One week ago, OpenDNS opened up its free DNS service for everyone to use. It’s been a fun week, with lots of feedback. It’s great to be listening to customers, rather than predicting (guessing) what the reaction will be.
We’re reading everything and responding where possible. Probably still a few dozen of you who deserve an email response… it will come! Most of our public responses have been on individual blogs, to make sure the individual sees the response. David, our CEO, has been an active member of the NANOG and dns-operators mailing lists for years, and he’s contributed in those forums, too. We’ve heard from you over the phone, via email, via blog comment, in person and over IM (our team addresses are listed).
I’ve been flagging blog and media mentions on del.icio.us, and you can see the most recent 20 items listed in the OpenDNS press center. Or you can watch the del.icio.us page directly, if you prefer. Not every reference is positive. Fine… we learn a lot from listening to our critics. If we’ve missed a worthy reference, please bring it to my attention, either via email or even via a for:pencoyd tag in del.icio.us.
So far, we’ve been adding to our FAQ to address concerns and questions which we’ve seen come up in multiple places, whether blogs, articles, email or IM. If you haven’t read the FAQ in a while, take a look. It doesn’t shrink!
It might be more helpful for us to start responding on this blog, too. In the next few days, we’ll provide more details here about our identification of phishing sites, how we’re handling DNSBL and mail servers (hint: click on the new preferences link, top right of every page), our network buildout, additional stats and more.
Note: one of our favorites, a thorough review, with actual testing of the speed for that individual.

Don
I was having some DNS problems and happened to hear the buzz out loud discussion. I redirected my DNS this morning and am delighted with the results. Thanks!
posted on July 18th, 2006 at 6:55 am
Borat Sagdiyev
Niiice, openDNS, I liike!!
posted on July 18th, 2006 at 5:38 pm
Nikolas
Do you have any servers in Europe ?
posted on July 19th, 2006 at 1:02 am
Anonymous
Terrific idea, seems to work much faster than my ISP’s DNS. Thanks!
One serious potential concern though, is how do I know that OpenDNS will never allow a man-in-the-middle attack using a substitute website either because you are a bad guy, or because your DNS server has been compromised? Do I have to trust you as much as my ISP in order to use OpenDNS when doing banking transactions, etc.? (Except for safe sites that overcome this issue by adding a sign-in step where they show a user-selected picture and phrase in response to a username to prove to you that it is the real website before you enter your password.) Even if you are good guys with secure DNS servers, can’t a bad guy who handles the DNS network traffic alter the IP address response of your DNS server (which is not a problem if the DNS response never travels outside my ISP’s trusted network) to create a man-in-the-middle attack?
posted on July 19th, 2006 at 8:55 pm
matthew
How soon will the UK/EU servers be online? No way is a transatlantic DNS lookup going to beat my local ISP servers; the path is just too long. Besides, it goes against the grain to generate unnecessary long-distance traffic.
PS. My current broadband ISP is actually NTL, and both their DNS servers and transatlantic links are cheap and nasty.
posted on July 20th, 2006 at 12:17 pm
johnon.com » Blog Archive » Do you trust these guys? OpenDNS.org
[…] One comment from Nikolas on the OpenDNS blog cuts right to the chase and asks, “Why should I trust you guys?”: One serious potential concern though, is how do I know that OpenDNS will never allow a man-in-the-middle attack using a substitute web site either because you are a bad guy, or because your DNS server has been compromised? Do I have to trust you as much as my ISP in order to use OpenDNS when doing banking transactions, etc.? (Except for safe sites that overcome this issue by adding a sign in step where they show a user selected picture and phrase in response to a username to prove to you that it is the real web site before you enter your password.) Even if you are good guys with secure DNS servers, can’t a bad guy who handles the DNS network traffic alter the IP address response of your DNS server (which is not a problem if the DNS response never travels outside my ISP’s trusted network) to create a man-in-the-middle attack? […]
posted on July 20th, 2006 at 4:52 pm
John Roberts
Matthew, a London server should be online within a week. We’ll announce it on the blog. Note: for some, a transatlantic lookup is already faster. Yes, it’s farther away, but if the local DNS server isn’t doing a good job when you get there, it still takes longer than the network latency coming to the US and back. See Tom Raftery’s post on his blog, and he’s coming from Ireland.
To the anonymous poster — you’re not at risk for such an attack. My more technical colleagues may explain why. You need to trust your DNS server to a degree… whom do you trust now? If we screw up, there is no lock-in. You just change your DNS once more. So we know we have to perform brilliantly, and that’s just what we’re going to do.
John Roberts
OpenDNS
posted on July 20th, 2006 at 10:08 pm
Glenn Fleishman
John R. and the anonymous poster, re: trusting a DNS server: There should be no necessity to trust a DNS server because no transactions should occur in which DNS is a defining event for trust. The problem with some sites which should be entirely secure today is that they allow the possibility for a man-in-the-middle attack by working around the third-party, out-of-band validation that the entire digital certificate process as described in SSL/TLS was designed to avoid.
Any site that offers any secured transactions or information display should require first a connection via SSL/TLS to their system *before* any authentication information is entered by you. This effectively allows the pre-installed certificate authority information on your browser (also found in certain other software) to create an anonymous, but very strong tunnel between your browser or client software and the destination server. As long as the destination server has an SSL/TLS certificate signed by a major certificate authority, that tunnel is an effective defense against man-in-the-middle attacks because the pre-installed CA information on your system validates the certificate provided in the SSL/TLS session initiation.
In other words, you start an SSL/TLS tunnel *first* and halt the process if you receive any certificate errors. With no cert errors, you proceed to a page that is already fully, strongly encrypted, and enter your user name and password or other details.
Where some banks and other sites fail (including a credit union that I belong to in Washington State) is that they allow a page to be displayed without an SSL/TLS session on which you enter your user name and password. That opens the door to an MitM attack in which a poisoned DNS server or an evil twin (a fake hotspot that hijacks legitimate sessions in a public location) could intercept that login information and then display an error so that you would be able to log in directly, but your login details would have been stolen during that window.
For any other Web site in which SSL/TLS is not being used, you should have no expectation that the information presented or used is protected in any fashion, and thus a DNS hijack or evil DNS server offers no inferior protection against that.
Any other service relying on DNS is either insecure by nature (POP email without an SSL/TLS overlay), and if you’re using it, you’re already insecure; or is secured using an anonymous key exchange process with out-of-band confirmation (SSL/TLS, SSH, etc.), which obviates DNS poisoning.
posted on July 21st, 2006 at 4:13 pm
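An added example of the check Glenn's comment argues for, not part of the original post or the blog: it scans a page for credential forms and reports any that are served or submitted without TLS (the credit-union pattern). The sample HTML and the host name bank.example are constructed.

```python
"""Flag login forms that a poisoned resolver or evil twin could intercept:
a password field on a page served over plain http, or a form whose action
posts credentials without TLS. Added example; sample pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> action and whether the form carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of [action, has_password_field]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when given without a value
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1][1] = True


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means every credential form is TLS-only."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue  # not a credential form, nothing to protect here
        # The page itself must already be under TLS, otherwise a MitM can rewrite the form.
        if page_scheme != "https":
            findings.append(f"login form served over {page_scheme}: {page_url}")
        # The submit target must be TLS too, or the credentials cross the wire in the clear.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"credentials posted without TLS to {target}")
    return findings


# Constructed sample pages: the failing pattern and the correct one.
BAD_PAGE = ('<form action="/login"><input name="u">'
            '<input type="password" name="p"></form>')
GOOD_PAGE = ('<form action="https://bank.example/login"><input name="u">'
             '<input type="password" name="p"></form>')

if __name__ == "__main__":
    print(audit_login_page("http://bank.example/", BAD_PAGE))    # two findings
    print(audit_login_page("https://bank.example/", GOOD_PAGE))  # []
```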
OffBeatMammal
I’m a big fan of OpenDNS - using it for the home network and for my travelling laptop and I’ve found it reliable and speedy (even from down here in Aus)
One suggestion / comment though… when you take me to a page you think is a phisher… once you’ve warned me, let me through… I may want to review/report with another phishing tool, or just see how clever/stupid they were… but let me choose to make that call (don’t make me change my DNS settings just to look at the ugly side of the web!)
posted on July 22nd, 2006 at 12:54 am
ubuntumatthew
I’m using the service from Morocco and it is faster than my local ISP’s dns server! Wow. Great job, guys.
posted on July 22nd, 2006 at 7:03 am
Ian Halliday
Hey guys, this is a fantastic service! I live in the UK, and although my ISP’s DNS servers are only a short hop away in London, my service has improved immensely since I switched to your DNS servers stateside. I can’t wait to see the improvement when your London server comes online.
Great work!
posted on July 22nd, 2006 at 7:34 am
Mark b
Definitely need that London server. My ISP’s DNS servers respond within 24ms whereas OpenDNS is 101ms from my location. You have something to beat there!
posted on July 23rd, 2006 at 10:13 am
Scott
I’ve been recommending OpenDNS to all my friends and family. As a long time administrator and programmer I am delighted with the speed and quality of service OpenDNS provides. The occasional mistype at the keyboard when I’m in a hurry is often corrected and always perfectly. Thank you, keep up the good work!
posted on July 23rd, 2006 at 8:35 pm
Andrew
You guys rock! I can’t wait till the Hong Kong server is established!
posted on July 23rd, 2006 at 10:10 pm
Daniel Escasa
/etc/resolv.conf ?!?! Real Unix users install their own caching-only DNS.
options {
    // BIND named.conf: forward every query to OpenDNS and cache the answers locally
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
};
But you knew that
posted on July 23rd, 2006 at 11:52 pm
Nikolas
Well, unfortunately after a week of trying this service I must say that I just changed my DNS servers back to my ISP’s.
Main reason was that if I typed for example e-one.gr (without the “www”) in the Firefox address bar I would get the OpenDNS search page.
That’s not acceptable since many sites don’t use “www” anymore (http://no-www.org/) and if the server isn’t set up to redirect correctly the DNS server should always try both cases before displaying the search($) page.
Too bad, because your DNS resolving was faster than mine.
But we can’t have it all, can we?
posted on July 28th, 2006 at 3:45 am
William Tan
I sent an email to David after he responded to my blog post. Not sure if he didn’t get it or was too busy to respond. Anyway, David, if you’re seeing this, drop me a note.
Thanks.
posted on August 1st, 2006 at 9:53 am
David Ulevitch
William, I got it. Thanks for pinging me.
I’ve got a ton of email in the inbox but yours is flagged for followup. Hang tight — I’ll try to hit it tonight or tomorrow morning.
-david
posted on August 1st, 2006 at 5:28 pm
OpenDNS Blog » How would you like your DNS today?
[…] use its free, reliable DNS service for the first time on July 10, 2006. Less than a week later, we introduced preferences for OpenDNS, which gave the individual user the opportunity to manage their DNS in a […]
posted on April 12th, 2007 at 5:31 pm