New(?) Anti-Fraud DNS service

knownsense writes "A new DNS system to foil spammers, abusers, and other ills of the Internet is around the corner, reports Wired. It claims to be more user-friendly than your ISP's DNS. Among its claimed advantages . . . Faster myspace(!?), coordination with spamhaus, and typo-squatter squashing. The actual service is called OpenDNS."

Adverts?

[HugePedlar]

"Currently, web surfers simple(sic) get an error message when they attempt to navigate to an unused domain. OpenDNS users will instead be routed to a company server that will present a list of search engine results and paid advertisements."

No thanks.

Now, I am but a lowly programmer

[Tim C]

And know little of networking and other sysadmin type subjects, but:

Users who type "wordpres.sorg" or "craigslist.or" into their browser's address field are automatically routed to the correct address, instead of getting a 404 error page.

Since when were DNS lookup failures responded to with HTTP error codes?

Interesting

[kjart]

The main advantage appears to be that they will prevent you from opening known phising sites. In terms of being faster, I'm not sure how they would be faster than my ISP since my ISP's DNS servers are presumably much closer to my machine than theirs. Any idea how they could make claims like that? Also, though the summary mentions foiling spammers, I saw nothing about that in the article. From the sound of the post, I thought this was something like SPF [openspf.org] even though that doesnt seem to be the case at all.

It's just a cacheing DNS service...

[Anonymous Coward]

Your ISP probably does the same thing already. These guys claim to have a much bigger cache, so they're more likely to have cache hits than misses.

They also offer ads & search results for non-existent domains, and they claim they will filter out phishing sites.

Not really a big deal though even on a cache miss, a DNS query doesn't take that long.

Re:Now, I am but a lowly programmer

[remembertomorrow]

He was probably referring to the fact that Internet Explorer, by default, shows "friendly" HTTP and DNS error messages, such as "This page cannot be displayed."

That part was definitely written incorrectly, but we all know what he meant (I hope).

Better how?

[Anonymous Coward]

A broken, non standards compliant DNS isnt a better DNS, it's a crippled DNS. The phishing and scamming is more of a social problem than a technical problem. The last thing i want is for some DNS host to filter my queries. The open part of open_dns is a farce. This is a commercial venture trying to make a profit by skirting around well defined standards. OpenDNS will be plagued with problems like people who run the dns getting nice kick backs from scammers to keep domains from being filtered, etc. There will be false blocks by accident etc. OpenDNS would have the ability to push companies and personal sites around. Who knows what the OpenDNS people are catering to. What if they catered to the Christian right, and started blocking non wholesome content, etc. This is a bad idea people. -koft

Ahh, yes, YARDNS

[wowbagger]

Ahh, yes - Yet Another Root Domain Name System, like AlterNic.

One that also does redirection in the case of an invalid domain name, thus breaking code (like mail servers) that rely upon being able to detect bogus domains.

One that requires users to change their DNS settings, with all the attendant breakage and difficulties for troubleshooting.

One that will ALSO load down the upstream DNS servers, since the users won't be using their ISP's name servers.

And I am sure their policy of blocking spammy sites' resolution will sit very well with the Slashdot Zeitgeist.

Yes, I am sure this will be a spectacular success, just like AlterNIC is.

Re:Adverts?

[trezor]

Second that.

Plus trying to get the entire internet to change one of its key components is a rather ambitious attempt.

The guy even admits that the current phishing and scamming attempts are a social problem, not a technological one. Who's to say this new system won't be abused?

I'll save my enthusiasm for something else.

DNS needs to be dumb, not smart

[Bloodwine77]

If people want to filter out bad sites and auto-correct bad URL's then that sounds like a job for a client-side application, not for DNS servers. DNS does one thing and it does it well: it acts like a phonebook for IP addresses. There is no bias in its resolutions. Keep it simple and let it do its job without red tape.

Until it's available...

[Cocoa Radix]

Until it's available, I'm going to have an "I'll believe it when I see it" attitude, which, surprisingly, is normally the right thing to do with news like this.

Re:Adverts?

[KiloByte]

Who's to say this new system won't be abused?

Suspecting abuse in a SiteFinder-like system? You must be joking...

Two words: censorship and advertising. Isn't this everything we want?

servers too far away!

