What’s Wrong With OpenDNS?

OpenDNS is surely going to prove to be a useful tool for those not intimately familiar with the internet. OpenDNS provides some unique functionality compared with other DNS servers in that it detects typos and prevents phishing. For example, say you type http://www.longren.og into your browser. That URL obviously doesn’t exist (notice the .og at the end). OpenDNS will recognize the typo and redirect you to http://www.longren.org.

Smart huh? Yes, but it could have its drawbacks. This post highlights what could be a potential security risk in OpenDNS. It has to do with intrusion detection systems (IDS) not realizing which URL is actually being requested. That post uses the mod_speling Apache httpd module as an example.

If I send a request for indexh.tml, mod_speling detects the mistake and will serve back index.html. The problem is any security products like an IDS/IPS won’t have this intelligence to try and “fix” the request before they analyze it. The IDS/IPS simply sees and logs a request for indexh.tml. mod_speling, like this feature in OpenDNS, allows an attacker to side step the attack signatures on an IDS/IPS to exploit a site because the web server will “fix” the attack once it reaches its target.
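To make that mismatch concrete, here is a small Python example I’m adding here (it is not code from that post, from Apache, or from OpenDNS). It canonicalizes a request the way the server or resolver would, so that the IDS inspects the resource that will actually be served rather than the literal bytes the client sent. The matching rule (case-insensitive, or exactly one character inserted, deleted, substituted or transposed) is my assumption modelled on mod_speling’s documented behaviour; the TLD list, document root and the “watched” rule are constructed stand-ins.

```python
from typing import Optional, Set, Dict, Tuple

# Constructed stand-ins for this example: a tiny TLD list, a one-level
# document root, and one IDS rule that fires on requests for admin.html.
KNOWN_TLDS: Set[str] = {"com", "org", "net"}
DOC_ROOT: Set[str] = {"index.html", "about.html", "admin.html"}
WATCHED: Set[str] = {"admin.html"}


def one_edit_apart(a: str, b: str) -> bool:
    """True if b is exactly one insert, delete, substitute or adjacent swap from a.
    (Assumed matching rule, modelled on mod_speling; not Apache's own code.)"""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:                      # one substitution
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:   # adjacent transposition
            i, j = diffs
            return a[i] == b[j] and a[j] == b[i]
        return False
    if len(a) > len(b):                          # make a the shorter string
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]                    # single insertion/deletion


def correct_name(requested: str, candidates: Set[str]) -> Optional[str]:
    """Return the single candidate `requested` would be corrected to.
    Exact match wins; otherwise a unique case-insensitive or one-edit match.
    None when nothing matches or the match is ambiguous (no guessing)."""
    if requested in candidates:
        return requested
    r = requested.lower()
    matches = {c for c in candidates
               if c.lower() == r or one_edit_apart(r, c.lower())}
    return matches.pop() if len(matches) == 1 else None


def effective_host(host: str, tlds: Set[str] = KNOWN_TLDS) -> Optional[str]:
    """OpenDNS-style correction of a mistyped TLD (www.longren.og -> .org)."""
    labels = host.lower().split(".")
    fixed = correct_name(labels[-1], tlds)
    return None if fixed is None else ".".join(labels[:-1] + [fixed])


def effective_path(path: str, docroot: Set[str] = DOC_ROOT) -> Optional[str]:
    """mod_speling-style correction of a mistyped document name."""
    return correct_name(path.lstrip("/"), docroot)


def inspect_request(host: str, path: str,
                    watched: Set[str] = WATCHED) -> Dict[str, object]:
    """What an IDS sees for one request: the raw bytes, the resource that will
    really be served, and whether the watch rule matches before/after fixing."""
    eh, ep = effective_host(host), effective_path(path)
    raw_name = path.lstrip("/")
    return {
        "requested": (host, path),
        "effective": (eh, ep),
        "rewritten": (eh, ep) != (host.lower(), raw_name),
        "raw_match": raw_name in watched,        # what a naive signature sees
        "canonical_match": ep in watched,        # what the server will serve
    }


if __name__ == "__main__":
    for h, p in [("www.longren.og", "/indexh.tml"),
                 ("www.longren.org", "/admni.html"),
                 ("www.longren.org", "/index.html")]:
        print(inspect_request(h, p))
```

The useful habit this shows is logging both tuples: the literal request for forensics, and the canonical one for rule matching, so a rule written against admin.html still fires when the server quietly serves it for a one-character typo.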

I disagree with the logic behind the author’s claims. Why? Simply because I have a feeling OpenDNS was built with that taken into consideration. I’m betting there’s some sort of database internally that lets every piece of the network know exactly what is being served when a typo is detected. Everything from the IDS boxes to the DNS servers themselves. Maybe I totally missed the point of what that post was trying to get across.

Another thing OpenDNS should work on ASAP is transparency. I’d really like to know the false positive rate on phishing sites. How many legitimate sites get flagged as a phishing site? A publicly available reporting system would also be nice. Something to show DNS changes in particular would be nice for helping to maintain the integrity of the database.

But, I’m sure these questions will be answered in the near future, after all, today is the company’s first day with exposure to the “public”. There’s already mention of a new feature on the most recent post at the OpenDNS blog.

One important feature which is not yet available, but will be soon, is self-service control over the DNS settings. Ryan’s article, understandably, doesn’t mention this capability, since it’s not yet live.

The point? We’re going to put more control in your hands, so if you want to turn off features like typo correction or phishing prevention, you’ll be able to. Account management is the top priority now, to help demonstrate the power of control over your DNS. We think transparency and control will show you (not just tell) that we’re making the right choices.

Ryan’s article is of course the article that was in Wired this morning. See, they’re already taking steps to provide more transparency; hopefully it will continue.

Harper Reed is also a bit skittish with OpenDNS still, like me. I think OpenDNS has great intentions though, so I’m not too worried. Founder of OpenDNS, David Ulevitch, already has a pretty outstanding reputation in the internet community, probably due mostly to the success of EveryDNS. OpenDNS is out to do good on the internet, just like EveryDNS. That doesn’t mean they can’t do harm, as we saw with Blue Security.

I’m pretty sold on OpenDNS overall. I put their DNS servers in my DHCP server config tonight after I got home from work. And the Nevada office as well as a couple servers in Ankeny are using OpenDNS now too.

OpenDNS: Better DNS

Wired is running an interesting story on OpenDNS. What is OpenDNS you ask? “OpenDNS makes the Internet experience safer, faster and smarter for you and everyone using your network.” Here’s a piece from the article:

The OpenDNS system, which will open its servers to the public Monday, wants to be a more user-friendly name resolution service than those provided by ISPs, with technology to keep fraudulent sites out of its listings, correct some typos and help browsers look up web pages faster.

The man behind OpenDNS, David Ulevitch, isn’t new to DNS by any means. He’s also the founder of EveryDNS, which I used to use to host this site. It’s a great, free service.

OpenDNS is also free. I just updated our DHCP server to serve the OpenDNS IP addresses as DNS servers instead of the ones provided by Midiowa Net. So far, all seems to be working very well. Hopefully they’re ready for a huge influx of users, I don’t wanna have to switch my DNS servers back.

David Ulevitch has a post in the OpenDNS Blog titled “Why I Started OpenDNS”, it’s really interesting.

I’m a little late to the blogging phenomenon, but here we go. I started working on OpenDNS last November to create a new kind of DNS service that can be used by anyone to make their Internet experience better. Since then I’ve been working hard to bring this to fruition by assembling a fantastic team, developing some really great software and deploying a world-class network. Now I’m thrilled to introduce the free service we’ve been building. It’s ready, and I want you to try it. You will love it.

All in all, the service looks very promising. I think a “smarter” DNS system will prove to be very beneficial. Thanks to Venture Geek for reminding me where I’ve seen the name “David Ulevitch” before, at EveryDNS!

Remember, you have a choice in who provides you with DNS services.