OpenDNS: Should you make the switch?
There’s a new public DNS service called OpenDNS that a lot of people are buzzing about. According to the OpenDNS site, the benefits of using OpenDNS are that it is safer, faster, smarter and free. It is definitely free but what about the other claims? Let’s take a look at each of them and find out more.
Free
I start with this because it is absolutely true. There isn’t any software to install but you will have to change some settings on your computer and/or router. The OpenDNS developers have a great page explaining the setup procedures for Windows, Mac OS X, Linux and many different home routers.
Smarter
The FAQ states that OpenDNS will “fix typos in the URLs you enter whenever we can”. Unfortunately, they don’t state that only the top-level domain names (.com, .net, .org, etc.) are corrected. For example, try to go to wyckedone.nt and you will be redirected to wyckedone.net. If you try to go to wcykedone.net, you are redirected to the OpenDNS search page.
I don’t really see a need for this implementation. All that normally happens is that you would just get an error page, notice you misspelled the TLD and make the change manually. Implementing this on the DNS server might save you a couple of seconds but not much else.
Implementing domain name correction would be useful for guarding against typosquatting. This would be tricky to implement considering some websites are just one letter off from another site and both are legitimate.
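A redirect to a search page for a mistyped name means the resolver answers with an address where a plain DNS server would return NXDOMAIN. The script below is an added example, not part of the original article, for checking which behaviour a resolver shows; the function names, the probe name under the reserved `.invalid` TLD and the sample dig output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: does a resolver return NXDOMAIN for a name that cannot
# exist, or does it answer with an address (as a typo-correction or
# search-page redirect has to)?

# Classify one dig response read from stdin.
classify() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i < NF; i++)
                             if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) } }
        /^;; flags:/   { for (i = 1; i < NF; i++)
                             if ($i == "ANSWER:") { an = $(i + 1); sub(/,$/, "", an) } }
        END {
            if (st == "NXDOMAIN")                   print "nxdomain"
            else if (st == "NOERROR" && an + 0 > 0) print "rewritten"
            else                                    print "other"
        }'
}

# Live check (needs network). ".invalid" is a reserved TLD that is never
# delegated, so a resolver that does not rewrite answers returns NXDOMAIN.
# Usage: check_resolver <resolver-ip>
check_resolver() {
    dig +tries=1 +time=2 "@$1" "probe-$$.invalid" A | classify
}

# Constructed dig output for an offline run (addresses are placeholders).
HONEST=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
REWRITING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
probe-1.invalid. 0 IN A 192.0.2.10'

printf 'plain sample:     %s\n' "$(printf '%s\n' "$HONEST" | classify)"
printf 'rewriting sample: %s\n' "$(printf '%s\n' "$REWRITING" | classify)"
```

Software that relies on NXDOMAIN, such as search-domain handling or mail filtering, sees different results behind a resolver classified as "rewritten".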
Safer
The OpenDNS developers have implemented anti-phishing into their service. If you try to go to a site that has been flagged as a phishing site, you will be redirected to an OpenDNS warning page instead. This is really helpful in blocking sites that not only spoof content but also try to spoof the URL.
The list of phishing sites is based on information from other networks and from an analysis run by the OpenDNS developers. I couldn’t find anything describing the process but there has to be a way to verify reported phishing sites. If there weren’t, a malicious person on another network could report a legitimate website as a phishing site, thereby getting OpenDNS to block requests for those sites.
Faster
When a resolution request is made, your request is transferred to what is determined to be the closest OpenDNS server based on your IP address. OpenDNS servers are configured with a larger cache than what is found on most DNS servers. A larger cache means that they can store more name resolutions instead of having to query the root name servers after a resolution has been bumped. The four servers are also located at major network intersections so that they are spread out geographically in the U.S.
I tested the speed at which domain names are resolved to their respective IP address using my Ubuntu 6.06 laptop. The command I ran was:
time dig @[DNS IP] [Domain Name]
The test utilized one DNS server from Charter and one from OpenDNS. The websites I used for the test were eBay, Fark and CNet News. The test was run three times per site per DNS server in order to allow for name resolution caching.
The results are as follows (time is in seconds):
| Site | Charter DNS 1st | Charter DNS 2nd | Charter DNS 3rd | OpenDNS 1st | OpenDNS 2nd | OpenDNS 3rd |
|---|---|---|---|---|---|---|
| eBay | 0.604 | 0.090 | 0.091 | 0.047 | 0.047 | 0.052 |
| Fark | 0.090 | 0.090 | 0.090 | 0.121 | 0.046 | 0.046 |
| CNet News | 0.151 | 0.090 | 0.092 | 0.047 | 0.046 | 0.045 |
The test proves that the OpenDNS servers were faster, overall, in resolving the domain names. I did not run these tests while connected to my Charter service. Instead, I was connected to another ISP. The reason was that I wanted to see how fast name resolution was when connected to a DNS server not on the ISP network.
Name resolution times for the Charter DNS were on par with OpenDNS when the test was run while connected to the Charter cable modem. This can be attributed to lower network latency time. There were fewer connections (hops) between my home connection and Charter’s DNS server versus the OpenDNS server.
Note that using OpenDNS servers could be faster for you if there are fewer hops between you and them versus your ISP’s DNS servers.
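The `time dig` measurement above also counts dig's own start-up, while dig prints the resolver round trip separately on its `;; Query time:` line. The script below is an added example, not part of the original article, that reads that line and reports the first lookup apart from the repeated (cached) ones; the function names, the placeholder resolver address 192.0.2.53 and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: separate the first (possibly uncached) lookup from the
# repeats, using dig's ";; Query time:" line instead of wall-clock `time`.

# Extract the query time in msec from dig output on stdin.
# Exits non-zero when no answer (and so no Query time line) was received.
query_ms() {
    awk '/^;; Query time:/ { print $4; found = 1 } END { exit !found }'
}

# Summarise msec values (one per line): the first lookup, and the mean
# of the remaining lookups, which the resolver can serve from its cache.
summarise() {
    awk 'NR == 1 { first = $1; next }
         { sum += $1; n++ }
         END { if (NR == 0) exit 1
               warm = (n ? sum / n : first)
               printf "first=%d warm_avg=%.1f\n", first, warm }'
}

# Live measurement (needs network): several lookups of one name.
# Usage: bench <resolver-ip> <domain> [runs]
bench() {
    resolver=$1; name=$2; runs=${3:-3}
    i=0
    while [ "$i" -lt "$runs" ]; do
        dig +tries=1 +time=2 "@$resolver" "$name" | query_ms \
            || echo "no answer from $resolver" >&2
        i=$((i + 1))
    done | summarise
}

# Offline demo on constructed dig output (192.0.2.53 is a placeholder).
SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; Query time: 47 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)'
printf '%s\n' "$SAMPLE" | query_ms

# The three Charter/eBay timings from the table above, converted to msec.
printf '604\n90\n91\n' | summarise
```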
Opt-out preferences
OpenDNS allows you to opt out of phishing protection and typo correction. Visit the preferences page to disable these features. This isn’t something you have to sign up for because it is based on your IP address. It is recommended that you only use this feature if you have a static IP address. If you have a dynamic IP address, the preferences will be lost if your IP address changes.
Conclusion
Should you switch to the OpenDNS servers? It won’t really hurt but I don’t see an overwhelming need to implement it on your system/network. The name resolution speed wasn’t really noticeable considering that it was only about 0.05 seconds faster. The only real advantage I can see is the anti-phishing measures. As long as that is kept current, and correct, it is a very effective tool against identity theft online.
If they are able to add more servers in the future, the service will be able to handle more requests faster for anyone located near those locations. They are looking for ISPs wanting to peer DNS servers with their own. Peering would create a direct tunnel between the ISP’s DNS servers and the OpenDNS servers, creating a faster name resolution time.
Some people have written that OpenDNS operates much like a service VeriSign tried to start back in 2003, Site Finder, that was shut down only months later. The developers of OpenDNS have addressed that issue.
You’re probably wondering, “If it’s free, how do they keep running?”. The service is paid for by investors and soon-to-be-added advertising revenue. The ads will not be sent to your computer via pop-ups or embedded into web pages you visit. Instead, ads are displayed on the search page when an invalid or unknown URL is accessed. The ads will be targeted, much like what Google does with the ads on their search page.
Will OpenDNS suffer the same fate as Site Finder? Only time will tell.
17.Jul.06
For what it’s worth. I am trying it since Geekboy posted he was using it. I seem to be a bit faster. I am on the very end of the DSL service commitment line here. I have a slower connection than most DSL customers. I am not complaining, it beats dial-up. So I think it does some good for me speed-wise. I noticed a better connection response during high usage times. So for me it’s a good experience…
No testing for me, too lazy
It will vary by ISP and ISP location. The DNS servers for your ISP may be slower or have a higher latency time than the OpenDNS servers. That’s why I made sure to point out that it can/will vary.
I tried to find the city/state where the OpenDNS servers are located and use a DNS server from another ISP in that location. The lookups I used to find the city based on IP number didn’t find the location so I only used one of the DNS servers for my ISP (Charter).
Wyckedone,
That was a great and very complete review! Well done in researching all the aspects. As for dealing with typosquatters, all I can say is that it’s our number one user request.
Best,
David Ulevitch
Thank you very much for the compliment. If typosquatting correction is implemented, the OpenDNS service will be a great addition for online security.
Good luck with the venture. I look forward to seeing how it develops.
Awesome, man, you got mentioned on the OpenDNS blog! w00t! Yeah, you guys on the OpenDNS team have made a great service. Keep up the great work!
Hmm… I’m starting to think that I started something among the CHF’ers
Congrats on the blog mention! Hey OpenDNS crew… Great work!
I had a good proof reader. Without his insight, it probably wouldn’t have been this good.
Thanks to everyone for the compliments and for the OpenDNS team linking to the article.
I don’t really see a big need for OpenDNS. DNS is fine the way it is, and I don’t think it needs to be tampered with via some middle-ware service that plans to implement ads and whatever else. They might say they will only do ads on typo or non-existent hostnames, yet they also claim that they do typo-correction?
How much time do we REALLY spend waiting for DNS queries? Not a heck of a lot. Our machines cache names locally, browsers cache names, and your local ISP DNS server caches names (or your own DNS server does.)
Then there’s the mysterious way the anti-phishing stuff is handled. If they had a public method of adding and removing phishing entries, it would be better. It would certainly be a real pain if it were handled like SpamCop, where you can get your whole domain banned and you have to jump through hoops to get it unbanned.
Maybe if this were some huge crazy web proxy with all sorts of neat features (a button to view yesterday’s page would be real neat!) then I could see a use for it. But a DNS cache?
With both IE7 and Firefox supporting sorts of “phishing” catchers and at least Firefox doing basic typo-fixing, what do we need OpenDNS for?
Joe:
The OpenDNS team has recently posted how they build the phishing site list. The information can be located here. In a nutshell, they use 3 other services as well as their own analytical program. You can use their contact page to inform them if a site is mistakenly marked as a phishing site. According to the FAQ:
[...] Not convinced? If you like charts and numbers, this dude measured the speed difference with OpenDNS and published the results. (ok, no charts, just numbers.) [...]
This stuff was awesome, it worked like a charm
Hey, wanna know something curious? When I access known valid URLs, for example I go to this website I know works (it’s a forum):
saltydogsproductions.com
and I click on one of the forum threads, it displays the search page to me also, and the site is not down because I am talking in IRC with people on it. Some other times it shows me a search page when I try to go to the site. So you just found out how they pay themselves.
annerajb:
Works fine for me. I also had a friend, that also uses OpenDNS, try it and it worked for him.
Have you tried submitting it to the OpenDNS team to see if it may be a cache problem?
The problem I have with this is that they are just one step in front of the typosquatters. Isn’t the definition of a typosquatter somebody that makes money off of misspelled DNS names? Isn’t that exactly what they will be doing? Also somebody had a good point, you will get much less hits on your ads if you fix DNS resolution names anyway.
I don’t expect this to be around for very long, there’s no money in it.
Here at work we use it as a proxy server, which they offer now, and it’s still free. I think they are going to have to start charging people for it soon.
[...] Here’s a good article about OpenDNS on wyckedone.net. [...]
cautious user:
This is a business plan very similar to what Google does. There are several other companies that make their money off other legit forms of advertising too. It’s proven, it’s profitable and the more people that use their service, the more income it generates (more users mean more misspelled URLs and that equals more ads displayed). What you won’t find with OpenDNS’ style of ‘typosquatting’ is the malware that goes with your typical mistyped URL.
The biggest perk at this point to switch to OpenDNS is it blocks the Conficker infection. I’ve been doing some research on different alternate DNS and this seems to be the best option available. I’ve made my decision and I’ll be migrating my work over to OpenDNS by this weekend to prevent getting that nasty PITA virus.
Yes, it is very like what Google does