We don’t often take to the blog to talk about some of the more advanced OpenDNS Enterprise security features, like our malware and botnet protection, but we know a lot of organizations rely on them to keep their networks secure. Today, I’d like to talk a little more about how our malware and botnet protection works, and why we’ve started seeing so many organizations move to OpenDNS Enterprise primarily for that added layer of internet security.

As with all of the advanced functionality OpenDNS has built atop our superfast recursive DNS service for businesses and schools – like the Web content filtering, phishing protection, and stats available in OpenDNS Enterprise –  our malware and botnet protection innovates on traditional offerings, and it works on any device connected to the network (including, say, an iPad that an employee brought from home).

OpenDNS blocks malware and botnet attacks before they can infect a network. We aren’t terminating an existing malicious connection, or cleaning up a breach that’s already occurred; as soon as OpenDNS sees an attempted connection to a malicious domain or IP address, we block it. A side benefit is that if an infected device is brought on to a protected network, OpenDNS can make sure that the infection doesn’t spread to other connected devices on the network if they do so via external command and control.

OpenDNS Dashboard Malware Notice

If you’re wondering why this matters: when Vanderbilt University switched to OpenDNS Enterprise in 2010, they blocked 1.5 million malware attacks in the first four months following the deployment. That’s 1.5 million potential data leaks thwarted, and 1.5 million device cleanups avoided.

It’s certainly something to think about, as the threat of malware and botnet attacks continues to escalate.  If you don’t have any malware or botnet protection for your organization, or you’re thinking about adding another layer of protection to your network, consider trying out OpenDNS Enterprise as your first line of defense.

We take our operational excellence extremely seriously. We know that one of the reasons people choose OpenDNS is because they know they can count on us for reliable DNS resolution, something many ISPs can’t promise. And so when something happens that causes us not to be the reliable service we’ve promised to be, it’s a wake-up call for all of us at OpenDNS.

This morning, a major Internet provider had a serious routing issue in Southern California that caused some of their traffic to be lost before it reached our network. This type of failure didn’t trigger our monitoring system — because from our end, everything appeared online. Lasting approximately two hours in the early morning on the West Coast, the partial interruption in service was a localized one and did not affect the global OpenDNS service.

When issues like this happen we always like to step back and try to understand what we could do to prevent these kinds of problems from happening again. In the coming days we will determine how we can detect this type of problem more quickly and how we can respond more effectively.

To reiterate: we value our customers, and we take incidents like this exceptionally seriously. And while a disruption in service is never a good thing, we’ll take this as an opportunity to learn, and to ensure we run the most robust and globally available DNS service on the planet. I appreciate the years of support many of you have given us and hope you will continue to count on us to be the most reliable provider of DNS and security services on the planet.

The team here has been hard at work over the past few months getting a new datacenter set up, and I’m happy to report that as of today, our Singpore datacenter is online and serving production OpenDNS traffic. The Singapore server marks our 12th datacenter globally and the first of a number planned for Asia.

One of the benefits of OpenDNS is that we use a technique called Anycast routing in how we run our network. Anycast means that no matter where you are in the world, your DNS requests route through our closest datacenter. And when we do maintenance that requires us to take a site offline, our routing topology ensures you will route to our next closest datacenter. It also means that when we bring up a new datacenter that is closer to you, your DNS requests will automatically start routing to it. So for the bulk of our users in Singapore, Thailand, Vietnam, India and throughout Asia, this new Singapore datacenter promises an even faster Internet.

And here’s a photo of what our installation looks like as it was being racked:

This Singapore datacenter is only the start. We’re planning on adding a new datacenter in Frankfurt, Germany in early 2011. After that, the plan is to continue expanding our footprint from there. As always, you can take a look at our global system status on our Systems page.

PS — Internet routing is not a perfect science and requires a lot of work to get right. If you are in Asia and a traceroute doesn’t show you talking to Singapore for DNS we want to know! Please send a traceroute from your computer to 208.67.222.222 to our support department so we can see which networks in Asia aren’t seeing our new routes.

Starting today, all OpenDNS network administrators can choose whether or not they’d like to include a link to “Contact your network administrator” on the block page that pops up when users on your network try to access restricted content. Why the change? We heard from a number of you that the emails you received from the block page weren’t something you wanted to read. Based on that feedback, we decided to give you the choice of whether you wanted to receive these messages or not.

By default, we’ve left the link there, but you can turn it off by visiting the Settings tab in the Dashboard, selecting a network, and clicking on the Customization link. There, you’ll see a checkbox in the “User Feedback” section titled, “Show Contact Admin Form.”

At OpenDNS, we’re always focused on empowering our users through advanced customization options, whether it be the 50+ web content filtering categories, or incremental improvements like this one. If you have any ideas about how we can help you better personalize OpenDNS, let us know in the IdeaBank!

We’ve gotten a couple emails about trouble resolving .org domains today. There’s nothing wrong on our end but it looks like .org has been having a rough day.

Here’s a picture for you network nerds out there…

(key: more red == more bad)

As a reminder, you can always use CacheCheck to try it again. And seriously, what other DNS provider gives you this kind of control?

It’s been a long time coming, but we are now online and operational in London! We actually turned up our routing announcements about two days ago but I wanted to hold off on the blog post to make sure everything was stable. Some folks in the forums noticed we were online and beat me to the announcement.

