
In a CDN'd world, OpenDNS is the enemy - johnx123-up
http://www.sajalkayan.com/in-a-cdnd-world-opendns-is-the-enemy.html
======
sirn
This issue will be (is?) solved with the "Client IP information in DNS
requests" DNS extension[1]. A year ago, David Ulevitch (OpenDNS's owner)
mentioned in an HN post that he already had it working for all Google
properties and a few other CDNs ( _except_ Akamai).[2]

[1]: <http://tools.ietf.org/html/draft-vandergaast-edns-client-ip-01>

[2]: <http://news.ycombinator.com/item?id=2941948>

~~~
omh
Is there a technical reason why Akamai don't support this yet?

It seems that it would be in their interests to improve this. Both for a
better experience for users and lower latencies from their point of view.

Or is it just that they're big, and it's a complex change?

~~~
acdha
My guess is that they're not receiving strong demand from their major
customers - since they have so many massive users and a long-term code-base it
makes sense that they'd be rather conservative.

------
vld
This article is from 2010, back when the edns-client-subnet [1] draft wasn't
even published. I believe most CDNs are now whitelisted with Google's and
OpenDNS's edns list, so you'll get much better results. Also see the
edns-client-subnet demo [2].

[1] <http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-00>
[2] <http://news.ycombinator.com/item?id=4174512>
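
As an added example (not code from the thread, from OpenDNS, Google or any real resolver): the two comments above refer to the edns-client-subnet (ECS) extension, under which a recursive resolver forwards a truncated prefix of the client's address to the authoritative server so a CDN can pick a node near the client rather than near the resolver. The block below hand-builds that EDNS0 option with the Python standard library, parses it back with the format checks the specification demands, and uses a toy authority-side "geo table" to show the difference between answering on the resolver's address and answering on the ECS prefix. The option code 8 is the one assigned when the draft became RFC 7871 (the early draft used an experimental code); the resolver address, client address, node names and geo table are constructed for illustration using RFC 5737 documentation prefixes.

```python
"""EDNS Client Subnet (ECS) option, hand-built: draft-vandergaast-edns-client-subnet,
later RFC 7871. Added illustration, not code from the thread or any resolver."""
import ipaddress
import struct

ECS_OPTION_CODE = 8  # code assigned by RFC 7871; the early draft used experimental 0x50FA
FAMILY_IPV4, FAMILY_IPV6 = 1, 2
FAMILY_BYTES = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}


def build_ecs_option(client_ip, source_prefix_len):
    """Return OPTION-CODE | OPTION-LENGTH | OPTION-DATA for an ECS option.

    A recursive resolver sends only the first source_prefix_len bits of the
    client address (/24 for IPv4 and /56 for IPv6 are the usual choices), so the
    authority learns roughly where the client is without seeing the full address.
    SCOPE PREFIX-LENGTH is always 0 in a query; the authority fills it in the reply.
    """
    addr = ipaddress.ip_address(client_ip)
    if not 0 <= source_prefix_len <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for this address family")
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    # Zero the bits beyond the prefix, then send only ceil(prefix/8) address bytes.
    network = ipaddress.ip_network(f"{addr}/{source_prefix_len}", strict=False)
    nbytes = (source_prefix_len + 7) // 8
    data = struct.pack("!HBB", family, source_prefix_len, 0)
    data += network.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(option):
    """Parse one ECS option back into its fields, enforcing the format rules.

    ADDRESS must be exactly ceil(SOURCE PREFIX-LENGTH / 8) bytes long and the
    bits past the prefix must be zero; a server that sees otherwise answers
    FORMERR rather than guessing.
    """
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:]
    if code != ECS_OPTION_CODE or len(data) != length or length < 4:
        raise ValueError("not a well-formed ECS option")
    family, source_len, scope_len = struct.unpack("!HBB", data[:4])
    if family not in FAMILY_BYTES:
        raise ValueError("unknown address family")
    addr_bytes = data[4:]
    if len(addr_bytes) != (source_len + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    padded = addr_bytes + b"\x00" * (FAMILY_BYTES[family] - len(addr_bytes))
    addr = ipaddress.ip_address(padded)
    network = ipaddress.ip_network(f"{addr}/{source_len}", strict=False)
    if network.network_address != addr:
        raise ValueError("bits beyond SOURCE PREFIX-LENGTH must be zero")
    return {"family": family, "source_prefix_len": source_len,
            "scope_prefix_len": scope_len, "network": network}


def is_well_formed_ecs(option):
    """True if parse_ecs_option accepts the option, False on any format error."""
    try:
        parse_ecs_option(option)
        return True
    except ValueError:
        return False


# Constructed geo table (RFC 5737 documentation prefixes, made-up node names).
# A real CDN authority keys a much larger table on whatever address it can see.
GEO_MAP = [
    (ipaddress.ip_network("192.0.2.0/24"), "cdn-node-eu.example"),
    (ipaddress.ip_network("198.51.100.0/24"), "cdn-node-us-west.example"),
]
DEFAULT_NODE = "cdn-node-us-east.example"


def choose_cdn_node(resolver_ip, ecs_option=None):
    """Pick a node the way a toy geo-aware authority would.

    Without ECS the only location signal is the source address of the query,
    i.e. the recursive resolver, so a client in Europe using a US-based public
    resolver is steered to a US node. With ECS the authority sees the client's
    own /24 and can answer for that prefix instead.
    """
    if ecs_option is not None:
        locate = parse_ecs_option(ecs_option)["network"].network_address
    else:
        locate = ipaddress.ip_address(resolver_ip)
    for prefix, node in GEO_MAP:
        if locate in prefix:
            return node
    return DEFAULT_NODE


if __name__ == "__main__":
    resolver = "198.51.100.53"  # hypothetical far-away public resolver
    client = "192.0.2.77"       # hypothetical client "in Europe"
    opt = build_ecs_option(client, 24)
    print("ECS option bytes:", opt.hex())
    print("parsed:", parse_ecs_option(opt))
    print("without ECS ->", choose_cdn_node(resolver))
    print("with ECS    ->", choose_cdn_node(resolver, opt))
```

The privacy trade-off the draft makes is visible in `build_ecs_option`: the authority never receives the host part of the client address, only the /24 (or /56), and the reply's SCOPE PREFIX-LENGTH tells the resolver how wide a prefix that answer may be cached for. The strict checks in `parse_ecs_option` matter on the authority side because a malformed option is the obvious place for a resolver or attacker to smuggle an over-long address.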

~~~
josephcooney
I don't know how many do, but Apple digital media purchases don't. OpenDNS
causes movie download times to blow out to weeks for me on iTunes.

~~~
elithrar
Apple use Akamai, who are the exception here, which explains your problem.

~~~
le
Apple has a long-running relationship with Akamai, but they also use Limelight
and Level 3 for content delivery.

------
mrcharles
This article misses one of the main reasons for people to use OpenDNS/Google
DNS, which is to prevent ISP hijacking of domain names or redirection of
unresolved domains.

I personally use it because I am extremely uncomfortable with my ISP catching
mistyped URLs and redirecting me to a page filled with ads, searches, and
other bogus things.

~~~
nyellin
What country do you live in?

I have never seen an Israeli ISP do that. (Although, there were reports a few
years ago that Bezeq intercepted .torrent files to _add_ their own trackers to
the file.)

~~~
polyfractal
I live in the US and have had Comcast do this to me before. I routinely use
Google DNS because of that.

Also because Comcast DNS sucks horribly and times out with upsetting
regularity.

~~~
mikeash
Note that you can opt out of Comcast's DNS hijacking, although the fact that
it's on by default is still pretty bad.

There is, as far as I know, no switch to make their DNS more reliable, though.

~~~
X-Istence
Comcast has disabled all DNS hijacking, and has since they implemented their
DNSSEC validating servers.

~~~
AjithAntony
Yeah, I think you are right. The "Domain Helper" options no longer appear in
my accounts page:

<http://dns-opt-out.comcast.net/help-index.php>

------
Piskvorrr
"Fairly simple to set up BIND" - well yes, for someone with access to the
local gateway and the ability to install a caching DNS resolver, this is a
good option.

Unfortunately, most crappy DNS servers are with residential ISPs - and most
residential users don't run anything near a usable distro on their gateways.
For a user who's _just_ competent enough to change the DNS settings, the "slow
CDN access" versus "spotty DNS" tradeoff will be heavily weighted towards the
first option.

~~~
icebraining
Why not just install the DNS resolver on the client machine? Sure, you'd miss
out on the shared cache, but I doubt it'd make much of a difference.

~~~
sanxiyn
This is what I do. Caching DNS resolver needs no configuration whatsoever. It
is literally "apt-get install pdns-recursor" and edit /etc/resolv.conf to
point to 127.0.0.1.

~~~
Macha
And on Windows? Or a Ubuntu user who only knows how to use the GUI? Or OS X?

~~~
sanxiyn
What I wrote is actually possible to do on Ubuntu without ever opening a
terminal.

~~~
Piskvorrr
Not to mention that the NetworkManager version shipping with 12.04 does this
by default.

------
nl
It's worth noting that ISP-run DNS services aren't entirely free of these
issues either.

In Australia, both Vodafone and (to a lesser extent) Optus resolve all DNS
queries from a server farm in a single location. It is unfortunate, because
mobile clients are the perfect use-case for highly localized CDNs.

------
mcbridematt
This has long been an issue; particularly for Australian users where using a
foreign DNS server will cause CDN requests to travel across the Pacific Ocean.
This is one example (from 2010):
<http://apcmag.com/why-using-google-dns-opendns-is-a-bad-idea.htm>

From my location Google DNS terminates within the country - so no issue there.
Not sure about OpenDNS, however.

------
michaelcampbell
Network neophyte here. Am I wrong in that CDNs' ultimate goal is geolocation
of the requestor, and they're using DNS to do that? And if the user uses a DNS
that isn't "near" him, this scheme fails?

If that's correct, is there no better way to do user geolocation than the
nameserver they choose to use? That seems weird to me.

------
igrigorik
Instead of relying on a few pings, run the test for yourself:
<http://code.google.com/p/namebench/>

The Google DNS team built the tool above, and it allows you to test your
current setup against a number of DNS vendors + allows you to share the data,
etc.

~~~
lftl
If I understand correctly, these are addressing two different issues.
Namebench seems to be interested in finding out which DNS server will return a
look up request the fastest. The OP though is saying that because global DNS
providers don't currently pass along information about my local IP address,
I'll get a suboptimal response that points to an IP address that may not be
the fastest for me.

Or does namebench actually test the IP addresses you get in response to test
their response time?

------
djbender
The main reason I use an alternative DNS is because my ISP's DNS service goes
down constantly.

------
darkhorn
The biggest Turkish ISP blocks all porn sites. Thus the users need to use
Google DNS.

------
gte910h
You should actually be using a free, fast DNS near you, with at least one not
on your ISP. Here is a program to help find them:

<http://www.grc.com/dns/benchmark.htm>

------
gdamjan
CDNs could solve this by using BGP anycast routing.

~~~
jemfinch
CDNs are typically used for transferring large objects, for which anycast
routing instability is a real concern. If a client's anycast endpoint changes
in the middle of a connection, the client will receive an immediate RST from
the new server.

------
gte910h
I find putting the primary DNS on my router to be my ISP's, and the secondary
to be an 8.8.4.4-type one, a nice compromise.

~~~
amalcon
This is actually a pretty good idea if you've noticed some sort of systemic
problem with your ISP's DNS. If the secondary is likely to be down at the same
times as the primary, it's a good way to avoid that dependency.

------
bashzor
Funny, I was wondering about this exact thing yesterday. Trying Google though
(hadn't thought about other DNS providers), the traceroute went to somewhere
within Europe or maybe even Amsterdam. Being from the Netherlands, that'd be
very close, there just is no way 13ms is a ping from America.

So I guess 8.8.8.8 is multihomed, or however they call it. Still, the geoIP
databases claim it to be in Mountain View where Google is, so I wasn't sure
exactly how this affected 'split horizon' (on which, as far as I know, the
DNS decides which IP(s) to return for the requested hostname).

~~~
gorset
According to the Compute Engine talks from this year's Google I/O, they have
their own private network covering most of the world and use anycast for
external Internet addresses. This basically means that a connection from you
will be routed to the nearest Google data center, and from there to the final
server using Google's private network.

Google DNS uses both anycast and multihoming, so you will both be routed to
the nearest Google data center and then to the closest DNS server inside
Google's private network.

