Networking Notes: Boost Your 'Net Security With OpenDNS
This free service focuses on performance, security and convenience to make a little-known and occasional pain point a little less painful.
Last week, after a long bout of dooming and glooming about the dangers of operating system overconfidence, the real looming dangers for 'net security and peak oil, I tried to offer a ray of hope in the form of PhishTank.
The service, which offers a database of known phishing sites, is provided by OpenDNS, a free DNS service with performance, security and convenience in mind. This week, we're going to take a quick look at OpenDNS and see how we can use it to make a little-known and occasional pain point a little less achey.
Just to make sure we're all talking about the same thing, here's a quick refresher course on DNS:
The Domain Name System (DNS) is the part of the Internet that makes life a little easier for people who don't think in IP addresses. When you type "practicallynetworked.com" into your browser's location bar, a DNS server is what handles translating that into "22.214.171.124" so your browser can connect with our Web server.
There's a lot to DNS we're just not going to get into, except to note that DNS is, as the name implies, a system. There are 13 so-called "root servers" that hold the root zone, which is not a master list of every name on the 'net but the list of which servers are authoritative for each top-level domain such as .com. Below them sits a hierarchy of authoritative servers, one set per domain, each holding the records for its own names. The name servers your computer actually talks to, your ISP's or OpenDNS's, are recursive resolvers: they walk that hierarchy on your behalf and cache each answer for the time-to-live (TTL) the domain's owner put on the record. If you've ever heard someone talk about having to "wait for the DNS record to propagate" on a new domain, they're talking about waiting for the old answer to expire from resolver caches around the 'net before everyone starts getting the new IP-to-name mapping.
Most people don't bother much with DNS. It's usually a set of numbers their ISPs tell them to set on their computers, if even that much, and then they forget all about them, as they probably should most of the time. Some people never even see the word "DNS" when they connect to the Internet. In some ways, that's good, because it's a bit of detail no normal user has much control over anyhow. In other ways, it's bad, because DNS settings can play a hard-to-discern but crucial part in how well a computer seems to perform when accessing, for instance, Web pages.
Consider this anecdote:
I had one of the first DSL connections in a small town in Virginia some years ago. It was a pilot roll-out of the service, so a lot of local infrastructure was missing and there wasn't much in the way of network optimization.
I started noticing an irritating bit of latency in Web page load times, though, that was hard to explain. Image files, for instance, would load very quickly. But pages took a while to draw in the browser, and there always seemed to be a hitch after clicking a link or trying to download something. Eventually I got fed up with the behavior and ran a few traceroutes on some servers. Then a friend suggested I look into the potential issue of DNS latency, that is, the length of time it takes for a computer to request the IP address for a given name and get a response back from the DNS server. Browsers at the time performed DNS lookups on every page element they encountered, so a lag in DNS performance could really hit your sense of how fast the browser was drawing pages.
I ran a traceroute on my ISP's name servers and learned that they were located 500 miles away in Atlanta, with one of the last hops along the way delaying transactions by almost a second sometimes.
At the time, I solved the problem by setting up a caching name server on my Linux server at home. The caching name server requested DNS records once, and once it had them it would answer requests for those names from computers on my LAN by itself. No more 500-mile trail of tears for my name requests.
There are other hazards and inconveniences associated with faulty or poorly designed DNS services, ranging from simple poor performance to the inconvenience of domains that appear to disappear from the 'net thanks to slowly updated records. And when simple mistakes aren't out to get you, there's always the problem with ideas like VeriSign's Site Finder debacle, which "helpfully" redirected mistyped or unregistered .com and .net addresses to VeriSign's own server instead of returning the "no such domain" error everything else on the 'net expects. Mail servers that should have bounced a misaddressed message instead tried to deliver it to VeriSign, and anti-spam tools that rejected mail from nonexistent domains suddenly found that every domain existed.
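The DNS refresher above, the latency anecdote and the Site Finder problem all come down to what a resolver sends back on the wire, so here is an added example (written for this page, not code from the original column or from OpenDNS) that builds a raw DNS query, parses the reply, times a resolver over UDP port 53, and checks whether it answers a made-up name honestly with NXDOMAIN or "helpfully" synthesizes an address. The `nx-xxxxxxxx.com` bogus-name pattern, the 2-second timeout and the test-net address in the comments are assumptions for the example; the hand-built packets in the test are constructed, not captured.

```python
"""DNS wire-format helpers: build a query, parse a reply, time a resolver,
and flag NXDOMAIN rewriting (Site Finder-style "helpful" redirection)."""
import secrets
import socket
import struct
import time


def build_query(name, qtype=1, txid=None):
    """Return (packet, txid) for a recursive query; qtype 1 is an A record.
    The ID is unpredictable on purpose: a guessable ID makes spoofed
    answers easy to slip in (assumed good practice, not from the article)."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1), txid


def _read_name(pkt, off):
    """Decode a possibly compressed name at `off`; return (name, next_off)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                      # guard against pointer loops
        length = pkt[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035)
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(pkt):
    """Return txid, rcode and a list of (name, type, ttl, rdata) answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question
        _, off = _read_name(pkt, off)
        off += 4                              # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:         # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def classify_bogus_response(resp, txid):
    """What did the resolver do with a name that should not exist?"""
    if resp["txid"] != txid:
        return "mismatched-txid"              # not our answer; treat as suspect
    if resp["rcode"] == 3:
        return "nxdomain"                     # the honest answer
    if resp["rcode"] == 0 and any(a[1] == 1 for a in resp["answers"]):
        return "synthesized"                  # NOERROR + A record: redirection
    return "other"


def timed_lookup(server, name, timeout=2.0):
    """Send one UDP query and return (elapsed_ms, parsed, txid). Needs network."""
    query, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
        elapsed = (time.perf_counter() - start) * 1000
    return elapsed, parse_response(data), txid


def bogus_name():
    """A random label under .com that nobody should have registered (assumed)."""
    return "nx-%08x.com" % secrets.randbelow(0x100000000)


if __name__ == "__main__":
    import sys
    for server in sys.argv[1:]:               # resolver IPs to compare
        ms, resp, _ = timed_lookup(server, "practicallynetworked.com")
        print(server, "%.1f ms" % ms, resp["answers"])
        ms, resp, txid = timed_lookup(server, bogus_name())
        print(server, "bogus name ->", classify_bogus_response(resp, txid))
```

Run it with the resolver addresses from your ISP and the ones you are thinking of switching to; the first line per server is the raw lookup time the anecdote above was chasing, and the second tells you whether that resolver returns "no such domain" or invents an answer. Run the bogus-name check a few times, since a resolver only caches what it has already been asked.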
OpenDNS fits into all this by providing a free DNS service that provides three interesting features:
There have been some enthusiastic reports on OpenDNS since it launched last year, but a few caveats are in order:
And, finally, always show care when adopting any service that helps with security. Running anti-virus software doesn't make it a good idea to open strange attachments, and routing your DNS through an anti-phishing service doesn't mean you can stop paying attention to sites that ask for your information: a phishing site the service hasn't catalogued yet resolves like any other. Any security expert will tell you that real security is a process, not an end-point. Common sense is a key part of that process.
If you're curious, though, and if you want to give OpenDNS a spin, it provides instructions for several routers and operating systems to get you going, without any installation required.
One last thing: If you're doing as I suggested several months back and keeping a notebook, this is an ideal candidate for logging, especially noting what the IP addresses of your previous DNS servers were. If you notice your system isn't acting correctly, restore the old DNS servers. Another nice thing about OpenDNS is that if it doesn't perform as well as you hoped, you can always go back to where you started.