A number of our users have written in today asking if OpenDNS is vulnerable to the recent multi-vendor DNS security issue disclosed today by my good friend and security researcher Dan Kaminsky.

I’m very proud to announce that we are one of the only DNS vendor / service providers that was not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered. In other words, if you used OpenDNS then you were already protected long before this attack was even discovered.

In fact, for those of you who were listening in on the Microsoft press call this morning, you’ll note that OpenDNS was suggested as the easy and simple solution for anyone who can’t upgrade their DNS infrastructure today. Pointing your DNS servers to forward requests to OpenDNS and firewalling all other DNS traffic off at your server will help mitigate this risk.

We’re going to write more about this issue in the next 24 hours to address the vulnerability in detail and explain why we aren’t affected but I wanted to get the word out now so that you know you are safe using OpenDNS.

Thanks and happy resolving…

Update: Bert Hubert, author of PowerDNS, alerted me to the fact that PowerDNS was also not vulnerable when this issue was discovered. That’s not surprising considering Bert is one of the authors of the wonderful DNS forgery resilience Internet Draft that has recently been published. I updated the statement in bold appropriately.

How do you understand big numbers?

OpenDNS does ~3 billion DNS requests daily, with around 450 billion all-time so far. Big numbers, but tough to comprehend.

Recently, we changed the stats number at the top of every page of our website from the all-time number to requests/per second. This number moves around, but recently has swung between 37,000 - 41,000 requests per second.

OK… sounds impressive, but again, what should you compare the number to?

How about the volume of transactions on the New York Stock Exchange (NYSE)?

Tuesday’s Wall Street Journal ran “After Crash, NYSE Got the Message(s)” on the front page of the Money & Investing section (C1 in print).

In reading the article (in case it’s not available when you click… WSJ.com requires payment at some point), we learn:

On Feb. 27, 2007, messages flowed in at a rate of 15,000 per second. The exchange quickly thereafter doubled its capacity to 38,000 messages a second. As markets fell in August when credit markets seized up, the NYSE was getting as many as 28,000 messages per second. This time, systems held up without a major hitch, but the volume of messages prompted [NYSE CEO]Mr. Thain to call for an increase in capacity to 64,000 by year’s end. [Emphasis added]

So, even at its top volume in August, the NYSE volume of messages wasn’t matching the volume of DNS requests our customers make each day. And its capacity currently falls short of ours.

Maybe I’m comparing apples and oranges, but we like to think that your DNS requests are as important (almost?!) as those buy-sell messages.

OpenDNS has plenty of headroom, and we’re adding more to support our growing customer base… and to stay ahead of the NYSE!

BroadbandReports.com tells us Comcast’s DNS servers had a rough weekend. According to reports from Comcast customers, instead of being able to surf freely they were confronted with this page when they attempted to visit any Web site:

It’s not clear if the problem continues today, but one thing is certain: OpenDNS fixed the problem.

Welcome to OpenDNS, Comcast customers!

We’ve gotten a couple emails about trouble resolving .org domains today. There’s nothing wrong on our end but it looks like .org has been having a rough day.

Here’s a picture for you network nerds out there…

(key: more red == more bad)

As a reminder, you can always use CacheCheck to try it again. And seriously, what other DNS provider gives you this kind of control?

We added two usability improvements to OpenDNS CacheCheck today.

1. When you refresh the cache for a domain, CacheCheck now automatically refreshes the records for that domain’s zone. For example, if you refresh www.opendns.com, CacheCheck also refreshes opendns.com.

2. This new bookmarklet makes it easier to check a domain. It grabs the hostname of the website you’re viewing and adds it to the CacheCheck form, replacing the need to add the domain manually. Just drag this link to your bookmarks toolbar: OpenDNS CacheCheck.

Screenshot of the CacheCheck bookmarklet: