A number of our users have written in today asking if OpenDNS is vulnerable to the recent multi-vendor DNS security issue disclosed today by my good friend and security researcher Dan Kaminsky.
I’m very proud to announce that we are one of the only DNS vendor / service providers that was not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered. In other words, if you used OpenDNS then you were already protected long before this attack was even discovered.
In fact, for those of you who were listening in on the Microsoft press call this morning, you’ll note that OpenDNS was suggested as the easy and simple solution for anyone who can’t upgrade their DNS infrastructure today. Pointing your DNS servers to forward requests to OpenDNS and firewalling all other DNS traffic off at your server will help mitigate this risk.
We’re going to write more about this issue in the next 24 hours to address the vulnerability in detail and explain why we aren’t affected but I wanted to get the word out now so that you know you are safe using OpenDNS.
Thanks and happy resolving…
Update: Bert Hubert, author of PowerDNS, alerted me to the fact that PowerDNS was also not vulnerable when this issue was discovered. That’s not surprising considering Bert is one of the authors of the wonderful DNS forgery resilience Internet Draft that has recently been published.
I updated the statement in bold appropriately.
bert hubert
You weren’t the only one, David!
Bert Hubert
PowerDNS
posted on July 8th, 2008 at 2:08 pm
Jonathan Yaniv
Absolutely awesome!! I was worried about this vulnerability but I’m happy to know that OpenDNS isn’t affected at all.
Thanks David!
posted on July 8th, 2008 at 2:36 pm
Jonathan Yaniv
This is actually really good for OpenDNS. Its anniversary is coming up soon, and what better way to celebrate than being one of the few that aren’t vulnerable? And maybe we can get 2 million submitted domains in domain tagging before or on the day of the anniversary. It shouldn’t be hard to do; we are quite close to that big 2.0.
Jonathan
posted on July 8th, 2008 at 2:40 pm
John Ball
Great news indeed! OpenDNS was referenced again at DSLreports.com for those who needed a temporary workaround until one’s server could be patched.
posted on July 8th, 2008 at 7:43 pm
Erik
Out of curiosity: OpenDNS resolves all requests on its own? If not, then OpenDNS might get some forged addresses from vulnerable DNS-Servers, wouldn’t it?
Again, I’m just nosy.
posted on July 9th, 2008 at 12:23 am
Matt Nordhoff
PowerDNS is safe? That means at least one of my web hosts is golden, then.
Not that we’re compiling a list, but I’m pretty sure djbdns is safe too.
posted on July 9th, 2008 at 1:09 am
The biggest security patch release in Internet history | (-) HatSecurity.com
[…] of now, the best workaround is to use third-party DNS service such as OpenDNS which is not vulnerable to the discovered flaw, until your current DNS service provider is […]
posted on July 9th, 2008 at 6:03 am
saffolino
Good job
posted on July 9th, 2008 at 7:00 am
Mark
It’s ironic that while OpenDNS was one of the few DNS service providers that weren’t affected, the company they use for their ads, Yahoo, not only was affected, but was still using BIND8 which was unable to be patched to fix the vulnerability.
posted on July 9th, 2008 at 8:18 am
David Ulevitch
@Mark
Maybe they should be forwarding all DNS requests internally to OpenDNS. That’d help buy some time preventing the need to upgrade BIND versions. As an aside, the fact that we use them for ads in no way exposes OpenDNS users to any potential vulnerability. All that matters is if your recursive DNS provider is secure.
@Matt Nordhoff
Yes, djbdns is in the clear. We’re actually big DJB fans here (and I have been for years, even before I started EveryDNS.Net seven years ago which runs a modified tinydns codebase).
posted on July 9th, 2008 at 8:22 am
Why you should use OpenDNS. | The OSM Blog
[…] search engines that don’t help you at all, and they are fast. Finally, they were one of the only DNS providers who were not vulnerable to the latest security […]
posted on July 9th, 2008 at 9:03 am
Ben D.
But even if my Windows 2003 DNS server forwards all internal DNS requests to OpenDNS (which it does), what’s to prevent ‘responses’ from being spoofed?
In other words, how does using OpenDNS protect me? Isn’t any DNS client potentially vulnerable?
Maybe I’m not understanding the vulnerability correctly.
posted on July 9th, 2008 at 10:07 am
DNS Fool » A Big Day for DNS Security
[…] systems are not susceptible, including dnscache from djbdns, OpenDNS, and PowerDNS. Kaminsky comments on how Dan Bernstein was years ahead of everyone else with […]
posted on July 9th, 2008 at 10:24 am
Charles Sprickman
Poor Bernstein. One of the first to write about this many years ago, but no one gives him credit or notes that:
- dnscache was not “vulnerable”
- all the patches that help make everything more random simply make you less vulnerable, but do not address the root cause of the problem
http://cr.yp.to/djbdns/forgery-cost.txt
posted on July 9th, 2008 at 10:07 pm
Lynoure Braakman
MaraDNS and Deadwood were also fine (see http://marc.info/?l=maradns-list&m=121560639013865&w=2 for more info )
posted on July 9th, 2008 at 10:13 pm
Mike
I am truly grateful for OpenDNS, and for the fact that it is not vulnerable to the latest DNS exploit(s).
It gives me a great deal of peace of mind knowing that not only can I select entire categories of websites to block DNS-based access to, I can restrict entire top-level domains (TLDs) (for example, *.cn), which will cut out between 80 and 90% of all hacking attacks to my servers.
I am truly grateful to OpenDNS, and to their making this service free. I will gladly pay more, if you need to beef up your servers and infrastructure, now that you’ve been “outed” (lol) by “the popular press” as one of the Internet’s very-few secure DNS facilities.
Thank you again!
- Mike S.
A (Very) New OpenDNS User
posted on July 9th, 2008 at 11:37 pm
So, What Does This Mean? - The PuritanBoard
[…] Rich’s suggestion — it looks like OpenDNS was never susceptible to this problem based on their blog post. […]
posted on July 10th, 2008 at 3:23 am
Gabriel
AFAIK, OpenDNS and Neustar haven’t had this vulnerability from day one.
posted on July 10th, 2008 at 10:52 am
Tom
I have an ActionTec GT704WG wireless router provided by my ISP, Verizon. My DNS server addresses were changed in Windows to OpenDNS, so my question is: Am I good to go or do I need a vendor patch for the router, also?
posted on July 10th, 2008 at 11:00 am
(Yet Another) Mark
Couldn’t an unpatched client (like the glibc resolver) still be vulnerable to IP spoofing of OpenDNS itself? It seems unlikely, I must admit, but isn’t just as likely since AFAICT the exploit would have required spoofing at some point in the chain of events?
posted on July 11th, 2008 at 10:56 am
On the Internet, How Do You Know If You Are Talking to a Dog? | Disruptive Library Technology Jester
[…] of DNS cache poisoning. One such service is called OpenDNS, and they made quite a big point about not being vulnerable to this problem. At a very basic level, you use OpenDNS by setting your DNS servers to 208.67.222.222 and […]
posted on July 15th, 2008 at 6:51 pm
Jeffrey S.
You know what my computer just said after hearing about this news that OpenDNS was safe from any DNS-based attacks?
“PHEW!!!”
posted on July 18th, 2008 at 2:12 am
Killer Free Service That You’re Probably Not Using | It Does Compute
[…] Internet, Networking, Web Browsing Update: OpenDNS is not vulnerable to a DNS cache poisoning attack that was recently discovered. OpenDNS has written about the multi-vendor vulnerability on the OpenDNS blog. […]
posted on July 22nd, 2008 at 7:06 pm
Internotes − OpenDNS Blog » OpenDNS – Keeping you safe day after day
[…] OpenDNS Blog » OpenDNS – Keeping you safe day after day This entry was posted on Wednesday, July 23rd, 2008 at 11:04 and is filed under Citation. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed. […]
posted on July 23rd, 2008 at 1:32 am
Zero Day mobile edition
[…] July 8th, David Ulevitch at OpenDNS posted a statement that OpenDNS isn’t vulnerable : “I’m very proud to announce that we are one of the only DNS vendor / service providers […]
posted on July 25th, 2008 at 8:26 am
Just use OpenDNS at MasterMaq’s Blog
[…] the day it launched two years ago, and have used them on some machines ever since. Turns out that OpenDNS is one of the few that were unaffected by this flaw: I’m very proud to announce that we are one of the only DNS vendor / service […]
posted on July 25th, 2008 at 2:47 pm
That Whole DNS “thing” » Solo Technology
[…] far as the vulnerabilities go, they claim not to be vulnerable. Kaminsky and the testing app at his site seem to agree. Curious about your DNS provider? Try that […]
posted on July 26th, 2008 at 8:15 pm
Vanvalkinburgh.org » Blog Archive » OpenDNS Blog » OpenDNS – Keeping you safe day after day
[…] OpenDNS Blog » OpenDNS – Keeping you safe day after day. […]
posted on July 26th, 2008 at 10:34 pm
Tony Bruguier
I am a bit confused. Even with the latest patches, the vulnerability remains:
http://tech.slashdot.org/tech/08/08/09/123222.shtml
One can only mitigate the problem, since the issue is a problem in the specification of the DNS protocol itself. OpenDNS probably does not use BIND, but that doesn’t matter. Actually, you probably have a custom-made program.
I suspect you probably have a very large pipe, making you more vulnerable to poisoning. Could you expand on the protection measures that you have taken?
Tony
posted on August 9th, 2008 at 4:59 pm
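Charles Sprickman’s point above (randomization lowers the odds of a forged response landing but never makes them zero) and Tony’s question about what a resolver’s mitigations actually buy can both be made concrete with a small model. The Python below is an added example written for this page; it is not OpenDNS code, not a reply from the author, and not taken from the forgery-cost note linked in the comments. It assumes a simplified model in which each forged response is one independent guess at the 16-bit transaction ID plus however many bits of source-port entropy the resolver uses, and the port samples it analyses are constructed, not real captures. Real resolvers add timing, bailiwick checks and other factors the model ignores, so treat the numbers as a lower bound on the defender’s side.

```python
"""Estimate how much a recursive resolver's randomization buys against forged answers.

Added example for this page (not OpenDNS code). Simplified model: every forged
response is one independent guess at the 16-bit TXID plus the resolver's
source-port entropy. Port samples below are constructed, not real traffic.
"""
import math
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field

# Constructed samples of the source ports a resolver used on 64 successive
# outgoing queries (hypothetical captures for illustration only).
FIXED_PORT_SAMPLE = [53] * 64                                   # always port 53
RANDOM_PORT_SAMPLE = [49152 + (i * 7919) % 16384 for i in range(64)]  # spread out


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits.

    A sample of n observations can show at most log2(n) bits (6 bits for 64
    queries), so this is a lower bound on what the resolver really provides.
    """
    n = len(ports)
    counts = Counter(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def resolver_randomizes_ports(ports, min_bits=4.0):
    """Check: does the sample look like a port-randomizing resolver?"""
    return port_entropy_bits(ports) >= min_bits


def guess_probability(port_bits, forged_per_window=1):
    """Probability that one window of forged responses contains a match.

    The forger must hit both TXID and source port before the genuine answer
    arrives; each forged packet is one guess in a space of 2^(16 + port_bits).
    """
    space = 2 ** (TXID_BITS + port_bits)
    return min(1.0, forged_per_window / space)


def expected_windows_to_success(port_bits, forged_per_window=1):
    """Expected number of query windows before a forgery lands (1 / p)."""
    return 1.0 / guess_probability(port_bits, forged_per_window)


def windows_for_confidence(port_bits, forged_per_window, confidence):
    """Windows needed before a forgery lands with the given probability."""
    p = guess_probability(port_bits, forged_per_window)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT_SAMPLE),
                         ("random port", RANDOM_PORT_SAMPLE)):
        bits = port_entropy_bits(sample)
        print(f"{name}: ~{bits:.1f} bits observed, "
              f"randomizing={resolver_randomizes_ports(sample)}")
    # Cost comparison: TXID only versus TXID plus 16 random port bits, for a
    # forger able to send 100 guesses per query window.
    for port_bits in (0, 16):
        print(f"port_bits={port_bits}: expected windows to success "
              f"= {expected_windows_to_success(port_bits, 100):,.0f}")
```

The entropy check is the same kind of measurement the testing tools mentioned in the comments perform: observe a resolver’s outgoing query ports and see whether they vary. The probability functions show why the comment about “less vulnerable, not invulnerable” is right: adding 16 bits of port entropy multiplies the forger’s expected cost by 65536, but the residual probability per window is small rather than zero.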