[muftak]

So using DNS servers that are 23 hops and 170ms away from me is meant to be faster than using ones 4 hops and 5ms away? Think they need some sort of distributed system with servers in every country, and some good peering.

The word is "monetization".

[khasim]

This is nothing more than another attempt to make some money off of the basic infrastructure of the Internet. DNS is free right now. And to some people, that means that there is a chance to "monetize" that service.

But how to turn a profit from something that's being given away for free right now?

You'd have to offer some additional incentives. Like "phishing blocking" or claiming that a popular website would "load faster".

As far as I know, the DNS resolution has never been the problem for MySpace loading slowly. It's slow because so many other people are hitting their servers and bandwidth. And since Win2K, Microsoft has included a caching DNS app so once you do hit MySpace, you've cached the address on your workstation. You can't get much faster than that.

Neither new nor useful

[mxs]

This POS is neither new nor newsworthy nor useful, at least not for the reasons they try to sell it to you for.

An alternative-root DNS system will never work (since Critical Mass is impossible to attain).

Myspace will not get faster. Whoever made you believe that is selling snake oil, too.

In fact, your DNS will actually slow down by a good bit; at least if you belong to the majority of the world (unlike root DNS servers, which actually deliver geographical and network dispersion). The big cache they are so proud of will create lots of problems if they actually do it differently from regular DNS resolver caches that you have at every major (and minor) ISP -- and those will be a lot closer to you than OpenDNS ever will.

Fixing typos is a double-edged blade. Sure it's nice if slashdo.torg works. How about whitehouse.gom, though ? And who decides that microsaft.com is really typo-squatter ? (They might just make nice juices !)

Their business model is funny, too. They sell advertisement for search pages in case they can't figure out where you want to go. This is hilarious, really. The selling point is that it can send you to the right page when you make a typo, but not figuring out what a typo was supposed to mean makes them more money. Hrrm. The better they become at their game, the less money they get ! Brilliant !
(Not to mention that this is precisely what got Verizon into hot water with their SiteFinder crap).

How on earth will OpenDNS stem the tides of spam ? Even IF it had a chance doing that purely with DNS, if it was relevant at all Spammers would find a way to make it inconsequential.

Last, but not least, their company is small. There is no oversight. I don't know whether I want to trust a group of 20 people to decide who is an abuser and who is not. I'd rather have hundreds of parties involved in the process, providing a stable balance to one another. (Fun scenario : OpenDNS gets bought out by DirectRevenue.com, starts redirecting EVERY DNS request to their own servers, encasing every website with a nice adbar. Oops. (points for doing it after attaining critical mass).

So much negativity!

[daitengu]

I can understand why slashdot geeks wouldn't want their DNS servers messed with, I'm among you, however most of the internet users out there aren't nearly as computer literate as we are, and this service I believe would be really good for them. Netcraft has been trying to fight the good fight against phishing and scamming sites for a long time, and here's a group of guys who are really blocking them at the source.

I applaud their efforts, while it may not be for me, I think a lot of people are going to find it very useful.

Re:Interesting

[vtechpilot]

Here is how the faster claim works. Say there is a 150ms round trip between you and your ISP's name server. You computer requests the IP for www.slashdot.org. If you are lucky then www.slashdot.org is in the name server's RAM cache, and you get a fast response in just a little over 150ms. If not (and for the majority of websites, its not) then the name server has to search its disk cache (this is where it is most likely to be. If its still not found, then your ISP's server has to look up slashdot.org with the root servers, and get the name server for that domain, and next it has query the dns server for slashdot.org to find the machine named www. each of these taking more time.

I presume what they do is have machines with loads of RAM (how many dns entries could you keep in say 4GB anyway?) and try to serve as many requests as possible from a RAM cache rather than disk cache. Thats my guess anyway.

Re:Now, I am but a lowly programmer

[M. Baranczak]

I was under the impression that Wired was relatively technical; perhaps I was wrong. (I've never actually read it, so I could well be)

In a nutshell: yes, you are wrong. And you haven't really missed much.

Wired occasionally has something worth reading, but most of it is just fluff and ads for expensive toys. I stopped taking it seriously years ago. Articles like this remind me why.

Re:Adverts?

