Want CNET to notify you of price drops and the latest stories?

DNS service promises safer, faster browsing

OpenDNS to look up Web sites and block dangerous URLs, but it'll display ads if you enter a nonexistent Web address.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
4 min read
A San Francisco start-up is promising faster, safer and smarter Web surfing--but there's a catch.

OpenDNS says its free address-lookup service makes Web sites load faster, and that it blocks malicious, data-thieving phishing schemes and other threats. Furthermore, the service corrects obvious typos in URLs, sending people to the site they intended to visit, it says.

To pay for it, though, the company serves up ads and a search page, instead of an error page, if the user enters a Web address that doesn't exist or can't be corrected. The approach is similar one used in an unpopular VeriSign service called Site Finder, which was pulled soon after its launch in 2003.

"I like the idea of improving performance, but the business model is the issue," said John Pescatore, an analyst at research firm Gartner. "Advertising on mistypes is a very iffy thing. VeriSign got a very negative reception, and I think the same is true here."

OpenDNS offers public Domain Name System, or DNS, service. DNS functions as the "phonebook" of the Internet, mapping text-based domain names such as www.cnet.com to the numerical IP addresses used by computers. Internet users typically use the DNS service run by their service provider. OpenDNS offers an alternative "phonebook," with extras.

"We are adding an element of choice, which does not exist for DNS today," said David Ulevitch, chief executive of OpenDNS. "People don't know that there are different DNS servers available. The benefit is a faster, safer and smarter DNS."

OpenDNS says its DNS service outpaces rivals because of its speedy Net connections and intelligent caching. It claims to be safer because it blocks access to known phishing Web sites and known channels that hackers use to control compromised computers. The smarts come from correcting mistypes, turning craigslist.og into craigslist.org, for example.

Experts see OpenDNS as a possible alternative to the spotty DNS service offered by some Internet service providers.

"Many ISPs have frequent DNS brownouts, where DNS response time is slow," Pescatore said. For example, last year broadband access provider Comcast had several DNS outages, effectively knocking its customers offline, he said. "There is a lot of room for improvement in DNS performance."

However, a speed increase depends on geography--the closer you are to an OpenDNS server, the quicker the response, experts said.

A DNS request will have to traverse the Net to one of OpenDNS' servers, currently located on the east and west coasts of the U.S. and planned for Chicago, London and Hong Kong. A local service may be faster and more reliable, said Cricket Liu, a DNS expert and vice president of architecture at DNS appliance maker Infoblox.

"A local, well-managed name server with a decent-sized cache will provide better performance, on average, than a remote name server with a huge cache," Liu said. "I also don't want to depend on the networks between me and the remote name server being up all the time."

Filtering phishers
The safe-surfing and typo correction features could also have their stumbling blocks, experts said.

Phishing is a major problem. In May, just over 20,000 phishing Web sites--a new record--were reported to the Anti-Phishing Working Group. Protecting users against scams is important. However, providers must strive to make sure they offer complete protection, as inaccurate and incomplete shields could be worse than none at all, experts said.

"If users begin to trust the service and assume that sites they get to have been vetted, what happens when a heretofore unknown phishing site slips past?" Liu asked.

OpenDNS uses blacklists to block access to known phishing sites, the company said. It gets phishing data from a number of unnamed partners and constantly updates the information, it said. The company does not, however, have a partnership with the Anti-Phishing Working Group, a cross-industry group that also works with law enforcement agencies.

Though OpenDNS is the first to offer a phishing shield at the DNS level, there is plenty of competition in the antiphishing area from toolbar and Web browser makers. Upcoming Internet Explorer and Firefox updates will both include phishing protection, rendering other protection means largely redundant, Pescatore said.

Correcting a user's errors in typing Web addresses might be helpful, but only if it is limited to rewriting the most popular domain extensions--for example, "cmo" to "com" and "og" to "org", Liu said. More could cause problems. A typo could be a genuine attempt to reach a Web site with a name similar to a better-known site, he said.

To use OpenDNS, people have to change their DNS settings, which are not always obvious to find. The change should be done either in an Internet browser or on a home-networking router. OpenDNS has step-by-step instructions on its Web site.

Paul Mockapetris, the inventor of DNS and chief scientist at secure DNS provider Nominum, said DNS is like the water of the Internet. In that analogy, OpenDNS is like bottled water. If you use it, you don't have to trust the local water, which may be polluted or diseased, Mockapetris said.

"Of course, you have to trust the OpenDNS folks, and I suspect they are looking forward to showing you advertising. So maybe it is more like Gatorade, and maybe they will fluoridate their DNS and add stuff that will kill your prized fish in the aquarium as well as the phish they are looking for," he said.

(Editor's note: OpenDNS is funded in part by Minor Ventures, a venture capital firm founded by Halsey Minor, also founder of CNET News.com parent CNET Networks.)