Open DNS vs TWC DNS (Dallas)
Should I use an open DNS or stay with TWC DNS (Dallas, TX)?
Are there really benefits to speak of as a second year Computer Engineering student?
Thanks all.
iMac, OS X Mavericks (10.9.1)
Should I use an open DNS or stay with TWC DNS (Dallas, TX)?
Are there really benefits to speak of as a second year Computer Engineering student?
Thanks all.
iMac, OS X Mavericks (10.9.1)
This is a comment on OpenDNS and other public domain-name system (DNS) services, such as Google DNS. You should use such a service if it solves a problem for you, and not if it creates problems you don't already have. To summarize:
1. Using public DNS will probably not make your network faster, and may make it slower.
2. It will probably not stop your browser from being redirected when you try to connect to a valid web address.
3. It will not make you safer from malware attacks.
4. It could cause confidential information to be compromised.
5. It has other privacy implications that you should take into account.
There are two valid reasons why you might want to use a public DNS service:
We listed 9 CDNs that would benefit from supporting/using edns-client-subnet, and only two actually support edns-client-subnet: CDN77 and ChinaCache. Others, including Akamai, Internap and CDNetworks, do not currently. This really is too bad, because from the performance data we collected, it is clear these CDNs deliver (much) worse performance currently in many countries to Google DNS and OpenDNS users.
Some ISP's have been said to re-route all DNS queries to their own name servers, regardless of where the queries were directed. This is another intolerable practice. I don't know of any commercial ISP that is currently doing this, but if yours is, you won't be able to use a public DNS service, even if you change the network settings on your computer or router.
If your Internet access is provided by an employer or institution, rather than a commercial ISP, then you have to take what is dished out.
The claims on the OpenDNS website that it blocks malware attacks such as "Flashback" are false advertising. A DNS service does not and cannot block anything. All it can do is to selectively refuse to answer queries. It's trivial for a malware attacker to evade such controls. It's just as easy to evade the parental controls offered by OpenDNS. Nevertheless, you may find those control features useful, despite their limitations. Here is an example of an ASC user who had undesirable results from OpenDNS content filtering.
There is one exception to the rule that OpenDNS and Google DNS don't improve performance. The "prefetching" performed by modern web browsers, including Safari, may confuse some DNS servers, with the effects described in this Apple Support article. The article suggests testing OpenDNS, Google DNS, or another third-party DNS service as a possible way to overcome the problem.
If you need to switch DNS providers because of a misconfiguration of your ISP's servers, the change will most likely only need to be temporary. The problem may be resolved automatically within a matter of hours.
When you use our Services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our Service, to provide you with Services and for internal business and analysis purposes.
Concerning personal information, the policy states:
...[I]t is disclosed to entities that perform marketing services on our behalf or to other entities with whom we have joint marketing agreements...
You can't opt out of those disclosures. Read the privacy policy carefully and draw your own conclusions. The privacy policy of Google DNS seems to be somewhat more benign, but again, you should judge for yourself.
That's not the worst of it, though. The practice of hijacking nonexistent domains followed by most public DNS services could result in leaking confidential information to a hacker:
For example, consider the "same origin trust model" used for Web cookies. If you're holding a cookie for GOOGLE.COM and you can be fooled into following a link to KJHSDFKJHSKJHMJHER.GOOGLE.COM, and the resulting NXDOMAIN response is remapped into a positive answer to some advertising server, then you're going to send your cookie to that advertising server when you send your HTTP GET request there. Not such a bad thing for a GOOGLE.COM cookie, but a real problem for a BANKOFAMERICA.COM cookie.
To emphasize, NXDOMAIN remapping is not something that only happens when you randomly mistype a domain name. It can be exploited deliberately by malicious links placed on any web page. In the case of OpenDNS, the result would be that a cookie intended for another server would be sent to the OpenDNS web server instead. A rogue OpenDNS employee, or anyone who managed to break into the web server, might then be able to impersonate you on another website. If this scenario seems far-fetched, it's the stuff that network exploits are made of.
See also a brief. somewhat outdated, critique of OpenDNS on a Harvard Law School blog, with a response from the company's founder.
