Use OpenDNS to block winzipices.cn

[fhpuqrgrpgvirzhpujbj]

Really useful to have OpenDNS when sites get updated. I had to wait a week with my ISP for sites to update. you can type in a domain and opendns will refresh it!

[franzon]

just add winzipices.cn and kisswow.com.cn in IE7's Restricted sites zone :D

Tools -> Internet options -> Security (tab) -> Restricted sites -> Sites -> winzipices.cn -> add

kisswow.com.cn -> add

Edited May 10, 2008 by franzon

[+Mystic MVC]

Just looking at the two world maps people have been putting up and they have servers no where near Nebraska, so I think the only way it will change my connection would be for the slower, like I mentioned before. The technology still interests me though.

[Guest]

I haven't noticed a speed difference. However OpenDNS is still a great tool. I moved alot of my customers onto it. It's the quickest and cheapest way of implementing content filtering.

[frogger]

Would i notice a difference even if my ISP's DNS servers ping faster than the opendns one?

The malware blocking and the faster speeds are tempting, but i don't want to take a speed decrease.

[Jonathan Yaniv]

Would i notice a difference even if my ISP's DNS servers ping faster than the opendns one?

The malware blocking and the faster speeds are tempting, but i don't want to take a speed decrease.

Yes, because of the large caches.

[Jonathan Yaniv]

Maybe, but that doesn't change the fact that they're way faster than OpenDNS (for me). I'm quite surprised that despite being around for so many years, they have such few servers (5, 1 upcoming), while DNS Advantage has so many (14, 3 upcoming).

--

Also, I fail to see how OpenDNS's servers are "situated strategically", considering the fact that most of them ('cept one) are located in the US -_-

In any case, a little bit of competition never harmed anyone :)

Ill talk with David about that.

[Jonathan Yaniv]

Would i notice a difference even if my ISP's DNS servers ping faster than the opendns one?

The malware blocking and the faster speeds are tempting, but i don't want to take a speed decrease.

There isnt any Malware blocking "yet", but i know its coming.

However, there is a fully functional adware blocking category.

[MMaster23]

I know it's for the better good but I don't like the idea of a group of people selecting the internet for me.

I know multiple people need to mark an address for spam/adware but look at google-bombs or Digg .. find enough people like you and you'll can block pretty much any website...

The internet and it's DNS as it is, is good enough.. If your ISP is really slow, switch ISPs.

Also there are plenty of DNS servers out there .. just regular DNS servers.

OpenDNS' website makes it look like DNS caching is a bad thing .. but basically .. they are doing the EXACT same thing.

Prob. implemented a bit different but other than that .. it's EXACTLY the same.

[[deXter]]

^

The filtering isn't forced on you; you can apply a category IF you choose to sign up and register your IP (or use their client). Otherwise, if you just use the DNS servers without registering, OpenDNS or anything else work as regular servers. Even *if* you register, you don't have to block servers if you don't want to.

This isn't about your ISP being slow, this is about resolving URLs faster. No ISP (afaik) maintains a cache as large OpenDNS / DNS Advantage / etc, so there are plenty of chances that your DNS request is propogated across many secondary DNS servers. What this affects is not the loading speed of particular objects, rather, the pause (gap) between loading objects on a page from different domains.

The speed results will vary from site to site. Forums usually have a chance of seeing speed improvements as avatars and signatures tend to be hosted on a variety of different servers. Once again, this *won't* affect the loading speed of the forum itself, so it's easy to say that you didn't notice any improvements.

Finally, it all depends on your ISP's DNS cache/speed. If you are sceptical about performance benefits, why not compare your ISP's DNS performance with other public servers?

[hosebeast]

There isnt any Malware blocking "yet", but i know its coming.

Malware is blocked automatically for all registered users, as part of the "Phishing" category. Management of the Phishing category is handled separately by PhishTank (just like the adult categories are managed by St. Bernard instead of OpenDNS user voting).

"Registered" simply means that you signed up at OpenDNS and specified your IP address(es), as opposed to simply pointing to their DNS servers (which you can do without registering).

At this time, however, PhishTank doesn't yet have winzipices.cn listed.

[funkymunky]

Thanks for this guys :)

Just set it up on my router :)

[Jonathan Yaniv]

Malware is blocked automatically for all registered users, as part of the "Phishing" category. Management of the Phishing category is handled separately by PhishTank (just like the adult categories are managed by St. Bernard instead of OpenDNS user voting).

"Registered" simply means that you signed up at OpenDNS and specified your IP address(es), as opposed to simply pointing to their DNS servers (which you can do without registering).

At this time, however, PhishTank doesn't yet have winzipices.cn listed.

Not exactly.. I cant discuss this in greater detail sorry. :-(

[hosebeast]

OpenDNS caches are going to expire at the same time as my ISP's caches, unless OpenDNS is ignoring the TTL.

