Is OpenDNS safe to use?

oshirowanen
Joined: 02/28/2014

Anyone know anything about OpenDNS? Is it safe to use, or should it be avoided? If it should be avoided, what are the alternatives?

t3g
Joined: 05/15/2011

I use OpenDNS, but with the OpenDNS DNSCrypt proxy that is available for Ubuntu 12.04/Trisquel 6: https://launchpad.net/~shnatsel/+archive/dnscrypt

Technically I am encrypting data between me and my DNS provider (OpenDNS), meaning that my ISP or anyone else cannot see my DNS traffic. Of course, OpenDNS is on the receiving end and has my data. But when you think about it, do we really have a choice? A DNS server is required, and no matter if you use the one that comes with your ISP or a 3rd party, it's just how it works.
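
What a DNS query looks like on the wire without DNSCrypt, as an added example that is not part of the original post: the sketch builds a standard unencrypted query and then decodes it the way any on-path device (ISP, Wi-Fi operator) could. The name `www.example.org` and the helper names are constructed for illustration; the DO bit shown is the DNSSEC request flag, which asks for signatures but does not encrypt anything.

```python
import struct

def build_query(name, qtype=1, txid=0x1A2B, dnssec_ok=True):
    """Build a classic unencrypted DNS query (the UDP port 53 payload)."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, int(dnssec_ok))
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN
    # EDNS0 OPT record: root name, TYPE 41, CLASS = UDP size, TTL carries
    # the flags (DO bit = 0x8000, "send me DNSSEC records"), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0) if dnssec_ok else b""
    return header + question + opt

def observe(packet):
    """Decode what anyone on the network path can read from the raw bytes."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    do_bit = False
    if arcount and len(packet) >= pos + 11 and packet[pos] == 0:
        rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        do_bit = rtype == 41 and bool(ttl & 0x8000)
    return {"name": ".".join(labels), "qtype": qtype,
            "is_response": bool(flags & 0x8000), "dnssec_ok": do_bit}

if __name__ == "__main__":
    # Constructed sample query; example.org is a placeholder name.
    print(observe(build_query("www.example.org")))
```
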

ssdclickofdeath
Joined: 05/18/2013

It may be better to use your ISP's DNS server, oshirowanen, because they already know the web sites you visit.

perezza.manuel
Joined: 03/15/2014

DNS as in quickest shortcut to insecurity with all kinds of powerful counterparties watching over it.

For legitimate traffic, I suggest using your own caching resolver validating DNS's RR with DNSSEC. To my knowledge "UNBOUND" is the best for this atm.

DNSSEC is not implemented by mostbigcashcompanies.com and will plug you directly into the root servers/gTLDS owned by good/bad guys depending on what activity you are running. DNSSEC will validate up to the domain user domain. More info here: http://nohats.ca/wordpress/blog/tag/dnssec/

For private traffic you can decide to trust a third party. But there is always a risk of them coming back at you. This is your decision after all. For a normal user I strongly recommend a VPN service. I found https://www.privateinternetaccess.com to be quite cheap.

GNUser
Joined: 07/17/2013

Using TorBrowser will protect yourself from revealing any info about your surfing to your ISP. However, it also has some disadvantages.
One question I have (it might be terribly stupid, lol), is if DNS is only used when accessing "www.namewebsite.com" or if it is also used even if we use "123.456.789.0" being this the IP of the website. Like, for example, if I was to remember the IP of a website and enter it directly, would I still use a DNS?
I never tried OpenDNS, but I think your suggestion of encrypting the traffic between you and the DNS is a good idea.

andrew
Joined: 04/19/2012

On 16/03/14 00:10, gnuser wrote:
> Using TorBrowser will protect yourself from revealing any info about
> your surfing to your ISP. However, it also has some disadvantages.
> One question I have (it might be terribly stupid, lol), is if DNS is
> only used when accessing "www.namewebsite.com" or if it is also used
> even if we use "123.456.789.0" being this the IP of the website.
> Like, for example, if I was to remember the IP of a website and
> enter it directly, would I still use a DNS?

If you enter the IP directly it shouldn't use DNS, AFAIK. However, many
hosts will have many websites hosted on a single IP address (HTTP/1.1
introduced the 'host' header to deal with this) so entering an IP
address won't always work.

Regarding Tor Browser, DNS requests are sent through the Tor network to
maintain anonymity.

Andrew.

G4JC
Joined: 03/11/2012

OpenDNS is fair, however I have never seen them deny keeping logs. OpenNIC is the best alternative since a majority of their user-operated servers purposely don't log your DNS queries. http://www.opennicproject.org/

Additionally you can still use DNSCrypt which adds considerably strong security against DNS leaking. http://dnscrypt.org/

As others mentioned however, DNS is not a do all. You will need to use other methods to protect all internet traffic.

perezza.manuel
Joined: 03/15/2014

I strongly discourage any user to use the tor network for the following reasons:

1) Bundled browser is full of vulnerabilities (Remote access included)
2) Most of the nodes are owned by people who will perform Mitm attacks even more if you use a layer 7 encrypted protocol. The chances of having an outgoing node that does spy and perform Mitm are absolutely not 0.
3) The bandwidth on that network is limited. Even if that network transports all kinds of dogshit, it does also transport legit traffic in countries where acting out of the box might get you killed.

OP was "is OpenDNS safe to use?" ... My answer is no because you do not own it.

oshirowanen
Joined: 02/28/2014

Is it possible to create your own basic personal DNS server? A bit like creating your own personal email server? Or is such a personal setup not possible in DNS form for some reason?

I understand how to create a personal email server because I understand what email is and how it works. However, I am still a little unclear as to what a DNS server actually is and what it actually does. I'll read about it asap.

Thanks.

perezza.manuel
Joined: 03/15/2014

This will help to understand http://www.zytrax.com/books/dns/.
This will answer any pending queries http://unbound.net.

andrew
Joined: 04/19/2012

On 17/03/14 19:00, perezza.manuel wrote:
> I strongly discourage any user to use the tor network for the
> following reasons:
>
> 1) Bundled browser is full of vulnerabilities (Remote access
> included)

[citation needed]

> 2) Most of the nodes are owned by people who will perform Mitm
> attacks even more if you use a layer 7 encrypted protocol. The
> chances of having an outgoing node that does spy and perform Mitm
> are absolutely not 0.

First of all, an MITM attack is not possible for normal Tor nodes as
they can only see encrypted traffic.

For the exit nodes, however, MITM attacks are indeed possible and have
been done before.* However, if you are using end-to-end encryption, an
MITM attack is presumably not possible without your browser warning you,
providing that the CA system is secure. This is not unique to Tor, by
the way, as MITM attacks are possible on ANY network.

Regarding MITM attacks, you should also read:
https://blog.torproject.org/blog/plaintext-over-tor-still-plaintext

and the usual Tor warnings:
https://www.torproject.org/download/download-easy.html.en#warning

* see "Exposing malicious exit relays" under
https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-january-22th-2014

> 3) The bandwidth on that network is limited.

Indeed, but Tor users often change their web browsing and internet usage
habits to adapt to the slower speeds.

Tor is also much faster now than it was, say, a few years ago.

> Even if that network transports all kinds of dogshit, it does also
> transport legit traffic in countries where acting out of the box
> might get you killed.

I don't understand what you mean.

> OP was "is OpenDNS safe to use?" ... My answer is no because you do
> not own it.

I think the meaning of "safety" is vague and difficult to answer.

Andrew.

perezza.manuel
Joined: 03/15/2014

Hi,

My argument is first based on the fact that the entry point (firefox outdated version) is vulnerable http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox. Since the entry point is broken, everything that builds on it shall fall to pieces.
Second, I used to use Tor when it took about 10 seconds to load a simple text page. Trust me it was camped 24/7 years ago. Back then you could count the number of nodes... Any "fast" node would be suspicious because at that time bandwidth was expensive.
Third, simple things such as freedom of speech are denied in a lot of places. Tor might be necessary in some cases where the pressure is too heavy and people don't have enough time/money. Instead they could simply download a bundle and upload their files. Denying will take multiple forms, you go check it out.
The users we got here are apparently not under any pressure, don't you think?

andrew
Joined: 04/19/2012

On 18/03/14 17:29, perezza.manuel wrote:
> Hi,
>
> My argument is first based on the fact that the entry point (firefox
> outdated version) is vulnerable
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox.

Tor uses the Firefox ESR releases, which Mozilla backports security
patches to. Every seventh Firefox release is an ESR release (10, 17, 24,
...).

More information on ESR releases from Mozilla:
http://www.mozilla.org/en-US/firefox/organizations/

> Second, I used to use Tor when it took about 10 seconds to load a
> simple text page.

It doesn't usually take ten seconds to load a simple text page these
days, although 'heavy' webpages can take ten seconds or longer.

> Trust me it was camped 24/7 years ago. Back then you could count the
> number of nodes... Any "fast" node would be suspicious because at
> that time bandwidth was expensive.

The Tor project has asked organisations, universities etc. to host Tor
nodes. These institutions have very fast network access as they are
located much closer to the internet backbone, unlike typical home
broadband connections. This is also a historical fact, as universities
were among the first institutions to participate in the global Internet.

There is nothing suspicious about the performance of the Tor network, IMO.

> Third, simple things such as freedom of speech are denied in a lot of
> places.

Indeed (but preventing censorship is only one of the many purposes of Tor).

> Tor might be necessary in some cases where the pressure is too heavy
> and people don't have enough time/money. Instead they could simply
> download a bundle and upload their files. Denying will take multiple
> forms, you go check it out. The users we got here are apparently not
> under any pressure, don't you think?

I don't entirely understand, can you rephrase this?

Andrew.

perezza.manuel
Joined: 03/15/2014

Ok so after reading a bit it looks like they did something to identify "tampering nodes". According to my memory nothing of that kind existed years ago. This explains that.

They talk about your OpenDNS here https://trac.torproject.org/projects/tor/wiki/doc/badRelays

Juicy content, thanx for sharing