OpenDNS no panacea

The entire technical community needs to be a great deal more careful and cautious about promoting OpenDNS as a cure-all for security concerns in DNS. I used their service in the States for quite some time, and, while there were several major problems, it actually would have been an adequate solution for the security concerns we face today.

Not here, though: I, and probably most people in the third world, now have no choice but to use my ISP’s DNS servers for the bulk of my DNS requests, due to NATing and, more importantly, transparent proxies hardwired to keep DNS requests local. Even if I were able to use it, though, I’d be caught by parental filters that have been configured so aggressively by other customers that they would prevent me from hitting many legitimate sites (this includes multiple news sites). OpenDNS authenticates users and saves preferences by IP address (often dynamically updated via ddclient or something of the sort), making it very, very easy for one ignorant sumbitch on a network like this to greatly limit the network’s utility to all users.

In other words, even without the proxy/even if we could reliably use 3rd party DNS servers for the bulk of our DNS requests, it still wouldn’t do the user much good on a small NAT’d ISP like this one.
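To check whether a network is in this situation, one approach is to send a DNS query to an address where no DNS server exists: if an answer comes back, something on the path is capturing port 53. The sketch below is an added example, not part of the original post; the function names are hypothetical, the sink is the RFC 5737 documentation address, and the third-party resolver IP is supplied by the user.

```python
import socket
import struct
import sys

SINK = "192.0.2.1"  # TEST-NET-1 (RFC 5737): documentation range, no real DNS server

def build_query(name, txid=0x1234):
    """Encode a minimal DNS A/IN query with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_reply_to(query, packet):
    """True if packet is a DNS response (QR bit set) with the query's ID."""
    if len(packet) < 12:
        return False
    return packet[:2] == query[:2] and bool(packet[2] & 0x80)

def probe(server, name="example.com", timeout=3.0):
    """Send one UDP query to server:53; return the reply, or None on silence."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:  # timeout, ICMP unreachable, no route
            return None
    return data if is_reply_to(query, data) else None

def classify(sink_reply, resolver_reply):
    """Interpret the two probes; any answer 'from' the sink was forged on-path."""
    if sink_reply is not None:
        return "intercepted"
    if resolver_reply is None:
        return "blocked or unreachable"
    return "no interception seen"

if __name__ == "__main__":
    resolver = sys.argv[1]  # third-party resolver IP, supplied by the user
    print(classify(probe(SINK), probe(resolver)))
```

A result of "no interception seen" does not rule out a proxy that redirects only queries addressed to specific well-known resolvers.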

As long as they’re secure, we’re probably much better off supporting the use of publicly accessible DNS servers like and, as long as they remain as such and reasonably secure, or going straight to the root with secure, locally hosted DNS. That said, this is still only an option for users that aren’t trapped in this very, very common predicament. This hits numerous coffee shops, universities, 3rd world ISPs, 1st world free ISPs, anyone using ISP-side “accelerators” (i.e. caching proxies – can’t believe some ISPs have the gall to make you pay for this), etc.

Death to the transparent proxy!