Ahh, but with OpenDNS's larger user base, there's a higher probability that expired entries will get recached by somebody else's queries before the next time you need to resolve them.

The other aspect which is poorly misunderstood (because OpenDNS has been evasive about explaining it, due to privacy concerns) is that OpenDNS is actually running two different types of caching:

1. Caching of DNS. Nothing terribly special here. TTL is honored per RFC.

2. Web Proxy (HTTP caching) in certain situations. Here's where the privacy issue comes in. When this feature was quietly introduced, OpenDNS made it the default for all existing users without notifying them, and they didn't update their posted privacy policy (although the existing policy did not exclude the possibility, it also did not make it clear that they might do this). After a user raised the issue, they updated their policy and also disabled it in the default settings. To enable it, you must go to the "Network Shortcuts" section of the Settings tab in your Dashboard and check the box labelled "Enable OpenDNS proxy." Don't bother reading their explanation in the "Expand for details" link, because it's misleading; it makes you think that this feature is just to workaround an issue with Google Toolbar, but it affects any browser or other program even if you never install Google Toolbar. The problem is: They won't let you enable adult site blocking without enabling this option, so many people will simply enable it without drilling down in the KB article and testing for themselves.

I know what you're thinking: How can OpenDNS intercept my HTTP traffic if I don't set my browser proxy to point to their servers? I'm just pointing my DNS. Well, here's how it works... Whenever you try to resolve either of the following:

• A non-existent DNS name (either a typo, outdated link, or a domain whose authoritative name servers are down and isn't currently cached in OpenDNS's DNS cache)
  
• Certain specific DNS names like www.google.com (but not google.com)
  

OpenDNS returns the IP address of their Web Proxy server, not the actual site. Test for yourself!

1. Enable the proxy in your OpenDNS settings. Click Save and wait a few minutes for your account to finish updating.
   
2. Clear your local DNS cache (both your computer and any intermediate DNS server if you pointed your router or a LAN DNS server to OpenDNS).
   
3. Try to resolve www.google.com using ping or nslookup. Notice that you get an address like 208.69.32.* and if you are familiar with DNS and use nslookup, you will see that OpenDNS resolved www.google.com as a CNAME for google.navigation.opendns.com which is their Web Proxy. You can also go to ARIN and look up the netblock 208.69.32.230 to see that it belongs to OpenDNS and not Google. So when you go to www.google.com in your browser (any browser, regardless of your browser's proxy settings), OpenDNS's Web Proxy server is actually stepping into the middle. It uses the "host" value in the HTTP headers coming from any HTTP 1.1-compliant web browser (which covers all major browsers released in the past 10 years) to see that you were trying to go to www.google.com and OpenDNS fetches the page from Google's real site (or from OpenDNS's web cache, which happens 99.9% of the time) and sends it to your browser. Your browser thinks it's talking to Google the whole time. This doesn't happen on every Google URL. In particular, any Google URL which may use SSL will never be intercepted by the Web Proxy because OpenDNS can't spoof Google's SSL certificates properly.
   
4. Now try to resolve a non-existent DNS name such as fdgfd.jghrd.com and notice that it also resolves to the 208.69.32.* address. This does not mean that fdgfd.jghrd.com is a CNAME for www.google.com; it simply means that OpenDNS is trying to catch your typos and redirect you to their own search engine (where they display ads). However, this effectively bypasses any similar "auto-search" feature which may be built into your browser or a browser toolbar that you installed. Those features work by catching failed DNS queries but your DNS queries will never fail with OpenDNS's proxy enabled.
   
5. Point your DNS to your ISP's DNS servers (or for this quick test, you can point directly to Google's authoritative name servers which you can get from a whois lookup, for example 216.239.32.10 or 216.239.34.10).
   
6. Again, clear your local DNS cache(s).
   
7. Resolve www.google.com again. Notice that you will get addresses in a completely different netblock like 74.125.45.* (the exact ones you get may differ as Google constantly spreads their traffic around, but no matter what you get, you can verify with ARIN that Google owns these addresses.
   

Now you can understand that OpenDNS is already capturing millions of Google searches, URL typos and dead links from many users who don't fully realize it. That's not such a big deal, but it also tells you that OpenDNS has the technical ability to start capturing ALL traffic from every non-SSL site if they chose to start doing so. That's why it was important for them to update their privacy policy and make a clear statement of what they intend to do, and don't intend to do. They've done so (assuming you trust them 100%).

