New(?) Anti-Fraud DNS service

knownsense writes "A new DNS system to foil spammers, abusers, and other ills of the Internet is around the corner, reports Wired. It claims to be more user-friendly than your ISP's DNS. Among its claimed advantages . . . Faster myspace(!?), coordination with spamhaus, and typo-squatter squashing. The actual service is called OpenDNS."

Advantage?

Among its claimed advantages . . . Faster myspace

Anti-fraud or not, someone's getting lied to there.

Adverts?

[HugePedlar]

"Currently, web surfers simple(sic) get an error message when they attempt to navigate to an unused domain. OpenDNS users will instead be routed to a company server that will present a list of search engine results and paid advertisements."

No thanks.

Re:Adverts?

[kjart]

Agreed. I enjoy how users are 'protected' from phising/spam/advertising by this service by getting more ads! It's like pushing someone out of the way of a speeding car and then punching them in the face.

This must be better

[tdemark]

But it has to be better, it has "Open" in its name.

Re:Now, I am but a lowly programmer

[remembertomorrow]

He was probably referring to the fact that Internet Explorer, by default, shows "friendly" HTTP and DNS error messages, such as "This page cannot be displayed."

That part was definitely written incorrectly, but we all know what he meant (I hope).

Better how?

A broken, non standards compliant DNS isnt a better DNS, it's a crippled DNS. The phishing and scamming is more of a social problem than a technical problem. The last thing i want is for some DNS host to filter my queries. The open part of open_dns is a farce. This is a commercial venture trying to make a profit by skirting around well defined standards. OpenDNS will be plagued with problems like people who run the dns getting nice kick backs from scammers to keep domains from being filtered, etc. There will be false blocks by accident etc. OpenDNS would have the ability to push companies and personal sites around. Who knows what the OpenDNS people are catering to. What if they catered to the Christian right, and started blocking non wholesome content, etc. This is a bad idea people. -koft

DNS needs to be dumb, not smart

[Bloodwine77]

If people want to filter out bad sites and auto-correct bad URL's then that sounds like a job for a client-side application, not for DNS servers. DNS does one thing and it does it well: it acts like a phonebook for IP addresses. There is no bias in its resolutions. Keep it simple and let it do its job without red tape.

Neither new nor useful

[mxs]

This POS is neither new nor newsworthy nor useful, at least not for the reasons they try to sell it to you for.

An alternative-root DNS system will never work (since Critical Mass is impossible to attain).

Myspace will not get faster. Whoever made you believe that is selling snake oil, too.

In fact, your DNS will actually slow down by a good bit; at least if you belong to the majority of the world (unlike root DNS servers, which actually deliver geographical and network dispersion). The big cache they are so proud of will create lots of problems if they actually do it differently from regular DNS resolver caches that you have at every major (and minor) ISP -- and those will be a lot closer to you than OpenDNS ever will.

Fixing typos is a double-edged blade. Sure it's nice if slashdo.torg works. How about whitehouse.gom, though ? And who decides that microsaft.com is really typo-squatter ? (They might just make nice juices !)

Their business model is funny, too. They sell advertisement for search pages in case they can't figure out where you want to go. This is hilarious, really. The selling point is that it can send you to the right page when you make a typo, but not figuring out what a typo was supposed to mean makes them more money. Hrrm. The better they become at their game, the less money they get ! Brilliant !
(Not to mention that this is precisely what got Verizon into hot water with their SiteFinder crap).

How on earth will OpenDNS stem the tides of spam ? Even IF it had a chance doing that purely with DNS, if it was relevant at all Spammers would find a way to make it inconsequential.

Last, but not least, their company is small. There is no oversight. I don't know whether I want to trust a group of 20 people to decide who is an abuser and who is not. I'd rather have hundreds of parties involved in the process, providing a stable balance to one another. (Fun scenario : OpenDNS gets bought out by DirectRevenue.com, starts redirecting EVERY DNS request to their own servers, encasing every website with a nice adbar. Oops. (points for doing it after attaining critical mass).

