Force Google SafeSearch with a button

Posted May 20, 2015 by David Redekop to DNS Feature

We love that Google has made the SafeSearch option enforceable at the network level. For their details, see:

https://support.google.com/websearch/answer/186669?hl=en

This feature is enabled with a simple profile management button. In addition, all DNS queries are policy-enforced, which means that any device attempting to use alternate DNS servers continues to get policy-enforced answers.


OpenDNS Updater now supported

Posted June 27, 2014 by David Redekop to DNS

As a DNSthingy subscriber, you can now consolidate DynDNS and OpenDNS updater onto your on-premise DNSthingy device by utilizing this feature on your dashboard:

[Screenshot: DNSthingy OpenDNS Updater, full-screen view]

This is what the OpenDNS area looks like in more detail:

[Screenshot: DNSthingy OpenDNS Updater, detail view]

Enjoy your “updater” consolidation on your dynamic public IP networks!

This should simplify the updates from various devices and services we all use. We should note that the update is called from our controller, not from any software on your device. We use the first public IP that the device finds on its outbound traffic to update OpenDNS.

How to avoid DNS-based profiling

Posted June 3, 2014 by David Redekop to DNS

Please forgive the NerdSpeak in this article in advance. Nevertheless, I encourage you to read on, get informed and learn about the Domain Name System (DNS). It is as critical to the Internet as your arteries are to your body.

DNS as a fundamental building block of the Internet leaves numerous “breadcrumbs” behind as you use Internet services. This has largely been off anyone’s radar. For one thing, Google has earned a tremendous degree of trust in their brand, so when they launched a fast open resolver about five years ago, the world adopted it very quickly.

However, their public DNS resolver is completely void of any privacy policy. This leaves them open to sharing this data with 3-letter government agencies without violating any terms of service. To be clear, nobody is accusing them of doing this, including us. They have rightfully earned their trust, but we should all be aware of what the possibilities are.

Let’s take a step back. DNS is basically finding out where www.something.com lives. Computers can only understand numbers, but we humans like to use letters and words, so DNS has been likened to the world’s largest dynamically-updated “phone book of the Internet”. It is almost magical that this is even possible!

Typically, your upstream DNS provider is one of these:

  1. Your ISP-provided DNS server(s). This happens by virtue of setting up your ISP-provided router, or using a router with default settings.
  2. Google DNS (8.8.8.8 and 8.8.4.4). If your tech-inclined self or nerdy friend set this up for you, this is a very common choice. Google uses anycast to get as close to you as they can.
  3. OpenDNS – either FamilyShield, OpenDNS or Umbrella (208.67.22x.xxx). This is one of our favourite ways to filter because of the great groundwork laid by the cool people at OpenDNS. OpenDNS also uses anycast to be virtually everywhere.

These are not the only options, but the most common ones. In a scenario where you’re using a DNS-based geo-unblock service of some kind, your upstream provider is your subscription DNS proxy.

In each of these cases, 100% of your queries are sent to the DNS provider. This allows them to profile you and know if you are an Evernote user, a Gmail user, if you browse or buy your travel from Expedia, etc. You may not care, but you should at least be aware.

In each of the above cases, you should understand the business motives behind them to better assess where you feel more comfortable given your situation.

Google’s biggest reason for ever providing an open resolver (8.8.8.8 and 8.8.4.4) is that it gave them instantaneous and almost-free access to extensive profiling on a per-IP basis they didn’t have before. For example, if you use Google DNS and you’re an active eBay user and never even use Google for search, they have a tremendous profile on you based on the number of times ebay.com is visited and even the number of times you access PayPal.

Now that we’ve covered how these “breadcrumbs” leave a trail, let’s discuss how you can avoid such profiling, if that is a concern to you.

In the interest of full disclosure, one of these options is to use our DNSthingy services. What else do you expect from a company blog, right? Anyhow, here are our transparent reasons:

  1. We have a published privacy policy.
  2. We provide as many on-premise DNS resolutions as possible on a cached basis. This means fewer queries that leave “breadcrumbs”.
  3. We never centrally log DNS queries, except in cases where you temporarily opt-in for support purposes.
  4. We distribute DNS queries based on your needs and DNSthingy preferences.
  5. You choose your resolver of last resort. This is the DNS server that is used if none of the filtering applies to a given query.

There is an alternate method to avoid DNS-based profiling by a single upstream resolver: run a recursive resolver yourself, one that does not use a forwarder. BIND can do this on just about any platform, as can the DNS Server that is built into any Windows Server operating system. It is worth mentioning, though, that a man-in-the-middle between you and the Internet could still profile you, but it would not be done on a mass basis like an upstream resolver would.
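To make the forwarder distinction concrete, here is an added example (not DNSthingy's or ISC's code) that audits BIND `named.conf` text and reports whether the resolver hands its cache misses to a single upstream. Both sample configurations are constructed for illustration, and the check is a simplified pattern match, not a full `named.conf` parser:

```python
import re

# Constructed sample: every cache miss goes to one provider (the profiling case).
FORWARDING_CONF = """
options {
    directory "/var/named";
    recursion yes;
    forwarders { 8.8.8.8; 8.8.4.4; };   // all queries go upstream
    forward only;
};
"""

# Constructed sample: the resolver recurses from the root itself, no forwarder.
RECURSIVE_CONF = """
options {
    directory "/var/named";
    recursion yes;
    // forwarders { 8.8.8.8; };  left commented out on purpose
    forwarders { };
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
};
"""

def strip_comments(text):
    """Remove the /* */, // and # comment styles that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def upstream_exposure(conf):
    """Return (mode, forwarders) describing where cache misses are sent."""
    body = strip_comments(conf)
    forwarders = [addr.strip()
                  for block in re.findall(r"\bforwarders\s*\{([^}]*)\}", body)
                  for addr in block.split(";") if addr.strip()]
    match = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    recursion = match is None or match.group(1) == "yes"  # BIND default: yes
    if forwarders:
        mode = "forwarding"          # one upstream sees every uncached name
    elif recursion:
        mode = "recursive"           # queries are spread over authoritative servers
    else:
        mode = "authoritative-only"  # this server resolves nothing for clients
    return mode, forwarders

if __name__ == "__main__":
    for label, conf in (("forwarding", FORWARDING_CONF), ("recursive", RECURSIVE_CONF)):
        print(label, "->", upstream_exposure(conf))
```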

As with any privacy and confidentiality issues, awareness is always the first step to better safety online.