There's one more twist: Whenever you resolve any valid DNS name which appear to be a web site, OpenDNS's DNS servers immediately pass it to their Web Proxy servers before they reply to your DNS query. That's really the biggest reason why OpenDNS isn't as fast as DNS Advantage when you are strictly measuring DNS response time. This accomplishes one or two things for OpenDNS, depending on the particular DNS name:

• If the DNS name is one which they always intercept (such as www.google.com), they can pre-load their HTTP cache. By the time your browser receives the DNS reply (which would contain the IP address of OpenDNS's Web Proxy) and then sends the HTTP GET request, the Web Proxy has already ensured that it has a non-expired copy of the content you want (content which OpenDNS could theoretically modify).
  
• If their Web Proxy cannot connect to port 80 at the true IP address, their DNS servers will reply with the IP address of their Web Proxy so that OpenDNS can redirect you to their custom error/search page. This is slightly different than the auto-search feature described above. The feature above is applicable to non-existent DNS names. This feature applies to existing DNS names where the host is simply down or unreachable at the moment. Think about this for a second. It means that a true and correct IP address is available for your DNS query, but OpenDNS sends you a different address instead. I don't mind when they send me a bogus address for non-existent DNS names, but this is a whole different story because it can cause problems for DNS names that are occasionally used for HTTP but mainly for other protocols such as IMAP or SSH.
  

Having said all this, I personally do use OpenDNS and I recommend it to others. However, I avoid pointing LAN-connected computers directly to OpenDNS. Whenever there is a DNS server available on the LAN which is capable of domain-specific "forwarders" (example: Windows Server 2003/2008 or Unix/Linux bind; Windows 2000's forwarders can't do domain-specific), I set the default forwarders to OpenDNS and I add domain-specific forwarders which send google.com and certain other domains I care about to the authoritative name servers for those domains.

[Jonathan Yaniv]

Ahh, but with OpenDNS's larger user base, there's a higher probability that expired entries will get recached by somebody else's queries before the next time you need to resolve them.

The other aspect which is poorly misunderstood (because OpenDNS has been evasive about explaining it, due to privacy concerns) is that OpenDNS is actually running two different types of caching:

1. Caching of DNS. Nothing terribly special here. TTL is honored per RFC.

2. Web Proxy (HTTP caching) in certain situations. Here's where the privacy issue comes in. When this feature was quietly introduced, OpenDNS made it the default for all existing users without notifying them, and they didn't update their posted privacy policy (although the existing policy did not exclude the possibility, it also did not make it clear that they might do this). After a user raised the issue, they updated their policy and also disabled it in the default settings. To enable it, you must go to the "Network Shortcuts" section of the Settings tab in your Dashboard and check the box labelled "Enable OpenDNS proxy." Don't bother reading their explanation in the "Expand for details" link, because it's misleading; it makes you think that this feature is just to workaround an issue with Google Toolbar, but it affects any browser or other program even if you never install Google Toolbar. The problem is: They won't let you enable adult site blocking without enabling this option, so many people will simply enable it without drilling down in the KB article and testing for themselves.

I know what you're thinking: How can OpenDNS intercept my HTTP traffic if I don't set my browser proxy to point to their servers? I'm just pointing my DNS. Well, here's how it works... Whenever you try to resolve either of the following:

• A non-existent DNS name (either a typo, outdated link, or a domain whose authoritative name servers are down and isn't currently cached in OpenDNS's DNS cache)
  
• Certain specific DNS names like www.google.com (but not google.com)
  

OpenDNS returns the IP address of their Web Proxy server, not the actual site. Test for yourself!

1. Enable the proxy in your OpenDNS settings. Click Save and wait a few minutes for your account to finish updating.
   
2. Clear your local DNS cache (both your computer and any intermediate DNS server if you pointed your router or a LAN DNS server to OpenDNS).
   
3. Try to resolve www.google.com using ping or nslookup. Notice that you get an address like 208.69.32.* and if you are familiar with DNS and use nslookup, you will see that OpenDNS resolved www.google.com as a CNAME for google.navigation.opendns.com which is their Web Proxy. You can also go to ARIN and look up the netblock 208.69.32.230 to see that it belongs to OpenDNS and not Google. So when you go to www.google.com in your browser (any browser, regardless of your browser's proxy settings), OpenDNS's Web Proxy server is actually stepping into the middle. It uses the "host" value in the HTTP headers coming from any HTTP 1.1-compliant web browser (which covers all major browsers released in the past 10 years) to see that you were trying to go to www.google.com and OpenDNS fetches the page from Google's real site (or from OpenDNS's web cache, which happens 99.9% of the time) and sends it to your browser. Your browser thinks it's talking to Google the whole time. This doesn't happen on every Google URL. In particular, any Google URL which may use SSL will never be intercepted by the Web Proxy because OpenDNS can't spoof Google's SSL certificates properly.
   
4. Now try to resolve a non-existent DNS name such as fdgfd.jghrd.com and notice that it also resolves to the 208.69.32.* address. This does not mean that fdgfd.jghrd.com is a CNAME for www.google.com; it simply means that OpenDNS is trying to catch your typos and redirect you to their own search engine (where they display ads). However, this effectively bypasses any similar "auto-search" feature which may be built into your browser or a browser toolbar that you installed. Those features work by catching failed DNS queries but your DNS queries will never fail with OpenDNS's proxy enabled.
   
