OpenDNS is a new service available to web surfers, which promises to “make your Internet work better”. Safer. Faster. Smarter. All for FREE!
“The OpenDNS team is improving the safety and speed of the Domain Name System, a fundamental building block of the Internet.” They claim to be “making the Internet a better place.”
So would you trust these guys more than you trust your ISP?
Forgive me, but Google lives under a mantra of “Don’t be Evil” so I am a little skeptical of such pitches. What exactly is under the hood of this OpenDNS?
DNS is the system that translates domain names (such as www.johnon.com) into IP addresses (such as 220.127.116.11) which are then used to retrieve web pages and such. The data is passed around by IP number, not domain name. So every single computer on the web has to translate those domain names into IP numbers on-the-fly, and we all use the DNS system to do that for us. You may not have heard about DNS because your ISP usually provides a few servers dedicated to DNS name serving. The typical Internet configuration includes setting the DNS name server addresses for you.
So why is DNS worthy of such attention? Well, think about what would happen if you asked for www.johnon.com, and your DNS server tricked you by telling your PC that www.johnon.com was at 18.104.22.168 (a Google IP address). Your browser would obediently accept that answer and fetch a page from Google, thinking it was from johnon.com. Not too sinister, until you ask for Citibank.com and a compromised DNS system sends you not to the real Citibank but to a fake Citibank web site designed to collect your login details. A compromised DNS system can be used to steal all sorts of secret data, by substituting fake web sites (phishing sites) for real ones. It doesn’t happen all the time.
Maybe you didn’t know you were being so trustful of your DNS services. Actually, you are being trustful of your Internet Service Provider (ISP: Verizon, Comcast, RoadRunner, Earthlink, or whomever).
So the OpenDNS guys are saying “hey, don’t just accept whatever DNS service your ISP gave you. Use our free OpenDNS service instead, and we will make sure you don’t fall victim to DNS-based phishing attacks”.
I’m not sure. Of course I know my ISP is a competitive commercial entity. But I trust them largely because they are a large commercial entity. I figure that if they do something negligent or super obnoxious, they would be found out and possibly held liable. They have a lot to lose. Then again, I thought that about Worldcom even as I triple-checked my Worldcom T1 line billings over and over and kept finding the same apparent over billing month after month. That didn’t work out.
As a competitive webmaster, I see how OpenDNS could monetize their service offerings over time. They admit that they will be serving up parked pages with advertisements, when a user mistypes your URL:
“OpenDNS makes money by offering clearly labeled advertisements alongside search results on error pages. OpenDNS will provide additional services on top of its enhanced DNS service.”
So if you are using OpenDNS as your DNS service, and you mistakenly ask for johnon.cm (a typo) instead of johnon.com, OpenDNS will give you an error page with advertisements on it. I can only assume that in the future, for a fee, they might offer me the chance to buy that typo, so that they automatically send it to johnon.com where it was meant to go. I also have to assume that they would price that domain typo so that the revenue I provide in exchange for the traffic equals or exceeds the potential revenue generated by the parked page with ads. Otherwise, why would they sell it to me instead of leaving their parked advertisements page? And then I consider the impact of the middleman… Google or whoever might be serving the ads. In short, I am volunteering to give OpenDNS an opportunity to monetize my own typos. Why would I do that?
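A resolver that serves a page for a mistyped name has to answer with an address where the DNS would normally say "no such domain" (NXDOMAIN, response code 3). The following added example, which is not from the original post, parses two constructed DNS replies for a name that cannot exist and tells the two behaviours apart; the probe name under the reserved .invalid TLD, the documentation address 192.0.2.1 and all function names are assumptions made for illustration.

```python
import struct

def build_response(qname, rcode, addrs):
    """Build a minimal DNS response; constructed sample data, not a capture."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, RCODE in the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += name + struct.pack("!HH", 1, 1)  # question: QTYPE=A, QCLASS=IN
    for addr in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)  # pointer to name at offset 12
        msg += bytes(int(octet) for octet in addr.split("."))
    return msg

def skip_name(msg, off):
    """Return the offset just past an encoded name (labels or a pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (rcode, [IPv4 addresses from A records in the answer section])."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def classify(msg):
    rcode, addrs = parse_response(msg)
    if rcode == 3 and not addrs:
        return "nxdomain"   # resolver reported the name as non-existent
    if rcode == 0 and addrs:
        return "rewritten"  # resolver substituted an address of its own
    return "other"
PROBE = "probe-7f3a.invalid"  # constructed name under the reserved .invalid TLD
HONEST = build_response(PROBE, 3, [])
REWRITING = build_response(PROBE, 0, ["192.0.2.1"])  # 192.0.2.1 is a documentation address
```

Against a live resolver, the same `classify` logic applies to the raw reply bytes for a query on a name you know does not exist.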
I am a web user and a web publisher, and this all smells bad to me. No matter how I view it, OpenDNS seems to want to monetize the typo traffic that I feel the Internet really should be sending my way for free. And it sounds to me like they offer it as a benevolent opportunity to improve the world. In this case, I’m not so sure the world of DNS needs improvement. I’m not so sure I hold typo squatters in high regard, and I’m not so sure I want to trust a group of entrepreneurial competitive webmasters banking on revenue from typo squatting more than I trust a deep-pocket ISP that has much, much better things to do than monetize the DNS errors. In fact, the large ISPs probably have a very strong desire to maintain a simple, secure, and efficient DNS setup just to avoid headaches.
One serious potential concern though, is how do I know that OpenDNS will never allow a man-in-the-middle attack using a substitute web site either because you are a bad guy, or because your DNS server has been compromised? Do I have to trust you as much as my ISP in order to use OpenDNS when doing banking transactions, etc.? (Except for safe sites that overcome this issue by adding a sign in step where they show a user selected picture and phrase in response to a username to prove to you that it is the real web site before you enter your password.) Even if you are good guys with secure DNS servers, can’t a bad guy who handles the DNS network traffic alter the IP address response of your DNS server (which is not a problem if the DNS response never travels outside my ISP’s trusted network) to create a man-in-the-middle attack?
There was no answer posted at the time I wrote this post.
Now OpenDNS has the opportunity to provide other value as well, and they promote that. By deploying a large cache, they can serve pages out of the cache so your browser gets them faster than a slow web site might send them directly. Think MySpace… if you want the Christine Dolce (ForbiddenXO) MySpace page, it currently loads in something like 4 minutes direct from MySpace. Were you an OpenDNS user, that page should load instantaneously from the OpenDNS cache. That is very, very nice for the Christine Dolce MySpace fans.
I have a lot of questions about this service idea. If I make a typo, I get an error page which tells me I made a mistake. I hate it when I get a parked page from some typo squatter (especially when it redirects.. argh!). Why is this better than nothing?
What happens to a domain like johnon.ca that may exist as a separate site in Canada? Will US-based OpenDNS users get sent to my site (johnon.com), or the Canadian site? On the regular Internet, you get what you type in. That was a big part of the hullabaloo when Verisign hijacked the DNS with Site Finder. Right now if there is such a conflict there are rules for mediating that conflict. What will OpenDNS do? I would guess they would leave it alone, in which case they aren’t adding any value. And what about hyphenated domains I might buy or not buy yet? Will OpenDNS parse john-on.com (which doesn’t exist) to johnon.com? And if it does, what happens when someone else registers john-on.com? Would they ever know if OpenDNS was serving john-on.com customers to johnon.com? I doubt it.
The jury is still out on whether or not this is good for the Internet, but I don’t see enough value to expend the effort and trust these guys over the other guys. When you add in my cynical side and the “making the Internet a better place” claim they make while scheming up ways to monetize the traffic you should probably be getting anyway, I have to pass. Now I can see the OpenDNS guys taking their monetization schemes to the big ISPs and partnering to capture and monetize the typos as a B2B endeavor… but please don’t do that while pitching me on how good it is for the Internet.