I’ve been using a server in Amsterdam, hosted by my friend Peter, to test how latency changed when London came online. It should be obvious, but the results are very good and show just how important it is for us to be online in Europe.

From Amsterdam to OpenDNS before London goes online:
bash$ ping 208.67.222.222
64 bytes from 208.67.222.222: icmp_seq=0 ttl=57 time=145.077 ms
64 bytes from 208.67.222.222: icmp_seq=1 ttl=57 time=152.962 ms
From Amsterdam to OpenDNS after London goes online:
bash$ ping 208.67.222.222
64 bytes from 208.67.222.222: icmp_seq=0 ttl=58 time=9.814 ms
64 bytes from 208.67.222.222: icmp_seq=1 ttl=58 time=9.528 ms

The ping test above is a measurement of how long it takes one “packet” of Internet data to reach another host on the Internet. Bringing London online dramatically increases our reliability, speed and performance for our European users. Additionally, it decreases load in New York and Washington DC providing a win for our users in the US as well. Finally, the more sites we have, the more reliable our network becomes and that is a win for everyone.

We are online in London thanks to the efforts of a few really superb technologists and friends. I’d like to thank James Rice for his on-site help as well as his excellent guidance and advice along with Nick Waterman who fixed a minor issue we were having with our IBM BladeCenter chassis. Nick did this on December 29th, when he could have been at home with family or out partying; we really appreciate it Nick. James and Nick run Jump Networks, a high-quality, technically-savvy service provider in London.

I’d also like to give a big thanks to Chris Orme and Philip Baker from Datahop, a metropolitan fiber network in London which provides all kinds of really convenient network services. Chris worked tirelessly to make sure we could be online with our transit provider, NTT Europe in a timely fashion. It’s hard work getting folks to do things during the holidays and Chris made sure it happened. Even more impressive, Philip spent time late at night with our routers and switches making sure they were in good shape to turn up a BGP session with NTT Europe. James, Nick, Chris and Philip all went way above and beyond the call of duty and we appreciate it. I highly recommend both Jump and Datahop to anyone looking for transit and colo in London. Thanks guys!

We’re proud to be in London and look forward to peering with networks currently connected to LoNAP, a growing peering point in London. We are also considering a peering session at LINX, one of the largest exchange points in the world.

Happy New Year from everyone here at OpenDNS and we’ll see you in 2007!

As of Dec 31, 2006, London is online.

On our network map, we show our four current network nodes in the United States, and provide insight into our future locations. The map, dated July 7, is still accurate as I type this.

The first location online from our “Coming soon” contingent will be London, England. Our hardware is racked and powered in the London facility. But we’ve been held up by bandwidth discussions, as we have some specific network requirements that complicate the matter beyond just the cost of connectivity.

The delay is frustrating to us, too. My apologies to the several folks who have inquired and been told (by me personally, or by my colleagues) that London would be online by this time. I’m not going to promise a new date right now, but we’re working on this, and will announce more details on our blog as we have them. Once the London location is online, we’ll focus more attention on our next locations.

Fortunately, many customers are finding that OpenDNS is faster for them in the UK already, despite any network latency. That’s proof positive that DNS speed is the combination of two factors: network latency and software speed/cache size. Even when we’re “farther” away on the network, OpenDNS often delivers results back to the end user faster. We want to accelerate the experience again, by removing the network latency concern — which is the whole point of London.

Is it only me, or does this post beg for The Clash’s London Calling? Or is that just too much of a cliché?

A week ago, The New York Times published an entertaining article by John Markoff and Saul Hansell about Google’s new data centers in Oregon, “Hiding in Plain Sight, Google Seeks More Power.” Since the link soon may lead to TimesSelect (read: $), I’ll pull one sentence to show the larger point of the article:

Google, Microsoft and Yahoo are spending vast sums of capital to build out their computing capabilities to run both search engines and a variety of Web services that encompass e-mail, video and music downloads and online commerce.

Google’s reticence on the subject makes for some amusing anecdotes in the article, but mostly the article serves as a useful reminder that the Internet still obeys the laws of physics. Heat, energy, and physical space still matter, just in different ways.

Why do Google and others distribute their datacenters around the world?

Google has found that for search engines, every millisecond longer it takes to give users their results leads to lower satisfaction. So the speed of light ends up being a constraint, and the company wants to put significant processing power close to all of its users.

It’s not just search engines who need to deliver at (ahem) light speed. You can’t load google.com or yahoo.com or any other website without first making a DNS request (or several). That’s one reason (there are others, like redundancy & reliability) that OpenDNS runs its service from four geographically distributed locations, with more to come.

OpenDNS isn’t building datacenters, but we’re running our service from some of the best ones in the world. Also, we’re not so secretive that folks need to invoke Voldemort when referring to our company! From the article:

“No one says the ‘G’ word,” said Diane Sherwood, executive director of the Port of Klickitat, Wash., directly across the river from The Dalles, who is not bound by such agreements. “It’s a little bit like He-Who-Must-Not-Be-Named in Harry Potter.”

A note on being global

We know our coverage of the world beyond the United States can improve. London, England will be the next location online, probably in mid-July. Fortunately, in the short term, connectivity to the United States is quite good, and many Internet users outside the United States are relying on U.S.-based servers for much of their Internet experience already. That’s not ideal, of course. We want to be as fast for someone in Singapore as we are for someone in Seattle, but the speed of light will be a factor for now.

Let us know where in the world you are, as we make our future plans.