Best DNS choice for a financial institution?
-
I work at a financial institution and am currently the only sysadmin here. I'm still green and learning as I go.
I've been working to improve security by cleaning up firewall access rules and other things. One thing I did recently was switch our DNS from the ISP provided addresses to OpenDNS's servers. I just made the change but then I had the thought, is this ok to do? Is this secure?Does anyone know if it's wise for me to use OpenDNS or if I should look into any other DNS options? Any input is welcome.
-
I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.
-
@coliver said in Best DNS choice for a financial institution?:
I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.
Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.
-
@dave247 said in Best DNS choice for a financial institution?:
@coliver said in Best DNS choice for a financial institution?:
I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.
Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.
They do no such thing.
-
@dave247 said in Best DNS choice for a financial institution?:
@coliver said in Best DNS choice for a financial institution?:
I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.
Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.
Not that I'm aware. IIRC they are just a DNS service unless you buy into Umbrella.
-
@dave247 OpenDNS is just fine to use, like the other major DNS providers they will probably be a step up from your ISP provided service.
What they don't do is filtering of any kind unless you add a paid service on. I've started running my own DNS server now that does block known advertising IP addresses called Pi-Hole (Yes, I've seen many names that are better.)
-
OpenDNS is part of Cisco. Far better than using your ISP.
-
@travisdh1 said in Best DNS choice for a financial institution?:
@dave247 OpenDNS is just fine to use, like the other major DNS providers they will probably be a step up from your ISP provided service.
What they don't do is filtering of any kind unless you add a paid service on. I've started running my own DNS server now that does block known advertising IP addresses called Pi-Hole (Yes, I've seen many names that are better.)
Ah yes, that really makes sense now that you mention it.
-
@jaredbusch said in Best DNS choice for a financial institution?:
@dave247 said in Best DNS choice for a financial institution?:
@coliver said in Best DNS choice for a financial institution?:
I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.
Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.
They do no such thing.
Not really helpful.
-
@dave247 What Jared was noting is that they do not block sites or spam just because you use their DNS. You need to use OpenDNS with Content Filtering and enforce your clients to use their DNS or force all DNS queries on your firewall to go through the OpenDNS to maintain the content filtering.
-
@jaredbusch said in Best DNS choice for a financial institution?:
@dave247 said in Best DNS choice for a financial institution?:
@coliver said in Best DNS choice for a financial institution?:
I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.
Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.
They do no such thing.
How would you classify this functionality then?
-
@danp said in Best DNS choice for a financial institution?:
@jaredbusch said in Best DNS choice for a financial institution?:
@dave247 said in Best DNS choice for a financial institution?:
@coliver said in Best DNS choice for a financial institution?:
I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.
Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.
They do no such thing.
How would you classify this functionality then?
is that in the free service?
-
@dashrender Yes it is.
-
@danp That only blocks access to sites from internal to external not viceversa.
-
@dbeato Not sure I understand your point. Noone ever claimed that it was a firewall.
-
@dashrender said in Best DNS choice for a financial institution?:
@danp said in Best DNS choice for a financial institution?:
@jaredbusch said in Best DNS choice for a financial institution?:
@dave247 said in Best DNS choice for a financial institution?:
@coliver said in Best DNS choice for a financial institution?:
I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.
Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.
They do no such thing.
How would you classify this functionality then?
is that in the free service?
This is really all I was going for.. better than nothing
-
OpenDNS is good. Or just use Google, it's not bad.
-
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
-
@travisdh1 said in Best DNS choice for a financial institution?:
@dave247 OpenDNS is just fine to use, like the other major DNS providers they will probably be a step up from your ISP provided service.
What they don't do is filtering of any kind unless you add a paid service on. I've started running my own DNS server now that does block known advertising IP addresses called Pi-Hole (Yes, I've seen many names that are better.)
I like Pi-hole because they tell advertisers to shut their piehole.
-
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
IIRC the filtering was free for home use only.
-
@penguinwrangler said in Best DNS choice for a financial institution?:
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
IIRC the filtering was free for home use only.
https://www.opendns.com/home-internet-security/
That looks to be right. They offer a free tier for home use.
-
@penguinwrangler said in Best DNS choice for a financial institution?:
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
IIRC the filtering was free for home use only.
Has that always been the case or did this change with the purchase by Cisco?
-
It's always been that way. Not that it's stopped anyone from using it anyway. I 2nd local Pi-hole installation. Add OpenDNS on top and you have a nice extra layer of filtering.
-
I just reverted my DNS settings to what they were before. Screw it.
-
@dave247 Why? ISP DNS servers are the worst thing you can pick. If you don't want to mess with OpenDNS, go with Google servers.
-
@marcinozga said in Best DNS choice for a financial institution?:
It's always been that way. Not that it's stopped anyone from using it anyway. I 2nd local Pi-hole installation. Add OpenDNS on top and you have a nice extra layer of filtering.
Actually, it was free for business at one time.
-
That's 5 years ago, probably before I even bothered with DNS filtering. Squid used to do the job before. HTTPS everywhere changed all that.
-
@marcinozga said in Best DNS choice for a financial institution?:
@dave247 Why? ISP DNS servers are the worst thing you can pick. If you don't want to mess with OpenDNS, go with Google servers.
Got any good info to back that statement up? I'm not saying I don't believe you, but I've always just heard that via word of mouth.. not sure if it's really true or not
-
@dave247 said in Best DNS choice for a financial institution?:
I just reverted my DNS settings to what they were before. Screw it.
That's the one thing I would not do. If you are concerned about speed or security, you never use ISP DNS. That's been a best practice for over a decade (since the advent of free, enterprise DNS options like Google.) The one option that should never get considered is ISP DNS.
-
@marcinozga said in Best DNS choice for a financial institution?:
@dave247 Why? ISP DNS servers are the worst thing you can pick. If you don't want to mess with OpenDNS, go with Google servers.
Exactly.
