

OpenDNS says they are being blocked by Verizon - sathyabhat
http://www.dslreports.com/shownews/OpenDNS-Were-Being-Blocked-By-Verizon-Wireless-111530?nocomment=1

======
davidu
I'm the founder of OpenDNS. This article is not accurate. We are blocked by
Sprint Wireless, not Verizon Wireless. You can't change your DNS easily when
using the Verizon Wireless 3G network's provided hardware, but if you are
using your device in tethering mode or a USB-connected fashion, you certainly
can use whatever DNS service you want.

How did this happen? We have, in the past, been blocked by Verizon Wireless,
either deliberately or due to technical issues, but it is not the case today.
I've been a VW customer for a few years, and it's a great service. And today,
Verizon FIOS service requires the user to have CPE that doesn't allow the user
to change their DNS (same with ATT U-Verse). Sprint Wireless blocks us today,
and always has.

In my phone interview, done too hastily or speaking too quickly, I misspoke
when speaking about Verizon FIOS and Sprint Wireless as examples of how our
customers aren't able to use our service and mixed up the companies. That or
the reporter misheard. Either way, this is a good reminder of why it's always
better to do email-based interviews. The reporter in this case is a very good
one whom I've worked with in the past, so I'm confident the error was mine. In
fact, most of the post (it's a Q&A) doesn't really capture the entirety of our
discussion, which is unfortunate. My actual sentiments are far less anti-ISP
and pro-Google than I think they came out. (repeat, I really dislike phone
interviews)

It's unfortunate that I wasn't able to correct the story earlier, though we
did work to get the original Washington Post blog updated right after it
posted (and it was corrected). Other sites didn't quite seem to pick up the
update. I've been trying to update other blogs where I can because it's not
fair for VW to be painted in this light. It should have been Sprint Wireless.
Some folks on my staff have also worked with Verizon Wireless to make sure
that they are not blocking us, and I thank them for their efforts.

~~~
techsupporter
_And today, Verizon FIOS service requires the user to have CPE that doesn't
allow the user to change their DNS_

I'm hesitant to publicly disagree with the founder of OpenDNS, but I have a
different experience. FiOS doesn't require the use of their provided CPE for
Internet access. The ONTs installed have both Ethernet and MoCA ports, and I
use a non-Verizon device connected to the ONT's Ethernet. Using a non-MoCA CPE
will break Verizon's television boxes, but the fix for this is to simply plug
Verizon's supplied CPE into both an Ethernet port on the replacement and the
shared coax segment.

~~~
davidu
I think this is right and what we've heard from users is right. It's actually
the same complaint from Uverse customers -- swapping out the ISP-provided CPE
breaks their TV service.

It seems you've got a work-around. We'd love to update our knowledge base with
this. I can't find contact info on your user page, can you email me david at
opendns dot com as I have a few more questions.

------
trotsky
DNS redirection (and the monetization thereof) is kind of a moot point in the
mid/long term in light of DNSSEC.

Consider the example of Comcast, an ISP that uses opt-out DNS redirection
advertising, but has been forced to give up the practice for its DNSSEC
resolvers:

* We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.

* Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.

* The production network DNSSEC servers do not have Comcast Domain Helper's DNS redirect functionality enabled.

* We recently updated our IETF Internet Draft on this subject, available at <http://tools.ietf.org/html/draft-livingood-dns-redirect>, to reflect this.

-- <http://www.dnssec.comcast.net/faq.htm>

~~~
sp332
Whoa, will DNSSEC prevent all DNS-level hijacking? OpenDNS has a DNS-level
blacklist option (totally opt-in) which redirects to their own servers. Will
that still be possible with DNSSEC?

~~~
trotsky
As this amounts to A record forgery, yes DNSSEC clients will prevent this.
There is really no technical difference between this practice and the
poisoning that DNSSEC is defined to defeat.

Of course there are plenty of other ways to blacklist or redirect IPs - using
routes, RBL subscriptions in software firewalls or through browsers like the
Google Safe Browsing subscriptions. DNSSEC won't be the place to do it,
though.
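
The web-error redirection discussed in this sub-thread (a resolver answering with an A record for a name that does not exist) can be checked from the client side. The following is an added example, not part of any comment in the thread: it parses a resolver's reply to a probe for a non-existent name and classifies it. The probe name, the sample replies and the address 192.0.2.10 are constructed.

```python
import struct

RCODE_NXDOMAIN, TYPE_A = 3, 1

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # compression pointer: 2 bytes, name ends
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def classify(msg):
    """Classify a reply to an A query for a name known not to exist."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                # skip question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):                # walk answer RRs, collect A records
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN and not addrs:
        return ("honest", addrs)       # resolver reported the name as missing
    if rcode == 0 and addrs:
        return ("redirected", addrs)   # NOERROR + A record for a missing name
    return ("inconclusive", addrs)     # SERVFAIL, empty NOERROR, etc.

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_reply(name, rcode, a_records=()):
    """Build a constructed sample reply (QR=1, RD=1, RA=1) for the demo."""
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for ip in a_records:               # owner name is a pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4)
        msg += bytes(int(x) for x in ip.split("."))
    return msg

PROBE = "qz7x1k-constructed-probe.example"           # constructed, non-existent
HONEST = build_reply(PROBE, RCODE_NXDOMAIN)          # constructed sample
REDIRECTED = build_reply(PROBE, 0, ["192.0.2.10"])   # constructed sample
```

Against a live resolver, the probe should use a freshly generated random label each time so that a cached answer cannot mask the behaviour.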

------
wladimir
Pretty dubious that they started blocking this. The availability of
alternative DNS systems makes it harder to censor domains.

------
Xuzz
Combine this with COICA and suddenly just changing your DNS provider becomes
quite a bit more difficult.

~~~
jrockway
If an "important" ISP starts blocking outbound port 53, then people will just
do their DNS lookups over HTTPS or whatever. This is irrelevant today because
nobody is censoring DNS yet. Combine documented DNS censorship with documented
blocking-of-port-53, and the problem will be fixed in hours.

(Funny story; my work laptop has some software installed that only allows ssh
connections to be made when connected to the VPN. But when connected to the
VPN, there are no routes to the Internet, so I can't check my email while
traveling with my work laptop. Change my sshd to bind port 443 in addition to
22, though, and ... the restriction is gone.

Censoring the Internet is hard, even when you control the network or client
machine!)

~~~
Xuzz
True, but each restriction just makes it that much harder to get around. For
the majority of people, the first block will stop them, but once you get into
cat-and-mouse land, you'll lose a bunch more.

~~~
jrockway
Meh, they don't seed torrents anyway :)

------
iwr
Most ISPs think that DNS is an afterthought, to be stuffed in an old box and
forgotten. Typical scenario: wait for a request, deny that request, then cache
and honor the request the second time round.

~~~
bobds
Is that why sometimes I open a webpage and it gets stuck loading with the
status bar displaying "Looking up example.com..."? If I reload the page it
then loads immediately. I've been thinking that it has something to do with
the cache, but why on earth would they deny the first request?

------
drallison
I'd like to put in a good word for OpenDNS. I've used them for several years
and have always found David Ulevitch and the company to be friendly, helpful,
and reliable.

~~~
nostromo
Seconded. It's faster than my own ISP's DNS. (Damn you, Speakeasy! _shakes
fist_ ) If you want to test for yourself, ping 208.67.222.222 (one of OpenDNS'
anycast DNS IPs). If it's faster than your ISP's, you should try switching.

~~~
spindritf
Network latency isn't the only factor. Use
<https://code.google.com/p/namebench/> to see which server will really be the
fastest for you.

Or roll out your own. It probably won't be the fastest option but close enough
and, more importantly, fully under your control.

------
tomjen3
While it's still bad, the article says it's only for the wireless part.

------
ChristianMarks
I would not like to see ISPs block alternative DNS services. I use OpenDNS to
block distracting sites, and alias <http://block.opendns.com> to localhost,
which is then redirected to my to-do list. A web server on my machine
redirects the default page at localhost to my to-do list on
<http://rememberthemilk.com>.

In addition, my /etc/hosts file includes the hosts file from
<http://www.mvps.org/winhelp2002/>, which aliases ad and tracker site domains
to localhost.

Ad blockers suppress ads, but do not provide positive reinforcement. Site
blocking software systems filter unwanted content, but do not substitute
desired content in its place. It's not enough to slap the user's hand.

The domain name filtering service OpenDNS displays a block page at
<http://block.opendns.com> if a site meets the criteria for filtering. This is
negative reinforcement. OpenDNS might provide positive reinforcement if users
could substitute something else, for example, an online to-do list such as
<http://rememberthemilk.com>, for the block page.

Maybe OpenDNS could provide such a service.