This is a comment on OpenDNS and other public domain-name system (DNS) services, such as Google DNS. You should use such a service if it solves a problem for you, and not if it creates problems you don't already have. To summarize:
1. Using public DNS will probably not make your network faster, and may make it slower.
2. It will probably not stop your browser from being redirected when you try to connect to a valid web address.
3. It will not make you safer from malware attacks.
4. It could cause confidential information to be compromised.
5. It has other privacy implications that you should take into account.
There are two valid reasons why you might want to use a public DNS service:
We listed 9 CDNs that would benefit from supporting/using edns-client-subnet, and only two actually support edns-client-subnet: CDN77 and ChinaCache. Others, including Akamai, Internap and CDNetworks, do not currently. This really is too bad, because from the performance data we collected, it is clear these CDNs deliver (much) worse performance currently in many countries to Google DNS and OpenDNS users.
Some ISP's have been said to re-route all DNS queries to their own name servers, regardless of where the queries were directed. This is another intolerable practice. I don't know of any commercial ISP that is currently doing this, but if yours is, you won't be able to use a public DNS service, even if you change the network settings on your computer or router.
If your Internet access is provided by an employer or institution, rather than a commercial ISP, then you have to take what is dished out.
The claims on the OpenDNS website that it blocks malware attacks such as "Flashback" are false advertising. A DNS service does not and cannot block anything. All it can do is to selectively refuse to answer queries. It's trivial for a malware attacker to evade such controls. It's just as easy to evade the parental controls offered by OpenDNS. Nevertheless, you may find those control features useful, despite their limitations. Here is an example of an ASC user who had undesirable results from OpenDNS content filtering.
There is one exception to the rule that OpenDNS and Google DNS don't improve performance. The "prefetching" performed by modern web browsers, including Safari, may confuse some DNS servers, with the effects described in this Apple Support article. The article suggests testing OpenDNS, Google DNS, or another third-party DNS service as a possible way to overcome the problem.
If you need to switch DNS providers because of a misconfiguration of your ISP's servers, the change will most likely only need to be temporary. The problem may be resolved automatically within a matter of hours.
When you use our Services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our Service, to provide you with Services and for internal business and analysis purposes.
Concerning personal information, the policy states:
...[I]t is disclosed to entities that perform marketing services on our behalf or to other entities with whom we have joint marketing agreements...
You can't opt out of those disclosures. Read the privacy policy carefully and draw your own conclusions. The privacy policy of Google DNS seems to be somewhat more benign, but again, you should judge for yourself.
That's not the worst of it, though. The practice of hijacking nonexistent domains followed by most public DNS services could result in leaking confidential information to a hacker:
For example, consider the "same origin trust model" used for Web cookies. If you're holding a cookie for GOOGLE.COM and you can be fooled into following a link to KJHSDFKJHSKJHMJHER.GOOGLE.COM, and the resulting NXDOMAIN response is remapped into a positive answer to some advertising server, then you're going to send your cookie to that advertising server when you send your HTTP GET request there. Not such a bad thing for a GOOGLE.COM cookie, but a real problem for a BANKOFAMERICA.COM cookie.
To emphasize, NXDOMAIN remapping is not something that only happens when you randomly mistype a domain name. It can be exploited deliberately by malicious links placed on any web page. In the case of OpenDNS, the result would be that a cookie intended for another server would be sent to the OpenDNS web server instead. A rogue OpenDNS employee, or anyone who managed to break into the web server, might then be able to impersonate you on another website. If this scenario seems far-fetched, it's the stuff that network exploits are made of.
See also a brief. somewhat outdated, critique of OpenDNS on a Harvard Law School blog, with a response from the company's founder.
Thank you for the response, Linc Davis. I consider your provided information to be the most useful and trustworthy on this forum.
Thank You,
Ryan
Thanks for the kind words.
HELLO! guys, if you’re looking for a method to help find a faster DNS server for your system, Namebench is a cool free utility to help you out:
you can download NameBench for Windows, Mac, and Linux from Google Code
After it’s complete you’ll get a report of the results. Based on its findings, it will show you what DNS server is fastest for your system.
It also displays different types of graphs so you can get a better feel for the different results.
You can export the results to a .csv file as well so you can present the results in Excel.
Open DNS vs TWC DNS (Dallas)