MokaFive, a new take on portable virtualization

If you don’t want to bring your laptop with you but still want to carry most of your environment, tools, and digital documents, MokaFive gives you an interesting and secure way to do this. The software has a nice collection of utilities to pull this off, and while a bit quirky to get installed and operating, it could be a big convenience for people on the go. I say secure because the product is a lot safer than just using a borrowed PC at a public kiosk or library. And it is free, too!

You can read my complete review at Tom’s Guides here.

Using OpenDNS to protect your network

This week we had another Internet security exploit revealed. And while I don’t want to get into the details, let’s just say that if you aren’t using OpenDNS.com for your home network, now is the time to take the five minutes and get it done. It is simple (well, as these things go), it is free, and it will protect you from any number of issues in the future. And you might get better browsing performance as a result.

Before I tell you how to do this, let’s have a brief explanation of what the Domain Name System is for those of you that really want to know. Think of what a phone book (remember them, before we used online searches to look up a friend’s number, seems so quaint now) does – it allows you if you know someone’s name to look up their phone number. The names are in alphabetical order, so if you know the alphabet, you can quickly page through and find the person, if they are listed.

The DNS does something similar, except for computers: if you type in “google.com” it translates that name into a sequence of four numbers, called an IP address, which in this case for google.com is 72.14.207.99. Paul Mockapetris, a gentleman I have spent some time with and one of the Internet bright lights, put the thing together in the early 1980s, which is enshrined in RFC 882, even before Al Gore had invented the Internet itself.

The overall Internet infrastructure has a series of master phone books, or DNS root servers, located at strategic places around the world and maintained by a collection of public, semi-public, and private providers. They talk to each other on a regular basis, to make sure that as we add new domains they are in sync. As you can imagine, if someone wants to “poison” one of the entries, or misdirect Internet traffic to a phony domain, it can be done with the right amount of subterfuge.

Here is where OpenDNS comes into play. When you set up your home network, typically you don’t give your DNS settings any further thought. If you have a cable or DSL modem, you hook it up and it automatically gets its DNS settings from the cable or phone company’s DNS servers.

What I am suggesting is that you change these settings, to reflect the DNS servers at OpenDNS. There are instructions on their Web site, but basically you specify the two (one is used for backup) DNS IP addresses for your router or DSL/cable modem. If you have a wireless gateway from Netgear or someone similar, you make the entries there. You need to know the router’s IP address, and how to access it via its Web interface.

There are a few nice things about using OpenDNS. First, you can set it up to block objectionable domains, so that you might be able to get around your kids seeing something that you would rather they didn’t. They also spend time to block known exploit domains, so you have a better chance of not getting trapped by some hacker. You also get better DNS service, because they have servers that will return the domains supposedly faster than the ones for the general Internet. They also catch common typos, so if you are like me and make mistakes typing in names in your browser, they can usually direct you to the place you intended.

How do they make money? If you type in an unknown domain name, you are directed to their search page where they show ads, just like the Google search pages.

OpenDNS is not the answer for everyone, and businesses should go a step further and protect their DNS servers on their networks. While I don’t want to get into that here, you can find out more about the exploit from the experts; start with this blog post here:

http://www.circleid.com/posts/87143_dns_not_a_guessing_game/

It is sad that the Internet is at risk: this exploit is serious, and goes at the core protocol that everyone uses all day long. Hopefully, the engineers will find a fix soon.

Understanding two-factor authentication

There’s a lot to consider before you implement two-factor authentication, because it touches your enterprise infrastructure, applications and networks. The notion of using something whose only purpose is to help identify you to computing systems is older than the Web, but it’s gaining traction as the number of phishing and hacking exploits rises. 

In my story this week for Baseline magazine, I describe the various choices involved in two-factor authentication. 

Protecting your laptop

With the number of safeguards built into most of today’s computers, there’s no excuse for not protecting your laptop—and your company’s data. It may take a stolen or misplaced laptop for you to realize how easy it is for your company’s data to fall into the wrong hands when you travel. There really is no excuse for this, given the number of protective measures built into most computers these days. The key, of course, is to use these tools before an incident happens.

There are several ways to make your laptop more secure and I discuss them in my story in Baseline magazine this week.

Why endpoint security is still tough

Having tested a number of endpoint security products and lectured to several audiences is still no substitute for actually seeing what works and what doesn’t in the field. And while the products are getting better, there are still no magic, one-size-fits-all solutions. I wanted to share with you some of the things that I have learned from my visits.

First off, most of the vendors are very XP-centric, and some are only now just getting to supporting that other Windows OS that is finding its way on to desktops, you know, Vista? And when it comes to non-Windows, such as Mac OS, Linux, and PDAs, most of the folks are still behind the times. There are products such as StillSecure’s Safe Access that support both agent and agentless operations, but still many of the agentless products only provide a small subset of the protection that their Windows XP agents do. Of course, one solution is to just standardize on XP SP2 for all your desktops, too.

Second, remediation measures are spotty, and in some cases non-existent. When your security product finds a non-compliant endpoint, how do you get it fixed and what does the end user see? Do you shunt them off to a quarantined network, where they can’t do much beyond update their patch levels and browser protection? Or do you block them entirely? How you go about implementing this will impact your support resources, which is why many of you have not gone whole-hog into 100% remediation, even if it were available.

Third, how you manage your entire security policies across your enterprise can make or break which product you end up purchasing. Some of the products require more or less work to integrate with the firewalls, intrusion systems, and other protective measures that you have in place. In one situation, the corporation used its endpoint strategy to control network access by tying in biometrics. When a user authenticates by swiping their fingerprint, they gain access to the network resources and a fully-encrypted local hard drive too. (Seagate has a very nice built-in encryption to their hard drives that was being used in this case.)

Fourth, do you really need to protect everyone? Some of the shops I have seen implement their endpoint software for just consultants, guests, and others that aren’t on managed desktops. Some have to protect everyone, such as on the college campus of my alma mater Union College. It largely depends on what your desktop population is: the proportion of managed machines, and the proportion of guest workers who are coming in the front door. The theory is that the managed desktop can be locked down and you don’t have to worry as much with these systems as with the random PC that walks in off the street, infected to the hilt. This can also apply to the remediation measures that you implement: you may want to start small here and work your way up too.

This column also appeared in Baseline magazine’s Web site this week.

MarkMonitor Brandjacking Index Spring 08

I continue to author this series of white papers for MarkMonitor about brand abuses across the Internet. This report looks at the online travel industry as well as the purchase of commercial aircraft components. Both are experiencing plenty of fraud — you would think selling pieces of F16s wouldn’t have much of a market online, but you would be wrong. There is also a brisk trade in online air ticket vouchers, most of which aren’t transferable. That doesn’t stop the bad guys from trying to sell one!

You can download the report here.

Beware of network printer hacks

I am not sure that I should be telling you this, but your network is a sitting duck for a break-in that is both elegant and potentially dangerous.

All you need is your Web browser and some basic knowledge, and while I have put a few things together in this post, it didn’t take me more than a few minutes of research to do it. This exploit can easily pass through your firewalls, it can get around your most sophisticated intrusion prevention systems, and once someone is inside your network, they can operate in full view of anyone, avoiding the scrutiny of even the savviest network administrator.

How so, you might ask? Go to Google and type in the following text in the search field, and you’ll see an example of what I am talking about:

inurl:hp/device/this.LCDispatcher

What is going on here? Simple. Your print servers (among other devices that are connected to your network) have built-in Web and other servers that can be used to launch an attack on your network. Many of these print servers have been long forgotten about by anyone in IT. They operate from a position of trust inside your network—they have to, otherwise no one would get anything printed out on them. And if you click on any of the retrieved pages in our search above, you will be transported instantly to print servers that are sitting ducks for hackers to take over. I managed to connect to ones in China and Germany, and see that some are needing toner or paper, for example.

Yes, it will take a bit more work to install some rogue application, and yes, just Googling them isn’t really an exploit, but you should have gotten a chill up your back as I did when I first started thinking about this situation.

And print servers aren’t the only sitting ducks, just the easiest to explain. How many other IP-connected devices are running on your network that have been long since installed and forgotten about? Web cameras? Industrial equipment? Fax servers? Scanners? These last two could be even more trouble, because they come with phone lines to the outside world that a hacker could use for further exploits.

As the number of these networked devices increases, the situation is only going to get worse. So what can you do to stop these sorts of attacks? First off, take the time to locate all these forgotten servers. Do a regular scan of what active IPs are out on your network, and see if you can associate all of them with known users. Start doing the research on the unrecognized IP addresses.

Second, scan for traffic on port 9100; this is often the port used by print servers, and it is an easy way to track down the servers that you have forgotten. Finally, take some time to read through this documentation from HP (if you have HP servers) or something similar from your vendor:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999
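Here is an added example, my own and not from HP or Baseline, of how the two suggestions above can be turned into a routine check. It takes a list of addresses that answered on a sweep, compares them with an asset inventory to find the ones nobody can vouch for, and then looks through flow records for hosts receiving connections on port 9100 to flag the forgotten print servers among them. The inventory, host list and flow records are all constructed sample data; in practice they would come from your own scanner and your switch or firewall logs.

```python
import ipaddress

# Constructed asset inventory (hypothetical): address -> owner or description
INVENTORY = {
    "10.0.1.10": "file server (IT)",
    "10.0.1.25": "J. Doe desktop",
    "10.0.1.50": "HP LaserJet, 2nd floor (IT)",
}

# Constructed result of a sweep of 10.0.1.0/24: addresses that responded
ACTIVE_HOSTS = ["10.0.1.10", "10.0.1.25", "10.0.1.50", "10.0.1.77", "10.0.1.200"]

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("10.0.1.25", "10.0.1.50", 9100),
    ("10.0.1.25", "10.0.1.10", 445),
    ("10.0.1.77", "10.0.1.200", 9100),
    ("10.0.1.10", "10.0.1.200", 9100),
    ("10.0.1.25", "10.0.1.200", 80),
]


def unrecognized_hosts(active, inventory, network):
    """Active addresses inside `network` that have no inventory entry, in address order."""
    net = ipaddress.ip_network(network)
    unknown = [h for h in active
               if ipaddress.ip_address(h) in net and h not in inventory]
    return sorted(unknown, key=ipaddress.ip_address)


def likely_print_servers(flows, port=9100):
    """Map each destination that accepts traffic on `port` to its number of distinct clients."""
    clients = {}
    for src, dst, dport in flows:
        if dport == port:
            clients.setdefault(dst, set()).add(src)
    return {dst: len(srcs) for dst, srcs in clients.items()}


def report(active, inventory, flows, network):
    """One line per unrecognized host, noting those that look like forgotten print servers."""
    printers = likely_print_servers(flows)
    lines = []
    for host in unrecognized_hosts(active, inventory, network):
        note = "unrecognized, not in inventory"
        if host in printers:
            note += (f"; {printers[host]} client(s) sending to tcp/9100"
                     " -> probable forgotten print server, research and inventory it")
        lines.append(f"{host}: {note}")
    return lines


if __name__ == "__main__":
    for line in report(ACTIVE_HOSTS, INVENTORY, FLOWS, "10.0.1.0/24"):
        print(line)
```

Run on a schedule, the interesting output is the delta: any address that appears in the report two sweeps in a row has gone unclaimed long enough to deserve a visit to whatever is plugged into that port.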

Those of you that have additional commentary, I would love to hear from you, please post your suggestions and I will share them.

This column also ran in Baseline Magazine’s Web edition this week.

How to become a security expert

My friend Fred Avolio (who has helped me host my Web Informant mailing list for several years), has put together a master class that will teach even the most experienced IT person the important fundamentals of network security. (And I say this even with him plugging my first book on Internet Messaging.) What I like about Fred is that he has tremendous wisdom and perspective, and shows the reader some old stuff that is still very much au courant. This post is well worth a deep dive.

Free WiFi at Denver Airport: You get what you pay for

I have had several trips to Denver in the past year, mostly to visit my daughter in college. Last fall they turned on free WiFi at the airport, and while slow I thought it was a nice amenity, particularly as the airport is so far from any civilization that you usually have to allow plenty of time to get there.

Now the stories are out that they use a filter to block several Web sites, including those of Sports Illustrated and some tech blogging sites. (Irony alert: if you are actually reading this in DIA, you won’t be able to get to the above link, which goes to BoingBoing and is on the blocked list!) The reason for the block is to keep porn from the wandering eyes of kids.

The last time I was at DIA, the WiFi was pretty slow and virtually unusable, but my daughter has reported better results (I guess for Facebook and IM it is acceptable.)

Maybe in addition to a smoking section we need to have a porn-viewing section at airports. That would certainly motivate me to get to the airport early! Come to think of it, why not have such sections on flights as well, once we start having WiFi access on the planes? I would sit there just to get away from the crying babies.

Baseline March feature: Think Hack

Defending your digital castle requires a little devious thinking so you can understand—and counter—threats.

These days you have to think like a hacker to protect your enterprise network. This doesn’t mean you have to invest in a lot of tools, have specialized knowledge or hire a security consultant. You just need the ability to understand your adversary’s thinking and methodologies to devise appropriate defenses.

There are three basic steps in the process, which you can read about in the article here in the March edition of Baseline.