Setting up new security appliances or rolling out security software to an organisation's users is usually a time-consuming and frustrating experience.
But there is a free service available that will not only boost security, but also improve the daily life of your users: OpenDNS. It is quick and simple to set up, delivers safer Web usage and also reduces page load times. OpenDNS provides a quick win for network administrators tasked with controlling user access to Web content and protecting them from phishing attacks.
DNS, short for domain name system, is a critical component of the Internet and translates human-friendly computer names into IP addresses, for example, www.google.com to 18.104.22.168. Most networks use the DNS servers assigned by their Internet Service Provider or point directly to the root servers.
OpenDNS, however, is a DNS resolution service that can be used as an alternative by everyone, from home users to networks of major enterprises. Enterprises can simply point to the DNS servers provided by OpenDNS, instead of using those offered by an ISP. OpenDNS first launched in July 2006, and in April this year, it hit the milestone of answering more than 10 billion DNS queries in a single 24-hour period. Impressive, but let's examine how to use OpenDNS to improve enterprise security.
Web content filtering
The two key security services OpenDNS provides are Web content filtering and phishing protection. Content filtering is set up via a dashboard on the OpenDNS website, and desired filtering levels can be set using their numerous content categories. Preferences can also be customized by adding additional categories or individual websites. You can also set up different filtering levels for different networks within your organisation. You don't need any expensive or complex network appliances to do it, although per-machine preferences aren't possible unless a machine has a public IP address.
I also really like the fact that you can add your own corporate logos and security messages to the pages that appear if a user tries to access a blocked site. This is a great way of letting everyone know that your Internet policy is being enforced and that proactive security measures are in place.
Phishing protection is provided by using OpenDNS' PhishTank. PhishTank is a collaborative clearing house for data and information about phishing on the Internet; it's a very effective way of flagging suspected scams and verifying their illegitimacy. Other tools include detailed statistics to monitor network traffic and spot any problematic trends. The CacheCheck tool can be used to diagnose DNS query problems, while SmartCache enables users to access websites that may be down due to authoritative server failures.
There are some other nice features, such as typo auto-correction and "Browser Shortcuts," which allow users to map a short term to a long URL via the address bar. Full marks go to using OpenDNS for making the dashboard easy to use and settings easy to customize. Its numerous support articles provide very clear instructions and solutions backed up by a ticketed support service.
Administrators can quickly pinpoint any machines infected with particular viruses and worms, like Conficker for example, by checking their OpenDNS Dashboard. Any networks with PCs that try to connect to Conficker addresses are flagged on the administrator's private statistics page. It, of course, prevents infected machines from connecting to these rogue servers.
I should make it clear that OpenDNS doesn't provide domain name hosting services or authoritative DNS. It also can't see your private network, so it can't resolve internal requests for resources such as printers and network shares. Your local DNS resolution service, such as Active Directory or BIND, will need to continue resolving these requests with external DNS requests forwarded to OpenDNS.
DNS servers are critical to the smooth and safe working of the Internet, and a compromised DNS server gives a hacker truly dangerous opportunities. OpenDNS takes security very seriously, but security professionals using their service should subscribe to their RSS feed to stay updated on any issues that may arise.
OpenDNS is not the only alternative DNS service out there -- others include NeuStar's DNS Advantage and FreeDN. Using OpenDNS, however, is a long way out in front and its relationship with Netgear, announced at the start of this year, will certainly keep it in the top tier.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.