Comment 5 for bug 1133777

Hi David,

Thanks very much for being on-side with this issue -- you have earned a lot of respect from me with this kind of sensible approach. My number one concern here is that a decision that has such huge implications like this needs to be in the hands of the user, and most importantly, opt-in rather than opt-out.

In situations where an enterprise deploying OpenDNS on their network, it is typically done by changing the forwarders for their LAN DNS server, and they have static IP addresses allowing them to authenticate themselves strongly with OpenDNS.

Unfortunately for Mint users, they won't have this kind of luxury. As soon as they roam onto any network with other users where there is no such agreement with OpenDNS, they will be vulnerable to these sorts of issues. When opting in to OpenDNS, users typically do it will full knowledge of these repercussions and take steps to address it by setting up an account.

I think it's very important to make sure the view that OpenDNS does not like people engaging in behaviour like Mint has is articulated somewhere on the OpenDNS website, as I fear this is not an isolated incident, or will be the last!

I am however less impressed with the lack of response from Linux Mint's developers. This is a grave privacy and security issue because of the potential for other networks users (not even network administrators) to impose restrictions on users of OpenDNS without authorisation. In addition, NXDOMAIN hijacking I would be less upset about if I knowingly opted in to the OpenDNS service, but Mint has made that choice for me.

If I were naïve to the workings of DNS, I'd suspect foul play on the part of Mint, such as a revenue sharing agreement. It wouldn't be the first time that a Mint [0] or another distributor [1] has engaged in such conduct!

Sadly this has left me with a bad experience from Mint.

Michael.

References:
[0]: https://lwn.net/Articles/471484/
[1]: https://lwn.net/Articles/428196/