Slashdot Mirror
New(?) Anti-Fraud DNS service
knownsense writes "A new DNS system to foil spammers, abusers, and other ills of the Internet is around the corner, reports Wired. It claims to be more user-friendly than your ISP's DNS. Among its claimed advantages . . . Faster myspace(!?), coordination with spamhaus, and typo-squatter squashing. The actual service is called OpenDNS."
Anti-fraud or not, someone's getting lied to there.
"Currently, web surfers simple(sic) get an error message when they attempt to navigate to an unused domain. OpenDNS users will instead be routed to a company server that will present a list of search engine results and paid advertisements."
No thanks.
Argh.
Since when were DNS lookup failures responded to with HTTP error codes?
It's official. Most of you are morons.
But it has to be better, it has "Open" in its name.
Your ISP probably does the same thing already. These guys claim to have a much bigger cache, so they're more likely to have cache hits than misses.
They also offer ads & search results for non-existent domains, and they claim they will filter out phishing sites.
Not really a big deal though even on a cache miss, a DNS query doesn't take that long.
A broken, non standards compliant DNS isnt a better DNS, it's a crippled DNS. The phishing and scamming is more of a social problem than a technical problem. The last thing i want is for some DNS host to filter my queries. The open part of open_dns is a farce. This is a commercial venture trying to make a profit by skirting around well defined standards. OpenDNS will be plagued with problems like people who run the dns getting nice kick backs from scammers to keep domains from being filtered, etc. There will be false blocks by accident etc. OpenDNS would have the ability to push companies and personal sites around. Who knows what the OpenDNS people are catering to. What if they catered to the Christian right, and started blocking non wholesome content, etc. This is a bad idea people. -koft
Ahh, yes - Yet Another Root Domain Name System, like AlterNic.
One that also does redirection in the case of an invalid domain name, thus breaking code (like mail servers) that rely upon being able to detect bogus domains.
One that requires users to change their DNS settings, with all the attendant breakage and difficulties for troubleshooting.
One that will ALSO load down the upstream DNS servers, since the users won't be using their ISP's name servers.
And I am sure their policy of blocking spammy sites' resolution will sit very well with the Slashdot Zeitgeist.
Yes, I am sure this will be a spectacular success, just like AlterNIC is.
www.eFax.com are spammers
If people want to filter out bad sites and auto-correct bad URL's then that sounds like a job for a client-side application, not for DNS servers. DNS does one thing and it does it well: it acts like a phonebook for IP addresses. There is no bias in its resolutions. Keep it simple and let it do its job without red tape.
Service is pretty cool for people who can't run Bind (or something similiar). However for those that can, I am guessing its probably just as effective as running a caching only DNS server and maybe Squid to emulate their phishing blocking (assuming you have access to known phishing sites). As a matter of fact, the local version should be even faster (although the cache will obviously be smaller so there is a tradeoff). Off the top of my head, I am not sure how you could do the spell checking. Does Bind have a similiar option?
Its one thing to supply facts, but this service is editorializing DNS. I think they are leaving themselves open to attack based on their choices.
Intron: the portion of DNA which expresses nothing useful.
So using DNS servers that are 23 hops and 170ms away from me is meant to be faster than using ones 4 hops and 5ms away? Think they need some sort of distributed system with servers in every country, and some good peering.
This is nothing more than another attempt to make some money off of the basic infrastructure of the Internet. DNS is free right now. And to some people, that means that there is a chance to "monetize" that service.
But how to turn a profit from something that's being given away for free right now?
You'd have to offer some additional incentives. Like "phishing blocking" or claiming that a popular website would "load faster".
As far as I know, the DNS resolution has never been the problem for MySpace loading slowly. It's slow because so many other people are hitting their servers and bandwidth. And since Win2K, Microsoft has included a caching DNS app so once you do hit MySpace, you've cached the address on your workstation. You can't get much faster than that.
This POS is neither new nor newsworthy nor useful, at least not for the reasons they try to sell it to you for.
An alternative-root DNS system will never work (since Critical Mass is impossible to attain).
Myspace will not get faster. Whoever made you believe that is selling snake oil, too.
In fact, your DNS will actually slow down by a good bit; at least if you belong to the majority of the world (unlike root DNS servers, which actually deliver geographical and network dispersion). The big cache they are so proud of will create lots of problems if they actually do it differently from regular DNS resolver caches that you have at every major (and minor) ISP -- and those will be a lot closer to you than OpenDNS ever will.
Fixing typos is a double-edged blade. Sure it's nice if slashdo.torg works. How about whitehouse.gom, though ? And who decides that microsaft.com is really typo-squatter ? (They might just make nice juices !)
Their business model is funny, too. They sell advertisement for search pages in case they can't figure out where you want to go. This is hilarious, really. The selling point is that it can send you to the right page when you make a typo, but not figuring out what a typo was supposed to mean makes them more money. Hrrm. The better they become at their game, the less money they get ! Brilliant !
