User hits a security-blocked domain => please send an admin alert email.
My request: A user hits a page/domain that's blocked, for security (malware, botnet, and other security reasons), and an administrative alert email is immediately fired off to the Umbrella admin account or another designated user in the account.
I can see how this might be overwhelming for a large organization using Umbrella, but for small organizations, or for Prosumer customers like myself who are the end-user themselves, this might be very helpful.
Yes, I realize this info appears in the Security report within the Dashboard -- I already review that periodically. But more immediate awareness of such activity, such as via email, would be enlightening and helpful.
And yes, as the end-user myself, I should see the block page myself in my browser, and that should be enough. But I'm also considering the blocking activity as it may happen by malware/botnet already on my computer, or ads/widgets within my browser, or installed dekstop applications -- situations where a block page won't appear to the end-user.
And if this functionality were to be developed, it might also be good for content/category blocks as well, but I'm mostly concerned with the Security categories.
My request seems to differ somewhat from these:
https://support.opendns.com/entries/21889695-Email-alert-of-malware-botnet-activity
https://support.opendns.com/entries/21926700-Email-Daily-Report-of-Blocked-Domains
https://support.opendns.com/entries/22339569-Send-me-an-email-when-blocked-sites-is-higher-than-normal-
Thanks.
-
This would be an awesome addition. I don't have time to monitor my dashboard every second of every day; however, I am tethered to my email account and a real-time alert like this will expedite my mitigation/remediation procedures. Why has this not already been implemented? Again, very good option for increased security notifications.
-
It needs to be pointed out that OpenDNS knows nothing about pages that are visited, only DNS lookup requests it receives. If a domain is already cached in your local environment (such as a device's local cache, the DNS server on your router, or anything else) no traffic will ever reach OpenDNS, though it is likely that OpenDNS handled the initial lookup that placed that information in the cache in the first place). Also DNS lookups do not necessarily have anything to do with what someone is actively doing on their computer. A lookup could be initiated because an ad on a webpage that someone is visiting needed it (such as an image, script, etc.)
Nor does all of this happen in the browser where the user can see it. An ad (on a webpage, or as part of a free app) could attempt to load a script from a domain that gets blocked and it may never display anything in the ad)
I don't see this or any other automated alerting feature (as were linked to in the OP) being added to the free home product, since it's intended as a basic product. Various kinds or reporting are available in different paid products though.
I doubt real time alerting will be added to many, if any products since real-time alerting is a bit pointless for a DNS system like this. Once the blocked lookup is made traffic to that domain has been blocked, and even if something continually tries to access that domain OpenDNS will have no idea about it since the cached information will continue to be used, not a fresh lookup at OpenDNS. It's just a block to a domain that has been blocked for "security" reasons, it's not an indicator of ongoing network activity, and there is no real way to tell (from DNS data) if it's just an attempt to load a webpage or part of an ATP attempting to compromise your entire network. The information you receive is very minimal and very sketchy, and generally full of flash flags and red herrings. This information generally only can tell you something with the passage of time and as patterns emerge.
-
I would definitely like to have this feature also. But I have something to add to this suggestion: There should be some threshold where blocked hits get tallied and a summary email sent at the end of the day. Without this, some of us could sometimes get dozens of blockage notifications a day.
-
Regardless of whether OpenDNS knows anything about the Domain Name, we have implemented this tool with the idea that there is value in not going to certain sites. If my users are hitting these sites, then I want to know because it's usually an indicator of what could be a very large problem.
Being proactive is high on most everyone's list.
-
I agree with the initial request by 'dumbdude' and the feature requested by 'chad2014'.
As a domestic user who is choosing to pay for the VIP product to assist with protecting my children, a rapid communication like this will assist me with appropriate responses to curious kids.
Finding out about a blocked domain many hours or days later is not very helpful. I would prefer to know immediately via email and if, as 'chad2014' describes, I was experiencing many many blocked domains, then I would prefer an email sent at the end of the day (or a defined number of days, like a week etc) with a summary of blocked domains.
