OpenDNS
July 19, 2006 10:08 AM   Subscribe

I looked and looked, but I think the only catch is they make a few pennies off their search engine, when you misspell a domain or hit an unknown URL.
posted by mathowie at 10:09 AM on July 19, 2006

more here.
posted by shoepal at 10:13 AM on July 19, 2006

It is a creative business idea. Good luck to them.
posted by caddis at 10:13 AM on July 19, 2006

Please remember that OpenDNS is a business, and for profit DNS hosting is somewhat suspect. Please read more about the pros and cons of this service at TeachCrunch.
posted by tumble at 10:13 AM on July 19, 2006

The DNS technical community has been discussing OpenDNS recently and serveral issues with this service have already been pointed out:

It tries to fix known typos for you, in exchange for redirecting you through a website that subjects you to targeted advertising. Things like this make me cringe, but perhaps some folks might find it useful. In any case, this means that they are not participating in presenting a uniform view of the namespace - one of the design criteria of the DNS. This applies to the feature that intercepts requests for known phishing sites also.

I think it's possible to opt out of the typo/phishing services, but I'm sure they are counting on the vast majority of folks not changing the default.

The web isn't the only application in the world. Although unfortunately many people seem to think so. Optimizing a name resolver service for a specific application is not a good
idea.

The typo correction feature will also break a specialized class of applications that needs to know about the non-existence of domain names.

It violates the DNS protocol on some types of responses. This is unlikely to affect typical users, but may be problematic for some.

It's an open recursive nameserver, which means it can most likely be used to launch certain kinds of DoS attacks. The designer of OpenDNS claims to have a variey of countermeasures in place to defend against these attacks. But we don't know really know what they are or whether they actually work.

The "much faster" claims have already been refuted. I'm sure it might be faster in some cases. But the speed of the service depends on where you are and what type of connectivity you have to their nearest DNS server. And on how large your own ISP's nameserver cache is.

I'm omitting a few other more esoteric issues...

Opt-out anti-phishing measures will be built into the next version of Firefox. Seems like a feature desirable to users that DNS doesn't need to provide.
posted by Blazecock Pileon at 10:15 AM on July 19, 2006 [2 favorites]

jinx, tumble!
posted by shoepal at 10:15 AM on July 19, 2006

I don't see a difference between their 'spell checking' and Verisign's SiteFinder about which everyone screamed bloody murder. Maybe they won't be spell checking for the highest bidder, but right now i'm skeptical.
posted by kaytwo at 10:17 AM on July 19, 2006

so, matt. Is metafilter pointing to these guys now?
posted by TechnoLustLuddite at 10:17 AM on July 19, 2006

Its the "phishing blacklist" feature that would possibly make me set this up on say my parents computer, maybe. I saw this on the Laughing Squid blog and there's some good discussion in the comments.

I'm unlikely to use it for myself since I'm on VPN and/or using private DNS most of the time. Regardless, I'd like someone to explain what would make this a compelling switch for your average user.
posted by vacapinta at 10:21 AM on July 19, 2006

kaytwo, I'm not convinced something like this is good either, but the major difference is that OpenDNS doesn't own the .com/.net root; you have to choose to use them. VeriSign's devil-spawn was rammed down your throat.
posted by lowlife at 10:21 AM on July 19, 2006

hmmm... not yet...... metafilter.cmo
posted by TechnoLustLuddite at 10:22 AM on July 19, 2006

I don't see a difference between their 'spell checking' and Verisign's SiteFinder about which everyone screamed bloody murder.

Opt-in vs not even opt-out. SiteFinder basically put a wildcard record into the root DNS servers that pointed every query that failed to Verisign. This caused all sorts of problems, the least of which was that every DNS lookup would be successful.

To get this feature from OpenDNS, you have to explicitly use their servers, so if you don't want this, you can use the regular DNS service.
posted by eriko at 10:22 AM on July 19, 2006

Thanks lowlife, I just caught that in the FAQ :). That is definitely a fundamental difference, but the "here's where we make money off of it" part is the same. I think for the time being I'll still stick with my dns servers.
posted by kaytwo at 10:23 AM on July 19, 2006

DNS works the way it does for a reason. Changes like this are dangerous, particularly when backed by a profit motive. It's not as evil as Verisign since OpenDNS is opt-in, but it still smells like a bad idea to me.
posted by Nelson at 10:28 AM on July 19, 2006

oh, sorry, guess i should have read more.. i thought this was done server side, not user side...
posted by TechnoLustLuddite at 10:29 AM on July 19, 2006

Blazecock Pileon writes "The web isn't the only application in the world. Although unfortunately many people seem to think so. Optimizing a name resolver service for a specific application is not a good
"idea."