5. Point your DNS to your ISP's DNS servers (or for this quick test, you can point directly to Google's authoritative name servers which you can get from a whois lookup, for example 216.239.32.10 or 216.239.34.10).
   
6. Again, clear your local DNS cache(s).
   
7. Resolve www.google.com again. Notice that you will get addresses in a completely different netblock like 74.125.45.* (the exact ones you get may differ as Google constantly spreads their traffic around, but no matter what you get, you can verify with ARIN that Google owns these addresses.
   

Now you can understand that OpenDNS is already capturing millions of Google searches, URL typos and dead links from many users who don't fully realize it. That's not such a big deal, but it also tells you that OpenDNS has the technical ability to start capturing ALL traffic from every non-SSL site if they chose to start doing so. That's why it was important for them to update their privacy policy and make a clear statement of what they intend to do, and don't intend to do. They've done so (assuming you trust them 100%).

There's one more twist: Whenever you resolve any valid DNS name which appear to be a web site, OpenDNS's DNS servers immediately pass it to their Web Proxy servers before they reply to your DNS query. That's really the biggest reason why OpenDNS isn't as fast as DNS Advantage when you are strictly measuring DNS response time. This accomplishes one or two things for OpenDNS, depending on the particular DNS name:

• If the DNS name is one which they always intercept (such as www.google.com), they can pre-load their HTTP cache. By the time your browser receives the DNS reply (which would contain the IP address of OpenDNS's Web Proxy) and then sends the HTTP GET request, the Web Proxy has already ensured that it has a non-expired copy of the content you want (content which OpenDNS could theoretically modify).
  
• If their Web Proxy cannot connect to port 80 at the true IP address, their DNS servers will reply with the IP address of their Web Proxy so that OpenDNS can redirect you to their custom error/search page. This is slightly different than the auto-search feature described above. The feature above is applicable to non-existent DNS names. This feature applies to existing DNS names where the host is simply down or unreachable at the moment. Think about this for a second. It means that a true and correct IP address is available for your DNS query, but OpenDNS sends you a different address instead. I don't mind when they send me a bogus address for non-existent DNS names, but this is a whole different story because it can cause problems for DNS names that are occasionally used for HTTP but mainly for other protocols such as IMAP or SSH.
  

Having said all this, I personally do use OpenDNS and I recommend it to others. However, I avoid pointing LAN-connected computers directly to OpenDNS. Whenever there is a DNS server available on the LAN which is capable of domain-specific "forwarders" (example: Windows Server 2003/2008 or Unix/Linux bind; Windows 2000's forwarders can't do domain-specific), I set the default forwarders to OpenDNS and I add domain-specific forwarders which send google.com and certain other domains I care about to the authoritative name servers for those domains.

It has some advantages, if nameservers are not responding, it will throw it directly to guide.opendns.com instead of trying to connect, then timing out.

[LOC Veteran]

Hmmm, anyone mixing and matching DNS services? Like one OpenDNS and one DNS Advantage, or one DNS Advantage and one ScrubIT?

I've been using OpenDNS for quite awhile, but DNS Advantage has a server literally down my block, so I'll give them a go for one slot of DNS :D

[Hak Foo]

Hmmm, anyone mixing and matching DNS services? Like one OpenDNS and one DNS Advantage, or one DNS Advantage and one ScrubIT?

I've been using OpenDNS for quite awhile, but DNS Advantage has a server literally down my block, so I'll give them a go for one slot of DNS :D

What concerns me about these alternative-DNS systems is the way it's financed.

Doesn't it work by basically returning an ad server if you look up a bogus domain?

I was under the impression that breaking the "non-existent domain" response was considered a hugely bad thing when ISPs did it, or when the registrars tried to do it... so why is it acceptable if a third-party DNS supplier does it?

[Argi]

I remember looking at OpenDNS a few years back and they still don't have any Oceania server so until they do my ISP one is still faster. :(

[The_Decryptor Veteran]

Those features work by catching failed DNS queries but your DNS queries will never fail with OpenDNS's proxy enabled.

I can't stand behavior like that, a failure is supposed to be a failure, not silently redirected to an ad site.

Verisign did it and people ended up working around it in DNS servers, my router's DNS server supports it for a generic list of IP addresses (so I can make it return a failure even if the server gives me a IP)

And my ISP already proxies everything, running through multiple proxies would be slower than directly loading the site.

[xpgeek]

The difference is ISP's and Verisign didn't give you a choice in the matter. OpenDNS is voluntary, don't like the ad pages delivered on non existent domains, then don't use it. Doesn't bother me in the slightest.