Open Source Soulutions Secure Email Server Solutions Linux IT Support Services

Technology Blog

January 12th, 2010

A Reason to Question OpenDNS

This is an issue that I noticed some time ago, and I was reintroduced to it a few days back when debugging a DNS issue on a server. The problem concerns poisoned DNS entries in OpenDNS that point www.google.com (and possibly many other names) at OpenDNS's own Squid cache servers instead of at Google. The proof of this can be seen here:


        dig +short @208.67.222.222 www.google.com

        google.navigation.opendns.com.
        208.67.216.231
        208.67.216.230
       
        

Definitely not the real records, which are actually:


        dig +short www.google.com

	www.l.google.com.
	74.125.53.99
	74.125.53.104
	74.125.53.106
	74.125.53.147
	74.125.53.103
	74.125.53.105
       

When we examine the HTTP response headers served by the two OpenDNS IP addresses, we see:

        curl -I 208.67.216.230

        HTTP/1.0 200 OK
        Date: Sun, 12 Jan 2010 07:08:59 GMT
        Expires: -1
        Cache-Control: private, max-age=0
        Content-Type: text/html; charset=ISO-8859-1
        Server: gws
        X-XSS-Protection: 0
        X-Cache: MISS from .
        Via: 1.0 .:80 (squid)
        Connection: close

What does all of this mean? It means that OpenDNS has gone out of its way to route traffic destined for www.google.com through its own caching servers for everyone who uses it as a resolver: the CNAME into navigation.opendns.com sends browsers to OpenDNS addresses, and the Via and X-Cache headers show a Squid proxy answering in front of Google's web server (gws). In this type of setup, OpenDNS is able to cache, monitor and data mine any and all traffic that passes through those servers.
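The two manual checks above, comparing a resolver's answer with a direct one and looking for proxy headers, can be scripted so that a server's resolver configuration is tested routinely. The following is an added example and not part of the original post; its sample inputs are fixtures copied from the 2010 output quoted above (live answers will differ), and "registrable domain" is approximated as the last two labels of the queried name, which is a stated simplification.

```shell
#!/bin/sh
# Added example (not from the original post): automates the dig and curl checks
# shown above. The sample inputs below are constructed fixtures copied from the
# post's 2010 output; real answers will differ today.

# dig +short @208.67.222.222 www.google.com, as answered by OpenDNS
OPENDNS_ANSWER='google.navigation.opendns.com.
208.67.216.231
208.67.216.230'

# dig +short www.google.com, as answered by a resolver that does not rewrite
DIRECT_ANSWER='www.l.google.com.
74.125.53.99
74.125.53.104'

# curl -I headers returned by one of the OpenDNS addresses
PROXIED_HEADERS='HTTP/1.0 200 OK
Server: gws
X-Cache: MISS from .
Via: 1.0 .:80 (squid)
Connection: close'

# check_cname_chain NAME ANSWER
# Prints each name in ANSWER (dig +short output) that is not under NAME's
# registrable domain, approximated here as its last two labels (a heuristic
# that does not handle suffixes such as co.uk). Returns 1 if any such name
# exists, 0 if every name in the chain stays inside that domain.
check_cname_chain() {
    base=$(printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }')
    foreign=$(printf '%s\n' "$2" | awk -v base="$base" '
        /\.$/ {                       # dig prints names with a trailing dot
            n = tolower($0); sub(/\.$/, "", n)
            # keep n if it is neither base itself nor ends in ".base"
            if (n != base && substr(n, length(n) - length(base)) != "." base)
                print n
        }' || true)
    [ -z "$foreign" ] && return 0
    printf '%s\n' "$foreign"
    return 1
}

# check_proxy_headers HEADERS
# Prints Via: and X-Cache: lines, which a caching proxy such as Squid inserts
# and an origin web server normally does not. Returns 1 if any are present.
check_proxy_headers() {
    hits=$(printf '%s\n' "$1" | grep -iE '^(Via|X-Cache):' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: run both checks against the fixtures. On a live system the inputs
# would come from "dig +short @<resolver> www.google.com" and "curl -I <ip>".
for answer in "$OPENDNS_ANSWER" "$DIRECT_ANSWER"; do
    if foreign=$(check_cname_chain www.google.com "$answer"); then
        echo "ok: www.google.com resolves within google.com"
    else
        echo "WARNING: www.google.com is redirected via $foreign"
    fi
done
if hits=$(check_proxy_headers "$PROXIED_HEADERS"); then
    echo "ok: no proxy headers in response"
else
    echo "WARNING: response passed through a proxy:"
    printf '%s\n' "$hits"
fi
```

A non-zero exit from either function is the signal to act on: the first means the resolver is substituting its own hostnames for the one you asked about, the second that the HTTP endpoint you reached is an intermediary rather than the origin. Running the script from cron against each configured resolver turns the one-off observation in this post into a standing check.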


From their privacy page, we see:


       For customers using OpenDNS optional features such as "Shortcuts",
       typo correction and content filtering, DNS requests for certain
       domains may be directed through an HTTP proxy or other server.
       The data from the HTTP proxy or other server is generally kept
       for approximately 24 hours for technical reasons, except for
       backup or archival copies which are not generally accessed in
       the normal course of business.

You have to admire the term "generally" (which is a pretty general term).
