Educause Security Discussion mailing list archives

Re: OpenDNS Users


From: Brian J Smith-Sweeney <bsmithsweeney () NYU EDU>
Date: Fri, 31 May 2013 13:09:26 -0400

On Fri, May 24, 2013 at 9:48 AM, Greg Schmalhofer
<Greg.Schmalhofer () millersville edu> wrote:
Does anyone use the DNS service OpenDNS, either the free version or the
purchased product called Umbrella, for their campus DNS service? If so I’d
appreciate it if you could provide your thoughts on service. Or info if you
are using another similar product.



-           How long have you used OpenDNS?

We actually used them as a fall-back when we had some DNS issues a few
months ago, and have since converted back (not due to any significant
issues with OpenDNS, mostly because we like running our own
infrastructure). Our original backup plan had always been to use
Google's DNS, but it turns out they rate-limit per IP, which can be a
real bear when you're behind a large NAT boundary.

-           Have you seen a reduction in phishing attempts and/or malware on
your campus network?

We were not specifically tracking this in a way that would allow me to
correlate with the DNS change, so I can't comment.

-           Have you seen any difference with performance?

Nope, which is saying something; we have a fairly robust localized DNS
infrastructure, and I don't believe there were any performance
issues reported when we switched out externally.

-           Are you using the free or purchased version?

Enterprise, not Umbrella.

-           Any other thoughts or comments?

The OpenDNS folks were a *huge* help to us, taking on the sudden load
from a fairly large campus without incident and with no forewarning.
They were also extremely competent and responsive; the entire initial
conversation regarding whether or not we were ok to point
tens-of-thousands of hosts their way took about an hour, during which
time they took the load anyway (apparently, we were just a drop in the
bucket).  The only two technical things we ran into after that were
resolved in roughly the same amount of time.   I had a chance to meet
David Ulevitch at Educause SPC this year to thank him, and he showed
off their new predictive graph analysis stuff, which looks
interesting.

There were a few technical hiccups during the switch that are entirely
solvable problems but worth being aware of, including:
* RFC1918 reverse name resolutions are a problem, for obvious reasons.
 We have plenty of hosts registered internally in private space.
* Internal-only DNS domains are similarly problematic; if you have DNS
servers - Active Directory servers, perhaps - which are authoritative
for domains that you *only* expect to be queried from internal hosts,
and they suddenly have to allow queries from an outside provider like
OpenDNS, then you can have a problem.
* You need to have an "Enterprise" account set up to get access to all
the settings you might want

There were others not confined solely to the initial turn-up or
cutover.  I think generally the miscellaneous issues we had increased
the ongoing support burden on our Help Desk and Network Operations
Team by a small but persistent percentage (vs our internal recursive
DNS service).  It also required us to more closely detail service
dependencies on DNS.

All that in mind, our experience with OpenDNS as a company - brief as
it was - was really excellent.

Long story short: we're not looking to move away from our internal
infrastructure for a variety of reasons, but if we were, they'd be my
first call.

Cheers,
Brian
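
A pre-cutover check for the first two hiccups listed in the message above, as an added example that is not part of the original post: it sorts query names taken from a resolver log into those a public resolver cannot answer (RFC1918 reverse names, internal-only zones) and those that are safe to forward. The zone names and sample queries are constructed placeholders, not values from the thread.

```python
import ipaddress

# RFC 1918 private IPv4 blocks; a public resolver has no PTR data for these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical internal-only zones (assumption); substitute your own list.
INTERNAL_ZONES = ("ad.campus.example", "corp.campus.example")


def reverse_name_to_ip(qname):
    """Decode an in-addr.arpa name to an IPv4 address, or return None."""
    name = qname.rstrip(".").lower()
    if not name.endswith(".in-addr.arpa"):
        return None
    labels = name[:-len(".in-addr.arpa")].split(".")
    if len(labels) > 4 or not all(l.isascii() and l.isdigit() for l in labels):
        return None
    octets = [int(l) for l in reversed(labels)]
    if any(o > 255 for o in octets):
        return None
    # Partial names (zone cuts such as 168.192.in-addr.arpa) are zero-padded.
    return ipaddress.IPv4Address(bytes(octets + [0] * (4 - len(octets))))


def classify(qname):
    """Return 'rfc1918-ptr', 'internal-zone' or 'external-ok' for a query name."""
    ip = reverse_name_to_ip(qname)
    if ip is not None and any(ip in net for net in RFC1918):
        return "rfc1918-ptr"
    name = qname.rstrip(".").lower()
    # Match on label boundaries so notad.campus.example is not a false hit.
    if any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES):
        return "internal-zone"
    return "external-ok"


def keep_internal(qnames):
    """Map each name that must stay on internal servers to the reason."""
    return {q: classify(q) for q in qnames if classify(q) != "external-ok"}


# Constructed sample of query names, as they might appear in a resolver log.
SAMPLE_QUERIES = ["12.1.168.192.in-addr.arpa.", "5.0.20.172.in-addr.arpa.",
                  "5.0.32.172.in-addr.arpa.", "dc01.ad.campus.example.",
                  "notad.campus.example.", "www.example.org."]

if __name__ == "__main__":
    for qname, reason in keep_internal(SAMPLE_QUERIES).items():
        print(f"{reason:14} {qname}")
```

Names reported by the check are the ones that need a local forward zone or stub on the campus resolvers before client traffic is pointed at an outside provider.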

