The Domain Name System was developed more than 30 years ago as a way to ensure that the brilliant network we now know as the Internet could scale and see adoption. Before the DNS existed, Internet users would need to remember the IP address for every website on the Internet. Research has shown that seven digits tends to be the capacity for human memory (think phone numbers, sans area code) and IP addresses can be twelve — more now with IPv6. The DNS is part of the Internet’s infrastructure, earning it the somewhat unflattering analogy of the plumbing of the Internet. But in truth, its primary role has traditionally been that.

Recently ICANN, the global body that oversees the Internet and authors its policies, announced a plan to make available a throng of new top-level domains. Preexisting TLDs include .com, .net, .org, .co.uk, among many others. Twenty-two in total. The new ones are seemingly designed primarily to help businesses and spur economic activity. The new domains can be grouped into two classifications:

- .xxx: Designated for websites that include pornographic content as a way to easily differentiate them from non-pornographic sites.

- Generic TLDs, or “gTLDs”: Basically turns any brand or term into its own TLD. .Pepsi, .Apple, .Football or .Money, for example.

The release of both new groups of TLDs raises interesting issues for OpenDNS. Today we are the largest recursive DNS provider in the world, with more than 30 million people using our service. (Nearly doubling our traffic in the past 1.5 years.) We’re the innovator in the DNS space, as we introduced the concept of building security directly into the Domain Name System. Phishing protection came first, followed by typo-correction that helps people route around typo-squatting. Then Conficker protection and most recently, the most game-changing malware-blocking service, available to users to OpenDNS Enterprise.

But as we’ve seen countless times, with more ground to cover comes more fraud and crime. Many critics of ICANN’s move to add more domains see the potential for more:

- Cyber squatting, which is the practice of registering a domain using a trademarked brand that doesn’t belong to you. Highly annoying to Internet users and costly to brands.

- Typo squatting, which is like cyber squatting, but using a typo’d variation of the trademarked brand. Also highly annoying to Internet users and costly to brands.

- And generally more cyber crime and confusion among Internet users created by a change to the way domains are structured.

We’ve often said that the bad guys on the Internet tend to be one step ahead of the good guys, making the task of delivering an effective security service both very challenging and in a constant state of evolution. So when supporters of ICANN’s move argue that ICANN has no intention of allowing the new domains to act as a platform for crime, we can appreciate the perspective, but have little confidence that will ultimately be the case. Cyber squatting and cyber crime account for more than $1B in revenue annually, and when that kind of money is at stake, the bad guys find a way to be effective. Scott Pinzon, director of marketing and outreach at ICANN offers the perspective that, “new gTLDs represent a platform for innovation.” And goes on to say, “no one can predict what smart people will do with them. Lots of new business models will be invented. Some will work. Some won’t.” We agree with Scott, but also have a front row seat to the counterpart, sophisticated criminal activity that follows innovation.

Some of you will remember when the country of Cameroon was opportunistically assigned the .cm TLD and wildcarded all .cm domains. The country made a nice profit, but it confused masses of Internet users who’d accidentally made a typo when trying to get to a .com. We acted swiftly and delivered a feature that automatically redirected you to .com when you typed .cm.

In relation to the recent ICANN changes, there’s a great deal we can do as your DNS service to help ensure the Internet remains a safe place for you and yours to browse. It’s unclear at this point how successful these new domains will be and how much traction they’ll see, especially because at an upfront fee of $185k, the new gTLDS are not accessible to everyone.

Have thoughts on the topics above? Agree, or passionately disagree? Predictions for what kind of repercussions the Internet will see? We’d love to hear them in the comments.

How to Block .xxx Using OpenDNS:

In the immediate term, users of OpenDNS services with content filtering that want to block all .xxx domains on their networks can follow a few simple steps. Simply locate your “always block” or blacklist and add “xxx” (without the dot). Hit save and the change will take effect.

DNS outages happen everywhere, from Italy to Illinois. And when they do, we can count on people taking to Twitter via their smart phones, to vent, find out what’s going on, and learn how they can get back online (thanks to us!).

