Comments

12 comments

  • maintenance

    "Curious as to whether OpenDNS was engaged when this occurred"

    What does this mean? Engaged with what?

    Mind the fact that the authoritative NS was changed and this has nothing to do with recursive DNS servers, or a MITM between a user and server.

    "and how it affected data delivered to endpoints..."

    This is even less clear.  It seems similar to the wording in the Ars Technica article "(DNS) servers used to route Internet traffic", which is plain wrong. Routers route internet traffic. I know what the intent of that sentence fragment is, but it is completely technically wrong. (Again, authoritative NS is what is implied here as well.)

    I'm not sure you can rephrase your statement of curiosity so that it is clear or makes sense, but could you give it a try?

  • apluswebmaster

    @maintenance

    Calm down a bit, OK? Don't read so much into it - 'just a simple question. I've been an OpenDNS user for years and wouldn't have it any other way.

    I know OpenDNS has ways to block botnets and the like, and I'm not asking for specifics on how they do that, or how the "Umbrella" team does what they do. I simply asked if they were aware of it (maybe quicker than the rest of us are), and if they have the capability to lessen the impact of a DNS hijack.

    See? No subterfuge behind the question. 'Not asking for any secrets to be bared, or anything like that. Just a simple "Hello, how do you do, did you know what was happening at the time", or do they care about it, or can they do anything even when it's recognized.

    .

  • rotblitz

    "did you know what was happening at the time"

    Yes, described here: http://arstechnica.com/security/2013/10/hijacking-of-av-firms-websites-linked-to-hack-on-network-solutions/
    Ah, asking OpenDNS?  Not a good platform here!  You'll want to open a support ticket to get an official answer.  This forum rarely shows official statements of this kind, only for technical support and assistance with their services.  The http://blog.opendns.com/ site may also contain official statements.

    "do they care about it, or can they do anything even when it's recognized."

    Care about, certainly yes.  Do anything, most likely no.  They certainly also care about Syria, but can't do anything.  It's simply not their business.

  • apluswebmaster

    "... asking OpenDNS?  Not a good platform here!  You'll want to open a support ticket to get an official answer..."

    Not a good platform? 'Not looking for an "official" answer.

    'Just wanted to get some idea if OpenDNS is -aware- of DNS hijacks maybe before it's generally known, and if one of the moderators here would have some insight as to how it's handled, if at all. Simple question - 'not asking for "official" or complex answers.

    .

  • rotblitz

    Sure, fair enough.  Let's wait for the outcome.

  • apluswebmaster

    OK - no offense. I'll look for one of those guys with an orange "O" logo to respond.

    No rush on getting a straight answer...

    .

  • maintenance

    Lol mate I'm plenty calm.  I wasn't insinuating anything like subterfuge or looking for secrets. I meant only what I plainly said, which is that the "question", as put forward originally, simply does not make sense.  Which is why I asked you to rephrase it. And I tried to be clear on where it didn't make sense in a couple of places, and where the Ars Technica article was poorly worded and could have misled you.

    For example, what I said about the authoritative NS records being changed: How would anyone aside from the maintainer of those particular records know that they had been changed via some exploit or hack? Nothing automated (at least outside those systems) would detect this. Certainly, someone visiting the sites and being offered something which is clearly not the normal site content would know that *something* happened, but not necessarily what. A recursive DNS server will serve the IP in the authoritative records because it got a valid response when querying the NS.

    When something like this is recognized, OpenDNS will do something about it, just like the Conficker domain names for the day. But in this case the first response very likely would have been for the domain owners and/or Network Solutions to correct the records (and ask as many large recursive DNS operators to flush their caches, hopefully!).

    Good work on Network Solutions' part, though, with the password-reset vulnerability. You'd think they would have stayed ahead of the game with the sweet deal they got when the internet went public. (Regardless of who has owned the company since.)

  • apluswebmaster

    "... When something like this is recognized, OpenDNS will do something about it"

    OK then, to simplify, if that's the question then, what is that "something"?

    .

  • jedisct1

    What happened to Google, Avira, Eset, Redtube, Mazda, Twitter, Sprite, Skype, Rapid7 and more has little to do with the DNS protocol.

    Some registrars don't take security seriously. If they receive a fax saying "hey, please add evildude@example.com as a new technical contact for this domain" with a random fake signature, they will blindly do it. Some don't secure their infrastructure, allowing bad guys to access their database.

    You can run the most secure servers in the world, you remain dependent on the security of your registrar. When name servers are changed, your servers are still super secure, yet users are redirected elsewhere when typing your name, and there is nothing you can do, except wait for your registrar to revert the changes.

    What we do at OpenDNS is monitor popular domain names (which is very different from the Alexa list) to detect when one of their IPs resolves to a new ASN.

    It still requires some human validation before we decide to block an IP within an unexpected ASN. For example, ISPs are often hosting Google proxies, so Google domains can actually resolve to IPs not in Google ASNs. Also, if a name server hijacker redirects a popular domain to an IP which is not his "yay, we defaced this site, we are 3l33t" page, but to an IP hosting benign services, we don't want to block it.

    Still, we saw all these name server hijacks pretty much before everybody else, and we quickly blocked the related IPs, including the bad name servers' IPs.

    And we are also currently rewriting parts of our system (replacing Hadoop jobs with realtime feeds) in order to be able to react even faster, see http://bit.ly/GAPeKU

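An added example, not OpenDNS code, of the check jedisct1 describes above: a monitored domain whose resolved IP lands in an ASN never seen for it is queued for human review rather than blocked outright, and ASNs a reviewer has cleared (the ISP-hosted proxy case) are tolerated. The prefix-to-ASN table, the domain and the addresses are constructed.

```python
"""Added example, not OpenDNS code: flag a popular domain whose resolved IP
moves to an ASN never seen for it, queuing it for human review rather than
blocking outright. Prefix table, domains and addresses are constructed."""
import ipaddress

# Constructed prefix -> ASN table; a real deployment uses a BGP/RIR feed.
PREFIX_TO_ASN = {
    "198.51.100.0/24": 64500,  # hosting ASN in example.test's baseline
    "203.0.113.0/24": 64501,   # ISP ASN hosting proxy caches a human cleared
    "192.0.2.0/24": 64502,     # ASN never seen for any monitored domain
}
_NETS = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()]

# Per-domain profile: ASNs seen historically, and ASNs a reviewer tolerated.
PROFILES = {"example.test": {"baseline": {64500}, "tolerated": {64501}}}

# Constructed observations: normal, cleared ISP proxy, hijack-like move.
OBSERVATIONS = [("example.test", "198.51.100.7"),
                ("example.test", "203.0.113.5"),
                ("example.test", "192.0.2.9")]

def ip_to_asn(ip: str):
    """Longest-prefix match against the constructed table; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, asn) for n, asn in _NETS if addr in n]
    return max(hits)[1] if hits else None

def classify(profile: dict, ip: str) -> str:
    """Verdict for one resolved IP of a monitored domain."""
    asn = ip_to_asn(ip)
    if asn is None:
        return "unknown-asn"   # no routing data: surface it, do not judge
    if asn in profile["baseline"]:
        return "ok"
    if asn in profile["tolerated"]:
        return "tolerated"     # e.g. ISP-hosted proxy cleared by a human
    return "review"            # new ASN: blocking candidate, human decides

def scan(profiles: dict, observations) -> dict:
    """Map each domain to its [(ip, verdict), ...] list."""
    out: dict = {}
    for domain, ip in observations:
        out.setdefault(domain, []).append((ip, classify(profiles[domain], ip)))
    return out

def review_queue(results: dict) -> list:
    """Domains with at least one never-seen ASN, for the analyst to check."""
    return sorted(d for d, hits in results.items()
                  if any(v == "review" for _, v in hits))
```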
  • maintenance

    I didn't even want to guess that OpenDNS might be watching that sort of activity, but you do! Of course, it makes sense to keep monitoring to a manageable set of popular domain names, but I'm still impressed.  Especially since you caught it early. I know you do a lot of research and investigation, but the full picture of exactly what (and I'm sure it changes) I do not know.  Right on, OpenDNS.

    I should be reading the blogs more. They have a lot more content than they used to, and I've been slacking. (Well, I never really got into the habit of looking at Umbrella after the redesigns, TBH. Fie on me.)

  • apluswebmaster

    "Some registrars don't take security seriously... we saw all these name server hijacks pretty much before everybody else, and we quickly blocked the related IPs, including the bad name servers' IPs..."

    THAT'S what I'm talkin' about. Now that's the answer I was looking for. Thank you!

    .
