
  • Checklist (Score:3, Funny)

    by linvir ( 970218 ) * on Monday July 10, 2006 @11:48AM (#15692009)
    Your company advocates a

    (*) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    (x) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (x) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (x) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Extreme stupidity on the part of people who do business with Microsoft
    ( ) Extreme stupidity on the part of people who do business with Yahoo
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    (x) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    (x) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid company for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
  • What would DJB [cr.yp.to] do?

    --
    This .sig intentionally left blank

  • A traceroute from Amsterdam:

    traceroute to 208.67.222.222 (208.67.222.222), 30 hops max, 38 byte packets
    1 router.openswan.xtdnet.nl (193.110.157.158) 256.697 ms 0.638 ms 0.318 ms
    2 384.ae0.cr1.3d12.xs4all.net (82.94.242.233) 58.937 ms 22.735 ms 41.513 ms
    3 0.so-1-2-0.xr1.3d12.xs4all.net (194.109.5.57) 0.856 ms 0.917 ms 75.493 ms
    4 194.151.244.74 (194.151.244.74) 1.123 ms 2.135 ms 0.767 ms
    5 195.190.233.248 (195.190.233.248) 1.572 ms 1.916 ms 1.542 ms
  • It's a good thing this is dead in the water. Too few people care or are aware of the problem for a commercial product to provide any kind of solution. Plus, if the marketing material is accurate, it's already flawed.
    • Safer - helps prevent identity theft and warns against phishing attempts
    • Faster - speeds up your existing internet connection
    • Smarter - corrects spelling mistakes on the fly

    The first bullet is a dubious claim, the second one is clearly bullshit, and the third one makes a mess of bullet one by ma
