path: root/wired/old/published/Webmonkey/OpenDNS.txt

Few of us spend much time thinking about the internet's domain name system: the architecture that invisibly translates a browser's request for, say, wired.com into the numeric IP address where the site is hosted.

Yet, despite being largely transparent, the DNS system is not without its problems. Security researcher Dan Kaminsky recently [http://www.wired.com/politics/security/commentary/securitymatters/2008/07/securitymatters_0723 discovered critical a vulnerability] in some DNS servers. Despite trying to keep the information under wraps until a patch could be released, the attack leaked out and venders scrambled to patch their servers.

The DNS flaw that Kaminsky discovered allows a hacker to conduct a "cache poisoning attack" that could be accomplished in about ten seconds, allowing an attacker to fool a DNS server into redirecting web surfers to malicious web sites.

The problem is, how do you know your ISP has applied the patch? There's really no way you can know, short of watching for an e-mail update or press release. But the news isn't something most venders would want to advertise -- uh, sorry, but it turns out our servers are insecure and might make you vulnerable to very simple attacks you'll never notice.

Fortunately there is a solution -- just bypass your ISP's DNS server and use a service like OpenDNS, which was one of the few DNS venders [http://blog.OpenDNS.com/2008/07/08/OpenDNS-keeping-you-safe/ not affected by this latest bug]. Because OpenDNS uses a number of security enhancements above and beyond what your common ISP is likely to employ (like source port randomization) it wasn't affected by the bug Kaminsky discovered.

Not only does OpenDNS offer a more secure setup, you get a host of advanced features and it just might be significantly faster as well.

== Introducing OpenDNS ==

Put simply, OpenDNS is safer and faster DNS replacement. Set up is not much more difficult than setting up a POP e-mail account and you get quite a few extra features as an added bonus.

OpenDNS provides niceties like spelling correction -- type wordpres.org when you meant, wordpress.org? OpenDNS automatically corrects and redirects. OpenDNS also caches IP addresses so it doesn't have to do a fresh look up every time you request a page, which results in faster load times.

Other power user features include the ability to set network-wide keyboard shortcuts (always heading to the Webmonkey homepage? Set up a keyword shortcut and all you need to type is say, "m" and OpenDNS will take you straight to webmonkey.com), phishing blacklists to keep you out of trouble and IP blocking to prevent users from accessing sites you don't want them visiting.

== Getting Started ==

There are two main ways to set up OpenDNS. First off you can set it up for just a single computer -- if you've only got one PC plugged directly into your cable/DSL modem this would be the way to go.

However, these days most of us probably have some sort of router between the modem and our PCs. Let's take a look at how to set up OpenDNS with a router.

The first step is to sign up with OpenDNS -- don't worry, it's painless and free. Once you have an account you need to configure your router to use the OpenDNS DNS servers rather than the defaults your ISP provides.

Most routers have some kind of web-based configuration panel, for instance, Linksys routers can be accessed at [http://192.168.1.1 http://192.168.1.1]. Check your router's documentation to see where the config screen lives, or consult the OpenDNS site which provides [https://www.OpenDNS.com/start specific instructions] for about a dozen different routers.

Once you've logged into your router's config panel, the settings you want to look for are the Static DNS Server settings. Chances are those fields are currently blank, but if not write down your current DNS settings before switching them over OpenDNS, in case you want to return to your old settings for any reason.

Now just plug in OpenDNS's addresses, which are 208.67.222.222 and 208.67.220.220. If your router has space for more than two addresses just leave the extra spaces blank.

Now save your settings. Your router will most likely reboot and once it's done you should head to the [http://www.OpenDNS.com/welcome/ OpenDNS test page] and make sure that you are in fact using the OpenDNS servers.

And that's it, you're done.

== Advanced options ==

Now you're safe from the DNS bug and you can login to your OpenDNS account to configure some advanced options (just click the Dashboard link at the top of the site).

The OpenDNS dashboard has links to all the cool features -- setup keyword shortcuts, block domains, see network statistics and even enable dynamic IP updating.

You maybe wondering how OpenDNS makes any money giving all this stuff away. The answer is that every time you encounter a DNS error, in other words the site doesn't exist, OpenDNS dumps you on a custom error page complete with, you guessed it, Google ads (and a customized Google search page which can be used to search for whatever site you're looking for).

If you like you can customize that error page with your company's logo or any other branding you want. There are also controls for customizing blocked site messages, phishing block pages and more.

== Custom router setups ==

While OpenDNS is pretty easy to set up and the site has great instructions for most stock routers, what if you're using a custom router firmware like [http://www.polarcloud.com/tomato Tomato] or [http://www.dd-wrt.com/dd-wrtv3/index.php DD-WRT]? In that case setup can be a little more difficult. With the DD-WRT firmware in particular you may have a little trouble getting it to play nice with OpenDNS.

Fortunately there are some [http://www.dd-wrt.com/wiki/index.php/OpenDNS DD-WRT forum posts] on the subject and a couple of tips on [http://www.OpenDNS.com/support/article/120 the OpenDNS site] as well. The solution depends on what version of DD-WRT you're using so be sure to have that info on hand before you start searching.

== Conclusion ==

OpenDNS provides an easy way to sidestep the latest DNS bug. Of course there's no guarantee that there won't at some point be a flaw in even the DNS setup that OpenDNS uses, but at least you'll know about since you control most of your DNS settings.

And the fact that you get spelling corrections, phishing protection, IP black/whitelists and a faster browsing experience, well, that's just the icing on the cake.