[nstlgc]

I'd say mod parent up but it's already modded through the roof. That comment pretty much says it all. Remember what VeriSign pulled just a couple of years ago? This is exactly the same thing, just with some extra beef wrapped around.

Re:Now, I am but a lowly programmer

[XenoPhage]

And on top of this, let's all congratulate these guys on breaking the RFCs by "helping" shovel us to the address we "meant" to type in.. Let's not report back an error and help the end user correct their mistake, but transparently forward them so they never know.

And what happens when someone registers wordpres.org? Then where are we? Well, I meant wordpres, not wordpress.. Thanks for sending me where I don't want to be.. A haven for phishers?

Re:DNS currently sucks...

[CoolVibe]

If I'm using DNS to distrbute load its going to screw things up. What if I simply want to change a website to a different server? What if my primary connection goes down so I have point the DNS to a differnt IP?

The zone serial number takes care of that. I tested if they mess with the round-robin nature of looking up A records, but that still seems to work just dandy.

Re:Adverts?

[KiloByte]

Oh, wait. I would forget: add gathering marketing data. They'll learn what are the most commonly mistyped domain names, so they can typosquat them for some extra dough.

Re:ISP's will start port blocking 53

[winkydink]

It's only an issue for a very small number of people. How big was the revolt when port 25 blocking began?

False sense of security

[fishbot]

FTFA: "Those who click on a link in a phishing e-mail that attempts to take them to a fake site and con them into entering their credit card number won't even make it to the website, if OpenDNS knows about it."

A false sense of security is worse than no security at all. "if OpenDNS knows about it" indeed ... so when can the user trust that OpenDNS has successfully caught the phishing attempt, and when should they check that it has failed? The answer is simple; they should perform the same checks WITH OpenDNS as without, except now there will be a whole raft of users who don't know that and the phishing will get worse.

The road to Hell is paved with good intentions ...

Re:Adverts?

[jafiwam]

It doesn't matter. NXDOMAIN response needs to exist for a lot of other reasons that makes the 14 year old myspace user getting an ugly error message over a spammer's search page irrelevant.

I don't care if he's the queen mother pope jesus vishnu all in one. What the guy is proposing is fucking stupid.

Stop fucking with DNS. Gimme a friggin IP when I query with a hostname. Gimmie a hostname when I query an IP. STOP THERE. THAT'S IT. NOTHING MORE TO SEE.

If something more "friendly" needs to happen, it needs to happen at the application layer instead.

Re:Now, I am but a lowly programmer

[cain]

Yes, that make sense. So you query slashdolt.ogr and get back an ip which points to opendns.org/some_customized_web_page. So this will break any non-web-based query. So if you use this service and ssh into slashdolt.ogr, it will not fail correctly, but fail to fail correctly. Annoying.

Re:Adverts?

[shrtcircuit]

No kidding, seems like Verisign tried something along those lines a while ago - redirecting users who typed in bad domain names to corporate-sponsored pages. Kinda defeats the purpose of running the unbiased systems which arguably control the Internet, eh?

I *WANT* users to see a "oops, you fucked up" page when they mistype a URL. That is what tells them they screwed up. What I don't want to happen is for them to go to some domain-park search display with ads and crap that have nothing to do with my site, because then they won't "get it". They will think they typed it right, and my domain name is now defunct. There is serious potential for damage to companies across the Web, far beyond annoying people.

As much as we need users to browse our company sites for whatever it is that we do, the fact is that many users are just dim. I run one site where we accept event registrations online, and we actually get people that can't spell their own name properly. We've had to resort to registering several variants of our domain name, because of people just screwing it up. Do you *really* think they're gonna get it when they are sent to an actual, but incorrect, web page?

Re:Ahh, yes, YARDNS

[Russ Nelson]

Ahh, yes - Yet Another Root Domain Name System, like AlterNic.

From their FAQ: Is OpenDNS a root nameserver? [opendns.com]: "No. OpenDNS is a recursive nameserver. OpenDNS software talks to the root nameservers when necessary."

Only on slashdot could you be completely wrong and Insightful at the same time.

Re:Neither new nor useful

[Russ Nelson]

Verisign, not Verizon, but please, rant on. Don't let BEING COMPLETELY WRONG slow you down.