How OpenDNS Works and Why it Can Benefit Your Customers

opendns

Your customers likely have little to no idea what goes on behind the scenes to make the internet a pleasant place for the non-geek. One of these important supporting factors is the technology behind DNS (Domain Name System) which acts as the invisible address book for any and every website they choose to visit. To the normal user, it’s Microsoft.com; but we all know that in reality, 65.55.58.201 is where they’re truly going.

Not to get too technical, but it’s important to understand the workings of DNS if you are going to recommend services such as OpenDNS to customers (which I’ll get to in a little bit.) The Domain Name System is indeed a clever invention, because it affords for easy navigation of the web by end users and works globally between domain authorities of all walks. If you want to place the concept of DNS in a nutshell, think of it as the webbing that ties IP namespace (xxx.xxx.xxx.xxx) to easily recognizable domain name addresses (xxx.com). Without it, we would have to do all of our own legwork to get to any publicly available website on the internet.

How DNS works at a glance


The problem with how DNS is configured for most users is that it’s usually set up by the respective ISP for a customer’s home or office. While this used to be a non-issue back in the days of dial up and the budding of broadband, now DNS can truly have a negative impact on web browsing. In general, these problems stem from one or a combination of two issues:

Geographic location of DNS servers: This is becoming less of a problem on today’s mega-sized web backbones, but still poses a relative conundrum especially when end users are making DNS requests over slower speed links. Not all DNS servers are in prime locations; this is a bigger issue for customers who are in rural areas being served by smaller regional ISPs.

Over-burdened DNS servers: Again, this is more likely to happen with DNS servers hosted by smaller ISPs or similar DNS authorities, but I’ve seen it with Comcast and ATT systems too. If an end user’s router or home PC is pointing to DNS servers that can’t handle their request load effectively, overall response performance suffers and this equates directly to what we know as “slow internet.”

If you think all DNS servers are equal, run some of your own tests. The networking & security guru Steve Gibson has a wonderful free tool available called Domain Name Server Benchmark. It is preloaded with a number of popular DNS servers in use today, but you can fully customize it to include servers from OpenDNS, Google DNS, and any other provider you may wish. If you’re purely looking for the fastest possible response on DNS queries, DNS Benchmark is truly your best bet.

Changing DNS server settings is fairly easy for any computer repair technician that has ever touched the IP settings in Windows (or MAC). But keep in mind that how you adjust DNS for a customer will impact everyone who uses a particular machine or set of systems that share connection from a common router. There are benefits to making DNS changes on the router level because:

  • Everyone will not have to adjust their systems; only the common router will need the adjustment.
  • It will speed up (and clean up) web browsing for all users on a given connection.
  • You can even offer further browsing redundancy by choosing primary and secondary DNS servers that span different providers (say, Google DNS and OpenDNS, which I recommend doing.)

Changing DNS settings on a customer’s router is my preferred method because of all of the above, but namely, time savings in configuration. If any guests come to the home or office and use the internet connection, they too will be given the benefits of utilizing custom DNS settings. Every router handles DNS settings configuration differently; I highly suggest you visit the support section on your router manufacturer’s website before making any mistakes.

Some techs may claim that ISP-provided DNS settings work just fine, and I won’t necessarily disagree. Everyone’s needs from DNS and relative performance on a given pair of DNS servers will be wildly different. Much of this stems from what I mentioned above regarding location, burden, and other factors. But it’s what you don’t know about alternative DNS solutions (especially my favorite OpenDNS) that will get you interested.

The benefits of OpenDNS technology

While Google DNS merely exists to provide a speedy alternative to what ISPs offer, OpenDNS takes this concept one step further. The company employs specialized technology that actually spans DNS requests to datacenters that are closest to your location geographically without any intervention. In addition, because they handle so many requests from different parts of the world, they have arguably the most up-to-date single repository for where everything is on the web. This significantly reduces the need for them to “ask” other DNS servers where a website or file may be located.

Another key benefit is how they provide malware blocking at the network level by literally sifting out known-infected websites and files before you can even get to them. This is beneficial because, by default, ISP provided DNS servers never filter out the responses they provide. Even if you mistakenly type in the address of a completely known and virulent malware site, chances are your ISP will take you there – without hesitation.

One of the biggest contributors to the spread of malware today is the fact that end users who truly can’t recognize bad links or search results are visiting pages on the web where they’d likely prefer not to be. OpenDNS takes the guesswork out of the process because it maintains a centralized blacklist of these sites that is in effect for all users of the service (free and paid.) For customers of mine that have bad histories with such links, OpenDNS is always a recommendation behind solid anti-malware software like NOD32.

For those that need it, OpenDNS even offers paid levels of their service for home and business customers. Home users can benefit from the parental control functionality via custom block lists and category-powered filtering of their home internet connection. I’ve recommended the service to numerous residential clients in lieu of something like NetNanny (which is installed per-PC; needs updates delivered; etc.) There’s no client software to install, no signature updates to worry about, and it affects EVERY device that wants to use internet in a home – which means any young visitors won’t be able to bypass filters merely by bringing their own computers.

