
Thread: OpenDNS

  1. #1
    Senior Member chizra's Avatar
    Join Date
    Feb 2006
    Location
    west india
    Posts
    152

    OpenDNS

    hi folks,

    came across this site http://www.opendns.com/faq/ and wanted to know if this is a good way to avoid phishing and other mistakes of internet life?

    views please.
    Hindsight is an exact science.
    MudBubble

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Ask yourself this. How can this tiny company validate the 10s of thousands of domains registered worldwide each day? Their "safe site" feature that picks off phishing sites runs off of a signature database. Hence, the answer is simple: they can't. They are certainly just picking up feeds from various free feeds out there on the net. While these feeds are nice, they're not foolproof.

    I'm willing to bet that you'll get just as much or better performance from the anti-phishing feature in IE7.

    Their claim of being faster is wonderful, but what they're not telling you is that this simply means that they have a giant DNS cache. To that end, there will be stale records in there more so than your normal DNS server. This means updates to domains will be slower.

    Also, if you read carefully, you'll be given advertisements for using their DNS service. I get the fly-by-night huckster feeling when reading the site, especially after looking into who they are.

    --TH13
    Last edited by thehorse13; January 2nd, 2007 at 10:42 PM.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Junior Member
    Join Date
    Jan 2007
    Location
    San Francisco, California, USA
    Posts
    2
    John Roberts from OpenDNS here.

    I and my colleagues are hardly "fly-by-night huckster[s]" -- why does the website give you that impression?

    We are faster, in part due to our large caches. We never hold a domain longer than the Time To Live (TTL), so our caches are no more likely to be stale than anyone else who respects the standards. And, unlike any other DNS service I know of, we give you (the Internet user) the opportunity to look at what is in our cache, and refresh it if necessary, with CacheCheck. http://cache.opendns.com/

    We state clearly in our FAQ how we make money: when a domain does not resolve, we deliver a search results page which also includes clearly labeled advertisements. Your current experience is likely a browser error page. Take a look at http://search.opendns.com and decide for yourself.

    As to our phishing protection, it's quite solid. It's not perfect. No one's is. We use feeds from various members of the anti-abuse community, and from PhishTank, a site we operate for sharing anti-phishing data freely. PhishTank data was used by the Mozilla Corporation to test Firefox 2 against IE 7, and it's now in use by Opera 9.1.

    Each entry in the feeds OpenDNS receives is validated by an OpenDNS employee.

    OpenDNS is a choice, and I hope you'll choose to try us. There's no lock-in, so if you find it doesn't suit you, you can change back easily. I don't think you will want to.

    John Roberts
    VP of Product, OpenDNS
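
The TTL claim in the post above can be checked from the client side by comparing the TTL a caching resolver serves with the TTL the zone's authoritative server publishes. The following is an added example, not part of the thread and not OpenDNS code; the function names and the sample responses (built inline for example.com / 192.0.2.1) are constructed for illustration.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def answer_ttls(msg):
    """Return (rtype, ttl) for each record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if ttl & 0x80000000:                   # RFC 2181: top bit set means TTL 0
            ttl = 0
        records.append((rtype, ttl))
        off += 10 + rdlen
    return records

def build_response(ttl):
    """Constructed sample: one A record for example.com -> 192.0.2.1."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def ttl_extended(authoritative_msg, resolver_msg):
    """True if the resolver reports more lifetime than the zone owner published."""
    published = max(ttl for _t, ttl in answer_ttls(authoritative_msg))
    served = max(ttl for _t, ttl in answer_ttls(resolver_msg))
    return served > published

if __name__ == "__main__":
    print(ttl_extended(build_response(300), build_response(120)))  # cache counting down
    print(ttl_extended(build_response(300), build_response(900)))  # TTL stretched
```

A resolver that respects TTLs serves a value at or below the published one, counting down between refreshes; a served TTL above the published value means the cache is holding records longer than the zone owner asked.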

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    TH13 of Antionline here.

    Microsoft (and soon other giants will follow) are offering anti-phishing protection right in the browser (free of course) without having to muck with DNS settings (albeit easy if you have permissions to do so). Don't forget companies like ISS, Webroot, Symantec, McAfee and others that also give you the same protection in their security suites. Your solution is free in terms of actual out of pocket money, I'll give you that, but soon your niche will dry up. Here is why.

    1) Corporations already have infrastructure to handle this so I assume you're only after the home user/soho market. Again, most users operate in the, "not broken don't fix it" mindset. Your model (free with ads) is very close to what most users associate with popup ad spam. How do you overcome this as end users today are constantly told not to do anything to their PCs unless the request comes from a trusted source?
    2) End users are barely aware of what DNS is let alone a DNS cache. Viewing it seems something that advanced users would do and those users generally have a clue already on how to avoid scammers on the net.
    3) Looking at your architecture, I'm unsure on how you can claim significant speed over standard DNS servers. I can connect up to any local DNS server and get just as speedy responses. Given that your TTL isn't larger than others and your cache can't be architected much different than others, what else is there in your design that can enhance speed? I'm drawing this directly from your FAQ on your site which lists server positioning as a reason for speed gains. Is there something else? In your previous post, you mentioned standards (I assume you're saying you're following RFCs for DNS) so what can you do differently within the standard that isn't being done now?
    4) Small (privately held) security companies looking to improve the wheel generally have a short lifespan, especially if they are several rounds deep in venture capital funding. With the giants in this sector carving up every last shred of potential revenue generators, my money says that you're going to get into trouble quickly if this is the only thing you're going to offer long term.

    What will you do when secure DNS makes a foothold and most modern browsers (which use the same feeds as you and then some already) are commonplace? You must have one hell of a 5 year strategic plan.

    Anyway, I don't see much (if any) benefit from your service.

    VP of nothing.
    --TH13
    Last edited by thehorse13; January 5th, 2007 at 04:57 PM.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Junior Member
    Join Date
    Jan 2007
    Location
    San Francisco, California, USA
    Posts
    2
    TH13,

    You are grouping OpenDNS as a security company, which is understandable because of how this thread started, and the board this is taking place on.

    However, we are a DNS company. Security is just one application on top of our DNS platform. Stopping phishing is not our business: it's a feature. And we have more features in this arena to offer... we don't treat security lightly... just saying it's not the heart of our business.

    Delivering a better Internet experience is our business. Speed is a large part of that.

    DNS speed is the combination, broadly, of two things:

    1. Network latency, which comes from bandwidth, geography, and peering policies. Ping time can measure this part of DNS speed, but it's not actually representative of DNS speed as a whole.

    That's why our geographic distribution matters, our network architecture matters, our peering policies matter, and our location _within_ the data centers matter.

    2. Software speed, which comes from cache, and well-written software.

    We wrote our own DNS server and cache.

    If you truly "can connect up to any local DNS server and get just as speedy responses" then, well, I'll be truly surprised. Shocked, even. Our experience, and the reports of our users, says that OpenDNS is notably faster for most everyone. (There are some folks who do a great job with DNS. They are rarer than you might think.)

    Might I suggest trying OpenDNS? You're clearly savvy enough to use our nameservers, and switch right back if you're dissatisfied. There's no software to install, as you know, and no lock-in.

    John Roberts
    VP of Product, OpenDNS

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    > DNS speed is the combination, broadly, of two things:
    >
    > 1. Network latency, which comes from bandwidth, geography, and peering policies. Ping time can measure this part of DNS speed, but it's not actually representative of DNS speed as a whole.
    >
    > That's why our geographic distribution matters, our network architecture matters, our peering policies matter, and our location _within_ the data centers matter.
    >
    > 2. Software speed, which comes from cache, and well-written software.
    >
    > We wrote our own DNS server and cache.

    Yep, I'm aware of how DNS works which is why I asked the questions above related to architecture and standards. I've also seen many well run DNS shops (as well as bad per your point). Finding a well run shop isn't difficult in my experience, then again, finding a bad one isn't difficult either.

    Has anyone blackbox tested your home grown DNS server? The greatest risk of all is the unknown. If you have a custom solution, I would assume that you would want to be sure that it is secure, given that DNS is heavily abused as an attack vector. Moreover, I'd be especially interested in vulnerabilities related to cache poisoning attacks against your infrastructure.

    > OpenDNS makes the Internet experience safer, faster and smarter for you and everyone using your network.

    From your "What we do" page. I get the impression by this statement that security is a major offering, especially with the anti-phishing screen shot right under item #1.

    As for speed, your example assumes that recursion has to take place, which is misleading. Not all DNS servers have to do a recursive lookup as you are aware.

    Other than speed, anti-phishing and what looks like an attempt to correct mistyped URLs, I don't see any other offerings. If I'm missing nothing, then is it safe to assume that your primary offering is target marketing via the advertisements in your search results page? I'm certainly not saying that I fault you for attempting to carve out a niche but from what I've seen on your site and from reading your privacy policy, it leads me to assume two things. The first is that you're selling heavy on the security aspect (which is why it ended up here in the first place) and after reading the privacy policy, it seems that you guys are simply using target marketing as a cash flow for your business. Again, no problem with making a buck, I just can't see additional offerings or benefits.

    --TH13
    VP of nothing.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
