News & Notes from the OpenDNS team

Happy 25th .com!

by Allison Rhodes on Mar 15th, 2010

The primary job of the DNS is to convert domain names to IP addresses, which is how people navigate the Internet. DNS does a lot more than that, but that’s the basic concept. As you can imagine, employees at a DNS company spend a good amount of time explaining this function. Everyone has their favorite analogy. I’ve found the best to be “DNS is like the phone book for the Internet. You type in a name and it figures out the number.”

If DNS is the phone book, domain names are the listings. To that point, today is the 25th anniversary of the first-ever registered domain in .com, the top-level domain that accounts for the vast majority of Web sites on the Internet, and in particular for the Web sites that receive the most traffic.

As we reflect today on the unprecedented growth the Internet has seen, and think about that first-ever registered domain - Symbolics.com - here’s some background on .com domains from a San Francisco Chronicle article published today.

  • In 1985, only six entities registered a .com, one of six top-level domain names created a year earlier in a reorganization of the early Internet’s naming bureaucracy. At the time, .cor (short for corporate) almost beat .com as the designation for commercial Internet addresses.
  • By 1992, fewer than 15,000 .com domains were registered, but the number would flourish after Web browsers brought mainstream consumers onto the Web.
  • Today there are 84 million domain names, including 11.9 million e-commerce and online business sites, 4.3 million entertainment sites, 3.1 million finance-related sites and 1.8 million sports sites.

The first ten registered .com domains:
Symbolics.com - March 15, 1985
BBN.com - April 24, 1985
Think.com - May 24, 1985
MCC.com - July 11, 1985
DEC.com - Sept. 30, 1985
Northrop.com - Nov. 7, 1985
Xerox.com - Jan. 9, 1986
SRI.com - Jan. 17, 1986
HP.com - March 3, 1986
Bellcore.com - March 5, 1986

No Comments | Filed in General

OpenDNS adopts DNSCurve

by Matthew Dempsky on Feb 23rd, 2010

Editor’s note: Below is a fairly technical post from OpenDNS engineer and noted security researcher Matthew Dempsky introducing DNSCurve and sharing some thoughts on DNSSEC. Readers of this blog know Matthew has been credited with finding vulnerabilities in both Adobe Flash Player and djbdns.

Everyone in the DNS community agrees that DNS’s security model is woefully outdated. Conceived at a time when there were fewer computers on the Internet than are housed by even today’s smallest data centers, DNS unfortunately has no strong protection against malicious parties hoping to exploit web users. What little protection it does offer is mostly derived from novel uses of non-security features (e.g., UDP source port and transaction ID randomization).

For more than 15 years, the IETF has been working on DNSSEC, a set of extensions that apply digital signatures to DNS data. Millions of dollars in government grants and several reboots from scratch later, DNSSEC is just starting to see real-world testing. And that testing is minimal — only about 400 of the more than 85,000,000 .com domains support DNSSEC, fewer than 20% of US government agencies met their mandated December 31, 2009 deadline for DNSSEC deployment, and only two of the thirteen root zone name servers are testing with even dummy DNSSEC data.

Aside from its lack of adoption, DNSSEC isn’t even a very satisfactory solution. It adds tremendous complexity to an already fragile protocol, significantly increases DNS traffic in size, encourages questionable security practices, and hamstrings many modern uses of DNS.

Details

  • Complexity: DNSSEC has many options for enabling and disabling validation, with conflicting interpretations of how to handle the various flag bits (the EDNS0 DO bit and the CD and AD header bits); considering that people still disagree about how to handle features of DNS that have been present since its inception, I don’t foresee these disagreements being resolved anytime soon.
  • DNS traffic: Plain DNS responses over UDP are limited to 512 bytes unless the client advertises a larger buffer with EDNS0. DNSSEC-enabled responses regularly exceed 1500 bytes, the Ethernet MTU, so they require IP fragmentation or a fallback to TCP. Fragments are frequently dropped by misconfigured firewalls, and TCP is much slower than the default UDP transport.
  • Questionable security practices: Most users are encouraged to use 512-bit or 1024-bit RSA keys. A group of hobbyists recently worked together to factor all of the 512-bit keys Texas Instruments used to sign its calculator firmware, and they did so quickly and easily. RSA (the company) and NIST have been recommending a move to 2048-bit keys since 2003 and 2007, respectively. Unfortunately, the DNSSEC standards developers are hesitant because bigger keys mean slower signing and validation and even larger responses, which aggravates the traffic-size problem above.
  • Hamstrings modern uses: High-traffic DNS servers can’t afford to sign every response packet on the fly, so they pre-compute signatures over static data. This limits how companies like Akamai and Google, or projects like the NTP Pool, can use DNS for global load balancing and for routing users to their nearest servers. It also fundamentally hampers services like OpenDNS, which use DNS to provide content filtering and search services.
  • Efficiency: RSA is slow and its signatures are bulky; its main advantage is that everyone already knows it. DNSSEC can in principle support other algorithms, but the IETF has largely ignored efforts from interested parties to add faster and stronger ones.

So while debate about DNSSEC wears on, we’re excited to announce that OpenDNS has fully adopted another proposed DNS security solution: DNSCurve.

DNSCurve is a recent DNS extension proposal that is fully backwards compatible with the existing DNS protocol, uses much stronger cryptography than DNSSEC, and, most importantly, is much simpler and much easier to implement and manage. The most significant technical distinction is that DNSSEC uses large and slow per-recordset signatures while DNSCurve uses small and fast per-packet encryption and authentication: each query and response is encrypted and authenticated as a whole under a key agreed with Curve25519, and a server advertises its public key simply by encoding it in its NS name, so nothing new is required from the parent zone or from resolvers that don’t understand it.

OpenDNS’s DNS resolvers already fully support DNSCurve today and use it whenever possible. Of course, authoritative servers need to be upgraded to support DNSCurve as well, but it’s our hope that this announcement will help to get the ball rolling on DNSCurve adoption. If you’re an authoritative DNS provider and are interested in deploying DNSCurve, we’re interested in hearing from you.
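To make the "backwards compatible" and "per-packet" points concrete, here is an added example (not OpenDNS's, Matthew's or the DNSCurve project's own code) of the two parts of DNSCurve a resolver must get right before any cryptography happens: recovering the server's Curve25519 public key from its NS name (the label "uz5" followed by 51 base-32 characters) and framing queries and responses in the streamlined format. The box contents are passed around as opaque bytes, since the actual NaCl crypto_box (Curve25519 + XSalsa20 + Poly1305) would need a library; the alphabet, bit packing, magic strings and nonce layout are those of the DNSCurve specification, and the sample keys and nonces are constructed for the example.

```python
# Added example, not OpenDNS's or DNSCurve's own code. It shows the two
# backwards-compatible pieces of DNSCurve that need no cryptography library:
# (1) the server's 32-byte Curve25519 public key is published inside its NS
#     name as the label "uz5" + 51 base-32 characters (255 bits), so legacy
#     resolvers see an ordinary hostname; and
# (2) the "streamlined" packet framing, in which each query/response is one
#     authenticated, encrypted box rather than a set of per-RRset signatures.
# The box itself is NaCl crypto_box (Curve25519 + XSalsa20 + Poly1305); it is
# passed in here as opaque bytes so the example runs without PyNaCl.

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"   # DNSCurve base-32 alphabet
_VALUE = {c: i for i, c in enumerate(ALPHABET)}
KEY_PREFIX = "uz5"
KEY_CHARS = 51                                    # 51 * 5 = 255 bits
QUERY_MAGIC = b"Q6fnvWj8"
RESPONSE_MAGIC = b"R6fnvWJ8"


def encode_key(key: bytes) -> str:
    """32-byte Curve25519 public key -> 54-character DNS label.

    Bits are packed little-endian: character i holds bits 5i..5i+4 of the
    key read as a little-endian integer. Only 255 bits are carried, so the
    top bit of the last byte must be clear (true for canonical keys).
    """
    if len(key) != 32:
        raise ValueError("public key must be 32 bytes")
    if key[31] & 0x80:
        raise ValueError("top bit set: key does not fit in 255 bits")
    n = int.from_bytes(key, "little")
    return KEY_PREFIX + "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(KEY_CHARS))


def decode_key(label: str) -> bytes:
    """Inverse of encode_key; raises ValueError on anything malformed."""
    label = label.lower()            # DNS names are case-insensitive
    if len(label) != len(KEY_PREFIX) + KEY_CHARS or not label.startswith(KEY_PREFIX):
        raise ValueError("not a DNSCurve key label")
    n = 0
    for i, ch in enumerate(label[len(KEY_PREFIX):]):
        if ch not in _VALUE:
            raise ValueError(f"invalid base-32 character {ch!r}")
        n |= _VALUE[ch] << (5 * i)
    return n.to_bytes(32, "little")


def server_key_from_ns(nsname: str):
    """Key discovery as a DNSCurve resolver does it: look at the first label
    of the NS name. Return the key, or None, in which case the resolver
    just speaks plain DNS to that server (the fallback that lets DNSCurve
    be deployed one authoritative server at a time)."""
    first = nsname.rstrip(".").split(".")[0]
    try:
        return decode_key(first)
    except ValueError:
        return None


def frame_query(client_pk: bytes, nonce: bytes, boxed_query: bytes) -> bytes:
    """Streamlined-format query: magic | client public key | 12-byte nonce | box.
    The entire inner DNS packet lives inside the box."""
    if len(client_pk) != 32 or len(nonce) != 12:
        raise ValueError("client key must be 32 bytes and nonce 12 bytes")
    return QUERY_MAGIC + client_pk + nonce + boxed_query


def parse_response(packet: bytes, client_nonce: bytes):
    """Streamlined-format response: magic | 24-byte nonce | box.
    The first 12 nonce bytes must echo the client's nonce; a mismatch means
    the packet is not the answer to our query (stale, spoofed or replayed),
    so it is dropped before any decryption is attempted."""
    if not packet.startswith(RESPONSE_MAGIC) or len(packet) < 8 + 24:
        return None
    nonce = packet[8:32]
    if nonce[:12] != client_nonce:
        return None
    return nonce, packet[32:]
```

Note that the 54-character key label fits comfortably inside the 63-octet limit on a DNS label, which is why the key can ride in an ordinary NS name at all; a resolver that does not know DNSCurve simply treats uz5... as a hostname and carries on with plain DNS.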

Editor’s note: Our support for DNSCurve doesn’t prevent our adoption of DNSSEC — they are not mutually exclusive. While we have reservations about DNSSEC, we can and will implement it when we see more demand and traction, but in the meantime, when we see a viable technology that can be quickly implemented to improve security for DNS users, that’s a no-brainer in our book.

26 Comments | Filed in Under The Hood, Security, General

Block Page Bypass available in OpenDNS Enterprise

by David Ulevitch, Founder/CEO on Feb 16th, 2010

Today we’ve announced the immediate availability of Block Page Bypass, a feature that lets an administrator grant specific people permission to bypass OpenDNS filtering, without installing any software or deploying any appliance. The announcement is significant because it makes OpenDNS Web content filtering a fitting service for a much wider group of companies and organizations.

Since our Web content filtering began growing in popularity years ago, we’ve heard from potential customers that one of the only hurdles to adoption is the lack of a Block Page Bypass feature. The cost savings and ease of use of our service make a very compelling argument for switching from Websense or Blue Coat, but for some potential customers, the inability to give different people permission to bypass specific categories or websites made our solution unusable in their organization. For those customers, we’re proud to have a solution available today that will liberate them from the high cost and frustrating experience of managing on-premise filtering appliances.

In building this feature we looked at how the appliance vendors perform this function today and realized right away that their approach is highly inefficient. In order to allow you to bypass one site, they often have to proxy all traffic through their appliance. Anyone who has run a network or managed a filtering box knows this slows down the network significantly and introduces a single point of failure. The approach we’ve developed is no less intelligent than what you’ve come to expect from OpenDNS. We proxy only the sites being bypassed, so in effect we give you more granular filtering without decreasing overall performance. The idea that better security should not impact performance is a theme we talk about a lot internally and is something we think about with everything we do.

Right out of the gate this feature is available to all OpenDNS Enterprise customers; later this year it will become available to Deluxe customers as an add-on.

Read more about Block Page Bypass here and here.

6 Comments | Filed in Enterprise, Announcements, General

TRUSTe certification and Privacy Policy changes

by Allison Rhodes on Feb 12th, 2010

OpenDNS is excited to report that we’ve achieved TRUSTe certification, a stamp of approval from a trusted third party that aims to give you more confidence in our company and service. As a part of the TRUSTe certification process, we made some changes to our Privacy Policy, all designed to be more transparent about how your information is handled by OpenDNS. We take nothing more seriously than your privacy and encourage everyone to read the changes here.

To those in the United States lucky enough to get Monday off, happy three-day weekend. To everyone else, happy Valentine’s Day.

No Comments | Filed in General

OpenDNS Engineers are Elite

by David Ulevitch, Founder/CEO on Feb 9th, 2010

Congrats are in order today for OpenDNS engineer and security researcher Matthew Dempsky. Though he uncovered a vulnerability in Adobe Flash Player way, way back on Sept. 22, 2008, only this week has Adobe acknowledged the bug and committed to fixing it. Much of the recent attention given to the bug came because Adobe had claimed they don’t ship any known crash bugs in Flash, and Matthew proved them wrong with his proof-of-concept site: http://flashcrash.dempsky.org/ (This will almost certainly kill any browser not released in the last few months.)

This isn’t the first major vulnerability Matthew has found. Back in February of last year, he uncovered a vulnerability in djbdns and even wrote a patch. Needless to say, OpenDNS is lucky to have him.

Want to work with skilled people like Matthew? We’re hiring in all departments.

9 Comments | Filed in Announcements, General

Another week, another milestone

by David Ulevitch, Founder/CEO on Feb 5th, 2010

A short update — last week we served a record 22 billion queries in a single day. We also served over 145 billion queries across the entire week, another record for us. We’re growing like a weed: at an average of nearly 250,000 queries per second, we’re investing in our infrastructure in 2010 and adding more capacity all the time. And for those who don’t know, 250,000 queries per second makes us one of the largest DNS providers in the world, much larger than most ISPs’ DNS installations. That we’ve done all of this without downtime is an even greater testament to our engineering and operations teams.

We have some great new features we’re excited to share with you over the next couple of months that will apply to all users of our service, free and paid.

Last, but certainly not least, we’re hiring. And we have even more positions to post on our careers page in the coming weeks, particularly as we look to grow our engineering team.

5 Comments | Filed in Announcements, General

Over the years, OpenDNS engineers have spoken far and wide about the virtues of our DNS infrastructure and our customers have enjoyed the many features we provide on top of the DNS. We’d like to connect the dots.

We’ll give an overview of the OpenDNS architecture that allows us to answer more than 21 billion DNS queries each day with zero downtime. We’ll show where each of our features fits into this architecture and why the DNS is the best medium for providing content filtering, typo correction, stats, SmartCache, and more.

David Ulevitch, our founder and a seasoned network engineer, will be covering much of the network and DNS infrastructure. I am an engineer at OpenDNS and designed the stats system. I’ll be talking about many of our features and how they use the DNS to their advantage.

This webinar will be more technical than usual. It starts February 4th at 10:00 AM Pacific time and lasts just 30 minutes. Register now and don’t forget to tell your friends!

2 Comments | Filed in webinars

Take advantage of all OpenDNS offers in 2010

by Allison Rhodes on Jan 5th, 2010

It’s a new year, a fresh start, and the perfect time to take a look at all of the functionality your OpenDNS account offers.

Many of you use OpenDNS primarily for faster, more reliable DNS resolution. DNS is the foundation, the core of our service and we take great pride in the fact that OpenDNS is the safest, fastest, smartest and most reliable recursive DNS service in the world — and also the choice of more than 15 million users. But today I encourage you to take a look at the other features in your OpenDNS account that you might not be using yet.

  • First off, check out our Web Content Filtering. We provide award-winning filtering with more than 50 content categories, manageable entirely through your Dashboard. It can be as simple as choosing the level of filtering you want (high, moderate, low or minimal) or as powerful as selecting individual sites you want blocked.
  • Next, enable Stats and Logs. OpenDNS is the only way to see at a domain level what’s actually happening on your network. We show you things like the most popular sites visited from your network, and also alert you when we see Internet-scale malware. OpenDNS Stats let you spot trends before they become problems, and you can manually purge your data at any time.
  • Also, Customize with an image and messages on the Guide and block pages. We let you swap out the OpenDNS logo on the Guide with your own logo or photo, and let you customize the text there and on the page your users see when they try to get to a site that’s been blocked.
  • Last, peruse our Advanced Settings. Here you’ll find features like SmartCache, which makes Web sites that are down for the rest of the Internet load for you, and Basic Malware/Botnet protection, which will keep your network safe from certain types of malware and viruses, like Conficker.

These are all features provided in our Basic, free version, and OpenDNS Deluxe and Enterprise offer lots more: more robust Web content filtering and enterprise-class malware protection, reporting and more comprehensive Stats, an Audit Log and Delegated Administration, and the ability to turn off advertisements on the Guide. OpenDNS subscription services are worth a look, particularly if you manage the network for a school, small business or enterprise and are currently using a filtering appliance; I encourage you to talk to our sales team about how much money we can save you, and how much more ease and functionality we can provide.

Happy New Year everyone!

4 Comments | Filed in Customers, General
