Monday, 29. October 2007
PermaLink In defence of OpenDNS
OpenDNSMy main aim in writing my piece on OpenDNS the other day was actually to find an excuse to mention, in an informal way, the Wii's quaint habit of doing AAAA DNS look-ups on an IPv4 only network.

But perhaps because I agreed to allow the post to be featured on CircleID, it has met with some criticism which I would like to address.

OpenDNS

Firstly, on the matter of OpenDNS itself, my question - "why not?" - was intended to be rhetorical and was addressed to my blog readers specifically, not to CircleID readers generally. I know (because you have told me) that many of you blog readers do use OpenDNS, for reasons similar to those I have outlined below. Those who do not are absolutely free to make that choice but, like all choices, this one is best made if properly informed.

Having failed to state openly that my question was rhetorical, a number of people answered it both here and at CircleID and every response (bar David Ulevitch's - hi, David) was negative.

Some responses proceed on the basis that any interference with DNS is, ipso facto, a bad thing. We all remember Sitefinder, right? Isn't OpenDNS just Sitefinder 2? It returns results for non-existent domains, just like Sitefinder did.

Well, it does, but with a couple of very significant differences.
  1. You have a choice - you can choose not to use it. You had no such choice with Sitefinder.
  2. It is configurable - you can choose to use OpenDNS and not have it correct your typos for you or show a search page when it is unable to do so. You can also elect to have typos corrected and make exceptions so that not every non-existent domain elicits an OpenDNS response.

Public DNS, in all its unsanitised glory, contains all sorts of undesirable artefacts which at least one class of user, parents, will be glad to have an opportunity to filter. Those artefacts include domain tasting, typosquatting and phishing and, for parents especially, pointers to a huge amount of adult content - the Internet is for porn, after all.

As a parent of children whose homework assignments call for research using the Internet with increasing frequency, the fact that I can make a simple configuration change at my border router and effectively mask most of this undesirable content is hugely valuable.

If you are one of those parents who neither bothers to lock out the adult channels on cable nor ensures that your children are tucked up in bed before the said adult channels begin broadcasting each evening, then perhaps this approach to parental responsibility is foreign to you. Most parents I have met, however, are concerned by the readiness of access by their children to potentially harmful material.

And yes, I know I could implement this functionality in other ways - I could for example direct all computers on the home network to use a proxy server and implement parental controls there - but no alternative exists that does not call for additional hardware, software and power somewhere on my home network.

One response to my original piece suggests that, by using DNS other than that provided by the relevant ISP, you defeat location sensitivity whereby a content provider can serve content from a local mirror. Google is cited as an example. I have just one issue with this. I can't duplicate this particular failure mode here in the UK.

Using OpenDNS, Google still knows where I am (perhaps my IP address is a clue), it still serves me from its local cluster and I still see local links and local Google branding.

Other responses cite lengthy ping times.

I guess I should have qualified my recommendation of OpenDNS by saying that your milage may vary. If you really do see ping times of several hundred milliseconds then perhaps OpenDNS isn't for you, but my OpenDNS ping times here are no different to those for my ISP's name servers.

Both are in the range 10-20ms and traceroute reports 10 hops to my ISP's name servers (including one traversing an RFC1918 network), where there are only a couple more hops (12 to be precise) to OpenDNS.

And ping times don't tell the whole story anyway. What is important is how quickly you get a response to your DNS query, assuming you get one at all which, given the less than perfect implementation of name services by many British ISPs, is not a foregone conclusion.

So, at the risk of drawing yet more heat, I will restate my recommendation that you at least consider OpenDNS. It may not be for everyone but parents and customers of certain British ISPs at least will probably find it useful.

Wii

Is the Wii broken, in that it seems to implement IPv6 by default and try to use it even over an IPv4 only network?

I don't know and I don't have the time or the inclination to analyse the network traffic in any detail to see what is going on, but I find it hard to believe that the designers of a piece of equipment that is otherwise so well designed made such a basic error in their implementation of the network feature.

