This is a comment on OpenDNS and other public domain-name system (DNS) services, such as Google DNS. You should use such a service if it solves a problem for you, and not if it creates problems you don't already have. To summarize:
1. Using public DNS will probably not make your network faster, and may make it slower.
2. It will probably not stop your browser from being "redirected" when you try to connect to a valid web address.
3. It will not make you safer from malware attacks.
4. It could cause confidential information to be compromised.
5. It has other privacy implications that you should take into account.
A DNS server resolves the human-readable "domain name" of an Internet host, such as www.apple.com, to the numerical address by which that host can be reached. The process is analogous to looking up a phone number by name. There is
no chance that changing the DNS server you use will have any effect on a network problem not related to name resolution.
There are two valid reasons why you might want to use a public DNS service:
- The DNS servers provided by your ISP are misconfigured or don't perform well.
- You have a use for the filtering controls provided by OpenDNS and others.
Although some DNS services are touted as responding faster than others, there will be no noticeable difference if your ISP is delivering what you pay for. Most likely, the difference in response time among the DNS servers available to you is on the order of a hundredth of a second or less. But under some conditions, public DNS will significantly
slow down network performance.
A content-distribution network (CDN), such as the one used by Apple
to deliver software updates and iTunes content, relies on the location of the DNS server to optimize performance. If your query goes to a distant server, you may get slow downloads of Apple content, among other things. From the
report of a test carried out by a networking consultant:
We listed 9 CDNs that would benefit from supporting/using edns-client-subnet, and only two actually support edns-client-subnet: CDN77 and ChinaCache. Others, including Akamai, Internap and CDNetworks, do not currently. This really is too bad, because from the performance data we collected, it is clear these CDNs deliver (much) worse performance currently in many countries to Google DNS and OpenDNS users.
Another reason often given for using public DNS is to avoid "redirection," that is, false results from a query for a valid domain name. Ethical ISP's do not intentionally redirect valid DNS queries, though it might happen unintentionally because of a misconfiguration; for example, because the address of a network host has recently changed, or because of a "
poisoning" attack on the DNS server. If you regularly get false results from name resolution, there is some other reason for it. Note that your ISP may, and OpenDNS certainly will, redirect
invalid queries to ad sites, in violation of published standards for DNS.
Some ISP's have been known to "hijack" DNS queries to their own server, irrespective of where those queries are directed. I don't know of any large ISP that is currently doing this, but if yours is, you won't be able to use a public DNS service, even if you change the network settings on your computer or router.
The claims on the OpenDNS website that it "blocks" malware attacks such as Flashback are false advertising. A DNS service does not and cannot block anything. All it can do is to selectively refuse to answer queries. It's trivial for a malware attacker to evade such controls. It's just as easy to evade the parental controls offered by OpenDNS. Nevertheless, you may find those control features useful, despite their limitations. Here is an example of an ASC user who had undesirable results from OpenDNS content filtering.
There is one exception to the rule that OpenDNS and Google DNS don't improve performance. The "prefetching" performed by modern web browsers, including Safari, may confuse some DNS servers, with the effects described in this Apple Support article. The article suggests testing OpenDNS, Google DNS, or another third-party DNS service as a possible way to overcome the problem.
If you need to switch DNS providers because of a misconfiguration of your ISP's servers, the change will most likely only need to be temporary. The problem may be resolved automatically within a matter of hours.
If you intend to use public DNS, such as OpenDNS, on a long-term basis, you should be aware of the privacy implications. As a user of the free service, you are not an OpenDNS customer, and the service provider — a for-profit corporation — doesn't have a contract with you. The marketers to whom OpenDNS sells access and information are its customers.
OpenDNS will know, and store, the address of every Internet server you use from now on. This is from its
privacy policy:
When you use our Services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our Service, to provide you with Services and for internal business and analysis purposes.
Concerning personal information, the policy states:
...[I]t is disclosed to entities that perform marketing services on our behalf or to other entities with whom we have joint marketing agreements...
You can't opt out of those disclosures. Read the privacy policy carefully and draw your own conclusions. The privacy policy of Google DNS seems to be somewhat more benign, but again, you should judge for yourself.
That's not the worst of it, though. The practice of hijacking nonexistent domains followed by most public DNS services could result in leaking confidential information to a hacker:
For example, consider the "same origin trust model" used for Web cookies. If you're holding a cookie for GOOGLE.COM and you can be fooled into following a link to KJHSDFKJHSKJHMJHER.GOOGLE.COM, and the resulting NXDOMAIN response is remapped into a positive answer to some advertising server, then you're going to send your cookie to that advertising server when you send your HTTP GET request there. Not such a bad thing for a GOOGLE.COM cookie, but a real problem for a BANKOFAMERICA.COM cookie.
To emphasize, NXDOMAIN remapping is not something that only happens when you randomly mistype a domain name.It can be exploited deliberately by malicious links placed on any web page. In the case of OpenDNS, the result would be that a cookie intended for another server would be sent to the OpenDNS web server instead. A rogue OpenDNS employee, or anyone who managed to break into the web server, might then be able to impersonate you on another website. If this scenario seems far-fetched, it's the stuff that network exploits are made of.
See also a brief. somewhat outdated, critique of OpenDNS on a Harvard Law School blog, with a response from the company's founder.