How the heck do you optimise for a specific application? Namespace is orthogonal to what is served from the IP.
posted by Mitheral at 10:31 AM on July 19, 2006

meh.

better: opennic.
posted by dorian at 10:32 AM on July 19, 2006

It tries to fix known typos for you, in exchange for redirecting you through a website that subjects you to targeted advertising.

Nope, you guys should try it first. A true typo (like http://metafilter.co/) goes right to the site, without any advertising.

Is metafilter pointing to these guys now?

No, they don't do hosted DNS for domains, they're just doing general internet DNS for users. In the past few hours I've been using it, it's been completely transparent and I only see an opendns page when I try to break it with typos and domain name guesses. I suspect I won't see OpenDNS very often but at least once a day I mistype a url, adding or forgetting the last letter in the .com/.org/.net
posted by mathowie at 10:33 AM on July 19, 2006

How the heck do you optimise for a specific application?

The application layer in this case is http. OpenDNS aims, on the surface, to append non-standard specifications to the DNS application to solve specific problems with the http application layer. This approach to optimization is counter to the design and purpose of the DNS protocol, and is better solved with the http-layer specific approach I referred to, which Mozilla will implement in future releases of Firefox.
posted by Blazecock Pileon at 10:38 AM on July 19, 2006

I'd rather that people just learn how to type the URL right the first time.
posted by drstein at 10:39 AM on July 19, 2006

Just stopping by to say, I have no idea what any of you people are talking about.
Please carry on.
posted by Outlawyr at 10:39 AM on July 19, 2006

what about sites like fat-pie.com and fatpie.com?
I'm afraid to try. NotSafeForAnyone warning on the non-hyphenated version.
posted by TechnoLustLuddite at 10:39 AM on July 19, 2006

Please note that OpenDNS also only offers two servers, both of which are on the same or adjacent networks, with no geographical or network redundancy. That's not an especially encouraging sign for an infrastructure service.

On the other hand, some of us don't take DNS best practices very seriously, so I guess it can't be as bad as all that.
posted by majick at 10:49 AM on July 19, 2006

Here's what I would like from DNS - a special feature where if you fuck up, and, say, accidentally change your authoritative nameserver, it will give you the chance to revert back to your old authoritative nameserver without having to wait the requisite 1-3 days. Not that I've, like, ever done that or anything.
posted by Afroblanco at 10:59 AM on July 19, 2006

On the other hand, some of us don't take DNS best practices very seriously, so I guess it can't be as bad as all that.

The address bar in browsers has a lot of usability issues, which this company tries to solve. I don't know if I'll use it forever, but I'll definitely watch them to see how they grow. And since it takes five seconds to "install" and "uninstall" it's really not like I abandoned the protocol of http and banished port 21 to the depths of hell for some new bizarro universe.
posted by mathowie at 11:20 AM on July 19, 2006

(Actually, I was referring to the fact that metafilter.com DNS is shall we say, not exactly optimally configured. I actually set up a client machine here to try out OpenDNS -- you're right in that it's trivial to "install" --and see how I like it.)
posted by majick at 11:45 AM on July 19, 2006

Didn't people throw a hissy fit when VeriSign tried to do something like that with the real registry? Yes, and with good reason. Something like a phishing blacklist and spellchecker should be implemented as browser plugins, not DNS hacks.
posted by delmoi at 12:00 PM on July 19, 2006

And since it takes five seconds to "install" and "uninstall" it's really not like I abandoned the protocol of http and banished port 21 to the depths of hell for some new bizarro universe.

