If you aren’t already using OpenDNS to protect your small-business network, you should take a few minutes now to set it up. The security benefits are well worth the time investment: OpenDNS is free, it has contributed significantly to the fight against the Conficker worm, and it will protect you from any number of future attacks. As a bonus, it may enable your network’s users to experience better browsing performance.
Before I describe how to do this, let’s review what the Domain Name System is. Much as a phone book lets you look up people’s phone numbers by looking up their names, the DNS provides a unique-address registry for computers: Type in ‘google.com’ and DNS translates that name into a sequence of four numbers called an IP address (for google.com, it’s 72.14.207.99).
In the overall Internet infrastructure, various public, semipublic, and private providers maintain a series of master phone books, or DNS root servers, at strategic places around the world. The root servers talk to each other regularly to ensure that they remain in sync as users add new domains. If interested parties want to “poison” an entry or misdirect Internet traffic to a phony domain, they can do so with the right amount of subterfuge. Last year, for example, an Internet provider in Pakistan managed to block access to all of YouTube when it attempted to prevent Pakistani citizens from viewing a video it deemed offensive.
Here’s where OpenDNS comes into play. Normally when you set up your network, you don’t give your DNS settings another thought. If you have a cable or DSL modem, you hook it up and it automatically gets its DNS settings from the cable or phone company’s DNS servers.
I recommend, however, that you change these settings to reflect the DNS servers at OpenDNS. This free service makes its money by serving ads when a user types in a domain that doesn’t exist. The OpenDNS Web site provides instructions for altering your DNS settings, based on the router you use on your network. The whole process–reading through the instructions and implementing the changes–should take you only a couple of minutes.
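After changing the router, it is worth confirming what each machine actually ended up with. The following check is an added example, not part of the original article or any OpenDNS tool: it classifies the `nameserver` entries in resolv.conf-style text. It assumes the two OpenDNS public resolver addresses shown in the code (they are not given in the article) and uses a constructed sample configuration.

```python
import ipaddress

# OpenDNS public IPv4 resolvers; confirm against OpenDNS's setup instructions.
OPENDNS = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}


def audit_resolvers(conf_text):
    """Classify each nameserver in resolv.conf-style text.
    Verdicts: "opendns"; "local" (router or local forwarder, so its upstream
    DNS setting still has to be checked); "other" (another public resolver,
    such as the ISP's); "malformed" (not an IP address).
    """
    results = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(fields[1].split("%", 1)[0])  # drop zone id
        except ValueError:
            results.append((fields[1], "malformed"))
            continue
        if addr in OPENDNS:
            verdict = "opendns"
        elif addr.is_private or addr.is_loopback or addr.is_link_local:
            verdict = "local"
        else:
            verdict = "other"
        results.append((fields[1], verdict))
    return results


def fully_on_opendns(conf_text):
    """True only if at least one nameserver is set and every one is OpenDNS."""
    verdicts = [v for _, v in audit_resolvers(conf_text)]
    return bool(verdicts) and all(v == "opendns" for v in verdicts)


# Constructed sample: OpenDNS first, with a leftover resolver and router entries.
SAMPLE = """\
nameserver 208.67.222.222
nameserver 8.8.8.8   # leftover public resolver
nameserver 192.168.1.1
nameserver fe80::1%eth0
"""

if __name__ == "__main__":
    for address, verdict in audit_resolvers(SAMPLE):
        print(f"{address:<16}{verdict}")
```

A "local" verdict is the common case behind a home or office router: the client is fine only if the router itself forwards to OpenDNS, so check the router's WAN DNS setting as well.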
Using OpenDNS has several benefits. First, you can set it up to block objectionable domains, thereby protecting your business from lawsuits. Second, OpenDNS blocks known exploit domains, so you have a better chance to avoid getting trapped by some hacker. You also get superior DNS service thanks to OpenDNS’s servers, which reportedly return OpenDNS domains faster than ones for the general Internet. And finally, the service catches common typos in domains–a big plus for people who make more than their share of mistakes when typing domain names into their browsers.
Adopting OpenDNS is just the first step in securing your DNS resources. If you’re interested in learning more about how to strengthen your defenses, a good place to start is with “Not a Guessing Game” by Paul Vixie. Vixie, one of the original Wise Men of the Internet, has been involved in authoring numerous requests for proposals (RFPs) and protocols. He is currently participating in a substantial effort to create a new series of secure DNS protocol extensions, along with products to support those extensions.
David Strom is a former editor-in-chief of Network Computing, Tom’s Hardware.com and DigitalLanding.com and an independent network consultant, blogger, podcaster and professional speaker based in St. Louis. He can be reached at david@strom.com.