Comments on: More about OpenDNS, including adult site filtering

Following up on the previous posting that introduced OpenDNS.

[kjzxdhfjkuhds]

this advice is bogus. recursive dns is extraordinarily easy to get right, either as an isp, or an enterprise, or a university, or an individual. most technical people run recursive dns on their laptops so that they are not dependent on anything other than the root, TLD (think .COM), and other authority nameservers where all dns information ultimately comes from. apple, microsoft, ISC BIND, and a whole lot of other alternative software systems, are free for the using. OpenDNS, by comparison, is hardly "a service worth paying for".

[David_Ulevitch]

DNS is easy to setup, you're right -- but that's not enough. It's flakey and it provides no management of a technology that is rife with bad data. Organizations are no longer content (nor should they be) by just letting DNS pass through their firewalls unchecked. BIND does nothing to protect users from malicious content being transited over DNS nor does it provide any tools to let IT folks see what's going on and take steps to remediate it.

I expect that will change, fortunately, as more DNS companies follow our lead.

[BarryRGreene]

I do not see how this is the "best advice" for ISPs and other Service Providers. The fundamental business principle I've seen for financially successful SPs is their ability to understand what their customers are doing with their network. DNS is a valuable tool to mine for that information (with the appropriate national privacy law/regulations applied). Giving this source of information to someone else is giving away the business keys to your network.

In addition, in the world of security, where you customers are unknown victims of crimes, data from your recursive severs (where you can see IP and look-ups) is a powerful and cheap tool to find your victimized customers. Knowing which of your customers are victimized (i.e BOTed) is the first step in helping them AND protecting your network from the miscreant who is controlling their computer. So why would an ISP/SP want to give that away to OpenDNS?

[ruminator]

See OpenDNS Part I -- the reply (12/17/07) to "thedreaming" which echoes the sentiments of these two commenters above. From what has been noted, it appears little if any research or analytical thinking went into the writing of these two OpenDNS blogs.

[David_Ulevitch]

Barry,

Service Providers and their vendors (you) are doing nothing to help provide a better customer experience to end-users. Comcast made that clear when they started deploying Sandvine's technology. Verizon made that clear when they rolled out Paxfire's technology. None of these things do anything to create a benefit for users. None of these things make users more secure.

OpenDNS is the only solution out there focused on delivering value to the user. We're also able to do it for the ISP. The fact that we can let an ISP know about infected customers is invaluable. Companies use our service to discover that today. To streamline that into a service-provider-centric kind of report would be trivial.

Service Providers aren't giving up anything by using OpenDNS -- just the burden of running a reliable and safe DNS service. What they gain is greater user satisfaction, more insight into the DNS traffic on their network and a lower cost of operating their business.

I know you know better, but it doesn't show in your comments.

[David_Burt]

I wrote of the review of OpenDNS filtering here http://filteringfacts.org/2008/01/01/review-opendns-adult-site-blocking/ . I generally agree with Michael's comments -- it's a great home filtering solution for parents with younger children, but not secure enough for other uses without some additional lock down tools. -- David Burt

[nicksgsr]

I suggest St. Bernard and the iPrism group not be considered for any kind of Internet fitering by the readers. Poor product and poor customer service. We purchased three of their hardware appliances (~$12K) which they remotely disabled when we chose not to renew their expensive update service (~$8K/year). The hardware and the update service were separate issues. The hardware management was "klutzy" and didn't permit management at the user or group level. Do not recommend any of their products be purchased because of how they disabled the hardware when we did not renew their update service.