I was a big fan of the OpenDNS DNS service, but recently I found a few bad things about their offerings. I strongly recommend staying away from the OpenDNS service.
All your search queries belongs to OpenDNS
OpenDNS redirects all your Google search queries through their servers. They capture your search query data and then forward the request to the real google.com domain. Here is a quick DNS lookup:
$ host www.google.co.in 208.67.220.220
Sample output:
Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

www.google.co.in is an alias for www.google.com.
www.google.com is an alias for google.navigation.opendns.com.
google.navigation.opendns.com has address 208.67.219.230
google.navigation.opendns.com has address 208.67.219.231
They may also do the same for your email and other search engines.
Update: Dave has pointed out the reason why OpenDNS forwards Google through their servers. You can also turn this feature on or off from the OpenDNS control panel.
OpenDNS is bad for server
Don't use them on your colocated server or VPS. They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain return the "NXDOMAIN" error response. Here is a sample output:
$ host abcabcxyzxyz.com 208.67.220.220
Sample output:
Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

abcabcxyzxyz.com has address 208.67.219.132
Host abcabcxyzxyz.com not found: 3(NXDOMAIN)
This encourages spam, as you will not be able to filter out spam based on nonexistent domains when resolving through their DNS servers.
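The quickest way to tell whether a resolver is synthesising answers for names that should return NXDOMAIN is to ask it for a label that cannot exist and inspect the `host` output. The script below is an added example, not part of the original post: it embeds the post's own sample output (reflowed one record per line) as constructed test input, so the classifier runs offline, and adds a live probe function that the reader can point at any resolver IP.

```sh
#!/bin/sh
# Added example (not from the original post): classify host(1) output to
# detect a resolver that returns an address instead of NXDOMAIN.

# Output the post shows for `host abcabcxyzxyz.com 208.67.220.220`,
# one record per line (constructed test input).
SAMPLE_HIJACKED='Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

abcabcxyzxyz.com has address 208.67.219.132
Host abcabcxyzxyz.com not found: 3(NXDOMAIN)'

# What a resolver that honours NXDOMAIN returns for the same query
# (constructed; 192.0.2.53 is a documentation address, not a real resolver).
SAMPLE_CLEAN='Using domain server:
Name: 192.0.2.53
Address: 192.0.2.53#53
Aliases:

Host abcabcxyzxyz.com not found: 3(NXDOMAIN)'

# classify_host_output NAME   (reads host(1) output on stdin)
# prints: hijacked  - an A record came back for NAME (any NXDOMAIN line is
#                     ignored: the page's sample shows both, and the address
#                     is what a browser or MTA would act on)
#         nxdomain  - the resolver reported NXDOMAIN and no address
#         unknown   - anything else (timeout, SERVFAIL, ...)
classify_host_output() {
    name=$1
    out=$(cat)
    # dots in NAME act as regex wildcards here; good enough for a probe label
    if printf '%s\n' "$out" | grep -q -- "^${name} has address "; then
        echo hijacked
    elif printf '%s\n' "$out" | grep -q -- "not found: 3(NXDOMAIN)"; then
        echo nxdomain
    else
        echo unknown
    fi
}

# check_resolver RESOLVER_IP: live probe with a random label under .com that
# cannot exist, e.g. `check_resolver 208.67.220.220` (needs network).
check_resolver() {
    probe="nx-$(date +%s)-$$.com"
    host "$probe" "$1" 2>&1 | classify_host_output "$probe"
}
```

A result of `hijacked` from `check_resolver` means NXDOMAIN-based checks (such as rejecting mail from nonexistent sender domains) will silently pass through that resolver.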
OpenDNS caching sucks
I contacted their support about my problem but never got any reply. Their server always returns two IP addresses for my nameserver:
$ host ns2.nixcraft.net 208.67.220.220
Sample output:
Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

ns2.nixcraft.net has address 74.86.48.98
ns2.nixcraft.net has address 74.86.48.98
I don't have two IP addresses for ns2.nixcraft.net.
I strongly recommend running your own DNS cache server along with your ISP's forwarding nameservers.
Thanks to ricko for pointing out OpenDNS issue in a chat room and elsewhere on the Internet.
Update: Fri Nov 5, 2010 by Vivek: OpenDNS no longer redirects Google search queries through their servers:
$ host www.google.co.in 208.67.220.220
Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

www.google.co.in is an alias for www.google.com.
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 173.194.33.104
Updated for accuracy.
The Google search redirection is a feature (which they used to advertise very clearly – not so anymore) that you can turn on and off in the OpenDNS dashboard. It’s meant to be a proxy so that OpenDNS shortcuts entered into the address bar won’t be caught by Google toolbar’s “Search from the address bar” feature. Essentially, they still are, but OpenDNS recognizes the search request and takes you to your shortcut anyway.
To change it, log in to your OpenDNS dashboard and click the Settings tab. Then, on the left, click Advanced Settings. Scroll to the bottom and uncheck Enable OpenDNS Proxy and click Apply.
As far as using it for servers, I would agree for a server doing any sort of security tasks that involve verifying domains (like a spam filter). Other than that, I don’t see the harm.
I agree with you on one point – you should not use OpenDNS for web, email, or other servers. Traditional DNS is best for that.
OpenDNS can/should be used for consumer DNS services.
If you want to see the reason why OpenDNS forwards google through their server, see this.
I’ve never had a caching problem with OpenDNS nor have I heard of any widespread issues with it. I don’t think this would impact resolution.
Mmmm… damn.. I was in love with their service. I guess that redirecting the queries to an ad service will be a way for them to make some profit. In your opinion, can this lead to IP spoofing?
Thanks for pointing this out. I've just changed my DNS to Airtel, which respects my privacy without configuration or software installation.
They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the “NXDOMAIN” error response.
You can disable the “OpenDNS Guide” in the OpenDNS website. Also, the NXDOMAIN response is only obligatory for authoritative DNS servers, which OpenDNS isn’t.
Interesting points. I'll have to look into this further. But for the moment, I have been using OpenDNS for quite a while and have been generally quite pleased with all they do. I hope to hear their response to this. In the meantime I think it is important to use alternate DNS servers other than AT&T's. AT&T has cooperated so fully with government eavesdropping requests that they have lost my respect and trust. I would love it if DNS providers like OpenDNS.com would provide an SSL wrapper for their DNS queries. I am trying to bring an end to the Federal Reserve act so I am somewhat concerned about being snooped on by an organization which makes over a trillion dollars a year in profit and pays no taxes on it. Nor is it accountable to any government agency – it has never been audited.
URL http://google.navigation.opendns.com/ opens the Google home page but the IP address belongs to OpenDNS:
whois 208.67.219.231
Is there a reason you keep deleting my comments from this post?
-David Ulevitch (CEO of OpenDNS)
No,
This is the only comment I see in the queue and it is approved. A comment only gets deleted if it is off-topic or spam. Sometimes a comment may be placed in the Akismet spam queue and I might have missed it. I see only this comment from your IP…
This isn’t true. You even replied to my email when I was telling you the CAPTCHA was broken. I notice you’ve now removed the CAPTCHA.
Can you put back my deleted posts or just make your article accurate?
I'm sorry for the CAPTCHA issue, but you'll have to write your post again. I never deleted your comment, as it was never stored in the queue due to a technical problem. When you post your reply I will update the post to point out your comment.
@Dave:
My comment regarding the relevant post on /. that this page is almost a complete copy of got deleted too. Search recent /. entries for an Ask Slashdot title similar to “Why is the internet so slow?”. I suppose that the spam filter automatically drops anything with a url, as opposed to the admin deliberately removing unfavorable comments.
Dotan,
I've not deleted any comment, but there was a problem with the captcha and wp-cache. Also, I've already pointed out:
If you google for the same you will get 100s of other posts with almost the same info and the same commands.
It was unfortunate that I had to upgrade to WP 2.6.2, which was released at almost the same time. It was causing some problems so I had to disable the plugin.
HTH.
I figured that it was a filter and not deliberate, that’s why I mentioned it. Thanks!
They showed your IP address twice because when you query the main server it checks it against the secondary, which shows up the same entry twice. If it had two different entries for you they would have to be different, but as you posted them they are identical, which can only mean that they are showing the query from both the primary and secondary DNS servers.
Recently I have found that my ISP does the same… somehow it works only on Windows machines, so the only one suffering from that rude behavior is my wife, using an 8-year-old OS called Windows XP. The rest of the machines at home run modern OSes such as Fedora 9, Ubuntu and CentOS, so they are protected 8-)
Nahum,
You can use 4.2.2.1, 4.2.2.2, 4.2.2.3 and 4.2.2.4 on Windows XP. They seem to be doing okay and not capturing data.
When you use an external DNS service you are often making money for them… either paying them (paid service) or letting them collect from advertisers on mistyped URLs (free service). The latter is far more lucrative. Nothing wrong with any of this, but let's not obscure the facts. The "reliability" (uptime) statements of the DNS service providers are misleading. And "Open" does not really mean anything in this context. If users knew how easy this whole business of DNS lookups is, they would undoubtedly not let someone else process their DNS lookups (i.e. telling someone else what sites you want to visit). Users are privacy conscious.
Neither option, whether paid DNS or "free" DNS, gives you more reliability. Your computer is quite capable of performing lookups by querying the DNS on its own. It does not need a "middle-man".
The most reliable way to query DNS is to query the system yourself and keep your own cache. Dump the cache to /etc/hosts periodically.
Then you will only be dependent on the root servers and TLD servers, and only for sites you’ve never visited (see below).
Needless to say, the root and TLD servers are the most important servers on the internet. They are looked after with great care. If they fail, "the internet fails"… for *everyone*. They are the authoritative source for lookups. If a DNS provider such as OpenDNS fails, then only its users suffer.
By doing your own lookups, then for sites you have visited, you will have your own cache; so you don't need DNS for those sites. The whole DNS system could fail and you'd still be able to work using those sites, because you already have the IPs in your cache. If you visit the same sites repeatedly, this will also be faster than any "DNS service". If your computer is reading the local file /etc/hosts for IPs this is always faster than sending out a query over the wire and waiting for a response.
Run pdns_recursor listening on 127.0.0.1 port 53. Run rec_control to dump the cache to /etc/hosts periodically. These are two very easy to use, small command line programs.
The DNS is similar to a telephone book. And there is nothing stopping any user from keeping his own copy… just in case “directory assistance” (DNS) is not available, or just too slow.
How do I get rid of them? One day OpenDNS just started coming up on my screen and they are a pain. How do I deactivate them? Would someone give me some instructions on how to do it?
Edit your /etc/resolv.conf and replace the OpenDNS IP with your ISP's DNS.
It’s worth pointing out that we discontinued proxying requests to Google quite some time ago. Please update the article. :-)
OpenDNS's technical team and support team is terrible. I am a basic user and have referred them to many other people but just recently I tried to use their parental controls on a recommended Netgear router, that they recommended behind a U-Verse router so that we could isolate traffic control on specific terminals. At first I tested the setup at my residence before moving it to the site of service. Worked great until I moved it and then it wouldn't let me reassign the router to a different account, they didn't help with that issue. And then I went and purchased the same router again thinking that the new router would be "open". Not at all, still came up as being registered to my account, they still didn't help. Went as far as requesting that my account be closed completely thinking that it would release the router, and at first it was still showing as being registered to my account which doesn't even exist anymore, then it did something crazy and said that a new device had been detected and started to go through the registration process again, got the client's registration installed up to the point of actually signing in to the OpenDNS page and then it defaults and says the device is already registered to a different account. What account? My account is dead and it doesn't accept the client's account. OpenDNS support has stopped responding to the inquiries and I'm stuck with 2 routers and an angry client because their terminals are still not being controlled as I promised.
Time to focus this client and all my other clients to a more supportive service. Thankfully we did not start using the deluxe version this time yet. But you can bet the other 17 clients that I have using their paid version will be transferring with me.
Roger — That sounds like a problem, and one that’s easy to fix. Support knows how to deal with that issue quite easily, so I am sorry your issue wasn’t resolved quickly. Just shoot me an email, my email address is on our management page and I’ll get it sorted out.
Well I have to say, that despite the somewhat disinterested support team as a whole, Mr. Ulevitch responded very quickly to my post and took the necessary steps to resolve our issue.
I can only guess that the rest of the team must be on some type of commission structure or they just didn’t find our problem as important as one of their large accounts.
Nonetheless, I definitely retract any negative thoughts I had exhibited towards this company. The product is exceptional for what we are using it for and I will continue to use their services.
After having read articles on how much better OpenDNS was than Verizon’s, I switched, in part because I’m not in love with Verizon. The article offered little more information than “Verizon DNS sucks”.
If Verizon DNS sucks, OpenDNS is a black hole.
I'd really like to find a reliable DNS and I'm willing to pay for the services but OpenDNS is one of the worst experiments I've ever undertaken. I agree, at least with the topic of this article, "OpenDNS sucks"!!!
Now I expect some responses which are both vile and inane. I don’t care. I would advise anyone that wants to try OpenDNS for any reason to do so with caution and if you can’t reach a site, trace it down. If it ends up at an IP that belongs to OpenDNS, then lose OpenDNS, unless that’s exactly the response you’re looking for, in which case you’ll be in censorship heaven.
Good luck!
John
Hi there!
Thanks so much for the article…
I've got a problem, I can't go into some social networks on my computer or on my Kindle because I think there's parental control on it… can you help me?
Thanks so much… I really need it.