OpenDNS for Network Security

Video Statistics and Information

Captions
Hello again. As you know, I'm Eli the Computer Guy over here for EverymanIT.com, and today's class is OpenDNS for network security. So, like we talked about before in the hacking DNS, DNS, or domain name services, are an integral part of all networking for computers. So what DNS does is DNS maps what are called fully qualified domain names to IP addresses. So when you go to cnn.com, your computer talks to a DNS server. That DNS server says cnn.com is at IP address 208.55.66.4. Your computer then goes to 208.55.66.4. It does not go to cnn.com; it goes to that IP address.

So what makes DNS very powerful is that if you can compromise the DNS servers, you can redirect users to whatever website that you want them to go to. So if you can make their computer go to your DNS server, if you're trying to hack their computer, if they type in google.com you can have them go to some sex or some porn sites. So instead of going to the IP address for google.com, you would send them to the IP address of a porn site.

Well, what OpenDNS allows you to do is, instead of compromising, instead of attacking the computers on the network, what you can do is if somebody types in the domain name, let's say www.sex.com, OpenDNS will redirect them to an IP address of the OpenDNS server, which will present them with a website that says, "Ah, you're blocked, you cannot go any further." So if people on your network are trying to go to sex.com, anal but rape com, you know, anything like that, you can prevent them from going, because when their computer tries to get the IP address for the domain name, the IP address that they will get will be an incorrect one. It will send them to the OpenDNS servers versus, you know, anal but rape servers.

The other thing that's very nice with OpenDNS is not only can it help protect your computers on the network from people, I say, going to porn sites or virus sites or any of that, but it also allows you to block your users from going to any number of other websites. If you do not want your employees going to facebook.com, eurocom, myspace.com, you can actually go into the OpenDNS control panel and block those websites. So OpenDNS not only secures you from things like viruses and such, but it can also help secure your internal network from, you know, all your employees going out to facebook.com. You know, you're paying them 15, 20 bucks an hour; it would be really nice if they did their job versus, you know, Facebook and all that.

Not only that, but what makes the DNS so powerful as a security process is this is not simply your web browser blocking certain sites. This is not that Firefox blocks you from going to a website, or that, you know, you have some filter in Internet Explorer or Google Chrome. This works at the network layer of your operating system. So not only can you not go to the website, you know, sex.com, through Internet Explorer or Firefox or Chrome, but also if you even try to do a ping command, the ping command will return the different IP addresses, so you won't be going out.

Why this is important is because many of the viruses and many of the malware that infect your computer try to do something called phoning home. What phoning home is, is once your computer is infected with viruses, it then tries to go out and communicate with servers on the Internet to pull in more viruses. So getting infected with one virus isn't always that bad; the problem is that one virus will then go out to servers on the internet and then keep pulling more and more and more and more and more viruses. So you did something dumb and infected your computer with one virus; that virus then automatically infected your computer with a hundred, two hundred, thousand more viruses. Well, one of the ways that these viruses phone home is they use domain names, so xyz.55xx.com, instead of IP addresses. Well, if you've configured your DNS to not allow that to happen, when they try to go to that weird little domain name to phone home and pull malware onto your computer, they'll get redirected to the OpenDNS servers and it won't happen.

So DNS is a fundamental component of all networking, again, not just web browsing but, you know, email, basic stuff. So again, as I talked about in the hacking class, if you can compromise DNS you can just make a mess of an entire network. When you play with DNS you're not talking about, you know, messing with one computer or two computers or the server; you can either take down or protect an entire network using DNS. So this class is going to go over how to use OpenDNS, why it works, and, you know, frankly this is like one of the greatest things since sliced bread. So give me a second; we'll go into this.

So in order to explain how OpenDNS works, again we'll just do a little bit of a review of DNS in general, to explain, you know, how OpenDNS works and why it works so well. So as we talked about before, if you're sitting down at your computer right here and you want to go to cnn.com, so you want to go to a website. Well, remember, computers don't care about things like cnn.com, yahoo.com, msn.com. That doesn't mean a darn thing to a computer. The only thing the computer really cares about is IP addresses: - Oh 8.65 6.55 dot one, 192.168.1.1, 10.0.1.10. That's what the computer cares about. The computer really doesn't care about cnn.com.

So what happens is when you want to go to cnn.com, your computer communicates with something called a DNS server, a domain name services server. In the domain name services server it will say that cnn.com, 208.55.66.1. It will then return this IP address to your computer, 208.55.66.1. Your computer will then use that IP address to go out onto the internet, find the cnn.com server, and then ask for the website from the cnn.com server. So your computer talks to a DNS server, the DNS server returns the IP address, your computer then uses that IP address to go out onto the Internet to communicate with the cnn.com server, and then the cnn.com server gives you the website. So this is how this works.

Now, as we talked about, you know, in the hacking DNS class, generally there are two places where this domain name mapping happens. One is what's called the hosts file that sits on the computer itself. If you have a Windows computer there's something called the hosts file. You can go in there and you'll see it'll give you an IP address, a space, and then a domain name. So that's the first place that the computer looks to map domain names to IP addresses. After that, what will happen is in its IP configuration it will have a primary and secondary DNS server. So those are IP addresses that state: if you cannot find a domain name in the hosts file, then go to this DNS server to try to resolve the domain name; if you cannot find a domain name in the first DNS server, go to the second DNS server to resolve the domain name. So that's how domain name resolution happens.

So normally you go out to the normal public DNS servers and they give you sex.com or facebook.com or, you know, anal, you know, midgets with gerbils .com, you know, it will give you the IP address for that. So what you can do is you can change the DNS server that your computer goes to. So instead of going to the normal public DNS server that you would normally go to, you can go to the OpenDNS server, and that OpenDNS server will look for your computer account or for your network account, and depending on what your network account is set up for, it will either allow you or not allow you to go to different domains. So if you're allowed to go to a domain it will give you the proper IP address, and if you're not allowed to go to the domain it will give you a different IP address that will basically not allow you to get to the domain you're trying to go to.

So the easiest way to set this up so that it protects your entire network is you plug in the OpenDNS DNS server numbers into your router. So you have your computer here, like we talked about before, then you have your router that's on the internet, and then you have their DNS servers that are sitting off in their server farm. So what you do is in your router you put in their DNS servers, their primary and secondary DNS servers. I don't know them off the top of my head, but let's say 208.55.66.1 and 208.55.66.2. That gets plugged in to your router. It's also important that it gets plugged into what's called your DHCP server. So what will happen is when your computer asks for an IP address from the DHCP server, it will be given the IP address 192.168.1.1, it will be given the subnet mask 255.255.255.0, it'll be given the default gateway 192.168.1.whatever, and then it will be given these domain name servers. So that goes into your computer, so when it's trying to resolve the domain name it will try to go to these servers.

Well, what OpenDNS does is in the control panel, you can go to a little website and open up the control panel on the website, and you plug in what your external IP address is. So the external IP address is your IP address before the internet, so, I don't know, 197.55.66.1. Well, what happens is you plug that in, 66.55.1, you plug that in to the OpenDNS control panel. What happens is when your computer goes to their DNS servers, their DNS servers will read what IP address you came from, it will find the account security that corresponds with the IP address that you came from, and then it will give you DNS accordingly. So if this office here, this person at this office, doesn't want any employees to get to facebook.com, when they try to go to facebook.com they will get this "you are not allowed" because of OpenDNS. If there is another office on the internet down here, you know, and they have an IP address of 207.66.255.1, so they're at a different IP address, when they go to the OpenDNS servers they will be given a different security policy for their domain services. So they may be allowed to go to facebook.com, they may be allowed to go to gambling.com, etc., etc., etc.

So this is a basic overview of how DNS and OpenDNS works. So basically remember that your computer, or really any networking devices that you're using, they don't really care about the domain names, cnn.com, EverymanIT.com, EliTheComputerGuy.com. They don't care about that. That doesn't mean a darn thing to them. What they care about is IP addresses. So when your computer tries to contact a website such as EverymanIT.com, your computer will ask a DNS server what the IP address of EverymanIT.com is, the DNS server will return the IP address, then your computer goes to that IP address, asks for the website, and then you get it. Well, if the DNS server sends back a bad IP address, your computer is still going to go to that bad IP address and you won't know the difference. So with OpenDNS, what happens is, like I say, if you want to go to sex.com, your computer asks for the IP address of sex.com, the OpenDNS server doesn't return the IP address of sex.com, the OpenDNS server returns an IP address of one of their servers, and when you go to it basically you just get this webpage that says you are not allowed to go here. That's pretty simple.

What makes OpenDNS really, really nice, though, is that, what we're going to show you in a minute, is they have a control panel that allows you to say what sites you do or don't want your users to see. So you can make it really, really restrictive, where they can't see porn sites or gambling sites or Facebook sites, social networking, you know, really restrictive, or you can make it really, really easy. Like I say, you may allow, I don't know, maybe, you know, you're working at the Hustler Club, so you want your employees to be able to go to sex sites, but darn it, you don't want them to go to Facebook. Well, you can allow them to go to sex.com and whatever.com but not allow them to go to facebook.com. So they go to sex.com, they'll get the proper IP address; if they try to go to facebook.com, again, though, they'll get the OpenDNS thing and they won't be able to go anywhere.

So this is how OpenDNS works. Like I said, it's just a phenomenal, wonderful thing. We use it here in our router because, yeah, I mean, it just makes life a lot simpler, and like I say, it secures the entire network. By putting the DNS information into your router or into your DHCP server, it just protects everything in one shot. It's very nice.

So here we are at the OpenDNS dashboard. So the OpenDNS dashboard is basically just, you know, just another web GUI interface that you'll go to, another web control panel. You go to www.opendns.com and you create an account with them, and then once you're done creating the account you'll be able to log in and see a dashboard that looks like this. OpenDNS has a couple of different service types, so they have the free version, the small-business version, and the enterprise version. The free version, I think, is good, works really well, so we're using the free version, and, you know, the business version has a few different options, so, you know, what you get is up to you, but basically you're going to be seeing the same stuff. They have a Stats tab; for the free version there's nothing here that we can really look at, so we're not going to worry about that. The main thing that we will worry about is this Settings tab here.

Now, before I go into the settings I want to show you what it is that OpenDNS does. So basically, if I open up a new tab here and I wanted to go to a website, let's say sex.com, so sex.com, you know, it's been a busy day, I'm really stressed, so I want to just see some sex. Now, since this is a business environment, as a boss I don't want people to go to sex.com, so when they try to go to sex.com they will see a page that looks like this. It says, "OpenDNS: this domain is blocked." So if they try to go to a sex website they're going to see "domain is blocked." So if I say analsex.com, yeah, this is blocked again. So here at Eli the Computer Guy, our repair shop, I blocked all of these sex sites because there's no reason any of my guys need to be seeing porn in the middle of the day.

Now again, as we talked about a little bit earlier, you can configure OpenDNS to block any number of different types of sites. So you could block sex, you could block gambling, you can block social networking. You know, I don't know, if you work at, you know, the Larry Flynt, you know, the Hustler Club, maybe you want your people to be able to see porn sites but you don't want them to go to facebook.com, you know, who knows. Well, basically you are able to go into OpenDNS and say what websites you don't want your users to be able to go to, and if they try to go to that site they will see a page that looks like this.

So to set this up we just go back to the OpenDNS settings page. Now, I've already set up our office here so I can't set it up again, but you'll see this has a label, 855 North Howard Street, and this says our external IP addresses. So I have configured our router here to use their DNS servers, so when my computer goes to their DNS server, their DNS server will be able to read my external IP address, and then based upon this IP address they will then present me with the settings that I have configured. If I want to create a new network, basically I just tell it a few bits of information here and then do "add this network." This network has already been added so we can't add it.

So if I want to change your configuration, I can go here, yeah, and this shows what configurations, what sites I don't want my people to see. So they give you some default stuff. So High protects against all adult video sites, illegal activities, social networking, video sharing, yadda yadda yadda; Moderate, Low, etc. So for me, I have a custom setting here. So I don't want them to go to alcohol sites, hate and discrimination sites, proxy sites, tasteless, weapons, porn, nudity, dating, adult themes, adware, drugs, gambling, lingerie, sexuality. So this is just trying to keep our internal system safe and to just keep me from, you know, any kind of nasty little lawsuit around the road.

You can see you can block people, though. You can block them from search engines, so if you didn't want them to go to Google you could block them from going to Google. Social networking, so this would block all social networking, you know, Facebook, MySpace, or coop or whatever it is, if anybody actually uses it. Games, so if you don't want your people playing games, you know, when you're paying them $20 an hour, oh, oh, ah, yeah, if you've ever had employees you'd understand, but yeah, if you don't want your employees playing games while you're paying them $20 an hour, you can check this and they will no longer be able to play games.

The only thing that I will say is be very careful when you're selecting these things, because sometimes your employees do need to do things you may not realize that they need to do. Like, some people actually do use Facebook for real marketing and real business, so if you shut them off of Facebook you may come to find you don't have problems. You know, e-commerce shopping: you may say, "Well, I don't want my people going onto Amazon or eBay because they're just wasting time." Well, this may also block, you know, whatever procurement websites that your people need to go to. You know, if your secretary needs to go to staples.com and you've blocked e-commerce websites, well then, you know, you may not have paper clips this week.

But basically this is all you do: you check all of this stuff, you say, you know, what you want, and then you hit Apply. They've also got different settings over on the left-hand side, so you've got the security settings (do you want to protect against malware and botnets, phishing protection, suspicious responses), customization, you know, what kind of pictures that people want to see, stats, and advanced settings. But basically all you do is you go in here, you set all this up, then what you do is you go to your router. So on our network our router is our cable router. You log in to whatever router it is, so whatever router connects you to the outside world and provides the DHCP IP addresses for your network, you plug in the OpenDNS domain name servers into your router, and you're good to go. That's basically all you do.

So this is a basic demonstration of OpenDNS. Again, this is a web service, so, you know, the pages that I'm showing you today may not be the same an hour from now. You know, they can change this at any time they want, and honestly, if you're messing around with DNS you should understand enough about networking that, well, if I haven't shown you how to do something here today, you should be able to figure it out on your own. Remember, DNS is the cornerstone to your networking. If you screw up the DNS you're going to screw up your entire network, so if you don't understand TCP/IP, you don't understand networking, this is probably over your head; hire somebody at 100 bucks an hour to figure this out for you. But this is basically how OpenDNS works and how you configure everything.

So that's a class on OpenDNS for network security. Like I say, I think it's a wonderful, wonderful tool. We have it working on our little router here. One of the reasons, like I say, that we set it up for our shop here is we get a lot of computers that come in that are infected with viruses and just have all this nasty stuff on them. Well, one of the problems that we have is when we connect the computer to the Internet in order to download antivirus definitions or Windows updates, etc., well, as soon as that computer is connected to the Internet, all the viruses and malware on the computer can try to phone home and pull in new crap and make our lives, well, miserable. Well, the nice part using OpenDNS is we plug it into the internet, our entire DNS is protected, so when those little viruses and malware, all that, try to phone home, they're not able to. They pull back a bad IP address and then they fail out. It means it's a lot easier for us to be able to protect the systems and clean the systems up. You know, they're not reinstalling viruses as fast as we are uninstalling them all.

So, like I say, you know, I think I'm talking to a lot of, you know, consultants and business people out there, but, you know, for the employees that are out there, I don't mean this to be offensive, but the reality is employees waste a lot of time. Employees, you know, salaried employees, hourly employees, they get paid to do a job. Unfortunately, for some reason in the modern world people think they should get paid fifteen, twenty, a hundred dollars an hour for looking at Facebook updates. I don't have anything wrong with people looking at Facebook updates, but I know as an employer I sure as hell don't want to pay for it. So, you know, in your office, if you're having a problem with people going to Facebook or MySpace or AOL or any of this, by using OpenDNS you can just shut it down. They simply cannot get to it anymore, so hopefully they're getting back to work.

But this was a class on OpenDNS. Like I say, it's just absolutely wonderful. The one thing I will remind you is, again, if you do not have a static IP address for your network, you know, if you have not purchased a static IP address from your ISP, remember to install that little dynamic IP address application from OpenDNS. What that does is when you install it on your computer, every once in a while it will tell OpenDNS what your current external IP address is, so when you go and you use the OpenDNS servers they know what account you're dealing with. So when you install that little application, you know, install it on one of the servers, install it on some computer that's going to be on 24 hours a day and will always be on. Don't install it on the secretary's computer that only comes in on Monday. The problem is, because if that computer is turned off, you know, your ISP, Verizon or Comcast, changes your dynamic IP address, which they can do at any time, well, then when you go to the OpenDNS servers they won't know who you are, then your security policies won't work, etc.

But again, like I say, it is a wonderful, wonderful thing. Currently, you know, right now it's April 21st, 2011, they have three pricing strategies for OpenDNS. They have a free version that's fine for commercial use. Basically it allows you to use it in like three networks, you can have 25 whitelisted or blacklisted sites, and it gives you a bunch of other stuff. We use the free service. The free service just works fine for us; I see no reason to pay for it. If you want to go up another level, they do have a normal business service. It costs you five dollars per user per year. You know, it gives you more options. Again, I'm telling you as a computer professional, if somebody deals with small businesses and security all the time, five dollars a year to protect your DNS is cheap. That is like nothing. That's like a penny an hour per employee or less; it's like half a penny per hour, a quarter of a penny per hour. So that is definitely worth it if you need that higher level service. They, of course, as with everything, have some insane uber enterprise-level plan that you can purchase. They don't tell you what the cost of that is. That's kind of one of those, you know, if you need to buy that, that means you're willing to spend ten thousand dollars a year for it; you can call them on that. But whether you want the free version or the business version, free is great, it's great that it's free, but like I say, even if you need the business version, five dollars per user per year, that's a no-brainer. I mean, that's just cheap by any means.

So, as you know, I'm Eli the Computer Guy over here for EverymanIT.com. Again, this was OpenDNS for network security. I look forward to seeing you at the next class.
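The lookup flow described in the class, modelled as an added example that is not part of the video and is not OpenDNS code: a toy resolver that picks a policy from the query's source IP, answers blocked names with a block-page address, and loses the policy when the external IP changes without an update. Every name, address (RFC 5737 documentation ranges), category and the `register_ip` updater is constructed for illustration.

```python
from dataclasses import dataclass, field

# All values are constructed for illustration (.example names, RFC 5737 IPs).
BLOCK_PAGE_IP = "192.0.2.53"  # server that shows the "domain is blocked" page
ZONE = {  # domain -> (real IP, category)
    "news.example": ("198.51.100.10", "news"),
    "social.example": ("198.51.100.20", "social-networking"),
    "c2.malware.example": ("198.51.100.66", "malware"),
}


@dataclass
class Network:
    """One account's policy: blocked categories plus per-domain lists."""
    label: str
    blocked_categories: set
    blocked_domains: set = field(default_factory=set)  # blacklist
    allowed_domains: set = field(default_factory=set)  # whitelist


class FilteringResolver:
    """Hypothetical filtering resolver keyed on the client's external IP."""

    def __init__(self):
        self.networks_by_ip = {}  # external IP -> Network

    def register_ip(self, external_ip, network):
        # Stand-in for the dynamic-IP updater: bind the network's current
        # external IP to its policy and drop any stale binding.
        stale = [ip for ip, n in self.networks_by_ip.items() if n is network]
        for ip in stale:
            del self.networks_by_ip[ip]
        self.networks_by_ip[external_ip] = network

    def resolve(self, source_ip, name):
        """Return (answer_ip, reason) for a query arriving from source_ip."""
        name = name.rstrip(".").lower()
        record = ZONE.get(name)
        if record is None:
            return None, "nxdomain"
        real_ip, category = record
        network = self.networks_by_ip.get(source_ip)
        if network is None:
            # Source IP matches no account, so no policy can be applied.
            return real_ip, "no-policy"
        if name in network.allowed_domains:
            return real_ip, "allowed"
        if (name in network.blocked_domains
                or category in network.blocked_categories):
            return BLOCK_PAGE_IP, "blocked"
        return real_ip, "allowed"


def demo():
    """Walk through two offices, a phone-home lookup and an ISP IP change."""
    r = FilteringResolver()
    office = Network("office", {"social-networking", "malware"})
    branch = Network("branch", {"malware"})
    r.register_ip("203.0.113.7", office)
    r.register_ip("203.0.113.99", branch)
    steps = [
        ("office -> social", r.resolve("203.0.113.7", "social.example")),
        ("branch -> social", r.resolve("203.0.113.99", "social.example")),
        ("office malware phones home",
         r.resolve("203.0.113.7", "c2.malware.example")),
        # ISP hands the office a new address; nobody told the resolver.
        ("office after IP change",
         r.resolve("203.0.113.8", "c2.malware.example")),
    ]
    r.register_ip("203.0.113.8", office)  # updater reports the new address
    steps.append(("office after update",
                  r.resolve("203.0.113.8", "c2.malware.example")))
    return steps


if __name__ == "__main__":
    for label, (ip, reason) in demo():
        print(f"{label:28} {ip} ({reason})")
```

The fourth step is the failure mode to watch for on a dynamic connection: queries still resolve, so nothing looks broken, but the answers are unfiltered until the new external IP is registered.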
Info
Channel: Eli the Computer Guy
Views: 170,495
Keywords: OpenDNS, for, Network, Security
Id: 0Vd5UisrN1A
Length: 28min 28sec (1708 seconds)
Published: Fri Apr 22 2011