In a previous article, I discussed OpenDNS and its proxying/filtering capabilities, suggesting that changing the DNS servers your computer uses for queries will bypass OpenDNS’ content filtering. While that part remains accurate, my suggestion to use a root DNS server from Wikipedia’s article was a bad one. After actually trying it, I discovered it does not work for whatever reason. Maybe they restrict DNS queries to edge DNS servers in order to prevent being taken down by a DDoS. Anyway, use 4.2.2.1 – 4.2.2.6 instead.
I also made the mistake of assuming that if you are stuck behind an OpenDNS proxy, you probably don’t have the ability to change which DNS servers your computer is using. Apparently, hotels and other establishments are using it on their “public” wireless. Ethical and legal ramifications aside, setting your computer to use 4.2.2.1 will bypass OpenDNS filtering, as long as the network does not also intercept outbound DNS traffic on port 53 and redirect it to its own resolvers. So, again, just to burn these numbers into your mind:
4.2.2.1
Quick instructions on how to change this (from this guy):
Click on “My Computer”. Click on “My Network Places”. Click on “View Connections”. Right-click the connection that provides your Internet access and go to “Properties”. Double-click the “Internet Protocol (TCP/IP)” entry. Make sure “Use the following DNS server addresses” is selected, and enter the DNS servers recommended above.
To check, go to Start > Run, type “cmd”, then type “ipconfig /all”. The servers you entered should appear where it says “DNS Servers”.
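The same change made from the command prompt with netsh, followed by two checks, as an added example that is not part of the original post. It assumes the interface is named “Local Area Connection” (look yours up with “netsh interface ip show config”) and must be run from an Administrator command prompt; www.example.com is only a sample name.

```batch
@echo off
rem Added example: set the resolver override from cmd.exe instead of the GUI.
rem "Local Area Connection" is an assumed interface name; substitute your own.
set IFACE=Local Area Connection

rem Replace whatever DNS servers DHCP (or the GUI) configured with the 4.2.2.x resolvers.
netsh interface ip set dns name="%IFACE%" source=static addr=4.2.2.1
netsh interface ip add dns name="%IFACE%" addr=4.2.2.2 index=2

rem Drop cached answers so earlier OpenDNS responses are not reused.
ipconfig /flushdns

rem Check 1: the change took. Both addresses should be listed under "DNS Servers".
ipconfig /all | findstr /C:"DNS Servers" /C:"4.2.2."

rem Check 2: the new resolver is actually reached. Query a name through the
rem default resolver, then directly through 4.2.2.1. For a site the network
rem filters, different answers mean the bypass works. Identical answers that both
rem point at the filtering service's block page mean the network is intercepting
rem port 53 and answering the query itself, and this setting changes nothing.
nslookup www.example.com
nslookup www.example.com 4.2.2.1
```

The second check is the one that matters on someone else’s network: the setting only decides where your machine sends queries, not whether the network lets them through.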
Those DNS servers (4.2.2.1–4.2.2.6) are Level 3’s resolvers, inherited from the old BBN/GTE network, and are not an advertised public service. So, they might just stop working one day.
I have grown uncomfortable with using OpenDNS as my DNS provider. While their privacy policy is adamant that they do not keep records, they provide statistics for your account. I’m not saying they are in any way malicious, but after seeing this…

Bum bum ba dum...............
…I am hesitant to send all my traffic to them.
A FINAL NOTE:
OpenDNS remains a solid choice for people wishing to set up easy, potentially effective content filtering for their network. Their actions to stop Conficker and other malware are commendable. They make it simple for people to move away from their ISP’s often-slow DNS servers. However, their content filtering should not be considered effective in any environment that does not control which DNS servers machines on that network can use. Also, there are glaring privacy concerns for anyone who cares about that kind of thing.
The End………………………………………………………………………?
I think they’re quite malicious. Just sayin.
Hi.
The real reason using the root nameservers won’t work is that they are not set up to handle recursive queries. When you send one of the root servers a domain, it responds by telling you where to look next, ie, who is authoritative for that tld, you then look there, and so on, down the line, till you get the nameserver(s) for the specific domain you are looking to resolve. Therefore you cannot just send them a domain name and have them resolve it for you. This is not a security feature per se, it is just how DNS itself works.
Nothing stopping you from having your own nameserver pull info from the root servers, however. Run BIND or whatever on a spare box, make sure it has info for *all* of the root servers (otherwise it will fail) and let it do the work for you. That way you’re not dependent on OpenDNS, your ISP, or Verizon to do your lookups for you.
It is also worth noting that you can opt out of the statistics program now. Doing so will halt all logging of traffic that passes over your account, and adds that much-needed layer of privacy.
I am a very private person, and I use OpenDNS on my home networks. When combined with a properly configured Windows security policy (to disable DNS/IP editing), it works very well to keep the kids off 4Chan and the like.
Just some more food for thought. Good articles though.
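The delegation walk described in the comment above, done by hand with nslookup from a Windows command prompt, as an added example that is not part of the post or the comment. It assumes www.example.com as the sample name; 198.41.0.4 is a.root-servers.net, a.gtld-servers.net is one of the com. servers, and a.iana-servers.net is authoritative for example.com.

```batch
@echo off
rem Added example: follow the referrals from the root the way a recursive resolver
rem does, to see why pointing a stub resolver at a root server returns nothing
rem usable. -debug prints the whole response, so the AUTHORITY section (the
rem referral) is visible even when the ANSWER section is empty.

rem Step 1: ask the root server for the final name. It is not authoritative for
rem example.com and does not recurse, so the reply carries no A record, only the
rem NS records for com. in AUTHORITY (with their addresses in ADDITIONAL).
nslookup -debug www.example.com 198.41.0.4

rem Step 2: ask one of the com. servers named in step 1. Again no answer, only a
rem referral to the nameservers for example.com.
nslookup -debug www.example.com a.gtld-servers.net

rem Step 3: ask the authoritative server named in step 2, which returns the A
rem record. (Substitute the nameserver actually listed in the previous AUTHORITY
rem section if it differs.)
nslookup -debug www.example.com a.iana-servers.net

rem The Windows stub resolver performs only step 1 and expects a complete answer,
rem which is why entering a root server in the TCP/IP settings gives no results.
rem A local recursive resolver loaded with the root hints does all three steps.
```

The same three queries are what a BIND box configured with the root hints does for every uncached name; the only difference is that it follows the AUTHORITY section automatically instead of you reading it.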