Aha-we possibly have a 'chicken and egg race' here, if we're being super
paranoid. Can they check their home DNS setup using the doxpara or the
dns-oarc tools before the cache gets poisoned and they get sent to a fake
doxpara site and then can't trust anything? Lol. I suppose the best thing
would be to switch to OpenDNS anyway.
Seriously though, that's a good point. It's a similar thing to our process
of making sure their home machines aren't used to connect to our network;
why? because we can't be assured that their home machines are free of
spyware etc.
Whereas we have a greater degree of confidence with regards to their
laptops.
So, I think you're doing what I am here. Making sure they are guided as much
as possible. My interest was less for the home to work connections as it was
with just building awareness and telling them to contact their ISP if the
test comes up poor or to switch to OpenDNS as you and others have suggested.
> >-----Original Message-----
> >From: Petter Bruland [mailto:pbruland (at) fcglv (dot) com [email concealed]]
> >Sent: Tuesday, July 29, 2008 3:06 AM
> >To: Ayaz Ahmed Khan; Murda Mcloud
> >Cc: security-basics (at) securityfocus (dot) com [email concealed]
> >Subject: RE: DNS flaw for home users...
> >
> >Now for the next step, how do you get your home users to do just that?
> >
> >I only have a handful of employees who also have VPN access back to our
> >office, and I'm making my rounds to make sure they are using OpenDNS.
> >The rest were emailed a PDF with step by step instructions on how to
> >change their home router, and soon I will be getting support calls from
> >them I bet.
> >
> >** If anyone related to the OpenDNS project reads this list, thank you!!
> >**
> >
> >-Petter
> >
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> >On Behalf Of Ayaz Ahmed Khan
> >Sent: Saturday, July 26, 2008 7:55 AM
> >To: Murda Mcloud
> >Cc: security-basics (at) securityfocus (dot) com [email concealed]
> >Subject: Re: DNS flaw for home users...
> >
> >On Thu, Jul 24, 2008 at 8:42 AM, Murda Mcloud <murdamcloud (at) bigpond (dot) com [email concealed]>
> >wrote:
> >> Bit of searching netted me this on Kaminsky's site:
> >>
> >> http://www.doxpara.com/
> >> Click on the DNS checker.
> >> Also here:
> >> https://www.dns-oarc.net/
> >>
> >> the second one gives pretty graphs.
> >>
> >
> >Home users whose ISPs have not patched the DNS servers/resolvers should
> >consider using DNS servers that are already patched. OpenDNS is one of
> >them.
> >
> >--
> >Ayaz Ahmed Khan
> >
> >"I'm returning this note to you, instead of your paper, because it (your
> >paper) presently occupies the bottom of my bird cage."
> > -- English Professor, Providence College
paranoid. Can they check their home DNS setup using the doxpara or the
dns-oarc tools before the cache gets poisoned and they get sent to a fake
doxpara site and then can't trust anything? Lol. I suppose the best thing
would be to switch to OpenDNS anyway.
Seriously though, that's a good point. It's a similar thing to our process
of making sure their home machines aren't used to connect to our network;
why? because we can't be assured that their home machines are free of
spyware etc.
Whereas we have a greater degree of confidence with regards to their
laptops.
So, I think you're doing what I am here. Making sure they are guided as much
as possible. My interest was less for the home to work connections as it was
with just building awareness and telling them to contact their ISP if the
test comes up poor or to switch to OpenDNS as you and others have suggested.
> >-----Original Message-----
> >From: Petter Bruland [mailto:pbruland (at) fcglv (dot) com [email concealed]]
> >Sent: Tuesday, July 29, 2008 3:06 AM
> >To: Ayaz Ahmed Khan; Murda Mcloud
> >Cc: security-basics (at) securityfocus (dot) com [email concealed]
> >Subject: RE: DNS flaw for home users...
> >
> >Now for the next step, how do you get your home users to do just that?
> >
> >I only have a handful of employees who also have VPN access back to our
> >office, and I'm making my rounds to make sure they are using OpenDNS.
> >The rest were emailed a PDF with step by step instructions on how to
> >change their home router, and soon I will be getting support calls from
> >them I bet.
> >
> >** If anyone related to the OpenDNS project reads this list, thank you!!
> >**
> >
> >-Petter
> >
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> >On Behalf Of Ayaz Ahmed Khan
> >Sent: Saturday, July 26, 2008 7:55 AM
> >To: Murda Mcloud
> >Cc: security-basics (at) securityfocus (dot) com [email concealed]
> >Subject: Re: DNS flaw for home users...
> >
> >On Thu, Jul 24, 2008 at 8:42 AM, Murda Mcloud <murdamcloud (at) bigpond (dot) com [email concealed]>
> >wrote:
> >> Bit of searching netted me this on Kaminsky's site:
> >>
> >> http://www.doxpara.com/
> >> Click on the DNS checker.
> >> Also here:
> >> https://www.dns-oarc.net/
> >>
> >> the second one gives pretty graphs.
> >>
> >
> >Home users whose ISPs have not patched the DNS servers/resolvers should
> >consider using DNS servers that are already patched. OpenDNS is one of
> >them.
> >
> >--
> >Ayaz Ahmed Khan
> >
> >"I'm returning this note to you, instead of your paper, because it (your
> >paper) presently occupies the bottom of my bird cage."
> > -- English Professor, Providence College
[ reply ]