User hits a security-blocked domain => please send an admin alert email.
My request: A user hits a page/domain that's blocked, for security (malware, botnet, and other security reasons), and an administrative alert email is immediately fired off to the Umbrella admin account or another designated user in the account.
I can see how this might be overwhelming for a large organization using Umbrella, but for small organizations, or for Prosumer customers like myself who are the end-user themselves, this might be very helpful.
Yes, I realize this info appears in the Security report within the Dashboard -- I already review that periodically. But more immediate awareness of such activity, such as via email, would be enlightening and helpful.
And yes, as the end-user myself, I should see the block page myself in my browser, and that should be enough. But I'm also considering the blocking activity as it may happen by malware/botnet already on my computer, or ads/widgets within my browser, or installed desktop applications -- situations where a block page won't appear to the end-user.
And if this functionality were to be developed, it might also be good for content/category blocks as well, but I'm mostly concerned with the Security categories.
My request seems to differ somewhat from these:
https://support.opendns.com/entries/21889695-Email-alert-of-malware-botnet-activity
https://support.opendns.com/entries/21926700-Email-Daily-Report-of-Blocked-Domains
https://support.opendns.com/entries/22339569-Send-me-an-email-when-blocked-sites-is-higher-than-normal-
Thanks.
-
This would be an awesome addition. I don't have time to monitor my dashboard every second of every day; however, I am tethered to my email account and a real-time alert like this will expedite my mitigation/remediation procedures. Why has this not already been implemented? Again, very good option for increased security notifications.
-
It needs to be pointed out that OpenDNS knows nothing about pages that are visited, only DNS lookup requests it receives. If a domain is already cached in your local environment (such as a device's local cache, the DNS server on your router, or anything else), no traffic will ever reach OpenDNS (though it is likely that OpenDNS handled the initial lookup that placed that information in the cache in the first place). Also, DNS lookups do not necessarily have anything to do with what someone is actively doing on their computer. A lookup could be initiated because an ad on a webpage that someone is visiting needed it (such as an image, script, etc.).
Nor does all of this happen in the browser where the user can see it. An ad (on a webpage, or as part of a free app) could attempt to load a script from a domain that gets blocked, and it may never display anything in the ad.
I don't see this or any other automated alerting feature (as were linked to in the OP) being added to the free home product, since it's intended as a basic product. Various kinds of reporting are available in different paid products, though.
I doubt real-time alerting will be added to many, if any, products, since real-time alerting is a bit pointless for a DNS system like this. Once the blocked lookup is made, traffic to that domain has been blocked, and even if something continually tries to access that domain, OpenDNS will have no idea about it, since the cached information will continue to be used, not a fresh lookup at OpenDNS. It's just a block to a domain that has been blocked for "security" reasons; it's not an indicator of ongoing network activity, and there is no real way to tell (from DNS data) if it's just an attempt to load a webpage or part of an APT attempting to compromise your entire network. The information you receive is very minimal and very sketchy, and generally full of false flags and red herrings. This information generally only can tell you something with the passage of time and as patterns emerge.
-
I would definitely like to have this feature also. But I have something to add to this suggestion: There should be some threshold where blocked hits get tallied and a summary email sent at the end of the day. Without this, some of us could sometimes get dozens of blockage notifications a day.
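The tally-and-digest idea above, as an added example that is not OpenDNS/Umbrella code: it groups security-category blocks per day, applies a threshold before a digest is produced, and reports distinct domain/client pairs rather than raw counts, since resolver and device caching means repeated hits never reach the resolver. The log line format and category names are constructed assumptions; a real export would need its own parser.

```python
"""Daily digest of security-category DNS blocks with an alert threshold."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: timestamp, client, domain, action, category.
# This format and these category names are assumptions, not a product export.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 192.168.1.10 ads.example.net blocked Advertising
2024-05-01T08:00:02Z 192.168.1.10 bad.example.com blocked Malware
2024-05-01T09:15:00Z 192.168.1.11 bad.example.com blocked Malware
2024-05-01T10:20:30Z 192.168.1.12 c2.example.org blocked Botnet
2024-05-01T11:00:00Z 192.168.1.10 news.example.com allowed News
2024-05-02T07:30:00Z 192.168.1.10 bad.example.com blocked Malware
"""

# Assumed names for the security categories the OP is concerned with;
# content categories such as "Advertising" are deliberately excluded.
SECURITY_CATEGORIES = {"Malware", "Botnet", "Phishing"}


def parse(log):
    """Yield (timestamp, client, domain, action, category) per log line."""
    for line in log.splitlines():
        ts, client, domain, action, category = line.split()
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               client, domain, action, category)


def daily_security_blocks(log):
    """Return {day: Counter({(domain, client): hits})} for security blocks."""
    days = defaultdict(Counter)
    for ts, client, domain, action, category in parse(log):
        if action == "blocked" and category in SECURITY_CATEGORIES:
            days[ts.date().isoformat()][(domain, client)] += 1
    return days


def build_digests(log, threshold=1):
    """One digest per day whose security-block total reaches the threshold.

    Distinct (domain, client) pairs are listed because cached answers make
    raw hit counts an undercount of what a device actually attempted."""
    digests = {}
    for day, hits in sorted(daily_security_blocks(log).items()):
        total = sum(hits.values())
        if total >= threshold:
            digests[day] = {"total": total, "pairs": sorted(hits)}
    return digests
```

The returned digest is the payload an end-of-day mail would carry; wiring it to an SMTP call is the only step left out.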
-
Regardless of whether OpenDNS knows anything about the Domain Name, we have implemented this tool with the idea that there is value in not going to certain sites. If my users are hitting these sites, then I want to know because it's usually an indicator of what could be a very large problem.
Being proactive is high on most everyone's list.