What is OpenDNS?

Started May 9, 2012 | Discussions
SantaFeBill Senior Member • Posts: 2,571
What is OpenDNS?

I ran across a reference to OpenDNS in another post, but it was in a context that wasn't really talking about it per se.

I went to the OpenDNS site, but, for home users, all you get is a button that says 'Get Started'.

I'm not about to click on that button, with no idea what they propose to do, how it works, what changes it makes on my system, etc.

So will anyone enlighten me as to what OpenDNS does, and is it worth it?

I'm running a home network with a router, so I have both hw and sw firewalls, plus the usual anti-malware stuff. We have had few problems with infections, and those have been ably found and eliminated.

Internet access is very fast on our Comcast cable connection, so no complaints there either. (I consistently get file dl speeds in excess of 1MB - yes, cap 'M' - per second, using a 3rd-party dl manager.)

So would OpenDNS do anything that I need?

I did check their list of data sheets, all of which were for the enterprise solutions. Their technical overview was general enough that it didn't help that much either, particularly in making clear whether you had to change your ISP and e-mail provider to them to take advantage of whatever OpenDNS can do.

Thanks to all in advance.

Birk Binnard Senior Member • Posts: 1,828
Re: What is OpenDNS?

DNS = Domain Name Service. This is a function provided by special server systems on the Internet called DNS servers. All a DNS server does is translate a name like gm.com into its actual IP address. The IP address is what actually gets you to the desired site.

Your ISP has its own set of DNS servers and you pay for them as part of your monthly Internet cost. But you can actually use any DNS server you want; just change the setting in your router to point to the desired ones (there are always 2, just in case the first one has a problem.)

OpenDNS is a set of free DNS servers that anyone can use. Google also provides some free ones. To find them just Google "free dns" and you should get a bunch of links for free ones you can use.
--
Birk Binnard
http://www.birkbinnard.com/photography

pocketfulladoubles Senior Member • Posts: 1,986
Re: What is OpenDNS?

If you for some reason need to publish hostnames to the world, such as running a web server, you can add dns entries so that the world can reach your server.

There are different types of records:

An "A" record will take something like http://www.yourdomain.com and hand back the IP address which is really what your browser is looking for.

An "MX" record will tell you what the IP addresses of the mail exchangers (mail servers) are in that domain, ordered by priority if you have multiple ones.

A "PTR" or pointer record is a reverse lookup which will take an IP address and hand back the hostname.domainname.

A "CNAME" or canonical name is just an alias.

There are more records, but these are the ones to concern yourself with if you really need to publish the DNS info publicly. If you are actually setting up your own DNS server with something like the bind daemon, then you will need to also set the SOA (start of authority).

As a final note, some VPN servers allow logins by hostname. If you are on a dynamic IP address, you can use something called Dynamic DNS in which your machine forwards its current dynamic IP to the DNS server, and it will update the record so that the VPN server can authenticate you.

malch Forum Pro • Posts: 14,048
Re: What is OpenDNS?

SantaFeBill wrote:

So will anyone enlighten me as to what OpenDNS does, and is it worth it?

OpenDNS is an alternate to the DNS service normally delivered by your Internet Service Provider (ISP). On the plus side:

  • OpenDNS is a reasonably fast and reliable service. So, if your Internet provider's DNS is slow and poor, it might be attractive. OTOH, I would suggest that changing ISP is a more appropriate solution! If an ISP can't deliver decent DNS, you shouldn't be using them.

  • OpenDNS will catch/intercept requests made to hosts that are known to be serving malware, involved in phishing scams etc. So it's one kind of anti-malware tool.

Much more detail here:

http://en.wikipedia.org/wiki/OpenDNS

OP SantaFeBill Senior Member • Posts: 2,571
Re: What is OpenDNS?

Thanks. You caught that I was asking about OpenDNS in particular and not DNS in general.

From your reply and the Wikipedia article, it would seem that OpenDNS doesn't add much if anything to capabilities/protections that I already have via other means, and would add another set of possible complications.

malch Forum Pro • Posts: 14,048
Re: What is OpenDNS?

SantaFeBill wrote:

From your reply and the Wikipedia article, it would seem that OpenDNS doesn't add much if anything to capabilities/protections that I already have via other means, and would add another set of possible complications.

I agree. However, I do keep the OpenDNS IP's on hand just in case my normal DNS servers suffer a catastrophe.

I like to store potentially useful info like this as comments in etc/hosts:

# OpenDNS
# 208.67.222.222
# 208.67.220.220

For the cost of a 3-line comment, I have a backup DNS service ready to go.

Jim Cockfield Forum Pro • Posts: 16,333
Faster Page loads vs. Comcast DNS, nothing to install...

When you load a page using your browser, any content on it is going to require a lookup of the links via your default DNS server to get the IP addresses associated with those links to connect to the servers the content is located on.

When I've tested DNS lookup speed using popular benchmarks, I usually find that one of the OpenDNS DNS Servers is in the top three fastest DNS Servers, and sometimes two of them are.

For example, I just ran this benchmark again (I haven't tried it lately) and found that the OpenDNS servers are still fastest from my location:

http://www.grc.com/dns/benchmark.htm

The easiest way to see the fastest ones is to wait until it's done and look at the conclusion tab (ignoring the popups allowing you to build a custom list using other public servers, etc., since I wouldn't trust a DNS server that wasn't hosted by a more reputable firm, since it's common to see hacked DNS servers redirecting traffic).

These were the 3 fastest DNS servers from my location (Savannah, GA, using Comcast Broadband Service via a Cable Modem):

208.67.222.222
208.67.222.220
8.26.56.26

The two fastest DNS Servers are OpenDNS Servers, and third fastest DNS Server is a Comodo SecureDNS Server.

They all update their servers frequently so that pages known to host malicious content are not loaded automatically when the DNS lookups are performed.

So, using a DNS Server like those adds another layer of protection from malicious content and you'll probably see much faster page loads.

I've seen the same thing using other similar tests, where one or two of the OpenDNS DNS Servers are usually in the top 3. For example, here's a similar test:

http://code.google.com/p/namebench/

The last time I tried it, I ran it 3 times and got slightly different results all three times. But, one of the OpenDNS servers was always one of the fastest two DNS Servers tested from my location.

Make sure you close Firefox and anything accessing the network while using these types of tests.

Personally, I keep my router setup with these DNS servers (Comodo SecureDNS as the primary and secondary DNS servers, and one of the OpenDNS servers as a third choice).

8.26.56.26
8.20.247.20
208.67.222.220

Then, I keep my PC setup to get DNS Server addresses each time they get a new network connection so it will use the same ones setup in my router. That's the way PCs will default unless you setup specific DNS Servers on it.

That way, all PCs on my network use the DNS server addresses setup in my router.

So, all you need to do to switch to something like Comodo SecureDNS or OpenDNS servers is log into your router's admin screens, and plug in different addresses.

With my Linksys, I just go to http://192.168.1.1 and the DNS Server Addresses are on the main Network Setup page (shown as Static DNS 1, Static DNS 2, Static DNS 3), where you can simply plug in different DNS server addresses there.

More about Comodo SecureDNS here:

http://www.comodo.com/secure-dns/

More about OpenDNS here:

http://www.opendns.com/

You don't need to sign up for anything or pay any fees to use them. Just use the correct IP addresses for their Public DNS servers in your router's setup (or you can setup a specific PC to use them locally instead of getting the router's defaults).

Now... OpenDNS does let you do some custom filtering if desired. That's free for home users. Basically, you create a free account, then you can tell their DNS servers the IP addresses associated with your routers and setup custom filters for various types of content (porn, violence, social networking, etc.).

Then, each time their DNS servers see a lookup request from that IP address, it uses the filters you have setup. That can be handy if you want to block access to some types of content from kids, and since it's done at the DNS lookup level, you don't have to worry about trying to use custom browsers and local programs to block the content that require constant updates (since the DNS servers are updated all the time and you benefit from those updates without the need to install any software on a PC).

But, for simple DNS lookups, you don't need to do that kind of thing. Just plug in the DNS Server Addresses into your router for them, and you'll probably get faster page loads compared to the Comcast DNS Servers (thanks to faster lookups of IP addresses associated with content on the web pages), as well as filtering of sites hosting malicious content.

If you wanted to use OpenDNS as your primary DNS server for those types of lookups, with Comodo SecureDNS as a third choice (which will probably never be used anyway), just plug in these addresses into your router's admin screens for the DNS servers it uses (or leave the third one blank or reuse one of the OpenDNS server choices again to prevent any other DNS servers from being used):

208.67.222.222
208.67.222.220
8.26.56.26

Or, if you wanted to use Comodo SecureDNS as your primary and secondary options with OpenDNS as a third choice, just plug in these 3 DNS Server Addresses into your router's Admin screen for Network Setup:

8.26.56.26
8.20.247.20
208.67.222.220

That's the way I keep my router setup, as I've found that Comodo SecureDNS is pretty good about blacklisting sites with malicious content so that I'll get a warning screen when a browser attempts to access them.

By default, unless you've changed their local configurations to use specific DNS servers instead, your PCs are going to use the same DNS servers setup in your router (it polls the router for them the next time one gets a new connection, setting the local IP Addresses at the same time if the router is setup to act as a DHCP server (which is the way they are usually setup by default)).

So, it would only take you a minute or two to switch to different DNS servers via your router's setup screens.
--
JimC

ggeinec Contributing Member • Posts: 507
Re: Faster Page loads vs. Comcast DNS, nothing to install...

Outstanding reply, Jim. Thanks!

Jim Cockfield Forum Pro • Posts: 16,333
P.S. - local versus router setup...

By default, unless you've changed their local configurations to use specific DNS servers instead, your PCs are going to use the same DNS servers setup in your router (it polls the router for them the next time one gets a new connection, setting the local IP Addresses at the same time if the router is setup to act as a DHCP server (which is the way they are usually setup by default)).

Again, by default, your PCs are going to be setup to poll the router's DNS Servers by default (so setting up your router to use different DNS servers is the easiest way to approach it, so that all of your computers use the same DNS servers).

But, you can setup an individual PC locally to use different DNS servers, too.

With Win 7, if you right click on the icon for your network connection in your system tray and select Open Network Sharing Center, then right click on your network and select Properties, then right click on the adapter and select Properties for it, check your IPV 4 settings (you'll see that option in the list of items under the adapter), you can see how a local network connection is setup for DNS servers (or you can get to the same screens via Control Panel directly). Note that both Comodo and OpenDNS have IPV6 DNS servers available, too. But, I'd stick with IPV4, as your router may not support IPV6 anyway, and your Comcast Service may not support it either.

IOW, you can drill down to a screen like this one. Note how the bottom section is set to "Obtain DNS Server Automatically". I keep my router setup to use Comodo SecureDNS so that the PC gets the IP addresses for Comodo SecureDNS whenever it's restarted.

But, you can check the box to "Use the following DNS Servers" and plug in the addresses for something like Comodo SecureDNS or OpenDNS instead there. See my previous post for some of those DNS Server Addresses.

They're both probably a lot faster than your default Comcast DNS servers, too.

The OpenDNS and Comodo SecureDNS servers are both very fast from my location using different benchmarking tests to find out the DNS servers that provide the fastest lookup times (with OpenDNS testing as the two fastest DNS servers, and a Comodo SecureDNS server testing as the third fastest from my location, compared to a lot of other DNS servers).

You'll probably find that results for the fastest DNS servers will vary (due to varying server load at different times of day, etc.) when you rerun the tests periodically.

But, both OpenDNS and Comodo SecureDNS servers are setup to provide very fast lookups compared to most similar DNS servers, strategically located so that access is fast from virtually anywhere, and I'd trust them a lot more than some of the others around, since DNS Servers are often hacked to redirect traffic.

So, using them gives me faster page loads compared to the Comcast DNS servers, and gives me another layer of protection against malware, since they maintain blacklists of sites hosting malicious content so that your browser doesn't attempt to load that content.

IOW, you could just plug in the desired DNS Server Addresses on this screen for your network adapter (under the IPV4 settings in the list using the addresses in my last post for your Primary and Secondary DNS servers) by checking the box to "Use the following DNS Servers" and plugging in the Comodo or OpenDNS server addresses there.

But, it's easier just to use your router's Admin screens for Network Setup, plugging in different DNS Server Addresses there, and leave your PCs set to their defaults so that they're obtaining DNS servers automatically (as in the below screen capture), so that they'll use the DNS server addresses setup in your router.

Click Expand All to see the entire screen capture:

JimC

malch Forum Pro • Posts: 14,048
Re: Faster Page loads vs. Comcast DNS, nothing to install...

Jim Cockfield wrote:

The two fastest DNS Servers are OpenDNS Servers, and third fastest DNS Server is a Comodo SecureDNS Server.

I tried running namebench here. I haven't used that one before but I have used some other similar programs.

As expected, my ISP's primary name server was easily the fastest. That's the way it should be since all traffic goes over circuits that my ISP controls (not via the public network).

My service provider really does care about DNS and I trust them to administer their servers in an exemplary manner. I have some doubts about using other third parties. We've all seen the temptation for vendors to use failed DNS lookups as a means to generate revenue by displaying adverts. Network Solutions anyone?

Jim Cockfield Forum Pro • Posts: 16,333
faster using Namebench, too.

malch wrote:

Jim Cockfield wrote:

The two fastest DNS Servers are OpenDNS Servers, and third fastest DNS Server is a Comodo SecureDNS Server.

I tried running namebench here. I haven't used that one before but I have used some other similar programs.

OpenDNS tests faster using Namebench from here, too (see my notes about other tests in my previous post to this thread that included a link to Namebench -- I just didn't mention that Namebench was what the other test I linked to was named).

Here's what it showed the last time I tested with namebench. I saved the html page with the results on it:

http://dl.dropbox.com/u/4536228/namebench_2012-02-05_1846.html

Note that it recommended using 208.67.222.220 (one of the OpenDNS server IP addresses shown in my previous post to this thread for it), and if you look at the tables, the alternate of 208.67.222.222 shown in my previous post for OpenDNS is almost as fast from here (and I've noticed slightly different results when rerunning it anyway, as server and network load will impact the results).

As expected, my ISP's primary name server was easily the fastest. That's the way it should be since all traffic goes over circuits that my ISP controls (not via the public network).

That's not the case with Comcast's DNS servers (and the OP is using Comcast), at least not from Savannah, GA. OpenDNS and Comodo SecureDNS are both faster.

You also get filtering of sites hosting malicious content with DNS Servers like OpenDNS or Comodo SecureDNS (which wasn't included in the last Namebench test I ran, but was in the last test I used today with the GRC program, ranking third behind the two main OpenDNS servers).

I think Namebench may be including Comodo in the newer tests now. But, I haven't run it lately.

JimC

kelpdiver Veteran Member • Posts: 3,145
Re: faster using Namebench, too.

Jim Cockfield wrote:

That's not the case with Comcast's DNS servers (and the OP is using Comcast), at least not from Savannah, GA. OpenDNS and Comodo SecureDNS are both faster.

just say no to Comcast...this would be yet another reason why.

My router kicked everyone's ass - and it's a WRT54G rev 1.1. My ISP, no surprise, isn't a cable ISP, came next, with Level 3 beating down OpenDNS and their error spamming.

CAcreeks Forum Pro • Posts: 11,057
Very interesting Namebench results

I had never heard of ComodoDNS - thanks Jim.

Looks like there might be faster DNS servers than OpenDNS, but OpenDNS "feels" faster than our DSL provider's DNS. Scroll down to see namebench response graphs:

http://code.google.com/p/namebench/

malch Forum Pro • Posts: 14,048
Re: Integrity

CAcreeks wrote:

Looks like there might be faster DNS servers than OpenDNS, but OpenDNS "feels" faster than our DSL provider's DNS. Scroll down to see namebench response graphs:

Speed and availability are important considerations when selecting a DNS service/provider. However, integrity is important also. Keep in mind that:

1. A rogue DNS server can reroute your https://yourbank.com/ requests to a completely fake server operated by organized criminals! This isn't hypothetical -- it really happens.

2. A poorly managed DNS server can be vulnerable to attack such that bad guys can hack it resulting in https://yourbank.com/ being directed to a completely fake server operated by organized criminals! This isn't hypothetical -- it really happens.

3. Some DNS providers are tempted to direct failed lookups to one of their own servers which displays a "helpful" search page. This is basically an opportunity for them to make advertizing revenue off the back of your typos. This isn't hypothetical -- it really happens. In 2003, even Verisign/Network Solutions as the trusted keepers of the root of the DNS system were so tempted. They were forced to back off after a struggle:

http://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html

Keep these facts in mind when you configure your DNS settings.

AxelR Senior Member • Posts: 1,169
Re: Integrity

malch wrote:

CAcreeks wrote:

Looks like there might be faster DNS servers than OpenDNS, but OpenDNS "feels" faster than our DSL provider's DNS. Scroll down to see namebench response graphs:

Speed and availability are important considerations when selecting a DNS service/provider. However, integrity is important also. Keep in mind that:

1. A rogue DNS server can reroute your https://yourbank.com/ requests to a completely fake server operated by organized criminals! This isn't hypothetical -- it really happens.

2. A poorly managed DNS server can be vulnerable to attack such that bad guys can hack it resulting in https://yourbank.com/ being directed to a completely fake server operated by organized criminals! This isn't hypothetical -- it really happens.

3. Some DNS providers are tempted to direct failed lookups to one of their own servers which displays a "helpful" search page. This is basically an opportunity for them to make advertizing revenue off the back of your typos. This isn't hypothetical -- it really happens. In 2003, even Verisign/Network Solutions as the trusted keepers of the root of the DNS system were so tempted. They were forced to back off after a struggle:

http://bcn.boulder.co.us/~neal/ietf/verisign-abuse.html

Keep these facts in mind when you configure your DNS settings.

Not counting that the DNS service you are connected to knows exactly what sites you visited, in which order, how often etc etc.

Jim Cockfield Forum Pro • Posts: 16,333
So what (advert supports suggestions for mistyped URLs)

malch wrote:

3. Some DNS providers are tempted to direct failed lookups to one of their own servers which displays a "helpful" search page. This is basically an opportunity for them to make advertizing revenue off the back of your typos.

Sure they do that (OpenDNS, Comodo SecureDNS, etc.). They have to pay for the free DNS services somehow.

So, if you're using a third party DNS service and type a URL that's not in their database, you'll usually see an error page about the URL being invalid, with advert based links to sites with similar URLs (often including the same site that you misspelled in the address bar, too)

That's not a big deal from my perspective, as rather than get an error page that the URL was mistyped with nothing else on it, you get an error page with suggestions that may include the site you're trying to reach to begin with that you can just link on a link for.

If the DNS service providers make a few bucks on those advert supported links on the error page when I mistype a site's address, I could care less.

JimC

Jim Cockfield Forum Pro • Posts: 16,333
make that click on a link. ;-)

Jim Cockfield wrote:

So, if you're using a third party DNS service and type a URL that's not in their database, you'll usually see an error page about the URL being invalid, with advert based links to sites with similar URLs (often including the same site that you misspelled in the address bar, too)

That's not a big deal from my perspective, as rather than get an error page that the URL was mistyped with nothing else on it, you get an error page with suggestions that may include the site you're trying to reach to begin with that you can just link on a link for.

Make that "click on a link " versus "link on a link".

No big deal, as the site I misspelled is often on the error page that comes up when using third party DNS servers anyway.

Also, for many common misspellings, you're probably going to hit a site that has that misspelled name registered so that it's in the databases used by DNS Servers, no matter what DNS Server provider you're using; so that you end up on a web site using that misspelled name. That has nothing to do with the DNS provider you're using.

But, for misspelled addresses that are not registered, I could care less if the DNS Server Provider gives me an error page about it that includes suggested sites with similar spellings that is based on advert supported suggestions.

If the DNS service providers make a few bucks on those advert supported links on the error page when I mistype a site's address, I could care less.

JimC

malch Forum Pro • Posts: 14,048
Re: So what (advert supports suggestions for mistyped URLs)

Jim Cockfield wrote:

That's not a big deal from my perspective, as rather than get an error page that the URL was mistyped with nothing else on it, you get an error page with suggestions that may include the site you're trying to reach to begin with that you can just link on a link for.

It's a big deal for website developers and QA folks. And for those that develop website QA tools and similar applications! You need to know when a hostname does not resolve! Hiding that information with an ad-laden web page is a major problem!
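
The NXDOMAIN rewriting raised in the "Integrity" post and in the post above can be checked for from the client side. This is an added example, not part of any poster's message: it builds a DNS query for a name that should not exist and classifies the reply. The random `.com` probe name, the function names and the sample replies (which use the 192.0.2.10 documentation address) are constructed for illustration.

```python
import secrets
import socket
import struct

NOERROR, NXDOMAIN = 0, 3      # DNS response codes (RFC 1035)
TYPE_A, CLASS_IN = 1, 1

def build_query(name, txid):
    """Encode a recursive A/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_A, CLASS_IN)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (txid, rcode, list of IPv4 addresses from A records in the answer section)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, addrs

def classify(msg, txid):
    """Verdict for a reply to a query about a name that should not exist."""
    reply_id, rcode, addrs = parse_response(msg)
    if reply_id != txid:
        return ("mismatched-id", [])
    if rcode == NXDOMAIN:
        return ("nxdomain", [])                    # resolver reported the failure
    if rcode == NOERROR and addrs:
        return ("rewritten", addrs)                # failure replaced by an address
    if rcode == NOERROR:
        return ("nodata", [])
    return ("rcode-%d" % rcode, [])

def sample_response(query, rcode, addr=None):
    """Constructed reply (not captured traffic): echo the question, optionally add one A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer

def probe_resolver(resolver_ip, timeout=3.0):
    """Live check: ask `resolver_ip` for a random name that should not be registered."""
    name = secrets.token_hex(12) + ".com"          # assumption: random label is unregistered
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return name, classify(data, txid)

if __name__ == "__main__":
    q = build_query("nx-probe-constructed.com", 0x1234)
    samples = (("plain resolver", sample_response(q, NXDOMAIN)),
               ("rewriting resolver", sample_response(q, NOERROR, "192.0.2.10")))
    for label, reply in samples:
        print(label, classify(reply, 0x1234))
```

To test a real resolver, call `probe_resolver()` with its IP address; several probes with fresh names give a more reliable verdict than one.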

kelpdiver Veteran Member • Posts: 3,145
Re: Integrity

AxelR wrote:

Not counting that the DNS service you are connected to knows exactly what sites you visited, in which order, how often etc etc.

Not entirely. Results are cached locally, potentially by your router and Windows is notoriously bad for caching data forever, so the DNS server knows you asked once, but they're not going to have good data on how frequently. You can also create local entries for any domains if you wanted to conceal that from them.

Jim Cockfield Forum Pro • Posts: 16,333
they're not trying to hide it

malch wrote:

Jim Cockfield wrote:

That's not a big deal from my perspective, as rather than get an error page that the URL was mistyped with nothing else on it, you get an error page with suggestions that may include the site you're trying to reach to begin with that you can just link on a link for.

It's a big deal for website developers and QA folks. And for those that develop website QA tools and similar applications! You need to know when a hostname does not resolve! Hiding that information with an ad-laden web page is a major problem!

They're not hiding anything. For example, if I type in http://www.malche.com versus http://www.malch.com using Comodo SecureDNS, I get an error screen with an obvious "Sorry, " http://www.malche.com " does not exist or could not be found" error on it.

It's got some advert links under that error. But, the error is very obvious. Also, when I misspell a site name like bhphotovideo.com, I usually see a paid advert for them in the adverts list anyway that links to them.

When I try the same thing with OpenDNS, I see " http://www.malche.com is not loading" at the top of the screen, with a link labeled "why am I here" on the right side of the page with more info about what may be wrong.

That text is not as obvious as the larger error code text you see with Comodo Secure DNS. But, the page is more helpful, in that it tries to guess the site I may have wanted to type in (similar to the way a google search behaves if you type in the wrong spelling for a common search), asking you "did you mean xxxxx" instead, with more realistic suggested links versus just advert links.

But, I don't have any issues with the way either service handles it versus a "plain jane" error screen with nothing else on it other than the address you typed in couldn't be reached.

JimC
