lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 2 Aug 2010 15:53:45 -0700
From: bk <chort0@...il.com>
To: "Paulo Cesar Breim (PCB)" <paulo@...im.com.br>,
	full-disclosure@...ts.grok.org.uk
Subject: Re: OpenDNS is acting improperly !!!


On Aug 2, 2010, at 7:59 AM, Paulo Cesar Breim (PCB) wrote:

> Are you OpenDNS partner ?
> 
> I am telling about a security problem. You are so stupid to understand.
> 
> 
> On 02/08/2010, at 11:47, bk wrote:
> 
>> On Jul 31, 2010, at 10:03 AM, Paulo Cesar Breim (PCB) wrote:
>> 
>>> NSLookup has the same problem. Always return opendns IP.
>>> 
>>> paulo
>> 
>> 
>> Quit being so dense:  http://www.opendns.com/solutions/household/guide/ -- While you're at it, read up on how DNS works.
>> 
>> If you don't like that, don't use OpenDNS.  This has been known for years.
>> 
>> --
>> chort
> 

a) Stop top-posting, it destroys the thread

b) It's not a security issue, that's how it's designed to work.  How else are they going to "correct" typos, make suggestions, and block "bad" sites all just through DNS?

Personally I don't like how their service changes responses, and I'm smart enough to know how to setup my own DNS servers safely, so I don't use OpenDNS.  I also tell all my corporate customers not to use it for their servers due to afore-mentioned issues.  Just because I don't like how it works doesn't make it a "security problem".

So once again my advice is:

a)  Don't use it if you don't like it

b)  Learn how DNS works.  "ping" is not a DNS utility.  Except for very few edge cases, anything that makes a DNS resolution call (ping, dig, nslookup, host, telnet, curl, whatever) are all going to get the same results (um, that's what DNS is designed to do), so posting follow-ups such as "dig has the same problem" only prove you're too dumb to understand DNS.

Next you're going to claim every MTA is insecure because they allow you to send an e-mail with a different "From: header" sender than the "MAIL FROM" envelope sender.

--
chort
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