Open DNS

Discussion in 'other software & services' started by Rico, Oct 14, 2006.

Thread Status:
Not open for further replies.
  1. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Then you'd have to point your TCP/IP settings to query the router for DNS (i.e. plug in your router's IP address as a DNS server), otherwise it won't do so.
     
  2. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    That is correct, I assumed that the DHCP service of the router is used. ;)
    If you want to test OpenDNS on one computer, you could modify the IP settings for that computer.
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
  4. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I am using OpenDNS right now :D The internet seems much snappier, which is nice. I also like the spell check and phishing protection. Another nice feature is the fact that all I had to do was change my router's DNS settings, but that is because it runs Linux ;)

    Alphalutra1
     
  5. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    That's not a feature of OpenDNS, and it's not because you use Linux. I just installed Ubuntu and had no DNS until I plugged in my router's IP address--probably because I don't use DHCP. With DHCP, I'd expect it to "just work" on Windows or Linux.
     
  6. herbalist

    herbalist Guest

    For me, the results are somewhat variable. Using my ISP's DNS, I often have a 1-2 second hesitation before the webpage begins to open. This is the case over half the time. With Open DNS, I'm rarely seeing that hesitation. While I haven't tried to actually measure the difference, on average I'd estimate I'm getting pages opened at least a full second faster, often closer to 2 seconds. Getting the same results with both Ubuntu and Win98. For me, the question is not so much whether Open DNS is that fast, but whether my ISP's DNS is that slow. Even when I was on dialup, I didn't have that initial hesitation before the page started to load.
    Rick
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Normally yes - indeed if a request exceeds one packet DNS should use TCP for it instead.
    UDP can be used for secure communications provided the application is prepared to do all the work normally done by TCP (splitting data into packets, marking each packet with a connection ID, verifying that packets have arrived at their destination, adjusting transmission rate to match network capacity) and SSL (exchange of public keys, verifying keys with a certificate authority, generating session keys and encrypting data), but it is designed for speed rather than reliability, so it would not be a good choice.

    An encrypted secure channel would require the facilities offered by TCP and SSL so it is unlikely that a bespoke "Secure UDP" implementation would offer any major performance advantages.
    Tor does not handle ICMP or UDP ruling out pings and DNS lookups from the command line (along with a number of DoS/DDoS techniques). Almost any application using TCP (the vast majority) should be able to be routed via Tor by Socksifying it but please don't try pushing Windows Updates (or other bandwidth-intensive applications) through it (see here for why).
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you Paranoid2000 for the excellent explanations and packetizing them so I can understand. :)

    If I may ask one (okay, four :) ) more questions on this subject...

    DNS is on UDP, so how are TOR (and SSH) proxy clients able to forward these DNS (UDP) requests generated by the browser through the secure connection?
    Normally, when the browser is not set up to proxy, the DNS requests are handed off to svchost.
    Is the normal (non-proxy) DNS request from browser to svchost handled via SOCKS or some other form of direct communication with svchost?

    Could a similar connection to OpenDNS (via SOCKS5) be set up if they offered such a Secure SOCKS DNS Service?
    Such a setup might even work on the TOR exit nodes so the DNS lookups would be secure end to end. No DNS leaks.
    The secure tunnel would only need to be established at the startup of the TOR server, then DNS requests would pass through the tunnel.
    Would the performance in this case still be a killer?
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    They don't - just passing the web page HTTP request through to the other end and letting that handle the IP address lookup is almost surely how they do it.
    This applies if you have the DNS Client Service running in Windows - shut this down and future DNS requests will be done by the application itself. This is a good security measure in that it allows you to use a firewall to control DNS access on a per-application basis (plus the DNS Client Service can cause delays if you have a large Hosts file).
    In the case of anonymising proxies like JAP and Tor, web traffic should not need DNS requests to be passed through - the exit node can handle any DNS lookups needed (this means that you would not benefit from OpenDNS while using JAP/Tor unless the exit node was also using it). This means that DNS leaking should be a non-issue unless your browser was incorrectly set up.

    The only case where sending DNS requests through JAP/Tor might make sense would be if you had an application that did its own DNS requests, e.g. a personal firewall looking up connection details for logging purposes. In such cases, there is currently no way to route such requests via Tor (and there is unlikely to ever be one, given the abuse it could be put to) so if you are concerned about your ISP being able to track you in this way (whether it is a possibility depends on the firewall in question), then disabling such a feature would be the best option.
     
  10. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  11. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I was joking about the Linux part and all, but some routers do not have the function of serving as the default DNS server. Through DHCP, they send the information to the client that the router is the default DNS server, and the router then is in charge of contacting the ISP's DNS addresses that it has been given. However, by using static IP addresses, the client has to provide the information themselves, to either be the router if it supports it, or the ISP's actual DNS addresses. Either will work.

    Cheers,

    Alphalutra1
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    That is exactly how they do it.
    With your help and this Wiki: Microsoft DNS I think I understand now. :thumb:
    The key part was this:
    So the DNS Lookup Client is actually a dll that the browser uses to do the lookup.
    Also interesting that it mentions over UDP or TCP. That statement leaves the door open to the possibility of TCP DNS communication.

    Thank you.
    The Wiki also explains how the DNS Lookup Client (DNSAPI.DLL) will hand off the DNS request to the DNS Client Service/DNSCACHE (DNSRSLVR.DLL) (if running), which then does the actual lookup and passes the info back to the browser.
    But because the DNS Client Service runs from a DLL, it needs SvcHost.exe in order to run as a service.
    That's why it appears that svchost is doing the lookups which then passes the DNS reply back to the application.

    I see, the DNS leaking happens on the client computer due to misconfiguration. I misused the term DNS Leaks.

    What I meant to suggest was that it might be possible to create a secure DNS server where no DNS requests/replies travel in the clear at any point.
    This would mean that the TOR exit node would maintain a SOCKS5 connection with OpenDNS (if they offered this service) and pass the DNS request/reply through to the (currently non-existent) Secure OpenDNS service.
    This SOCKS5 connection would certainly add some delay, but the SOCKS5 connection would not have to be constantly established/broken for each DNS request, it could be constantly connected during the TOR server session. Whether this delay would still be a killer, I don't know.

    The Wiki article alluded to the possibility of DNS over TCP.
    The purpose would be a secure DNS lookup all the way from the client computer to the DNS server on a TOR network.
    OpenDNS currently does not offer such a DNS over SOCKS service.
    Even if they never offer this type of service, the DNS education was very valuable.

    Thank you! :) :cool:

    P.S. I would still like to know if you think the delay would still be a killer, but that would be another question. :D
     
  13. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks for the packet sniffer info iceni60 :)

    I've used Ethereal (now called Wireshark) in the past a little.
     
  14. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,287
    Location:
    Canada
    Hi Guys,

    If you've changed to OpenDNS, & you have a router, you should also change the DNS there as well. In my Netgear router, after logging on to the router, at:

    Basic Settings

    Use These DNS Servers <enter the values for primary & secondary>

    208.67.222.222
    208.67.220.220

    <apply> wait for the update & you're done!

    Take Care
    rico
     
  15. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
  16. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Only today I learned about this DNS server, and it seems a great idea to improve the DNS requests...

    Until now it is working very well on my home router...

    I already tried TreeWalk several times in the past without much success, because sometimes it starts to use 100% of CPU when your connection goes down and restarts...
    Didn't like its support either...
     
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
  18. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Pinged 17 ms

    Pinged my ISP DNS 9 ms

    Gerard
     
  19. Birdman

    Birdman Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    571
    Where do you go to test your "ping?"

    Also is a lower # better in a test result?

    Thanks.
     
  20. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    http://en.wikipedia.org/wiki/Ping - the lower, the better, 0 is ideal.

    Start - cmd - enter - ping 208.67.222.222 - enter - you will get 0 ms. ;)
    Though I used SIW (screen), because my win refuses to ping (permissions).

    But I just read that pinging the DNS server does not matter, because it is about how fast the Open DNS server can get a response vs the current DNS, so it is better to try it. I will as soon as I can.
     
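    The point made in the post above (query response time, not ICMP ping, is what to compare) and the "DNS over TCP" framing mentioned earlier in the thread, as an added example that is not from any poster: it builds a standard A query, shows the 2-byte length prefix TCP uses, parses the answer from a constructed sample response (the 192.0.2.1 address is a documentation address, not a real answer), and times one UDP round trip to a resolver of your choice.

```python
import socket, struct, time
def build_query(name, txid=0x1234):
    # Recursive A query in RFC 1035 wire format; this is the whole UDP payload.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD bit set
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def tcp_frame(message):
    # DNS over TCP carries the same message behind a 2-byte big-endian length.
    return struct.pack(">H", len(message)) + message

def _skip_name(msg, off):
    # Advance past a (possibly compressed) name and return the offset after it.
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += msg[off] + 1
    return off + 2  # compression pointer: two bytes, ends the name

def parse_a_records(msg, txid):
    # Return the IPv4 strings in the answer section; reject a foreign transaction id.
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

def time_query(server, name, timeout=2.0):
    # Milliseconds for one UDP query/response round trip, plus the answers returned.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return (time.perf_counter() - start) * 1000, parse_a_records(data, 0x1234)

# Constructed sample response to build_query("example.com"); not captured traffic.
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)  # question section
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))  # A RR
```

    Run `time_query("208.67.222.222", "example.com")` against the resolver from the thread and the same call against your ISP's resolver to compare the figures that actually matter, remembering that the second query for a name is usually answered from the resolver's cache.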
  21. Arup

    Arup Guest

    Tried using both. I live in India; Treewalk works flawlessly on my 2K and XP64 without any hitches. Open DNS couldn't match TW's performance; maybe if they move a server close by things might improve, but I doubt it will match TW, as it's using your own machine for DNS.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    I just started to use OpenDNS, everything seems to be a bit faster, cool. :)
     
  23. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I've been using it for about 1 month, and until now everything works very well...
     
  24. Security Freak

    Security Freak Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    83
    Very nice read and lesson, made this classic a sticky :thumb:
     
  25. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    For uncached DNS requests, TreeWalk still has to contact a remote DNS server, which may or may not be faster than OpenDNS.
     