OpenDNS malware protection

Started by Cale Stultz, July 11, 2011, 02:39:08 PM

Previous topic - Next topic

0 Members and 6 Guests are viewing this topic.

Cale Stultz

Received and email from OpenDNS today announcing that they were offering protection from malware at the IP address level.  They say they can stop malware from getting to my workstations. 

Has anyone used them for this and if so what has been your experience?  The price seems right and since in the past three months I've had to spend hours creating new profiles for a couple of users who got hit, we are thinking of using them.
Cale Stultz
White Insurance Agency
Black Mountain NC
25 users; 2003 server; Vista business; Fax@vantage 7.2; TAM 10.4

Bloody Jack Kidd

stopping by hostname is their strong suit - blocking by ip I would imagine is going to require some type of agent or proxy.

I'm not sure of their pricing structure, but you can do quiet well with your own DNS blackhole.
Sysadmin - Parallel42

Jason@KiteTech

Quote from: Bloody Jack Kidd on July 11, 2011, 10:34:59 PM
stopping by hostname is their strong suit - blocking by ip I would imagine is going to require some type of agent or proxy.


They could simply poison the routes of known bad IP's, so they don't hop anywhere.
Jason Gobbel

The Kite Technology Group

Mark

Quote from: Bloody Jack Kidd on July 11, 2011, 10:34:59 PM
stopping by hostname is their strong suit - blocking by ip I would imagine is going to require some type of agent or proxy.

I'm not sure of their pricing structure, but you can do quiet well with your own DNS blackhole.

I have seen OpenDNS block by IP.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bloody Jack Kidd

I've have to run wireshark to verify, but it's possible that a browser trying to go to http://123.123.123.123 generates a PTR lookup - then OpenDNS can do something.  But a piece of malware trying to connect to a CNC at 123.123.123.123 may not generate DNS activity, which negates a DNS safety feature.
Sysadmin - Parallel42

Mark

Quote from: Bloody Jack Kidd on September 06, 2011, 10:02:18 AM
I've have to run wireshark to verify, but it's possible that a browser trying to go to http://123.123.123.123 generates a PTR lookup - then OpenDNS can do something.  But a piece of malware trying to connect to a CNC at 123.123.123.123 may not generate DNS activity, which negates a DNS safety feature.

Trust me, I was furiously confused when it happened to me.  I was specifically trying to walk past the Free OpenDNS filtering that *I* setup! lol  I was also getting annoyed that they kept sending me stuff about how great their paid service is and I thought it was laughable because it was *so easy to bypass*.

I didn't spend too much time on it, but I wasn't able to view what I wanted by IP.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security