I learned long ago that there is value in having someone else manage DNS services for my small business. Up until now, I've used OpenDNS. In my opinion, it is the best SOHO option for both name resolution and controlling access to questionable sites. However, that might all change with the introduction of Symantec's Norton DNS.
Norton DNS is a component in the emerging Norton Everywhere offering, eventually providing control over sites your employees or family members can visit or blocking access to sites known to distribute malicious content. I say eventually, because although OpenDNS beta blocks malicious site access, the user management console is still unavailable.
If you are still using your ISP's DNS services, I highly recommend you move to something a little safer. Most ISPs do not provide services that allow you to control content. Many of them also fail to apply security patches to their DNS applications. These are important components of any Internet security strategy.
Installing and configuring anti-malware software, client firewalls, and client policy solutions are all last-line defensive controls. They protect your systems if exploits make it that far into your home or office network. However, the first line of defense should always be preventive controls placed as far as possible from the attacker's target, including:
- Configuring perimeter firewalls (including home routers) as closed, allowing only explicitly approved traffic to pass to the internal network.
- Taking steps to keep target systems away from malware in the first place.
The first bullet is a no-brainer. Most home routers do this by default. If you are unsure about your home or SOHO perimeter configurations, run the free ShieldsUp service. It will tell you whether any holes exist. The objective described in the second bullet is harder to achieve. It requires either installation of an in-house service, such as Websense, or use of a third-party provider. Although Websense provides a great product, it is far beyond the budgetary reach of home or SOHO users. Norton DNS now provides affordable, possibly free protection. (The official Norton DNS Web page states that it will be free for non-commercial use.)
Unlike OpenDNS, Norton DNS does not yet let you choose the site categories that you, or your users, should be kept away from. This OpenDNS feature accomplishes three things. First, it focuses business system access on business sites. Second, it restricts access to inappropriate sites (porn, hate, weapons, etc.), an important consideration for homes with children or for a business trying to avoid accusations of providing a hostile work environment. However, Norton DNS does prevent users from visiting sites that Norton Safe Web identifies as harboring exploits.
In a future release of Norton DNS, Symantec plans integration with Norton Online Family to allow application of site restrictions. According to a forum post,
As some other posters have mentioned, the focus of Norton DNS today is to protect users from phishing and malware sites. Norton Online Family is a great option for parental controls.
In the future, our goal is to integrate these two services so that IF you want to optionally apply content filtering for parental controls, you will be able to do it via Norton DNS. (dnadir, June 2010).
Setting up Norton DNS for Windows 7
Sometime over the next few weeks, Symantec will release a client for setup and management. However, manual setup for a single PC is easy if you have Windows XP. You just follow the provided directions. I used the following steps to set it up in Windows 7. You can use this same process to move to any DNS service of your choice. (To change DNS settings for all computers in the network, change the DNS server address in your DHCP service settings.)
1. Open the Control Panel from the Start Menu.
2. Click on View network status and tasks.
3. Click on the network connection you want to move to Norton DNS.
4. Click on Properties and then click on Internet Protocol Version 4 (For testing purposes, I turned off IPv6 functionality by unchecking the related box).
5. Click on Properties once again and enter the Norton DNS IP addresses as shown below.
6. Refresh your IP configuration by typing ipconfig /renew at a command prompt.
7. Verify the change by typing ipconfig /all at a command prompt and make sure the DNS servers show the new settings (You can also visit the Norton DNS verification page).
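The same change, scripted, as an added example that is not part of the original post or of Norton's forthcoming client: it sets the resolvers for one connection with netsh (steps 5 and 6) and then checks, as step 7 does, that ipconfig /all reports them and that a lookup through the new resolver succeeds. The connection name "Local Area Connection" is an assumption, and the two DNS addresses are placeholders to be replaced with the ones on the Norton DNS page, since the post shows them only in a screenshot.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell
# prompt on Windows 7 (PowerShell 2.0 is enough; only netsh, ipconfig and nslookup are used).
$Connection   = "Local Area Connection"                 # assumed; use the name shown in Control Panel
$PrimaryDns   = "<PRIMARY_DNS_IP_FROM_NORTON_DNS_PAGE>"   # placeholder
$SecondaryDns = "<SECONDARY_DNS_IP_FROM_NORTON_DNS_PAGE>" # placeholder

function Set-ResolverAddresses {
    param([string]$Name, [string]$Primary, [string]$Secondary)
    # Replace any DHCP-assigned or previously static resolvers with the primary address...
    netsh interface ipv4 set dnsservers "name=$Name" source=static address=$Primary validate=no | Out-Null
    # ...and append the secondary as the second entry in the resolver list.
    netsh interface ipv4 add dnsservers "name=$Name" address=$Secondary index=2 | Out-Null
    # Drop cached answers so the next lookup really goes to the new resolvers.
    ipconfig /flushdns | Out-Null
}

function Test-ResolverAddresses {
    param([string]$Primary, [string]$Secondary)
    # ipconfig /all lists the resolvers the stack will actually use; both must be present,
    # otherwise the filtering service is not in the path at all.
    $cfg = ipconfig /all | Out-String
    $ok = ($cfg -match [regex]::Escape($Primary)) -and ($cfg -match [regex]::Escape($Secondary))
    if (-not $ok) {
        Write-Warning "ipconfig /all does not show both configured DNS servers"
        return $false
    }
    # Ask the primary resolver directly; nslookup reports these phrases when it cannot answer.
    $lookup = nslookup www.example.com $Primary 2>&1 | Out-String
    if ($lookup -match "can't find|timed out|Non-existent") {
        Write-Warning "Lookup via $Primary failed: $lookup"
        return $false
    }
    return $true
}

Set-ResolverAddresses -Name $Connection -Primary $PrimaryDns -Secondary $SecondaryDns
if (Test-ResolverAddresses -Primary $PrimaryDns -Secondary $SecondaryDns) {
    "Resolver change applied to '$Connection' and verified."
}
```

To move a whole network rather than one PC, put the same two addresses in the DHCP scope instead, as the post notes, and run only the Test-ResolverAddresses part on a client after it renews its lease.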
The beta works as advertised. I've been using it for several days without issue. It doesn't appear any faster or slower than OpenDNS, the service I use on all my systems. However, the lack of controls to select which sites to block prevents me from using it as a home solution. With eight grandchildren, I need a better safety net to ensure something unexpected doesn't pop up on my screen. This also applies to managing user access at my small business site.
I like the path Symantec is following. However, I think I'll keep OpenDNS until Symantec offers all the services I need for home or small business use.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.