Forgot your password?
typodupeerror

New(?) Anti-Fraud DNS service 186

Posted by Hemos
from the does-it-actually-work dept.
knownsense writes "A new DNS system to foil spammers, abusers, and other ills of the Internet is around the corner, reports Wired. It claims to be more user-friendly than your ISP's DNS. Among its claimed advantages . . . Faster myspace(!?), coordination with spamhaus, and typo-squatter squashing. The actual service is called OpenDNS."
This discussion has been archived. No new comments can be posted.

New(?) Anti-Fraud DNS service

Comments Filter:
  • Not going to work (Score:3, Informative)

    by andrewman327 (635952) on Monday July 10, 2006 @09:11AM (#15690459) Homepage Journal
    From TFA: "The OpenDNS system, which will open its servers to the public Monday, wants to be a more user-friendly name resolution service than those provided by ISPs, with technology to keep fraudulent sites out of its listings, correct some typos and help browsers look up web pages faster.


    These are such lofty claims that I doubt they will be able to live up to them. I like the idea that competitive services will appear, but if that happens I believe that OpenDNS will be a big loser.

  • by mpetnuch (717102) <michael @ p e t n u c h . com> on Monday July 10, 2006 @09:13AM (#15690472)
    Service is pretty cool for people who can't run Bind (or something similiar). However for those that can, I am guessing its probably just as effective as running a caching only DNS server and maybe Squid to emulate their phishing blocking (assuming you have access to known phishing sites). As a matter of fact, the local version should be even faster (although the cache will obviously be smaller so there is a tradeoff). Off the top of my head, I am not sure how you could do the spell checking. Does Bind have a similiar option?
  • by Anonymous Coward on Monday July 10, 2006 @09:13AM (#15690475)
    The way it must work then is no DNS request fails.

    Instead domains that dont exist are resolved to OpenDNS's own web server which redirects them with a 301 response.

    It stikes me they are potentially very susceptable to a DDOS attack.
  • by Tim C (15259) on Monday July 10, 2006 @09:16AM (#15690492)
    I assume that that's what was meant, but even that isn't a 404 error. Just because the pages that IE use for lookup failure and 404s look similar doesn't mean that they're the same error condition.

    I was under the impression that Wired was relatively technical; perhaps I was wrong. (I've never actually read it, so I could well be)
  • by Anonymous Coward on Monday July 10, 2006 @09:24AM (#15690538)
    I'm surprised at how many people don't actually know what a 404 is. 404 is an HTTP error code, so it is not generated by the browser or the DNS server. It is an error returned by a web server if a request is sent for a document that does not exist. A 404 CANNOT be returned from a DNS lookup failure, because no server was found to give one.
  • faster? (Score:5, Informative)

    by mtenhagen (450608) on Monday July 10, 2006 @09:26AM (#15690549) Homepage
    I did a quick test:

    - DNS query -

    - dutch hosted .org -

    opendns
      Query time: 1228 msec - they have to query upstream
      Query time: 261 msec
      Query time: 192 msec
      Query time: 192 msec
      Query time: 193 msec

    my isp
      Query time: 74 msec - they have to query upstream
      Query time: 29 msec
      Query time: 30 msec
      Query time: 29 msec
      Query time: 29 msec

    - us hosted .net -

    opendns
      Query time: 380 msec - they have to query upstream
      Query time: 192 msec
      Query time: 193 msec
      Query time: 193 msec
      Query time: 193 msec

    my isp
      Query time: 184 msec - they have to query upstream
      Query time: 29 msec
      Query time: 30 msec
      Query time: 29 msec
      Query time: 29 msec

