RE: Sitefinder II, the sequel...

Nice troll.

Joseph Jackson wrote:

Nice troll.

Nah, wasn't even entertaining.

There's a big difference, of course, between INTENTIONALLY pointing your
computers at DNS servers that do this kind of thing, and having it done for
you without your knowledge and/or consent.

a message of 16 lines which said:

There's a big difference, of course, between INTENTIONALLY pointing
your computers at DNS servers that do this kind of thing, and having
it done for you without your knowledge and/or consent.

As Steven Bellovin pointed out, most OpenDNS users will not choose it:
it will be chosen for them by their corporate IT department or by
their Internet access provider.

Yes, one way you choose who breaks your DNS; the other way Verisign breaks it
for you.

Most people don't have the know-how to understand the consequences of using
such a service. So providing it without screaming huge warnings is at best
misleading.

As someone who works for a company that provides trials of a web hosting
product, we've had our share of abusive trial users inventing new ways to
abuse our service. But if you try and block this abuse at the DNS level
you'll almost certainly break access to every other site we host on that
service.

Similarly, our DNS servers provide short-term A records for some important
sites; blocking their IP address in the DNS server would result in a loss of
redundancy of a fairly major service (okay, we use different names for the DNS
server and the webserver, but not everyone does that). In this instance it is
unlikely the loss of redundancy would be noticed until it was needed, as by
its nature redundancy acts to hide small-scale failures.

This is the basic issue with DNS changes by third parties;

"the third party can have no knowledge of the scope or scale of the issues
their changes could cause".

That is why the DNS has delegated administration. Although there is probably
less need for delegated deployment any more (computers are big and cheap
compared to the 1970s), delegated administration is still a MUST have.

Think DNS is *sensitively dependent on correct values*.

Sure they can try and guess, but it is at best a guess. I note almost all
phishing sites use IP addresses these days anyway; certainly all those I
reported this morning were using URLs of the form
"http://10.11.12.13/www.example.com/"

If you just want faster recursive resolvers, that is easily done without
breaking anything, and without risking your view of the DNS. More hardware,
slave ".", optimise the binaries (Rick Jones has documented this in huge
detail at HP's performance labs), optimise the IP stack etc.

If the only value add is fast recursive resolution, but from off your network,
I'd suggest this is a poor choice as well, as a key planning decision of DNS
resolver deployment is to deploy "within your network" so stuff works when
your connectivity is toast (of course that'll never happen).

I see no redeeming features of the service, or did I miss something?

Our preference system is designed around CIDR, and the most specific prefix will win a lookup, meaning a /32's settings are preferred over those of a /24.

A corporate network can have a policy changing that (aka, you are fired), but an ISP can't. The policies of IT departments and ISPs are not remotely comparable. This is a deliberate design choice.

As usual, ymmv.

-david
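The most-specific-prefix rule described in the post above, as an added example (this is not OpenDNS's code): a per-network preference table keyed by CIDR prefix, where the longest prefix containing the querying client's address wins, so a /32 entry overrides the /24 it sits inside. The preference names (`typo_correction`, `phishing_block`), the sample prefixes and the default settings are assumptions made for this example.

```python
"""Most-specific-prefix preference lookup (added example, not OpenDNS's code).

The most specific configured prefix containing the client's address wins,
so a /32 entry overrides a /24 entry. Preference names, sample prefixes and
defaults are assumptions for this example.
"""
import ipaddress

# Constructed sample preference table: CIDR prefix -> settings dict.
SAMPLE_PREFS = {
    "192.0.2.0/24": {"typo_correction": True, "phishing_block": True},
    "192.0.2.25/32": {"typo_correction": False, "phishing_block": True},
    "2001:db8::/32": {"typo_correction": True, "phishing_block": False},
}

# Assumed defaults, applied when no configured prefix contains the client.
DEFAULT_PREFS = {"typo_correction": False, "phishing_block": False}


def build_table(prefs):
    """Parse the CIDR keys once and order them longest prefix first.

    strict=True rejects entries such as 192.0.2.25/24 whose host bits are set,
    which would otherwise silently match a different range than intended.
    """
    table = []
    for cidr, settings in prefs.items():
        net = ipaddress.ip_network(cidr, strict=True)
        table.append((net, settings))
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def lookup_prefs(table, client_ip):
    """Return (matched_cidr, settings) for the most specific prefix containing client_ip.

    matched_cidr is None when no prefix matches and the defaults apply.
    """
    addr = ipaddress.ip_address(client_ip)
    for net, settings in table:
        # Compare only within the same address family: an IPv4 address never
        # falls inside an IPv6 prefix, even when the prefix lengths coincide.
        if addr.version == net.version and addr in net:
            return str(net), settings
    return None, DEFAULT_PREFS


if __name__ == "__main__":
    table = build_table(SAMPLE_PREFS)
    for ip in ("192.0.2.25", "192.0.2.7", "198.51.100.1", "2001:db8::1"):
        print(ip, "->", lookup_prefs(table, ip))
```

Sorting by prefix length once at build time keeps the lookup a single linear scan that stops at the first hit; for a large table a radix tree would replace the list, but the winner is the same.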

So?

DNSBLs are bad because most users won't choose it, it will be chosen for them.

PPPoE is bad because most users won't choose it, it will be chosen for them.

IP is bad because most users won't choose it, it will be chosen for them.

Choice still exists. People who abdicate their choice, either through laziness, ignorance, other willful choices (e.g. employment), etc., are still making a choice. You cannot say something is horrible because they do not check every individual computer that might in some way be affected.

Put another way, if you run a large network, I guarantee you make choices every day that affect your users. Do you check with each one of them?

I didn't think so.

Having seen a lot of cons and few pros,

here is my scenario:

I am running my own root, a copy of the Cesidian Root
plus some TLDs of my own liking, some shared with
"friends" who don't want to risk cache poisoning.

I am running both djbdns (dnscache with tinydns and axfrdns as root)
and Bind 9.4.0.a6

I have seen that my own nameservers are always faster than my ISP's.

I like the idea of catching the phishermen before they can catch me,
although I am not running Phisherman's Friend (windows eXPerimental).

I have seen with my own eyes on a Windows system OpenDNS is a MUST.
Even if I don't click on install or execute...
and I do not trust open MACs too very much either.

I do not necessarily improve speed when using OpenDNS and I am
not sure whether I want OpenDNS to decide between typos and alt. TLDs.

But I still want to catch the phishermen.
Does it make sense for me and mine?

Kind regards
Peter and Karin

That's absolutely ridiculous. Enterprise IT organizations make decisions on
behalf of their userbase all day. Frankly, I'd be shocked if many tried this
out - most enterprises run their own DNS servers as part of an Active
Directory scheme. In any case, those workstations belong to the enterprise
and they can point them to whatever DNS servers they want.

For most end-users, their Internet access provider already selects their DNS
caching server. ISPs are within their rights to do this - I'm surprised most
broadband ISPs haven't done exactly what OpenDNS is doing to generate
revenue.

I'm sure if you look really hard, you can find something else to be outraged
about. OpenDNS isn't it. I'm at a loss to explain why people are trying so
hard to condemn something like this.

- Daniel Golding

>
> There's a big difference, of course, between INTENTIONALLY pointing your
> computers at DNS servers that do this kind of thing, and having it done for
> you without your knowledge and/or consent.

Yes, one way you choose who breaks your DNS; the other way Verisign breaks it
for you.

Agreed!

If you break your own stuff, that's your own problem and does not raise
any of SiteFinder's issues. Even if an ISP uses this service, people can
still usually find another ISP or point their computers at other DNS
servers.

I see no redeeming features of the service, or did I miss something?

I'm not arguing it's a good idea. I'm just saying it's not evil like
SiteFinder.

Experience?

Please explain to me what experience anyone on this list, or any other, has which would induce people to try "so hard to condemn something like this"?

It's a great answer, but like many answers given here with zero support, it is worth every electron it's written on. And not much more.

People have never created a platform to manage recursive DNS, so it's surprising you have experience here. I don't think we've ever talked either, though I'd be happy to and learn more about what you think and how it compares to other things you've used.

Have you seen this: http://www.opendns.com/prefs/

People that make a comparison to Site Finder still are showing a substantive lack of clue, at this point it should be clear that such a comparison is inappropriate. That said, I'm still working on messaging -- going from someone who talks about DNS to someone who talks about DNS and gets some press about it is new to me. Cool, but new. ;)

Best,
David Ulevitch

That somewhat depends on what you mean by "platform".

If by "platform" you mean a remote managed service for recursive DNS, no one I
know in the DNS business ever tried to sell that (although arguably the ISPs
generally supply something similar free to every customer), that doesn't
necessarily negate their experience.

Most of those I know try to deploy recursive services as close as possible to
the client, avoiding where possible alternative views of the DNS, and
forwarding.

Perhaps time to ask Brad, Paul and Cricket what they think, and have answers
to their comments.

I commend your enterprise, but have you considered trying to sell the "data
feed" via firewall channels, where the restrictions could be applied more
specifically than via a different view of the DNS.

With automated responses to "bad things", it is usually best to minimise the
scope of the change. Similarly typo correction makes sense for URLs, but not
for most other uses of the DNS (hence the proviso you make to switch it off
if you use RBL, although I'd say switch it off for all email servers lest you
start correcting spambot crud; our email servers make a DNS check on the
sender's domain, that doesn't want correcting either), so the answer is
probably a browser plug-in (although most browsers already try to guess what
you meant to some extent).

Most of those I know try to deploy recursive services as close as possible to
the client, avoiding where possible alternative views of the DNS, and
forwarding.

Would that everyone did what the people you know do.

Unfortunately, there are a few providers doing things like outsourcing their recursive service to, say, their upstream, or having one "node" of recursive servers anywhere in the world for all their end users. These providers violate the first part of your sentence.

The second part doesn't make any sense to me. It seems that having multiple, geographically disparate recursive name servers would be more likely to present an "alternative [view] of the DNS". (In fact, I can prove that's true in at least some cases. :) So you are actually arguing -against- your first point.

That said, no one has yet said why it is necessary, or even desirable, to have a completely homogeneous view of the world.

Perhaps time to ask Brad, Paul and Cricket what they think, and have answers
to their comments.

Perhaps. However, in the last DNS related thread, Paul made a pretty strong claim (violating a protocol) and showed exactly _ZERO_ facts to back it up, despite being asked at least five times (by my count).

With automated responses to "bad things", it is usually best to minimise the
scope of the change. Similarly typo correction makes sense for URLs, but not
for most other uses of the DNS (hence the proviso you make to switch it off
if you use RBL, although I'd say switch it off for all email servers lest you
start correcting spambot crud; our email servers make a DNS check on the
sender's domain, that doesn't want correcting either), so the answer is
probably a browser plug-in (although most browsers already try to guess what
you meant to some extent).

Perhaps something as simple as a preference only 'correcting' queries that begin with "www"?

Going off on something of a tangent, I'd be really curious what sort of efforts OpenDNS are making/will need to make in order to limit their servers' utility as a relay for amplification attacks (which I'm listening to a discussion on at IETF as I type).

http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-01.txt

I'd use one example reason of why: "Customer Service issues"

So If grandma Jane goes to fobar.com (which gets
corrected/redirected/blah) to foobar.com and sees some content she really
likes she may tell grandma June. Grandma June goes to fobar.com and gets
the IE error message saying 'site does not exist'. She calls her ISP to
find out why the site is down.

This is a very oversimplified example, I admit. It does show a simple
example though of inconsistency and why that could be 'bad' or at least
problematic. (It might also argue for universal adoption of this
technology, which I still 'just don't like', which also might be the crazy
pills)

In general inconsistency is troubling to folks, I think, and in recursive
DNS it's especially difficult to see as 'good' since that 'service' is not
universal (not all owned/operated by one entity). In the case of
authoritative DNS though, you are (or anyone, not just Patrick) free to
goof with responses as you (or anyone) sees fit... you are after all
'authoritative' for the record. In the recursive land it may be viewed as
'rude' or 'out of spec' (perhaps this is Paul's issue?) to fake answers
to questions.

I wonder about performance and impact and the legitimacy of replying to a
'typo' that isn't really a 'typo'? The claims to 'fix phishing' (phishing
protection), that is doing things like knowing what a phishing name is:
I presume this works on some list of names currently in use (from
antiphishing.org for example). Is there a timeout on these entries? What
about names that are the shared host for lots of users? (members.aol.com
for instance) There are a host of issues here; simple typo correction
isn't going to find/solve/know about most of them.

At the right level of the hierarchy this service certainly could be 'nice'
(or not objectionable) the choice part is a big 'nice' for the service, I
admit. I find it hard to believe an enterprise or MSO would offer this
as a blanket answer though, again crazy-pills might be acting up again
though.

-chris

That said, no one has yet said why it is necessary, or even
desirable, to have a completely homogeneous view of the world.

I'd use one example reason of why: "Customer Service issues"

Thanx, Chris, I was waiting for someone to give this answer. (And I couldn't figure out why no one had! :)

I don't really have a good answer. I'm not sure it's a HUUUUUUGE problem, but I can see the argument.

Perhaps someone associated with the service can give a better answer?

In general inconsistency is troubling to folks, I think, and in recursive
DNS it's especially difficult to see as 'good' since that 'service' is not
universal (not all owned/operated by one entity). In the case of
authoritative DNS though, you are (or anyone, not just Patrick) free to
goof with responses as you (or anyone) sees fit... you are after all
'authoritative' for the record. In the recursive land it may be viewed as
'rude' or 'out of spec' (perhaps this is Paul's issue?) to fake answers
to questions.

Is it? If you type "fobar" and the domain does not exist, is it rude to return foobar? Or is it helpful?

As a purist, I can see saying that's wrong. As a user, they like easy. Hell, most of them use Windows & Outlook, so they clearly don't care about things like "standards". Since they pay our bills, should we listen to them?

Can someone show the Internet is going to collapse, or at least be harmed, by being "rude" in this way?

>> That said, no one has yet said why it is necessary, or even
>> desirable, to have a completely homogeneous view of the world.
>
> I'd use one example reason of why: "Customer Service issues"

Thanx, Chris, I was waiting for someone to give this answer. (And I
couldn't figure out why no one had! :)

I don't really have a good answer. I'm not sure it's a HUUUUUUGE
problem, but I can see the argument.

Perhaps someone associated with the service can give a better answer?

> In general inconsistency is troubling to folks, I think, and in recursive
> DNS it's especially difficult to see as 'good' since that 'service' is not
> universal (not all owned/operated by one entity). In the case of
> authoritative DNS though, you are (or anyone, not just Patrick) free to
> goof with responses as you (or anyone) sees fit... you are after all
> 'authoritative' for the record. In the recursive land it may be viewed as
> 'rude' or 'out of spec' (perhaps this is Paul's issue?) to fake answers
> to questions.

Is it? If you type "fobar" and the domain does not exist, is it rude
to return foobar? Or is it helpful?

Hmmm, while a "good" question - how about another example,
someone mistypes whitehouse.gov - do you return the "real" whitehouse.gov or
the whitehouse.com site ???

As a purist, I can see saying that's wrong. As a user, they like
easy. Hell, most of them use Windows & Outlook, so they clearly don't
care about things like "standards". Since they pay our bills, should
we listen to them?

Also true, and while I agree in "principle", if you transpose only two numbers
on your next deposit ticket - is it the bank's responsibility to put the money
in the correct account - or is it simply your mistake??

Can someone show the Internet is going to collapse, or at least be
harmed, by being "rude" in this way?

I don't think the "net" is going to collapse, but I do think that many of the
"things" being done are simply "making" (allowing/enabling/supporting) end
users to be more and more lazy or whatever term you want to apply. In
school if you spell the word tree as tre - hopefully your teacher corrects
this. What we seem to be doing is saying it is ok to not know how to spell
or even know what or where you want to go on the net - and I am not certain
that in the long term we are not doing more "harm" than good - just as your
teacher would by allowing you to misspell words instead of learning the
correct way....

Larry Smith wrote:

In school if you spell the word tree as tre - hopefully your teacher corrects this.

Yes, hopefully a correction is made in a safe manner. As opposed to the teacher smothering your face with a pornographic magazine or shoving a lit firecracker up your ass.

Cause when you spell a word incorrectly on the internet, that's what frequently occurs.

-mark

Is it? If you type "fobar" and the domain does not exist, is it rude
to return foobar? Or is it helpful?

Hmmm, while a "good" question - how about another example,
someone mistypes whitehouse.gov - do you return the "real" whitehouse.gov or
the whitehouse.com site ???

Note: "and the domain does not exist". Whitehouse.gov absolutely exists.

As a purist, I can see saying that's wrong. As a user, they like
easy. Hell, most of them use Windows & Outlook, so they clearly don't
care about things like "standards". Since they pay our bills, should
we listen to them?

Also true, and while I agree in "principle", if you transpose only two numbers
on your next deposit ticket - is it the bank's responsibility to put the money
in the correct account - or is it simply your mistake??

Does the other account exist? And should the bank be checking the name <-> account # association? I would argue they should. (But know they do not.)

Either way, not really the same thing, IMHO.

Can someone show the Internet is going to collapse, or at least be
harmed, by being "rude" in this way?

I don't think the "net" is going to collapse, but I do think that many of the
"things" being done are simply "making" (allowing/enabling/supporting) end
users to be more and more lazy or whatever term you want to apply. In
school if you spell the word tree as tre - hopefully your teacher corrects
this. What we seem to be doing is saying it is ok to not know how to spell
or even know what or where you want to go on the net - and I am not certain
that in the long term we are not doing more "harm" than good - just as your
teacher would by allowing you to misspell words instead of learning the
correct way....

I think that's going a bit far.

By that token, we should lobby Microsoft to take spel chickers out of MS Word.
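Three conditions for typo correction surface across the thread: Simon's point that it must stay off for mail-server and RBL lookups, Patrick's suggestion of only 'correcting' queries that begin with "www", and the "and the domain does not exist" qualifier (an existing name such as whitehouse.gov is never touched). The following policy check, added here as an example and not OpenDNS's code, encodes all three plus a per-client opt-in; the `Query` record, the known-name list, the edit-distance suggestion rule and the sample queries are assumptions constructed for this example.

```python
"""When may a recursive resolver 'correct' a typo? (added example, not OpenDNS's code)

A rewrite is offered only when all of the following hold:
  1. the answer was NXDOMAIN, so an existing name is never rewritten;
  2. the client opted in (off by default);
  3. the query is a browser-style A/AAAA lookup, so MX/TXT/PTR lookups made by
     mail servers and DNSBL checks always see the genuine response code;
  4. the name begins with "www.".
The Query record, KNOWN_NAMES and the edit-distance rule are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a catalogue of names known to resolve.
KNOWN_NAMES = ["www.foobar.com.", "www.example.net."]

BROWSER_QTYPES = {"A", "AAAA"}


@dataclass(frozen=True)
class Query:
    qname: str            # fully qualified, with trailing dot
    qtype: str            # "A", "AAAA", "MX", "TXT", "PTR", ...
    rcode: str            # response code from the authoritative side
    client_opted_in: bool # per-client preference


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suggest(qname: str, known: List[str], max_distance: int = 1) -> Optional[str]:
    """Return the single known name within max_distance edits, else None.

    Ambiguity (two candidates equally close) yields no suggestion rather than
    a guess, since a wrong rewrite is worse than an honest NXDOMAIN.
    """
    matches = [n for n in known
               if edit_distance(qname.lower(), n.lower()) <= max_distance]
    return matches[0] if len(matches) == 1 else None


def correction_for(q: Query, known: List[str] = KNOWN_NAMES) -> Optional[str]:
    """Name to answer with instead of the NXDOMAIN, or None to pass it through unchanged."""
    if q.rcode != "NXDOMAIN":
        return None   # name exists: whitehouse.gov stays whitehouse.gov
    if not q.client_opted_in:
        return None   # correction is a per-client preference, default off
    if q.qtype not in BROWSER_QTYPES:
        return None   # mail and DNSBL lookups must never be 'corrected'
    if not q.qname.lower().startswith("www."):
        return None   # only browser-style names qualify
    return suggest(q.qname, known)


if __name__ == "__main__":
    # Constructed sample queries exercising each branch.
    samples = [
        Query("www.fobar.com.", "A", "NXDOMAIN", True),
        Query("www.fobar.com.", "MX", "NXDOMAIN", True),
        Query("whitehouse.gov.", "A", "NOERROR", True),
        Query("www.fobar.com.", "A", "NXDOMAIN", False),
        Query("fobar.com.", "A", "NXDOMAIN", True),
    ]
    for q in samples:
        print(q.qname, q.qtype, q.rcode, "->", correction_for(q))
```

Keeping the rcode check first means the policy can never shadow a name that resolves, and gating on query type keeps the inconsistency Chris describes confined to interactive web lookups, where a human is present to notice the rewrite.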