
No more ads - philip1209
http://blog.opendns.com/2014/05/29/no-more-ads/
======
jblow
The attempt to put a positive spin on the ad-version is kind of absurd.

Translation: "We tried to serve ads in a way that broke basic functionality
for many people. But we didn't make that much money, so we are going to stop
being malicious actors, and we're going to start following the protocols we're
supposed to follow."

~~~
davidu
Except that isn't accurate. I get that's how you see it, but that's just not
true.

It's ridiculous to say we broke things for many people. Our growth numbers
tell a different story. Doesn't mean DNS nerds didn't like creating an account
to re-enable standard nxdomain behavior, but it didn't cause issues for most
people.

We made real money from ads, enough to be profitable with a decent-sized (20+)
team. But we never saw a way to go from 5m to 50m or 500m with ads though. And
we never loved the ads. I just never thought it aligned our interests with our
customers in the right way. I get that Google has figured it out, and Facebook
and Twitter sort of have, but we couldn't, and didn't want to.

Plus, at the time, you have to recall the browser landscape was wildly
different. In fact, it's very possible that we may have created the
eventuality of today by doing what we did. Chrome didn't even exist when we
started. There was no omnibus. I demo'ed our service to Sundar Pichai back in
2007.

~~~
wdr1
Hijacking NXDOMAIN for non-existent domains does not follow standards & is
definitely breaking things.

~~~
stuki
The relevant question isn't whether it is "breaking things" in the abstract,
but whether it is breaking things in a way meaningfully detrimental to end
users. Or, if you really want to stretch it, perhaps also include
externalities imposed on the "internet as a whole."

In the era before the omnibox, I personally can't see much in the way of
"breaking things" on account of OpenDNS. Doesn't mean you and others can't
disagree with that, but it's not as cut and dried as your statement seems to
imply.

~~~
growse
For something that's as fundamental to the internet as DNS, good luck
measuring the meaningful detriment to your end users.

------
mschuster91
Looks like Google's 8.8.8.8/8.8.4.4 stole them quite a bunch of traffic,
simply due to it being (often) faster and ad-free. It was e.g. impossible to
use OpenDNS on a server doing mail stuff because OpenDNS would resolve
everything and their dead mother instead of returning NXDOMAIN.

Well, now I think I'll switch over to OpenDNS as soon as they prove to deliver
un-manipulated DNS service. One way less for Google to track me.

edit: does anyone know if Cloudflare is also in the DNS business, from the
resolver side? I know they and Amazon (Route53) do DNS server hosting, but
does Cloudflare also provide public resolvers?

~~~
alec
re: "One way less for Google to track me."

Google says that they don't use Google DNS for tracking.

From the Google DNS privacy page: "We built Google Public DNS to make the web
faster and to retain as little information about usage as we could, while
still being able to detect and fix problems. Google Public DNS does not
permanently store personally identifiable information."

They go on in some detail to say how and what they log.

[https://developers.google.com/speed/public-dns/privacy](https://developers.google.com/speed/public-dns/privacy)

~~~
mschuster91
But you can bet that at least the NSA and 3-letter-agencies around the world
do monitor anything going to or coming from these two IPs. It's just a too
convenient target.

More distributed resolvers (like with Cloudflare/Amazon datacenters directly
linked to ISPs) would make this type of spying orders of magnitude harder
(they must actively infiltrate the ISPs network instead of just tapping the
DECIX/exchange switches, which e.g. German BND is ALLOWED to do!).

Shit, I'd _pay_ for Cloudflare or any other service to build robust,
interception-secured DNS servers. Or my provider, but providers have a
shameful track record of building fast and reliable DNS servers.

~~~
davidu
We support DNSCrypt which will encrypt your DNS traffic between you and us.
That's the last mile, at least. We support DNSCurve for the other hops, but
almost nobody else does.

~~~
bodski
How about DNSCurve for traffic between you and us? (client requests). That'd
be nice!

~~~
davidu
DNSCrypt meets this need and is based on the same crypto from DJB. If you're
running a full-blown resolver, I'm not sure if DNSCurve works if you forward
to us... I'd have to find out.

------
tty
An alternative to all these popular DNS servers is the Swiss Privacy
Foundation

[http://www.privacyfoundation.ch/de/service/server.html](http://www.privacyfoundation.ch/de/service/server.html)

      77.109.138.45
      77.109.139.29

No blocking, no logging except for errors (the IP is not logged).

