This hijacking (I am blanking on the technical term for it) really rubs me the wrong way. Is there a way to get around it?
2) You can create an account with us (free) and disable DNS redirection. This will get _much_ better / easier in the coming months as we continue to move away from ad revenue as a revenue stream.
3) This is a really old story. :-)
Edit: OK, found it - free users need to go to advanced settings > domain typos and disable that.
"Typo Correction is required for Web Content Filtering.
You will lose 13 categories of blocking if you disable Typo Correction."
I invite correction, if I'm wrong, but I don't believe the option requires being a paying customer of their service.
note: I had a similar on another thread on HN, weird :0
easier said than done I know... my commuter train's wifi uses "Open"DNS, and most interesting websites are blocked (reddit, anything gaming related, etc), and the block pages are filled with their obnoxious advertising.
I've been saying this for years, but I can't wait for DNSSEC to put people like OpenDNS out of business (isn't it odd they want to FUD the waters by pushing DNSCrypt?)
Don't like having NXDOMAIN redirected? Disable it.
Want to filter out and be alerted on queries that seem to be due to known malware and phising and botnets? Select that option.
Want to limit access to websites with certain content? Select what you want to filter (I only filter out the Web Spam, Parked Domain, and Typo Squatting categories). Filter out nothing, if you prefer.
Are you a public library or academic institution or a work place and you have to restrict certain content? Select the porn or social networking or adware or other sections (yeah, this might rub people the wrong way, but OpenDNS is giving the administrator of a given network the control over their network to do what they want with it).
Really hate doubleclick? Add them to the blocked domain list on opendns.
I really fail to see why anyone would have significant problems with OpenDNS. I've been using them for years and I'm a software engineer who requires things to work as expected on my network for testing and debugging -- and OpenDNS hasn't ever been a problem for me, so I'd really like to know what legitimate problems people have with it (other than the fact that, like Comcast or any other provider of a service, they could theoretically be collecting data on you and utilize it in some nefarious fashion, which I just assume of all services free or paid these days).
This is probably incorrect.
Here's one of my ISP's (full disclosure: I work for this ISP) local NS:
--- 220.127.116.11 ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 990ms
rtt min/avg/max/mdev = 0.142/0.198/0.423/0.059 ms
--- 18.104.22.168 ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 1156ms
rtt min/avg/max/mdev = 36.448/36.820/37.379/0.346 ms, pipe 2
There are exceptions, but ISP-provided nameservers are often problematic. My ISP is one of the two or three biggest in the nation and they intercept NXDOMAIN, their response time is rarely better than OpenDNS or Google's DNS, and they have gone down more than a few times.
I've had none of these problems with OpenDNS.
One would like to believe that address resolution is such a basic vital service that every provider in every region on the planet both emphasizes and executes it superbly. Unfortunately, they frequently do not.
I don't know why using your ISP's nameservers is an assumed thing. Do you assume that everyone uses their ISP's provided email service? Their ISP's complimentary crappy webhosting service? Their ISP's bundled McAfee anti-virus? Of course not. You shop around for the best option for yourself. DNS is the same way. My ISP provides me with it, but so do a lot of other people. Some free and some for pay. When your ISP or another service isn't cutting it for you, you shop around for alternatives.
Right. The reasoning is, given that most queries are cache hits (otherwise it's something wrong with the nameserver or environment), lookup times are really negligible if compared to network latency. On our servers cache hits are about 78% of all queries. So, even if 22% of queries are somehow slower (say, latency between ns1.google.com and my DNS is about 47ms, and I guess for OpenDNS it's less than 20ms - so it's, say, 22% of queries are 30ms slower), still it should hold that for a typical user in most cases local ISP nameserver performs better than OpenDNS one.
> they intercept NXDOMAIN
I only wrote about speed, and this is a completely different point. Even if they have faster response times, invalid responses are not worth it, so I'm with you on this. BTW, I remember why I hopped away from OpenDNS - when they introduced premium plans they started to do some NXDOMAIN hijacking and ad injections. Opt-out, but still that annoyed me.
Stability is another issue, too. I guess OpenDNS should be a clear winner here, too, as they supposedly have a much more redundant nameserver infrastructure than the average ISP out there.
> I don't know why using your ISP's nameservers is an assumed thing.
It's not assumed, just a reasonable default. When you set up the IP layer, you need NS address(es). You don't need email or web hosting to participate in basic network connectivity, but you need DNS. Usually, setup is done automatically, using IPCP, DHCP or some other sort of configuration protocol, where the ISP supplies the client's machine with the necessary information. And obviously, most ISPs provide you with their nameservers, not some third party ones, because in case of failures they can run and fix their own infrastructure, but can only wait for a third party to solve problems on their side and hope it happens soon enough.
In most cases (i.e. unless the ISP is retarded to the extent of filtering out or redirecting DNS packets to other nameservers) you're obviously free to manually override the configuration with nameservers of your choice. Even encouraged if ISP-provided services are crappy. I've only argued that they should be generally faster, not the other way around.
The NXDOMAIN interception is actually why I wound up at OpenDNS, myself. It was back during the time that Comcast started to force it on users. I work with mega-enterprise-level email servers, among other things, and having my NXDOMAIN response screwed with is unacceptable. Between that and the occasional outages I had with their DNS over the years, I decided it was time to shift away.
Regardless, I think the good takeaway is that we live in a world where we have choices and I hope we keep that (and get more). You get to dislike OpenDNS and prefer your ISP and I get to dislike my ISP and opt for OpenDNS. :D
I'm still not sure why the practice of deliberately returning spoofed garbage in response to legitimate queries is seen as an acceptable practice.
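The NXDOMAIN interception several commenters above describe (an ISP or OpenDNS answering a name that does not exist with an A record pointing at a search/ad page) is easy to check for yourself. The following is an added example, not code from the thread or from any resolver operator: it hand-builds a DNS query for a name that cannot exist, parses the reply, and classifies it. The two sample replies at the bottom are constructed fixtures; the query name, the 203.0.113.5 address, and the assumption that a hijacking resolver answers NOERROR with an A record are all mine.

```python
"""Check whether a recursive resolver rewrites NXDOMAIN into a bogus A record.

Added example (not from the thread). Stdlib only: we build a DNS query by hand,
parse the reply, and classify it. The two sample replies below are constructed
fixtures; probe_resolver() sends a real query and needs network access.
"""
import random
import socket
import string
import struct

# Constructed test name. ".example" is reserved (RFC 2606), so an honest
# resolver must answer NXDOMAIN (RCODE 3). Assumption of this example: a
# hijacking resolver instead returns NOERROR with an A record.
QNAME = "zq7x3-does-not-exist.example"
QID = 0x1234


def _encode_question(qname, qtype=1, qclass=1):
    """Wire-encode a question section: labels, terminating zero, QTYPE, QCLASS."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)


def build_query(qname, qid, qtype=1):
    """Standard query with only RD set (flags 0x0100), one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_question(qname, qtype)


def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                            # resume after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return (id, rcode, [A record addresses]) from a raw DNS reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                                  # skip question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qid, rcode, addrs


def classify(sent_id, msg):
    """'honest-nxdomain', 'hijacked' (NOERROR plus A records for an impossible name), or other."""
    qid, rcode, addrs = parse_response(msg)
    if qid != sent_id:
        return "mismatched-id"
    if rcode == 3:
        return "honest-nxdomain"
    if rcode == 0 and addrs:
        return "hijacked"
    return "other-rcode-%d" % rcode


def probe_resolver(resolver_ip, timeout=3.0):
    """Live check (needs network): random label under .example, classify the reply."""
    rand = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(rand + ".example", qid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(qid, data)


# Constructed fixtures: flags 0x8183 = QR|RD|RA with RCODE 3; 0x8180 = same with RCODE 0.
HONEST_REPLY = struct.pack("!HHHHHH", QID, 0x8183, 1, 0, 0, 0) + _encode_question(QNAME)
HIJACKED_REPLY = (
    struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0) + _encode_question(QNAME)
    + b"\xc0\x0c"                                        # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 60, 4)                  # A, IN, TTL 60, 4 bytes
    + socket.inet_aton("203.0.113.5")                    # documentation address
)

if __name__ == "__main__":
    print("honest   ->", classify(QID, HONEST_REPLY))
    print("hijacked ->", classify(QID, HIJACKED_REPLY))
```

To test a real resolver, call probe_resolver("<resolver ip>") from a Python prompt; a fresh random label is used each time so a cached answer cannot mask the behaviour. Note that the check only sees the classic form of the practice (NOERROR with a synthetic A record); a resolver that merely answers slowly or with a different RCODE shows up as the "other" bucket and deserves a second look.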
I've never experienced such an ISP, and I've been through many. The mismanagement of ISP-hosted DNS, as far as I can tell, is the most common cause of residential "internet outage."
How did they provide DNS services to their clients then? Or they bootstrapped you (via DHCP[v6], PPP's IPCP or whatever they use to set up your IP layer) with public nameserver addresses like OpenDNS or Google Public DNS?
I believe I heard somewhere desktop Windows' resolver won't work iteratively and requires a nameserver capable of recursion. Although I may be mistaken on this matter.
the government franchise agreement forces the train operating company (TOC) to provide a free WiFi service... it doesn't say it has to be useful, so the TOC reduces their data costs by blocking most of the Internet.
to add insult to injury it's a subsidised service, so I'm paying twice for something that's unusable.
and no, there is no other TOC and no other reasonable way to commute, so I'm stuck with it.
I would rather use DJ Bernstein's DNSCurve though
I point this out mainly because I gave dnscrypt a shot more than a year ago on windows and it severely borked my internet in a non-obvious way which had nothing to do with DNS. For days I was limited to ~25kbps speeds. I had disabled dnscrypt at this point, and was on the verge of phoning my ISP to report a problem when I finally fully removed the windows client and the problem resolved itself. Playing with preview release software can seriously suck sometimes.
I believe this is a response to the "The free wifi on the bus hijacked my DNS" story that was on the front page earlier today.
Edit: this one https://news.ycombinator.com/item?id=7047682
The attackers already do it for so-called copyright infringement, but they could do it for any reason, if they wanted to. So, what about thoroughly decentralizing the DNS system and getting rid of the centralization of corruption at ICANN? Isn't that more urgent nowadays?
Your ISP doesn't need to see your DNS queries in order to know what sites you're visiting. They can see the IPs that you're sending packets to. They can see the HTTP "Host" header for HTTP. They can even see the hostname for HTTPS because of SNI.
Well, maybe four or five or ten. Don't forget all of the advertisements and beacons on the site you're visiting.
Well, maybe also Google, if you're using Chrome.
Oh, and maybe everybody, unless everything you're doing is always encrypted and it's through a VPN service that doesn't maintain any logging and isn't subject to government subpoena and can be thoroughly trusted.
Frankly, if your ISP can see it, then who cares who else along the chain does? Nobody else providing a service that can see your data is going to do anything with it that Comcast, Cox, Sprint, Verizon, AT&T, CenturyLink, and Frontier aren't already doing.
My point stands: If you use DNSCrypt+OpenDNS in order to try and hide your browser history from your ISP, not only will you not succeed, but you will make matters worse.
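The comment above makes a point worth seeing in bytes: even with DNS encrypted, the Host header of a plain HTTP request and the SNI field of a TLS ClientHello travel in the clear, so anyone on the path can read the hostname. The following is an added example, not code from the thread: build_client_hello() is a constructed fixture that emits just enough of a ClientHello to carry a server_name extension, and the two extract_* functions are what a passive observer would run. The sample request, hostnames and extension layout are my own choices.

```python
"""What a passive on-path observer can read without seeing a single DNS query.

Added example (not from the thread). Stdlib only. build_client_hello() is a
constructed fixture, not a real TLS client; extract_sni() and
extract_http_host() are the observer side.
"""
import struct

SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"  # constructed


def extract_http_host(request):
    """Plain HTTP: the Host header is simply there in the request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def build_client_hello(hostname):
    """Minimal TLS 1.2-style ClientHello carrying an SNI extension (fixture)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
    exts = (struct.pack("!HH", 0x0017, 0)                         # extended_master_secret, empty
            + struct.pack("!HH", 0x0000, len(sni)) + sni)         # server_name
    body = (b"\x03\x03" + bytes(32)                               # version, random (zeros)
            + b"\x00"                                             # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                  # one cipher suite
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record: handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                               # not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                               # not a ClientHello
    off = 4 + 2 + 32                                              # header, version, random
    try:
        off += 1 + hs[off]                                        # session id
        off += 2 + struct.unpack("!H", hs[off:off + 2])[0]        # cipher suites
        off += 1 + hs[off]                                        # compression methods
        if off + 2 > len(hs):
            return None                                           # no extensions block at all
        end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            if etype == 0x0000:                                   # server_name
                pos = off + 2                                     # skip list length
                while pos + 3 <= off + elen:
                    ntype = hs[pos]
                    nlen = struct.unpack("!H", hs[pos + 1:pos + 3])[0]
                    if ntype == 0:
                        return hs[pos + 3:pos + 3 + nlen].decode("ascii", "replace")
                    pos += 3 + nlen
            off += elen
    except (IndexError, struct.error):
        return None                                               # truncated or malformed
    return None


if __name__ == "__main__":
    print("HTTP Host :", extract_http_host(SAMPLE_HTTP))
    print("TLS SNI   :", extract_sni(build_client_hello("example.com")))
```

Point it at a real capture and the same extract_sni() works on the first record of any TLS connection, which is exactly how ISP and "free WiFi" middleboxes log and block HTTPS sites without touching DNS at all.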
Perhaps this is an easy way to achieve that for DNS at least. Not sure how many other protocols are necessary to tunnel from a server which is only responding to HTTPS, and installing security updates.