OpenDNS is the best tool!  Especially combined with a PIX and firewall.

You are filtering content for internal to outbound addresses, so the configuration for this, when properly set up AND TESTED, takes care of security issues.

As with any DNS server, you will be protecting binary systems, either via chrooted BIND, or a combination of chrooted BIND and a PAE kernel, AppArmor, or SELinux.  Of course, with simple items like turning off kernel TCP forwarding, checking the BIND cache and DNS forwarders, while also watching TTL, in conjunction with a tested PIX and hammered-down listen addresses, you will offset the risks.

OpenDNS is not prey to DNS rebinding attacks, DNS cache poisoning, or Dan Kaminsky's DefCon 16 examples (like AT&T and Cox).

Reference:  http://blog.opendns.com/category/security/


(503)754-4452 Blackberry || Obnosis.com



> Date: Mon, 22 Sep 2008 22:54:30 -0700
> From: bfrancom@gmail.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: Easy to use firewall and invisible proxy?
>
> I've been looking at OpenDNS for content filtering, but am leery
> because of the privacy issues.
> http://www.opendns.com/smb/solutions/filtering/
>
> On Mon, Sep 22, 2008 at 10:48 PM, Alan Dayley <alandd@consultpros.com> wrote:
> > Recommendations sought: Easy to use firewall and invisible proxy.
> >
> > I have friends and family that want a firewall and invisible proxy
> > with content filtering as a gateway on their Internet connection. I
> > know some of the usual suspects like IPCop[1] with Copfilter[2].
> > Dan's Guardian[3] is also nice for content filtering but does not
> > always behave well with Copfilter.
> >
> > So, rather than continue my late night search, I thought I'd ask here
> > about possible solutions. There must be some out there already, such
> > as those used in schools and the like. Does anyone have some
> > recommendations?
> >
> > Alan
> >
> > [1]http://www.ipcop.org
> > [2]http://www.copfilter.org
> > [3]http://dansguardian.org
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >

