In my recent Editors’ Notes post on Consumer Reports’ recommendation that Mac users dump Safari because the Apple browser lacks the anti-phishing tools of Firefox and Opera, I focused on behavioral changes one can make that minimize the risks of phishing attempts. I didn’t, however, discuss a relatively simple configuration change you can make to your Mac that will give you a real anti-phishing tool—in Safari or any other browser you might want to use.
Consumer Reports touted Firefox or Opera over Safari because of the built-in anti-phishing tools in those first two browser; Safari has no such built-in capability. There is, however, a free service you can use that will give every browser on your Mac a full set of anti-phishing tools (and additional tools, if you choose to use them). This service is called OpenDNS, and it’s a free replacement for your Internet service provider’s (ISP) domain name servers.
So just what are domain name servers? A domain name server looks up addresses in the Domain Name System (DNS). In other words, a domain name server is the phone book for the Internet—it translates domain names (www.macworld.com, for example) into Internet protocol (IP) addresses (184.108.40.206, in the case of macworld.com). When you load a Web site, it’s this IP address that’s used to find the server, not the server’s name you typed into the URL bar. Without the DNS, you’d have to know the IP address of any Web site you wanted to use—not a very practical method for browsing the Web.
By default, you are more than likely using the DNS servers provided by your ISP. These are typically included in the setup instructions you used when setting up your Internet connection. But just as there are many companies providing telephone books, there are many different DNS servers you can use—you aren’t required to use the DNS servers provided by your ISP. OpenDNS is one such alternative “phone book,” and it’s one that comes with many features (most are optional) that you probably won’t find in your ISP’s DNS servers. One of those features is phishing protection, based on OpenDNS’ PhishTank project. Once you’ve set your Mac to use OpenDNS’ DNS servers, you get this protection automatically, in any application that uses DNS servers to resolve names.
Note that OpenDNS is able to provide its services for free because it changes how your browser behaves when you enter a non-existent URL, say for asdfjklasjxznn.com. If you enter that URL using your normal DNS servers, you’ll get a standard “page not found” error message. If you load that URL using OpenDNS, however, you’ll see the image at right (click the image for a larger version). The ads you see there are what help OpenDNS pay for its services. If the prospect of seeing such ads when you enter a bad URL concerns you, then you’ll want to pass on this solution. For me, though, it’s a small price to pay for an excellent free service.
Setting up OpenDNS
So how do you use OpenDNS in place of your ISP’s DNS servers? The answer depends on which version of OS X you’re using, how you connect to the Internet, and how your current DNS server information has been set. Answering this question for every version of OS X and every possible network configuration simply isn’t possible in this space. Instead, I’ll provide some generic configuration advice, a specific example, and a pointer to OpenDNS’ own very usable installation instructions.
First, the generic advice: To replace your ISP’s DNS servers with the OpenDNS DNS servers, re-read the installation instructions that your ISP provided. When you get to the step about setting up the DNS servers, replace whatever DNS server IP addresses you've been provided with the OpenDNS DNS server addresses: 220.127.116.11 and 18.104.22.168. Save your changes, and you’re done.
As one specific example of a configuration change, here’s what you’d do if you’re using OS X 10.5 on a machine that connects to the network via AirPort, but has a locally-assigned DNS server (that is, defined on that Mac). Launch System Preferences and open the Network pane. Select AirPort in the leftmost column, then click Advanced. A new sheet will drop down, displaying a number of tabs across the top. Click on the DNS tab, and then click the plus sign at the bottom left of the DNS Servers window. The cursor will move to a blank line in the DNS Servers window; type the first OpenDNS DNS server address here,
22.214.171.124. Click the plus sign again, and enter the second OpenDNS DNS server address,
If you see any other addresses listed above these new entries, click on each one and then click the minus sign to remove them. (If you see entries that are grayed out, that means that another machine—your AirPort Base Station or other router, for instance—is providing the DNS server information. If that’s the case, you’ll need to change that machine’s DNS server information to point to the OpenDNS DNS servers.) Once you’ve only got the two OpenDNS DNS servers’ information visible, click OK. This will return you to the AirPort screen; once that appears, click Apply to, well, apply the changes you just made.
If you need more specific installation instructions, the OpenDNS’ Web site has a number of how-to guides for many different computers and operating systems, as well as 14 different brands of home routers (including the AirPort Base Station).
Confirm the setting
After clicking Apply, the changes you’ve made should take effect in about a minute or less. To confirm that your system is using the new DNS, the quickest thing to do is open up Terminal (in Applications -> Utilities), and run a quick
nslookup, which runs a name system lookup on the URL you specify. Included in the results is the IP address of the name server that was used to run the query:
$ nslookup www.macworld.com Server: 126.96.36.199 Address: 188.8.131.52#53 Non-authoritative answer: Name: www.macworld.com Address: 184.108.40.206
As seen here, the Server and Address both point to the OpenDNS DNS server addresses I entered earlier, meaning that my machine is using the OpenDNS DNS servers for address lookups.
Changing your DNS servers isn’t very difficult to do, and by using OpenDNS, you’ll get the benefit of an active and constantly-updated anti-phishing tool, regardless of your browser of choice. If you don’t feel you’ll always be able to spot a potential phishing scam in your e-mail, using OpenDNS is a great solution that will allow you to keep using Safari with some peace of mind. (But remember, no anti-phishing tool is going to be 100 percent accurate, so you’ll want to practice “safe clicking” as I described in the prior article, too.)
In the long run, I really think that something like an Internet-wide anti-phishing tool, such as the one offered by OpenDNS, makes more sense than any number of browser-specific tools. With individual tools, your phishing protection will vary based on which browser you’re using; with a DNS-level tool, though, you’ve got the same level of protection regardless of your browser choice. Hopefully we’ll eventually see an Internet-wide solution, so that you’ll have the freedom to use whichever browser you prefer without worrying about the quality (or lack thereof) of its built-in anti-phishing tools. Until that happens, though, OpenDNS is a great alternative.