~~~
marquis
I've been using this for about 6 months in various parts of the globe and have
been very happy. If there is a donate button on their site (my Deutsch
language is lacking) I would like to know.

~~~
grmarcil
It seems you could become a member for 35 Swiss Francs (~40 USD) per year.
[http://www.privacyfoundation.ch/en/association/membership.ht...](http://www.privacyfoundation.ch/en/association/membership.html)

~~~
marquis
Given it costs at least $25 to send, and more fees to receive, a bank wire
transfer it seems strange to only offer this method. Perhaps it is easier if
you have a European bank.

------
jacquesm
> Text ads and banners alike, they’re all vectors for the spread of malware.

That's an excellent argument pro-ad blockers. Typically ad-blocker users are
berated because they're 'stealing from the publishers' or something to that
effect, but it makes good sense from a security point of view too. And it
rationalizes so much better than 'the web is faster this way' (assuming that's
even the case).

~~~
eli
I guess it's good for security... but if your computer can be hijacked by
loading a website, you're going to have a bad day even if you're blocking ads.
For example, I would bet hacked websites are a much more common malware vector
than ads.

~~~
davidu
With the proliferation of real-time auction and backfill ad networks, the
ability for a bad user to inject javascript or malicious Flash ads into the ad
creative space carried on major sites has grown dramatically over the last few
years.

It's hard to even tell who is serving up your ads sometimes without pulling
out wireshark or some kind of HTTP proxy to look at the request chain.

~~~
eli
Again, though, if an ad blocker is the only thing standing between you and a
zero-day, you need to immediately stop what you're doing and patch your
browser.

It's true there are bad actors taking advantage of ad networks. There are bad
actors hacking Wordpress installs too.

~~~
belorn
Google search and most browsers will protect users against known malicious
websites that have been hacked. They can't do that with malicious ads.

~~~
eli
They can and do. If a site runs a malicious ad, Google will flag the whole
site.

------
enscr
Search "opendns vs google dns"
[https://www.google.com/webhp?q=opendns+vs+google+dns#q=opend...](https://www.google.com/webhp?q=opendns+vs+google+dns#q=opendns+vs+google+dns)

One of the top links is titled "OpenDNS vs. Google Public DNS" and points to:
[http://www.opendns.com/about/global-dns-infrastructure](http://www.opendns.com/about/global-dns-infrastructure)

There's no mention of Google on that page. How do I trust a company that's
tricking users with misleading titles?

~~~
sumedh
That is actually a good point, not sure why you got downvoted.

------
DanBlake
It's nice to say "we stopped doing it because we love our users" but I always
feel like there is something more behind the scenes that makes these things
happen.

Did chrome or Firefox recently change the way they handle nonexistent DNS
answers so that opendns '404 pages' would no longer work? If the writing was
on the wall it might make sense for opendns to get ahead of it, since there
wouldn't be much they could do to combat browser level changes.

Or:

Did google/yahoo not renew their search feed agreement with them to be the
search provider and/or significantly change the rates? I know google has been
coming down very hard on toolbar makers so perhaps this is Google's way of
getting out of that biz (And forcing opendns's hand)

~~~
ChuckMcM
My guess is that a) the ads on the page don't monetize well, b) the ad
networks willing to pay to advertise there are sketchy, and c) users complain.

~~~
davidu
You should see my other response in this thread. Maximizing ad revenue put us
in an arms race for a cause we don't even believe in. So why continue it? Our
time is far better spent elsewhere.

~~~
bigbugbag
Then again why engage in this practice in the first place ?

------
nly
So I guess an analogy for this move would be like if Google announced Gmail
was going ad-free for freeloaders because their Google Apps platform was now
their sole money-spinner. Though, I imagine, vastly different cost structure
and conversion rates.

I find it hard to be too cynical when OpenDNS were one of the few companies to
give DNSCurve a whirl.

~~~
davidu
Your analogy is right. Thanks for the note on DNSCurve. Expect more work here
and with DNSCrypt in the future.

