First off, I set up ALL my clients' routers and my own router to use OpenDNS as the DNS. Doing this alone will allow OpenDNS to block known phishing sites. You can test it by browsing this site after changing the DNS:
http://internetbadbuys.com
If it's blocked, you'll be forwarded to an OpenDNS page that informs you the site was blocked.
I've been using the free personal version for filtering a couple of my clients' offices. Before data phones became common, the girls in the front office would browse Facebook and check their personal email on the PCs during the day and wind up with all kinds of malware on them.
You still set up OpenDNS as the default DNS for the whole network, but you also set up an account and OpenDNS needs to know your IP. If you don't have a static IP, you have to install a small IP pinger app on one of the office PCs that just updates your IP with OpenDNS daily (same app, essentially, that Dynamic DNS services use).
From the control panel you can do general filtering by category (e.g., social networks, classifieds, dating) or specifically whitelist or blacklist a domain.
You also get some basic stats.
This is adequate for a small office (which these are - less than 10 users). The office manager at each office has the OpenDNS login so they can whitelist any domains they need that are getting blocked by the general categories.
It probably violates the terms of service to use it at an office because you're supposed to use it for personal (home) use, but I know lots of offices that use it.
Your office sounds a bit too big for this, but there is a small business enterprise version that has a fee, and probably gives you a lot more features:
https://www.opendns.com/enterprise-secu ... tions/smb/
No idea how much it costs, but I'd price it out yourself first to see how much of a markup that company is getting. No reason you couldn't easily deploy this yourself since you're there to administer it. The biggest hassle is whitelisting. That will be a headache for the first few weeks and then it'll settle down.
The other hassle is that I GUARANTEE that the partners and office manager (if you have one) will want unfiltered access (or they will the first time one of them can't get on a sketchy website they want to get on) and you'll have to exclude them from the filtering. They're usually the worst people to give unfettered access to. LOL! That's where the enterprise version might let you give the honchos a little more freedom than the peons, and still block some of the nastiest stuff.
I would assume there's a lot more detailed control in the enterprise version. The personal version is a blanket filter on the whole office - you can't do filters for individual workstations. I bet the enterprise does. You probably get a lot more detailed stats too.
Just keep in mind that anyone who's a techie can easily bypass it. When I have to sit down at a workstation that's using it, and it blocks me from downloading a utility from MajorGeeks.com (it's blocked as a "download site"), all I do is change that workstation's DNS temporarily to use Google's DNS servers, and then I change it back when I'm done. Most people aren't that knowledgeable though.
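An added example, not part of the original post: one way to spot the bypass described above is to scan the router's forwarding log for DNS traffic going anywhere other than the OpenDNS resolvers. The log format, the hostname `gw`, the sample lines and the function name `find_dns_bypass` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# OpenDNS public resolvers; DNS sent to anything else bypasses the filter.
ALLOWED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample lines in an iptables-LOG-like format (an assumption;
# adapt the regex to whatever the office router actually emits).
SAMPLE_LOG = """\
Mar 03 09:14:02 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.21 DST=208.67.222.222 PROTO=UDP SPT=51514 DPT=53
Mar 03 09:14:40 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.34 DST=8.8.8.8 PROTO=UDP SPT=50211 DPT=53
Mar 03 09:15:07 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.34 DST=8.8.4.4 PROTO=TCP SPT=50219 DPT=53
Mar 03 09:15:30 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.21 DST=93.184.216.34 PROTO=TCP SPT=40122 DPT=443
Mar 03 09:16:12 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=208.67.220.220 PROTO=UDP SPT=33121 DPT=53
this line is truncated SRC=192.168.1.99
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def find_dns_bypass(log_text, allowed=ALLOWED_RESOLVERS):
    """Return {workstation_ip: sorted list of unapproved resolvers it queried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
            continue  # malformed or unrelated line
        if fields["DPT"] != "53" or fields["PROTO"] not in ("UDP", "TCP"):
            continue  # not plain DNS
        if fields["DST"] not in allowed:
            hits[fields["SRC"]].add(fields["DST"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, resolvers in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{src} sent DNS to unapproved resolver(s): {', '.join(resolvers)}")
```

This only sees plain DNS on port 53; DNS over HTTPS or TLS will not show up in it. A router rule that drops outbound port 53 to anything except the two OpenDNS addresses closes the plain-DNS bypass instead of just reporting it.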