Comments on: OpenDNS adopts DNSCurve

By: land in Hosur

land in Hosur — Mon, 12 Dec 2011 10:23:53 +0000

The DNS team is working hard, May god help them

By: Removals Chelsea

Removals Chelsea — Sat, 25 Jun 2011 22:37:30 +0000

I totally agree with @Paula on the aspect of DNS’s security model being outdated. Its what they bring out next that i am vigilant about. It better be more impressive and high tech than the former. Take for example airport security. The technology within needs to be re-examined in my opinion.

By: Paula

Paula — Tue, 03 May 2011 21:03:49 +0000

Yes, DNS’s security model is outdated. What it going to take to change that? Perhaps some massive security breach. Then as usually we’ll make a knee-jerk reaction.

Just like airport security, someone wears bombs on their shoes, suddenly we have to have our shoes checked. Why are we always one step behind?

By: Elaine

Elaine — Sat, 09 Apr 2011 06:18:56 +0000

Don’t worry.

It will only take one rogue script-kiddie to bring the planet to its knees. I’m guessing he’ll launch a tool but not know how far it will go. When an heir to the Philip Morris fortune launched an email virus early on, it literally crashed the Internet (or what passed for it at the time). He didn’t realize how fast it would spread or how often it would replicate.

Shortly after the damage is done, we’ll have a secure system in place. People have a history agreeing on a solution AFTER a disaster.

By: Esther

Esther — Sat, 09 Apr 2011 02:37:45 +0000

With all the security breaches in the last couple of years, it would only make sense to switch to the DNSCurve. DNS security should be a top requirement especially for businesses.

By: Steven Lee

Steven Lee — Sun, 16 Jan 2011 03:32:45 +0000

Great job!

We recently switched our entire VoIP infrastructure to support DNSCurve. It just makes sense from a security perspective.

The whole idea of someone spoofing our DNS and hijacking our customer’s calls (or spying to calls via “VoIP MITM”) just makes me feel sick.

We have been recommending DNSCurve to all of our customers and anyone who will listen to reason.

FYI: We are noticing that about 12% of our total DNS queries are using DNSCurve now. (Mostly from OpenDNS’s servers. lol!)

By: James Jamson

James Jamson — Mon, 23 Aug 2010 07:50:49 +0000

That’s really awesome and all, but what can I do as an end user?? DNScurve protects the last mile, and assuming your databases are not compromised, I’ll get to the right place. But how do I do this? I do make my PC support DNScurve?

Of course OpenDNS needs to support anti-poisoning mechanisms. For example, caching only from un-poisoned servers or using DNSsec to the root servers. A chain is only as strong as its weakest link..

By: OpenDNS, DNSCurve And You

OpenDNS, DNSCurve And You — Sun, 22 Aug 2010 14:09:34 +0000

[...] News of the decision by OpenDNS engineers to move to a DNSCurve solution, all but abandoning the DNSSEC IETF specification. OpenDNS is apparently motivated in the move by both a certain level of impatience with the foot-slogging behavior of the IETF in approving the DNSSEC spec, and a desire to provide enhanced DNS security. A snip of the post by Matthew Dempsky from OpenDNS appears after the jump. [...]

By: Why DNSSEC May Not be a Good Thing « UNIX Administratosphere

Why DNSSEC May Not be a Good Thing « UNIX Administratosphere — Sun, 08 Aug 2010 09:27:43 +0000

[...] operations; OpenDNS is one that comes immediately to mind. Indeed, OpenDNS is opposed to DNSSEC and has implemented DNSCurve [...]

By: David Robarts

David Robarts — Fri, 30 Jul 2010 16:35:53 +0000

DNSSEC = trusted DNS data from untrusted connections and servers (you can verify that the data came from an authorized source). However DNSSEC does not provide any privacy, may cause backward compatibility issues, and exposes some zone enumeration vulnerability (risk reduced by hashing).

DNSCurve = trusted connection between DNS servers (is it not possible to implement DNSCurve at the client?). Data on a DNSCurve server may be polluted if DNS data upstream was not protected by DNSCurve.

If I understand it correctly, the insecure DNS system scales well because most requests are handled by caching DNS servers – the information may have been handled by several DNS servers between the authoritative server and the client. DNSCurve is only compatible with such scaling to the extent that all upstream DNS servers are trusted. It seems like for very large zones DNSSEC is the better option for this reason; however, on smaller branches of the DNS tree, DNSCurve may provide protection with lower overhead.

As a site owner, DNSSEC seems more appealing because only upstream zone authorities need to be trusted (i.e. example.com trusts .com and the root DNS) whereas DNSCurve relies on all the servers between my server and the client (as well as all the servers between server of each upstream zone and the client).