[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
brad at stop.mail-abuse.org
Wed Jul 12 08:03:18 UTC 2006
At 8:52 AM +0200 2006-07-12, Stephane Bortzmeyer quoted David Ulevitch:
>> In fact, I can't imagine a reason why you wouldn't use OpenDNS.
> 1) Because it is awfully slow (160 msec, for data in the cache),
Well, let's see. The machines are in various places in the US. In
my experience, latency across "the pond" is frequently on the order
of ~70-150ms or worse, so I can see how you'd get pretty bad
performance right now.
Still, from my slow cablemodem line here in Austin, TX, I can ping
www.bbc.co.uk and get pretty reliable ~70ms RTTs. Unfortunately, it
looks I'm also getting ~70ms RTTs to the advertised IP addresses for
the OpenDNS resolvers, and I'm here in the US.
> 2) Because it decreases reliability (if I use OpenDNS and the transit
> links of my provider, Renater, goes down, I cannot even resolve ".fr"
IIRC, OpenDNS is using anycast routing tricks, right? Didn't we have
a knock-down, drag-out fight a while back over the evil that we've
seen happen with other pure-anycast TLD operators? I mean, I know
that some of the root servers are doing anycast, but there are other
root servers that are pure unicast, and that should hopefully resolve
the routing weirdness issues for them.
Or am I mis-remembering things?
Certainly, my current routing path to both advertised IP addresses
appears to be exactly the same. If they wanted to try to avoid
routing weirdnesses, wouldn't they want to set those up in two
separate ASes, so that those two machines don't appear to be
operating from the same subnet?
I also notice that the registered nameservers for OpenDNS within the
.com zone are from everydns.net (which makes sense, since David
created EveryDNS a few years back), although they are reasonably well
distributed topologically (addresses owned by PSInet, Hurricane
Electric, ProServe Networks in the Netherlands, and Defender
Technologies Group LLC). Not a real problem, but for a company that
is supposed to be selling itself as the world leader in this field,
it seems to me that this is something they'd want to have within
their own domain.
Strangely, the reverse DNS for mail.opendns.com points back to
mail.perfectemail.net. Again, that seems to be something that they'd
probably want to make sure is fixed before they start discussing the
services they're offering in forums like this. And it seems to me
that they'd want to discuss this sorts of things in forums like this
before making press releases to places like C|Net. At least we might
be able to save them a little embarrassment over things like this,
before word gets spread out too far.
> 3) Because it is broken (see the "NXDOMAIN with some types but not
> with others" bug),
One thing I'd want to see is a regression test for compatibility and
conformance, both to the published "de jure" standards, as well as
the de facto standards. Differences should be noted and explained,
So far, a few people have taken up the task of creating an
alternative authoritative-only service to compete with BIND, with
some limited success. But outside of certain commercial
alternatives, I have yet to see anything that I'd be willing to run
on the caching-only side of the house.
I'd want to know a lot more about what's going on under the hood
before I would feel comfortable about using such a service.
And I'd want to know a lot more about the people involved, the
venture capitalists who are providing them money, etc.... For all I
know, this could be something that is being secretly funded by
Microsoft or Google as a way to temporarily "give away" a loss-leader
service that they can then later cash in on once they have eliminated
all possible competition.
Or maybe they just get bought out by VeriSign, and we're right back
to where we were with SiteFinder.
Fully open-source all the software, and then run the OpenDNS service
based on the fully open-source software that they provide, and I
might feel better about what's going on. But they'd still need to
convince me that they aren't playing any games behind the scenes.
But that "reliable source of NXDOMAIN" point that Paul brings up is
pretty killer. I don't think that you can get around that one.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
Founding Individual Sponsor of LOPSA. See <http://www.lopsa.org/>.
More information about the dns-operations