OpenDNS - no thanks.
OpenDNS is a project with incredibly noble intentions, but it is badly implemented.
Fundamentally, the service is a huge altered dns cache. You use OpenDNS’s Open Resolvers as your own desktop recursion servers. You therefore see the ‘view’ of the internet naming system that OpenDNS give you. The idea is that if you typo this site as ‘www.andyd.nt’ it’ll figure out what you really mean and send you here. Ace.
The service doesn’t stop here. It implements a Verisign Sitefinder style service - try to visit the page ‘iwanttobuyaponyplease.com’, and should it not resolve, you get a page of useful ads pointing you in the right direction. Fine in principle. We’ll talk about the merits of doing this in DNS later, but it’s not a horrible ambition.
OpenDNS then aims to make the internet a safer place. OpenDNS will alter your view of DNS and point you instead to a page saying ‘site blocked’, should you stumble upon a site which is deemed untrustworthy.
The service is financed through clicks to the ads you see when you mistype a url, and will probably also be financed by reporting, if enough people use it.
The problems start when you consider that you are trusting a view of what is safe and what is not to a company who think forcing a redirect from ‘goggle.com’ to ‘google.com’ because “This site is lame” is acceptable. It is not.
The next problem is the implementation. ‘The internet is not the web’ will always ring true. Changing the way DNS works changes the way mail and every other network service that relies on DNS works. Dropping a wildcard DNS entry into every top-level zone means mail behaves unpredictably if you typo an address.
If OpenDNS is received with open arms, it will also put a nail in the coffin of DNSSEC, which is a real attempt at improving security online. DNSSEC relies on offering resource records that identify the next (alphabetically) resource record name (and, in a recent protocol revision, a hash of the next record name). If every single resource record is valid, we can’t rely on these checks when we want to perform a secure zone transfer.
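As an added illustration of the conflict just described (my own toy code, not anything from the post or from OpenDNS): the NSEC chain of a small constructed zone, and what a validating client makes of a resolver that answers NOERROR for a name the chain proves absent. The zone names, function names and status strings are all invented for this example; real NSEC validation also checks signatures, closest enclosers and wildcards, which are left out here.

```python
# Added example (not from the original post): toy DNSSEC NSEC chain over a
# constructed zone, checked against answers a rewriting resolver might give.

def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: labels compared from the
    right, case-insensitively (plain ASCII names only, for brevity)."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def build_nsec_chain(zone_names):
    """Return (owner, next) pairs in canonical order; the last record wraps
    back to the apex, as the NSEC chain of a signed zone does."""
    ordered = sorted(set(zone_names), key=canonical_key)
    n = len(ordered)
    return [(ordered[i], ordered[(i + 1) % n]) for i in range(n)]

def nsec_covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and nxt, so this NSEC
    record proves it does not exist. The wrap-around record covers
    everything after its owner."""
    k_owner, k_next, k_q = (canonical_key(x) for x in (owner, nxt, qname))
    if k_owner < k_next:
        return k_owner < k_q < k_next
    return k_q > k_owner or k_q < k_next

def proves_nonexistent(chain, qname):
    """Does the chain prove qname absent? Names outside the zone and names
    that are owners in the chain are never 'proven absent'."""
    apex_key = canonical_key(chain[-1][1])
    k_q = canonical_key(qname)
    if k_q[:len(apex_key)] != apex_key:
        return False
    if any(canonical_key(owner) == k_q for owner, _ in chain):
        return False
    return any(nsec_covers(o, n, qname) for o, n in chain)

def validate(chain, qname, rcode):
    """Classify a resolver's answer against the signed chain. A NOERROR
    answer for a provably absent name (typo redirection, ad page) is the
    conflict the post describes: the client must treat it as bogus."""
    if proves_nonexistent(chain, qname):
        return "secure-nxdomain" if rcode == "NXDOMAIN" else "bogus"
    return "exists"

ZONE = ["andyd.net", "www.andyd.net", "mail.andyd.net"]  # constructed zone

if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    for q, rc in [("ww.andyd.net", "NOERROR"), ("ww.andyd.net", "NXDOMAIN")]:
        print(q, rc, "->", validate(chain, q, rc))
```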
On the upside, OpenDNS is not sitefinder. Unless your employers force it down your neck, you can simply avoid this dns bending by not using the service.
As I have tried to point out, the ambitions here are noble. If we want to protect users of the web (a layer 7 protocol), then the security has to be written into layer 7. I can see a strong use for a Firefox plugin which does the ‘good’ things that OpenDNS does (but the plugin would respond to a valid DNS NXDOMAIN, and silently redirect to a helper page). DNSBLs for abusive content would appear if browser plugins that understood them appeared and were widely supported by the user base.
If someone wants to write this plugin, I’ll definitely help beta test. :-)
Comments
2 Responses to “OpenDNS - no thanks.”
January 15th, 2007 at 4:19 pm
Original comments on this article - one from the founder of Ultra DNS:
by David Ulevitch on Sun 06 Aug 2006 10:48 PM BST
Hi!
Your comments and some of your concerns about what we’re doing are not at all new and we’re certainly well aware of them. In fact we’ve addressed nearly all of them.
The important thing you decided to ignore is that for people who just want straight DNS that benefits from a larger DNS network and more robust and reliable service, we provide that too, at no cost. You can say we’re going to sell your data to the highest bidder but that just means you haven’t read my privacy policy. :-)
Everything we do is to give users and networks choice. For far too long ISPs have just eked by with a mediocre DNS service that offers you zero choice. Just like you have a firewall and anti-spam system, this is the same. We’ve built the platform and tools on top of a reliable network run by people who are pretty clueful. If you just want DNS, that’s cool. If you want your mom or neighbor or brother or sister to have some phishing and malware protection, that’s fine too. You might know there is more to the net than the web but for 99% of most surfers out there, that’s just not true and for them we’re a great solution.
As to you trusting me, well, I can’t tell you to trust me but I’ll say that people have trusted me for years at EveryDNS and I’ve never let them down. I don’t think I’m going to be letting anyone down here either.
Have a good Sunday. :-)
-david
January 15th, 2007 at 4:20 pm
My responses:
Hi, David - Thanks for replying.
Of course I understand that choice is a good thing. If 99% of internet users only use the web, why are my email servers so busy? Why are services like Skype being touted as the next killer apps?
I have already said your motives are fine, but please respond to my claims that layer 7 protection should stay in layer 7. Protection for ‘the web’ shouldn’t pollute our view of DNS. Lastly, I don’t want you to think this claim about trustworthiness is a personal slur - I’m just raising questions about whether an independent third party asking for trust should claim a website should be blocked because the site is ‘lame’…
Oh - and the privacy policy does not prevent you from selling or making use of aggregated (non-personally identifiable) data, such as most popular sites, etc.