OpenDNS - thoughts?
I'm trying to get opinions on using OpenDNS (OpenDNS | Providing A Safer And Faster Internet) to filter web content for K-12 schools. I've tested it in a small sample and it seems decent, so long as we can prevent users from changing DNS settings.
Saves our district ~ $7,000 USD a year for filtering license
Uses a category database that another pay-for product uses (I want to say it's the iGuard database that the iPrism uses, but I've looked at so many recently I could be wrong).
Allows for black/white list URLs similar to our current filtering (Fortinet)
Doesn't provide deep packet inspection and dynamic proxy blocking like other pay-for sources (DeepNines as an example)
If anyone's using this, I'd love their take on it. We're converting from a Novell network to Microsoft and expect to use group policy to prevent changes to DNS - if anyone knows why that won't work, please give me a shout, too. (I'm new to GP but am learning quickly).
Hope everyone's doing well. Thanks as always.
Louisa County Schools, VA, USA
I use it at home on my router, it's got the updater that tracks the IP and so I find it a dream to use.
Clamp down the DNS settings via group policy and you should be sorted.
The options allow tracking what URLs are visited and you can blacklist or whitelist sites easily.
Not really sure why our authority have not used it, since I found it quite fast in use, but I guess it would do the IT guys out of a job or they prefer to have complete control over the filtering.
It's very good considering it's free. I use it just as my DNS at home. I don't use the available filtering options (which just requires you to create an account).
It would be perfect if it was made impossible to enter numbers (IP addresses) into the address bar in Internet Explorer. This may be possible by creating a custom plugin, or something along those lines; however if it was, I would be surprised why it hasn't already been done.
Galway: My boss will be excited that it will track the IP address used to log sites. We pay extra for a tracking software that we may also not need with that. ...now if it would just map with AD (not likely as it's outside our network, technically ;)
Originally Posted by Michael
Michael: Just so I'm following you, OpenDNS will allow IP addresses into the address bar, but does it still block those IPs of sites that are in its blacklist or "bad" category lists? Or is entering IP address of sites a workaround to its filtering? (Seems like a large hole, but something good to know).
I'll also change over my DNS settings here on my laptop and test it as well... but just curious if you've already done the same.
This is the main problem with DNS filtering. DNS converts web addresses we as humans type into IP addresses and retrieves the website you've requested.
Typing an IP address directly into Internet Explorer bypasses the need for DNS, so the page is retrieved automatically. So in theory, a pupil could work out the IP for an adult website and enter it within school. OpenDNS wouldn't filter this and pupils would be required to have lists of IPs instead of web addresses.
What a great point (and a polite explanation of DNS ;). I'll research a way to block this - it now makes sense some of the help documentation I've seen on our Fortigate box that has a wildcard mask for blocking IP addresses of this type.
Awesome. I'll let you know what I come up with.
No, it doesn't. DNS filtering is all or nothing for a given domain (example.com), so you can't differentiate between example.com/goodstuff and example.com/badstuff.
Originally Posted by LCPSWolf
You still need a URL- or content-based filter in place.
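The two limits raised in the posts above (a DNS filter decides per domain, not per path, and a request to a bare IP address never produces a DNS query for it to see), shown as an added example that is not part of any post in this thread. The blocklist entry, client names and log lines are constructed for illustration; the check flags the requests that a URL- or content-based filter would still have to handle.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: domains the DNS filter refuses to resolve (hypothetical).
BLOCKED_DOMAINS = {"badstuff.example"}

def host_is_ip_literal(host):
    """True if the URL host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_filter_verdict(url, blocked=BLOCKED_DOMAINS):
    """What a DNS-only filter can decide for this URL: it sees the host name, never the path."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "invalid"
    if host_is_ip_literal(host):
        return "unseen"      # browser connects directly, no lookup is made
    labels = host.split(".")
    # A blocked domain also covers its subdomains (www.badstuff.example).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return "blocked"
    return "allowed"

# Constructed (client, url) pairs, as they might appear in a gateway or proxy log.
SAMPLE_LOG = [
    ("pc-lab-01", "http://example.com/goodstuff"),
    ("pc-lab-01", "http://example.com/badstuff"),   # same verdict as /goodstuff
    ("pc-lab-02", "http://www.badstuff.example/index.html"),
    ("pc-lab-03", "http://192.0.2.10/"),
    ("pc-lab-03", "http://[2001:db8::10]/page"),
]

def requests_needing_other_controls(log):
    """Requests the DNS filter never saw; only a gateway or URL filter can judge them."""
    return [(client, url) for client, url in log if dns_filter_verdict(url) == "unseen"]

if __name__ == "__main__":
    for client, url in SAMPLE_LOG:
        print(f"{client:10} {dns_filter_verdict(url):8} {url}")
    print("review at gateway:", requests_needing_other_controls(SAMPLE_LOG))
```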
Seems a bit.... well... how is it funded? Bit too good to be true.
Good point. We typically are blocking total domains, but there may be cases we want to only block a portion....hmm. Have to wonder if that's worth it.
Originally Posted by powdarrmonkey
It's worth it as part of your arsenal, just don't throw out the gun cupboard for a mouse trap.
Originally Posted by LCPSWolf
I love that analogy!
Going back to the not blocking by IP, I just changed my DNS settings on my laptop to OpenDNS servers (22.214.171.124 and 126.96.36.199) and attempted to browse to 188.8.131.52. (I'm running IE7, for what that's worth). It was blocked as a site not allowed on our network (gambling).
I had not visited this site previously.
Am I missing something or is this working better than expected?
:o I just saw that OpenDNS uses St. Bernard's iGuard data for its category filtering.
OpenDNS rocks and the reason it is disliked by many on this forum is because it makes their expensive filtering systems look like the rip-off they have become!
Open DNS still filters IP addresses only.
Yes, the lack of granular control can be an issue for some but in those sites we have worked around this with multiple gateways and configured proxies.
What I like most about it is that as more people find ways to migrate to it and make it work for them the commercial products have to stop charging ridiculous rates for their services :D
If you can save $000's of dollars this year when budgets are cut to the bone and your job is on the line, why not?
Hey, it's not going to cost you a penny to try it!
I use it at home, and yeah it's pretty good stuff! Faster than waiting for Virgin's DNS records to update :)
and best of all it's FREE :D well done to those guys
OpenDNS had a huge cash injection put into it, as they have DNS servers strategically positioned over most parts of the world. Not only does this speed things up, it also adds redundancy too. Rumour has it also that their DNS servers speed up access, but I believe this to be false.
However, another advantage to its service is they're using DNS to block the sources of Conficker. Again this is all free and no doubt they'll introduce other services based around DNS.
As for making money, they are in partnership with Yahoo and generate $20,000 a day from viewing/clicking on adverts. A typical example is if you mis-typed a URL you'll be redirected to their customised Yahoo search. It's as simple as that.