Perhaps I will switch to OpenDNS after all. In fact, I should have done this a while ago on most of the nets I deal with routinely.
The commentary in this posting is rather interesting as well. If you don’t trust OpenDNS, and I can’t say that I blame you, a comment poses a worthy option:
- I run a local DNS server that randomizes source ports, whose network-facing NAT does not derandomize source ports.
- My local server resolves through the root servers. The queries are sent to a random root.
- I limit my DNS server to strictly use TCP queries and not to use UDP for queries.
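The first of those conditions (random source ports that survive the NAT) is easy to check from the outside of the NAT. The script below is an added example, not code from the post or its commenter: it takes the ordered UDP source ports seen for a burst of outbound queries (constructed samples here; a real run would read them from a capture on the NAT's outside interface) and reports whether they look fixed, sequential (a derandomizing NAT) or randomized. The thresholds are assumptions.

```python
"""Check whether the DNS source ports seen on the WAN side of a NAT look randomized.

Input is the ordered list of UDP source ports observed for a burst of outbound
DNS queries. Three patterns are distinguished: a fixed port (resolver does not
randomize), a counter (the NAT rewrote the ports sequentially, i.e. derandomized
them) and ports that are spread out and non-sequential (randomization survived).
"""
import random
from collections import Counter
from math import log2


def entropy_bits(values):
    """Shannon entropy of the sample in bits; at most log2(len(values)) for a small sample."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def sequential_fraction(ports):
    """Share of consecutive queries whose port went up by exactly one (counter-style NAT)."""
    if len(ports) < 2:
        return 0.0
    return sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1) / (len(ports) - 1)


def classify_ports(ports, min_distinct_ratio=0.5, max_sequential=0.5):
    """Return 'fixed', 'sequential' or 'randomized' for an observed port sequence.

    The two thresholds are assumed values, not taken from the post.
    """
    distinct_ratio = len(set(ports)) / len(ports)
    if distinct_ratio < min_distinct_ratio:
        return "fixed"          # the same few ports reused: nothing random to guess
    if sequential_fraction(ports) > max_sequential:
        return "sequential"     # NAT (or resolver) hands out ports in order
    return "randomized"


# Constructed samples standing in for three captures of 32 queries each.
FIXED_PORTS = [53] * 32                                          # pre-patch resolver
SEQUENTIAL_PORTS = list(range(40000, 40032))                     # derandomizing NAT
RANDOM_PORTS = random.Random(7).sample(range(1024, 65536), 32)   # per-query random port

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS), ("random", RANDOM_PORTS)]:
        print(f"{name:10s} entropy={entropy_bits(sample):5.2f} bits  verdict={classify_ports(sample)}")
```

Note that a small capture bounds the measurable entropy at log2(n), so the distinct-port ratio and the sequential test carry most of the verdict; the entropy figure is there to compare captures of the same size.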
Metasploit code now jupes entire domains.