The business level subscription to OpenDNS goes even further by providing advanced logs, web access control for workers, strict malware and botnet prevention options, and website blocking. One of the greatest reasons that OpenDNS is truly a remarkable product is because you can gain access to the speed and malware prevention benefits without paying a single cent – merely by configuring your router to point to OpenDNS.

If you want to switch to OpenDNS on your own router or on a customer’s setup, here are the two DNS servers that they publish (follow their instructions page for generic guidance; consult your router’s documentation for in-depth steps):

  • PRIMARY: 208.67.222.222
  • SECONDARY: 208.67.220.220

I tend to take a balanced approach in my own setup for customers which uses a hybrid combination of OpenDNS as the primary server, and Google DNS as the secondary server. You don’t have to do this, but I feel that if for some reason OpenDNS has outages across both of their systems, at least your router can then tunnel DNS requests to a complete third party. For redundancy, this is a great approach. My preferred router configuration happens to look like this:

  • PRIMARY (OpenDNS): 208.67.222.222 or 208.67.220.220
  • SECONDARY (Google DNS): 8.8.8.8 or 8.8.4.4

How you configure your router is up to you, but give the above combination a try to see if your website browsing speed is improved. You will also gain the transparent malware blocking and phishing protection that OpenDNS advertises. My own experiences have found that OpenDNS alone will not block all malware – but it does cut down on “easy entry” for about 70% of mistaken search result clicks by mistaken customers. Any extra bit helps, and I think OpenDNS has a great product for the price tag of free.

What do you think of OpenDNS? Do you prefer some other DNS service other than OpenDNS or Google DNS? Let us know in the comments section!



Derrick Wlodarz

About the Author

Derrick Wlodarz
More articles by me...
Derrick Wlodarz is an IT Specialist that owns Park Ridge, IL (USA) based technology consulting & service company FireLogic, with over 8+ years of IT experience in the private and public sectors. He holds numerous technical credentials from Microsoft, Google, and CompTIA and specializes in consulting customers on growing hot technologies such as Office 365, Google Apps, cloud hosted VoIP, among others. Derrick is an active member of CompTIA's Subject Matter Expert Technical Advisory Council that shapes the future of CompTIA exams across the world. You can reach him directly at derrick@wlodarz.net.

Comments (27)

  • Jon Bennell says:

    Thanks Derrick, a good and concise article. One thing to note about these distant DNS servers is the adverse affect on download speed of media content from sources such as iTunes. Content servers often mistake your real location based on where the DNS query lands, which means the source server is much further away than intended. In the real world, this often constricts content delivery by a factor of 10 or more.

    • Nuwy says:

      This is a really good point. A lot of site acceleration and content delivery services utilize DNS queries to route requests to nearest servers. So while DNS resolution may work really well, your ultimate experience will be far from ideal and may even perform worse.

  • Michael M says:

    I have used open DNS for a few years at a local fire department whose network I maintain. I have has comments on increased website load times from men techie people. I also have seen a reduced impact from malware do to the filtering. They have a great service and definitely recommend.

  • computergeek says:

    These two DNS services are the most common.

    But other companies like Symantec offer a public DNS service too but I have never used any of them. I have only read reviews about OpenDNS and Google DNS

    Would be interesting to see how symantec’s service performs.. I would imagine slow, and blocks all sites like the old Norton internet security suite

    Nice topic to bring up though

    Cheers

  • Mike Wilson says:

    I have setup opendns for several clients. In fact I have an appointment to set it up for a client this afternoon so your article is great timing so me and thanks!

    I would be cautious about this statement though:

    ” which means any young visitors won’t be able to bypass filters merely by bringing their own computers.”

    If you setup opendns in the router as you mention, then all those young visitors need to know how to do is go to their ip settings and hard code their own dns settings which will bypass opendns.

    • TheNomadSoul says:

      Have you ever met a child/teenager that knows how to change DNS settings, cause I sure haven’t.

      • Mike Wilson says:

        Are you kidding? YES. It is a lot more likely the kids will figure it out than the the parents that are just trusting me and what they paid me to setup for them. I always tell the parents this is not foolproof.

        Kids talk about this stuff with each other at school. It is a challenge to them to beat it.

        • TheNomadSoul says:

          I don’t know, I’ve been doing residential work for about 5-6 years and set up things like Net Nanny and eventually Opendns. I’ve never had a parent contact me saying their kid got around it.

          Now, either they are just not getting caught when they figure out how to change it or it’s really not happened to me. Has a customer actually called you back complaining that their child figured out how to reset the router to get past the password, then set up the ssid, encryption exactly the way it was when you left and changed the dns servers back. I have honestly NEVER seen this.

          I’m sure there might be a few who have but they would probably also be smart enough to not let their parents know about it, so how would you know?

          • tech says:

            I think he was implying to simply change the windows dns settings, which one could do with ease and the parents would never know. No need to get into the router and reset everything.

        • TekSquad says:

          It is “fool proof” with the right equipment as I have stated.

