
Do you trust these guys?

OpenDNS is a new service available to web surfers, which promises to “make your Internet work better”. Safer. Faster. Smarter. All for FREE!

“The OpenDNS team is improving the safety and speed of the Domain Name System, a fundamental building block of the Internet.” They claim to be “making the Internet a better place.”

So would you trust these guys more than you trust your ISP?

Forgive me, but Google lives under a mantra of “Don’t be Evil” so I am a little skeptical of such pitches. What exactly is under the hood of this OpenDNS?

DNS is the system that translates domain names (such as into IP addresses (such as which are then used to retrieve web pages and such. The data is passed around by IP number, not domain name. So every single computer on the web has to translate those domain names into IP numbers on-the-fly, and we all use the DNS system to do that for us. You may not have heard about DNS because your ISP usually provides a few servers dedicated to DNS name serving. The typical Internet configuration includes setting the DNS name server addresses for you.

So why is DNS worthy of such attention? Well, think about what would happen if you asked for, and your DNS server tricked you by telling your PC that was at (a Google IP address). Your browser would obediently accept that answer and fetch a page from Google, thinking it was from Not too sinister, until you ask for and a compromised DNS system gives you not to the real citibank but a fake citibank web site designed to collect your login details. A compromised DNS system can be used to steal all sorts of secret data, by substituting fake web sites (phishing sites) for real ones. It doesn’t happen all the time.

Maybe you didn’t know you were being so trustful of your DNS services. Actually, you are being trustful of your Internet Service Provider (ISP: Verizon, Comcast, RoadRunner, Earthlink, or whomever).

So the OpenDNS guys are saying “hey, don’t just accept whatever DNS service your ISP gave you. Use our free OpenDNS service instead, and we will make sure you don’t fall victim to DNS-based phishing attacks”.

I’m not sure. Of course I know my ISP is a competitive commercial entity. But I trust them largely because they are a large commercial entity. I figure that if they do something negligent or super obnoxious, they would be found out and possibly held liable. They have a lot to lose. Then again, I thought that about Worldcom even as I triple-checked my Worldcom T1 line billings over and over and kept finding the same apparent overbilling month after month. That didn’t work out.

As a competitive webmaster, I see how OpenDNS could monetize their service offerings over time. They admit that they will be serving up parked pages with advertisements, when a user mistypes your URL:

“OpenDNS makes money by offering clearly labeled advertisements alongside search results on error pages. OpenDNS will provide additional services on top of its enhanced DNS service.”

So if you are using OpenDNS as your DNS service, and you mistakenly ask for (a typo) instead of, OpenDNS will give you an error page with advertisements on it. I can only assume that in the future, for a fee, they might offer me the chance to buy that typo, so that they automatically send it to where it was meant to go. I also have to assume that they would price that domain typo so that the revenue I provide in exchange for the traffic equals or exceeds the potential revenue generated by the parked page with ads. Otherwise, why would they sell it to me instead of leaving their parked advertisements page? And then I consider the impact of the middleman… Google or whomever might be serving the ads. In short, I am volunteering to give OpenDNS an opportunity to monetize my own typos. Why would I do that?

I am a web user and a web publisher, and this all smells bad to me. No matter how I view it, OpenDNS seems to want to monetize the typo traffic that I feel the Internet really should be sending my way for free. And it sounds to me like they offer it as a benevolent opportunity to improve the world. In this case, I’m not so sure the world of DNS needs improvement. I’m not so sure I hold typo squatters in high regard, and I’m not so sure I want to trust a group of entrepreneurial competitive webmasters banking on revenue from typo squatting more than I trust a deep-pocket ISP that has much, much better things to do than monetize the DNS errors. In fact, the large ISPs probably have a very strong desire to maintain a simple, secure, and efficient DNS setup just to avoid headaches.

One comment from Nikolas on the OpenDNS blog cuts right to the chase and asks, “Why should I trust you guys?”:

One serious potential concern though, is how do I know that OpenDNS will never allow a man-in-the-middle attack using a substitute web site either because you are a bad guy, or because your DNS server has been compromised? Do I have to trust you as much as my ISP in order to use OpenDNS when doing banking transactions, etc.? (Except for safe sites that overcome this issue by adding a sign in step where they show a user selected picture and phrase in response to a username to prove to you that it is the real web site before you enter your password.) Even if you are good guys with secure DNS servers, can’t a bad guy who handles the DNS network traffic alter the IP address response of your DNS server (which is not a problem if the DNS response never travels outside my ISP’s trusted network) to create a man-in-the-middle attack?

There was no answer posted at the time I wrote this post.

Now OpenDNS has the opportunity to provide other value as well, and they promote that. By deploying a large cache, they can serve pages out of the cache so your browser gets them faster than a slow web site might send them directly. Think MySpace… if you want the Christine Dolce (ForbiddenXO) MySpace page, it currently loads in something like 4 minutes direct from MySpace. Were you an OpenDNS user, that page should load instantaneously from the OpenDNS cache. That is very, very nice for the Christine Dolce MySpace fans.

I have a lot of questions about this service idea. If I make a typo, I get an error page which tells me I made a mistake. I hate it when I get a parked page from some typo squatter (especially when it redirects.. argh!). Why is this better than nothing?

What happens to a domain like that may exist as a separate site in Canada? Will US-based OpenDNS users get sent to my site (, or the Canadian site? On the regular Internet, you get what you type in. That was a big part of the hullabaloo when Verisign hijacked the DNS with Site Finder. Right now if there is such a conflict there are rules for mediating that conflict. What will OpenDNS do? I would guess they would leave it alone, in which case they aren’t adding any value. And what about hyphenated domains I might buy or not buy yet? Will OpenDNS parse (which doesn’t exist) to And if it does, what happens when someone else registers Would they ever know if OpenDNS was serving customers to I doubt it.

The jury is still out on whether or not this is good for the Internet, but I don’t see enough value to expend the effort and trust these guys over the other guys. When you add in my cynical side and the “making the Internet a better place” claim they make while scheming up ways to monetize the traffic you should probably be getting anyway, I have to pass. Now I can see the OpenDNS guys taking their monetization schemes to the big ISPs and partnering to capture and monetize the typos as a B2B endeavor… but please don’t do that while pitching me on how good it is for the Internet.


  1. John Roberts wrote:

    [Editor’s Note: this commentary on the business model and whether or not it should be trusted is old now, and there has been much discussion on the web of OpenDNS, their monetization model, and how they and others are battling to control aspects of your desktop. Be sure to read more up to date information. We all know more now than we did then, so we should be in an even better position to understand OpenDNS and whether or not we can “trust” them].

    Thanks for paying attention, even if I disagree with your analysis almost completely.

    I’m not sure why you think your “large commercial entity” is more trustworthy than we are, but that’s your choice to make. At OpenDNS, we’re advocating you _choose_ OpenDNS. If we do the right thing for customers, you will continue to choose OpenDNS. If not, you leave — there shouldn’t be any lock-in with DNS.

    You wrote:
    “So if you are using OpenDNS as your DNS service, and you mistakenly ask for (a typo) instead of, OpenDNS will give you and [sic] error page with advertisements on it.”

    That’s actually not correct.. our typo correction changes the .cm to .com and someone gets straight to where they wanted to go.

    Actions speak louder than words. Watch us.

    John Roberts

    Thursday, July 20, 2006 at 5:27 pm | Permalink
  2. john andrews wrote:

    Thanks for clarifying some of that, John. It’s ok to disagree with me. I’ve been wrong plenty of times before. But I do believe I have a valid perspective.

    I guess my .cm typo is not the right kind of typo to trigger ads? Does that mean you serve ads in place of 404’s? What about 4xx’s or 5xx? Your FAQ says you

    “fix typos in the URLs you enter whenever we can. For example, if you’re using OpenDNS craigslist.og will lead directly to”

    and yet you also acknowledge that you monetize the free service by placing ads in the search results:

    “If we’re not sure what to do with an error, we provide search results for you to choose from…..OpenDNS makes money by offering clearly labeled advertisements alongside search results on error pages.”

    I’m not sure how you manage that potential conflict of interest. If you do a perfect job, you have no revenue (?)

    Thursday, July 20, 2006 at 5:40 pm | Permalink
  3. Users want the best experience possible and we strive to deliver the best experience possible. There’s no conflict in that. People need a reliable DNS service that puts them in control. They don’t have that now. Try and tell me how we can improve.

    Oh and:

    “No matter how I view it, OpenDNS seems to want to monetize the typo traffic that I feel the Internet really should be sending my way for free.”

    This is exactly what we do! We send typo traffic your way for free from our users who mistyped your website!


    Thursday, July 20, 2006 at 8:49 pm | Permalink
  4. Al wrote:

    Frankly, I have found OpenDNS’s service quite useful. I have no problem with them seeing an opportunity to eventually monetize the idea by returning a page with suggested links and paid for links from non-resolvable URLs. Certainly you have to acknowledge that this is EXACTLY what Google and Yahoo search does and they have monetized search BIG TIME!

    As to trusting the big corporation?? I think you may be deluded that big means honest. Take ATT… Turns out that they are in a bit of a bind now because they are allowing or allowed the government to spy on us. In my book I don’t want them to make that decision. Big does not mean righteous.

    Friday, July 21, 2006 at 7:51 am | Permalink
  5. john andrews wrote:

    That’s great, Al. It’s been out a week or so and you have found it quite useful. Could you explain that a bit? What exactly has been useful? Do you make a lot of typos? Has the caching made a big difference for you in that short period of time? I’d love to understand how this might be used, since it is free and all.

    Friday, July 21, 2006 at 12:03 pm | Permalink
  6. anonimo wrote:

    If the guy from OpenDNS really responded to the author, how come he didn’t mention anything about the security related question (man in the middle attack, phishing, malicious DNS redirecting)? I just started using OpenDNS (like 15 minutes ago) and yes, web browsing is a lot faster, and it’s amazing when using a 400mhz P2 pc, COOL, but what about security? I check (almost daily) 3 different online bank accounts and lots of email, so I guess I’m gonna have to either make a desktop shortcut to the DNS settings and change it to my ISP’s every time before checking important stuff like bank accounts, but thinking about it…maybe there is some security related info on the OpenDNS website, I’ll go look ….and there is also the hope that maybe maybe maybe any connection, secured via SSL (encrypted), from anywhere to who knows where, through OpenDNS’s servers, remains SECURED. What would we all do w/out hope!!?

    John adds: Right.  That’s why I titled it “would you trust these guys?”. I can’t speak for them (why the security questions were passed over). I can only ask the questions, and wonder about what is left unanswered.

    Wednesday, May 23, 2007 at 11:32 pm | Permalink
  7. Pennywigeon wrote:

    I am currently trying for one simple reason. My ISP (Roadrunner) has initiated a new “service” without telling me nor asking my permission and has turned this new “service” on by default.

    The new service? DNS hijacking. You type in a typo DNS and Road Runner sends you the SPAM error page very much like Open DNS. But the problem is many users are finding out that even when you type in something CORRECTLY at times your DNS is “hijacked” and you get what Road Runner feels you should receive. Some users have typed in and instead of getting Google they are receiving (Road Runner Sponsor).

    Of course Road Runner is claiming this is a “bug” but it is funny that a “bug” works in favor of Road Runner’s sponsors…..

    How are users becoming aware of this fiasco? Because the new DNS service that Road Runner rolled out (February I think) is causing massive delays when retrieving DNS information. You type in a URL and the browser “hangs” for a bit (sometimes up to a few minutes) then “retrieves” the sometimes correct page and other times it retrieves a SPAM error page.

    My question is this. Is there any way or any tool used that can VERIFY that a DNS is retrieving the correct information all the time or is DNS Hijacking becoming the new method of corporate spam and unsolicited services?

    @penny:  if you have control of some DNS records somewhere, you could periodically change them and check your workstation’s DNS resolution to make sure it tracks the changes and shows the correct IP addresses. Otherwise, no.. it is very difficult to test for and detect low level DNS manipulation without getting very technically involved. That is why it works so well. When considering OpenDNS, you are considering trusting them instead of your own ISP.

    Wednesday, March 19, 2008 at 6:58 am | Permalink
  8. jenn wrote:

    I just tried logging into MySpace this morning… I can’t get in because OpenDNS blocked that page… I don’t have OpenDNS… I never signed up.. and now can’t log into my MySpace… how the heck do I get this off my computer now?

    Saturday, March 22, 2008 at 12:44 pm | Permalink
  9. lcappelli wrote:

    OpenDNS offers web filtering for free, along with the DNS. Set your wireless router to use the DNS servers they provide (overriding your ISP) and you have a very effective web-filter. I have young kids and this free service is easy to use. Much easier than setting up DansGuardian etc etc etc. It also does not rely on the desktop having the software, so visitors to your house are also filtered. Of course, you can probably get around it, but my 12 year old will no longer get tainted results in a simple search.

    Sunday, July 27, 2008 at 8:12 pm | Permalink
  10. Keith Gallagher wrote:

    Sod OpenDNS, I don’t want/need/desire their service but many sites I used to like, such as have been “taken” by OpenDNS. I begin to wonder if they have permission to take over these sites or whether they have just “plonked” themselves. Perhaps a lot of site owners out there are scratching their heads and wondering what happened to their traffic.

    Saturday, September 27, 2008 at 6:44 am | Permalink
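
An added example (not part of the original post or its comments, and not OpenDNS or Road Runner code) for the question raised in comment 7: a client-side check that flags a resolver which returns addresses for names that should not exist, or which returns addresses other than the ones you published for records you control. The function names, the sample hostname and the 192.0.2.x address are assumptions made for illustration.

```python
import secrets
import socket


def system_resolve(name):
    """Ask the OS-configured resolver; return the set of addresses (empty if none)."""
    try:
        infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit_resolver(resolve, known, suffixes=("com", "invalid")):
    """Return a list of (finding, name, addresses); an empty list means no anomaly seen.

    resolve -- callable taking a hostname and returning a set of IP strings
    known   -- {hostname: set of expected IPs (IPv4 and IPv6)} for records you control
    """
    findings = []

    # Probe 1: a random 32-hex-digit label is almost certainly unregistered, and
    # .invalid is reserved (RFC 6761). Any address returned here means the resolver
    # turns "no such domain" into an answer, as an ad-serving error page requires.
    for suffix in suffixes:
        probe = f"{secrets.token_hex(16)}.{suffix}."  # trailing dot: skip search domains
        got = resolve(probe)
        if got:
            findings.append(("nxdomain-rewritten", probe, got))

    # Probe 2: names whose records you control must come back as you published them.
    for name, expected in known.items():
        got = resolve(name if name.endswith(".") else name + ".")
        if not got:
            findings.append(("no-answer", name, got))
        elif not got <= set(expected):
            findings.append(("unexpected-address", name, got - set(expected)))
    return findings


if __name__ == "__main__":
    # Constructed placeholder: use a hostname and the addresses you publish yourself.
    KNOWN = {"www.example.org": {"192.0.2.10"}}
    for finding in audit_resolver(system_resolve, KNOWN):
        print(finding)
```

An empty result only covers the names probed; a resolver that substitutes answers for other names is not detected by this check.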

2 Trackbacks/Pingbacks

  1. […] Personally I don’t see Network Solutions’ behavior as offensive as some others playing in the space, because they are merely attaching themselves to a domain that was initially checked through their interface, and offering it at their regular (inflated) price. They could say they are assisting the customer by reserving it temporarily on behalf of the Network Solutions customer who has expressed interest. If they allow it to drop in 4 days or so, the behavior is more of a shame than criminal. Bill shows evidence of Network Solutions allegedly engaging in this kiting practice, but I assure you professional domainers are equally on the watch, buying ISP data to scan for unresolved domains they too can snap up with hopes of selling them to interested parties at auction prices. Some time ago I asked “Would you trust these guys” when OpenDNS launched. This domain kiting activity revealed by Bill is just one of many facets of information brokerage available to the infrastructure guys like OpenDNS and registrars, who are in the business of monetizing opportunities created by the availability of your Internet activity data. […]

  2. » Managed DNS Services - John Andrews - on Monday, March 3, 2008 at 11:23 pm

    […] (I last discussed here) […]