Well, there's some good arguments for dumping FTP in a land of NAT and firewalls.
posted by eriko at 12:00 PM on July 19, 2006

Thanks Matt. I installed it; I'll see how it works-- not that I'm sophisticated enough to know one way or the other, of course. I'll also see whether I dream my father is still alive tonight...
posted by jamjam at 12:03 PM on July 19, 2006

"Please note that OpenDNS also only offers two servers, both of which are on the same or adjacent networks, with no geographical or network redundancy. That's not an especially encouraging sign for an infrastructure service"

Perhaps they're using a geographically distributed load balancing setup of some sort on the back end. You can do fun stuff like that with a Foundry ServerIron.

I highly doubt that they're just using 2 boxes.. 1 primary and 1 secondary. I'd imagine that there's at least some redundancy on the back end. I've set up similar deals.
posted by drstein at 12:23 PM on July 19, 2006

The address bar in browsers has a lot of usability issues, which this company tries to solve.

Aye, but in a real way they're solving problems in one application by creating others. I wouldn't use this.
posted by i_am_joe's_spleen at 12:32 PM on July 19, 2006

DNS with censorship. Amazing. So they go up against the people who fill typo domains with ads by filling typo domains with their own ads. Double amazing!

OpenDNS makes money by offering clearly labeled advertisements alongside search results on error pages

So some top-drive organization will be telling me whats good or bad. Triple amazing.

Worst of all, most phishing scams use standard IP addresses not domains in the fake ebay/paypal/egold emails. I also dont like the use of the "open" prefix for non open-source projects.
posted by skallas at 12:40 PM on July 19, 2006

OpenDNS does what for me again?, another skeptic on 'OpenDNS'.
posted by jepler at 12:41 PM on July 19, 2006

I've never considered anything like this because I figured it would be completely ridiculous to ask anyone to use off-the-grid (so to speak) DNS. It instead turns out that thousands of people are downloading their little tool to change what they're using to resolve domain names. Weird. My inner internet architect is frowning sternly. (What would Vint Cerf think?!!) (I just wanted to be able to type 'Vint Cerf', really.)

Interesting discussion it's created, at least.
posted by blacklite at 1:19 PM on July 19, 2006

DNS is fundamentally pretty broken, in that the original protocol, which virtually everyone runs, doesn't do much checking that answers are actually valid. Open DNS servers like, well, OpenDNS, are at least in theory MORE vulnerable to a kind of attack called "DNS cache poisoning" than are ordinary ones.

Cache poisoning, if I remember how it works correctly, involves sending a query to an open nameserver, and a tiny fraction of a second later, sending forged answers to the sequence of queries that the DNS server will have sent out. The DNS server gets the initial request, and starts trying to figure out the answer, recursing its way down the DNS hierarchy. If one of the malicious packets gets in at the right time, which isn't that hard to do, the DNS server can believe that the wrong IP address is authoritative for a given domain. So, suddenly, that DNS server will now ask Joe Badguy's servers for DNS answers for a given domain, instead of the real ones.

This lets Joe Badguy invisibly hijack your connection to pretty much any website he chooses.

This isn't necessarily that bad if the hijack is, say, Bank of America, because they won't have the proper certificate to talk in HTTPS with you. But they could easily convince you that a site you trust is offering you a cool new utility or screensaver or something, and once they have code running on your computer, your security is totally compromised.

The more people are using a given DNS host, in other words, the more attractive a target it becomes for cache poisoning attempts. The safest possible DNS is one that only you are using, behind a firewall. Many of the small routers, like the Linksys WRT54G, are able to offer DNS resolution.

Even this isn't a 100% solution, but it's pretty good, and probably the safest DNS available. Use the anti-phishing plugins for Firefox instead of replying on any DNS server for that function.
posted by Malor at 1:42 PM on July 19, 2006

One thing I like quite a bit about this is that the entire reason for existence of the company is to provide DNS servers, and that I can use it for free. Once a month or so RCN's DNS servers go tits up and I get to try and remember Google's IP address from memory (its in my /etc/hosts now though) to go find a working DNS server. Having a set that is pretty much guaranteed not to change/go down as long as the company is in business will be a nice change.
posted by Skorgu at 2:18 PM on July 19, 2006

FWIW, if you ever don't have a working recursive DNS server to point your machine at, and you need on, the GTE/Verizon/BBN servers are at 4.2.2.1 through 4.2.2.6, which have to be some of the coolest IP addresses on the network (you might be a geek if), and they're often accessible from other people's networks. (I use them as my default test-ping to see if something's working, because they're easy to remember, and type.)

