Why It's Time to Think About Managed DNS
Google has made waves with its new DNS service. Here's why you should be thinking about hosted DNS, too, and why OpenDNS should see Google's move as an opportunity.
Clearly, recursive DNS service matters. Google (arguably) doesn't get involved in offering services that are unimportant. Google entering the space can be nothing but good for the existing mainstay, OpenDNS, which offers a much broader set of features than Google's DNS service. (We reviewed OpenDNS in 2007.)
Google's entrance is good news because many people still have no idea how much DNS really matters. ISPs' overloaded and rarely maintained DNS servers, adding even half-seconds to response times, play a big role in how fast Web sites seem to respond. Hopefully for OpenDNS, Google's marketing prowess will get the word out, and OpenDNS will see some benefit by offering a superior service.
Speed, however is not the only reason DNS matters. DNS is a vulnerable point in terms of security, possibly enabling phishing and redirection attacks that even security experts wouldn't notice happening. DNS is scary and important, but neither home user nor enterprise IT pay it much attention. Luckily, OpenDNS (and now Google) have chosen to specialize so users don't need to.
Security people will say speed is only a nice-to-have. Depending on your point of view, it may be the sole deciding factor when switching to a free DNS provider.
Each Web site visited can invoke as many as 5-50 or more DNS lookups, due to advertising or other third party content that often gets integrated within sites. In fact, you will be hard pressed to find a Web site that doesn't have at least one external image, ad, or other piece of data. Fortunately for Web developers, bloggers, and the like, the trend is continuing toward more disparate content being easily mashed together. This is, however, unfortunate for the consumer of the Web site, due to the need to load content from many different sources.
The previous example even assumed everything was working fairly well. ISP-run DNS servers do not often fall into that category. DNS lookup time can easily comprise half (or all) of your Web-site-loading waiting time. This, is why speed matters. Large DNS caches with millions of users to "prime" the cache data means a drastically improved Web experience for all of them.
Many things are possible when DNS is leveraged appropriately, including:
- Security: botnet detection and blocking, phish blocking, blacklisting, etc
- content filtering
- custom DNS failure behavior
- spying on your significant other
We aren't used to writing about non-enterprise products, but since DNS service has such applicability in both consumer and enterprise usage, we took at stab at connecting with the consumer audience with that last bullet point.
DNS is an effective security monitoring tool. Compromised hosts on a network may be told to use a rogue DNS server in Russia, for example, which will return a different IP address for banks and other important sites. Also, a compromised machine will execute DNS lookups to find botnet controllers. This activity can be both monitored for and blocked, but requires use of real-time blacklists and other time-consuming tools to get the most up-to-date information about Internet wrongdoings.
Using a DNS service that focuses on and specializes in doing this makes a tremendous amount of sense. That is, if it allows you to control the experience. Google does not, but OpenDNS provides a Web interface to manage your network(s). You can block access to specific sites, view statistics, and manage various networks individually.
For corporate users, managing allowed sites via DNS is more cost effective than purchasing a Web proxy appliance and person to manage it. We're regrettably beginning to sound like an advertisement, but that is inevitable when talking about something this exciting; OpenDNS even allows you to select categories, e.g. adult content, so managing the content filters is mostly hassle free.
"Is it secure?" you may be wondering, worrying that some user on your network could easily bypass this mechanism. With proxy appliances, enterprising users within your network will find a way around them by running their own proxy elsewhere on the Internet. Blocking these is nearly impossible, but many IT organizations spend mind-boggling amounts of time trying to. With DNS, it is much easier. Sure, users could configure a different DNS server, but your firewall would block all port 53 traffic except that headed to the sanctioned DNS server. The truth is, extremely smart users can still get around this, but that subset of users is quite small.
Ultimately, we're excited that DNS is getting the attention it deserves. Sure, when a security issue comes up everyone scrambles to patch and fantasize about DNSSEC, and people in the security circles do talk about DNS frequently. But nobody addressed the important speed problem, nor made it easier to secure a network, until these free DNS services popped up. Now that DNS service is popular to talk about again, let's not even think about the big scary Google knowing more about you when deciding which to use; think of the features.