• January 3 2010

    Public DNS space getting crowded

    An Internet colleague of mine recently wrote about Internet conglomerate Google’s entry into the public DNS space with the launch of Google Public DNS as a standards-compliant alternative to OpenDNS and the DNS services provided by your ISP. While it’s true that Google Public DNS returns standard DNS results and doesn’t use NXDOMAIN substitution, it wasn’t the first public DNS server by any means. Another colleague instant messaged me that he uses free DNS servers provided by Internet backbone provider Level 3 Communications because of their even easier to remember IP addresses. While the free public DNS services provided by both Google Public DNS and Level 3 Communications return traditional DNS results and provide a reasonably fast service, they don’t take advantage of recent enhancements in the DNS space, pioneered by OpenDNS and VeriSign Registry’s ill-fated SiteFinder attempt at wildcarding the “.com” and “.net” space at the root-zone level in 2003.

    Now, I was an ardent opponent of SiteFinder in 2003, as various Google Web searches will attest, but that’s because it was done at the root-zone level and forced upon Internet users with no net benefit other than to provide an added revenue stream for VeriSign by filling an error page with lots of advertisements when someone hit a non-existent domain. However, what SiteFinder did do was introduce NXDOMAIN substitution to the world.

    OpenDNS picked that up, ran with it and pioneered a free DNS service which combines Internet security protection from such threats as malware and phishing with optional content filtering with parental control-type features, domain name typo correction and increased speed. The speed comes from building up huge caches of DNS entries with real-time updates, which effectively eliminates the concept of the dreaded TTL (Time to Live), common among “old school standards-compliant” DNS providers. They have effectively pioneered a new global standard in security and speed at the DNS level.

    Since OpenDNS’ public launch in 2006, a multitude of competitors have come on board with their own products. They are outlined below (along with the aforementioned), with a logo, brief description and Web link highlighting each. Some of the providers use the new DNS standard featuring NXDOMAIN substitution and within that set, some provide excellent control features like OpenDNS while others strictly rely on speed and security as their main selling features. Others use the traditional standard DNS.

    It is very important to reiterate the point that NXDOMAIN substitution can be used properly and with user choice, unlike the failed SiteFinder episode. The services below that use it all make good use of this, although I’ve personally only used OpenDNS.
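A way to see which behaviour a given resolver has, as an added example that is not part of the original post: a traditional resolver answers a query for a non-existent name with RCODE 3 (NXDOMAIN) and no answer records, while a resolver doing NXDOMAIN substitution answers NOERROR with an A record pointing at its own landing page. The function names, the constructed sample packets and the assumption that a random 24-character label under "com" is unregistered are all illustrative.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """Encode a recursive A/IN query for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(query, response):
    """Classify a resolver's reply to a query for a name that should not exist."""
    if len(response) < 12:
        return "malformed"
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    if txid != struct.unpack(">H", query[:2])[0] or not flags & 0x8000:
        return "mismatch"  # wrong transaction ID or QR bit not set
    rcode = flags & 0x000F
    if rcode == 3 and ancount == 0:
        return "nxdomain"  # traditional behaviour: the name does not exist
    if rcode == 0 and ancount > 0:
        return "substituted"  # NOERROR plus answer records for a bogus name
    return f"other(rcode={rcode},ancount={ancount})"

def fake_reply(query, rcode, answer_ip=None):
    """Constructed reply for offline use: echoes the question, optionally one A record."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, 1 if answer_ip else 0, 0, 0)
    answer = b""
    if answer_ip:  # name pointer to offset 12, TYPE=A, CLASS=IN, TTL=60, RDLENGTH=4
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + answer

def probe(resolver_ip, zone="com", timeout=3.0):
    """Live check (needs network): query a random label under `zone`, classify the reply."""
    query = build_query(f"{secrets.token_hex(12)}.{zone}", secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        response, _ = sock.recvfrom(4096)
    return classify(query, response)

# Constructed sample: a query and two replies, so the classifier runs offline.
SAMPLE_QUERY = build_query("no-such-host-3f9a1c.invalid", 0x1234)

if __name__ == "__main__":
    print(classify(SAMPLE_QUERY, fake_reply(SAMPLE_QUERY, 3)))
    print(classify(SAMPLE_QUERY, fake_reply(SAMPLE_QUERY, 0, "203.0.113.10")))
```

Calling `probe()` with the address of the resolver you actually use shows which of the two behaviours your lookups get; run it a few times, since a single random label is only one sample.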

    Comodo Secure DNS offers a security-enhanced, typo-correcting public, recursive DNS service which uses the UltraDNS backbone and protects the end-user at the DNS level from certain malicious circumstances. It can be used on a standalone basis or with Comodo’s completely free Internet security software. As well, since VeriSign’s Thawte subsidiary stopped offering free personal e-mail certificates, Comodo is the only commercial provider of free e-mail certificates for personal use.

    Internet addressing and Top-Level Domain registry services company NeuStar and its managed DNS provider UltraDNS began offering up a security-enhanced, typo-correcting public, recursive DNS service in the fall of 2007, approximately 18 months after OpenDNS launched its service. Like Comodo Secure DNS above, it boasts one of the fastest DNS resolving services combined with end user security protection and typo correction. Neither service offers a customizable dashboard but that feature is said to be in the works.

    Dyn Internet Guide, from DNS hosting provider DynDNS.com parent company Dyn Inc., is a relative newcomer to the public, recursive DNS service provider space. It launched in October 2009, shortly before the newest entrant, Google Public DNS, and offers all of the features of the aforementioned Comodo Secure DNS and DNS Advantage; however, it offers the ability to control your security protection and adds optional content filtering. If you prefer traditional DNS resolving, you can even turn off NXDOMAIN substitution via your administrative dashboard. Dyn Inc. has been providing DNS services since 1998, the same year Stanford graduate students Sergey Brin and Larry Page were cooking up Google’s predecessor BackRub in their dorm room. So, Dyn Inc. certainly knows DNS and offers a speedy service enhanced with optional security and content protection if you are so inclined.

    Google Public DNS offers a fast, traditional standard DNS resolving service with no NXDOMAIN substitution and no advanced technologies like security protection or optional content filtering. On top of speed, they also tout easy-to-remember DNS server IP addresses. Their belief is that the DNS space is sacrosanct and should not be changed without years of consultation and study. While they don’t offer features like phishing protection or typo correction, bear in mind that Google does have a vested interest in you using their so-called “naked” DNS resolving servers. They gain valuable knowledge of your Web surfing patterns even when you’re not using the Google Toolbar or Google Chrome and have “cookies” disabled.

    Like Google Public DNS, Level 3 Communications has offered free, fast standard DNS resolving servers with even easier to remember IP addresses and they’ve been doing so for many years. Unlike Google, they don’t need to issue press releases, write blog entries, host a public website on the service and generally take credit for such a service; they just provide the IP addresses for the public to use and share with friends, family and coworkers. They do benefit from researching Internet surfing patterns in the aggregate and building up a large DNS cache to continuously improve the speed of their service. Nonetheless, as it is a “naked” traditional standard DNS service, it doesn’t offer enhanced security protection and optional content filtering through NXDOMAIN substitution. Since there is no service website for Level 3’s public DNS service, their IP addresses are:
    4.2.2.1
    4.2.2.2
    4.2.2.3
    4.2.2.4
    4.2.2.5
    4.2.2.6

    OpenDNS is a service that I’ve been using since 2007 and thoroughly enjoy. I love their company philosophy, the approachability of their company founder and executives, the elegance and simplicity of the website and the abundance of free features they offer. It’s a super-fast, free, public recursive DNS service that uses the newer NXDOMAIN substitution standard and offers security protection, optional content filtering, Web guide and error page customization, proprietary SmartCache technology and the DNS real-time directory in collaboration with NeuStar’s UltraDNS. It can all be customized through what is arguably the easiest to use and most advanced web-based dashboard.

    Like OpenDNS and Dyn Internet Guide, ScrubIT offers a web-based dashboard for its free, public recursive DNS service that utilizes the newer NXDOMAIN substitution standard to offer security protection, optional content filtering, Web guide and error page customization.

    All things being equal, there are a lot more options for DNS resolving. Companies are increasingly realizing the importance of fast, safe and secure DNS resolution and its importance at the bottom of the Internet technology stack. Consumers, too, are learning more and more about DNS resolution as advertisements tout the benefits of these DNS services. I think both of those are only good things. I also think you’ll only see more companies, specifically DNS infrastructure companies, major Web portals and Web hosting companies, realize the importance of DNS and rush to launch their own services or branded versions of the above services. It should be quite interesting to watch.

    Update (Feb. 26th, 2010) - A quasi-anonymous commenter identifying himself only as “Rich” wrote about another pure-play, naked authoritative DNS service. It has the DNS security enhancements like Google Public DNS and Level 3’s public DNS servers but nothing more: no NXDOMAIN substitution, etc. It’s offered up for free by managed DNS provider, domain registrar and Web hosting company easyDNS Technologies Inc., based out of Toronto, ON, Canada. Thanks, Rich! :)

    Jan 3, 2010 @ 12:41 pm