Re:Neither new nor useful

[davidu]

This POS is neither new nor newsworthy nor useful, at least not for the reasons they try to sell it to you for.

Well, to be fair, you're responding to the article and not the service. But I'm going to go through and answer each of your points because this post seems to cover a lot of the really important topics.

An alternative-root DNS system will never work (since Critical Mass is impossible to attain).

I couldn't agree with you more and we are *NOT* an alternate root. If you are using our service, you are using the real ICANN assigned roots. Period. Full Stop.

OpenDNS is new particularly because of how we do what we do. We have built a recursive nameservice. That means that we are making the changes only for a client and not for the entire Internet. The article, while good at trying to cover a hard topic, fails to mention that not only are we opt-in but we can set preferences for different users.

So if you don't want us catching typos, we won't. If you just want straight, normal DNS that's just using a bigger and faster cache, that's just fine by us. We aren't going to mess with you later for deciding that you just want a more reliable DNS. But when you setup your neighbor or mom or brother or friend you might decide they are better off with an added layer of security. The choice is, of course, yours and always will be.

Myspace will not get faster. Whoever made you believe that is selling snake oil, too.

First, MySpace is just an example, of course. It does like 10 DNS requests on the homepage loading web,ad,image server FQDNs. But to respond, empirical evidence thus far (from really smart people) would disagree with that statement. Hopefully we'll have some good and more scientifically grounded data soon. If you want to help out with that, let me know.

In fact, your DNS will actually slow down by a good bit; at least if you belong to the majority of the world (unlike root DNS servers, which actually deliver geographical and network dispersion). The big cache they are so proud of will create lots of problems if they actually do it differently from regular DNS resolver caches that you have at every major (and minor) ISP -- and those will be a lot closer to you than OpenDNS ever will.

Most resolvers tend to churn through their cache long before TTLs expire so what you're saying isn't exactly true. In many instances most recursive DNS servers toss out a bunch of glue that is consistently being re-fetched. While it's important to respect TTLs (and we absolutely do), it's also important to keep stuff in your cache to get the benefit of the TTL that was set by the zone owner. That's not happening and that's making your DNS not perform well. And it's more than just adding more ram to the system. DNS is 20 years old and it's now a quite critical piece of infrastructure. It's beautiful in many ways, but one way in which it isn't is with how resolvers work. Really, nobody has ever spent much time working on making a killer resolver until recently.

Fixing typos is a double-edged blade. Sure it's nice if slashdo.torg works. How about whitehouse.gom, though ? And who decides that microsaft.com is really typo-squatter ? (They might just make nice juices !)

We don't redirect typos like that. We have a ton of requests to do that, but we don't yet for exactly the reason you point out. It's a tough road to go down, and if we do it, it'll be a preference you set with a little checkbox or something. Not a choice I should be making for you. Our goal is to empower you to control what used to be this black box of a memory structure in a DNS server and add some transparency to it for you. That was lost a bit in the article as it focused mostly on the security aspects of our service but there's more; much more.

Their business model is funny, too.

faster?

[mtenhagen]

I did a quick test:

- DNS query -

- dutch hosted .org -

opendns
  Query time: 1228 msec - they have to query upstream
  Query time: 261 msec
  Query time: 192 msec
  Query time: 192 msec
  Query time: 193 msec

my isp
  Query time: 74 msec - they have to query upstream
  Query time: 29 msec
  Query time: 30 msec
  Query time: 29 msec
  Query time: 29 msec

- us hosted .net -

opendns
  Query time: 380 msec - they have to query upstream
  Query time: 192 msec
  Query time: 193 msec
  Query time: 193 msec
  Query time: 193 msec

my isp
  Query time: 184 msec - they have to query upstream
  Query time: 29 msec
  Query time: 30 msec
  Query time: 29 msec
  Query time: 29 msec

- Ping test -
Ping to open dns: 192ms
Ping to my isp: 29ms

- Conclusion -
The dns repsonse is the same as the ping so they will never get faster then my isp.