Use OpenDNS to block winzipices.cn

By Jonathan Yaniv
in Back Page News

 Share

Recommended Posts

Explorer

Jonathan Yaniv

Posted
  • Author
Posted

Maybe, but that doesn't change the fact that they're way faster than OpenDNS (for me). I'm quite surprised that despite being around for so many years, they have such few servers (5, 1 upcoming), while DNS Advantage has so many (14, 3 upcoming).

Node_locations.png

--

Also, I fail to see how OpenDNS's servers are "situated strategically", considering the fact that most of them ('cept one) are located in the US -_-

In any case, a little bit of competition never harmed anyone :)

Ill talk with David about that.

Explorer

Jonathan Yaniv

Posted
  • Author
Posted
Would i notice a difference even if my ISP's DNS servers ping faster than the opendns one?

The malware blocking and the faster speeds are tempting, but i don't want to take a speed decrease.

There isnt any Malware blocking "yet", but i know its coming.

However, there is a fully functional adware blocking category.

Experienced

MMaster23

Posted
Posted

I know it's for the better good but I don't like the idea of a group of people selecting the internet for me.

I know multiple people need to mark an address for spam/adware but look at google-bombs or Digg .. find enough people like you and you'll can block pretty much any website...

The internet and it's DNS as it is, is good enough.. If your ISP is really slow, switch ISPs.

Also there are plenty of DNS servers out there .. just regular DNS servers.

OpenDNS' website makes it look like DNS caching is a bad thing .. but basically .. they are doing the EXACT same thing.

Prob. implemented a bit different but other than that .. it's EXACTLY the same.

Proficient

[deXter]

Posted
Posted

^

The filtering isn't forced on you; you can apply a category IF you choose to sign up and register your IP (or use their client). Otherwise, if you just use the DNS servers without registering, OpenDNS or anything else work as regular servers. Even *if* you register, you don't have to block servers if you don't want to.

This isn't about your ISP being slow, this is about resolving URLs faster. No ISP (afaik) maintains a cache as large OpenDNS / DNS Advantage / etc, so there are plenty of chances that your DNS request is propogated across many secondary DNS servers. What this affects is not the loading speed of particular objects, rather, the pause (gap) between loading objects on a page from different domains.

The speed results will vary from site to site. Forums usually have a chance of seeing speed improvements as avatars and signatures tend to be hosted on a variety of different servers. Once again, this *won't* affect the loading speed of the forum itself, so it's easy to say that you didn't notice any improvements.

Finally, it all depends on your ISP's DNS cache/speed. If you are sceptical about performance benefits, why not compare your ISP's DNS performance with other public servers?

Neowinian

hosebeast

Posted
Posted
There isnt any Malware blocking "yet", but i know its coming.

Malware is blocked automatically for all registered users, as part of the "Phishing" category. Management of the Phishing category is handled separately by PhishTank (just like the adult categories are managed by St. Bernard instead of OpenDNS user voting).

"Registered" simply means that you signed up at OpenDNS and specified your IP address(es), as opposed to simply pointing to their DNS servers (which you can do without registering).

At this time, however, PhishTank doesn't yet have winzipices.cn listed.

Explorer

Jonathan Yaniv

Posted
  • Author
Posted
Malware is blocked automatically for all registered users, as part of the "Phishing" category. Management of the Phishing category is handled separately by PhishTank (just like the adult categories are managed by St. Bernard instead of OpenDNS user voting).

"Registered" simply means that you signed up at OpenDNS and specified your IP address(es), as opposed to simply pointing to their DNS servers (which you can do without registering).

At this time, however, PhishTank doesn't yet have winzipices.cn listed.

Not exactly.. I cant discuss this in greater detail sorry. :-(

Neowinian

hosebeast

Posted
Posted
OpenDNS caches are going to expire at the same time as my ISP's caches, unless OpenDNS is ignoring the TTL.

Ahh, but with OpenDNS's larger user base, there's a higher probability that expired entries will get recached by somebody else's queries before the next time you need to resolve them.

The other aspect which is poorly misunderstood (because OpenDNS has been evasive about explaining it, due to privacy concerns) is that OpenDNS is actually running two different types of caching:

1. Caching of DNS. Nothing terribly special here. TTL is honored per RFC.

2. Web Proxy (HTTP caching) in certain situations. Here's where the privacy issue comes in. When this feature was quietly introduced, OpenDNS made it the default for all existing users without notifying them, and they didn't update their posted privacy policy (although the existing policy did not exclude the possibility, it also did not make it clear that they might do this). After a user raised the issue, they updated their policy and also disabled it in the default settings. To enable it, you must go to the "Network Shortcuts" section of the Settings tab in your Dashboard and check the box labelled "Enable OpenDNS proxy." Don't bother reading their explanation in the "Expand for details" link, because it's misleading; it makes you think that this feature is just to workaround an issue with Google Toolbar, but it affects any browser or other program even if you never install Google Toolbar. The problem is: They won't let you enable adult site blocking without enabling this option, so many people will simply enable it without drilling down in the KB article and testing for themselves.

