OpenDNS Offers Speed and Security

By optimizing lookups and providing some security against phishing attacks, OpenDNS brings welcome improvements to a key service.

By Charlie Schluting | Posted Jun 6, 2007
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn
Charlie Schluting

OpenDNS is a great idea. It's a public, non-evil service that provides both performance improvements and a safety net for all Web browsing. Oh, and it's free. We can't help but wonder why it took this long for something like OpenDNS to come around.

Let's take a look at why this is a really useful service, first from the home user's perspective, then from the "network administrator's" viewpoint.

DNS is, of course, the magic goo that makes the Web work. When you request a Web site, say google.com, your computer must turn that into an IP address before making a connection to the remote site's Web server. The amount of time it takes to load a page can be completely dependent on the remote Web server, but most of the time there are other factors involved.

When you obtain an IP address for your computer (or router) from your ISP, it also gives you a few DNS servers to use. Your ISP normally runs these, and they are likely not run well. Every additional millisecond that you wait for a DNS response is noticeable; Web sites will often appear to load slowly because of slow DNS responses.

OpenDNS's first purpose was to provide humongous caches of DNS information. All DNS servers cache entries, but if only a few thousand people use a server, the server's cache isn't going to be very large. An extremely large cache of the most popular domains means that a DNS server can respond without contacting the root servers. If an entry isn't cached, the DNS server must contact the root servers to find out what the Name Server record for the domain is, and then it must contact the domain's server. All in all, it's a slow process when an entry isn't cached.

Aside from providing a huge cache for performance reasons, OpenDNS also implemented some neat (and some not-so-neat) frills.

Intercepting DNS requests for known phishing sites (define) and substituting your own IP address, which points at a Web page to notify users about the evilness of the site, can counter phishing attempts. Many commercial products do nothing more than that, and they cost thousands of dollars per year.

OpenDNS provides real-time phishing site interception. It's not foolproof, because it does rely on blacklists of known phishing sites, but it will likely catch the majority of all phishing attempts. OpenDNS lists the most common blacklist provider in its FAQ, citing that these are the "public" ones it can talk about. This implies it also uses a secret DNS blacklist, which is maintained very well.

Phishing interception alone is reason enough to point your family's home computers at OpenDNS's servers. It's a simple configuration change in all operating systems, and their Web site shows you how.

The Business Case

But that's just the tip of the iceberg. Every small to medium business IT consultant, small-time ISP, or any other advice purveyor should be touting OpenDNS. Another feature that's only available with extremely expensive network equipment, or extremely expensive Linux admins who are clue-full enough to set up a similar solution, is Web site filtering.

OpenDNS allows you to create an account to change some settings, and one of those happens to be Web site filters. Just like an expensive proxy server, you can give a list of unwanted Web sites, and all of your OpenDNS-using machines will be restricted. Now, this certainly isn't foolproof, but it keeps the honest people honest. Real proxy servers aren't foolproof either, by the way.

It's all peaches and cream, right? Well no. OpenDNS is a company, which is a good thing. Its employees are dedicated and experienced enough to run this great service in a reliable and effective manner. Unfortunately nobody works for free. OpenDNS's revenue is ad-based. When you get redirected from a known phishing site, you also get to view a few advertisements. If you've configured domain blocking, the Web page you view that notifies you of your restriction is also laden with advertisements.

However, they are all text-based ads, and they're only shown in a few instances. If you enter a non-existent domain in your Web browser, the OpenDNS page will present you with a "Did You Mean" list of suggestions. It looks just like Google, but the search button says, "Powered by Yahoo!" This confuses us greatly.

In a show of extreme non-evil, OpenDNS does not display ads when you make a common typo. Let's say you type "yahoo.cm" in your browser's address bar. That's a perfect opportunity for the service to jump in with ads, but no, it just corrects it to "yahoo.com" and sends you on your merry way. A standard Web browser would have no choice but to return an error, but if you use OpenDNS, common typos are O.K.

We've probably left out some features, but here's a quick rundown of the most useful and impressive OpenDNS benefits:

  • Massive cache, seeded by millions of Web surfers, which can provide amazingly fast DNS responses
  • Phishing interception
  • Domain typo correction
  • Custom logos on the "oops" pages (along with the ads—you can't get rid of those)
  • Site-specific settings, to block certain domains, for example

OpenDNS is poised to take advantage of the masses, but unlike past DNS "enhancements," it's non-evil. And I don't mean the Google "non-evil until nobody is looking" type of non-evil. So don't worry about man-in-the-middle attacks; OpenDNS is great, and competent enough to run secure servers, so that other evildoers can't take advantage of their position.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter