Linux.com

Feature

Faster, safer Internet with OpenDNS

By Mayank Sharma on January 31, 2007 (8:00:00 AM)


The domain name system (DNS) maps human-understandable Web site addresses into numeric IP addresses. Launched in July 2006, OpenDNS adds a few free services on top of the traditional DNS to block phishing Web sites and auto-correct common misspelled URLs. And thanks to some clever traffic routing and load-balancing technology, OpenDNS can also deliver Web pages faster.

"OpenDNS runs a really big, smart cache, so every OpenDNS user benefits from the activities of the broader OpenDNS user base," says Allison Rhodes, community manager of OpenDNS. She says OpenDNS runs a high-performance network that is geographically distributed and serviced by several redundant connections. Currently, OpenDNS has four servers in the US and one in the UK. Live system statistics are available for all the servers. You can also view the current status of the servers and daily DNS requests for the past 30 days. On a typical day last month, Rhodes says OpenDNS responded to half a billion DNS queries.

"We have large clusters of servers in each of our five locations," says David Ulevitch, founder and CEO of OpenDNS. "We not only distribute our load locally within each cluster, but we distribute our load globally using the border gateway protocol. Every OpenDNS user always reaches our closest datacenter automatically, no matter where he is on the planet. This means that each time we bring up a new location we increase our reliability, decrease latency, and increase performance for our users."

But with servers only in the US and UK, what about users in, for instance, Asia? Ulevitch explains that users in Asia are serviced through the Seattle and Palo Alto datacenters and get a better performance from OpenDNS than their local nameserver, because latency is not the only determinant in nameserver resolution performance. "We operate a high performance nameserver with a large cache on our widely deployed network, which means we are also very close to other nameservers on the Internet."

I tested that claim from my home base in India. After switching to OpenDNS, content-laden Web sites like news.com, cnn.com, bbcworld.com, and myspace.com loaded a lot more quickly, ping times were considerably lower, and query response times (measured with dig -x site) to news.com, lxer.com, osnews.com, distrowatch.org, and bbcworld.com were lower by 10 to 25% compared to times when I was using my ISP's DNS.

Users see benefits

My tests confirmed what other OpenDNS customers have found. Robert Grabowsky is the vice president of Ra Security Systems, which provides managed security services for companies, universities, and government agencies with between 30 and 10,000 users. "With so many users to satisfy," Grabowsky says, "it's important to tune security devices to balance the greatest protection with the best possible performance. Many aspects of Web browsing performance have been easily controllable, except for DNS." He believes that administrators don't fully appreciate the benefits of DNS. "Once they get it to work, they set it and forget it without much further thought about performance or anything else for that matter."

Grabowsky chose OpenDNS primarily for its speed. "For Web pages that reference multiple domains, browser page rendering can be the difference between a couple of seconds and 10, 15, or 20 seconds. That is a pretty significant reduction in time, which translates to an increase in user satisfaction."

More than just a fast resolver

Apart from loading Web pages faster, OpenDNS warns naive users when they try to visit a phishing site. "Not only are their DNS responses quick," Grabowsky says, "but they give back even more by protecting users against known active phishing sites."

PhishTank API

If you are a developer and want to make use of the anti-phishing data collected by OpenDNS, read up on the freely available PhishTank API, which is designed to make it easy for developers to incorporate anti-phishing technology into their tools. Opera 9.1 uses data collected by PhishTank to protect its users from phishing sites.

OpenDNS uses PhishTank, which is an online collaborative anti-phishing database. The PhishTank data, when tied to OpenDNS, protects users by blocking DNS lookup queries that match an entry in the database. "The PhishTank data," says Ulevitch, "comes from the community. Members of PhishTank submit suspected phishing sites via the Web, email, or API. Other members of the community verify whether a submission is or is not a phish. Each member's accuracy over time affects the influence of their vote. Those members who have contributed the most, and been the most accurate, have the most weight in the community decision about whether a site is phishing or not."

Another benefit of using OpenDNS is convenience. OpenDNS corrects common spelling mistakes on the fly, so if you accidentally type ".cm" or ".cmo" instead of ".com," you'll still get to the site you intended to visit. If the site doesn't exist, you'll end up on a search results page with advertisements. That's where OpenDNS makes money. "OpenDNS makes money by serving clearly labeled advertisements on search results pages where we cannot resolve the URL you're trying to get to," Rhodes says.

To some this might bring back memories of VeriSign's highly unpopular Site Finder service. VeriSign used Site Finder to display information about products by redirecting users who tried to access unregistered domains. OpenDNS says that unlike VeriSign, OpenDNS is an opt-in service.

In December OpenDNS added another free service called CacheCheck to assist domain owners. Rhodes says, "If you are moving a domain from one DNS host to another, CacheCheck can help you make that transition smoother. In effect, you tell OpenDNS to 'refresh now,' ahead of Time-To-Live (TTL) expiration." This will refresh the OpenDNS cache, flushing the old entry, and will direct visitors to the new location of a domain. CacheCheck can also be used by people trying to visit a domain that isn't resolving. It helps explain the reasons for a domain's non-availability (for example, non-responsive nameservers) and in some cases can help fix the problems themselves by refreshing the cache.

Appeals to ISPs

With its speed, phishing protection, typo correction, and control, OpenDNS naturally appeals to ISPs, who can use OpenDNS for free. Jeffrey A. Campbell is the general manager of Express High Speed Internet, a broadband ISP in the Turks & Caicos Islands, British West Indies. "Our connectivity is via sub-sea fiber to the US Internet backbone. Our upstream provider has poor US connectivity, and as a result DNS lookups were taking a very long time to complete," Campbell says.

He says that since Express High-Speed started using OpenDNS, it has saved 80ms+ in lookup time. "As we do about 3,400 Web requests a minute, and move approximately 65GB a day of Web data, this can make a huge difference in perceived end user response time. Overall, unscientifically, users noticed a 1-3sec improvement in loading a complex Web page like www.news.com."

Campbell says, "We added OpenDNS to our network as our primary forward resolvers on both of our large Web caches (2TB and 400GB), which handle our Web load 80/20. We run Bind9 locally on both of the machines to cache responses so that we don't introduce extra latency when the cache confirms each IP."

Campbell says his users appreciate other features of OpenDNS as well, such as typo correction and phishing protection. "I've been in the ISP business since 1994 and I think [OpenDNS] is one of the most dramatic and easily implemented performance enhancements available."

Using OpenDNS

Setting up OpenDNS is fairly simple. There's no software to download. All it requires is changing your default DNS nameservers to those of OpenDNS. If you know where to specify the DNS nameservers, simply replace your existing ones with OpenDNS's 208.67.222.222 and 208.67.220.220. If you aren't sure, use OpenDNS's detailed instructions with screenshots for several popular routers, operating systems, and mobile phones.

You can also register a free account with OpenDNS that will allow you to control the DNS features provided by OpenDNS. You can, for example, disable typo correction and phishing protection on your IP address or enable dynamic DNS update if you want to use OpenDNS and don't have a static IP address. In addition to this, users also get a couple of graphs showing traffic details on their IP address for the last 30 days.

"There is no other service," Ulevitch says, "that delivers different DNS preferences to different users in real-time, giving the user management of network preferences at the DNS level." He says that this transfer of control of DNS settings to users signifies the "open" in the company name.

As to the future of OpenDNS, Rhodes says, "We're seeing that ISPs and enterprises have found tremendous value in the service we provide. So as we continue to improve OpenDNS for our current customers, we're also working on features that will be useful to ISPs and enterprises."


Comments

on Faster, safer Internet with OpenDNS

Note: Comments are owned by the poster. We are not responsible for their content.

*Wrong!*

Posted by: Anonymous Coward on January 31, 2007 06:54 PM
OpenDNS tries to solve an application level problem at the network level. This is the wrong approach.

Example:
www.geocities.com/~hacker is a page with an exploit.

How does OpenDNS fix this? It can't, or it can block all of www.geocities.com

Wrong solution.

#

Re:*Wrong!*

Posted by: Anonymous Coward on February 04, 2007 05:54 AM
How is blocking the IP address of a phishing site an application layer problem? Security is something that can be implemented at several levels.

#

Re:*Wrong!*

Posted by: Anonymous Coward on February 06, 2007 04:08 PM
Read my example.

#

Wow.

Posted by: smaugfred on January 31, 2007 07:21 PM

The first comment is just too nice. Let me explain:



The domain name system (DNS) maps human-understandable Web site addresses into numeric IP addresses...



That shows a deep understanding of the DNS. In fact, for the author, the equation Internet == WWW seems to hold :-(



and auto-correct common misspelled URLs



This one is downright worrying.



And thanks to some clever traffic routing and load-balancing technology, OpenDNS can also deliver Web pages faster.


So nowadays the delivery of Web pages is the job of DNS?


I really, really hope that this thing ain't serious. Sorry-

#

Re:Wow.

Posted by: Anonymous Coward on January 31, 2007 10:37 PM
>> So nowadays the delivery of Web pages is the job of DNS?

I suspect he's saying that web pages will return faster because the DNS request will be faster.

If that is true, then I agree with that statement. What I don't agree with is that their doing so is unique or that they were particularly clever in doing so. IP anycast has been in use for years on most of the root servers, and many other DNS servers as well. In a nutshell you give geographically distributed servers the same IP address and advertise them into the global routing table from different peers. Because there can be only one route in the IP routing table, each BGP router in the Internet picks the fastest route.

The auto correction of misspelled URLs reminds me of when Verisign put wildcards at the root level to do something similar. That didn't last long because of public outcry.

Sean

#

Re:Wow.

Posted by: Anonymous Coward on January 31, 2007 10:41 PM
> The auto correction of misspelled URLs reminds me of when Verisign put wildcards at the root level to do something similar. That didn't last long because of public outcry.

Heh, I should really have read closer, I see they addressed that.

#

What does this have to do with Linux or Open Src?

Posted by: Anonymous Coward on January 31, 2007 07:43 PM
Umm...folks...you have written and posted an ad for a private company, as a "news" article. This is not news. It's an ad. Furthermore, it has nothing to do with either Linux or Open Source.

What's going on here?

#

How is this service profitable for them?

Posted by: Anonymous Coward on January 31, 2007 08:13 PM
This is all I would like to know, when I hear about free services.

#

Re:How is this service profitable for them?

Posted by: Anonymous Coward on January 31, 2007 11:59 PM
most services on the internet start out free, if they become popular and lock in many users then they start charging money.

#

Re:How is this service profitable for them?

Posted by: David Ulevitch on February 01, 2007 01:43 AM
That's not true.

I've never charged a cent for EveryDNS and it's been profitable for about six years now.

Yahoo Mail is still free.

Google is still free.

Not sure what you're talking about there... Some sites certainly move to a model where you can upsell a more premium service but keep the core service free. There's nothing wrong with that.

OpenDNS makes money right now. Not enough, but it makes money. :-)

-david

#

Re:How is this service profitable for them?

Posted by: Anonymous Coward on February 02, 2007 08:40 AM
They know your IP address, and they know *every* site you visit. How much is that information worth?

Paul.

#

You mean "open" as in "beer"?

Posted by: Anonymous Coward on February 01, 2007 12:44 AM
So, all the open in OpenDNS stands for is free as in beer? How did this article make it into Newsforge?

Honestly, OpenDNS might be interesting for some, but this article also seems to be quite misleading. Are you sure this is not an ad? From all the praise OpenDNS receives it almost seems like that...

#

Re:You mean "open" as in "beer"?

Posted by: Anonymous Coward on February 01, 2007 04:03 AM
If you're using dnsmasq you can block their advertisement page with

bogus-nxdomain=208.67.219.40

#
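
The bogus-nxdomain line in the comment above tells dnsmasq to turn any reply containing that address back into a "no such domain" answer. As an added example (not code from the article, the commenters, or dnsmasq), the Python below applies the same rule to constructed DNS wire-format responses; the function names, sample hostnames and the 192.0.2.10 address are assumptions made for illustration.

```python
import socket
import struct

# Address the commenter lists for the advertisement page (from the comment above).
BOGUS_IPS = {"208.67.219.40"}
NOERROR, NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def skip_name(msg, off):
    """Return the offset just past a DNS name, compressed or not."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [(ttl, ipv4), ...]) for A records in the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, answers


def effective_rcode(msg, bogus_ips=BOGUS_IPS):
    """Treat a NOERROR reply that points at a listed address as NXDOMAIN."""
    rcode, answers = parse_response(msg)
    if rcode == NOERROR and any(ip in bogus_ips for _, ip in answers):
        return NXDOMAIN
    return rcode


def build_response(name, rcode, ips, ttl=60):
    """Build a constructed sample response (test data, not captured traffic)."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1
    msg = struct.pack("!6H", 0x1234, flags, 1, len(ips), 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        msg += socket.inet_aton(ip)
    return msg


# Constructed samples: a rewritten miss, a genuine answer, an honest NXDOMAIN.
REWRITTEN = build_response("no-such-host.example", NOERROR, ["208.67.219.40"])
GENUINE = build_response("www.example.com", NOERROR, ["192.0.2.10"])
HONEST_NX = build_response("no-such-host.example", NXDOMAIN, [])

if __name__ == "__main__":
    for label, msg in (("rewritten", REWRITTEN), ("genuine", GENUINE),
                       ("honest-nx", HONEST_NX)):
        print(label, parse_response(msg), "->", effective_rcode(msg))
```

A mail filter or other client that depends on NXDOMAIN can apply effective_rcode to each reply before deciding whether a name exists.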

Hops

Posted by: Anonymous Coward on February 01, 2007 01:14 AM
With my ISP I have less router hops.

Nice that they offer free DNS service though. But in order to use their DNS service, you have to trust them, because technically they could point your bank or anything site to any address that they want if they had intentions to do so.

I need 100% assurance of privacy, security, safety and anonymity of my DNS provider.

#

Re:Hops

Posted by: David Ulevitch on February 01, 2007 01:41 AM
Hi,

We have a very clear privacy policy. What's the privacy policy of your current ISP?

Also, we're focused on DNS meaning we're less likely to succumb to things like cache poisoning attacks or similar threats compared to networks which might run older versions of BIND or similar software which have a history of being susceptible to various attacks.

That's not a FUD argument I'm making, just some perspective. But you're right, ultimately you have to trust us, just like you trust your ISP or your phone company.

#

Re:Hops

Posted by: Anonymous Coward on February 01, 2007 05:27 AM
"they could point your bank or anything site to any address that they want"

Of course they couldn't. Unless you're stupid enough to do your online banking without worrying about ssl.

The trust you need to give them is that they won't do dumb things with the incorrect or phishing urls. Personally, I would never use OpenDNS because of this. You just don't mess with a protocol as established and important as dns. Maybe, maayybee if it were used only for web browsing but that's obviously not the case.

#

PingTimes reduced??? Doubtful.

Posted by: Anonymous Coward on February 01, 2007 02:47 AM
"After switching to OpenDNS, content-laden Web sites like news.com, cnn.com, bbcworld.com, and myspace.com loaded a lot more quickly, ping times were considerably lower, and query response times (measured with dig -x site ) to news.com, lxer.com, osnews.com, distrowatch.org, and bbcworld.com were lower by 10 to 25% compared to times when I was using my ISP's DNS."



How could DNS affect ping times when the timer doesn't start until after DNS resolution has completed?

#

... with OpenDNS

Posted by: Anonymous Coward on February 01, 2007 04:57 AM
Where's the source?

#

What crappy reporting!

Posted by: Anonymous Coward on February 01, 2007 05:39 AM
As others have pointed out, it's real heartwarming how the so-called journalist has written a long advertisement for a company without doing a bit of research into things that might be wrong with it. This has been discussed all over the web many times.

Speed. There's no reason to be proud of beating the average isp's dns server. You want speed? Run bind on your own home server. It's not like there's any innovation here, they're just doing decently what most isps seem to really suck at.

Spelling correction and phishing guarding. Sorry, this is a very bad thing to be doing via dns. Far, far better to do it via the browser (many already correct spelling mistakes) where it can be more carefully controlled. Nevermind the raft of other non-web applications that should not be corrected. Dns should never have fuzzy results, based on someone's best effort to fix a problem. If you screw up (give the wrong domain name) fix it, don't continue in ignorance of your mistake.

#

Breaks anti-spam and other NX domain tests

Posted by: Anonymous Coward on February 01, 2007 05:51 PM
If they're redirecting requests for non-existent domains to their ad server, that's exactly like VeriSign's service. Yes, this one is "opt-in" instead of "the whole world must use it", but it still has the same fundamental problem of turning every domain in the world into a domain that exists.

Also, the reporting is just shoddy... As others have pointed out, DNS does nothing to reduce ping times, and further "dig -x" is for looking up PTR records (by automatically doing the 1.2.3.4 to 4.3.2.1.in-addr.arpa conversion for you), not A records (which is what news.com would resolve to).

The only argument I actually buy is that it might allow sites with lots of ads to load faster because it has all the ad server addresses cached already.

On the other hand, a lot of content delivery services rely on your ISP's IP address to know roughly where you are, so they know which content server their globally load-balanced DNS should tell you to go to. With OpenDNS, you'll get the content server closest to the OpenDNS cluster, which is probably not a good thing if you're in Asia and there's a local content delivery server (because you'll get the content from the US instead of your near-by server).

--
chort / http://www.smtps.net/

#

OpenDNS watch

Posted by: Anonymous Coward on February 05, 2007 03:32 AM
There is nothing about OpenDNS that is Open. They fraudulently market themselves as being "open", the only thing open about OpenDNS is the name.

There are no configuration files, data files, programs, source code, or technical details or specifications that are publicly available. The in-house DNS server is not possible for people to obtain. So exactly what here is "open" ?

PRIVACY - ( http://www.opendns.com/privacy/ )
* Cookies - OpenDNS use cookies, it places them on all visitors who visit the OpenDNS website, even if they do not have an account. They use this to track the visitors. "OpenDNS uses cookies to help OpenDNS identify and track visitors, their usage of OpenDNS website, and their website access preferences."
* Aggregated Statistics - OpenDNS collects statistics of what websites you visit, and which you visit most frequently.
* IP addresses - "OpenDNS also collects potentially personally-identifying information like Internet Protocol (IP) addresses of website visitors and IP addresses from which DNS requests are made.", there is no reason why they should collect the IP addresses from which DNS requests are made, this is bad for your privacy as it allows them to see every website you visit.

TERMS OF USE ( http://www.opendns.com/terms/ )
Rules and Conduct - The OpenDNS rules of conduct, forbids you from downloading warez, forbids you from saying "John, I am gonna kick your ass if you don't give me a cheeseburger", forbids you from IM'ing someone saying they're dumb, forbids you to watch obscene pictures on the Internet. Forbids you from downloading software that contain viruses, forbids you to pretend you are someone you're not.

ADVERTISEMENT
Everytime you try to resolve a domain name that does not exist, it resolves to an IP address running a webserver with advertisement. This will put unnecessary stuff into your cache in your browser, and cause unnecessary waste of your bandwidth, which if you use an ISP where you pay for your bandwidth, it will cost you. If you use anything other than a web browser, it will try to connect to the IP address and fail to connect instead of not just bothering to connect since the address does not really exist. This is not all that different from "Site Finder".
It breaks anti-spam and other NX domain tests.

#

Re:OpenDNS watch

Posted by: Anonymous Coward on February 28, 2007 10:54 PM
S, I Agree, In an open network we can't trust anybody. In OpenDNS, Our start page is going via somebody's server. Since we are using net for banking this is not advisable.

If we need still, can setup our own DNS cache server.

#

Faster, safer Internet with OpenDNS

Posted by: Anonymous [ip: 168.234.233.19] on September 14, 2007 05:41 PM
We have received so many suspicious activity from OPENDNS servers....

Snort says ..... five times ...

208.67.222.222 xxx.xxx.xxx.xxx DNS SPOOF query response with TTL of 1 min. and no authority

#

This story has been archived. Comments can no longer be posted.



 