I know what you're thinking: How can OpenDNS intercept my HTTP traffic if I don't set my browser proxy to point to their servers? I'm just pointing my DNS. Well, here's how it works... Whenever you try to resolve either of the following:

  • A non-existent DNS name (either a typo, outdated link, or a domain whose authoritative name servers are down and isn't currently cached in OpenDNS's DNS cache)
  • Certain specific DNS names like www.google.com (but not google.com)

OpenDNS returns the IP address of their Web Proxy server, not the actual site. Test for yourself!

  1. Enable the proxy in your OpenDNS settings. Click Save and wait a few minutes for your account to finish updating.
  2. Clear your local DNS cache (both your computer and any intermediate DNS server if you pointed your router or a LAN DNS server to OpenDNS).
  3. Try to resolve www.google.com using ping or nslookup. Notice that you get an address like 208.69.32.* and if you are familiar with DNS and use nslookup, you will see that OpenDNS resolved www.google.com as a CNAME for google.navigation.opendns.com which is their Web Proxy. You can also go to ARIN and look up the netblock 208.69.32.230 to see that it belongs to OpenDNS and not Google. So when you go to www.google.com in your browser (any browser, regardless of your browser's proxy settings), OpenDNS's Web Proxy server is actually stepping into the middle. It uses the "host" value in the HTTP headers coming from any HTTP 1.1-compliant web browser (which covers all major browsers released in the past 10 years) to see that you were trying to go to www.google.com and OpenDNS fetches the page from Google's real site (or from OpenDNS's web cache, which happens 99.9% of the time) and sends it to your browser. Your browser thinks it's talking to Google the whole time. This doesn't happen on every Google URL. In particular, any Google URL which may use SSL will never be intercepted by the Web Proxy because OpenDNS can't spoof Google's SSL certificates properly.
  4. Now try to resolve a non-existent DNS name such as fdgfd.jghrd.com and notice that it also resolves to the 208.69.32.* address. This does not mean that fdgfd.jghrd.com is a CNAME for www.google.com; it simply means that OpenDNS is trying to catch your typos and redirect you to their own search engine (where they display ads). However, this effectively bypasses any similar "auto-search" feature which may be built into your browser or a browser toolbar that you installed. Those features work by catching failed DNS queries but your DNS queries will never fail with OpenDNS's proxy enabled.
  5. Point your DNS to your ISP's DNS servers (or for this quick test, you can point directly to Google's authoritative name servers which you can get from a whois lookup, for example 216.239.32.10 or 216.239.34.10).
  6. Again, clear your local DNS cache(s).
  7. Resolve www.google.com again. Notice that you will get addresses in a completely different netblock like 74.125.45.* (the exact ones you get may differ as Google constantly spreads their traffic around, but no matter what you get, you can verify with ARIN that Google owns these addresses.

Now you can understand that OpenDNS is already capturing millions of Google searches, URL typos and dead links from many users who don't fully realize it. That's not such a big deal, but it also tells you that OpenDNS has the technical ability to start capturing ALL traffic from every non-SSL site if they chose to start doing so. That's why it was important for them to update their privacy policy and make a clear statement of what they intend to do, and don't intend to do. They've done so (assuming you trust them 100%).

There's one more twist: Whenever you resolve any valid DNS name which appear to be a web site, OpenDNS's DNS servers immediately pass it to their Web Proxy servers before they reply to your DNS query. That's really the biggest reason why OpenDNS isn't as fast as DNS Advantage when you are strictly measuring DNS response time. This accomplishes one or two things for OpenDNS, depending on the particular DNS name:

  • If the DNS name is one which they always intercept (such as www.google.com), they can pre-load their HTTP cache. By the time your browser receives the DNS reply (which would contain the IP address of OpenDNS's Web Proxy) and then sends the HTTP GET request, the Web Proxy has already ensured that it has a non-expired copy of the content you want (content which OpenDNS could theoretically modify).
  • If their Web Proxy cannot connect to port 80 at the true IP address, their DNS servers will reply with the IP address of their Web Proxy so that OpenDNS can redirect you to their custom error/search page. This is slightly different than the auto-search feature described above. The feature above is applicable to non-existent DNS names. This feature applies to existing DNS names where the host is simply down or unreachable at the moment. Think about this for a second. It means that a true and correct IP address is available for your DNS query, but OpenDNS sends you a different address instead. I don't mind when they send me a bogus address for non-existent DNS names, but this is a whole different story because it can cause problems for DNS names that are occasionally used for HTTP but mainly for other protocols such as IMAP or SSH.