------
bluedino
We used OpenDNS until we sent out an email that linked to SurveyMonkey - the
URL was wrong, it said surveymonkye.com

The problem was our QA never caught it, since OpenDNS 'fixed' the request
during testing. 24,000 emails later, we were instantly alerted to the bad
link.

~~~
mjolk
You pay a QA to read outgoing emails to customers and they don't even click
links?

Are you hiring?

~~~
bluedino
They clicked the links. But OpenDNS 'fixes' the request from the browser,
sending you to the right URL even if you enter the wrong one. That's why QA
didn't catch it.

~~~
mjolk
Oh weird. It searches for the most relevant thing and flows through? I thought
their nxdomain stuff was just to serve ads, not provide redirects to existing
sites.

------
mahouse
The amount of users they have lost to Google and other DNS providers without
ads and that follow the standards (i.e. NXDOMAIN, etc.) must be big.

------
joshfraser
Props to davidu for skating to where the puck is going and not where it's
been.

------
fataliss
I've always hated ads. Because most of the time products use it without
embracing it and integrating it fully. Anywhoo, I'm happy to see OpenDNS
getting out of this revenue model, I hope it's gonna work so others might be
inspired! Who knows.

------
blueskin_
Very nice, I might give OpenDNS another try as my backup DNS server now. I
hate NXDOMAIN hijacking with a passion.

>This experience is one of the only reasons people cite to not use OpenDNS.

Yep, because people care about their privacy. I'm surprised OpenDNS didn't
notice this before. I will probably start recommending them again now; after
all, almost anyone is better to trust with something like DNS than google.

~~~
bigbugbag
They obviously noticed and knew but did not care, as stated in the post
OpenDNS is a revenue oriented company as such they're going after the money
which for a service nobody's going to pay money for means going the "make them
pay with their privacy " way a.k.a. ads.

------
wtallis
I wonder if they're planning on implementing DNSSEC, given that this change is
a prerequisite for full DNSSEC support. They would also have to be willing to
use a less user-friendly method of blocking phishing domains (like return an
unsigned NXDOMAIN that doesn't validate).

------
melville_X
A good free alternative is Comodo (8.26.56.26), I trust them slightly more
than Google and they have security features such as malware detection.

[http://www.comodo.com/secure-dns/](http://www.comodo.com/secure-dns/)

~~~
higherpurpose
Comodo? _This_ Comodo?

[https://www.schneier.com/blog/archives/2011/03/comodo_group_...](https://www.schneier.com/blog/archives/2011/03/comodo_group_is.html)

[http://youtu.be/pDmj_xe7EIQ?t=4m59s](http://youtu.be/pDmj_xe7EIQ?t=4m59s)

------
bigbugbag
For those of you who prefer to use a different DNS server from the one
provided by your ISP, thanks to the work of Chris Hill you can make good use
of this resolv.conf:

[http://www.chaz6.com/files/resolv.conf](http://www.chaz6.com/files/resolv.conf)

WARNING: Not to be used as is, be smart and only activate a handful of those
DNS servers.

------
unreal37
Congrats davidu and opendns on making bold choices and thinking about users
despite millions in revenue you could have made.

------
kolev
I either use Google Public DNS or DNSCrypt with one of these here
([https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscr...](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv)).
Some providers even support Namecoin and DNSSEC validation.

------
brokentone
This is only partially related, but ad quality is just so bad, that it's
becoming nearly a moral issue (as essentially is here) making ads the business
model.

I wonder if there isn't a business case for highly QA'd ads? Or is there too
little visibility into that for the average consumer to appreciate the value?

------
fiatjaf
Well, I remember not even knowing what was DNS, and having the bad luck of
having a computer with OpenDNS set as its primary DNS, I don't know why.

I only know I thought it was a malware and the first thing I did when I
learned it was a DNS server was to change it.

------
zobzu
I stopped using opendns when they added ads. I might use it again then.

------
ing33k
just trying to figure out this, won't the people who bother changing their DNS
also use an Ad-blocker ?

~~~
mcpherrinm
OpenDNS is used in a lot of places like coffee shop wifi where your users
aren't the same as the savvier people who set up the internet. At least that's
the only place I encounter (and then curse) their "guide".

Lots of people not using adblocking there.

