6 comments

[ 3.6 ms ] story [ 38.4 ms ] thread
Well, in Turkey, it's used for accessing (most of)the censored sites
So, could one really do this OpenDNS thing behind a pay-for-internet-service?

Yes but it requires the pay-for-internet provider to think about their real usage scenarios and plan for them appropriately. I'm involved in the engineering of a similar system that has nearly a million users, and we've chosen to leave port 53 wide open, even though it can theoretically be used for DNS tunneling or other nefarious use.

Also, I disagree with the comments on the post that claim that ISP DNS is the #1 cause of slowdowns -- DNS on an ISP scale is surprisingly easy to dimension and support in the common case. The important aspects of DNS administration center around debugging misbehaving authoritative servers and management of Denial of Service attacks.

I used to find that I'd get slow downs when performing requests because the ISP wasn't answering the DNS query in a timely fashion. This would usually resolve itself in half-an-hour or so, possibly a load issue. But with OpenDNS I've not had those problems, my ISP nameservers are there as backup however if I should need them.

Also OpenDNS optionally does filtering and allows reporting of lookups made. As my kids grow and explore for themselves I think this will be useful.

Primarily because client side software that serves a similar function is bulky, harder to configure, and almost never free. If your browser becomes compromised there's a fine chance its built-in phishing/malware filter will be broken or disabled. It's unlikely a browser exploit could change your DNS settings -- if it could you've got much bigger problems.

From a performance point of view many ISP name servers are either oversubscribed or simply not fine tuned. There are many tricks to DNS configuration on busy servers and OpenDNS does a good job keeping their servers fast and responsive. Additionally your ISP may not be giving you the best possible DNS servers. Many ISPs are getting involved in the ISP sponsored custom redirect game. While OpenDNS does indulge in this to a degree their service doesn't seem to take a hit from it which is something I cannot say about other custom redirects.

I used OpenDNS while at Defcon to avoid my DNS servers being spoofed. The minor configuration change was totally worth it.