This tutorial was written to help promote the 20th Cybersecurity Awareness Month campaign (October 2023). I want both you and your families to be safe from hackers and internet thieves. Many of us do online shopping for the holidays, so here is one thing I can recommend that you do for your family’s internet browsing security: set up OpenDNS protection. OpenDNS offers consumers many of the same benefits enjoyed by enterprise customers using the Cisco Umbrella family of cloud-delivered security solutions.
There are many different security threats out there. For example, browser redirects and attacks are a constant threat. By utilizing the Cisco OpenDNS servers, you can limit attackers’ ability to steal your data or put ransomware on your computer.
What You’ll Learn
- What is a Domain Name System (DNS), and how hackers can use it against you
- Which devices you need to protect
- How to set up OpenDNS protection
- How to validate that your DNS protection is enabled
What You’ll Need
- The ability to change your DNS settings on your home router
What Is DNS? How Do Hackers Use It Against You?
DNS resolution is how computers find the IP address of web servers so that browsers can load web pages. There are many techniques that attackers use when they manipulate DNS. Suffice it to say, we want to take these options away from them.
Imagine if you accidentally clicked a link in an email that redirected you to a domain that started downloading malware to your computer? Doing so could cost you financially and put your personal data at risk.
With OpenDNS as your DNS server, this attack would be blocked. The OpenDNS Cisco security team is constantly working to update DNS domain sites that are known to host malware and ransomware and block those sites. Having that layer of protection is a step in the right direction to prevent website redirects, phishing websites, and attempts to infect your computer with attacks like command-and-control callbacks.
Which Devices Do I Need to Protect?
Any device with an IP address that needs to resolve to the internet to get access to services needs to be protected. For example, your internet TV device downloads content from your service provider; you want to make sure that device is not compromised. You may have kids who use mobile phones to access school assignments and use the internet for research. The goal should be to protect any PC, tablet, phone, or device that connects to your network.
How to Set Up OpenDNS Protection
How can we set this up in order to protect our family and friends when they connect to our home networks? The simple answer is to change your DNS records for your DHCP IP address pool.
For example, my service provider’s wireless access point and firewall are all in one box, which is where the settings need to be changed. Depending on your home router, you might want to refer to the manufacturer’s documentation in order to find where the DHCP settings are located. To set up OpenDNS protection, you must change the DNS provided to the inside clients through the DHCP settings. The OpenDNS servers are:
- 208.67.222.222
- 208.67.220.220
If your service provider requires IPv6 DNS servers, then use:
- IPv6: 2620:119:35::35
- IPv6: 2620:119:53::53
For my home internet with Spectrum, I had to go into my service provider internet router and change the DNS. My home service provider provides DHCP, and the DNS is set to the router’s IP address. On my client machines in this network, the DNS will appear as the service provider’s router. We will see an output of this later.
In a corporate environment, it looks a bit different. Some firewalls, such as the Cisco 5508, will require the DNS update to occur on the DHCP profile. In the following example, we have a configuration of DHCP for an inside network that includes the OpenDNS servers:
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 86000
dhcpd domain acme.net
!
dhcpd address 192.168.1.25-192.168.1.75 Inside
dhcpd enable Inside
In the following image, we see that now that we have changed the service provider internet router, our client machine still points to the service provider router for DNS resolution:
However, as seen in our first image, we configured the service provider internet router such that it proxies DNS requests to use OpenDNS. How can we validate that the protection is enabled? We will cover that in the next topic.
How to Validate DNS Protection Enabled
Once you have changed the DHCP settings to include the OpenDNS servers, you can test to make sure that it is working correctly. Go to this OpenDNS-hosted link; you should see the following:
If it does not show a webpage with a check mark and a “Welcome to OpenDNS!” message, you will need to troubleshoot your clients to make sure that the IP settings they have received from the DHCP service have the OpenDNS servers listed. Another option is to manually change the IP configuration of devices on the network, but that should be reserved as a last resort.
Another test you can do to check that you are utilizing OpenDNS servers is to go to www.internetbadguys.com, which is designed to test your threat security without actually exposing you to a real threat. If you get a message that this site is blocked, then you have succeeded in changing your DNS servers.
