[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Brad Knowles brad at stop.mail-abuse.org
Wed Jul 12 08:03:18 UTC 2006

At 8:52 AM +0200 2006-07-12, Stephane Bortzmeyer quoted David Ulevitch:

>>  In fact, I can't imagine a reason why you wouldn't use OpenDNS.
>  1) Because it is awfully slow (160 msec, for data in the cache),

Well, let's see.  The machines are in various places in the US.  In 
my experience, latency across "the pond" is frequently on the order 
of ~70-150ms or worse, so I can see how you'd get pretty bad 
performance right now.

Still, from my slow cablemodem line here in Austin, TX, I can ping 
www.bbc.co.uk and get pretty reliable ~70ms RTTs.  Unfortunately, it 
looks like I'm also getting ~70ms RTTs to the advertised IP addresses 
for the OpenDNS resolvers, and I'm here in the US.

>  2) Because it decreases reliability (if I use OpenDNS and the transit
>  links of my provider, Renater, goes down, I cannot even resolve ".fr"
>  domains),

IIRC, OpenDNS is using anycast routing tricks, right?  Didn't we have 
a knock-down, drag-out fight a while back over the evil that we've 
seen happen with other pure-anycast TLD operators?  I mean, I know 
that some of the root servers are doing anycast, but there are other 
root servers that are pure unicast, and that should hopefully resolve 
the routing weirdness issues for them.

Or am I mis-remembering things?

Certainly, my current routing path to both advertised IP addresses 
appears to be exactly the same.  If they wanted to try to avoid 
routing weirdnesses, wouldn't they want to set those up in two 
separate ASes, so that those two machines don't appear to be 
operating from the same subnet?

I also notice that the registered nameservers for OpenDNS within the 
.com zone are from everydns.net (which makes sense, since David 
created EveryDNS a few years back), although they are reasonably well 
distributed topologically (addresses owned by PSInet, Hurricane 
Electric, ProServe Networks in the Netherlands, and Defender 
Technologies Group LLC).  Not a real problem, but for a company that 
is supposed to be selling itself as the world leader in this field, 
it seems to me that this is something they'd want to have within 
their own domain.

Strangely, the reverse DNS for mail.opendns.com points back to 
mail.perfectemail.net.  Again, that seems to be something that they'd 
probably want to make sure is fixed before they start discussing the 
services they're offering in forums like this.  And it seems to me 
that they'd want to discuss these sorts of things in forums like this 
before making press releases to places like C|Net.  At least we might 
be able to save them a little embarrassment over things like this, 
before word gets spread out too far.

>  3) Because it is broken (see the "NXDOMAIN with some types but not
>  with others" bug),

One thing I'd want to see is a regression test for compatibility and 
conformance, both to the published "de jure" standards, as well as 
the de facto standards.  Differences should be noted and explained, 
or fixed.

So far, a few people have taken up the task of creating an 
alternative authoritative-only service to compete with BIND, with 
some limited success.  But outside of certain commercial 
alternatives, I have yet to see anything that I'd be willing to run 
on the caching-only side of the house.

I'd want to know a lot more about what's going on under the hood 
before I would feel comfortable about using such a service.

And I'd want to know a lot more about the people involved, the 
venture capitalists who are providing them money, etc....  For all I 
know, this could be something that is being secretly funded by 
Microsoft or Google as a way to temporarily "give away" a loss-leader 
service that they can then later cash in on once they have eliminated 
all possible competition.

Or maybe they just get bought out by VeriSign, and we're right back 
to where we were with SiteFinder.

Fully open-source all the software, and then run the OpenDNS service 
based on the fully open-source software that they provide, and I 
might feel better about what's going on.  But they'd still need to 
convince me that they aren't playing any games behind the scenes.

But that "reliable source of NXDOMAIN" point that Paul brings up is 
pretty killer.  I don't think that you can get around that one.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  Founding Individual Sponsor of LOPSA.  See <http://www.lopsa.org/>.

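A way to put numbers behind points 1 and 3 of the message above, as an added example: this is not code from the post, from OpenDNS, or from any resolver vendor. It speaks raw DNS over UDP using only the Python standard library (no dnspython), asks the same name for several types, and times each query twice so the second ("warm") pass stands in for the "data in the cache" latency the thread argues about. nxdomain_inconsistencies() flags the "NXDOMAIN with some types but not with others" behaviour, which RFC 2308 rules out because NXDOMAIN is a statement about the name, not about one RR type. The resolver address and the name to query are command-line arguments rather than OpenDNS's advertised addresses, which the post does not list; example.com in the docstrings is a placeholder, and the wire bytes mentioned in comments are constructed for illustration.

```python
import random
import socket
import struct
import sys
import time

QTYPE = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "AAAA": 28}
RCODE_NAME = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
              3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype, txid=None):
    """Encode a minimal recursive (RD=1) query for name/qtype.

    Returns (txid, wire_bytes): a 12-byte header, one uncompressed question,
    no EDNS.  e.g. build_query("example.com", "A", txid=0x1234) starts with
    the constructed header bytes 12 34 01 00 00 01 00 00 00 00 00 00."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD set
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        qname += struct.pack("B", len(raw)) + raw
    qname += b"\x00"
    return txid, header + qname + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS IN


def parse_response(data, txid):
    """Return (rcode_name, ancount) from a raw reply, after checking that it
    really is a response (QR bit) to the transaction id we sent."""
    if len(data) < 12:
        raise ValueError("short response")
    rid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply?)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return RCODE_NAME.get(rcode, "RCODE%d" % rcode), ancount


def nxdomain_inconsistencies(results):
    """results maps qtype -> rcode_name for one queried name.

    Per RFC 2308, NXDOMAIN means the name has no RRs of any type, so if any
    type gets NXDOMAIN every type must.  Returns the qtypes that disagree."""
    if "NXDOMAIN" not in results.values():
        return []
    return sorted(t for t, rc in results.items() if rc != "NXDOMAIN")


def probe(resolver, name, qtypes=("A", "MX", "TXT"), timeout=2.0):
    """Live check of one resolver: query each type twice and time both passes.

    The second ("warm") pass should be answered from the resolver's cache, so
    its RTT is the cached-data latency.  Returns (results, rtts) where results
    maps qtype -> rcode_name and rtts maps (qtype, "cold"|"warm") -> ms."""
    results, rtts = {}, {}
    for qtype in qtypes:
        for pass_name in ("cold", "warm"):
            txid, pkt = build_query(name, qtype)
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                t0 = time.monotonic()
                s.sendto(pkt, (resolver, 53))
                data, _ = s.recvfrom(4096)
                rtts[(qtype, pass_name)] = (time.monotonic() - t0) * 1000.0
            results[qtype], _ = parse_response(data, txid)
    return results, rtts


if __name__ == "__main__":
    # usage: python resolver_check.py <resolver-ip> <name-to-query>
    resolver_ip, name_arg = sys.argv[1], sys.argv[2]
    results, rtts = probe(resolver_ip, name_arg)
    for qtype in results:
        print("%-4s %-9s cold %6.1f ms   warm %6.1f ms" % (
            qtype, results[qtype], rtts[(qtype, "cold")], rtts[(qtype, "warm")]))
    bad = nxdomain_inconsistencies(results)
    print("NXDOMAIN consistency:", "OK" if not bad else "BROKEN for " + ", ".join(bad))
```

One UDP round trip per pass is a smoke test, not a benchmark: run it several times, and from more than one vantage point, since with anycast the answer you get (and the RTT) depends entirely on where your packets enter the network, which is exactly the post's point about routing. Querying a name you expect not to exist shows the NXDOMAIN check doing something; querying one that does exist should report NOERROR for every type.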