[Infowarrior] - Faster, safer Internet with OpenDNS

Richard Forno rforno at infowarrior.org
Wed Jan 31 12:44:51 EST 2007


NewsForge
The Online Newspaper for Linux and Open Source
http://internet.newsforge.com/
Title            Faster, safer Internet with OpenDNS
Date            2007.01.31 4:02
Author            Mayank Sharma
Topic            
http://internet.newsforge.com/article.pl?sid=07/01/23/1712221

The domain name system (DNS) maps human-understandable Web site addresses
into numeric IP addresses. Launched in July 2006, OpenDNS adds a few free
services on top of the traditional DNS to block phishing Web sites and
auto-correct common misspelled URLs. And thanks to some clever traffic
routing and load-balancing technology, OpenDNS can also deliver Web pages
faster.

"OpenDNS runs a really big, smart cache, so every OpenDNS user benefits from
the activities of the broader OpenDNS user base," says Allison Rhodes,
community manager of OpenDNS. She says OpenDNS runs a high-performance
network that is geographically distributed and serviced by several redundant
connections. Currently, OpenDNS has four servers in the US and one in the
UK. Live system statistics are available for all the servers. You can also
view the current status of the servers and daily DNS requests for the past
30 days. On a typical day last month, Rhodes says OpenDNS responded to half
a billion DNS queries.

"We have large clusters of servers in each of our five locations," says
David Ulevitch, founder and CEO of OpenDNS. "We not only distribute our load
locally within each cluster, but we distribute our load globally using the
border gateway protocol. Every OpenDNS user always reaches our closest
datacenter automatically, no matter where he is on the planet. This means
that each time we bring up a new location we increase our reliability,
decrease latency, and increase performance for our users."

But with servers only in the US and UK, what about users in, for instance,
Asia? Ulevitch explains that users in Asia are serviced through the Seattle
and Palo Alto datacenters and get a better performance from OpenDNS than
their local nameserver, because latency is not the only determinant in
nameserver resolution performance. "We operate a high performance nameserver
with a large cache on our widely deployed network, which means we are also
very close to other nameservers on the Internet."

I tested that claim from my home base in India. After switching to OpenDNS,
content-laden Web sites like news.com, cnn.com, bbcworld.com, and
myspace.com loaded a lot more quickly, ping times were considerably lower,
and query response times (measured with dig -x site) to news.com, lxer.com,
osnews.com, distrowatch.org, and bbcworld.com were lower by 10 to 25%
compared to times when I was using my ISP's DNS.

Users see benefits

My tests confirmed what other OpenDNS customers have found. Robert Grabowsky
is the vice president of Ra Security Systems, which provides managed
security services for companies, universities, and government agencies with
between 30 and 10,000 users. "With so many users to satisfy," Grabowsky
says, "it's important to tune security devices to balance the greatest
protection with the best possible performance. Many aspects of Web browsing
performance have been easily controllable, except for DNS." He believes that
administrators don't fully appreciate the benefits of DNS. "Once they get it
to work, they set it and forget it without much further thought about
performance or anything else for that matter."

Grabowsky chose OpenDNS primarily for its speed. "For Web pages that
reference multiple domains, browser page rendering can be the difference
between a couple of seconds and 10, 15, or 20 seconds. That is a pretty
significant reduction in time, which translates to an increase in user
satisfaction."

More than just a fast resolver

Apart from loading Web pages faster, OpenDNS warns naive users when they try
to visit a phishing site. "Not only are their DNS responses quick,"
Grabowsky says, "but they give back even more by protecting users against
known active phishing sites."

OpenDNS uses PhishTank, which is an online collaborative anti-phishing
database. The PhishTank data, when tied to OpenDNS, protects users by
blocking DNS lookup queries that match an entry in the database. "The
PhishTank data," says Ulevitch, "comes from the community. Members of
PhishTank submit suspected phishing sites via the Web, email, or API. Other
members of the community verify whether a submission is or is not a phish.
Each member's accuracy over time affects the influence of their vote. Those
members who have contributed the most, and been the most accurate, have the
most weight in the community decision about whether a site is phishing or
not."

Another benefit of using OpenDNS is convenience. OpenDNS corrects common
spelling mistakes on the fly, so if you accidentally type ".cm" or ".cmo"
instead of ".com," you'll still get to the site you intended to visit. If
the site doesn't exist, you'll end up on a search results page with
advertisements. That's where OpenDNS makes money. "OpenDNS makes money by
serving clearly labeled advertisements on search results pages where we
cannot resolve the URL you're trying to get to," Rhodes says.

To some this might bring back memories of VeriSign's highly unpopular Site
Finder service. VeriSign used Site Finder to display information about
products by redirecting users who tried to access unregistered domains.
OpenDNS says that unlike VeriSign, OpenDNS is an opt-in service.
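
Whether a given resolver redirects lookups for non-existent names can be checked from the client side. The following is an added example, not code from NewsForge or OpenDNS; it assumes the redirect shows up at the DNS layer as a NOERROR reply carrying an answer where a standard resolver would return NXDOMAIN. The function names and the sample replies are constructed for illustration.

```python
import os
import socket
import struct

OPENDNS = "208.67.222.222"  # resolver address given in the article

def build_query(name, qid):
    """Encode a recursive A/IN query in DNS wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, qid):
    """'nxdomain', 'rewritten' (answers for a name that should not exist),
    'empty' (NOERROR, no answers) or 'error'."""
    if len(response) < 12:
        return "error"
    rid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if rid != qid or not flags & 0x8000:  # wrong transaction ID or not a reply
        return "error"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0:
        return "rewritten" if ancount else "empty"
    return "error"

def sample_response(query, rcode, addr=None):
    """Constructed reply for offline use (not captured traffic)."""
    head = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:  # one A record whose owner name points back at the question
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton(addr)
    return head + query[12:] + answer

def probe(resolver=OPENDNS, timeout=3.0):
    """Live check: query a random, almost certainly unregistered .com label."""
    qid = int.from_bytes(os.urandom(2), "big")
    name = os.urandom(12).hex() + ".com"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(512)
    return name, classify(data, qid)

if __name__ == "__main__":
    q = build_query("nonexistent-label.example", 0x1234)
    print(classify(sample_response(q, 3), 0x1234))               # standard resolver
    print(classify(sample_response(q, 0, "192.0.2.1"), 0x1234))  # redirecting resolver
```

Running probe() against both the ISP resolver and OpenDNS shows which of them hands back an address for a name that does not exist, which matters for any software that treats NXDOMAIN as the signal that a host is absent.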

In December OpenDNS added another free service called CacheCheck to assist
domain owners. Rhodes says, "If you are moving a domain from one DNS host to
another, CacheCheck can help you make that transition smoother. In effect,
you tell OpenDNS to 'refresh now,' ahead of Time-To-Live (TTL) expiration."
This will refresh the OpenDNS cache, flushing the old entry, and will direct
visitors to the new location of a domain. CacheCheck can also be used by
people trying to visit a domain that isn't resolving. It helps explain the
reasons for a domain's non-availability (for example, non-responsive
nameservers) and in some cases can help fix the problems themselves by
refreshing the cache.

Appeals to ISPs

With its speed, phishing protection, typo correction, and control, OpenDNS
naturally appeals to ISPs, who can use OpenDNS for free. Jeffrey A. Campbell
is the general manager of Express High Speed Internet, a broadband ISP in
the Turks & Caicos Islands, British West Indies. "Our connectivity is via
sub-sea fiber to the US Internet backbone. Our upstream provider has poor US
connectivity, and as a result DNS lookups were taking a very long time to
complete," Campbell says.

He says that since Express High Speed started using OpenDNS, it has saved
80ms+ in lookup time. "As we do about 3,400 Web requests a minute, and move
approximately 65GB a day of Web data, this can make a huge difference in
perceived end user response time. Overall, unscientifically, users noticed a
1-3sec improvement in loading a complex Web page like www.news.com."

Campbell says, "We added OpenDNS to our network as our primary forward
resolvers on both of our large Web caches (2TB and 400GB), which handle our
Web load 80/20. We run Bind9 locally on both of the machines to cache
responses so that we don't introduce extra latency when the cache confirms
each IP."

Campbell says his users appreciate other features of OpenDNS as well, such
as typo correction and phishing protection. "I've been in the ISP business
since 1994 and I think [OpenDNS] is one of the most dramatic and easily
implemented performance enhancements available."

Using OpenDNS

Setting up OpenDNS is fairly simple. There's no software to download. All it
requires is changing your default DNS nameservers to those of OpenDNS. If
you know where to specify the DNS nameservers, simply replace your existing
ones with OpenDNS's 208.67.222.222 and 208.67.220.220. If you aren't sure,
use OpenDNS's detailed instructions with screenshots for several popular
routers, operating systems, and mobile phones.

You can also register a free account with OpenDNS that will allow you to
control the DNS features provided by OpenDNS. You can, for example, disable
typo correction and phishing protection on your IP address or enable dynamic
DNS update if you want to use OpenDNS and don't have a static IP address. In
addition to this, users also get a couple of graphs showing traffic details
on their IP address for the last 30 days.

"There is no other service," Ulevitch says, "that delivers different DNS
preferences to different users in real-time, giving the user management of
network preferences at the DNS level." He says that this transfer of control
of DNS settings to users signifies the "open" in the company name.

As to the future of OpenDNS, Rhodes says, "We're seeing that ISPs and
enterprises have found tremendous value in the service we provide. So as we
continue to improve OpenDNS for our current customers, we're also working on
features that will be useful to ISPs and enterprises."

Links

   1. "OpenDNS" - http://www.opendns.com/
   2. "Live system statistics" - https://www.opendns.com/stats/
   3. "current status of the servers and daily DNS requests for the past 30
days" - http://system.opendns.com/
   4. "border gateway protocol" - http://en.wikipedia.org/wiki/BGP
   5. "Ra Security Systems" - http://www.rasecurity.com/
   6. "PhishTank API" - http://www.phishtank.com/api_documentation.php
   7. "PhishTank" - http://www.phishtank.com/
   8. "Site Finder service" - http://en.wikipedia.org/wiki/Site_Finder
   9. "CacheCheck" - http://www.opendns.com/cache/index.php
  10. "appeals to ISPs" - http://www.opendns.com/isp/
  11. "Express High Speed Internet" - http://www.express.tc/
  12. "detailed instructions" - http://www.opendns.com/start/
  13. "register a free account" - https://www.opendns.com/account/
  14. "dynamic DNS" - http://www.opendns.com/account/dynamic_dns.php

© Copyright 2007 - NewsForge, All Rights Reserved



