Is filtering "Suspicious Responses" enabled in Family Shield

Comments

  • rotblitz

    Why not simply test it out instead of asking here?

  • ericgoldsmith

    Well, I wasn't sure how to test, and didn't want to duplicate work that someone else may have already done.

    So, I figured out how to test with this tool, and the filtering of "Suspicious Responses" does not appear to be enabled on the Family Shield product.

    Any idea why this filtering is not enabled by default? In what cases would you ever want a public DNS server to return an address from a private address space?

    Thanks.

  • rotblitz

    "Any idea why this filtering is not enabled by default?"

    I'm a user like you, but here are my two cents and guesses:

    It is not enabled by default, because any filtering is not part at all of a basic pure recursive DNS service.  Such a service must return the information the authoritative nameservers provide.  Consequently, this feature is available only as an option, via the OpenDNS Home dashboard where you can individually configure your recursive DNS to a certain extent.  And FamilyShield is explicitly designed to just filter adult content and circumvention, not anything else.

    "In what cases would you ever want a public DNS server to return an address from a private address space?"

    In all cases where an owner of a domain name wants to point the A records to private RFC-1918 addresses and configures their authoritative DNS accordingly.  There are more such authoritative entries of this sort than you can think of, and most of them are not intended for rebinding attacks but for "legit" purposes, although DNS was not intended to be used this way.  But people use what is technically feasible.
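
The check discussed in this thread, as an added example (not written by any poster and not OpenDNS's code): a resolver-side filter that drops answers pointing into private address space, with an allowlist for domains whose owners publish such records deliberately. The blocked ranges, function names and sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed block list: RFC 1918, loopback, link-local and their IPv6 counterparts.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_suspicious(addr):
    """True if an A/AAAA answer points into a blocked (non-public) range."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot bypass the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def is_allowlisted(qname, allowlist):
    """Match the query name or any parent domain against the allowlist."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowlist)

def filter_answers(qname, addrs, allowlist=()):
    """Return (kept, dropped) address lists for one response."""
    if is_allowlisted(qname, allowlist):
        return list(addrs), []
    dropped = [a for a in addrs if is_suspicious(a)]
    kept = [a for a in addrs if a not in dropped]
    return kept, dropped

# Constructed sample responses (names and addresses are illustrative only).
SAMPLES = {
    "www.example.org": ["203.0.113.10"],
    "nas.home.example.com": ["192.168.1.20"],
    "mixed.example.net": ["203.0.113.7", "10.0.0.5"],
    "mapped.example.net": ["::ffff:192.168.1.1"],
}

if __name__ == "__main__":
    allow = ("home.example.com",)  # owner deliberately publishes private A records
    for name, addrs in SAMPLES.items():
        kept, dropped = filter_answers(name, addrs, allow)
        print(f"{name:24} kept={kept} dropped={dropped}")
```

Without the allowlist entry, the `nas.home.example.com` answer is dropped like any other private address, which is the trade-off the last comment describes.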