(Not to mention that this is precisely what got Verizon into hot water with their SiteFinder crap).
How on earth will OpenDNS stem the tides of spam ? Even IF it had a chance doing that purely with DNS, if it was relevant at all Spammers would find a way to make it inconsequential.
Last, but not least, their company is small. There is no oversight. I don't know whether I want to trust a group of 20 people to decide who is an abuser and who is not. I'd rather have hundreds of parties involved in the process, providing a stable balance to one another. (Fun scenario : OpenDNS gets bought out by DirectRevenue.com, starts redirecting EVERY DNS request to their own servers, encasing every website with a nice adbar. Oops. (points for doing it after attaining critical mass).
I did a quick test:
.org -
.net -
- DNS query -
- dutch hosted
opendns
Query time: 1228 msec - they have to query upstream
Query time: 261 msec
Query time: 192 msec
Query time: 192 msec
Query time: 193 msec
my isp
Query time: 74 msec - they have to query upstream
Query time: 29 msec
Query time: 30 msec
Query time: 29 msec
Query time: 29 msec
- us hosted
opendns
Query time: 380 msec - they have to query upstream
Query time: 192 msec
Query time: 193 msec
Query time: 193 msec
Query time: 193 msec
my isp
Query time: 184 msec - they have to query upstream
Query time: 29 msec
Query time: 30 msec
Query time: 29 msec
Query time: 29 msec
- Ping test -
Ping to open dns: 192ms
Ping to my isp: 29ms
- Conclusion -
The dns repsonse is the same as the ping so they will never get faster then my isp.
200GB/2TB $7.95 Coupon: SAVE90DOLLAR
Here is how the faster claim works. Say there is a 150ms round trip between you and your ISP's name server. You computer requests the IP for www.slashdot.org. If you are lucky then www.slashdot.org is in the name server's RAM cache, and you get a fast response in just a little over 150ms. If not (and for the majority of websites, its not) then the name server has to search its disk cache (this is where it is most likely to be. If its still not found, then your ISP's server has to look up slashdot.org with the root servers, and get the name server for that domain, and next it has query the dns server for slashdot.org to find the machine named www. each of these taking more time.
I presume what they do is have machines with loads of RAM (how many dns entries could you keep in say 4GB anyway?) and try to serve as many requests as possible from a RAM cache rather than disk cache. Thats my guess anyway.
Slashdot is an anagram for Has Dolts, and I am Dolt number 468543
OpenDNS has been around for YEARS. The original reason it was made had nothing to do with any of this, it was so that members could vote to add new root domains that would have never been added to the "official" DNS servers. It was an end run around ICANN, basically. There are very few restrictions on OpenDNS on what can be added, and it's all voted on by the members. I actually tried using OpenDNS for awhile, but I had problems with it. There just weren't enough servers, and those that were there went down frequently. They acted as a relay to the "real" DNS as well, so you could resolve .com, .net, .org, etc. But after the 5th DNS outage in a month, I finally set BIND on my server to hit the root servers again instead of OpenDNS. The service just wasn't reliable enough. These goals that are being mentioned in this article have absolutely nothing to do with what OpenDNS was supposed to be about. Either TFA is BS written by a media drone who has no clue what's going on, or OpenDNS has radically changed its goals since I last used it a year ago. I hope for their sake that it's the former.
I can understand why slashdot geeks wouldn't want their DNS servers messed with, I'm among you, however most of the internet users out there aren't nearly as computer literate as we are, and this service I believe would be really good for them.
Most internet users don't know or care what a DNS server is. For this to succeed you need to capture the hearts and minds of the ISPs. Luckily for them, ISPs are very concerned about DNS right now as it is critical, somewhat vulnerable, and they are lacking visibility into it. Unluckily for them, the entrenched players have all started jumping on this and providing real solutions. Why block all requests to a DNS name when legitimate researchers and security people might need to get there? What about when a cracked server that still hosts legitimate content as well? what about when the FQD is a forum with 99% legitimate traffic and 1% worms and phishing?
This solution is a shotgun where a scalpel is needed. Block worm traffic as detected by the DNS request, not all traffic to that domain. Also, contrary to what people seem to be thinking here, the main DNS issue is not worms or phishing (ISPs don't care that much) but they do care about large chunks of their traffic to the DNS servers coming from misconfigured servers repeatedly querying them. Since, in many cases, these servers are their own, blocking them with a fancy, broken DNS server is not the best plan. Redirecting other ISPs' server to an ad a million times a day will not yield any long-term profit (since no person sees them) Rather, fixing their own servers and notifying others/filtering at the peering edge is the way to go. Since ISPs are now able to do that, I foresee a large yawn when operators see OpenDNS (what a misleading name, kind of like OpenXML).
OpenNIC is a totally different organization. They are an alternate root. We're (OpenDNS.com) not anything close.
We're about giving you control over your recursive DNS, something you should want. If you don't want us catching typos for you, that's fine. Just check out our FAQ and learn a bit more.
-david
# Hack the planet, it's important.