Could there be some tunnelling going on, perhaps?

IPv6

Finally, on the matter of IPv6 by January 2012, regular readers of this blog would know that my tongue was firmly in my cheek when I wrote that.

Of course I do not expect the switch to IPv6 to have been completed by then, or in fact to have made very much progress at all. Instead, I expect to see more ISPs implementing services using RFC1918 private address space with NAT at their borders. Some already do this to a limited extent and it is a great deal easier to do than to switch to IPv6 when, as a carrier, you have little or no control over applications using your network. It is, after all, application compatibility which is the major stumbling block for IPv6 deployment. Does this worry me? Yes, but a lot more people need to be a lot more worried before the global switch to IPv6 gains enough momemtum.

Gordon Cook has written a useful blog piece on this very subject, which is also quoted at CircleID.

I did a 2 hour interview on October 23rd with John Curran, Board Chair of ARIN the North American Regional Internet Routing Registry for the last decade.

I now understand what is at stake with IP v6. Outside of a key core group of network engineers I think darn few people do understand. And not all of them agree on how the scenario plays out though virtually all say the situation is very serious.

John believes that it is huge. It is as big as Y2K except no one knows a precise date by which everything has to be done. And because the onset of the crisis is 3 to 4 years away, there is no real incentive for people to be first movers. Why should I start spending money now in a low margin industry when, until my competitors also spend, my investment does no good? We have had years of procrastination.

To say it's like Y2K, but without the benefit of an immovable and very tangible deadline, seems about right to me in that the consequences of not fixing it will be dire, but no-one quite knows when those consequences will bite us.

But it may be worth remembering that Y2K itself was overhyped by people wanting to sell software, and a lot of money was spent on fixing Y2K with major software upgrades when it could probably have been done more cheaply in many instances. So even if the Y2K analogy were to gain currency among influencers and decision makers, it would probably not be enough.

The IT industry is widely percieved to have cried wolf with Y2K and the IPv6 wolf, while real, will not be generally perceived as such.

Category: OpenDNS
Technorati:

Comments :

1. fsteinel29/10/2007 20:18:58


...
IPv6 just makes me let out a sigh
But I spose we'd better give it a try
...
Hilarious
http://youtube.com/watch?v=_y36fG2Oba0
via
http://richi.co.uk/blog/2007/10/ipv4-inaction-danger-danger-will.html



2. JP Electron30/10/2007 16:15:59
Homepage: http://www.jpelectron.com


Many mobile/handheld devices like HP iPaqs, Dell's PDAs, and Symbol scanners also send IPv6 queries first, wait for them to time out or the DNS server respond "no AAAA records" before trying to resolve the same thing using a typical IPv4 "A record" I agree it's dumb, and a waste of resources. (I first noticed this back in 2002 on iPaq's)



3. Gerco Wolfswinkel31/10/2007 19:50:00
Homepage: http://www.domino-weblog.nl


Agreed op OpenDNS. I know my kids are at least a bit protected, and that's a good thing. Haven't noticed any drawbacks, either. Ping times are good, under 22 ms.



Unable to post a comment? Please read this for a possible explanation...
Add Manual Trackback
Please enter the details of the trackback post. Your trackback will not appear on the site until it has been verified. This won't be immediate, as trackbacks are validated on a scheduled basis. Be patient.











Search
Hot Categories
Domains
IPv6
Internet
Malware
Monthly Archive
2009
2009
2009
2009
2009
2008
Full Archive
Links
Chris' Posterous
CircleID
Anti-Spam Tools
Misc Links
Land banking information
LDV Blog
Landscape Gardener in Birmingham
Contact Me
email - Chris Linfoot
Subscribe
Subscribe to articlesArticles

Subscribe to commentsComments

Visitor Locations
Locations of visitors to this page
Hosted by


logicspot.com