404 Tech Support

OpenDNS pt. 2 – A Comparison

Following yesterday’s article detailing the ins-and-outs of OpenDNS, I have also been working on providing some context about why you should consider utilizing OpenDNS. I’m not affiliated with OpenDNS in any way, though I am very impressed with their product, so I tend to come off a bit like I have a sales pitch; as I was telling my wife about it last night, she asked, “What do you get out of this?” I get nothing out of it when other people find OpenDNS, but for my own network I would get fewer support calls and happier, more productive customers. That’s the reason I recommended it to her and the same reason I, as your Friendly Neighborhood IT guy, recommend it to you.

What Are My Options?

You have two choices to make: do nothing or do something. If you do nothing, you’re stuck with your ISP’s DNS servers, which offer none of the features OpenDNS does and, in the benchmarks later in this article, came in behind the public alternatives. For that reason, I recommend you do something. You have choices when it comes to your DNS service, and the alternatives offer more features than you have been getting from your ISP. There are likely others that I am not aware of, but here are some of those alternatives:

I can’t recommend from experience any of the last 3 alternatives listed there, but I have used both OpenDNS and Google Public DNS.

Google DNS

Since I went into the details of OpenDNS yesterday, let’s get the scoop on Google Public DNS today. We’ll pick on Google since they’re the biggest name in the pool. Google Public DNS is actually relatively new, having been announced in early December 2009. Since I can’t say it any better than they did, here is what Google Public DNS is, from the Introduction to Google Public DNS:

Google Public DNS is a recursive DNS resolver, similar to other publicly available services. We think it provides many benefits, including improved security, fast performance, and more valid results.

  • Performance. Many DNS service providers are not sufficiently provisioned to be able to support high-volume input/output and caching, and adequately balance load among their servers. In addition to load-balancing user traffic to ensure shared caching, Google Public DNS implements “smart” caching to increase the speed of responses. Google Public DNS independently resolves domain names and keeps the resolutions in the cache until their time-to-live (TTL) expires, at which point they are automatically refreshed. The cycle of caching and refreshing is performed offline, asynchronously with user requests, so that responses are almost always available directly from cache.
  • Security. DNS is vulnerable to various kinds of spoofing attacks that can “poison” a nameserver’s cache and route its users to malicious sites. The prevalence of DNS exploits means that providers have to frequently apply server updates and patches. In addition, open DNS resolvers are vulnerable to being used to launch denial-of-service (DoS) attacks on other systems. To defend against such attacks, Google has implemented several recommended solutions to help guarantee the authenticity of the responses it receives from other nameservers, and to ensure our servers are not used for launching DoS attacks. These include adding entropy to requests, rate-limiting client traffic, and more.

And here is what Google DNS is not:

  • A top-level domain (TLD) name service. Google is not an operator of top-level domain servers (generic or country-code), such as Verisign.
  • A DNS hosting or failover service. Google Public DNS is not a third-party DNS application service provider, such as DynDNS, that hosts authoritative records for other domains.
  • An authoritative name service. Google Public DNS servers are not authoritative for any domain. Google maintains a set of other nameservers that are authoritative for domains it has registered, hosted at ns[1-4].google.com.
  • A malware-blocking service. Google Public DNS does not perform blocking or filtering of any kind.

So, Google Public DNS is a straight-up recursive resolver much like your ISP’s, although Google claims it is faster and hardens it against DNS cache poisoning (the “entropy” added to its queries, mentioned above). To make OpenDNS comparable, we would filter no categories and turn off its malware/phishing protection. Google Public DNS falls under Google’s main, over-arching privacy policy; here is their DNS-specific statement:

Google Public DNS complies with Google’s main privacy policy, which you can view at our Privacy Center. With Google Public DNS, we collect IP address (only temporarily) and ISP and location information (in permanent logs) for the purpose of making our service faster, better and more secure. Specifically, we use this data to conduct debugging, to analyze abuse phenomena and to improve our prefetching feature. After 24 hours, we erase any IP information. For more information, read the Google Public DNS privacy page.

One thing Google Public DNS really beats OpenDNS on is the IP addresses of its resolvers: 8.8.8.8 and 8.8.4.4. Memorable and easy to type in.

Comparison

After reading and understanding the Google Public DNS feature set, I’d rather go with OpenDNS because of the features it offers, since filtering malicious and phishing pages is important to me. Based on the Google Public DNS FAQ, the OpenDNS Knowledge Base, and my experiences with AT&T and Comcast, I whipped up this little chart to diagram the features.

Google claims to offer a faster service and so does OpenDNS, but how do we benchmark and compare them to know the truth for your area? Using a small application called NameBench, we can test a large number of domains to see which service resolves them fastest. I ran this test in three different environments: at my work, which has a local DNS appliance; at my parents’ house with their end-of-the-line AT&T DSL; and at my home with AT&T U-Verse Fiber-to-the-Premises.

When you run NameBench, it grabs your current DNS servers, and you can choose to include global DNS services (OpenDNS, Google Public DNS, etc.) and any known DNS servers in your area (sometimes including oddball ISPs’ DNS servers). You can also choose how many domains to test; Google recommends 5,000 for a fair test.

You can find out more about NameBench through its FAQ page in Google Code.
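Two things on this page are easier to see in code than in prose: the “entropy” Google mentions as its defense against spoofed answers (a random transaction ID, plus a random source port, that a reply must echo before it is accepted) and the NameBench procedure of timing many lookups against several resolvers and ranking them. The script below is an added example written for this article; it is not code from 404 Tech Support, Google, OpenDNS or NameBench. It speaks raw DNS over UDP with the standard library only, rejects any reply whose transaction ID does not match the query, and ranks resolvers by median latency. 8.8.8.8 is the Google address from the post; 208.67.222.222 is OpenDNS’s published resolver address, which this page does not list; the sample names, the forged reply packet and the `query=` hook for running the ranking offline are all constructed here for illustration.

```python
"""Minimal DNS probe: random TXID checked on reply, plus NameBench-style ranking.

Added example, not code from the blog, Google, OpenDNS or NameBench.  Assumes:
- 8.8.8.8 (Google, from the post) and 208.67.222.222 (OpenDNS's published address);
- sample names and the forged reply below are constructed, not captured.
"""
import os
import socket
import statistics
import struct
import time

RESOLVERS = {"Google Public DNS": "8.8.8.8", "OpenDNS": "208.67.222.222"}


def build_query(name, txid):
    """Build a minimal RFC 1035 A/IN query (recursion desired) with the given TXID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1


def parse_response(pkt, expected_txid):
    """Return (rcode, [A-record IPs]).  A reply whose 16-bit TXID does not match the
    query is rejected: that check (with the random source port) is the 'entropy' a
    resolver relies on to drop forged answers from a cache-poisoning attempt."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("TXID mismatch: reply %04x, expected %04x" % (txid, expected_txid))
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def resolve(name, server, timeout=2.0):
    """One UDP query from a kernel-chosen ephemeral source port with a random TXID;
    returns (latency_ms, ips) or raises on timeout, bad TXID or non-zero RCODE."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t0 = time.perf_counter()
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
        latency_ms = (time.perf_counter() - t0) * 1000.0
    finally:
        sock.close()
    rcode, ips = parse_response(data, txid)
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    return latency_ms, ips


def benchmark(resolvers, names, query=resolve):
    """NameBench-style comparison: time every name against every resolver and rank
    by median latency.  `query` is injectable so the ranking can be run offline."""
    results = {}
    for label, server in resolvers.items():
        times, failures = [], 0
        for name in names:
            try:
                latency, _ = query(name, server)
                times.append(latency)
            except (OSError, ValueError):
                failures += 1
        results[label] = {
            "median_ms": statistics.median(times) if times else float("inf"),
            "mean_ms": statistics.mean(times) if times else float("inf"),
            "failures": failures,
        }
    return sorted(results.items(), key=lambda kv: kv[1]["median_ms"])


def build_sample_reply(name, txid, ip="192.0.2.1", ttl=300):
    """Forge the reply a resolver would send (constructed, not a capture): echoes the
    question, then one A record whose owner name is a pointer to offset 12."""
    query = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    for label, stats in benchmark(RESOLVERS, ["example.com", "example.net", "example.org"]):
        print("%-18s median %.1f ms  failures %d" % (label, stats["median_ms"], stats["failures"]))
```

Add your ISP’s resolver (from `ipconfig /all` or `/etc/resolv.conf`) to `RESOLVERS` and a few hundred names you actually visit to get a ranking comparable to NameBench’s; a single pass over three names, as in the demo, tells you little. Note that a mismatched TXID is treated as an error rather than silently retried, which is the behaviour you want when measuring a resolver’s trustworthiness and not just its speed.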

In each case that I tested, Google Public DNS was faster. The greatest difference was actually at my work where NameBench proclaimed that Google would provide DNS resolutions at 66% faster speeds.

OpenDNS was never far behind and almost always took 2nd place, with the ISP coming in 3rd of the publicly available DNS servers.

Google Public DNS may be faster, but I still think the features OpenDNS offers outweigh the speed difference. There’s also a concern about relying too heavily on Google for your Internet services, not only for privacy but also for diversification. If you depended entirely on Google and something happened to them, your whole Internet experience could be affected: you boot up your Google Chrome OS computer, connect over Google Fiber, launch the Google Chrome browser, run a Google search, and land on a page showing you Google ads, all of it resolved by Google Public DNS. Along the same lines, the points made by OpenDNS founder and CEO Dave Ulevitch following the launch of Google Public DNS deserve some serious consideration.

Conclusion

Soak all the data in, investigate your options, and do something to improve your Internet experience by switching your DNS servers to one of these alternatives. If you ask me for a recommendation, I would point you straight to OpenDNS after months of solid service and use of its features. After some time to let these thoughts stew, I’ll probably be making the same recommendation at work: investigate OpenDNS to improve our security and reduce our malware infections.