This free service focuses on performance, security and convenience to make a little-known and occasional pain point a little less painful.
Last week, after a long bout of dooming and glooming about the dangers of operating system overconfidence, the real looming dangers for ‘net security and peak oil, I tried to offer a ray of hope in the form of Phishtank.
The service, which offers a database of known phishing sites, is provided by OpenDNS, a free DNS service with performance, security and convenience in mind. This week, we’re going to take a quick look at OpenDNS and see how we can use it to make a little-known and occasional pain point a little less achey.
Just to make sure we’re all talking about the same thing, here’s a quick refresher course on DNS:
The Domain Name System (DNS) is the part of the Internet that makes life a little easier for people who don’t think in IP addresses. When you type “practicallynetworked.com” into your browser’s location bar, a DNS server is what handles translating that into “126.96.36.199” so your browser can connect with our Web server.
There’s a lot to DNS we’re just not going to get into, except to note that DNS is, as the name implies, a system. There are 13 so-called “root servers” that maintain a master list of IP addresses and their corresponding names, and there are many more independent DNS servers that all communicate among themselves and with the root servers to make sure that list is always up-to-date. If you’ve ever heard someone talk about having to “wait for the DNS record to propagate” on a new domain, they’re talking about all the DNS servers updating each other on the new IP-to-name mapping the domain requires.
Most people don’t bother much with DNS. It’s usually a set of numbers their ISPs tell them to set on their computers, if even that much, and then they forget all about them, as they probably should most of the time. Some people never even see the word “DNS” to connect to the Internet.
In some ways, that’s good because it’s a bit of detail no normal user has much control over anyhow. In other ways, it’s bad, because DNS settings can play a hard-to-discern but crucial part in how well a computer seems to perform when accessing, for instance, Web pages.
Consider this anecdote:
I had one of the first DSL connections in a small town in Virginia some years ago. It was a pilot roll-out of the service, so a lot of local infrastructure was missing and there wasn’t much in the way of network optimization.
I started noticing an irritating bit of latency in Web page load times, though, that was hard to explain. Image files, for instance, would load very quickly. But pages took a while to draw in the browser, and there always seemed to be a hitch after clicking a link or trying to download something. Eventually I got fed up with the behavior and ran a few traceroutes on some servers.
Then a friend suggested I look into the potential issue of DNS latency — that is, the length of time it takes for a computer to request the IP address for a given name and get a response back from the DNS server. Browsers at the time performed DNS lookups on every page element they encountered, so a lag in DNS performance could really hit your sense of how fast the browser was drawing pages.
I ran a traceroute on my ISP’s name servers and learned that they were located 500 miles away in Atlanta, with one of the last hops along the way delaying transactions by almost a second sometimes.
At the time, I solved the problem by setting up a caching name server on my Linux server at home. The caching name server simply requested DNS records once, but once it had them it would respond to requests for names from computers on my LAN by itself. No more 500-mile trail of tears for my name requests.
There are other hazards and inconveniences associated with faulty or poorly designed DNS services, ranging from simple poor performance to the inconvenience of domains that appear to disappear from the ‘net thanks to slowly updated records. And when simple mistakes aren’t out to get you, there’s always the problem with ideas like VeriSign’s Site Finder debacle, which “helpfully” redirect mistyped addresses transparently, sometimes causing mail to get lost or causing anti-spam solutions to break.
OpenDNS fits into all this by offering a free DNS service with three interesting features:
- It’s optimized for speed through intensive caching. When you ask for a page in your browser, OpenDNS’ service takes advantage of its many other users to check whether it already has a copy of that record. If it does, it replies to your browser right away and off you go. OpenDNS points, in particular, to tardy sites like MySpace as being the recipients of a big speed boost.
- It provides a bit of “spelling correction” for mistyped domains. For instance, with OpenDNS, you can try to visit “practicallynetworked.cmo” and still end up on these pages. And if you really bungle the spelling, you get a directory page from OpenDNS that offers some likely alternatives.
- OpenDNS works in conjunction with the company’s PhishTank service, so if you try to go to a known phishing site, it will block your attempt.
There have been some enthusiastic reports on OpenDNS since it launched last year, but a few caveats are in order:
- Sometimes, applications need to know that a given address doesn’t really exist. OpenDNS doesn’t allow that to happen, which could break those applications.
- The speed gains OpenDNS touts aren’t a given. Some ISPs have well-maintained and engineered DNS setups, so you might not gain as much performance as you’d like.
- Also, those speed increases aren’t going to matter at all for things like lengthy downloads: The only thing being sped up is how quickly your computer gets an address back from a nameserver.
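To see whether a resolver hides "this name does not exist" answers (the first caveat above), you can ask it for a name that cannot plausibly be registered and inspect the reply header. The sketch below is an added example, not part of the original article or OpenDNS's own tooling; the function names are hypothetical, the random `.com` label is assumed to be unregistered, and the sample replies are constructed.

```python
import secrets
import socket
import struct

RCODE_NXDOMAIN = 3  # DNS response code for "no such domain"

def build_query(name, qtype=1):
    """Encode a recursive A query; returns (transaction id, wire bytes)."""
    txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(txid, wire):
    """Judge a resolver's reply to a query for a name that should not exist."""
    if len(wire) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if rid != txid or not flags & 0x8000:
        return "malformed"          # wrong transaction, or not a response
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "honest-nxdomain"    # applications see that the name is absent
    if rcode == 0 and ancount > 0:
        return "rewritten"          # resolver supplied an address anyway
    if rcode == 0:
        return "nodata"
    return "error-rcode-%d" % rcode

def probe(resolver_ip, suffix="com", timeout=3.0):
    """Query resolver_ip for a random label (assumed unregistered) under suffix."""
    name = "nx-%s.%s" % (secrets.token_hex(16), suffix)
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        wire, _ = s.recvfrom(4096)
    return classify_response(txid, wire)

def sample_reply(txid, rcode, answers):
    """Constructed reply (header only) for exercising classify_response offline."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, answers, 0, 0)
```

Run `probe()` against your ISP's resolver and against the replacement before switching; a result of `rewritten` means software that relies on lookup failures, such as some anti-spam checks, will see an address where it expects none.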
And, finally, always show care when adopting any service that helps with security. Just because you’re running anti-virus software, for instance, it’s still a bad idea to open strange attachments. Just because you’ve got your DNS service routed through an anti-phishing service, you should still show care when visiting sites that want your information. Any security expert will tell you that real security is a process, not an end-point. Common sense is a key part of that process.
If you’re curious, though, and if you want to give OpenDNS a spin, it provides instructions for several routers and operating systems to get you going, without any installation required.
One last thing: If you’re doing like I suggested several months back and keeping a notebook, this is an ideal candidate for logging, especially noting what the IP addresses of your previous DNS servers were. If you notice your system isn’t acting correctly, restore the old DNS servers. Another nice thing about OpenDNS is that if it doesn’t perform as well as you hoped, you can always go back to where you started.