Malicious Web sites install code without our knowledge, or rely on our gullibility, in order to hijack our computers. Anti-malware software can help by blocking known attacks, but does little or nothing about new vectors. Some software, like McAfee’s security package, can show whether a site linked via a search engine is known to be safe or malicious. But OpenDNS can go a step further.
OpenDNS promoted itself as a way to avoid being exploited by the Flashback malware last month, but it takes a little unpacking of that claim to understand how the service can help. Flashback attacked Macs by using an exploit in Java triggered when a user visited a Web site hosting the necessary malicious code (see “How to Detect and Protect Against Updated Flashback Malware,” 5 April 2012). Once the malware was installed, Flashback attempted to contact command-and-control servers at obscured domain names built into the code. (Security firms and anti-virus companies ferreted out these domains
and registered those that weren’t already controlled, while those already registered were blocked by ISPs and other parties.) When successful, Flashback’s goal was to infect network applications and steal identity and financial information, transmitting it back to those command-and-control servers.
You could thus be protected from infection if your computer were deterred from visiting compromised and malicious sites that have all manner of code that could cause you trouble. And you could reduce the liability of being infected if Flashback were blocked from connecting to its command-and-control sites. OpenDNS provides both those benefits by controlling DNS lookups.
DNS (Domain Name System) is as complex as any other bit of Internet plumbing, but simple to explain at its highest level. It converts a name of a host and domain, like www.tidbits.com, into an Internet Protocol (IP) number, like 184.108.40.206. DNS enables users to initiate connections to remote servers by using human-readable names instead of the numeric IP addresses that operating systems rely on.
When you switch your Mac or router to use OpenDNS instead of your ISP’s DNS servers, OpenDNS can intercept a DNS request and respond based on what it knows about the destination IP address. This is used for simple but useful purposes, such as fixing a typo like
.com. (Basic OpenDNS features are free; the firm offers a $20 per year account with additional reporting, support, and controls, and more expensive business and academic institution accounts.)
But it can do more. OpenDNS built a system called PhishTank that accepts reports of “phishing,” or schemes in which spam email messages lure unwary recipients to counterfeit Web sites designed to steal passwords, credit card numbers, or other personal information. PhishTank relies on community reporting and review, letting users examine reports and vote on whether a given Web site should be categorized as one that’s associated with phishing.
Here’s the key for how OpenDNS can protect you from malware. When you’re using OpenDNS, if you visit a Web site identified as being involved in phishing scams, the site is blocked, and OpenDNS displays a message warning you about the site. Other network applications that try to connect to a PhishTank-listed IP address are simply blocked. OpenDNS also maintains a list of servers that are used to control zombified computers, and blocks access to those as well. Finally, OpenDNS can optionally keep DNS from resolving to private address ranges, the ones reserved for use only on local networks (like the 192.168.0.0–192.168.255.255 set) that would never be used for publicly reachable domain names. That might seem unnecessary, but malware
can try to rewrite DNS to point to other compromised machines on the same network or to load a Web site from the computer on which it’s running.
I’ve been using OpenDNS for years, and I also recommend it as something you could set up for friends, family, and colleagues who may not be sophisticated enough to avoid phishing attacks, or who ask you for help in protecting their computers. Adam and Tonya Engst point out that kids — notably young teenagers — are also a prime audience for protection via OpenDNS, since the teens that they’ve observed often click seemingly randomly on Web pages (and in program interfaces in general), exercising little or no discretion as to whether a risk is involved.
You can use OpenDNS at either the level of a single computer, or, more effectively, at your router, so it protects your entire network. (In fact, for laptops, it’s worth doing both, so you’re protected even when you’re away from your home or office network.) For a single Mac, manually enter OpenDNS’s two DNS server IP addresses (220.127.116.11 and 18.104.22.168) into the DNS view of the appropriate network adapter’s Advanced dialog.
For an AirPort base station, run AirPort Utility, edit your base station’s configuration, and in the Internet view, enter 22.214.171.124 in the Primary DNS Server field and 126.96.36.199 into the Secondary DNS Server field.
A final option for advanced users is to use OpenDNS’s DNSCrypt software, currently in beta. DNSCrypt encrypts DNS lookups, which can prevent malicious redirection on public networks or in subverted nations. I wrote more about DNSCrypt at Macworld.
OpenDNS certainly can’t prevent malware attacks or even protect against unknown malicious Web sites. But by using DNS as part of an Internet-wide reporting and deterrence approach, and requiring that you install no software to take advantage of the benefits, OpenDNS can play a useful role in your overall security strategy.