    - Ping test -
    Ping to open dns: 192ms
    Ping to my isp: 29ms

    - Conclusion -
    The dns repsonse is the same as the ping so they will never get faster then my isp.
  • Re:Adverts? (Score:3, Informative)

    by Freexe (717562) * <serrkr@tznvy.pbz> on Monday July 10, 2006 @09:33AM (#15690604) Homepage
    I would prefer to be hit in the face than hit by a speeding car... although I'm not stupid enough to walk out in front of a speeding car.
  • Re:Didn't RTFA... (Score:5, Informative)

    by Akaihiryuu (786040) on Monday July 10, 2006 @09:40AM (#15690631)
    OpenDNS has been around for YEARS. The original reason it was made had nothing to do with any of this, it was so that members could vote to add new root domains that would have never been added to the "official" DNS servers. It was an end run around ICANN, basically. There are very few restrictions on OpenDNS on what can be added, and it's all voted on by the members. I actually tried using OpenDNS for awhile, but I had problems with it. There just weren't enough servers, and those that were there went down frequently. They acted as a relay to the "real" DNS as well, so you could resolve .com, .net, .org, etc. But after the 5th DNS outage in a month, I finally set BIND on my server to hit the root servers again instead of OpenDNS. The service just wasn't reliable enough. These goals that are being mentioned in this article have absolutely nothing to do with what OpenDNS was supposed to be about. Either TFA is BS written by a media drone who has no clue what's going on, or OpenDNS has radically changed its goals since I last used it a year ago. I hope for their sake that it's the former.
  • by 99BottlesOfBeerInMyF (813746) on Monday July 10, 2006 @09:47AM (#15690666)

    I can understand why slashdot geeks wouldn't want their DNS servers messed with, I'm among you, however most of the internet users out there aren't nearly as computer literate as we are, and this service I believe would be really good for them.

    Most internet users don't know or care what a DNS server is. For this to succeed you need to capture the hearts and minds of the ISPs. Luckily for them, ISPs are very concerned about DNS right now as it is critical, somewhat vulnerable, and they are lacking visibility into it. Unluckily for them, the entrenched players have all started jumping on this and providing real solutions. Why block all requests to a DNS name when legitimate researchers and security people might need to get there? What about when a cracked server that still hosts legitimate content as well? what about when the FQD is a forum with 99% legitimate traffic and 1% worms and phishing?

    This solution is a shotgun where a scalpel is needed. Block worm traffic as detected by the DNS request, not all traffic to that domain. Also, contrary to what people seem to be thinking here, the main DNS issue is not worms or phishing (ISPs don't care that much) but they do care about large chunks of their traffic to the DNS servers coming from misconfigured servers repeatedly querying them. Since, in many cases, these servers are their own, blocking them with a fancy, broken DNS server is not the best plan. Redirecting other ISPs' server to an ad a million times a day will not yield any long-term profit (since no person sees them) Rather, fixing their own servers and notifying others/filtering at the peering edge is the way to go. Since ISPs are now able to do that, I foresee a large yawn when operators see OpenDNS (what a misleading name, kind of like OpenXML).

  • by Bogtha (906264) on Monday July 10, 2006 @09:55AM (#15690713)

    What we really need is a DNS system that can return multiple IP addresses and a code to indicate how to use them (ie, randomly select one or use the first unless it fails then fallback to the next one).

    RFC 2782 [ietf.org]. I quote:

    The SRV RR allows administrators to use several servers for a single domain, to move services from host to host with little fuss, and to designate some hosts as primary servers for a service and others as backups.

    It doesn't require any DNS infrastructure changes, but clients need to support it. For example, Firefox and Mozilla don't support it [mozilla.org].

  • by The Cisco Kid (31490) * on Monday July 10, 2006 @10:49AM (#15691126)
    *All* recursive DNS servers/resolvers do caching. They also obey something called 'TTL' for records when doing so, and dynamic-IP services such as those you refer to set a suitably short TTL so as to cause caching to expire appropriately.

    That they cache data isn't really that noteworthy, its more them calling attention to it in their marketing more than anything else. Perhaps they have configured their servers to support a very large cache, so that it doesnt have to delete anything until the TTL does call for it to expire.

    Really the more useful part of this (for the average used) would be the blocking of known phish sites and/or typo correction, than the caching. And to be honest, I don't see that greate a value in it. For myself, I run my own DNS servers (both authoritative for my personal domains, and recursive for my workstation[s])
  • Re:Adverts? (Score:5, Informative)

    by bigpat (158134) on Monday July 10, 2006 @11:05AM (#15691250)
    Plus trying to get the entire internet to change one of its key components is a rather ambitious attempt.

