Avoid OpenDNS Free DNS Service Like The Plague [ Updated ]

September 8, 2008 · 31 comments · last updated November 5, 2010


I was a big fan of the OpenDNS DNS service, but recently I found a few bad things about their offering. I strongly recommend staying away from OpenDNS.

All your search queries belong to OpenDNS

OpenDNS redirects all your Google search queries through its own servers: it captures your search query data and then forwards the request to the real google.com domain. Here is a quick DNS lookup against one of its resolvers:
$ host www.google.co.in 208.67.220.220
Sample output:

Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:
www.google.co.in is an alias for www.google.com.
www.google.com is an alias for google.navigation.opendns.com.
google.navigation.opendns.com has address 208.67.219.230
google.navigation.opendns.com has address 208.67.219.231

They may also do the same for your email and other search engines.

Update: Dave has pointed out (in the comments) the reason why OpenDNS forwards Google through its servers. You can also turn this feature on or off from the OpenDNS control panel.

OpenDNS is bad for servers

Don't use them on your colocated or VPS server. They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain return the "NXDOMAIN" error response. Here is a sample lookup:
$ host abcabcxyzxyz.com 208.67.220.220
Sample output:

Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:
abcabcxyzxyz.com has address 208.67.219.132
Host abcabcxyzxyz.com not found: 3(NXDOMAIN)

This encourages spam, as you will not be able to filter out spam using their DNS servers: a mail filter that rejects senders whose domain does not resolve sees a valid-looking address instead of NXDOMAIN.
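The two symptoms shown above (a synthetic address for a name that does not exist, and a CNAME detour through google.navigation.opendns.com) can be checked programmatically. The following is an added example, not code from the original post: a stdlib-only parser for DNS replies plus a classifier that flags a non-NXDOMAIN answer for a name known not to exist and a CNAME target inside the resolver operator's domain. The sample replies are constructed to mirror the article's lookups, and the `resolver_domain` suffix (here "opendns.com") is an assumption about who operates the resolver.

```python
import struct
A, CNAME, NXDOMAIN = 1, 5, 3   # record types, and the rcode for "name does not exist"

def encode_name(name):        # wire-format a dotted name, no compression
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_response(qname, rcode, answers):   # constructed reply to an A query (sample data only)
    msg = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack(">HH", A, 1)
    for owner, rtype, rdata in answers:      # rdata is already wire-encoded bytes
        msg += encode_name(owner) + struct.pack(">HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:               # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse_response(msg):
    """Return (rcode, [(owner, rtype, rdata)]); CNAME rdata is decoded to a name."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question: name + qtype + qclass
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata = read_name(msg, off + 10)[0] if rtype == CNAME else msg[off + 10:off + 10 + rdlen]
        answers.append((owner, rtype, rdata))
        off += 10 + rdlen
    return flags & 0xF, answers

def classify(msg, resolver_domain, expect_nxdomain=False):  # expect_nxdomain=True for a random name that cannot exist
    rcode, answers = parse_response(msg)
    if expect_nxdomain:
        return "honest NXDOMAIN" if rcode == NXDOMAIN else "NXDOMAIN rewritten"
    if any(t == CNAME and r.endswith(resolver_domain) for _, t, r in answers):
        return "proxied via resolver"        # CNAME chain detours through the operator's domain
    return "clean"

# Constructed samples mirroring the article's lookups (not real captures).
TYPO = build_response("abcabcxyzxyz.com", 0, [("abcabcxyzxyz.com", A, bytes([208, 67, 219, 132]))])
PROXY = build_response("www.google.com", 0, [("www.google.com", CNAME, encode_name("google.navigation.opendns.com")),
                                             ("google.navigation.opendns.com", A, bytes([208, 67, 219, 230]))])
```

To test a live resolver, send a query for a random label under a domain you control with `expect_nxdomain=True` and feed the raw UDP reply to `classify`; `read_name` handles the label compression real resolvers use.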

OpenDNS caching sucks

I contacted their support about my problem but never got any reply. Their server always returns two IP addresses for my nameserver:
$ host ns2.nixcraft.net 208.67.220.220
Sample output:

Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:
ns2.nixcraft.net has address 74.86.48.98
ns2.nixcraft.net has address 74.86.48.98

I don't have two IP addresses for ns2.nixcraft.net.

I strongly recommend running your own caching DNS server alongside your ISP's forwarding nameservers.

Thanks to ricko for pointing out OpenDNS issue in a chat room and elsewhere on the Internet.

Update: Fri Nov 5, 2010 by Vivek: OpenDNS no longer redirects Google search queries through its servers:

$ host www.google.co.in 208.67.220.220
Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:
www.google.co.in is an alias for www.google.com.
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 173.194.33.104

Updated for accuracy.

31 comments

1 Andrew September 8, 2008 at 3:40 pm

The Google search redirection is a feature (which they used to advertise very clearly – not so anymore) that you can turn on and off in the OpenDNS dashboard. It’s meant to be a proxy so that OpenDNS shortcuts entered into the address bar won’t be caught by Google toolbar’s “Search from the address bar” feature. Essentially, they still are, but OpenDNS recognizes the search request and takes you to your shortcut anyway.

To change it, log in to your OpenDNS dashboard and click the Settings tab. Then, on the left, click Advanced Settings. Scroll to the bottom and uncheck Enable OpenDNS Proxy and click Apply.

As far as using it for servers, I would agree for a server doing any sort of security tasks that involve verifying domains (like a spam filter). Other than that, I don’t see the harm.

2 Dave September 8, 2008 at 4:25 pm

I agree with you on one point – you should not use OpenDNS for web, email, or other servers. Traditional DNS is best for that.

OpenDNS can/should be used for consumer DNS services.

If you want to see the reason why OpenDNS forwards google through their server, see this.

I’ve never had a caching problem with OpenDNS nor have I heard of any widespread issues with it. I don’t think this would impact resolution.

3 Maski September 8, 2008 at 5:16 pm

Mmmm… damn… I was in love with their service. I guess that redirecting the queries to an ad service will be a way for them to make some profit. In your opinion, can this lead to IP spoofing?

4 Raj September 8, 2008 at 6:32 pm

Thanks for pointing this out. I’ve just changed my DNS to Airtel, which respects my privacy without configuration and software installation.

5 Anonymous Visitor September 8, 2008 at 6:37 pm

They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the “NXDOMAIN” error response.

You can disable the “OpenDNS Guide” in the OpenDNS website. Also, the NXDOMAIN response is only obligatory for authoritative DNS servers, which OpenDNS isn’t.

6 Joe Baker September 9, 2008 at 4:28 pm

Interesting points. I’ll have to look into this further. But for the moment, I have been using OpenDNS for quite a while and have been generally quite pleased with all they do. I hope to hear their response to this. In the meantime I think it is important to use alternate DNS servers other than AT&T’s. AT&T has cooperated so fully with government eavesdropping requests that they have lost my respect and trust. I would love it if DNS providers like OpenDNS.com would provide an SSL wrapper for their DNS queries. I am trying to bring an end to the Federal Reserve act so I am somewhat concerned about being snooped on by an organization which makes over a trillion dollars a year in profit and pays no taxes on it. Nor is it accountable to any government agency – it has never been audited.

7 Sweta September 9, 2008 at 6:14 pm

The URL http://google.navigation.opendns.com/ opens the Google home page, but the IP address belongs to OpenDNS:
whois 208.67.219.231

8 David Ulevitch September 10, 2008 at 11:59 pm

Is there a reason you keep deleting my comments from this post?

-David Ulevitch (CEO of OpenDNS)

9 nixCraft September 11, 2008 at 4:46 am

No,

This is the only comment I see in the queue, and it is approved. Comments only get deleted if they are off-topic or spam. Sometimes a comment may be placed in the Akismet spam queue and I might have missed it. I see only this comment from your IP…

10 David Ulevitch September 11, 2008 at 11:49 pm

This isn’t true. You even replied to my email when I was telling you the CAPTCHA was broken. I notice you’ve now removed the CAPTCHA.

Can you put back my deleted posts or just make your article accurate?

11 nixCraft September 12, 2008 at 4:08 am

I’m sorry for the CAPTCHA issue, but you’ll have to write your post again. I never deleted your comment, as it was never stored in the queue due to a technical problem. When you post your reply I will update the post to point out your comment.

12 Dotan Cohen September 12, 2008 at 4:31 am

@Dave:
My comment regarding the relevant post on /. that this page is almost a complete copy of got deleted too. Search recent /. entries for an Ask Slashdot title similar to “Why is the internet so slow?”. I suppose that the spam filter automatically drops anything with a url, as opposed to the admin deliberately removing unfavorable comments.

13 nixCraft September 12, 2008 at 4:49 am

Dotan,

I’ve not deleted any comment, but there was a problem with CAPTCHA and wp-cache. Also, I’ve already pointed out:

Thanks to ricko for pointing out OpenDNS issue in a chat room and elsewhere on the Internet.

If you google for the same you will get hundreds of other posts with almost the same info and the same commands.

It was unfortunate that I had upgraded to WP 2.6.2, which was released at almost the same time. It was causing some problems so I had to disable the plugin.

HTH.

14 Dotan Cohen September 12, 2008 at 6:05 pm

I figured that it was a filter and not deliberate, that’s why I mentioned it. Thanks!

15 Anon September 12, 2008 at 8:29 pm

They showed your IP address twice because when you query the main server it checks it against the secondary, which shows up the same entry twice. If it had two different entries for you they would have to be different, but as you posted them they are identical, which can only mean that they are showing the query from both the primary and secondary DNS servers.

16 Nahum September 14, 2008 at 10:45 pm

Recently I have found that my ISP does the same… somehow it is working only on Windows machines, so the only one suffering from that rude behavior is my wife, using an 8-year-old OS called Windows XP. The rest of the machines at home run modern OSes such as Fedora 9, Ubuntu and CentOS, so they are protected 8-)

17 nixCraft September 15, 2008 at 8:04 am

Nahum,

You can use 4.2.2.1, 4.2.2.2, 4.2.2.3 and 4.2.2.4 on Windows XP. They seem to be doing okay and not capturing data.

18 commonsense April 6, 2010 at 9:01 am

When you use an external DNS service you are often making money for them… either paying them (paid service) or letting them collect from advertisers on mistyped URLs (free service). The latter is far more lucrative. Nothing wrong with any of this, but let’s not obscure the facts. The “reliability” (uptime) statements of the DNS service providers are misleading. And “Open” does not really mean anything in this context. If users knew how easy this whole business of DNS lookups is, they would undoubtedly not let someone else process their DNS lookups (i.e. telling someone else what sites you want to visit). Users are privacy conscious.

Neither option, whether paid DNS or “free” DNS, gives you more reliability. Your computer is quite capable of performing lookups by querying the DNS on its own. It does not need a “middle-man”.

The most reliable way to query DNS is to query the system yourself and keep your own cache. Dump the cache to /etc/hosts periodically.

Then you will only be dependent on the root servers and TLD servers, and only for sites you’ve never visited (see below).

Needless to say, the root and TLD servers are the most important servers on the internet. They are looked after with great care. If they fail, “the internet fails”… for *everyone*. They are the authoritative source for lookups. If a DNS provider such as OpenDNS fails, then only its users suffer.

By doing your own lookups, then for sites you have visited, you will have your own cache; so you don’t need DNS for those sites. The whole DNS system could fail and you’d still be able to work using those sites, because you already have the IPs in your cache. If you visit the same sites repeatedly, this will also be faster than any “DNS service”. If your computer is reading the local file /etc/hosts for IPs this is always faster than sending out a query over the wire and waiting for a response.

Run pdns_recursor listening on 127.0.0.1 port 53. Run rec_control to dump the cache to /etc/hosts periodically. These are two very easy to use, small command line programs.

The DNS is similar to a telephone book. And there is nothing stopping any user from keeping his own copy… just in case “directory assistance” (DNS) is not available, or just too slow.

19 Hermes Machado April 11, 2010 at 1:43 am

How do I get rid of them? One day OpenDNS just started coming up on my screen and they are a pain. How do I deactivate them? Would someone give me some instructions on how to do it?

20 nixCraft April 11, 2010 at 7:07 am

Edit your /etc/resolv.conf and replace OpenDNS ip with ISP dns.

21 David Ulevitch November 4, 2010 at 4:48 pm

It’s worth pointing out that we discontinued proxying requests to Google quite some time ago. Please update the article. :-)

22 Roger June 14, 2011 at 2:06 am

OpenDns’s technical team and support team is terrible. I am a basic user and have referred them to many other people, but just recently I tried to use their parental controls on a recommended Netgear router, that they recommended, behind a U-Verse router so that we could isolate traffic control on specific terminals. At first I tested the setup at my residence before moving it to the site of service. Worked great until I moved it, and then it wouldn’t let me reassign the router to a different account; they didn’t help with that issue. And then I went and purchased the same router again thinking that the new router would be “open”. Not at all, still came up as being registered to my account; they still didn’t help. Went as far as requesting that my account be closed completely thinking that it would release the router, and at first it was still showing as being registered to my account which doesn’t even exist anymore, then it did something crazy and said that a new device had been detected and started to go through the registration process again, got the client’s registration installed up to the point of actually signing in to the OpenDns page and then it defaults and says the device is already registered to a different account. What account? My account is dead and it doesn’t accept the client’s account. OpenDns support has stopped responding to the inquiries and I’m stuck with 2 routers and an angry client because their terminals are still not being controlled as I promised.
Time to focus this client and all my other clients to a more supportive service. Thankfully we did not start using the deluxe version this time yet. But you can bet the other 17 clients that I have using their paid version will be transferring with me.

23 David Ulevitch June 14, 2011 at 2:03 pm

Roger — That sounds like a problem, and one that’s easy to fix. Support knows how to deal with that issue quite easily, so I am sorry your issue wasn’t resolved quickly. Just shoot me an email, my email address is on our management page and I’ll get it sorted out.

24 Roger June 15, 2011 at 12:44 am

Well I have to say, that despite the somewhat disinterested support team as a whole, Mr. Ulevitch responded very quickly to my post and took the necessary steps to resolve our issue.
I can only guess that the rest of the team must be on some type of commission structure or they just didn’t find our problem as important as one of their large accounts.
Nonetheless, I definitely retract any negative thoughts I had exhibited towards this company. The product is exceptional for what we are using it for and I will continue to use their services.

25 John Dodrill June 16, 2011 at 4:40 pm

After having read articles on how much better OpenDNS was than Verizon’s, I switched, in part because I’m not in love with Verizon. The article offered little more information than “Verizon DNS sucks”.

If Verizon DNS sucks, OpenDNS is a black hole.

I’d really like to find a reliable DNS and I’m willing to pay for the services, but OpenDNS is one of the worst experiments I’ve ever undertaken. I agree, at least with the topic of this article, “OpenDNS sucks”!!!

Now I expect some responses which are both vile and inane. I don’t care. I would advise anyone that wants to try OpenDNS for any reason to do so with caution and if you can’t reach a site, trace it down. If it ends up at an IP that belongs to OpenDNS, then lose OpenDNS, unless that’s exactly the response you’re looking for, in which case you’ll be in censorship heaven.

Good luck!

John

26 M. Alexander June 23, 2013 at 8:42 am

I had problem after problem with OpenDNS’ cache, and their replacing a website’s SSL certificate with their own, etc. Support kept telling me “that’s the way it’s supposed to work”, which obviously is complete garbage. A few years ago I switched to Google DNS, and haven’t had one single issue, period. I hate sounding like a Google shill, and have in fact been moving away from using most of their other services, but their DNS rocks.

I certainly hope the DNS service they provide to users is configured better than their own (I assume for the website only) DNS: http://www.intodns.com/opendns.com If there’s recently been a DNS records change then the serial number mismatch will clear in time. But only 2 nameservers? (3, but 2 point to the same IP…)

27 roflsnake January 31, 2014 at 7:19 pm

As someone that does tech support for an ISP, Verizon’s DNS does indeed suck; they are extremely slow to update their DNS cache servers, so if at any point the IP address of one of your servers changes, say hello to people on Verizon’s network not being able to access it for a goddamn month /rant

28 Irene January 13, 2012 at 9:49 am

Hi there!

Thanks so much for the article…
I’ve got a problem: I can’t go into some social networks on my computer or on my Kindle because I think there’s parental control on it… can you help me?

Thanks so much… I really need it.

29 Mirth August 27, 2013 at 6:40 pm

I like to use OpenDNS because it works great with dnscrypt. dnscrypt helps fight off MITM attacks by encrypting your DNS queries. Sure, if a government wanted the info I’d bet they could just go get the info from OpenDNS. This works well against regular criminals that would sniff your traffic and don’t have access to OpenDNS servers. Choose what you want to use. I choose encryption.

30 Lars January 25, 2014 at 3:25 am

I have an issue and I think it’s OpenDNS related. After adding OpenDNS I can’t seem to get to certain websites like Google, Netflix, and Yahoo. They will eventually load but it takes forever. I took off all of the parental blocks and it still continues to happen. It’s the worst on my Mac and not such an issue on my PC or mobile devices. Has anyone else had this happen? Any advice?

31 NIX Craft January 25, 2014 at 10:44 am