We love helping frustrated people set up OpenDNS during these DNS outages. But one thing we discovered is that for the less-than-technical people amongst us, simply saying “use 208.67.222.222 & 208.67.220.220″ isn’t enough. People don’t know what those numbers are, or where to look on their computer or router to change them. That’s why we’ve created a new mini-site; you can find it at use.opendns.com or http://208.69.38.205/.

Why are we making it accessible via both an IP and a URL? Because if your DNS is down, we want you to be able to access the instructions via your computer’s browser. Having an IP address means no matter what’s happening with your DNS, you can get to the site.

The next time there’s a DNS outage, we’ll head to Twitter as we normally do, to act as a resource and problem solver for those without DNS. And, thanks to this new page, it will be easier than ever to get OpenDNS set up, even for those who’ve never heard the term DNS before.

But our hope is that we won’t be the only ones. Our hope is that you’ll bookmark http://208.69.38.205/ and that the next time you hear that there’s a DNS outage, you can be a resource for your friends. Text them, call them, tweet at them — let them know it’s easy to get back online and it’s simple to get safer, faster, smarter and more reliable Internet — all that’s needed is to set up OpenDNS.

It’s hard for me to be sympathetic to the entertainment industry and its frustration with online piracy. For the last decade industry executives have consistently focused on using the legal system to protect their aging business models rather than focusing on the innovations necessary to deliver the products and services consumers want.

The entertainment industry’s newest legal tactic, the “Combating Online Infringements and Counterfeits Act,” (COICA), sponsored by Senator Patrick Leahy, has been approved by the Senate Judiciary Committee. While Senator Ron Wyden exercised his right to place a hold on pending legislation — which will stop the bill from traveling to the Senate floor immediately — proponents of COICA can (and most assuredly will) reintroduce the measure the next time Congress convenes in 2011.

This bill is short but significant. For the first time, it will give the government the power to censor the Domain Name System (DNS), one of the most critical pieces of infrastructure for the Internet.

The DNS is like a global phonebook for the Internet: always running in the background and used anytime you do anything on the Internet, including sending email and browsing websites. It’s been running without government interference for the last 25 years and it has helped enable the tremendous economic growth and innovation the Internet has provided to the U.S. and the World over the last two decades.

My company provides DNS services, and in fact one of the many features of our service gives our customers the ability to block sites on their Internet connections. Parents and school administrators block sites they deem unsafe or inappropriate for their children, and business managers block sites they deem inappropriate for a work environment. Ironically, our existence and our technical innovations in the market helped to spawn the idea for the legislation in the first place by showing that blocking sites through the DNS is technically possible. While the technology being proposed is similar, the implementation couldn’t be more different from ours.
(more…)

Last night, millions of people across the eastern seaboard found themselves unable to go online and access the Internet. The culprit? A Comcast DNS outage that lasted more than three hours and affected customers from Boston to Baltimore. These kinds of attacks can hit anyone, including us. And it’s likely that if an attack was large enough to disrupt Comcast, it could be large enough to disrupt us. That’s scary.

When we launched introduced OpenDNS more than four years ago, our promise was this: the fastest, most reliable DNS service available. Since then we’ve added features and built out enhancements including malware protection, Web content filtering and SmartCache. That said, offering ultra-reliable DNS service is still at the core of what we do. This is part of the reason why we added a new datacenter in Singapore recently.

Over the past four+ years, we have been fortunate to have a perfect, 100 percent uptime record and we will work hard to maintain that. As we saw with Comcast last night, even great ISPs have outages when attacked with massive amounts of malicious traffic. This is why we will continue to add capacity, far in excess of what we actually need. The real solution to this is better security for end-users so they don’t get infected and become vehicles for DDoS attacks.

So, if you just got set up with OpenDNS last night, welcome! Hopefully last night was the last time you’ll ever be without Internet due to a DNS issue. We’ll work hard to make sure it was. If you’ve been set up with OpenDNS for a while now, you probably didn’t notice there was any issue at all.

