We just launched a subtle new feature for all OpenDNS account holders (it’s free) that helps protect against a class of DNS vulnerabilities known as DNS Rebinding attacks. In short, these attacks take advantage of design flaws or weaknesses in how some Internet applications (notably web browsers) cache DNS data so that internal network resources can be accessed by external servers regardless of firewall settings.

This can happen because the browser (or similarly exploitable vector) acts as a conduit between the private internal resource and the external server. In plain English this means that some bad guy on the Internet can access your home access point, wireless access point, internal file server or any other networked device on your network just by getting you to load some JavaScript on a webpage.

While this might seem like a browser issue, it’s fundamentally a DNS issue. This is why OpenDNS created what will become a new class of filtering tools called Suspicious Response Filters.

These new filters are different from the filtering options we’ve offered to date in one important way. Rather than filtering based on the DNS question being asked (e.g., “Where is foo.com?”), these filters inspect the DNS reply before we send it back to you (e.g., “Does this reply point to an internal resource?”). Like most of our features, this is an industry first. No other major DNS software or service offers anything like this.

When I started OpenDNS I often told people one of my main goals was to design a global DNS service that empowered people to let the good DNS in and keep the bad DNS out, for whatever definition of good and bad they had. This feature gets us one step closer to delivering on that promise.

The feature is turned off by default, but I encourage everyone to go into your account and turn it on. Those of you with domains that point to private address space legitimately (to your intranet, for example) should also visit the domain whitelist page and whitelist your domain. Naturally, any domain in your whitelist will not have its responses filtered in any way and will be explicitly allowed.
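
A minimal sketch of the reply-side check described above, as an added example and not OpenDNS's implementation: it flags any A/AAAA answer that lands in internal address space unless the queried domain is whitelisted. The set of ranges treated as internal, the subdomain matching rule, and all function names and sample data are assumptions.

```python
import ipaddress

# Assumed definition of "internal": RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr_text):
    """True if an A/AAAA record value points into internal address space."""
    addr = ipaddress.ip_address(addr_text)
    # ::ffff:10.0.0.5 is an IPv4 address wrapped in IPv6; unwrap before checking.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETS
               if net.version == addr.version)

def is_whitelisted(qname, whitelist):
    """Match the queried name or any parent domain (assumed matching rule)."""
    name = qname.rstrip(".").lower()
    domains = (entry.rstrip(".").lower() for entry in whitelist)
    return any(name == d or name.endswith("." + d) for d in domains)

def filter_response(qname, answers, whitelist=()):
    """Return (verdict, offending_addresses) for one DNS reply.

    answers: the address strings from the reply's A/AAAA records.
    """
    if is_whitelisted(qname, whitelist):
        return "allow", []  # whitelisted domains pass through unchecked
    offending = [a for a in answers if is_internal(a)]
    # One internal record is enough to block, even beside public records.
    return ("block" if offending else "allow"), offending

# Constructed sample replies (names and addresses are illustrative only).
SAMPLES = [
    ("www.example.com.", ["203.0.113.10"]),
    ("rebind.example.net.", ["203.0.113.10", "192.168.1.1"]),
    ("v6.example.net.", ["::ffff:10.0.0.5"]),
    ("intranet.corp.example.", ["10.20.30.40"]),
]

if __name__ == "__main__":
    for qname, answers in SAMPLES:
        print(qname, filter_response(qname, answers, whitelist=["corp.example"]))
```

The last sample shows why the whitelist matters: the same intranet answer is blocked without it and allowed with it.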

  • http://www.wackywebs.net Tom Glover

    Very good idea. I do believe that some of the fault is blamed on the browsers, but having a DNS service that blocks this issue completely is brilliant, and with nothing extra to install it is even better.

  • Terje Petersen

    Whilst it makes sense to have this as an opt-in feature for existing OpenDNS users, it would make sense to have this option turned on by default for any new accounts.

  • http://www.macmend.com macmend

    Yes, but how does this affect WAN VPNs, internal mail services, etc. that rely on internal responses?

  • http://www.opendns.com David Ulevitch


    If you add the domain of your WAN VPN or other trusted domain to your “typo exceptions” and your “whitelist domains” list then we will allow those answers to pass through as trusted and unchecked.


    Because of potential support issues like the one raised by macmend above we have decided to have the feature turned off by default for the time being. Over time as we gain confidence that it doesn’t break things, we might make it the default for new users. :-)
