User hits a security-blocked domain => please send an admin alert email.

Comments

6 comments

  • cfec

    This would be an awesome addition.  I don't have time to monitor my dashboard every second of every day; however, I am tethered to my email account and a real-time alert like this will expedite my mitigation/remediation procedures.  Why has this not already been implemented?  Again, very good option for increased security notifications.

  • mattwilson9090

    It needs to be pointed out that OpenDNS knows nothing about pages that are visited, only DNS lookup requests it receives. If a domain is already cached in your local environment (such as a device's local cache, the DNS server on your router, or anything else) no traffic will ever reach OpenDNS (though it is likely that OpenDNS handled the initial lookup that placed that information in the cache in the first place). Also, DNS lookups do not necessarily have anything to do with what someone is actively doing on their computer. A lookup could be initiated because an ad on a webpage that someone is visiting needed it (such as an image, script, etc.).

    Nor does all of this happen in the browser where the user can see it. An ad (on a webpage, or as part of a free app) could attempt to load a script from a domain that gets blocked and it may never display anything in the ad.

    I don't see this or any other automated alerting feature (as were linked to in the OP) being added to the free home product, since it's intended as a basic product. Various kinds of reporting are available in different paid products though.

    I doubt real-time alerting will be added to many, if any, products since real-time alerting is a bit pointless for a DNS system like this. Once the blocked lookup is made, traffic to that domain has been blocked, and even if something continually tries to access that domain OpenDNS will have no idea about it since the cached information will continue to be used, not a fresh lookup at OpenDNS. It's just a block to a domain that has been blocked for "security" reasons, it's not an indicator of ongoing network activity, and there is no real way to tell (from DNS data) if it's just an attempt to load a webpage or part of an APT attempting to compromise your entire network. The information you receive is very minimal and very sketchy, and generally full of false flags and red herrings. This information generally only can tell you something with the passage of time and as patterns emerge.

  • chad2014

    I would definitely like to have this feature also.  But I have something to add to this suggestion: There should be some threshold where blocked hits get tallied and a summary email sent at the end of the day.  Without this, some of us could sometimes get dozens of blockage notifications a day.

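The tally-and-daily-summary idea from chad2014's comment can be sketched as follows. This is an added example, not part of the thread and not OpenDNS code; the CSV layout, category labels, addresses and the function names `tally_blocked` and `build_digest` are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from email.message import EmailMessage

# Constructed sample data. The column layout and category labels are
# assumptions for this example, not an actual OpenDNS export format.
SAMPLE_LOG = """\
timestamp,client,domain,category,action
2024-05-01T08:02:11,192.0.2.10,tracker.example.net,Adware,blocked
2024-05-01T08:15:40,192.0.2.10,bad-login.example.org,Phishing,blocked
2024-05-01T09:01:03,192.0.2.23,c2.example.com,Botnet,blocked
2024-05-01T09:31:03,192.0.2.23,c2.example.com,Botnet,blocked
2024-05-01T10:01:04,192.0.2.23,c2.example.com,Botnet,blocked
2024-05-01T11:20:00,192.0.2.10,news.example.com,News,allowed
"""
SECURITY_CATEGORIES = {"Malware", "Phishing", "Botnet"}


def tally_blocked(log_text):
    """Count blocked security-category lookups per (client, domain)."""
    tally = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] == "blocked" and row["category"] in SECURITY_CATEGORIES:
            tally[(row["client"], row["domain"])] += 1
    return tally


def build_digest(tally, threshold, sender, recipient):
    """Return one summary EmailMessage for the day, or None if nothing was blocked."""
    if not tally:
        return None
    repeated = [(k, n) for k, n in tally.most_common() if n >= threshold]
    single = [(k, n) for k, n in tally.most_common() if n < threshold]
    lines = [f"{sum(tally.values())} blocked security lookups today.", ""]
    lines.append(f"Repeated (>= {threshold} lookups; cached answers mean real attempts may be higher):")
    lines += [f"  {client} -> {domain}: {n}" for (client, domain), n in repeated] or ["  none"]
    lines.append("Below threshold:")
    lines += [f"  {client} -> {domain}: {n}" for (client, domain), n in single] or ["  none"]
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"Daily blocked-domain digest: {len(repeated)} repeated, {len(single)} other"
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    digest = build_digest(tally_blocked(SAMPLE_LOG), 3, "dns@example.com", "admin@example.com")
    print(digest)  # hand to smtplib.SMTP(...).send_message(digest) to deliver
```
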
  • cdsdave

    In the age of Crypto* this really needs to happen. It's too often not blocked, or blocked eventually, BUT reaction time is paramount to success.

  • airneil

    Regardless of whether OpenDNS knows anything about the Domain Name, we have implemented this tool with the idea that there is value in not going to certain sites. If my users are hitting these sites, then I want to know because it's usually an indicator of what could be a very large problem. 

    Being proactive is high on most everyone's list. 

  • g.smith

    Agree. 

    We used this with CWS and it was great.

    Shame this isn't available on OpenDNS.  CWS is/was better.
