If you’ve considered a free DNS service for your client resolving needs, there is more than one game in town, now. DNS Advantage, a NeuStar, Inc. service, has just come online. Should you think about switching away from OpenDNS? Should OpenDNS be worried?
First, some background is in order. OpenDNS, which we wrote about last June, is the leading provider of free DNS services. DNS services of this nature may be called client resolving, recursive DNS, and we’ve recently heard the confusing term, “external DNS.”
About DNS Services
DNS is, of course, the magic goo that makes the Web work. When you request a Web site, say google.com, your computer must turn that into an IP address before making a connection to the remote site’s Web server. The amount of time it takes to load a page can be dependent on the remote Web server, but most of the time there are other factors involved.
When you obtain an IP address for your computer (or router) from your ISP, it also gives you a few DNS servers to use. Your ISP normally runs these, and they are likely not run well. Every additional millisecond that you wait for a DNS response is noticeable; Web sites will often appear to load slowly because of slow DNS responses.
Free DNS providers, for client computers, are focused on providing fast response times. They do this by caching large amounts of data, so that a DNS request can be served from local data, as opposed to doing a full recursive lookup. A full lookup involves asking the root servers for a Name Server (NS) record for a domain, and then asking that domain’s server for the answer. Suffice it to say: much faster from a local cache. There’s strength in numbers; the more people that a DNS server, the faster it is, because it will have more cached data.
The real advantage, and something OpenDNS has taken advantage of, is that by controlling the resolver, you can block access to certain Web sites. Known phishing sites, for example, can be made inaccessible without resorting to expensive appliances and proxies installed at each site.
New on the block, DNS Advantage, provided by UltraDNS, run by NeuStar, seeks to take some market share from OpenDNS. The service’s Web site lists a remarkably similar set of features, yet the only one that appears to be working is the fundamental resolving itself … almost.
When you enter a domain that does not exist in your Web browser, for example, UltraDNS tries to redirect you to a special page, searchportal.information.com. During our testing, this page rarely loaded, leaving us with the impression that our non-existent test domains actually existed but were simply slow to load. Perhaps we just tested at a bad time. When it does work, you get dropped onto the search page at information.com. OpenDNS, by contrast, attempts to correct the most common typos and send users on their ways—without advertisements.
Furthermore, DNS Advantage advertises that its DNS servers will block access to malicious sites, such as ones containing malware or phishing pages. During our testing we were unable to trigger this blocking.
Using publicly available data from anti-phishing sites such as Spamhaus and PhishTank), we attempted to access sites that have been identified as suspicious or plainly malicious for months. We were never denied access via DNS Advantage’s blocking service. Firefox, on the other hand, ended up blocking most of the sites using its blocklists. Using DNS Advantage provided no Advantage in this regard.
The DNS Advantage FAQ concedesthat the service’s malicious site blocking isn’t perfect:
Q. I found a website DNS Advantage should be blocking. What should I do?
A. We do our best to stay on top of the growing list of blocked domains. However, there may be some that we don’t protect against yet. We are in the process of creating a mechanism to submit these types of websites to us.
During our testing, the value of “some” was equal to 100 percent of the 150 sites we attempted to visit while using DNS Advantage for DNS queries.
DNS Advantage also has no mechanism by which users can block certain Web sites for all of their clients, but the FAQ says this functionality is in the works.
OpenDNS includes some fancy features for its users’ domains. They can configure OpenDNS to block Web sites, based on the criteria they specify, for all of their client machines. This includes adult sites, social networking sites, and whatever else they specify.
OpenDNS also allows remote sites to configure a custom redirection page, so users aren’t just blindly redirected to some foreign site with no rationale. Couple that functionality with the DNS activity reports OpenDNS also provides, and OpenDNS is a clear winner.
Features aside, a major benefit to using DNS providers is speed. Huge caches of DNS information provide the fastest possible Web browsing experience, if the services are stable. Until last week, dnsadvantage.com indicated that “a portion of” the UltraDNS servers were utilized for the DNS Advantage service. Currently, the Web site indicates that all 14 servers run by UltraDNS are used for DNS Advantage services.
OpenDNS’s Web site shows the locations of its five geographically dispersed servers, with plans to add another soon. Both providers publish this information, but the piggy-backed nature of DNS Advantage (on UltraDNS) is questionable, considering the changes in published data we observed.
DNS Advantage has shown that the barrier to entry for free DNS providers is quite low, but an easy peek under the covers reveals that the DNS service itself is not what’s most important. Even assuming that a newcomer can provide equally stable and speedy DNS responses, the true value add is in the features.
Given that the stability is there, OpenDNS provides the required stability and speed, and it offers truly innovative features to help users manage their sites. OpenDNS seems more seasoned and focused on the problem at hand: We recommend sticking with it.