User hits a security-blocked domain => please send an admin alert email.

Comments

11 comments

  • cfec

    This would be an awesome addition.  I don't have time to monitor my dashboard every second of every day; however, I am tethered to my email account and a real-time alert like this will expedite my mitigation/remediation procedures.  Why has this not already been implemented?  Again, very good option for increased security notifications.

  • mattwilson9090

    It needs to be pointed out that OpenDNS knows nothing about pages that are visited, only DNS lookup requests it receives. If a domain is already cached in your local environment (such as a device's local cache, the DNS server on your router, or anything else) no traffic will ever reach OpenDNS (though it is likely that OpenDNS handled the initial lookup that placed that information in the cache in the first place). Also DNS lookups do not necessarily have anything to do with what someone is actively doing on their computer. A lookup could be initiated because an ad on a webpage that someone is visiting needed it (such as an image, script, etc.).

    Nor does all of this happen in the browser where the user can see it. An ad (on a webpage, or as part of a free app) could attempt to load a script from a domain that gets blocked and it may never display anything in the ad.

    I don't see this or any other automated alerting feature (as were linked to in the OP) being added to the free home product, since it's intended as a basic product. Various kinds of reporting are available in different paid products though.

    I doubt real time alerting will be added to many, if any products since real-time alerting is a bit pointless for a DNS system like this. Once the blocked lookup is made traffic to that domain has been blocked, and even if something continually tries to access that domain OpenDNS will have no idea about it since the cached information will continue to be used, not a fresh lookup at OpenDNS. It's just a block to a domain that has been blocked for "security" reasons, it's not an indicator of ongoing network activity, and there is no real way to tell (from DNS data) if it's just an attempt to load a webpage or part of an ATP attempting to compromise your entire network. The information you receive is very minimal and very sketchy, and generally full of false flags and red herrings. This information generally only can tell you something with the passage of time and as patterns emerge.

  • chad2014

    I would definitely like to have this feature also.  But I have something to add to this suggestion: There should be some threshold where blocked hits get tallied and a summary email sent at the end of the day.  Without this, some of us could sometimes get dozens of blockage notifications a day.
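
Added example, not part of the thread and not OpenDNS or Umbrella code: the threshold-and-summary behaviour proposed in the comment above, with the caching caveat raised earlier in the thread carried into the digest text. The log row format, the source labels, the `.example` domains and the `immediate_limit` parameter are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows: timestamp, source label, blocked domain, category.
SAMPLE_LOG = """\
2024-05-01T08:02:11 kids-tablet phish-login.example Phishing
2024-05-01T09:15:40 office-pc botnet-cc.example Malware
2024-05-01T09:20:03 office-pc tracker1.example Malware
2024-05-01T09:20:04 office-pc tracker2.example Malware
2024-05-01T21:47:30 kids-tablet PHISH-LOGIN.example. Phishing
2024-05-02T07:01:00 kids-tablet phish-login.example Phishing
truncated row
"""

def parse(log):
    """Yield (datetime, source, domain, category); skip malformed rows."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        # Normalise case and the trailing root dot so repeats match.
        yield when, parts[1], parts[2].lower().rstrip("."), parts[3]

def triage(events, immediate_limit=3):
    """Return (immediate alerts, per-day digest tallies)."""
    seen, sent, immediate = set(), Counter(), []
    digest = defaultdict(Counter)
    for when, source, domain, category in sorted(events):
        day = when.date().isoformat()
        digest[day][(source, domain, category)] += 1  # every hit is tallied
        if (day, source, domain) in seen:
            continue  # repeat of something already seen today: digest only
        seen.add((day, source, domain))
        if sent[day] < immediate_limit:  # cap on immediate mails per day
            sent[day] += 1
            immediate.append((when.isoformat(), source, domain, category))
    return immediate, {day: dict(c) for day, c in digest.items()}

def render_digest(day, tallies):
    """Plain-text body for the end-of-day summary mail."""
    out = [f"Blocked lookups on {day} (resolver-side counts; retries",
           "answered from a local cache are not included):"]
    for (source, domain, category), n in sorted(
            tallies.items(), key=lambda kv: (-kv[1], kv[0])):
        out.append(f"  {n:>3}  {source}  {domain}  [{category}]")
    return "\n".join(out)
```

With the sample rows and a limit of 3, the fourth distinct domain on 1 May is held back for the summary, and the cap resets on the next day.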

  • cdsdave

    In the age of Crypto* this really needs to happen. It's too often not blocked, or blocked eventually, BUT reaction time is paramount to success.

  • airneil

    Regardless of whether OpenDNS knows anything about the Domain Name, we have implemented this tool with the idea that there is value in not going to certain sites. If my users are hitting these sites, then I want to know because it's usually an indicator of what could be a very large problem. 

    Being proactive is high on most everyone's list. 

  • g.smith

    Agree. 

    We used this with CWS and it was great.

    Shame this isn't available on OpenDNS.  CWS is/was better.

  • lodestonedns

    I agree with the initial request by 'dumbdude' and the feature requested by 'chad2014'.

    As a domestic user who is choosing to pay for the VIP product to assist with protecting my children, a rapid communication like this will assist me with appropriate responses to curious kids.

    Finding out about a blocked domain many hours or days later is not very helpful. I would prefer to know immediately via email and if, as 'chad2014' describes, I was experiencing many many blocked domains, then I would prefer an email sent at the end of the day (or a defined number of days, like a week etc) with a summary of blocked domains.

    Given the age of this post I am wondering what chance of progress there is?

    Thanks

     

  • rotblitz (Edited)

    @lodestonedns

    This feature request is/was for the Umbrella service only.  Did you mean this as well, or another service?

    Btw, a daily report email is available with Umbrella, not an immediate email alert.

    Given that this is implemented for Umbrella, it will most likely not be implemented for any kind of home service.

  • lodestonedns

    Sorry, the following is a bit long:

    My demographic is "a father implementing some internet controls for my family of young children".

    I started with OpenDNS, selected 'consumer' and considered the 4 options fairly clearly described here:

    https://www.opendns.com/home-internet-security/

    So I noted that 'OpenDNS Home VIP' was a good yearly price and had the year of stats and an allow-list mode in case something was being blocked which I really needed access to, instead of explaining why the domain should not be blocked, I could take control and add it to the allow-list.

    Sounded perfect for me, I signed up, and I've been using the service for a week and am happy with the price point, the simplicity and the ability to select the groups which concern me and I can look at the logs - particularly the logs of 'blocked domains'.

    However, I realised this afternoon that I had no time stamps anywhere in the logs. I can 'bodge' a date search function by searching on individual dates, but it would be slow and tedious to do it over a large time period. Also a day is too long a time period, I need to know when it happened down to the minute.

    So 'googled' my issue, found this post and thought I would add my 'plus-vote' to it.

    Since then I have tried to find what the 'next product up the chain' is - probably the Small Business version of the Enterprise range of solutions?

    So to answer your 3 questions/statements:

    1 - I suppose I meant the comment to be for my service 'OpenDNS Home VIP', but in reality I didn't understand the branding well enough to clearly differentiate between the Umbrella service or the OpenDNS service (I realise now it boils down to consumer & enterprise)

    2 - Thanks for letting me know about the daily report email in Umbrella, it is a start, but if it costs much more than what I'm paying then I'm not sure an end of day email is enough.

    3 - Yes I can appreciate the idea around: 'implemented for enterprise means not likely for the consumer'

    I spent some time reading much of this thread, but I don't feel the next step is clear.

    If you could clarify it would be great.

    The next two products 'up the ladder' I can identify are:

    Consumer - OpenDNS Umbrella Prosumer

    &

    Umbrella’s DNS-layer security - DNS Security Essentials

    My key question is: (drum roll) which of these provide time stamps on the logs and an email alert (I suppose a daily email is ok)?

    ...and what is the cost for one network just like I've set up for 'OpenDNS Home VIP'?

    Thanks

     

  • rotblitz (Edited)

    You should know that for the home/consumer services there are nearly no security related blocks.  These are:

    • Phishing domains (by default and if not disabled at the dashboard).
    • Malware/botnet - "At this time, this feature blocks the Conficker virus and the Internet Explorer Zero Day Exploit" - nothing else.
    • Domains with private IP addresses assigned.

    I'm not sure if you really want emails for these events, because you may not face these at all, so you wouldn't get any emails.  (Emails are not supported anyway yet for OpenDNS Home VIP.)

    The following services come with date/time stamp in the activity report for every DNS lookup:

    • Premium DNS, now called DNS Monitoring.  This is free, but you cannot block anything with it.  You just see the enhanced logs at the Umbrella dashboard.  And I am not aware of email reports.
    • Umbrella, any variation of this paid enterprise service.  And you can block domains as you want.  And there is an optional daily email report.

    The service Prosumer is for you only if you want to cover roaming Windows or Mac laptops.  It does not have network coverage, so probably isn't what you want.  You have to install a client software on the computers which you want to protect.

    A simple Umbrella package cost $380/year for 10 users (minimum) when it could still be ordered on the website.  Now you would have to contact Sales to obtain an offer.
    https://umbrella.cisco.com/products/umbrella-enterprise-security-packages

    I'm not sure what your next step should be.  Maybe contact Sales?  Or raising a separate email idea for the OpenDNS Home VIP service?

  • ricardo_hidalgo

    Hello there, do you know how to change the receiving user for these mails? Because in my organization only one user receives this email but is not an administrator of this solution, although has the full admin role.
