January 31, 2007

Faster, safer Internet with OpenDNS

Author: Mayank Sharma

The domain name system (DNS) maps human-understandable Web site addresses into numeric IP addresses. Launched in July 2006, OpenDNS adds a few free services on top of the traditional DNS to block phishing Web sites and auto-correct common misspelled URLs. And thanks to some clever traffic routing and load-balancing technology, OpenDNS can also deliver Web pages faster.

"OpenDNS runs a really big, smart cache, so every OpenDNS user benefits from the activities of the broader OpenDNS user base," says Allison Rhodes, community manager of OpenDNS. She says OpenDNS runs a high-performance network that is geographically distributed and serviced by several redundant connections. Currently, OpenDNS has four servers in the US and one in the UK. Live system statistics are available for all the servers. You can also view the current status of the servers and daily DNS requests for the past 30 days. On a typical day last month, Rhodes says OpenDNS responded to half a billion DNS queries.

"We have large clusters of servers in each of our five locations," says David Ulevitch, founder and CEO of OpenDNS. "We not only distribute our load locally within each cluster, but we distribute our load globally using the border gateway protocol. Every OpenDNS user always reaches our closest datacenter automatically, no matter where he is on the planet. This means that each time we bring up a new location we increase our reliability, decrease latency, and increase performance for our users."

But with servers only in the US and UK, what about users in, for instance, Asia? Ulevitch explains that users in Asia are serviced through the Seattle and Palo Alto datacenters and get better performance from OpenDNS than from their local nameserver, because latency is not the only determinant in nameserver resolution performance. "We operate a high performance nameserver with a large cache on our widely deployed network, which means we are also very close to other nameservers on the Internet."

I tested that claim from my home base in India. After switching to OpenDNS, content-laden Web sites like news.com, cnn.com, bbcworld.com, and myspace.com loaded a lot more quickly, ping times were considerably lower, and query response times (measured with dig -x site) to news.com, lxer.com, osnews.com, distrowatch.org, and bbcworld.com were lower by 10 to 25% compared to times when I was using my ISP's DNS.

Users see benefits

My tests confirmed what other OpenDNS customers have found. Robert Grabowsky is the vice president of Ra Security Systems, which provides managed security services for companies, universities, and government agencies with between 30 and 10,000 users. "With so many users to satisfy," Grabowsky says, "it's important to tune security devices to balance the greatest protection with the best possible performance. Many aspects of Web browsing performance have been easily controllable, except for DNS." He believes that administrators don't fully appreciate the benefits of DNS. "Once they get it to work, they set it and forget it without much further thought about performance or anything else for that matter."

Grabowsky chose OpenDNS primarily for its speed. "For Web pages that reference multiple domains, browser page rendering can be the difference between a couple of seconds and 10, 15, or 20 seconds. That is a pretty significant reduction in time, which translates to an increase in user satisfaction."

More than just a fast resolver

Apart from loading Web pages faster, OpenDNS warns naive users when they try to visit a phishing site. "Not only are their DNS responses quick," Grabowsky says, "but they give back even more by protecting users against known active phishing sites."

PhishTank API

If you are a developer and want to make use of the anti-phishing data collected by OpenDNS, read up on the freely available PhishTank API, which is designed to make it easy for developers to incorporate anti-phishing technology into their tools. Opera 9.1 uses data collected by PhishTank to protect its users from phishing sites.

OpenDNS uses PhishTank, which is an online collaborative anti-phishing database. The PhishTank data, when tied to OpenDNS, protects users by blocking DNS lookup queries that match an entry in the database. "The PhishTank data," says Ulevitch, "comes from the community. Members of PhishTank submit suspected phishing sites via the Web, email, or API. Other members of the community verify whether a submission is or is not a phish. Each member's accuracy over time affects the influence of their vote. Those members who have contributed the most, and been the most accurate, have the most weight in the community decision about whether a site is phishing or not."

Another benefit of using OpenDNS is convenience. OpenDNS corrects common spelling mistakes on the fly, so if you accidentally type ".cm" or ".cmo" instead of ".com," you'll still get to the site you intended to visit. If the site doesn't exist, you'll end up on a search results page with advertisements. That's where OpenDNS makes money. "OpenDNS makes money by serving clearly labeled advertisements on search results pages where we cannot resolve the URL you're trying to get to," Rhodes says.

To some this might bring back memories of VeriSign's highly unpopular Site Finder service. VeriSign used Site Finder to display information about products by redirecting users who tried to access unregistered domains. OpenDNS says that unlike VeriSign, OpenDNS is an opt-in service.

In December OpenDNS added another free service called CacheCheck to assist domain owners. Rhodes says, "If you are moving a domain from one DNS host to another, CacheCheck can help you make that transition smoother. In effect, you tell OpenDNS to 'refresh now,' ahead of Time-To-Live (TTL) expiration." This will refresh the OpenDNS cache, flushing the old entry, and will direct visitors to the new location of a domain. CacheCheck can also be used by people trying to visit a domain that isn't resolving. It helps explain the reasons for a domain's non-availability (for example, non-responsive nameservers) and in some cases can help fix the problems themselves by refreshing the cache.

Appeals to ISPs

With its speed, phishing protection, typo correction, and control, OpenDNS naturally appeals to ISPs, who can use OpenDNS for free. Jeffrey A. Campbell is the general manager of Express High Speed Internet, a broadband ISP in the Turks & Caicos Islands, British West Indies. "Our connectivity is via sub-sea fiber to the US Internet backbone. Our upstream provider has poor US connectivity, and as a result DNS lookups were taking a very long time to complete," Campbell says.

He says that since Express High Speed started using OpenDNS, it has saved 80ms+ in lookup time. "As we do about 3,400 Web requests a minute, and move approximately 65GB a day of Web data, this can make a huge difference in perceived end user response time. Overall, unscientifically, users noticed a 1-3sec improvement in loading a complex Web page like www.news.com."

Campbell says, "We added OpenDNS to our network as our primary forward resolvers on both of our large Web caches (2TB and 400GB), which handle our Web load 80/20. We run Bind9 locally on both of the machines to cache responses so that we don't introduce extra latency when the cache confirms each IP."

Campbell says his users appreciate other features of OpenDNS as well, such as typo correction and phishing protection. "I've been in the ISP business since 1994 and I think [OpenDNS] is one of the most dramatic and easily implemented performance enhancements available."

Using OpenDNS

Setting up OpenDNS is fairly simple. There's no software to download. All it requires is changing your default DNS nameservers to those of OpenDNS. If you know where to specify the DNS nameservers, simply replace your existing ones with OpenDNS's 208.67.222.222 and 208.67.220.220. If you aren't sure, use OpenDNS's detailed instructions with screenshots for several popular routers, operating systems, and mobile phones.
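Before changing resolvers, you can repeat the kind of latency comparison described earlier from your own network. The following is an added example, not code from the article or from OpenDNS: it times a hand-built DNS A query against the two OpenDNS addresses above and any other resolver IP you pass on the command line. The function names and the choice of news.com as the test name are assumptions made for this example.

```python
import secrets
import socket
import struct
import sys
import time

# Resolver addresses quoted in the article.
OPENDNS = ["208.67.222.222", "208.67.220.220"]

def build_query(name, txid, qtype=1):
    """Encode a recursive DNS query (qtype 1 = A record) as wire bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_reply(reply, txid):
    """Return (rcode, answer_count); reject messages that are not our reply."""
    if len(reply) < 12:
        raise ValueError("short DNS message")
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit not set
        raise ValueError("not a response to this query")
    return flags & 0x000F, ancount

def time_query(server, name, timeout=2.0):
    """One UDP query; return (ms, rcode, answers), or None on failure."""
    txid = secrets.randbits(16)  # unpredictable id, so a stray reply won't match
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server, 53))  # kernel drops datagrams from other hosts
        start = time.perf_counter()
        try:
            sock.send(build_query(name, txid))
            rcode, answers = parse_reply(sock.recv(512), txid)
        except (OSError, ValueError):  # timeout, unreachable, or bad reply
            return None
        return (time.perf_counter() - start) * 1000.0, rcode, answers

def median_ms(server, name, runs=5):
    """Median latency; repeats mostly measure the resolver's warm cache."""
    results = (time_query(server, name) for _ in range(runs))
    samples = sorted(r[0] for r in results if r)
    return samples[len(samples) // 2] if samples else None

if __name__ == "__main__":
    for server in OPENDNS + sys.argv[1:]:  # extra args: other resolvers
        print(server, median_ms(server, "news.com"))
```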

You can also register a free account with OpenDNS that will allow you to control the DNS features provided by OpenDNS. You can, for example, disable typo correction and phishing protection on your IP address or enable dynamic DNS update if you want to use OpenDNS and don't have a static IP address. In addition to this, users also get a couple of graphs showing traffic details on their IP address for the last 30 days.

"There is no other service," Ulevitch says, "that delivers different DNS preferences to different users in real-time, giving the user management of network preferences at the DNS level." He says that this transfer of control of DNS settings to users signifies the "open" in the company name.

As to the future of OpenDNS, Rhodes says, "We're seeing that ISPs and enterprises have found tremendous value in the service we provide. So as we continue to improve OpenDNS for our current customers, we're also working on features that will be useful to ISPs and enterprises."
