A couple of readers, including one of our own expert geeks, had a few points to add about my recent column on OpenDNS, a free service that allows users to filter certain types of incoming content from their computer or network.
By following an easy set of online instructions (www.opendns.com), users can reassign the task of translating Web addresses to OpenDNS. Once the service is in charge of turning the Web addresses into their corresponding server locations, you get more control over what actually gets into your network. That can be particularly valuable if you're trying to protect children from certain types of content.
But the problem with this strategy, according to IBM Distinguished Engineer and IT Security Architect Jeff Crume, is that it's as easy to undo as it is to implement. Any user with some degree of tech savvy can change the DNS settings, completely circumventing OpenDNS.
"As a content filtering solution, it is only going to be as good as the level of cooperation you have from end users," Crume said in an email. "If those end users are kids you're trying to corral, I wouldn't put a great deal of confidence in this mechanism."
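The change Crume describes shows up in a machine's resolver settings, so it can at least be detected. The added example below (not part of the original column and not OpenDNS's own tooling) audits Linux-style resolv.conf text against OpenDNS's public resolver addresses, which are assumed here as the approved set; the function names and sample files are constructed for illustration.

```python
import ipaddress

# OpenDNS's public resolver addresses, assumed here as the approved set.
OPENDNS_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

def parse_nameservers(resolv_conf_text):
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # '#' and ';' start comments; anything after them is dropped.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id
            try:
                servers.append(str(ipaddress.ip_address(addr)))
            except ValueError:
                servers.append(fields[1])  # keep malformed entries so they get reported
    return servers

def audit_resolvers(resolv_conf_text, approved=OPENDNS_RESOLVERS):
    """Classify a resolver configuration against the approved filtering resolvers."""
    servers = parse_nameservers(resolv_conf_text)
    unapproved, local_stub = [], []
    for server in servers:
        if server in approved:
            continue
        try:
            loopback = ipaddress.ip_address(server).is_loopback
        except ValueError:
            loopback = False
        # A loopback entry is a local forwarder; its upstream is not visible here.
        (local_stub if loopback else unapproved).append(server)
    if not servers:
        status = "no-resolver"
    elif unapproved:
        status = "drift"             # some lookups can skip the filter
    elif local_stub:
        status = "unknown-upstream"  # check the local forwarder's own settings
    else:
        status = "filtered"
    return {"status": status, "servers": servers, "unapproved": unapproved}

# Constructed sample files; 192.0.2.53 is a documentation-range address.
SAMPLE_OK = "# set by parent\nnameserver 208.67.222.222\nnameserver 208.67.220.220\n"
SAMPLE_CHANGED = "nameserver 208.67.222.222\nnameserver 192.0.2.53 ; edited\n"
SAMPLE_STUB = "nameserver 127.0.0.53\n"

if __name__ == "__main__":
    for name, text in [("ok", SAMPLE_OK), ("changed", SAMPLE_CHANGED), ("stub", SAMPLE_STUB)]:
        print(name, audit_resolvers(text))
```

This reads only the system resolver file, so an application that carries its own DNS setting is outside what it can see.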
Turning OpenDNS into the gatekeeper of your home or business network also means added protection, most notably from phishing. Scam sites like these can look just like legitimate ones, but are built to capture personal information like username/password combinations and banking information.
Relies on big assumption
How well OpenDNS protection works, Crume says, depends on how much information the company has managed to gather on malicious sites.
"As a security defense, the most it would be able to do is block some of the drive-by download sites that try to infect your system," Crume said. "Even that relies on a big assumption that it knows which ones are doing this, which is no small feat given the ever-changing landscape of Web sites popping up on the Internet."
To keep up, OpenDNS uses a site it maintains called PhishTank (www.phishtank.com), a database that allows any user to submit sites they think could be scams. Votes from the PhishTank community then determine whether a site receives a phishing designation.
It's hard to know how complete this list really is. But by comparing known phishing sites from this database to the addresses you try to access from your network, OpenDNS is able at least to protect users from a constantly evolving list contributed by the crowd.
Be aware of limitations
Crume mentioned one additional caveat for prospective users of OpenDNS: privacy. By default, Internet service providers are typically the ones responsible for using the Domain Name System to interpret Web addresses. That means every URL you type or click is processed by divisions in companies like Comcast, Time Warner Cable, Verizon or AT&T. Switching services means this Internet usage information is in the hands of OpenDNS instead.
While that might not be a bad thing, Crume said, it's something for users to think about.
"If privacy is a big issue for you, then you need to decide whom you trust more with this information, OpenDNS or your ISP," Crume said.
To be clear, none of this necessarily means you shouldn't use OpenDNS (for what it's worth, I still do). Like many services designed to protect users, it's a solution with some limitations best suited for certain situations.
What's important is that you're aware of those limitations so you can decide whether it's a good fit.