> This kind of filtering can be done in multiple locations
> (firewall/proxy, antivirus, etc)
The primary reason I prefer OpenDNS is the human community who
maintains the categories. I've been subjected to corporate,
authoritarian filters and they are ineffective and inaccurate.
Plus, I have moral objections against the corporate and religious
bias that appears in those products:
http://www.csriu.org/onlinedocs/documents/religious2.html
Do you know of an alternate site-categorization system that is
maintained by a peer-reviewed community? (And free?) I'd be very
interested...
> Don't want employees surfing porn? You should have that
> written in the policy handbook and periodically check the logs and
> punish the offenders.
I have a funny story about that.
I was at a client's office, working on a Samba error in the
logs. I hopped onto one of their empty workstations and googled the
error message -- it was some random, esoteric, highly technical
thing, something like "protocol.c: error 53". I do this type of
thing all the time, so within a few seconds I had several Firefox
tabs open with search results in them.
One of the tabs was a mailing list web-mirror of samba-users.
The poster had the exact same symptoms as me, so I was sitting
there, intently focused on the logs he had posted. I'm sitting
there, staring intently at the screen... and then one of the
employees comes up behind me and says "What the __HECK__ are you
looking at?!"
I was a little confused, so I gave him a weird sneer and said
"I'm just looking up this error message..." -- and then I saw it.
The mailing list mirror was not a simple Mhonarc or Mailman web
archive. It was one of those annoying mailing list mirrors that are
basically parked domains. They mirror Open Source mailing lists,
but also include a bunch of large, flashy ads. I've trained myself
to skip ads altogether, especially when hunting down tech info, so I
saw nothing but the post. But right there on the screen -- in an
embarrassingly large pixel size -- was a totally NSFW ad for a porn
site (or something similar). Skimpy lingerie, suggestive pose, ...
Just _try_ talking yourself out of that situation. It doesn't
work.
(I wonder what my wife would say... is it worse that I had a
NSFW girl on the screen... or that I skipped over her completely in
favor of some Samba logs? lol )
Anywayz, for my clients at least, porn isn't really the issue.
(Open cubicles + porn = totally impractical.) It's the clueless
Outlook users who'll click on any infected PDF link that lands in
their Inbox. OpenDNS helps by filtering many of them, and also by
(optionally) maintaining a log of which IP addresses tried to
resolve known virus domains.
>> This behavior is very annoying if you're expecting a
>> "no such host" error.
> You say that as if expecting an NXDOMAIN is a bad thing, as
> if the DNS RFCs were misguided or something.
Not at all... it's the one thing I don't like about using the
free version of OpenDNS.
OpenDNS does have a paid version with no advertisements, so if I
coughed up the $5 per year I wouldn't need to tolerate it.
> > In the example above, Microsoft Windows took your
> > requested DNS name, "www-files.opendns.com", and decided that what
> > you really meant was "www-files.opendns.com.YOURDOMAIN".
> This isn't Windows' fault.
Eh?
Responding to a non-existent host is OpenDNS (free version),
agreed, and yes it's annoying, agreed, see above. But appending
YOURDOMAIN to a hostname like "www-files.opendns.com" at the
command line? Is that okay? I'm just glad Linux doesn't do that.
(Windows doesn't always do this, but I've had to fight this
problem for clients, and it's a major PITA.)
> [OpenDNS] possibly intercepts
> and proxies your traffic
> ... hijacked legitimate third party sites like Google in the past,
> for reasons that many find dubious... provides you a compromised
> view of the Internet.
Ye gods... "Intercepts"? "Hijacked"? "Reasons that many find
dubious"? "Compromised"? Puh-leeze. OpenDNS is an Open-Source
friendly company, founded and run by engineers, supported by a
vibrant community, and it has one of the better privacy policies on
the web. They're not perfect, but they're certainly not the
demon-corporation that you make them out to be.
The "hijack" issue to which you refer is not "legitimate
third party sites like Google"... it was exactly Google, and
only Google. They provide a full explanation of what they do, and
why they do it, here:
http://blog.opendns.com/2007/05/22/google-turns-the-page/
And an independent assessment of the situation:
http://searchengineland.com/google-dells-revenue-generating-url-error-pages-drawing-fire-11283
I don't like what OpenDNS does with Google, but I also don't
like what Google does with Dell. In the end, Google is my homepage,
OpenDNS is my DNS, and my Dell laptop runs just fine.
OpenDNS has never, to my knowledge, done anything that could
rightfully be called "intercepting" or "compromising". They do some
hackery with the DNS protocol, yes, but their web site explains
exactly what they do, why they do it, and how it works. You are
free to not use them... but I, for one, welcome our new DNS
overlords.
--Derek
On 04/03/2011 04:12 PM, Bri Hatch wrote:
Close to Sun, Apr 3, 2011 at 2:24 PM, Derek Simkowiak
<dereks <at> realloc.net> mentioned:
> When you ask OpenDNS to resolve a non-existent host name, it replies
> with the fake, not-really-resolved IP address that you see above.
> ...
> This behavior is very annoying if you're expecting a "no such host"
> error.
You say that as if expecting an NXDOMAIN is a bad thing, as if
the DNS RFCs were misguided or something.
> But it's really useful for businesses because OpenDNS filters out
> known phishing, adware, porn, virus, and various other liability domains for
> your average Outlook user.
This kind of filtering can be done in multiple locations (firewall/proxy,
antivirus, etc) and in some cases is a technological solution to a
non-technical problem. Don't want employees surfing porn? You
should have that written in the policy handbook and periodically
check the logs and punish the offenders.
Sorry, but I prefer NXDOMAIN when I type a URL that's wrong.
I certainly don't think it's appropriate for them to hijack
other people's traffic as they have done with Google in the past.
Do they still do it? Not sure. But I don't see that as a valid
offering of a DNS provider.
Here are the breakdowns of your DNS setup as I see them:
You want: ultimate control and a 100% accurate Internet experience
* run your own bind/djbdns/etc server.
* unless attackers can hijack UDP packets to the roots and all
other required nameservers, you're probably pretty secure.
You want: fast results and don't care about accuracy
* use your ISPs domain name server
* they're closest
* they probably have a lot of cached records
* but
* they may be intercepting non-existent domains to monetize via ads
* they may have bad security, and could be returning results that
were crafted by attackers to send you to or through their sites,
re-writing pages or sniffing your passwords.
Yes, various ISPs have had their DNS servers compromised.
You want: fast results and care about accuracy
* use Google Public DNS
* 8.8.8.8, 8.8.4.4
* doesn't hijack any records, will return NXDOMAIN when you
typo a domain
* often faster than your ISPs name servers
* no known dns security problems to date
* but
* doesn't offer phishing protection/content filtering, etc
* phishing/malware protection most likely already in your browser
You want: fast results and need content filtering/phishing protection
* use OpenDNS
* has blocking features, e.g. whitelists, blacklists, etc
* performs typo squatting to serve you ads
* possibly intercepts and proxies your traffic to other
websites
* excellent security track record
* you specifically want to be blocked from some things on the
internet
* you don't mind that the service has hijacked legitimate third
party sites like Google in the past, for reasons that many find
dubious.
If you need the content filtering protections that OpenDNS provides,
then it makes sense to use them. If not, I don't know why you'd
use a service that provides you a compromised view of the Internet.
> In the example above, Microsoft Windows took your requested DNS name,
> "www-files.opendns.com", and decided that what you really meant was
> "www-files.opendns.com.YOURDOMAIN". (Notice that the line above your arrow
> says "www-files.opendns.com.FTRDHCPUSER.NET", which does not exist, and
> thus, resolved to hit-nxdomain.opendns.com.) This "feature" of Windows is
> supposed to let you do things like "ping www-files" and have that correctly
> resolve to "www-files.YOURDOMAIN", but alas, LOL <at> Windows. It's basically a
> broken version of the "search" line in /etc/resolv.conf. Switch to Linux,
> problem solved.
This isn't Windows' fault. It's caused by using a DNS provider
that hijacks NXDOMAIN. Don't use OpenDNS and you can use any
operating system you want that supports the DNS standards.
--
Gslug-general mailing list
http://www.gslug.org/wiki/index.php/Mailing_Lists
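A resolver check for the NXDOMAIN rewriting argued over in this thread, added here as an example and not part of the original mail. It builds a raw A query for a random name that cannot exist, then classifies the reply: a standards-conforming resolver answers RCODE 3 (NXDOMAIN), while one that monetizes typos answers RCODE 0 with an A record. `fake_reply` constructs sample replies for offline testing (the 192.0.2.1 address in the test is a constructed TEST-NET value), and `probe()` sends a live query to whatever resolver IP you pass it; standard library only.

```python
import secrets
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive (RD=1) query for the A record of `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):  # offset just past a (possibly compressed) wire-format name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length

def classify_reply(msg):
    """'nxdomain' for RCODE 3; 'hijacked:<ips>' for RCODE 0 with A answers; else 'other'."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):  # skip the echoed question section (name + type + class)
        off = skip_name(msg, off) + 4
    ips = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    if rcode == 3:
        return "nxdomain"
    return "hijacked:" + ",".join(ips) if rcode == 0 and ips else "other"

def fake_reply(query, rcode, ip=None):  # constructed test reply: QR|RD|RA set, optional A answer
    qid, _, qd = struct.unpack(">HHH", query[:6])
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, qd, 1 if ip else 0, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip) if ip else b""
    return header + query[12:] + answer

def probe(resolver_ip, timeout=3.0):
    """Query `resolver_ip` for a random, non-existent name under example.com and classify the reply."""
    name = f"probe-{secrets.token_hex(6)}.example.com"  # random label: never cached, never real
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify_reply(s.recv(512))
```

Point `probe()` at the resolver you actually use; a reply classed as hijacked for a random label means that resolver substitutes its own address for NXDOMAIN, which is exactly what breaks "no such host" handling in applications.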