December 19, 2007 10:02 AM PST

More about OpenDNS, including adult site filtering

My previous posting was an introduction to both DNS and OpenDNS. Here, I offer a brief review of the features and services offered by OpenDNS.

First though, let's consider what happens when DNS breaks. As noted previously, the DNS system translates computer names into IP addresses. So if it breaks, it may seem that your Internet connection is broken when in fact, it's fully functional. That is, from your ISP's perspective everything can be working fine, all the lights on your modem and router* can be normal, but still, you can't get to any Web sites without DNS being alive and well.

To see if DNS is the problem, try to access a few Web sites by their underlying IP address. Here are some to try:

CNET.com       http://216.239.122.51
chow.com       http://216.239.116.39
google.com     http://64.233.167.99
opendns status http://208.67.219.60

Speed and reliability

OpenDNS claims to be fast. I don't doubt this is true, but this is probably not reason enough to switch. For one, it may or may not be faster than the DNS servers you now use. And even if it is faster, the speed boost may not be noticeable (it wasn't to me). Still, it's not hard to find people who claim the Internet runs faster after switching to OpenDNS [here and here]

You can get a feel for the speed at SiteUptime, which offers a free Quick Check that can be used to compare the speed of OpenDNS with your current DNS servers. The OpenDNS DNS servers are 208.67.222.222 and 208.67.220.220. Its Getting Started page shows you how to determine your current DNS servers for many operating systems.

Take all these IP addresses to SiteUptime, choose the city closest to you, in the drop-down menu choose "DNS 53," and enter an IP address in the "HostName or URL" box. When I tried this, the two OpenDNS servers responded in 0.010 and 0.009 second, whereas my ISP's DNS servers responded in 0.025 and 0.027 second. Your mileage will vary.

Unlike speed, reliability may well be a reason, in and of itself, to switch. OpenDNS operates servers in five physical locations, two on the East Coast of the U.S., two on the West Coast, and one in London. This is likely a much more robust setup than that offered by your ISP. It also accounts, in part, for its speed claims--it responds to queries from the location closest to you.

Phishing

Phishing protection is perhaps the most defensive computing reason to use OpenDNS. Heck, anything that helps prevent ID theft is a plus.

Of course, the latest versions of Firefox and Internet Explorer also include phishing protection. There should be no conflict between the protection from your browser and from OpenDNS.

Neither Mozilla nor Microsoft say where their phishing data (the list of known bad Web sites) comes from. In typical corporate-speak, Microsoft says it comes from "several industry partners." OpenDNS gets its list of phishing Web sites from PhishTank, a sister company it describes as "...a collaborative clearing house for data and information about phishing on the Internet." Anyone can report suspected phishing Web sites to PhishTank. And you've got to love the name.

Typos

Another type of intelligence added to the DNS name -> IP address translation involves typing mistakes. OpenDNS fixes a handful of common mistakes and sends you to the place you probably wanted to go in the first place. For example, typing www.javatester.og (missing r) will take you to javatester.org. So, too, will wwww.javatester.org (four leading w's) take you to my JavaTester Web site.

Five w's at the front is too much, though; OpenDNS considers that an error. But the error page wisely asks if you meant to go to javatester.org. OpenDNS users can get to CNET using either cnet.cmo or cnet.comm. Not earth-shattering, but all in all, a nice feature to have.
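To make the typo-correction behaviour concrete, here is an added example (not OpenDNS's code, and not the author's) that applies the handful of rules the post mentions: a mistyped suffix such as .og, .cmo or .comm is rewritten, four leading w's collapse to www, and five or more leading w's are treated as an error rather than silently corrected. The rule table is an assumption for illustration; OpenDNS's real list is not published here.

```python
"""Hostname typo correction in the spirit of the OpenDNS feature.

Added example, not OpenDNS's actual rule set. The rewrite table below is
an assumption built only from the examples in the post.
"""

# Assumed suffix typo table (illustrative; the post mentions exactly these).
TLD_FIXES = {
    "og": "org",
    "cmo": "com",
    "comm": "com",
}


def fix_hostname(host):
    """Return (corrected_host, fixed).

    fixed is True when a rewrite rule applied. Returns (None, False) when the
    name should be treated as an error instead of corrected, mirroring the
    post's note that five leading w's produce an error page rather than a
    silent redirect.
    """
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    fixed = False

    # Leading-w rule: exactly four w's collapse to 'www'; five or more is an error.
    first = labels[0]
    if first == "wwww":
        labels[0] = "www"
        fixed = True
    elif first and set(first) == {"w"} and len(first) >= 5:
        return None, False

    # Suffix rule: replace a known mistyped top-level label.
    tld = labels[-1]
    if tld in TLD_FIXES:
        labels[-1] = TLD_FIXES[tld]
        fixed = True

    return ".".join(labels), fixed


if __name__ == "__main__":
    for name in ("www.javatester.og", "wwww.javatester.org",
                 "wwwww.javatester.org", "cnet.cmo", "cnet.comm"):
        print(name, "->", fix_hostname(name))
```

The point worth noticing is the asymmetry: a resolver that rewrites names is making a guess on the user's behalf, so the rules are deliberately narrow (one extra w, a few known suffix slips) and anything outside them falls through to an error page that asks instead of redirecting.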

Site blocking

If you sign up for an account at OpenDNS, then it can block Web sites for you. At home, this could be used to keep children from playing online games while they are supposed to be doing their homework. In a corporate setting, it can be used to prevent access to Webmail as a way of encouraging employees to use the corporate e-mail system. OpenDNS is able to, for example, block Yahoo e-mail (mail.yahoo.com), while still allowing access to the rest of Yahoo.

The bad news here is that I can't see how this blocking can be enforced. A knowledgeable computer user can simply change the DNS servers used by the operating system.
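The enforcement gap described above has a network-side counterpart: if the router or firewall logs outbound connections, any DNS traffic (port 53) going to a destination other than the resolvers you configured is a machine whose DNS settings have been changed. The following is an added example, not from the post or from OpenDNS; the log line format is iptables-style key=value fields and every address in the sample lines is constructed.

```python
"""Spot LAN hosts that send DNS queries somewhere other than the chosen resolvers.

Added example, not from the post. Assumes a router/firewall that logs
outbound connections in an iptables-like "SRC= DST= PROTO= ... DPT=" format;
the sample lines and addresses below are constructed.
"""
import re

# The two OpenDNS resolvers named in the post.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed log format: only the fields we need are captured.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)\s+.*?DPT=(?P<dpt>\d+)"
)


def parse_log_line(line):
    """Return a dict of src/dst/proto/dpt for a matching line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def find_resolver_bypass(log_lines, allowed=OPENDNS_RESOLVERS):
    """Map each source host to the sorted list of unapproved DNS servers it
    contacted. Hosts that only talked to allowed resolvers are omitted."""
    bypass = {}
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["dpt"] != 53 or rec["proto"] not in ("UDP", "TCP"):
            continue  # not DNS traffic
        if rec["dst"] in allowed:
            continue  # going to a resolver we configured
        bypass.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in bypass.items()}


# Constructed sample: .12 has pointed itself at a resolver outside the set.
SAMPLE_LOG = [
    "Dec 19 10:02:01 router kernel: FW-OUT SRC=192.168.1.10 DST=208.67.222.222 PROTO=UDP SPT=51234 DPT=53",
    "Dec 19 10:02:03 router kernel: FW-OUT SRC=192.168.1.12 DST=198.51.100.53 PROTO=UDP SPT=40001 DPT=53",
    "Dec 19 10:02:04 router kernel: FW-OUT SRC=192.168.1.12 DST=203.0.113.80 PROTO=TCP SPT=40002 DPT=80",
    "Dec 19 10:02:05 router kernel: FW-OUT SRC=192.168.1.12 DST=198.51.100.53 PROTO=TCP SPT=40003 DPT=53",
    "Dec 19 10:02:06 router kernel: FW-OUT SRC=192.168.1.15 DST=208.67.220.220 PROTO=UDP SPT=40004 DPT=53",
]

if __name__ == "__main__":
    for host, servers in find_resolver_bypass(SAMPLE_LOG).items():
        print(f"{host} is using unapproved DNS servers: {', '.join(servers)}")
```

The same allowed-list is what you would put in an outbound firewall rule on the router (permit port 53 only to the configured resolvers) if you wanted to turn the observation into enforcement; the log check above is the cheaper first step because it tells you whether anyone is actually doing it.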

If you're dealing with children though, the "adult" Web site blocking might be very handy, and it's free. OpenDNS has partnered with the iGuard team at St. Bernard Software to provide it with a list of "adult" Web sites it claims is updated daily. How good is this list? Test it for yourself at opendns.com/support/adult/. If it blocks a Web site by mistake, you can override it using a white-listing feature.

Setting it up

The instructions for enabling OpenDNS on its site are pretty good, but they are click-here-type-this instructions and not defensively oriented.

One thing I would add to the instructions is to make a note of your current DNS servers so that, if need be, you can revert back to them. Also, if you have multiple computers on a LAN and want to kick the tires on OpenDNS before fully converting, then change only one computer to use the service.

Finally, you may think you have converted an entire network to OpenDNS, but all the ducks may not be in a row. Normally, computers on a LAN are assigned their DNS servers at the same time they are assigned an IP address, using a protocol called DHCP. Thus, the standard way to convert all machines to OpenDNS is by modifying the DHCP server software. In non-techie terms, this means making a configuration change to the router. However, it is possible for a computer to always use certain DNS servers regardless of DHCP. So after modifying the router, I suggest restarting each computer and verifying that it is, in fact, using OpenDNS.

Use OpenDNS

Its start page will tell you if OpenDNS is being used or not, as will its buttons page (see above).
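The advice in "Setting it up" about checking each machine after the router change, and the "Use OpenDNS" page just mentioned, both come down to the same question: which resolvers is this host actually configured with? Here is an added example (not the post's, not OpenDNS's) that answers it from the host side on a Unix-like system by parsing the /etc/resolv.conf format and reporting any nameserver that is not one of the two OpenDNS addresses, which is exactly the case of a statically configured DNS server surviving the DHCP change. The file contents in the sample are constructed.

```python
"""Report which resolvers a host is configured to use.

Added example, not from the post or from OpenDNS. Parses the /etc/resolv.conf
format (nameserver lines; '#' and ';' start comments). The sample file text
below is constructed.
"""

# The two OpenDNS resolvers named in the post.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(resolv_conf_text, expected=OPENDNS_RESOLVERS):
    """Classify a host's resolver configuration.

    Returns a dict with:
      'servers'        - every nameserver found, in lookup order
      'using_expected' - True if at least one configured server is expected
      'all_expected'   - True if every configured server is expected
      'unexpected'     - servers outside the expected set, e.g. an ISP
                         resolver hard-coded on the machine rather than
                         handed out by DHCP
    """
    servers = parse_nameservers(resolv_conf_text)
    unexpected = [s for s in servers if s not in expected]
    return {
        "servers": servers,
        "using_expected": any(s in expected for s in servers),
        "all_expected": bool(servers) and not unexpected,
        "unexpected": unexpected,
    }


# Constructed sample: a machine with a hard-coded resolver listed first, so
# lookups go there before the OpenDNS servers are ever tried.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.example
nameserver 192.0.2.53      ; statically configured, not from DHCP
nameserver 208.67.222.222
nameserver 208.67.220.220
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESOLV_CONF
    result = check_resolvers(text)
    status = "OK" if result["all_expected"] else "CHECK"
    print(f"{status}: servers={result['servers']} unexpected={result['unexpected']}")
```

Run it with no argument to see the constructed sample, or pass the path to a real resolv.conf. Note that the order matters: the first server listed is the one the host will normally use, so "using_expected" being True is not enough, which is why the check reports "all_expected" separately.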

Making money

All the services described so far are free, as are a couple I skipped over. So how does OpenDNS make money? Quoting its Knowledge Base:

"OpenDNS makes money by offering clearly labeled advertisements alongside organic search results when the domain entered is not valid and not a typo we can fix. OpenDNS will provide additional services on top of its enhanced DNS service, and some of them may cost money. Speedy, reliable DNS will always be free."

Time will tell how profitable this is, if at all. The founder, David Ulevitch, claimed the company was "nearly profitable" back in July.

Wrapping up

OpenDNS is a service worth paying for. My hope is that ISPs will pay for it and brag about it as a way to obtain or retain customers. This would be a win for the ISP, which no longer needs to be bothered doing its own DNS, a win for their customers and a win for OpenDNS. The only loser would be the bad guys.

If you take the OpenDNS plunge, you're not alone. Its home page shows how many name -> IP address translations it is doing per second. The last few days it has varied between 37,000 and 46,000. Multiplied out, this comes out to more than 3 billion requests a day. Five months ago, it was handling only 1.4 billion requests a day.

Even if you don't use OpenDNS now, it can come in handy as an emergency fallback, should something go wrong with your current DNS servers.

* I wrote The blinking lights on a router are talking to you back in July.

See a summary of all my Defensive Computing postings.

7 comments
by kjzxdhfjkuhds December 19, 2007 3:00 PM PST
this advice is bogus. recursive dns is extraordinarily easy to get right, either as an isp, or an enterprise, or a university, or an individual. most technical people run recursive dns on their laptops so that they are not dependent on anything other than the root, TLD (think .COM), and other authority nameservers where all dns information ultimately comes from. apple, microsoft, ISC BIND, and a whole lot of other alternative software systems, are free for the using. OpenDNS, by comparison, is hardly "a service worth paying for".
by BarryRGreene December 20, 2007 6:54 AM PST
I do not see how this is the "best advice" for ISPs and other Service Providers. The fundamental business principle I've seen for financially successful SPs is their ability to understand what their customers are doing with their network. DNS is a valuable tool to mine for that information (with the appropriate national privacy law/regulations applied). Giving this source of information to someone else is giving away the business keys to your network.

In addition, in the world of security, where your customers are unknown victims of crimes, data from your recursive servers (where you can see IP and look-ups) is a powerful and cheap tool to find your victimized customers. Knowing which of your customers are victimized (i.e. BOTed) is the first step in helping them AND protecting your network from the miscreant who is controlling their computer. So why would an ISP/SP want to give that away to OpenDNS?
by ruminator December 20, 2007 9:09 AM PST
See OpenDNS Part I -- the reply (12/17/07) to "thedreaming" which echoes the sentiments of these two commenters above. From what has been noted, it appears little if any research or analytical thinking went into the writing of these two OpenDNS blogs.
by David_Ulevitch December 26, 2007 1:34 PM PST
Barry,

Service Providers and their vendors (you) are doing nothing to help provide a better customer experience to end-users. Comcast made that clear when they started deploying Sandvine's technology. Verizon made that clear when they rolled out Paxfire's technology. None of these things do anything to create a benefit for users. None of these things make users more secure.

OpenDNS is the only solution out there focused on delivering value to the user. We're also able to do it for the ISP. The fact that we can let an ISP know about infected customers is invaluable. Companies use our service to discover that today. To streamline that into a service-provider-centric kind of report would be trivial.

Service Providers aren't giving up anything by using OpenDNS -- just the burden of running a reliable and safe DNS service. What they gain is greater user satisfaction, more insight into the DNS traffic on their network and a lower cost of operating their business.

I know you know better, but it doesn't show in your comments.
by David_Burt January 1, 2008 12:48 PM PST
I wrote of the review of OpenDNS filtering here http://filteringfacts.org/2008/01/01/review-opendns-adult-site-blocking/ . I generally agree with Michael's comments -- it's a great home filtering solution for parents with younger children, but not secure enough for other uses without some additional lock down tools. -- David Burt
by nicksgsr February 26, 2008 3:08 PM PST
I suggest St. Bernard and the iPrism group not be considered for any kind of Internet filtering by the readers. Poor product and poor customer service. We purchased three of their hardware appliances (~$12K) which they remotely disabled when we chose not to renew their expensive update service (~$8K/year). The hardware and the update service were separate issues. The hardware management was "klutzy" and didn't permit management at the user or group level. Do not recommend any of their products be purchased because of how they disabled the hardware when we did not renew their update service.
About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
