This week we had another Internet security exploit revealed. And while I don't want to get into the details, let's just say that if you aren't using OpenDNS.com for your home network, now is the time to take the five minutes and get it done. It is simple (well, as these things go), it is free, and it will protect you from any number of issues in the future. And you might get better browsing performance as a result.
Before I tell you how to do this, here is a brief explanation of what the Domain Name System is, for those of you who really want to know. Think of what a phone book does (remember them? Before we used online searches to look up a friend's number; it seems so quaint now): if you know someone's name, it lets you look up their phone number. The names are in alphabetical order, so if you know the alphabet, you can quickly page through and find the person, if they are listed.
The DNS does something similar, except for computers: if you type in "google.com" it translates that name into a sequence of four numbers, called an IP address, which in this case for google.com is 72.14.207.99. Paul Mockapetris, a gentleman I have spent some time with and one of the Internet bright lights, put the thing together in the early 1980s, and it is enshrined in RFC 882, even before Al Gore had invented the Internet itself.
http://tools.ietf.org/html/rfc882
The overall Internet infrastructure has a series of master phone books, or DNS root servers, located at strategic places around the world and maintained by a collection of public, semi-public, and private providers. They talk to each other on a regular basis, to make sure that as we add new domains they are in synch. As you can imagine, if someone wants to "poison" one of the entries, or misdirect Internet traffic to a phony domain, it can be done with the right amount of subterfuge.
Here is where OpenDNS comes into play. When you set up your home network, typically you don't give your DNS settings any further thought. If you have a cable or DSL modem, you hook it up and it automatically gets its DNS settings from the cable or phone company's DNS servers.
What I am suggesting is that you change these settings, to reflect the DNS servers at OpenDNS. There are instructions on their Web site, but basically you specify the two (one is used for backup) DNS IP addresses for your router or DSL/cable modem. If you have a wireless gateway from Netgear or someone similar, you make the entries there. You need to know the router's IP address, and how to access it via its Web interface.
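A check to run on a Linux or macOS machine after making the change described above, added here as an example and not part of the original post: it reads resolv.conf-style text and reports whether lookups go to OpenDNS, to the router, or somewhere else. The two OpenDNS addresses are the service's published resolvers and do not appear in the post; the function names and sample configurations are constructed for illustration.

```python
import ipaddress

# OpenDNS's published IPv4 resolvers (assumption: not listed in the post).
OPENDNS = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}
# Addresses that mean "a router or local stub answers first".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def nameservers(text):
    """Return the nameserver addresses found in resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        for marker in "#;":                      # strip comments
            line = line.split(marker, 1)[0]
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                found.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue                         # skip malformed entries
    return found

def classify(text):
    """Say where this machine's DNS queries go, judged from its config."""
    servers = nameservers(text)
    if not servers:
        return "none"
    if all(s in OPENDNS for s in servers):
        return "opendns"
    if all(any(s in net for net in LOCAL_NETS) for s in servers):
        return "local-forwarder"   # check the router's own DNS settings
    if any(s in OPENDNS for s in servers):
        return "mixed"             # some lookups still bypass OpenDNS
    return "other"                 # e.g. the ISP's resolvers

# Constructed sample configurations.
ROUTER = "nameserver 192.168.1.1\n"
DIRECT = "# set by hand\nnameserver 208.67.222.222\nnameserver 208.67.220.220\n"
MIXED = "nameserver 208.67.222.222\nnameserver 203.0.113.53\n"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print(classify(fh.read()))
```

A result of `local-forwarder` is the usual outcome on a home network: the computer asks the router, so the OpenDNS addresses have to be confirmed on the router's settings page.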
There are a few nice things about using OpenDNS. First, you can set it up to block objectionable domains, so that you might be able to keep your kids from seeing something that you would rather they didn't. They also spend time blocking known exploit domains, so you have a better chance of not getting trapped by some hacker. You also get better DNS service, because they have servers that will return the domains supposedly faster than the ones for the general Internet. They also catch common typos, so if you are like me and make mistakes typing in names in your browser, they can usually direct you to the place you intended.
How do they make money? If you type in an unknown domain name, you are directed to their search page where they show ads, just like the Google search pages.
OpenDNS is not the answer for everyone, and businesses should go a step further and protect their DNS servers on their networks. While I don't want to get into that here, you can find out more about the exploit from the experts. Start with this blog post:
http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
It is sad that the Internet is at risk: this exploit is serious, and goes at the core protocol that everyone uses all day long. Hopefully, the engineers will find a fix soon.
Wednesday, July 23, 2008
About Me
- David Strom
- David Strom has looked at hundreds of computer products over a more than 20 year career in IT and computer journalism. He was the founding editor-in-chief of Network Computing magazine, and now writes for Baseline, Information Security, Tom's Hardware, and the New York Times.