    This is not to replace the "entire internet" with a new DNS system. From my read of their website, it is a individual choice to set up your computer using their DNS servers. And they are being very clear about how their servers will behave and what they will do with incorrectly typed addresses. This is from the same guys who have been running one of the most reliable free DNS services, everydns [everydns.net].

  • by bigpat (158134) on Monday July 10, 2006 @11:19AM (#15691354)
    And on top of this, let's all congratulate these guys on breaking the RFCs by "helping" shovel us to the address we "meant" to type in.. Let's not report back an error and help the end user correct their mistake, but transparently forward them so they never know.

    Google does this with the "I'm feeling lucky" button. A lot of people use this or use google to type in addresses instead of the url bar, beacause it is far more user freindly. Errors are not always good user interface design.

    And what happens when someone registers wordpres.org? Then where are we? Well, I meant wordpres, not wordpress.. Thanks for sending me where I don't want to be.. A haven for phishers?

    Sure the challenge in running this service would be keeping your list of legitamite mispellings up to date, but to call this a haven for phishers misses their main selling point which is the blocking phishing sites at the DNS level.

    There service is probably not going to see great adoption because it really seems aimed at internet novices, but requires them to change their own DNS settings. But I could definately see using their DNS servers for Grandma's PC.

    As for breaking RFCs... How is this any worse than most firewall products out there? They allow all sorts of blocking of selected content based on matched patterns, and often block particular web sites without explanantion. At least they are saying for some redirected or blocked content they are going to tell you what just happened and give you some option to go somewhere else.

    Though I might think just running your urls through google is preferable, since they will still give you the option of going to the url you intended. But with a site blocked at the DNS level, then the only option might be to type in the IP address and even then that wouldn't allow you to access name based virtual hosts.

  • Re:Didn't RTFA... (Score:4, Informative)

    by davidu (18) on Monday July 10, 2006 @11:58AM (#15691639) Homepage Journal
    OpenNIC is a totally different organization. They are an alternate root. We're (OpenDNS.com) not anything close.

    We're about giving you control over your recursive DNS, something you should want. If you don't want us catching typos for you, that's fine. Just check out our FAQ [opendns.com] and learn a bit more.

    -david
  • Improved system? (Score:3, Informative)

    by sgt scrub (869860) <saintium@@@yahoo...com> on Monday July 10, 2006 @12:31PM (#15691878)
    I'm sorry. When I think of system I think of daemons. Improvements to the DNS system would be appreciated. Someone to provide me with commercialized redirections and pay per use DNS service doesn't equate to improvement.

    Sites providing free email without protecting their URIz with spf protection is what needs to be fixed. This would help to kill spammers pretending to be google, yahoo, aol, et al.

    For a real improvement in DNS use spf http://www.openspf.org/ [openspf.org] and urge others to use it too.
  • by davidu (18) on Monday July 10, 2006 @02:42PM (#15692816) Homepage Journal
    So true.

    What happens is nobody has tried the service that's posting this stuff. There's so much misinformation it's hard to know where to start. But I think the best thing I can say is this:

    People at EveryDNS have been using my services for years. We're one of the largest and most free services on the Internet. We've stood up to lawsuits from assholes like Diebold and others in the past in the name of our users. I wouldn't ever scam or do that nasty stuff this thread is saying I would. I have an open email, open door, and open phone policy. I am me, and there's a good amount of clue behind me, and even smarter people around me.

    So when I say this service is not going to spy on you or tell your parent that you look at porn, I'm serious. Read our privacy policy and know that we use the service too.

    Here's the last thing, These can all be preferences. People that don't want typo's caught or other things can have a preference set that gives them just a better and more optimized DNS. When people ask us about our privacy policies I ask you, what does your ISP do? I mean, ATT just said they own all your data and they're being accused of working with the government to spy on you. We don't do that.

    Check it out,
    David Ulevitch
  • Re:Adverts? (Score:3, Informative)

    by davidu (18) on Tuesday July 11, 2006 @03:51PM (#15700658) Homepage Journal
    I own EveryDNS 100%. EveryDNS has never been funded by anything other than my checkbook.

    Today, our users cover our OPEX and almost all our CAPEX.

    -david

Machines certainly can solve problems, store information, correlate, and play games -- but not with pleasure. -- Leo Rosten

Working...