Expert Texture Home Contact me About Subscribe Digipede Connect on LinkedIn rwandering on Twitter rwandering on FriendFeed

rwandering.net

The blogged wandering of Robert W. Anderson

Dynamic IP and OpenDNS? Watch out.

February 27, 2008 at 12:31 pm · Filed under Web 2.0

OpenDNS is a cool service.  I use it.  It basically provides two kinds of services:

  • Better DNS Servers: to get this service, you just switch your DNS settings to their servers.
  • Extended services:  various typo-correction features, domain shortcuts, domain blocking and anti-phishing, and domain usage tracking.  To get these services, you create an OpenDNS account.

I use their servers, and while I do have an OpenDNS account, I don’t use any of the extended services. 

At least, I don’t intentionally use them.

The problem is that the services are applied based on the IP source address used in DNS queries.  IP addresses change.  IP addresses are not secure.  For most people they are dynamic.

This impacts the reliability of the service . . . 

  • For example, User A defines OpenDNS extended services associated with their IP address.
  • IP address changes.
  • User A either doesn’t have the services they are relying on, or gets services they never signed up for. 

. . . and has privacy implications . . .

  • User A changes their DNS settings, signs up for the additional services, and starts tracking domain queries.
  • User B never signs up, but just changes their DNS settings to the OpenDNS servers.
  • At some point (before or after A signs up), B gets A’s old IP address.
  • A is tracking B’s queries.

Unlikely?  Maybe.  Possible to exploit?  Definitely.  Expected by users?  I doubt it.  In fact, User B probably didn’t think this was possible. 

This is such an obvious issue that I went looking on the OpenDNS site for answers.  I expected a big warning like this:

Warning: Using OpenDNS with dynamic IPs is an advanced use case.  To use OpenDNS with dynamic IPs, you must sign up for an OpenDNS account and reliably update us with your IP address when it changes.  If you do not, other users may track your DNS queries and extended services may get applied even though you did not sign up for them. 

Expecting I must just be missing something, I posted on the community, and got an unconvincing . . .

not a major issue…and we won’t let it become one

Sounds like stonewalling to me.

So, why do I care?  User contracts 101 says if you don’t like the service, don’t use it.  OK.  I might just quit the sevice.  That is fine.

But, the user contract of “just use our DNS servers and everything is better” does not include these major caveats.  I think it is misleading.

What do I think they should do about this?  I dunno, but here is an idea:

  1. Split their DNS servers into 2 (Primary / Secondary) pairs.  This eliminates the problem for the users who use the OpenDNS servers without signing up for an account.
    • First pair doesn’t enable any extended services (except for the OpenDNS Guide).
    • Second pair is required for the extended services.  This pair is provided to users only after sign-up. 
  2. Promote a warning like the one I give above. 

These solutions don’t make the problem go away, but they make sure users are informed about what is actually going on.  And they make for a sensible user contract.

 trackback

Tags: , , , ,

    Trackback

8 Comments »

    John Roberts wrote @ February 27th, 2008 at 12:43 pm

Robert, sorry you felt like I was stonewalling.

Here’s the situation:
1. It can happen as you describe.
2. It has not happened very often.
3. As OpenDNS grows, we can expect it to happen more often IF we don’t do anything. So… we’re doing several things.

I don’t like to talk about stuff we haven’t delivered yet (anti-vaporware), but here’s an example of one of those steps.

Many of the dynamic IP pools have been flagged as such in various ways. When you add a dynamic IP as an OpenDNS network, we’ll recognize that and give you next steps accordingly (checking the box for dynamic by default, lead you to the software downloads required, etc.).

You’re talking about a rare problem now, which we’re aware of, and which we’ll address before it becomes a real issue instead of a “what if” situation.

I’m glad you’re using our service, and I hope you’ll continue. And the feedback is helpful, even if we disagree about the scope of the problem.

Regarding privacy, I’d point out the OpenDNS privacy policy at http://www.opendns.com/privacy/ and underline that network statistics are OFF by default for anyone with an account and network.

John Roberts
OpenDNS

    Robert W. Anderson wrote @ February 27th, 2008 at 1:19 pm

John,

Thanks for your comment.

I do wonder when you say “not happened very often”. Is this statement based on user complaints (which we would expect to be minimal) or internal data that show that different accounts have rarely shared IP addresses? Either way, this doesn’t begin to deal with the issue of the user who just uses your servers nor how visible you make this issue to prospective users.

Knowing when IPs are dynamic can mitigate this issue, but without a warning like the one I proposed, I don’t think you are being clear enough to your users. Even with a warning, the user who just uses your servers is counting on your extended services users to update IPs correctly. This is why I suggested the two server pairs.

Statistics being off by default is neither here nor there, it only reduces the likelyhood that it doesn’t happen. That doesn’t make the service more secure or “private”.

Regarding stonewalling, it was not just your response in the forums, but also my collective experience at the OpenDNS that makes me feel this is being swept under the rug. For example, why doesn’t your privacy policy point out the vulnerability?

Robert

    Van Glass wrote @ August 31st, 2008 at 4:13 pm

Hi Robert,

I’m glad that I’m not the only person who is concerned about this. I first looked to OpenDNS as a way to use a more reliable DNS service since my ISP DNS servers are always going down. When I tried to register my IP address I got the message “Network already registered” which means that someone already registered this dynamic IP address even though I am the one that owns it now. It immediately got me thinking “So someone is possibly tracking me?”.

My concern is over privacy in that if someone else tracks the stats, they can easily begin to see what sites I am visiting and build a profile on my IP address and identity. For example, they can see what bank I use, what company I work for (while checking my email) etc. etc and start to build a profile on an IP address.

    Robert W. Anderson wrote @ August 31st, 2008 at 8:18 pm

Van, thanks for the comment. Last I checked, OpenDNS has done nothing to improve this situation. And of course, the more successful they are the more this problem does happen. Pretty disingenuous.

The “gift of safe”? More like the “gift of pseudo-random”.

    Michael wrote @ July 9th, 2009 at 9:36 pm

I really don’t think they have any way around it. They can’t tell if someone has a dynamic IP period. They just have to hope that the people with dynamic IPs download their software that monitors it. Sure they can make it default to dynamic IP and send everyone to download the software, but the problem is still there. Perhaps if they require the software to be installed before their service can be used, that would mostly solve it. There still could be little gaps between when the user’s IP changes and when the monitoring software catches it and sends the info back to OpenDNS. That’s a tough one.

    Robert W. Anderson wrote @ August 12th, 2009 at 2:52 pm

I suggested a way around this in my post, actually. It doesn’t solve the technical problem, but does resolve the dubious user contract.

    Anonymous wrote @ August 27th, 2009 at 9:48 pm

I believe the most minimally intrusive method of solving this would be to implement what you suggest: dns serving groups. OpenDNS group A is for people that have an account and use all the crap they offer (crap in the good way). group B is for people like me, that don’t care about all the crap they offer and just want better DNS support. group B would be zero tracking whatsoever and any ip’s that show up in both group A and group B will automatically flushed from group A.

Easy. No need to install software or do anything different than anybody does now, except have to worry about 4 dns addresses instead of 2.

    Anonymous wrote @ August 27th, 2009 at 9:51 pm

BTW I’ve also had this “rare occurrence” happen to me on my university network, which does have a fixed number of assigned dynamic IPs available. True, in the scheme of the world, 2 people having the same IP and “contacting” each other thru OpenDNS is pretty slim, but in a tiny group such as an office or university with fixed numbers of rotating IP addresses, this can be a serious problem.

Your comment

HTML-Tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>