OpenDNS to Force Improved DNS Standard?


So I was reading Hanselman and came across his OpenDNS post. I’d not heard of it, but evidently it is a free service comprised of a network of ‘smart’ DNS servers that can correct spelling errors (i.e. convert craigslist.ogr to and provide warnings when users attempt to go to a phishing sites. Cool!

Reading Scott’s post also led me to a discussion on mrneutrongodeon‘s LiveJournal about OpenDNS where dr_strych9 commented (emphasis mine):

Part of your problem here is that BIND just plain sucks. I would expect similar results from djbdns, for example.

I also don’t like that “spelling correction” or “anti-phishing” feature. That doesn’t belong in the cache; it belongs at the resolver. … OpenDNS is unsuitable for use as an enterprise DNS cache. It might be a good solution for people who want to run their own personal cache on a local node.

When challenged by someone who did not understand that the term “resolver” had a defined meaning, dr_strych9 clarified (emphasis mine):

The “resolver” in the DNS protocol is the agent that sends questions and receives answers. Contrast with the other two kinds of agents in the DNS protocol, i.e. the “server” and the “cache” agents. The “server” sends answers to recursive questions, and the “cache” sends answers to non-recursive questions.

I’m saying the “resolver” agents are where this name fiddling code belongs, not in the “cache” agents where OpenDNS is doing it. Technically, OpenDNS is running an alternative “public” DNS horizon for its users. I think more than one “public” DNS horizon is a very bad idea. We only need one: the global public DNS horizon.

Also, I really hate designs that try to make the network protect the nodes from one another, particularly designs that outsource security to somebody I have no reason to trust. A much more secure and sensible approach to this problem would be to be the spelling correction in the DNS content servers (by registering multiple spellings and redirecting) and optionally the resolvers (by making them ask the right questions), and put the anti-phishing protection into just the resolvers, i.e. your web browser should protect you, not your DNS server.

And what follows are both my response and my analysis of the situation:

I agree. And I disagree. :)

What OpenDNS has done is recognize a way to improve on the DNS protocol. This could be argued to be a limitation in the vision of the DNS protocol, and OpenDNS have offered a solution that is of interest to a reasonably significant segment of users. Unfortunately, that solution violates the spirit of the existing DNS protocol. You can say that it should be in the client, but the “cost” (in the technological sense) of requiring clients to be updated to get this functionality is unrealistic when you compare it with the cost of updating a well-defined set of servers.

And whenever the spirit of a protocol is violated it causes lots of hand-wringing among the standardistas [1]. That happened a lot during the browser wars, but it forced the standards bodies to address the needs people were having as opposed to pontificating on abstracts at a glacial pace which is the nature of standards bodies when there is no market pressure to drive them. This market pressure spurs standards bodies into action to as quickly as possible reign in fragmenting yet proven technologies and codify them into a standard instead of spending years debating a hypothetical envisioned use (can you say ‘Semantic Web?’)

Yes some negative can result when market pressure is applied to force standards but I also think negative can also result when a hypothetical is standardized without a lot of proven implementations. All-in-all, I believe the accelerated pace of standards development resulting from market pressure is almost always a net positive.

Given OpenDNS has identified a way to add value to the DNS protocol I think it would make sense for the standards bodies to extend the DNS protocol in a backward compatible way to incorporate this functionality. When up-level clients and servers are paired they can use the newer functionality but when a client attaches to or server where one is down-level, the transactions would work as it always has.

And if OpenDNS were to work to update the DNS standard, they could move from being a novelty for most web users and a rouge element to the standardistas to potentially gaining a huge market share and capitalization. At the same time this newer version of the DNS protocol could provide added value across the broader Internet and provide value-appropriate revenue opportunities for a large number of people and vendors to support companies who want to update to their DNS infrastructure.

JMTCW, anyway.

In closing, I just want to remind readers that I definitely do like the idea of OpenDNS, that is unless and until someone points out some aspect of it where it really should be considered harmful that I hadn’t really considered.


  1. NOTE: I don’t mean the term ‘standardistas’ perjoratively; I actually consider myself to be one, albeit a little more pragmatic than most.

2 Replies to “OpenDNS to Force Improved DNS Standard?”

  1. There is a major down side to openDNS. It is also a web censoring system based on assumption and prejudice instead of objective consideration of what causes harm. The result is that it perpetuates myths particularly prevalent in the USA which are known to result in widespread and often serious harm. It is not coincidence that Denmark (and smiilar countries) is much less up tight over the body and nudity than the USA and also has about one tenth the teenage pregnancy rate. The pattern is similar for other body related indicators, everything from promiscuity to eating disorders and for other international comparisons. More prudish gives worse outcomes and openDNS is a significant contributor to the problem.

  2. Hi @Malcolm – Thanks for the comment. I can’t say I disagree with you; actually I agree with your premise as strongly as I can. So yes, four years later maybe OpenDNS is not such a good thing after all…

Leave a Reply

Your email address will not be published.