Safe browsing with Norton DNS

I like the path Symantec is following. However, I think I'll keep OpenDNS until Symantec offers all the services I need for home or small business use.

I learned long ago that there is value in having someone else manage DNS services for my small business.  Up until now, I’ve used OpenDNS.  In my opinion, it is the best SOHO option for both name resolution and controlling access to questionable sites.  However, that might all change with the introduction of Symantec’s Norton DNS.

Norton DNS is a component in the emerging Norton Everywhere offering, eventually providing control over sites your employees or family members can visit or blocking access to sites known to distribute malicious content.  I say eventually, because although OpenDNS beta blocks malicious site access, the user management console is still unavailable.

Security considerations

If you are still using your ISP’s DNS services, I highly recommend you move to something a little safer. Most ISPs do not provide services that allow you to control content. Many of them also fail to apply security patches to their DNS applications. These are important components of any Internet security strategy.

Installing and configuring anti-malware software, client firewalls, and client policy solutions are all final defensive line controls. They protect your systems if exploits make it that far into your home or office network. However, the first line of defense should always be preventive controls placed as far as possible from the attacker’s target, including:

  • Configuring perimeter firewalls (including home routers) as closed, allowing only explicitly approved traffic to pass to the internal network.
  • Taking steps to keep target systems away from malware in the first place.

The first bullet is a no-brainer.  Most home routers do this by default.  If you are unsure about your home or SOHO perimeter configurations, run the free ShieldsUp service.  It will tell you whether any holes exist.

The objective described in the second bullet is harder to achieve.  It requires either installation of an in-house service, such as Websense, or use of a third-party provider.  Although Websense provides a great product, it is far beyond the budgetary reach of home or SOHO users. Norton DNS now provides affordable, possibly free protection.  (The official Norton DNS Web page states that it will be free for non-commercial use.)

Unlike OpenDNS, you can’t yet set site categories you wish your users, or you, to avoid. This feature of OpenDNS accomplishes three things. First, it focuses business system access on business sites. Second, access to inappropriate sites (porn, hate, weapons, etc.) is restricted. This is an important consideration for homes with children or a business trying to avoid accusations of providing a hostile work environment.  However, Norton DNS does prevent users from visiting sites Norton Safe Web identifies as harboring exploits.

In a future release of Norton DNS, Symantec plans integration with Norton Online Family to allow application of site restrictions.  According to a forum post,

As some other posters have mentioned, the focus of Norton DNS today is to protect users from phishing and malware sites. Norton Online Family is a great option for parental controls.

In the future, our goal is to integrate these two services so that IF you want to optionally apply content filtering for parental controls, you will be able to do it via Norton DNS. (dnadir, June 2010).

Setting up Norton DNS for Windows 7

Sometime over the next few weeks, Symantec will release a client for setup and management. However, manual setup for a single PC is easy if you have Windows XP. You just follow the provided directions. I used the following steps to set it up in Windows 7. You can use this same process to move to any DNS service of your choice. (To change DNS settings for all computers in the network, change the DNS server address in your DHCP service settings.)

1.  Open the Control Panel from the Start Menu.

2.  Click on View network status and tasks.

3.  Click on the network connection you want to move to Norton DNS.

4.  Click on Properties and then click on Internet Protocol Version 4. (For testing purposes, I turned off IPv6 functionality by unchecking the related box.)

5.  Click on Properties once again and enter the Norton DNS IP addresses as shown below.

6.  Refresh your IP configuration by typing ipconfig /renew at a command prompt.

7.  Verify the change by typing ipconfig /all at a command prompt and make sure the DNS servers show the new settings. (You can also visit the Norton DNS verification page.)
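
The check in step 7, automated as an added example (not part of the original article): it parses ipconfig /all output and reports every adapter that still lists a resolver other than the filtering service, including IPv6 resolvers handed out by a router. The addresses in EXPECTED are documentation-range placeholders, not the real Norton DNS servers, and the sample output is constructed.

```python
import ipaddress

# Placeholder resolvers (documentation range), NOT the real Norton DNS servers.
EXPECTED = {"192.0.2.10", "192.0.2.20"}

# Constructed sample of English-language `ipconfig /all` output.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       192.0.2.20

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.40(Preferred)
   DNS Servers . . . . . . . . . . . : fe80::1%11
                                       192.168.1.1
"""

def _ip(token):
    try:  # drop an IPv6 zone suffix such as %11 before validating
        return str(ipaddress.ip_address(token.split("%")[0]))
    except ValueError:
        return None

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        value = line.strip()
        if line[:1].strip() and value.endswith(":"):  # unindented adapter heading
            adapter, in_dns = value[:-1], False
            result[adapter] = []
            continue
        if adapter and value.startswith("DNS Servers"):
            in_dns, value = True, value.split(":", 1)[1].strip()
        ip = _ip(value) if in_dns else None  # continuation lines hold a bare address
        if ip:
            result[adapter].append(ip)
        else:
            in_dns = False
    return result

def audit(text, expected=EXPECTED):
    """Return {adapter: [resolvers not in expected]}; an empty dict means none were found."""
    found = {a: [s for s in srv if s not in expected]
             for a, srv in dns_servers_by_adapter(text).items()}
    return {a: stray for a, stray in found.items() if stray}
```

On a live machine, pass the captured output of ipconfig /all to audit() in place of SAMPLE; any adapter it returns can still resolve names through an unfiltered server.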

The final word

The beta works as advertised. I’ve been using it for several days without issue. It doesn’t appear any faster or slower than OpenDNS, the service I use on all my systems. However, the lack of controls to select which sites to block prevents me from using it as a home solution. With eight grandchildren, I need a better safety net to ensure something unexpected doesn’t pop up on my screen. This also applies to managing user access at my small business site.

I like the path Symantec is following. However, I think I’ll keep OpenDNS until Symantec offers all the services I need for home or small business use.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

14 comments
alandc

OpenDNS blocks malicious site access, the user management console is available that lets you specify categories of site you wish to allow or block. It works BEST with fixed IP addresses (from your ISP) but can even work with leased addresses if you run the OpenDNS client updater. This article sounds like it was written in 2006. Have you even used the OpenDNS website to manage your connection? If you configure your firewall/router correctly (there are at least two different ways for network administrators to accomplish this) it can be near impossible to browse somewhere inappropriate.

scallahan58

After attempting to use several resource-gobbling Symantec products, and having to hack them out of my system when their uninstallers didn't work, I wouldn't touch anything from Symantec with a ten foot pole!

alandc

I have to agree with the other folks expressing reservations about the Symantec/Norton brand. I have had the same experience as most technicians with a product that: a) Doesn't protect against most malware. b) Is near to impossible to uninstall. The newer versions use even more CPU power to run and although the end users seem happier with the products I'm avoiding them. They've lost reputation and trust that will need to be rebuilt.

Gis Bun

So you are equating "bloatware" software on your PC with non-bloatware software [we'll assume] that never shows up on your PC? That makes sense. As for uninstallers that don't work, every PC is different. Some have problems installing service packs, most don't. I've only seen 2 cases where I couldn't uninstall their software correctly. When was the last Symantec product that you have installed, BTW? 4 years ago? 5? Current versions are lighter.

Tech_Monkey

I was using OpenDNS (free) at home for years until they implemented automatic filtering. Thanks, but no thanks. Switched to Google DNS, no issues thus far.

SmartAceW0LF

From putting my 2 cents worth in here in full. Suffice to say however that this is what I would anticipate from the upper echelon of office dwellers.

bcgreaves

Symantec/Norton is a memory hog. Yes, they really do TRY to help but the software is cumbersome and quite frankly, not that good. I have Corp. Edition on my network and very often, my users get infected on their laptops (off of my network where the firewall I have doesn't protect them). Most of Symantec's products if you notice are pretty sizeable downloads. Check your resources after installing any of their products... memory hogs. AVG's products appear to take up less resources and work better (IMO).

SmartAceW0LF

Is that they lend their name to such a longstanding deplorable product such as Norton. What could have changed within the last couple of years that would change YOUR mind about giving them a second chance after 15 years of crap? As for me, I am glad they have the OEM deal they do with most PC Mfgrs. It's job security for me.

alandc

The automatic filtering is not of normally blocked sites (i.e. gambling, porn, drugs and illegal activity). It is only those sites you and I both wish were legally kicked completely off the Internet. It's those guys who install viruses and malware on your computers and try to steal your bank, credit card, and identity. I can only assume from your post you misunderstand OpenDNS (or support the activities of identity thieves?). Maybe you're an IT guy who makes a lot of money off computers that get infected with malware!

bboyd

Just removed a month-old consumer copy last week. [beat skull on desk] Everyone else's AV product seems to uninstall from the Windows Add/Remove Programs system just fine. Given that there are a good number of higher performing lower overhead alternatives why even consider it. They need to go a long way to formally prove they are worth even a second glance now.

apotheon

Some people prefer to do their own filtering, rather than trusting that in the hands of some service provider. I can sympathize -- especially given that I write about security professionally, and occasionally need access to domains that other people might like to have blocked for them so they do not have to think about it. The number of times I have seen "helpful" site blocking abused to push an agenda also makes me a bit hesitant to trust someone else's network filtering, and others may have the same qualms.