The blogged wandering of Robert W. Anderson
OpenDNS is a cool service. I use it. It basically provides two kinds of services:
- Better DNS Servers: to get this service, you just switch your DNS settings to their servers.
- Extended services: various typo-correction features, domain shortcuts, domain blocking and anti-phishing, and domain usage tracking. To get these services, you create an OpenDNS account.
I use their servers, and while I do have an OpenDNS account, I don’t use any of the extended services.
At least, I don’t intentionally use them.
The problem is that the services are applied based on the IP source address used in DNS queries. IP addresses change. IP addresses are not secure. For most people they are dynamic.
This impacts the reliability of the service . . .
- For example, User A defines OpenDNS extended services associated with their IP address.
- IP address changes.
- User A either doesn’t have the services they are relying on, or gets services they never signed up for.
. . . and has privacy implications . . .
- User A changes their DNS settings, signs up for the additional services, and starts tracking domain queries.
- User B never signs up, but just changes their DNS settings to the OpenDNS servers.
- At some point (before or after A signs up), B gets A’s old IP address.
- A is tracking B’s queries.
Unlikely? Maybe. Possible to exploit? Definitely. Expected by users? I doubt it. In fact, User B probably didn’t think this was possible.
This is such an obvious issue that I went looking on the OpenDNS site for answers. I expected a big warning like this:
Warning: Using OpenDNS with dynamic IPs is an advanced use case. To use OpenDNS with dynamic IPs, you must sign up for an OpenDNS account and reliably update us with your IP address when it changes. If you do not, other users may track your DNS queries and extended services may get applied even though you did not sign up for them.
Expecting I must just be missing something, I posted on the community, and got an unconvincing . . .
not a major issue…and we won’t let it become one
Sounds like stonewalling to me.
So, why do I care? User contracts 101 says if you don’t like the service, don’t use it. OK. I might just quit the service. That is fine.
But, the user contract of “just use our DNS servers and everything is better” does not include these major caveats. I think it is misleading.
What do I think they should do about this? I dunno, but here is an idea:
- Split their DNS servers into 2 (Primary / Secondary) pairs. This eliminates the problem for the users who use the OpenDNS servers without signing up for an account.
  - First pair doesn’t enable any extended services (except for the OpenDNS Guide).
  - Second pair is required for the extended services. This pair is provided to users only after sign-up.
- Promote a warning like the one I give above.
These solutions don’t make the problem go away, but they make sure users are informed about what is actually going on. And they make for a sensible user contract.
Tags: DNS, Dynamic IPs, Exploits, OpenDNS, User Contracts
Robert, sorry you felt like I was stonewalling.
Here’s the situation:
1. It can happen as you describe.
2. It has not happened very often.
3. As OpenDNS grows, we can expect it to happen more often IF we don’t do anything. So… we’re doing several things.
I don’t like to talk about stuff we haven’t delivered yet (anti-vaporware), but here’s an example of one of those steps.
Many of the dynamic IP pools have been flagged as such in various ways. When you add a dynamic IP as an OpenDNS network, we’ll recognize that and give you next steps accordingly (checking the box for dynamic by default, leading you to the software downloads required, etc.).
You’re talking about a rare problem now, which we’re aware of, and which we’ll address before it becomes a real issue instead of a “what if” situation.
I’m glad you’re using our service, and I hope you’ll continue. And the feedback is helpful, even if we disagree about the scope of the problem.
Thanks for your comment.
I do wonder when you say “not happened very often”. Is this statement based on user complaints (which we would expect to be minimal) or internal data that show that different accounts have rarely shared IP addresses? Either way, this doesn’t begin to deal with the issue of the user who just uses your servers nor how visible you make this issue to prospective users.
Knowing when IPs are dynamic can mitigate this issue, but without a warning like the one I proposed, I don’t think you are being clear enough to your users. Even with a warning, the user who just uses your servers is counting on your extended services users to update IPs correctly. This is why I suggested the two server pairs.
Statistics being off by default is neither here nor there, it only reduces the likelihood that it doesn’t happen. That doesn’t make the service more secure or “private”.
wrote @ August 31st, 2008 at 4:13 pm
I’m glad that I’m not the only person who is concerned about this. I first looked to OpenDNS as a way to use a more reliable DNS service since my ISP DNS servers are always going down. When I tried to register my IP address I got the message “Network already registered” which means that someone already registered this dynamic IP address even though I am the one that owns it now. It immediately got me thinking “So someone is possibly tracking me?”.
My concern is over privacy in that if someone else tracks the stats, they can easily begin to see what sites I am visiting and build a profile on my IP address and identity. For example, they can see what bank I use, what company I work for (while checking my email) etc. etc and start to build a profile on an IP address.
Van, thanks for the comment. Last I checked, OpenDNS has done nothing to improve this situation. And of course, the more successful they are the more this problem does happen. Pretty disingenuous.
The “gift of safe”? More like the “gift of pseudo-random”.
wrote @ July 9th, 2009 at 9:36 pm
I really don’t think they have any way around it. They can’t tell if someone has a dynamic IP period. They just have to hope that the people with dynamic IPs download their software that monitors it. Sure they can make it default to dynamic IP and send everyone to download the software, but the problem is still there. Perhaps if they require the software to be installed before their service can be used, that would mostly solve it. There still could be little gaps between when the user’s IP changes and when the monitoring software catches it and sends the info back to OpenDNS. That’s a tough one.
I suggested a way around this in my post, actually. It doesn’t solve the technical problem, but does resolve the dubious user contract.
wrote @ August 27th, 2009 at 9:48 pm
I believe the most minimally intrusive method of solving this would be to implement what you suggest: DNS serving groups. OpenDNS group A is for people that have an account and use all the crap they offer (crap in the good way). Group B is for people like me, that don’t care about all the crap they offer and just want better DNS support. Group B would be zero tracking whatsoever and any IPs that show up in both group A and group B will automatically be flushed from group A.
Easy. No need to install software or do anything different than anybody does now, except have to worry about 4 dns addresses instead of 2.
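As an added example (not code from the post, the commenter, or OpenDNS), this Python model replays the misattribution the post describes and then the two-pair split proposed in the post and restated in the comment above, including the commenter’s rule that an IP seen on the open pair is flushed from the account pair; the account name, address and domains are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Network:
    """Per-account settings keyed by a source IP (a constructed model of an OpenDNS 'network')."""
    account: str
    blocked: set = field(default_factory=set)
    log: list = field(default_factory=list)   # domains seen from this IP while stats are on

class Resolver:
    """Applies settings by source IP only, as the post describes; no client identity is available."""
    def __init__(self, split_pairs=False):
        self.networks = {}            # src_ip -> Network
        self.split_pairs = split_pairs

    def register(self, ip, account, blocked=()):
        self.networks[ip] = Network(account, set(blocked))

    def query(self, src_ip, domain, pair="account"):
        """Return 'blocked' or 'resolved' for one query arriving on the given server pair."""
        if self.split_pairs and pair == "open":
            # Commenter's rule: an IP that shows up on the open pair is flushed from the account
            # pair, so a stale registration can no longer follow the address to its next holder.
            self.networks.pop(src_ip, None)
            return "resolved"
        net = self.networks.get(src_ip)
        if net is None:
            return "resolved"          # unregistered address: plain recursion, nothing logged
        net.log.append(domain)         # this is the tracking the post worries about
        return "blocked" if domain in net.blocked else "resolved"

def scenario(split_pairs):
    """Replay the post's sequence: A registers an IP, the lease moves to B, B keeps querying."""
    r = Resolver(split_pairs)
    ip = "203.0.113.10"                # constructed dynamic address, first leased to user A
    r.register(ip, "user_a", blocked={"casino.example"})
    r.query(ip, "news.example")        # A's own traffic while A holds the lease
    # The lease expires and the ISP hands the same address to B, who never signed up.
    # In the split design B was told to use only the open pair; today there is one pair.
    pair = "open" if split_pairs else "account"
    answers = [r.query(ip, d, pair) for d in ("bank.example", "casino.example")]
    net = r.networks.get(ip)
    leaked = [d for d in (net.log if net else []) if d != "news.example"]
    return answers, leaked             # what B experienced, and what A's stats page shows of B

if __name__ == "__main__":
    print("single pair:", scenario(False))   # A's block and A's logging applied to B
    print("split pairs:", scenario(True))    # B is resolved plainly and nothing of B is logged
```

Note that the flush rule only fires once the new holder actually queries the open pair; until then the stale registration still exists, which is the gap the original post says no warning can close.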
wrote @ August 27th, 2009 at 9:51 pm
BTW I’ve also had this “rare occurrence” happen to me on my university network, which does have a fixed number of assigned dynamic IPs available. True, in the scheme of the world, 2 people having the same IP and “contacting” each other thru OpenDNS is pretty slim, but in a tiny group such as an office or university with fixed numbers of rotating IP addresses, this can be a serious problem.
wrote @ June 16th, 2012 at 6:58 am
I’m a great fan of OpenDNS. I configure friends’ networks using this service and I’m very much happy about it. However, just a few moments ago, my horror happened before my face. I was struggling to fix it for 3 hours now, until I decided to turn off my router and have it rest for minutes, then restart it again.
My Horror. OpenDNS is stuck with a false (probably previous) IP address! No matter what I do, except the above, there’s just NO WAY for me to have OpenDNS re-scan my IP address! Boy, I felt so helpless! I feel like kicking the computer and the router altogether. hehehe. Glad I did not! haha.
Anyway, I feel like the solution for this matter is for the good team to have a button on the Network Settings page “permanently” placed. So if we ever get stuck with it, we will just have to ask OpenDNS to take a “second look” on our IP Address. Had this button been there permanently, my 3 hours of frustration would have been solved in 3 minutes or less.
My faith is NOT shaken! I will continue using your services… EVEN the extended ones!
Keep up the good work!
wrote @ June 16th, 2012 at 7:55 am
While I’m still at it, I think it would also be a great idea for OpenDNS update client programs and what-have-you routines to send a sign-off command to OpenDNS when shutting down client computers. I think this is do-able.
However, in cases where a router is configured, I think OpenDNS should consider the “network” offline based on a certain time delay since the last transaction. I believe it is called TTL, based on how long my IP address is maintained by dynamic dns servers online. This can be very tricky, though.
The next question is… how long before OpenDNS queries the domain name to see if the same IP address is still alive? Or, does it rely on the same TTL given by the dynamic DNS providers? If so, that will make it automatic. In my experience, IP addresses get stuck until OpenDNS detects an IP address change, sometimes via logging in.
The next problem is when an IP address gets reused within the remaining seconds left on the TTL. Our ISP seems to have a very slow system in monitoring and changing this value. Sometimes, I have already turned off my computer for hours (sometimes for a whole day!), and still have the same IP address when I turn it back on, even during peak and non-peak Internet use. Since IP addresses can be spoofed intentionally, but not easily – without the ISP’s support since conflict is bound to arise, I think OpenDNS can be fooled into believing that the same computer/network is still active when in fact it is no longer.
One way to resolve this is for routers to be given a secured key that they will use in transacting with OpenDNS. If that number changes, then OpenDNS can safely say, “this must be another network”. This will require a re-write of all router code out there.
Another way would be to change how the DNS protocol operates, including the MAC address of the host where the query originated. But since it does not, being a lightweight protocol, and for the security issues involved… there you go.
Thanks for your comments. I have never seen the “stuck” problem, or at least am not aware if it has happened to me.
In practice, I think the “sign off” solution would work for very few people because of multiple devices in the network. My guess is that some very large percentage of OpenDNS users have multiple devices.
The TTL for releasing a customer IP address may be what they do today, again I’ve never seen the “stuck” problem.
Unless they use a fairly short TTL, I don’t see a solution to the problem of applying the wrong OpenDNS settings to a user’s network (in the dynamic IP case) given the nature of the DNS protocol.