A number of our users have written in today asking if OpenDNS is vulnerable to the recent multi-vendor DNS security issue disclosed today by my good friend and security researcher Dan Kaminsky.

I’m very proud to announce that we are one of the only DNS vendor / service providers that was not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered. In other words, if you used OpenDNS then you were already protected long before this attack was even discovered.

In fact, for those of you who were listening in on the Microsoft press call this morning, you’ll note that OpenDNS was suggested as the easy and simple solution for anyone who can’t upgrade their DNS infrastructure today. Pointing your DNS servers to forward requests to OpenDNS and firewalling all other DNS traffic off at your server will help mitigate this risk.

We’re going to write more about this issue in the next 24 hours to address the vulnerability in detail and explain why we aren’t affected, but I wanted to get the word out now so that you know you are safe using OpenDNS.

Thanks and happy resolving… :-)

Update: Bert Hubert, author of PowerDNS, alerted me to the fact that PowerDNS was also not vulnerable when this issue was discovered. That’s not surprising considering Bert is one of the authors of the wonderful DNS forgery resilience Internet Draft that has recently been published. :-) I updated the statement in bold appropriately.

  • http://wiki.powerdns.com bert hubert

    You weren’t the only one, David! :-)

    Bert Hubert
    PowerDNS

  • http://www.jonathanyaniv.com Jonathan Yaniv

    Absolutely awesome!! I was worried about this vulnerability but I’m happy to know that OpenDNS isn’t affected at all.

    Thanks David!

  • http://www.jonathanyaniv.com Jonathan Yaniv

    This is actually really good for OpenDNS, its anniversary is coming up soon, and what better way to celebrate than being one of the few that aren’t vulnerable, and maybe, we can get 2 million submitted domains in domain tagging before or on the day of the anniversary, it shouldn’t be hard to do, we are quite close to that big 2.0 😀

    Jonathan

  • http://www.johndball.com John Ball

    Great news indeed! OpenDNS was referenced again at DSLreports.com for those who needed a temporary workaround until one’s server could be patched.

  • http://www.technovelty.de Erik

    Out of curiosity: OpenDNS resolves all requests on its own? If not, then OpenDNS might get some forged addresses from vulnerable DNS-Servers, wouldn’t it?

    Again, I’m just nosy.

  • http://www.mattnordhoff.com/#yay-jewel Matt Nordhoff

    PowerDNS is safe? That means at least one of my web hosts is golden, then. :)

    Not that we’re compiling a list, but I’m pretty sure djbdns is safe too.

  • Pingback: The biggest security patch release in Internet history | (-) HatSecurity.com

  • saffolino

    Good job 😉

  • Mark

    It’s ironic that while OpenDNS was one of the few DNS service providers that weren’t affected, the company they use for their ads, Yahoo, not only was affected, but was still using BIND8 which was unable to be patched to fix the vulnerability.

  • http://www.opendns.com David Ulevitch

    @Mark

    Maybe they should be forwarding all DNS requests internally to OpenDNS. That’d help buy some time preventing the need to upgrade BIND versions. As an aside, the fact that we use them for ads in no way exposes OpenDNS users to any potential vulnerability. All that matters is if your recursive DNS provider is secure.

    @Matt Nordhoff

    Yes, djbdns is in the clear. We’re actually big DJB fans here (and I have been for years, even before I started EveryDNS.Net seven years ago which runs a modified tinydns codebase).

  • Pingback: Why you should use OpenDNS. | The OSM Blog

  • Ben D.

    But even if my Windows 2003 DNS server forwards all internal DNS requests to OpenDNS (which it does), what’s to prevent ‘responses’ from being spoofed?

    In other words, how does using OpenDNS protect me? Isn’t any DNS client potentially vulnerable?

    Maybe I’m not understanding the vulnerability correctly.
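Ben’s question above comes down to the matching rule every stub resolver or forwarder applies before it trusts an answer: the packet must arrive from the resolver that was queried, on the socket the query left from, with the transaction ID chosen for that query, and repeat the question that was asked. The following is an added illustration of that rule, not OpenDNS code or code from the post; the resolver address and all packets are constructed inline and nothing is sent on the network.

```python
# Added illustration (not OpenDNS code): the check a forwarder or stub resolver
# applies to an incoming DNS answer before accepting it. Packets below are
# constructed in memory; no network traffic is sent.
import secrets
import struct


def encode_name(name):
    """Encode 'www.example.com' into DNS label wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1):
    """Return (txid, wire query): random 16-bit ID, RD set, one question."""
    txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, flags, qname, qtype) from the single question section."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return txid, flags, ".".join(labels).lower(), qtype


def answer_matches(txid, name, qtype, resolver, sender, packet):
    """True only if packet answers our outstanding (txid, name, qtype) and
    came from the (ip, port) we sent the query to; anything else is dropped."""
    if sender != resolver:
        return False          # wrong source address or port
    try:
        rid, flags, qname, rtype = parse_question(packet)
    except (ValueError, IndexError, struct.error):
        return False          # malformed packet: never accept
    if not flags & 0x8000:
        return False          # QR bit clear: this is a query, not an answer
    return rid == txid and qname == name.lower() and rtype == qtype


def make_answer(txid, name, qtype=1, flags=0x8180):
    """Constructed response header plus echoed question (answer RRs omitted)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)
```

With a fixed source port, only the 16-bit transaction ID separates a genuine answer from a guessed one, which is why source-port randomization and an uncompromised upstream resolver both matter.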

  • Pingback: DNS Fool » A Big Day for DNS Security

  • Charles Sprickman

    Poor Bernstein. One of the first to write about this many years ago, but no one gives him credit or notes that:

    -dnscache was not “vulnerable”
    -all the patches that help make everything more random simply make you less vulnerable, but do not address the root cause of the problem

    http://cr.yp.to/djbdns/forgery-cost.txt

  • http://lynoure.org/blog Lynoure Braakman

    MaraDNS and Deadwood were also fine (see http://marc.info/?l=maradns-list&m=121560639013865&w=2 for more info )

  • Mike

    I am truly grateful for OpenDNS, and for the fact that it is not vulnerable to the latest DNS exploit(s).

    It gives me a great deal of peace-of-mind knowing that not only can I select entire categories of websites to block DNS-based access to, I can restrict entire top-level domains (TLDs) (for example, *.cn), which will cut out between 80 and 90% of all hacking attacks to my servers.

    I am truly grateful to OpenDNS, and to their making this service free. I will gladly pay more, if you need to beef up your servers and infrastructure, now that you’ve been “outed” (lol) by “the popular press” as one of the Internet’s very-few secure DNS facilities.

    Thank you again!

    – Mike S.
    A (Very) New OpenDNS User

  • Pingback: So, What Does This Mean? - The PuritanBoard

  • Gabriel

    AFAIK, OpenDNS and Neustar haven’t had this vulnerability from day one.

  • Tom

    I have an ActionTec GT704WG wireless router provided by my ISP, Verizon. My DNS server addresses were changed in Windows to OpenDNS, so my question is: Am I good to go or do I need a vendor patch for the router, also?

  • (Yet Another) Mark

    Couldn’t an unpatched client (like the glibc resolver) still be vulnerable to IP spoofing of OpenDNS itself? It seems unlikely, I must admit, but isn’t just as likely since AFAICT the exploit would have required spoofing at some point in the chain of events?

  • Pingback: On the Internet, How Do You Know If You Are Talking to a Dog? | Disruptive Library Technology Jester

  • http://eclipsewebjs.spaces.live.com Jeffrey S.

    You know what my computer just said after hearing about this news that OpenDNS was safe from any DNS-based attacks?

    “PHEW!!!”

  • Pingback: Killer Free Service That You’re Probably Not Using | It Does Compute

  • Pingback: Internotes − OpenDNS Blog » OpenDNS – Keeping you safe day after day

  • Pingback: Zero Day mobile edition

  • Pingback: Just use OpenDNS at MasterMaq’s Blog

  • Pingback: That Whole DNS “thing” » Solo Technology

  • Pingback: Vanvalkinburgh.org » Blog Archive » OpenDNS Blog » OpenDNS – Keeping you safe day after day

  • http://www.bruguier.com Tony Bruguier

    I am a bit confused. Even with the latest patches, the vulnerability remains:
    http://tech.slashdot.org/tech/08/08/09/123222.shtml

    One can only mitigate the problem, since the issue is a problem in the specification of the DNS protocol itself. OpenDNS probably does not use BIND, but that doesn’t matter. Actually, you probably have a custom-made program.

    I suspect you probably have a very large pipe, making you more vulnerable to poisoning. Could you expand on the protection measures that you have taken?

    Tony