At home I run a virtual machine as a nameserver for my network (and my VPN). Technically it runs two DNS servers: BIND for local queries (.haven.network) and djbdns (specifically dnscache) on a separate IP address for everything else. Previously I always used my ISP’s (BT) nameservers for forwarding, and since moving to dnscache I have been querying the root servers directly (dnscache by default seems to recommend this, even though I’m pretty sure it’s bad practice).
Recently a very significant DNS threat has come to light, and one of the recommendations was to use OpenDNS as your forwarder if you cannot patch yourself. As I was using dnscache I wasn’t vulnerable to the threat; however, it did make me take a closer look at OpenDNS than I had when it was first launched. Now that I’ve been using them as my primary forwarders for a week, I thought I’d talk about how I’ve got on.
OpenDNS is a company providing free recursive nameservers for the general public to use. Normally people use their ISP’s nameservers, or corporate ones if they are at work, and these are fine, but DNS is not the only thing your ISP does – it is just something they ‘have’ to provide. With OpenDNS it’s all they do, and as such they do it well.
What are the advantages of using OpenDNS? Firstly, reliability: if your ISP has nameservers that go down sometimes, I strongly recommend switching to OpenDNS, as they will have significantly better uptime. Also, they’re fast. OpenDNS takes 33 ms to respond to my query for google.com and my ISP takes 22 ms – not much difference considering my ISP’s DNS servers should theoretically be very close to me ‘tube’-wise (doing a traceroute, I see BT’s DNS servers are 13 hops away and OpenDNS’s are 21+ away).
If these two things aren’t enough reason to switch, then take a look at the plethora of features they provide. Some are catered to corporate networks (blocking specific domains, customising the OpenDNS guide, blocking time-wasting websites, statistics), but some everyone can benefit from (built-in phishing protection, shortcuts, typo correction, CacheCheck). Granted, these things can be provided by your web browser (Firefox, for example, uses similar phishing data), but it’s nice to have it running at the DNS level, where chances are it’s going to be more thorough and it covers every application on the machine rather than one browser. Also, if you like using Safari (or WebKit), which doesn’t have phishing protection built in, it’s a useful way to get phishing protection on your Mac. And for a small business I can imagine being able to block websites by category, and specific ones individually, is a great way of having content filtering without paying for it and managing it yourself!
All in all, I’m pleased with OpenDNS so far, and I’m going to continue to use them for the foreseeable future. If anyone has any comments about OpenDNS, please leave one!
Edit: Chris Northwood pointed out that OpenDNS isn’t very useful if you want accurate DNS information, as they never return NXDOMAIN, instead returning an A record pointing at their search pages. While these pages are very useful for humans, some applications (such as email spam filtering, which checks whether a sender’s domain actually exists) rely on getting NXDOMAIN for names that do not exist. It’s something I had heard about but forgotten, so thanks Chris for pointing this out. I run SpamBayes on my mail server at home, so I’m going to look into whether it needs NXDOMAIN responses, and if so I will tell my mail server to use a separate DNS server (I’ll update this post with how I get on).
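To make the NXDOMAIN point concrete, here is a small added example (not code from this post or from OpenDNS) that shows how a resolver which rewrites NXDOMAIN into an A record fools a naive "does the sender's domain exist?" check, and how to detect such a resolver. It builds and parses raw DNS wire-format messages itself so it runs offline; the responses are constructed in the script to stand in for what an honest resolver and a rewriting resolver would send back. The probe queries a random label under the reserved `.invalid` TLD, which can never exist, so any A record in the answer proves rewriting without having to know the resolver's search-page addresses (the `192.0.2.10` address below is a documentation placeholder, not a real OpenDNS address).

```python
import random
import string
import struct

A_RECORD = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def random_probe_name():
    # A random label under RFC 2606's reserved .invalid TLD cannot exist, so an
    # honest resolver must answer NXDOMAIN; anything with an A record is a rewrite.
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
    return label + ".invalid"


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    # Standard query, recursion desired, one question asking for an A record.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, 1)


def build_response(query, rcode, a_records=()):
    # Constructed for this example: echoes the question, sets the RCODE and appends
    # one A record per IPv4 address, naming it via a compression pointer (0xC00C).
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    answers = b""
    for ip in a_records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 300, len(rdata)) + rdata
    return header + question + answers


def read_name(data, offset):
    # Decodes a possibly compressed name; returns (name, offset just past it).
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data):
    # Returns the RCODE and every IPv4 address found in A records of the answer section.
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == A_RECORD and rdlength == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0xF, "addresses": addresses}


def naive_sender_domain_exists(response):
    # The check sender verification effectively makes: a name that resolves is "real".
    parsed = parse_response(response)
    return parsed["rcode"] != RCODE_NXDOMAIN and bool(parsed["addresses"])


def resolver_rewrites_nxdomain(probe_response):
    # Response to a query for a name that cannot exist: any A record means rewriting.
    parsed = parse_response(probe_response)
    return parsed["rcode"] == RCODE_NOERROR and bool(parsed["addresses"])


if __name__ == "__main__":
    query = build_query(random_probe_name())
    honest = build_response(query, RCODE_NXDOMAIN)
    rewriting = build_response(query, RCODE_NOERROR, ["192.0.2.10"])  # placeholder sinkhole
    print("honest resolver rewrites NXDOMAIN:", resolver_rewrites_nxdomain(honest))
    print("rewriting resolver rewrites NXDOMAIN:", resolver_rewrites_nxdomain(rewriting))
    print("sender check accepts bogus domain:", naive_sender_domain_exists(rewriting))
```

Against a live resolver you would send `build_query(random_probe_name())` over UDP to port 53 and hand the reply to `resolver_rewrites_nxdomain`; if it returns True, point the mail server (or anything else doing sender verification) at a resolver that returns real NXDOMAIN answers, as the post suggests doing with a separate DNS server.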
August 11, 2008 at 3:35 pm · Written by Jalada · Filed under Web Technologies
However, OpenDNS is completely useless if you’re running servers – if you try to resolve a non-existent domain (for example, as part of sender verification for anti-spam), it doesn’t return NXDOMAIN, it returns an A record for its page full of advertising. If you don’t like your DNS being messed with and need to rely on it to give 100% accurate data all of the time (as I do), OpenDNS is not for you (I did try it for a while but then just got so annoyed I stopped).
Chris, very good point, I had forgotten about that. I will edit the post soon and mention your point. Thanks.
[...] you start off hating Comcast here, realize that our friends at OpenDNS do the SAME THING. Difference is, we applaud them. So where does this leave us? Especially if other ISPs are doing [...]