Avoid OpenDNS Free DNS Service Like The Plague [ Updated ]

I was a big fan of the OpenDNS DNS service, but recently I found a few bad things about their offerings. I strongly recommend staying away from the OpenDNS service.


All your search queries belong to OpenDNS

OpenDNS redirects all your Google search queries through their servers. They capture your search query data and forward it to the real google.com domain. Here is a quick DNS lookup:
$ host www.google.co.in 208.67.220.220
Sample output:

Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

www.google.co.in is an alias for www.google.com.
www.google.com is an alias for google.navigation.opendns.com.
google.navigation.opendns.com has address 208.67.219.230
google.navigation.opendns.com has address 208.67.219.231

They may also do the same for your email and other search engines.

Update: Dave has pointed out the reason why OpenDNS forwards Google through their servers. You can also turn this feature on or off from the OpenDNS control panel.

OpenDNS is bad for servers

Don’t use them on your colocated server or VPS. They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the “NXDOMAIN” error response. Here is a sample lookup:
$ host abcabcxyzxyz.com 208.67.220.220
Sample output:

Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

abcabcxyzxyz.com has address 208.67.219.132
Host abcabcxyzxyz.com not found: 3(NXDOMAIN)

This encourages spam, as you will not be able to filter out spam queries using their DNS servers.
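A resolver can be checked for this behaviour by asking it for names that cannot exist and inspecting the response code and answer count in the reply. The sketch below is an added example, not code from the original post; the function names, the random probe-name format and the constructed `sample_reply` helper are assumptions made for illustration.

```python
import secrets
import socket
import struct

RCODE_NXDOMAIN = 3  # RFC 1035 "Name Error"

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, qid):
    """Return 'nxdomain', 'rewritten' or 'other' for a reply to a probe name."""
    if len(response) < 12:
        return "other"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:  # wrong transaction ID or not a response
        return "other"
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN and ancount == 0:
        return "nxdomain"   # what the protocol requires for a nonexistent name
    if rcode == 0 and ancount > 0:
        return "rewritten"  # an answer was returned for a name that should not exist
    return "other"

def sample_reply(query, rcode, addr=None):
    """Constructed reply for offline checks: echoes the question, optional A record."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    head = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:  # compressed pointer to the question name, type A, class IN, TTL 60
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return head + query[12:] + answer

def probe(resolver, tries=3, timeout=3.0):
    """Send random, almost certainly unregistered .com names to `resolver` (needs network)."""
    results = []
    for _ in range(tries):
        qid = secrets.randbelow(0x10000)
        name = secrets.token_hex(12) + "-nx-probe.com"  # hypothetical probe-name format
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid), (resolver, 53))
            try:
                results.append(classify(s.recvfrom(4096)[0], qid))
            except socket.timeout:
                results.append("timeout")
    return results
```

Calling `probe()` with a resolver's address returns one verdict per probe; any `rewritten` result means that resolver cannot be relied on for checks that depend on NXDOMAIN.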

OpenDNS caching sucks

I contacted their support about my problem but never got any reply. Their server always returns two IP addresses for my nameserver:
$ host ns2.nixcraft.net 208.67.220.220
Sample output:

Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

ns2.nixcraft.net has address 74.86.48.98
ns2.nixcraft.net has address 74.86.48.98

I don’t have 2 IP addresses for ns2.nixcraft.net.

I strongly recommend running your own DNS cache server along with your ISP’s forwarding nameservers.

Thanks to ricko for pointing out the OpenDNS issue in a chat room and elsewhere on the Internet.

Update: Fri Nov 5, 2010 by Vivek: OpenDNS no longer redirects Google search queries through their servers:

$ host www.google.co.in 208.67.220.220
Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

www.google.co.in is an alias for www.google.com.
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 173.194.33.104

Updated for accuracy.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

35 comments
  • Roger Jun 14, 2011 @ 2:06

    OpenDns’s technical team and support team are terrible. I am a basic user and have referred them to many other people but just recently I tried to use their parental controls on a recommended Netgear router, that they recommended behind a U-Verse router so that we could isolate traffic control on specific terminals. At first I tested the setup at my residence before moving it to the site of service. Worked great until I moved it and then it wouldn’t let me reassign the router to a different account, they didn’t help with that issue. And then I went and purchased the same router again thinking that the new router would be “open”. Not at all, still came up as being registered to my account, they still didn’t help. Went as far as requesting that my account be closed completely thinking that it would release the router, and at first it was still showing as being registered to my account which doesn’t even exist anymore, then it did something crazy and said that a new device had been detected and started to go through the registration process again, got the client’s registration installed up to the point of actually signing in to the OpenDns page and then it defaults and says the device is already registered to a different account. What account? My account is dead and it doesn’t accept the client’s account. OpenDns support has stopped responding to the inquiries and I’m stuck with 2 routers and an angry client because their terminals are still not being controlled as I promised.
    Time to focus this client and all my other clients to a more supportive service. Thankfully we did not start using the deluxe version this time yet. But you can bet the other 17 clients that I have using their paid version will be transferring with me.

  • David Ulevitch Jun 14, 2011 @ 14:03

    Roger — That sounds like a problem, and one that’s easy to fix. Support knows how to deal with that issue quite easily, so I am sorry your issue wasn’t resolved quickly. Just shoot me an email, my email address is on our management page and I’ll get it sorted out.

    • Roger Jun 15, 2011 @ 0:44

      Well I have to say, that despite the somewhat disinterested support team as a whole, Mr. Ulevitch responded very quickly to my post and took the necessary steps to resolve our issue.
      I can only guess that the rest of the team must be on some type of commission structure or they just didn’t find our problem as important as one of their large accounts.
      Nonetheless, I definitely retract any negative thoughts I had exhibited towards this company. The product is exceptional for what we are using it for and I will continue to use their services.

  • John Dodrill Jun 16, 2011 @ 16:40

    After having read articles on how much better OpenDNS was than Verizon’s, I switched, in part because I’m not in love with Verizon. The article offered little more information than “Verizon DNS sucks”.

    If Verizon DNS sucks, OpenDNS is a black hole.

    I’d really like to find a reliable DNS and I’m willing to pay for the services but OpenDNS is one of the worst experiments I’ve ever undertaken. I agree, at least with the topic of this article, “OpenDNS sucks”!!!

    Now I expect some responses which are both vile and inane. I don’t care. I would advise anyone that wants to try OpenDNS for any reason to do so with caution and if you can’t reach a site, trace it down. If it ends up at an IP that belongs to OpenDNS, then lose OpenDNS, unless that’s exactly the response you’re looking for, in which case you’ll be in censorship heaven.

    Good luck!

    John

    • M. Alexander Jun 23, 2013 @ 8:42

      I had problem after problem with OpenDNS’ cache, and their replacing a website’s SSL certificate with their own, etc. Support kept telling me “that’s the way it’s supposed to work”, which obviously is complete garbage. A few years ago I switched to Google DNS, and haven’t had one single issue, period. I hate sounding like a Google shill, and have in fact been moving away from using most of their other services, but their DNS rocks.

      I certainly hope the DNS service they provide to users is configured better than their own (I assume for the website only) DNS: http://www.intodns.com/opendns.com If there’s recently been a DNS records change then the serial number mismatch will clear in time. But only 2 nameservers? (3, but 2 point to the same IP…)

    • roflsnake Jan 31, 2014 @ 19:19

      As someone that does tech support for an ISP, Verizon’s DNS does indeed suck, they are extremely slow to update their DNS cache servers so if at any point the IP address of one of your servers changes, say hello to people on Verizon’s network not able to access it for a goddamn month /rant

  • Irene Jan 13, 2012 @ 9:49

    Hi there!

    Thanks so much for the article…
    I’ve got a problem, I can’t go into some social networks in my computer or in my kindle because I think there’s parent’s control on it… can you help me?

    Thanks so much… I really need it.

  • Mirth Aug 27, 2013 @ 18:40

    I like to use openDNS because it works great with dnscrypt. dnscrypt helps fight off MITM attacks by encrypting your DNS queries. Sure if a government wanted the info I’d bet they could just go get the info from openDNS. This works good against regular criminals that would sniff your traffic and don’t have access to openDNS servers. Choose what you want to use. I choose encryption.

  • Lars Jan 25, 2014 @ 3:25

    I have an issue and I think it’s openDNS related. After adding openDNS I can’t seem to get to certain websites like Google, Netflix, and Yahoo. They will eventually load but it takes forever. I took off all of the parental blocks and it still continues to happen. It’s the worst on my MAC and not such an issue on my PC or mobile devices. Has anyone else had this happen? Any advice?

  • zaki Jun 9, 2014 @ 17:16

    Can I create one domain name in different service providers and use it?

  • Rich Mar 24, 2016 @ 17:04

    OpenDNS is also blocking websites which it says aren’t ‘safe’ for me to visit.
    It literally will not allow me to access the website.
    A f**king DNS server (one with the word “Open” in its name no less) is deciding for me which sites I should and shouldn’t be allowed to visit.
    And it gets worse: The websites it’s blocking aren’t unsafe; they’re just known for being in the grey area when it comes to copyright compliance.
    The warning page provides an option for disputing the blockage but the button for submitting the dispute is broken and always has been.

  • bandoozled Sep 1, 2016 @ 9:11

    Although Google’s service is fast and without issue I would not ever use them. I understand that most people are fine with censorship and queries being hoarded and processed for all sorts of revenue generating reasons, but I’m not. OpenDNS seems to be following along the same trend. I was thinking about going for something like OpenNIC… it would need some scripting sorting through states and latencies and updating hosts, but they don’t provide any api or even plain text list of servers. They’ve only got some terrible js table which I don’t even want to spend time hacking. So it looks like PowerDNS recursor is the way to go… get this stuff directly from the root. Can the roots be trusted? Probably not.

    • bandoozled Sep 1, 2016 @ 9:20

      Sorry, OpenNIC! There is an API!