Yesterday, the DNS servers of Alice.it, one of Italy’s largest ISPs, went down for several hours. People who rely on Alice.it for their Internet waited. And waited. And then waited some more for their Internet to come back. Outages like these highlight the importance of a reliable DNS service; when it’s working, you don’t think much about it, but when it’s down, essentially so is your ability to access the Web.

As with similar outages in the past, like ones experienced in Germany and by Time Warner customers in 2008, users of OpenDNS didn’t notice any downtime at all. In fact, in all four plus years we’ve been around, OpenDNS has a perfect, 100 percent uptime record.

Because of the outage, we experienced a surge in traffic from Italy — not surprising, since word spread via Twitter and other methods that using OpenDNS was one of the only ways to regain access to the Web. We’d like to take the opportunity to welcome our new Italian users — benvenuto! We’re happy you’re here, and look forward to helping you enjoy a safer, faster, smarter and more reliable Internet.

Just a quick blog post to recognize another OpenDNS milestone. On Tuesday and Wednesday we served over 7 billion queries in a single 24-hour period. That’s the first time we’ve hit 7 billion requests, and we’re happy to say we handled it with ease.

Lots of good came out of Dan Kaminsky’s discovery of a major vulnerability in most of the Internet’s recursive DNS servers. First and foremost, his responsible disclosures and efforts to work with every major vendor have saved us all from some serious headaches.

Since OpenDNS’s servers are not vulnerable – never were vulnerable, actually – lots of you switched to OpenDNS. That’s the second good thing. OpenDNS is absolutely the most secure DNS service available and the more SysAdmins who choose to use the service, the safer and more secure the entire Internet will be. We want to welcome all of you new OpenDNS users and say thanks for making the switch. You’ve made a good call and we’ll continue to work hard to ensure you enjoy our great service for years to come.

Since you’ve now seen the benefits of OpenDNS, we’d like to invite you to pay it forward by telling other SysAdmins and Internet users about OpenDNS. Please take a minute and use this form to tell your friends and colleagues about the benefits of making the switch. They’ll think you’re super smart for knowing about such a great service, and surely thank you.

Now, all of you new users: Check out this Getting Started task list. OpenDNS is a powerful service will all sorts of awesome features. Have you done all of the items below yet?

– Add a logo and custom message. We let you put your logo and message on the OpenDNS Guide and block pages. You can switch it up and put different messages in different places, where appropriate.

– Set up Shortcuts. No matter if you’re at home or at a large corporation, you can put Shortcuts to great use. They’re like AOL Keywords, but you control them, they’ll work across your entire network and they’re browser-independent.

– Set up Web content filtering. You’ll see in your account that OpenDNS has more than 50 categories to choose from. No appliance necessary and your filtering preferences will take effect in just a few minutes.

There are several more advanced features, too. Poke around in your Dashboard to see all that OpenDNS has to offer.

Again, welcome from the entire OpenDNS team.

A number of our users have written in today asking if OpenDNS is vulnerable to the recent multi-vendor DNS security issue disclosed today by my good friend and security researcher Dan Kaminsky.

I’m very proud to announce that we are one of the only DNS vendor / service providers that was not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered. In other words, if you used OpenDNS then you were already protected long before this attack was even discovered.

In fact, for those of you who were listening in on the Microsoft press call this morning, you’ll note that OpenDNS was suggested as the easy and simple solution for anyone who can’t upgrade their DNS infrastructure today. Pointing your DNS servers to forward requests to OpenDNS and firewalling all other DNS traffic off at your server will help mitigate this risk.

We’re going to write more about this issue in the next 24 hours to address the vulnerability in detail and explain why we aren’t affected but I wanted to get the word out now so that you know you are safe using OpenDNS.

Thanks and happy resolving…

Update: Bert Hubert, author of PowerDNS, alerted me to the fact that PowerDNS was also not vulnerable when this issue was discovered. That’s not surprising considering Bert is one of the authors of the wonderful DNS forgery resilience Internet Draft that has recently been published. I updated the statement in bold appropriately.