Protecting your home network with OpenDNS for free

Protecting your home network with OpenDNS for free

There are many ways to carry out a cyber attack.  You can go super technical with smashing the stack, super strength with brute forcing, or super easy with social engineering.  If you have a psychopath trying to get into your system for their own amusement, there really is very little you can do to defend yourself (except read Pieter Hintjens awesome book, The Pyschopath Code).  This is why security professionals have been saying for years that if the hackers aren't already inside your system, they will be soon.

So what are we as mere mortals supposed to do against these super villians?  One thing is to understand that the majority of time they are just looking to recruit your computer for their nefarious activities.  If you are already following the recommended guidelines of patching your computer, picking strong passphrases (passwords are dead), running firewalls and thinking before you click, then the past defense you can set up is to block the nefarious computer crackers once they are inside or have convinced you to click.

Domain Name Service

Domain Name Service, or DNS, is the protocol that is used on the Internet to translate names like, "security.ias.edu", into an Internet Protocol (IP) address, like, "23.23.83.148".  You can think of DNS like an old time phone book.  In a phone book, you would look up Jenny Tutone's name in order to see her phone number is 867-5309.  So you can think of DNS as a giant phone book for the Internet.

When the nefarious cracker breaks into your computer or convinces you to click on a link, the majority of time, it looks up an IP address with DNS to an evil website or computer on the Internet to download malicious instructions to follow.  This article discusses how to interrupt this IP address lookup, so that the phone home can't happen.

DNS works like this, when you look up a site, like "security.ias.edu", you first break it down in its domain components.  You can think of it like a proper name where "ias.edu" is the lastname, and "security" is the first name.  Just like a phone book, you would look the name up by the last name first, and then by the firstname.  Unlike proper names, though, domain names can have many components.  So, technically, "edu" is the lastname, "ias" is the next to last name and "security" is the first name.  You start with the lastname and get more and more specific as you move toward the firstname (or hostname).

When we had phonebooks, they were split into multiple books because of the number of people in the world.  Every city/municipality would have its own phone book to cut down on the size.  If you needed to call someone in another town, you might have to go to the library and pick a different phonebook to look them up.

The Internet has a similar problem. Before DNS, everyone just had a copy of all the names to IP addresses.  In the early 80's, though, this got out of control, and DNS was born.  They split out the services and had a different one setup for .com's, .org's, .edu's etc.  Then you would contact the ".edu" service to tell you where to look for ".ias.edu".  Then, you would contact the ".ias.edu" service to find out where "security.ias.edu" was.  Every Internet Service Provider (ISP) would have their own DNS servers to do all this running around for the user and find the answer to their query.

OpenDNS (now a part of Cisco)

In July 2006, OpenDNS opened its doors to "provide a safer, better, and faster internet browsing experience for all OpenDNS users".  The basic idea was to replace the DNS servers that the ISP provided with some that did something special.  They identified malicious sites on the the Internet, and returned a fake IP address for them that redirected the user to a safe landing page instead.  This simple redirection is very effective at interrupting nefarious connections by never letting them happen in the first place.

Imagine that you were trying to call your Aunt Hilda and looked her name up in the phone book, but you accidentally chose the wrong Hilda Hopperstein.  The phone number you are actually calling is for a 900 number service that will cost you money.  Now, imagine that the phone book could recognize that 900 numbers aren't what you want and redirect you to another number that simple said, "sorry, you dialed the wrong number, we think this one is malicious".  That is exactly what OpenDNS does for you.

Setting it up

You've made it this far.  Setting it up is easier and quicker than what you've read.  It will start working immediately and not cost you a dime.  You have two choices going forward.

  1. OpenDNS Home: This is the original product and blocks access to malicious and nefarious sites that try to steal your information. (DNS servers: 208.67.222.222 and 208.67.220.220)
  2. OpenDNS Family Shield: All the benefits of OpenDNS Home and it will block adult content as well (DNS servers: 208.67.222.123 and 208.67.220.123)

All you need to do is set your DNS servers to point to OpenDNS.  If you want more fine grain control, you can optionally set up a free account with them.

Once you are set up you can test your site by opening a test site here: http://www.internetbadguys.com.  This is a site owned and operated by OpenDNS for the sole purpose of testing your set up.  It will clearly state on the site whether or not you are using their service.

If you run an enterprise network, I recommend taking a look at Cisco Umbrella (OpenDNS for the workplace), or a similar service from another provider.

Results?

I've been running OpenDNS at my home for about a decade now.  When it first came out, I remembered thinking this is going to be a game changer.  Since then, some malware has been shipped with IP addresses instead of domainnames, which makes it not work.  Also, new hostnames are created all the time that might have a quick exploit and then disappear.  It is difficult to stay ahead of these, but OpenDNS does a very good job.

In the end, next to running your own DNS infrastructure with feeds (like Farsight's awesome passive DNS feed), your best bet is just to use OpenDNS.  Again, it is quick, easy, free and will block the vast majority of attacks that plague our world.