Public DNS servers: Less privacy in exchange of a security layer

There are several free public DNS servers on the Internet. Google, Scrubit and DNSadvantage are some of them. OpenDNS is the one I have selected to test in Ubuntu for a while. They offer web content filtering and basic protection against known phishing, botnets and some known worms.


Adding the OpenDNS name servers to /etc/resolv.conf is an easy task: their name servers are 208.67.222.222 and 208.67.220.220. If you are using DHCP, add those name servers, separated by a comma, to the file /etc/dhcp3/dhclient.conf with the following line:
prepend domain-name-servers 208.67.222.222,208.67.220.220;

There are, however, some additional steps to take if our ISP assigns us a dynamic public IP address, since OpenDNS has to know our current address to apply our network's settings. OpenDNS provides a simple updater utility for MS Windows and Mac OS users; in Linux we have to follow the steps below. After visiting several sites that provide input on this scenario (e.g. the Ubuntu docs or the ddclient site), I summarise only the steps that actually worked:
0. Sign in to the OpenDNS site, create your network and configure your security and content filtering settings.
1. Install ddclient e.g. in Ubuntu
$ sudo apt-get install ddclient
2. Configure the file /etc/ddclient.conf as follows (the last line is the network label you gave your network on the OpenDNS site):
# /etc/ddclient.conf for OpenDNS dynamic IP updates
ssl=yes
daemon=300
protocol=dyndns2
use=web
server=updates.opendns.com
login=yourlogin
password=yourpassword
# network label as registered on the OpenDNS site
yournetworknameintheopendnssite


3. If a /var/cache/ddclient/ddclient.cache file exists, erase its "ip=" segment so that the next run pushes the current address (you can skip this step).

4. Now it is advisable to:
4.1 Test ddclient from the command line with
$ sudo ddclient -daemon=0 -noquiet -debug
4.2 Start the daemon at boot by adding the line
/usr/sbin/ddclient -daemon 300 -syslog
to the file /etc/rc.local, before the final exit 0.

5. The ddclient daemon can be stopped with
sudo killall ddclient
or started with
sudo /etc/rc.local
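To check steps 2 and 3 before trusting the daemon, here is an added example (not part of the original post) that validates a ddclient.conf for OpenDNS, reads the cached "ip=" value and clears it. The file paths are parameters and the sample files are constructed in a temporary directory; on a real box they are /etc/ddclient.conf and /var/cache/ddclient/ddclient.cache.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the OpenDNS
# ddclient setup from steps 2 and 3. Paths are parameters so the functions
# can run against constructed sample files (written by make_samples below).

# check_ddclient_conf CONF: report settings that are missing or weakened.
# Returns 0 only when every expected line is present exactly as shown.
check_ddclient_conf() {
  conf="$1"; rc=0
  for want in 'ssl=yes' 'protocol=dyndns2' 'use=web' 'server=updates.opendns.com'; do
    grep -qx "$want" "$conf" || { echo "missing or changed: $want"; rc=1; }
  done
  # The last non-comment line without '=' is the network label registered at OpenDNS.
  label=$(grep -v '^#' "$conf" | grep -v '=' | grep -v '^[[:space:]]*$' | tail -n 1)
  [ -n "$label" ] || { echo "missing: network label"; rc=1; }
  return $rc
}

# cached_ip CACHE: print the ip= value ddclient remembered, or nothing.
cached_ip() {
  [ -f "$1" ] || return 0
  grep -v '^#' "$1" | tr ',' '\n' | sed -n 's/^ip=//p' | head -n 1
}

# clear_cached_ip CACHE: step 3 of the post, drop the ip= segment so the
# next ddclient run pushes the current address instead of trusting the cache.
clear_cached_ip() {
  [ -f "$1" ] || return 0
  sed 's/ip=[0-9.]*,//' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_samples DIR: write constructed sample files (placeholder credentials,
# documentation address 203.0.113.10, and a deliberately weak ssl=no).
make_samples() {
  printf '%s\n' 'ssl=no' 'daemon=300' 'protocol=dyndns2' 'use=web' \
    'server=updates.opendns.com' 'login=yourlogin' 'password=yourpassword' \
    'homenetwork' > "$1/ddclient.conf"
  printf '%s\n' '## ddclient-3.8.0' \
    'atime=0,ip=203.0.113.10,mtime=0,status=good homenetwork' > "$1/ddclient.cache"
}

dir=$(mktemp -d)
make_samples "$dir"
check_ddclient_conf "$dir/ddclient.conf" || echo "fix ddclient.conf before starting the daemon"
echo "cached ip: $(cached_ip "$dir/ddclient.cache")"
clear_cached_ip "$dir/ddclient.cache"
echo "after clearing: '$(cached_ip "$dir/ddclient.cache")'"
rm -rf "$dir"
```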

And ready to surf! OpenDNS will now see every site you visit (a privacy loss). However, that was already the case with your ISP's name service.

These "secure" name servers can constitute an additional security layer for home browsing, provided that the browser actually performs a name lookup. If the user types an IP address directly (or a trojan inside the box connects by IP address), there is no additional security layer. Sites like this one can provide the IP address of a site directly.

A little final note: these OpenDNS services (web filtering and basic phishing protection) take around 5 minutes to pick up a new IP address. Take that into account: the first 5 minutes of browsing after an address change will be "unprotected".

Happy name resolution! (and happy to read your comments)

Little addendum triggered by a cunning comment from a committed reader: An alternative to the use of these public DNS servers is running your own DNS server, configured to obtain names from the Internet root domain name servers. Certainly, a better alternative from a security standpoint. However, this option is only viable for those IT savvy individuals with sufficient skills, and resources, to run their own name service.

1 comment:

miguel said...

opendns is a company... should I say something more?

I tend to feel uncomfortable with "big players", and if privacy is not a big enough issue, what do you think about abuse?

dslreports.com -> OpenDNS-bad

at the end, they all want to make money... diversity is the key.