DNS Security Flaw


    DNS Security Flaw

    I am wondering if there will be a kubuntu update to fix the internet DNS security flaw.

    http://news.bbc.co.uk/2/hi/technology/7496735.stm

    I keep trying to switch to open DNS, and it works, until I restart my computer. Then it reverts back to my ISP's DNS setting.

    You can check your DNS vulnerability here:

    http://www.doxpara.com/
    ~George
    Linux — leaping tall "Bill-dings" in a single bound!
    Linux user #347469

    #2
    Re: DNS Security Flaw

    Open DNS? Sounds good, but
    ingo@dicker:~$ apt-cache search dns|grep open
    ingo@dicker:~$
    How do you use open DNS (at least for a session)?
    Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ



      #3
      Re: DNS Security Flaw

      You can get open DNS at http://www.opendns.com/

      It is free, and they have an FAQ (How It Works) tab to help.

      My system tests "safe" with open DNS, but my ISP's (Earthlink's) DNS fails.
      ~George
      Linux — leaping tall "Bill-dings" in a single bound!
      Linux user #347469



        #4
        Re: DNS Security Flaw

        Cheers, I did your test and my ISP was okay.

        I tried the openDNS thing and it appears I haven't got network-admin installed, but again an apt-cache search came up with nothing...
        Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ



          #5
          Re: DNS Security Flaw

          Glad your ISP's DNS passed the test.

          Now since my ISP's DNS failed, it would be nice if either:

          (1) A patch would be issued by kubuntu -OR-

          (2) Some kind soul would tell me how to make the change I made in my DNS to open DNS stick after restarting my computer. I'll bet it has to do with changing some configuration file in addition to making the change in System Settings.

          Here's some more news about possible forthcoming patches:

          http://www.linux.com/feature/141080
          ~George
          Linux — leaping tall "Bill-dings" in a single bound!
          Linux user #347469



            #6
            Re: DNS Security Flaw

            Sorry, I totally ignored your plight

            Does your dhclient.conf revert back to its original state on reboot?
            Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ



              #7
              Re: DNS Security Flaw

              Originally posted by toad
              Does your dhclient.conf revert back to its original state on reboot?
              Apparently, it does. Most of the text in the dhclient.conf file is commented out. In the little bit that is not, there is no place to enter a DNS address. That file also references #script "/etc/dhcp3/dhclient-script", but the dhclient-script is nowhere to be found, not even in superuser mode with all files, including hidden, displayed.

              This is all that is not commented out:

              send host-name "<hostname>";
              request subnet-mask, broadcast-address, time-offset, routers,
              domain-name, domain-name-servers, host-name,
              netbios-name-servers, netbios-scope;
              timeout 30;


              I don't see any place to enter a DNS number, although addresses of various kinds are shown in the commented-out portions.
              ~George
              Linux — leaping tall "Bill-dings" in a single bound!
              Linux user #347469



                #8
                Re: DNS Security Flaw

                I've been using openDNS for years. It works great. If you are connected to a router or to a DSL or Cable modem, you have to change the DNS settings in those devices. Your computer automatically uses the DNS servers listed there. Instructions are on the openDNS web site.



                  #9
                  Re: DNS Security Flaw

                  I have a router supplied by Earthlink. I have no idea how to make changes to that. This is what I found on the OpenDNS site:

                  How to use OpenDNS when your router does not allow DNS changes

                  If you are unable to configure your router to use our DNS servers, please try configuring your computer instead. You will get the same benefits, although you will have to change each individual computer.

                  Of course, they didn't get into any specifics about configuring the computer. So I'm back to finding the magic configuration file to change to *force* kubuntu to make those changes stick. I used Linspire for many years, and had Earthlink DSL there. When I made the change to the DNS setting to OpenDNS in Linspire's system settings, the setting stuck -- even when the computer was rebooted. I didn't have to burrow through any additional configuration woo to get things to stay put.
                  ~George
                  Linux — leaping tall "Bill-dings" in a single bound!
                  Linux user #347469



                    #10
                    Re: DNS Security Flaw

                    Sorry, Detonate, upon further inspection of the OpenDNS website, I *did* find these instructions which worked:

                    To avoid having your settings get revoked after reboots, or after periods of inactivity, do this:

                    $ sudo cp /etc/resolv.conf /etc/resolv.conf.auto
                    $ sudo gedit /etc/dhcp3/dhclient.conf
                    # append the following line to the document
                    prepend domain-name-servers 208.67.222.222,208.67.220.220;
                    # save and exit
                    $ sudo ifdown eth0 && sudo ifup eth0

                    You may be required to change eth0 to your own network device's name if it uses a non-standard name.


                    The only thing I had to change was "gedit" to "kate" for kubuntu. I also had a feeling that a line had to be added to dhclient.conf, but I didn't know what it was. Now I do.

                    Thank you. I like OpenDNS.
                    ~George
                    Linux — leaping tall "Bill-dings" in a single bound!
                    Linux user #347469
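Added example (not part of the original thread or of the OpenDNS instructions): a check that the `prepend domain-name-servers` line from post #10 is active in dhclient.conf and that the generated resolv.conf actually lists those resolvers first, which is the condition that was failing after each reboot. The function names are hypothetical and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: verify the dhclient.conf change from post #10 took effect.
# Function names are hypothetical; the addresses are the ones quoted in the post.
EXPECTED="208.67.222.222 208.67.220.220"

# Print the servers of an active (uncommented) "prepend domain-name-servers"
# statement, space-separated. Prints nothing if the line is absent or commented.
prepended_servers() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "prepend" && $2 == "domain-name-servers" {
                 sub(/^[ \t]*prepend[ \t]+domain-name-servers[ \t]+/, "")
                 sub(/;.*/, ""); gsub(/[ \t]/, ""); gsub(/,/, " ")
                 print; exit
             }'
}

# Print the nameserver addresses from a resolv.conf in resolution order.
resolv_servers() {
    awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# 0: pinned; 1: dhclient.conf lacks the line; 2: resolv.conf reverted.
check_dns_pinned() {
    conf=$1 resolv=$2
    [ "$(prepended_servers "$conf")" = "$EXPECTED" ] ||
        { echo "dhclient.conf: prepend line missing or different"; return 1; }
    case "$(resolv_servers "$resolv") " in
        "$EXPECTED "*) echo "ok: $EXPECTED listed first"; return 0 ;;
        *) echo "resolv.conf: DHCP-supplied resolver is still first"; return 2 ;;
    esac
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d)
printf '%s\n' '#prepend domain-name-servers 127.0.0.1;' \
    'request subnet-mask, routers, domain-name-servers;' \
    'prepend domain-name-servers 208.67.222.222,208.67.220.220;' > "$tmp/dhclient.conf"
printf 'nameserver %s\n' 208.67.222.222 208.67.220.220 192.0.2.1 > "$tmp/resolv.good"
printf 'nameserver %s\n' 192.0.2.1 > "$tmp/resolv.reverted"

check_dns_pinned "$tmp/dhclient.conf" "$tmp/resolv.good"
check_dns_pinned "$tmp/dhclient.conf" "$tmp/resolv.reverted" || echo "(exit $?)"
```

On the system described in the thread, the same check would be run as `check_dns_pinned /etc/dhcp3/dhclient.conf /etc/resolv.conf` after a reboot.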



                      #11
                      Re: DNS Security Flaw

                      Glad it worked out for you!!



                        #12
                        Re: DNS Security Flaw

                        Interesting.
                        I worked on network security some years ago and definitely I'm not updated.
                        That way I read the CERT bulletins and one workaround should be to run your own resolver.
                        So, my suggestion is to do the very same config you wrote above to comply with the OpenDNS settings and a plus would be to install the package lwresd.

                        This is a light DNS server that reads your /etc/resolv.conf and sets those IPs as Forwarders.
                        That way, when your DNS server does not know the resolution for a URL, it asks the servers in /etc/resolv.conf, and it would be nice if those servers are from OpenDNS.

                        My two cents.



                          #13
                          Re: DNS Security Flaw

                          Glad you got it working, MoeNeigh. Perhaps you could edit the subject line of your first post to include SOLVED so others can benefit from your experience.

                          Thanks.
                          Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ
