OpenDNS Netgear router MASSIVE VULNERABILITY DETECTED
My main network has a Draytek router port 53 locked down with OpenDNS. I thought this makes things very secure, and prevent other DNS services from being used on connected devices. I thought there was nothing that could break this (other than dodgy use via Tor)
However I was wrong, because I have discovered that ANOTHER OPENDNS PRODUCT HELPS TO TO BREAK THIS WITH EASE.
if you take a netgear router and connect it to the main network then you are able to configure the filter on the 2nd router to override the main network. You can do this by creating another OpenDNS account and set the filter category to 'none' and nothing will be blocked on the sub-network. Similarly you can switch the filter off on the Network Map of the genie app.
I believe that this is a major vulnerability that destroys the whole OpenDNS concept.
A kid could take a cheap Netgear DSL router and connect and thereby bypass the existing filter. The existing filter should not be ignored and a secondary filter on the same IP should honor existing settings. I hope OpenDNS can close this loophole soon.
-
You are wrong in different ways. There is no "OpenDNS Netgear router" in the world. OpenDNS do not produce or sell Netgear routers, but Netgear do. There is just a collaboration in the way that Netgear's Live Parental Controls use the OpenDNS service in a special way.
"ANOTHER OPENDNS PRODUCT"
What other OpenDNS product are you talking about? They just provide a recursive DNS service, no "products".
"if you take a netgear router and connect it to the main network then you are able to configure the filter on the 2nd router to override the main network. You can do this by creating another OpenDNS account and set the filter category to 'none' and nothing will be blocked on the sub-network."
Did you test this out? Does it really work? That would be a feature, not a vulnerability! Because this way you could easily achieve different filtering for different user groups.
"I believe that this is a major vulnerability"
The term vulnerability is clearly wrong here. Vulnerability is something which allows unauthorized people to do things they should not be able to do. A legitimate user within a network using the available features is not an attacker and the fact is not a vulnerability.
"A kid could take a cheap Netgear DSL router and connect and thereby bypass the existing filter."
This sounds like someone lost control over their children and now expects that Netgear (not OpenDNS!) takes control back on their behalf...
Also, why should a kid take such efforts, easy to be seen by parents? They simply go with the device where they have internet access via free WiFi or mobile network to get out of any restrictions. You had to make your home a prison to prevent from happening this. -
rotblitz, I really don't need to respond to some of your nitpicking.
The facts are clear.
Any school / office / home that relies on OpenDNS can easily be bypassed by using a service from the OpenDNS toolkit.
Someone can bring along their own router, plug it in, and set it to be without any filter. I assume that they could even do this when connecting via Wifi, by using it in bridge mode.
I tried this with a Netgear DSL router acquired for about $20. It didn't help that the main router was locked down the port 53, it was internally overridden at OpenDNS.
The only away around this is if you use strict binding on the main router to stop unauthorized devices from connecting to the network, but that can majorly restrictive in most scenarios.
Whilst I agree that it can sometimes be advantageous to deploy different schemes, it really is a major hole for filtering. There should at least be an option to prevent this.
-
Are you the same person as marked79?
Regardless, I'm sure you have pointed out your concerns to Netgear. Did you? The concerns you have raised are purely related to the local router equipment, totally unrelated to the service which OpenDNS is providing in this context, as I said. Let's see what measures will be taken by Netgear about this.
"Any school / office / home"
I would not expect schools or offices using a Netgear home router, far from someone bringing in another Netgear router to connect it to the primary Netgear router. Routers at institutions should be accessible by authorized staff only, not by any believable user. This is rather a pure theoretical scenario, not clear facts. But ok, it may be technically feasible.
-
rotblitz, I am same person marked79.
This is very much related to OpenDNS.
I don't know if you are getting me, I am saying that you can use a home router to bypass a business setup that might be used in school / office / home.
1. My MAIN router is a business router (Draytek Vigor2860) and has a standard OpenDNS account configured so that port 53 is locked down to OpenDNS IPs only.
2. I have then used a Netgear home router to bypass the main network by virtue of its built in OpenDNS account.
3. This means that internally OpenDNS are allowing the 'built in' account to override an existing OpenDNS account, in spite of the fact that it is already associated with a particular IP address - this is a problem that OpenDNS has control over and could easily prevent.
4. I don't see why the same problem shouldn't exist on any school / office / home network (unless they employ restrictive policies re. connecting devices).
5. If you try to create a second standard OpenDNS account behind the same public IP, it will not let you do it. It will tell you that the IP is already linked to another account. However the accounts that are 'built in' to routers such as netgear allow the bypass via the genie app.
6. I should in fact contact OpenDNS, I was just wondering if this had already been acknowledged by anyone else.
-
"I don't know if you are getting me, I am saying that you can use a home router to bypass a business setup that might be used in school / office / home."
Yes, agreed. And because it is about a router, it has nothing to do with OpenDNS. OpenDNS do not supply routers, but Netgear do. The router firmware and Genie app are Netgear's.
"This means that internally OpenDNS are allowing the 'built in' account to override an existing OpenDNS account, in spite of the fact that it is already associated with a particular IP address - this is a problem that OpenDNS has control over and could easily prevent."
That's the difference between OpenDNS Home and Netgear LPC: OpenDNS Home identifies your DNS queries by your IP address, whereas LPC identifies them by your router's device ID (MAC address).
"I don't see why the same problem shouldn't exist on any school / office / home network (unless they employ restrictive policies re. connecting devices)."
Because users are usually not able to connect another router to the existing router.
"If you try to create a second standard OpenDNS account behind the same public IP, it will not let you do it. It will tell you that the IP is already linked to another account. However the accounts that are 'built in' to routers such as netgear allow the bypass via the genie app."
Yes, as I said: OpenDNS Home identifies your DNS queries by your IP address, whereas LPC identifies them by your device ID (MAC address). Different technical designs and different working principles.
"I should in fact contact OpenDNS, I was just wondering if this had already been acknowledged by anyone else."
If you don't report it to Netgear, but to OpenDNS, nothing will happen, especially not if you post it in a community forum. Same you could post it on Facebook, Twitter, Instagram or YouTube...
For OpenDNS there is nothing to acknowledge. They just do their part of the job relating to LPC. And it works as it is supposed to work. But from the Netgear router side there is certainly room for improvements. -
- That's the difference between OpenDNS Home and Netgear LPC: OpenDNS Home identifies your DNS queries by your IP address, whereas LPC identifies them by your router's device ID (MAC address).
Fine, but OpenDNS has the ability to ensure that OpenDNS Home and Netgear LPC do not clash in the ways that I have described earlier - OpenDNS run the servers that do the processing and can respond as appropriate. Its for OpenDNS to ensure that its services are robust and cannot be undermined in the way that I have described. They way it is now weakens the effectiveness of their product.
- Because users are usually not able to connect another router to the existing router.
A security product should be intrinsically secure and not be dependant on implementation.
- For OpenDNS there is nothing to acknowledge. They just do their part of the job relating to LPC. And it works as it is supposed to work. But from the Netgear router side there is certainly room for improvements.
I disagree with you on this point, for the reasons given in my previous two sentences.
Thank you for your lively responses, rotblitz. I think I will needs to take this up directly with the relevant parties and see how they respond.
Please sign in to leave a comment.
Comments
7 comments