Whitelist of OpenDNS VIP: Increase the quota limit to 100+
I am aware it is a business decision, but the problem with the current limit of 50 domains is very simple and obvious:
To enable SSL certificate revocation checks (OCSP, CRL), you should allow about 30 TLDs of various certificate authorities (such as geotrust.com, globalsign.com, globalsign.net, comodoca.com, comodoca3.com, comodoca4.com etc.).
Then you will have to allow another 25 TLDs or so (for example windowsupdate.com, microsoft.com etc.), just to get updates for your router, computer, any smart devices or certain applications like browsers, or any other piece of software that needs to be updated from time to time.
That means if you want to follow common security practice, you will have to whitelist more than 50 TLDs just for all these background connections.
I would therefore suggest looking into the following options:
1) Establish "whitelist categories" together with a category like "software updates and security checks".
There is a similar idea here already
https://support.opendns.com/entries/41148354-WHITELIST-CATEGORIES
2) Offer a new package like "Super-VIP" for those customers who want more.
I certainly would spend more money if I could protect my whole home network with a whitelist of about 500-1000 TLDs.
3) For obvious reasons the current quota limit for VIP users should be raised to 100, so that customers can whitelist the few websites they need together with the background connections that their devices need.
To me personally OpenDNS VIP is a very valuable cloud service even without the whitelist feature, and I am happy with STATS and the other configuration options.
However, a "whitelist only"-mode that covers only 50 TLDs doesn't seem to make any sense these days.
-
"Establish "whitelist categories" together with a category like "software updates and security checks"."
From what I heard from staff some time ago, there is already a global whitelist of domains not being blocked when enabling the whitelist-only mode in VIP or Umbrella. So you can save these. Especially these software update domains and maybe also the SSL certificate revocation check domains may be included, I'm not sure. You may open a support ticket to explicitly ask for this information, or you can find out yourself by simply running a DNS lookup for the domains in question to see if the real IP address is being returned, not an OpenDNS IP address.
Btw, the Umbrella package comes with a much higher amount of whitelist and blacklist entries, could be "about 500-1000" domains (not TLDs, this is something different).
Given these facts, if you really still need more than 50 whitelist entries, open a support ticket. They may give you more. I'm confident that they are able to do so.
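The lookup check suggested in the reply above, as an added example that is not part of the original thread or any OpenDNS tooling: it resolves each candidate domain through the system resolver and flags answers that fall inside the block-page range. The range `192.0.2.0/24` is a constructed placeholder, and the function names are hypothetical; substitute the addresses your resolver returns for a domain you know is blocked.

```python
import ipaddress
import socket

# Constructed placeholder (TEST-NET-1). Replace with the addresses your
# filtered resolver returns for a domain you know is blocked.
BLOCK_PAGE_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def system_resolve(domain):
    """Resolve via the OS resolver, which must point at the filtered DNS."""
    try:
        infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses, block_nets=BLOCK_PAGE_NETS):
    """Return 'blocked', 'allowed', 'mixed' or 'no-answer' for one answer set."""
    if not addresses:
        return "no-answer"
    hits = [any(ipaddress.ip_address(a) in n for n in block_nets) for a in addresses]
    if all(hits):
        return "blocked"
    return "mixed" if any(hits) else "allowed"


def audit(domains, resolve=system_resolve, block_nets=BLOCK_PAGE_NETS):
    """Map each domain to its verdict; case, trailing dots and duplicates are normalised."""
    report = {}
    for raw in domains:
        domain = raw.strip().lower().rstrip(".")
        if domain and domain not in report:
            report[domain] = classify(resolve(domain), block_nets)
    return report


def blocked_domains(report):
    """Domains that got a block-page answer and so still need a whitelist slot."""
    return sorted(d for d, verdict in report.items() if verdict in ("blocked", "mixed"))


if __name__ == "__main__":
    # Domains named in the thread; run this while whitelist-only mode is on.
    for name, verdict in audit(["geotrust.com", "globalsign.com", "windowsupdate.com"]).items():
        print(f"{name}: {verdict}")
```

Domains reported as `allowed` while whitelist-only mode is active do not need one of the 50 personal whitelist entries.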
-
"What I heard from staff some time ago, there is already a global whitelist of domains not being blocked when enabling the whitelist-only mode in VIP or Umbrella. So you can save these."
We are using Umbrella in my company and according to the dashboard there were definitely some ocsp/crl domains reported as being blocked, when I tested the whitelist mode.
You have "inspired" me to open a ticket, but either way there is a problem.
(Btw, opendns.com is whitelisted by default and if that TLD is in your whitelist (txt file), you will get an error during upload.)
"Btw, the Umbrella package comes with a much higher amount of whitelist and blacklist entries"
Yes, Umbrella Insights offers 5000 entries and network protection, but I would have to purchase a minimum of 10 licenses, which is a little bit too steep for the average private household.
"Given these facts, if you really still need more than 50 whitelist entries, open a support ticket. "
I am convinced there is a problem, either with documentation/dashboard or that technically certain domains are blocked although they are relevant for security.
A support ticket can't fix this for all VIP users, though maybe only very few are using the whitelist mode these days.
-
I just have a simple family with 3 kids I use the VIP service for. Due to the wide variety of sites used by kids of 3 different age ranges, I have both my white and blacklists at 50 and I constantly have to delete one when we find a kid not getting homework done due to a new site they found. Bumping this up to 75 or 100 would be a big improvement. I've used the general categories as best as I can figure. Happy to provide my lists in case OpenDNS wants to analyze my usage or discuss.
Thanks for the consideration. Happy customer of many years....