News & Notes from the OpenDNS team

'Security' Posts

Welcome new OpenDNS users

by Allison Rhodes on Jul 31st, 2008

Lots of good came out of Dan Kaminsky’s discovery of a major vulnerability in most of the Internet’s recursive DNS servers. First and foremost, his responsible disclosures and efforts to work with every major vendor have saved us all from some serious headaches.

Since OpenDNS’s servers are not vulnerable - never were vulnerable, actually - lots of you switched to OpenDNS. That’s the second good thing. OpenDNS is absolutely the most secure DNS service available and the more SysAdmins who choose to use the service, the safer and more secure the entire Internet will be. We want to welcome all of you new OpenDNS users and say thanks for making the switch. You’ve made a good call and we’ll continue to work hard to ensure you enjoy our great service for years to come.

Since you’ve now seen the benefits of OpenDNS, we’d like to invite you to pay it forward by telling other SysAdmins and Internet users about OpenDNS. Please take a minute and use this form to tell your friends and colleagues about the benefits of making the switch. They’ll think you’re super smart for knowing about such a great service, and surely thank you.

Now, all of you new users: Check out this Getting Started task list. OpenDNS is a powerful service with all sorts of awesome features. Have you done all of the items below yet?

- Add a logo and custom message. We let you put your logo and message on the OpenDNS Guide and block pages. You can switch it up and put different messages in different places, where appropriate.

- Set up Shortcuts. No matter if you’re at home or at a large corporation, you can put Shortcuts to great use. They’re like AOL Keywords, but you control them, they’ll work across your entire network and they’re browser-independent.

- Set up Web content filtering. You’ll see in your account that OpenDNS has more than 50 categories to choose from. No appliance necessary and your filtering preferences will take effect in just a few minutes.

There are several more advanced features, too. Poke around in your Dashboard to see all that OpenDNS has to offer.

Again, welcome from the entire OpenDNS team.

7 Comments | Filed in Security, SysAdmin, DNS, General

OpenDNS – Keeping you safe day after day

by David Ulevitch, Founder on Jul 8th, 2008

A number of our users have written in today asking if OpenDNS is vulnerable to the recent multi-vendor DNS security issue disclosed today by my good friend and security researcher Dan Kaminsky.

I’m very proud to announce that we are one of the only DNS vendors / service providers that were not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered. In other words, if you used OpenDNS then you were already protected long before this attack was even discovered.

In fact, for those of you who were listening in on the Microsoft press call this morning, you’ll note that OpenDNS was suggested as the easy and simple solution for anyone who can’t upgrade their DNS infrastructure today. Pointing your DNS servers to forward requests to OpenDNS and firewalling all other DNS traffic off at your server will help mitigate this risk.

We’re going to write more about this issue in the next 24 hours to address the vulnerability in detail and explain why we aren’t affected but I wanted to get the word out now so that you know you are safe using OpenDNS.

Thanks and happy resolving… :-)

Update: Bert Hubert, author of PowerDNS, alerted me to the fact that PowerDNS was also not vulnerable when this issue was discovered. That’s not surprising considering Bert is one of the authors of the wonderful DNS forgery resilience Internet Draft that has recently been published. :-) I updated the statement in bold appropriately.

29 Comments | Filed in Security, Announcements, DNS, General

Finally, a real solution to DNS rebinding attacks

by David Ulevitch, Founder on Apr 14th, 2008

We just launched a subtle new feature for all OpenDNS account holders (it’s free) that helps protect against a class of DNS vulnerabilities known as DNS Rebinding attacks. In short, these attacks take advantage of design flaws or weaknesses in how some Internet applications (notably web browsers) cache DNS data so that internal network resources can be accessed by external servers regardless of firewall settings.

This can happen because the browser (or similarly exploitable vector) acts as a conduit between the private internal resource and the external server. In plain English this means that some bad guy on the Internet can access your home access point, wireless access point, internal file server or any other networked device on your network just by getting you to load some JavaScript on a webpage.

While this might seem like a browser issue, it’s fundamentally a DNS issue. This is why OpenDNS created what will become a new class of filtering tools called Suspicious Response Filters.

These new filters are different from the filtering options we’ve offered to date in one important way. Rather than filtering based on the DNS question being asked (e.g., “Where is foo.com?”) these filters inspect the DNS reply before we send it back to you (e.g., “Does this reply point to an internal resource?”). Like most of our features, this is an industry first. No other major DNS software or service offers anything like this.

When I started OpenDNS I often told people one of my main goals was to design a global DNS service that empowered people to let the good DNS in and keep the bad DNS out, for whatever definition of good and bad they had. This feature gets us one step closer to delivering on that promise.

The feature is turned off by default, but I encourage everyone to go into your account and turn it on. Those of you with domains that point to private address space legitimately (to your intranet, for example) should also visit the domain whitelist page and whitelist your domain. Naturally, any domain in your whitelist will not have its responses filtered in any way and will be explicitly allowed.

4 Comments | Filed in Security, Dashboard, Announcements, General
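
The reply-side check described in the post above (inspect the answer rather than the question, and exempt whitelisted domains), sketched as an added example; it is not OpenDNS's code. The address ranges treated as internal, the function names and the sample replies are assumptions made for illustration.

```python
import ipaddress

# Assumed policy for this example: address space a public name should not
# resolve to (RFC 1918, loopback, link-local, unspecified, IPv6 unique-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr_text):
    """True if an A/AAAA value falls in internal address space."""
    addr = ipaddress.ip_address(addr_text)
    # ::ffff:192.168.1.1 reaches the same host as 192.168.1.1, so unwrap it.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net
               for net in INTERNAL_NETS)

def is_whitelisted(qname, whitelist):
    """Match the name or any parent domain, ignoring case and trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))

def filter_response(qname, answers, whitelist=frozenset()):
    """answers: (rtype, rdata) pairs from the reply -> (verdict, offending)."""
    if is_whitelisted(qname, whitelist):
        return "allow", []
    bad = [rdata for rtype, rdata in answers
           if rtype in ("A", "AAAA") and is_internal(rdata)]
    return ("block", bad) if bad else ("allow", [])

# Constructed sample replies (documentation addresses and .example names).
SAMPLE_REPLIES = [
    ("www.example.com.", [("A", "93.184.216.34")]),
    ("a.untrusted.example.", [("A", "203.0.113.7"), ("A", "192.168.1.1")]),
    ("v6.untrusted.example.", [("AAAA", "::ffff:10.0.0.5")]),
    ("wiki.corp.example.", [("CNAME", "host1.corp.example."),
                            ("A", "10.20.30.40")]),
]
WHITELIST = {"corp.example"}  # intranet domain that legitimately uses RFC 1918

if __name__ == "__main__":
    for qname, answers in SAMPLE_REPLIES:
        print(qname, filter_response(qname, answers, WHITELIST))
```

A reply is blocked if any one of its address records is internal, so a mixed public/private answer set is still caught; the whitelist is evaluated first, matching the post's statement that whitelisted domains are not filtered in any way.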
