Today I was working at a customer site and using their guest wireless network and was having DNS problems, and not for the first time this week. It could be the router, it could be the provider. I thought about it for a bit and went searching for other DNS servers and found OpenDNS.
OpenDNS seems like a brilliant idea, providing free and open public access DNS services. The question I am wondering about: is it ready for the enterprise?
I was reading this article about how huge numbers of DNS servers are open to attack, and we are soon to expect a massive fraud that will cause problems.
So the security risk is that your ISP / Service Provider is not up to speed with securing their DNS servers. Given that
- many Service Providers run on tight profit margins
- outages cause bad press, and happen reasonably often
- DNS is not a profit generator but more of a cost or an overhead
- DNS skills are not that common (and I mean good DNS skills)
then DNS is probably not high on Service Provider programs. This might be a reasonable assumption. (Note: not all providers are a problem, but how can you tell which ISPs are doing a proper job on their DNS? Feel free to comment!)
Because the OpenDNS system has more people using it, the DNS cache will be substantially larger, thus it should take less time for commonly used sites to get a name resolution.
I am always surprised by how much faster a good DNS can make a network. Microsoft have demonstrated this with their DNS server which is much improved in performance and caching since it became a key part of the Active Directory strategy. I suspect the engineers realised the performance of the DNS would be vital to AD success and spent quite a bit of time ensuring that MS DNS was a worthy product.
I often read about the heavy load on the DNS root servers. If the root server nearest you is struggling, OpenDNS offers an alternative. Also, OpenDNS seem to honour caching intervals so I am happy that they will respond to GLB changes.
Because OpenDNS is focussed on this single activity, I can feel more confident that they are taking the correct actions to keep their DNS service secure. Their web site certainly suggests that they are careful in terms of service availability and security.
Web and Content Filtering
I like the web and content filtering feature. I can see that especially for small business this is a great idea. Simply configure your Internet router to use the OpenDNS server, register your IP address or configure a DynDNS account and you have a quite good content filtering solution. DNS requests from the IP address that you register will then have the content filtering applied.
It isn’t perfect, but you can certainly make it harder to access NSFW content. It will certainly stop the accidental surfing. Also, many people are submitting Spam / Phishing URLs and these are also being blocked. If enough home users were on this, then we could be taking steps to reduce these types of problems.
How do they make money?
In short they are ad supported. They take mistyped URLs and then offer you pages of ads. However this is done in a ‘not evil’ way as they clearly show you that they are redirecting. Check this screenshot for a mistyped URL:
Other people review OpenDNS
I am not the only person to pick on the service although most reviews are from more than a year ago when the service was first announced.
I believe that OpenDNS is a good option for medium enterprises to use instead of root servers. It will reduce load on the underlying Internet infrastructure and offers an improved service. For enterprises that want to improve their security and provide some content filtering, you should sign up and register your IP addresses.