Given the age of this post I am wondering what chance of progress there is?
Thanks
-
This feature request is/was for the Umbrella service only. Did you mean this as well, or another service?
Btw, a daily report email is available with Umbrella, not an immediate email alert.
Given that this is implemented for Umbrella, it will most likely not be implemented for any kind of home service.
-
Sorry, the following is a bit long:
My demographic is "a father implementing some internet controls for my family of young children".
I started with OpenDNS, selected 'consumer' and considered the 4 options fairly clearly described here:
https://www.opendns.com/home-internet-security/
So I noted that 'OpenDNS Home VIP' was a good yearly price and had the year of stats and an allow-list mode in case something was being blocked which I really needed access to, instead of explaining why the domain should not be blocked, I could take control and add it to the allow-list.
Sounded perfect for me, I signed up, and I've been using the service for a week and am happy with the price point, the simplicity and the ability to select the groups which concern me and I can look at the logs - particularly the logs of 'blocked domains'.
However, I realised this afternoon that I had no time stamps anywhere in the logs. I can 'bodge' a date search function by searching on individual dates, but it would be slow and tedious to do it over a large time period. Also a day is too long a time period, I need to know when it happened down to the minute.
So 'googled' my issue, found this post and thought I would add my 'plus-vote' to it.
Since then I have tried to find what the 'next product up the chain" is - probably the Small Business version of the Enterprise range of solutions?
So to answer your 3 questions/statements:
1 - I suppose I meant the comment to be for my service 'OpenDNS Home VIP', but in reality I didn't understand the branding well enough to clearly differentiate between the Umbrella service or the OpenDNS service (I realise now it boils down to consumer & enterprise)
2 - Thanks for letting me know about the daily report email in Umbrella, it is a start, but if it costs much more than what I'm paying then I'm not sure an end of day email is enough.
3 - Yes I can appreciate the idea around: 'implemented for enterprise means not likely for the consumer'
I spent some time reading much of this thread, but I don't feel the next step is clear.
If you could clarify it would be great.
The next two products 'up the ladder' I can identify are:
Consumer - OpenDNS Umbrella Prosumer
&
Umbrella’s DNS-layer security - DNS Security Essentials
My key question is: (drum roll) which of these provide time stamps on the logs and an email alert (I suppose a daily email is ok)?
...and what is the cost for one network just like I've set up for 'OpenDNS Home VIP'?
Thanks
-
You should know that for the home/consumer services there are nearly no security related blocks. These are:
- Phishing domains (by default and if not disabled at the dashboard).
- Malware/botnet - "At this time, this feature blocks the Conficker virus and the Internet Explorer Zero Day Exploit" - nothing else.
- Domains with private IP addresses assigned.
I'm not sure if you really want emails for these events, because you may not face these at all, so you wouldn't get any emails. (Emails are not supported anyway yet for OpenDNS Home VIP.)
The following services come with date/time stamp in the activity report for every DNS lookup:
- Premium DNS, now called DNS Monitoring. This is free, but you cannot block anything with it. You just see the enhanced logs at the Umbrella dashboard. And I am not aware of email reports.
- Umbrella, any variation of this paid enterprise service. And you can block domains as you want. And there is an optional daily email report.
The service Prosumer is for you only if you want to cover roaming Windows or Mac laptops. It does not have network coverage, so probably isn't what you want. You have to install a client software on the computers which you want to protect.
A simple Umbrella package costed $380/year for 10 users (minimum) when it could be ordered still on the website. Now you would have to contact Sales to obtain an offer.
https://umbrella.cisco.com/products/umbrella-enterprise-security-packagesI'm not sure what your next step should be. Maybe contact Sales? Or raising a separate email idea for the OpenDNS Home VIP service?
Please sign in to leave a comment.
Comments
11 comments