Protect your Business and Family with OpenDNSAdam Oswald
OpenDNS offers a suite of Internet filtering and security features targeted at levels from the home environment to corporates. The service works by replacing the Internet’s standard address book system (DNS) with a custom service which then allows you to limit, track, and manage access to the Internet and to help protect your staff and family from malware, phishing, and inappropriate content.
OpenDNS was bought by Cisco in late 2015 and is now being integrated with their extensive product and service portfolio. With Cisco’s backing, the service will likely continue to grow in the corporate market and at this stage it appears that cisco will continue to support the home and small business markets. Basic filtering and lookup services remain available at no cost with more sophisticated services available for a fee.
The nature of the service means that security can be set up and managed at a single point where all new devices plugging into the network are automatically included, simplifying administration and reducing or removing the need to load custom software onto each device.
Many of our clients have migrated away from device specific software lockdown tools to OpenDNS in an effort to reduce the impact of device specific tools on performance, and to reduce administration costs. The service is not perfect and is best used as part of a layered strategy, but it is a low impact, high value service that we recommend for most sites.
How can OpenDNS help your Family or Business?
The OpenDNS service can help with:
- Protect families and employees from adult content on the internet by blocking these sites.
- Improve productivity and conserve bandwidth by blocking time wasting sites, or blocking all sites except for a group selected by you.
- Reduce the risk of malware infection by blocking sites that are known to contain malicious software and exploits.
- Block “phishing” sites that try to trick you into giving up your identity and login information.
- Improve the responsiveness of web browsing in cases where ISP DNS servers have poor response times.
- Improved confidentiality, Integrity, and availability of the DNS service by implementing improvements to standard DNS protocols such as support for CurveDNS and DNSCrypt.
- Gain visibility of your internet traffic with access to logs of sites visited by your users and sites that were blocked.
How it Works – Take control of the Domain Name Service (DNS)
When you enter the name of a web site like www.computeralliance.com.au into your browser, you are asking something like “Please show me the Computer Alliance web site”. Easy you might think, but one little problem crops up: your browser and computer may have no idea where the Computer Alliance web site is located. Oops.
The web “address” you type into a browser is more akin to a name than a street address. A comparable request to a friend might be something like “Please head down to Computer Alliance and check out their stock and pricing for me”. If your friend knowns our physical address, all good, otherwise they have no idea how to reach us.
So what does the friend do? Well, they ask! You are the closest source who might know the address so they ask you first, and if you know, then problem solved, but if you don’t you might then look it up for them using a more comprehensive address book.
Internet addressing works in a similar way, using what we call the Domain Name System. DNS is a protocol that lets computers look up domain names like www.computeralliance.com.au and find out their numerical internet address (something like 126.96.36.199), the one more like the street address that you must have in order to contact the site.
Similar to the idea of your friend finding the address by checking their own memory, and then asking you, DNS works on a hierarchy where your computer will check to see if it has recently looked up the address and already knows it, and if not will then ask its closest DNS service, probably your modem/router. If that service doesn’t know either, it will know about a more comprehensive server further up the chain to ask. Eventually the address will come back down the chain to be passed back to your browser.
The address of your local DNS server is normally assigned to your computers automatically and in most cases will point to a DNS service on your router or local server. That server will then pass queries on to your internet providers DNS servers.
With OpenDNS as your DNS provider, replacing your ISPs DNS servers, you can still receive the full range of usual address lookups, but also take some control over the responses to manage access to the address. In this way you can make use of OpenDNS systems that identify and categorise sites by content and by security risk, and then automatically block sites that you don’t want accessed. You can also select specific sites to block, or block everything and only allow specific sites.
How to Set up – Manually Set DNS
You can make changes to which DNS server your devices use when they don’t already know an address. One method is to change the entries for DNS servers on all individual client devices, such as PCs, but it is normally easier and more secure to only change the local DNS server on your network that all other devices rely on for their initial DNS query.
Your router may use DHCP to automatically give out local addresses and its own address as a DNS server to all devices attached to the network (that’s the standard setup for most environments). Then all you need do is change the routers DNS settings that look to external DNS servers so that it in turn looks to OpenDNS servers for its DNS queries to pass back to your devices.
Limitations – Bypassing OpenDNS
You may see an evident flaw in this method. If a user manually changes their computers DNS server settings to some alternate (for example Googles DNS servers) rather than the router, they may be able to bypass filtering. This can be a problem and is one reason OpenDNS should be used as one element in a multilayered security strategy.
In environments that are heavily locked down, using best practice security measures, users (and any malware that takes control of a user account) will not be able to change local DNS settings and attempts to query other servers may be blocked. Even in those environments there may be possibilities to bypass OpenDNS and a range of other systems may be used to detect or block those bypasses.
The potential of bypassing OpenDNS depends on the intent of users, the knowledge of users, and the security setup of the environment. In most environments the risks of inadvertent or intentional bypassing is minimal.
Setting up Blocking a Policy
The level of control available varies with the level of service chosen, but all levels allows you some broad blocking options that is generally appropriate for most sites. You can select a typical collection of settings with a single button, or take more control and manually set which categories to allow or disallow, and even go to the detail of blocking specific sites.
Various reports on Internet activity are available to help you keep an eye on sites that users are attempting to access. This can sometimes show up possible problems on your network where a certain application may continually attempt to access a particular site (such as malware trying to talk back to its servers or to infect other computers).
Blocking Malicious Sites
OpenDNS receives reports of malicious activity related to web sites and adds those sites to its blocking lists. A default security policy is applied in addition to the general blocking policy specifically to deal with these threats.
If a user attempts to go to one of those sites, or as often the case, if a computer is directed there by malware, then they will be blocked and so protected from malware that may be present on the site.
In cases where OpenDNS may get it wrong or the user may feel they have good reason to access a site, the interface allows users to submit a request to the site administrator to review the site and approve access.
Attempts to access that site are also logged so you can monitor if there may be an ongoing problem of malware infection with one of your computers.
OpenDNS Active Directory Integration
Most business sites use Active Directory to manage users, devices, and their access permissions. If your business has a server based environment, you probably use Active Directory.
By integrating OpenDNS with your Active Directory environment you can set up group and user based settings for OpenDNS. That might mean, for example, that senior managers might have less restrictive access to various web sites where staff with less need to access the Internet might be heavily locked down.
AD Integration requires two components:
1. Virtual Appliance
- Runs in a virtualized server environment (Hyper-V, VMWare)
- Forwards local DNS queries to your existing DNS servers and
- Forwards external DNS queries with non-sensitive metadata to the OpenDNS service.
- Runs in your Active Directory environment,
- Securely communicates non-sensitive user and computer login info to the Virtual Appliances.
- Securely communicates non-sensitive user and computer group info to the OpenDNS service
The Process of Setting up OpenDNS
Given that the basic OpenDNS service is free and straightforward to set up at the router level, I usually suggest simply signing up and giving it a go. If it causes issues for you, its quick to revert to your prior DNS settings.
Once you get a feel for its possibilities, its time to look at the more advanced options and see if a paid plan is worthwhile. To take it further in a business environment you should also review your site security (usually a good idea anyway) and consider how OpenDNS is best integrated.
Much of this work can be done by tech savvy senior staff or home users, or for advanced setup options you might want to consult with our technical staff at ABT (Alliance Business Technologies).