Educause Security Discussion mailing list archives
Re: OpenDNS Users
From: Brian J Smith-Sweeney <bsmithsweeney () NYU EDU>
Date: Fri, 31 May 2013 13:09:26 -0400
On Fri, May 24, 2013 at 9:48 AM, Greg Schmalhofer <Greg.Schmalhofer () millersville edu> wrote:
Does anyone use the DNS service OpenDNS, either the free version or the purchased product called Umbrella, for their campus DNS service? If so I’d appreciate it if you could provide your thoughts on service. Or info if you are using another similar product.
- How long have you used OpenDNS?
We actually used them as a fall-back when we had some DNS issues a few months ago, and have since converted back (not due to any significant issues with OpenDNS, mostly because we like running our own infrastructure). Our original backup plan had always been to use Google's DNS, but it turns out they rate-limit per IP, which can be a real bear when you're behind a large NAT boundary.
- Have you seen a reduction in phishing attempts and/or malware on your campus network?
We were not specifically tracking this in a way that would allow me to correlate with the DNS change, so I can't comment.
- Have you seen any difference with performance?
Nope, which is saying something; we have a fairly robust localized DNS infrastructure, and I don't believe there were any performance issues reported when we switched out externally.
- Are you using the free or purchased version?
Enterprise, not Umbrella.
- Any other thoughts or comments?
The OpenDNS folks were a *huge* help to us, taking on the sudden load from a fairly large campus without incident and with no forewarning. They were also extremely competent and responsive; the entire initial conversation regarding whether or not we were ok to point tens-of-thousands of hosts their way took about an hour, during which time they took the load anyway (apparently, we were just a drop in the bucket). The only two technical things we ran into after that were resolved in roughly the same amount of time. I had a chance to meet David Ulevitch at Educause SPC this year to thank him, and he showed off their new predictive graph analysis stuff, which looks interesting.
There were a few technical hiccups during the switch that are entirely solvable problems but worth being aware of, including:
* RFC1918 reverse name resolutions are a problem, for obvious reasons. We have plenty of hosts registered internally in private space.
* Internal-only DNS domains are similarly problematic; if you have DNS servers - Active Directory servers, perhaps - which are authoritative for domains that you *only* expect to be queried from internal hosts, and they suddenly have to allow queries from an outside provider like OpenDNS, then you can have a problem.
* You need to have an "Enterprise" account set up to get access to all the settings you might want
There were others not confined solely to the initial turn-up or cutover. I think generally the miscellaneous issues we had increased the ongoing support burden on our Help Desk and Network Operations Team by a small but persistent percentage (vs our internal recursive DNS service). It also required us to more closely detail service dependencies on DNS.
All that in mind, our experience with OpenDNS as a company - brief as it was - was really excellent. Long story short: we're not looking to move away from our internal infrastructure for a variety of reasons, but if we were, they'd be my first call.
Cheers,
Brian