      • JustinDS says:

        No offense to this, but I am baffled how you think teenagers can’t figure that out. Truth being that most teenagers in this technology age we are in can easily figure things out on their own and/or using Google search. It really isn’t to complicated.

        That being said I was running my own computer repair service that was quite successful before I ever graduated high school.

  • TekSquad says:

    Just started using OpenDns Enterprise at my full time. With the Enterprise version you can filter multiple networks (ip’s) and you also get a Blocked Access Bypass option for people with unrestricted access. OpenDns, like most large DNS services uses AnyCast (similar to multicast) to redirect clients to the closest dns server available. Dont assume just because OpenDns just has 2 ip’s for its dns servers that there are only 2 servers. Their dns farms are huge and they share those addresses via AnyCast.

  • Chris Moroz says:

    OpenDNS can be a great service, but only the PAID business version provides Malware protection (free only provides phishing protection).
    http://info.opendns.com/rs/opendns/images/OpenDNS_FeatureMatrix.pdf

  • TekSquad says:

    “If you setup opendns in the router as you mention, then all those young visitors need to know how to do is go to their ip settings and hard code their own dns settings which will bypass opendns.”

    This can easily be blocked with only allowing dns requests outbound to OpenDns servers on your firewall. This is how I configure it on our ASA’s and Routers.

    • Mike Wilson says:

      “This can easily be blocked with only allowing dns requests outbound to OpenDns servers on your firewall. This is how I configure it on our ASA’s and Routers.”

      Good idea, but this is going to be different according to every brand of router which makes it more complicated and some routers may not even be capable of blocking/redirecting outbound port 53 or you might have to flash them with dd-wrt or similar IF the router is compatible. This is not always easy.

  • Derrick Wlodarz says:

    Chris Moroz: Thank you for the clarification! I guess I was looking at an outdated portion of their site describing features.

    Glad to see so much interest in OpenDNS!

  • TekSquad says:

    Derrick I believe the “free” services you get depend on when you signed up. OpenDns just recently started the paid service. If you signed up awhile ago you may get all the services for free. I had the malware and botnet protection on my free account since I signed up last year. We just moved to the paid version a month ago.

  • Xander says:

    For those who deal with residentials like myself, I explain to them that a DNS server is like the old-time telephone operators where you would pick up the phone and tell them with whom you would like to speak. Now, Myrtle (ISP DNS) doesn’t think twice about it and will just connect you but Mildred (OpenDNS) is quicker at her job -and- more street-savvy and will help you avoid accidentally calling bad people.

    /I like OpenDNS so much I bought the t-shirt (https://community.opendns.com/merch/index.php?_=view&ProductID=16283)
    //Mildred and Myrtle were my mom and her twin

  • East Coast Computer Services says:

    I have been using Comodo’s DNS servers for ages with no problem. More information on their site here http://www.comodo.com/secure-dns/

  • Big B Managed Services says:

    It seems the balanced approach of using Google DNS as a secondary is opening up the very problem the primary OpenDNS is attempting to resolve. Sure, I concur that it is best practice to use multiple providers. I am wondering if this is akin to locking the front door and leaving the back door open. Is there a better solution such as a Secondary by http://www.comodo.com/secure-dns/

    As for kids / other end users changing settings, don’t let them have permissions. At least on the devices where this is possible, then for the BYOD crowd, they’re on their own for damage control and block the MAC addresses of unknown devices or limit who gets DHCP connectivity.

  • DSep says:

    I’ve been using opendns for years. Back in high school, I actually convinced the systems administrator to switch to opendns for their filtering options instead of using a white-list approach to web access.

  • Pete says:

    Looking at OpenDNS I tried to sign up but got the impression that I was being dragged into something that has to be paid for when signing up for an account. A lot of US companies use this tactic to suck you in without being upfornt about the costs. Is it free for home use?

    • Bob Stromberg says:

      Yes it does give the impression that a fee will be charged but there is indeed a free option.

  • Bob Stromberg says:

    I have the free OpenDNS account, which I use for my home. It’s set on my home router and on ALL the computing devices that might travel from the home and connect via other networks (laptops, tables).

    From the Security setting on my OpenDNS dashboard:

    “When certain Internet-scale botnets are discovered or particularly malicious malware hits, we offer protection to all our users so that as many people as possible can be protected from the threat. At this time, this feature blocks the Conficker virus and the Internet Explorer Zero Day Exploit, and is continually expanded to include other types of malicious sites.”

    It’s not clear just how extensive this protection is.

    HTH — Bob Stromberg

  • Mike Tanis says:

    Great article! Thanks Derrick!

    I just had a lot of fun with Steve Gibson’s DNS Benchmarking utility. It was new to me and I learned a lot about DNS resolution here on my little home network.

    Probably the most surprising thing was the relative slowness of Google’s public resolvers. I have used those for years. But they are slower than nearly any other server on Gibson’s default name server list. I’ll start using OpenDNS rather than Google as an alternative to ISP servers.

    -Mike

  • Rob says:

    There is new promising service in this field, SafeDNS: http://www.safedns.com