What server they actually point to depends where you are, because they're IP Anycast addresses.
posted by baylink at 2:54 PM on July 19, 2006

With dns caching, and enough of us using it, wouldn't that mean that our surfing will go faster, at least with the sites we're all visiting off the front page?
posted by crunchland at 2:56 PM on July 19, 2006

What's so open about this?
posted by cellphone at 3:16 PM on July 19, 2006

crunchland: No. seems folks have already timed it, and OpenDNS is quite a bit *slower* than their own ISP DNS servers.
posted by drstein at 3:31 PM on July 19, 2006

The fundamental paradox in this offering is that anyone savvy enough to even know what a DNS server is - doesnt need this service.
posted by vacapinta at 4:15 PM on July 19, 2006

"I also dont like the use of the "open" prefix"

Seconded. This is wilfully misleading.
posted by i_am_joe's_spleen at 7:03 PM on July 19, 2006

majick wrote: Please note that OpenDNS also only offers two servers, both of which are on the same or adjacent networks, with no geographical or network redundancy. That's not an especially encouraging sign for an infrastructure service.

I don't work for opendns, but this is almost certainly not the case. OpenDNS appears to use anycast dns (^) via two /24 bgp advertisments. You could, with sufficient research, get a reasonable understanding of just how many servers they have and how widespread they are, but my guess is they have at least two pairs of dns servers in at least two seperate datacenters.

That said, i still wouldn't use their service for the same facts others have brought up in this thread. Some quick tests show DNS queries from my local dns server to be 2-20x times as fast as their service - perhaps they'll have a wider market selling outsourced dns services to ISP's and network gear vendors with some sort of revenue share built in.
posted by jba at 7:07 PM on July 19, 2006

Wow. The OpenDNS guys are really out there circling the wagons against criticism.

Pitting "experts" against "experts" seems like a waste of time. The tech community will make up its own mind.
posted by vacapinta at 10:32 PM on July 19, 2006

My internets has just been mediated.
posted by runkelfinker at 6:21 AM on July 20, 2006

IPv6

With the advent of IPv6 this service becomes a non-starter anyways. DNS as we know it will be gone forever so there's little point even discussing who's eveil and who's good in the current address space system.

Things will be so much cooler with IPv6 since the major telcos will own all IP address spaces and everyone knows how much goodness comes from that fount!

Not familiar with IPv6? Time to bone up!
posted by nofundy at 6:44 AM on July 20, 2006

eveil = evil
must start doing better previews!
posted by nofundy at 6:46 AM on July 20, 2006

Hi, just dropping by again to say, what the huh?
Ok.

No, but honestly, if anyone feels the urge to explain what any of this means (feel free to refer to tubes and trucks) that would be nice.
posted by Outlawyr at 3:08 PM on July 20, 2006

Ok. DNS or Domain Name Servers kick in when you type a url in your browser. Behind the scenes, they collect and translate the easy to remember URLs into the complicated and unique IP addresses that computers prefer. Every server on the internet has an IP address. You type in the name, your computer polls the DNS, gets the IP, and then knows what webserver you're trying to reach.

You probably rely on your ISP or IT department to assign you to a domain name server, and that's usually fine. But OpenDNS claims to be more than just an ordinary domain name server ... they add more to the mix -- like correcting rudimentary typos in the url that a normal DNS server would puke at, and caching the IP addresses of frequently served up urls to make the look up go even faster. (As it is, it happens so quickly anyway, you probably won't notice any difference.)
posted by crunchland at 3:19 PM on July 20, 2006

Think of it like one of those cell phones that allow you to say "Call Joe" and it dials his number automatically. That's how DNS works.
posted by crunchland at 3:23 PM on July 20, 2006

(feel free to refer to tubes and trucks) that would be nice.

It's the plumber who makes sure the pipes don't send your internets to the wrong shithole.
posted by nofundy at 8:39 AM on July 21, 2006

Thanks Crunch (and nofundy too I guess). It all makes sense to me now.
posted by Outlawyr at 1:29 PM on July 21, 2006

This is just a service website and I can not say it offers something unique even some poeple may find it useful.
posted by aeromit at 6:19 PM on August 6, 2006