Having said all this, I personally do use OpenDNS and I recommend it to others. However, I avoid pointing LAN-connected computers directly to OpenDNS. Whenever there is a DNS server available on the LAN which is capable of domain-specific "forwarders" (example: Windows Server 2003/2008 or Unix/Linux bind; Windows 2000's forwarders can't do domain-specific), I set the default forwarders to OpenDNS and I add domain-specific forwarders which send google.com and certain other domains I care about to the authoritative name servers for those domains.

Explorer

Jonathan Yaniv

Posted
  • Author
Posted
Ahh, but with OpenDNS's larger user base, there's a higher probability that expired entries will get recached by somebody else's queries before the next time you need to resolve them.

The other aspect which is poorly misunderstood (because OpenDNS has been evasive about explaining it, due to privacy concerns) is that OpenDNS is actually running two different types of caching:

1. Caching of DNS. Nothing terribly special here. TTL is honored per RFC.

2. Web Proxy (HTTP caching) in certain situations. Here's where the privacy issue comes in. When this feature was quietly introduced, OpenDNS made it the default for all existing users without notifying them, and they didn't update their posted privacy policy (although the existing policy did not exclude the possibility, it also did not make it clear that they might do this). After a user raised the issue, they updated their policy and also disabled it in the default settings. To enable it, you must go to the "Network Shortcuts" section of the Settings tab in your Dashboard and check the box labelled "Enable OpenDNS proxy." Don't bother reading their explanation in the "Expand for details" link, because it's misleading; it makes you think that this feature is just to workaround an issue with Google Toolbar, but it affects any browser or other program even if you never install Google Toolbar. The problem is: They won't let you enable adult site blocking without enabling this option, so many people will simply enable it without drilling down in the KB article and testing for themselves.

I know what you're thinking: How can OpenDNS intercept my HTTP traffic if I don't set my browser proxy to point to their servers? I'm just pointing my DNS. Well, here's how it works... Whenever you try to resolve either of the following:

  • A non-existent DNS name (either a typo, outdated link, or a domain whose authoritative name servers are down and isn't currently cached in OpenDNS's DNS cache)
  • Certain specific DNS names like www.google.com (but not google.com)

OpenDNS returns the IP address of their Web Proxy server, not the actual site. Test for yourself!

  1. Enable the proxy in your OpenDNS settings. Click Save and wait a few minutes for your account to finish updating.
  2. Clear your local DNS cache (both your computer and any intermediate DNS server if you pointed your router or a LAN DNS server to OpenDNS).
  3. Try to resolve www.google.com using ping or nslookup. Notice that you get an address like 208.69.32.* and if you are familiar with DNS and use nslookup, you will see that OpenDNS resolved www.google.com as a CNAME for google.navigation.opendns.com which is their Web Proxy. You can also go to ARIN and look up the netblock 208.69.32.230 to see that it belongs to OpenDNS and not Google. So when you go to www.google.com in your browser (any browser, regardless of your browser's proxy settings), OpenDNS's Web Proxy server is actually stepping into the middle. It uses the "host" value in the HTTP headers coming from any HTTP 1.1-compliant web browser (which covers all major browsers released in the past 10 years) to see that you were trying to go to www.google.com and OpenDNS fetches the page from Google's real site (or from OpenDNS's web cache, which happens 99.9% of the time) and sends it to your browser. Your browser thinks it's talking to Google the whole time. This doesn't happen on every Google URL. In particular, any Google URL which may use SSL will never be intercepted by the Web Proxy because OpenDNS can't spoof Google's SSL certificates properly.
  4. Now try to resolve a non-existent DNS name such as fdgfd.jghrd.com and notice that it also resolves to the 208.69.32.* address. This does not mean that fdgfd.jghrd.com is a CNAME for www.google.com; it simply means that OpenDNS is trying to catch your typos and redirect you to their own search engine (where they display ads). However, this effectively bypasses any similar "auto-search" feature which may be built into your browser or a browser toolbar that you installed. Those features work by catching failed DNS queries but your DNS queries will never fail with OpenDNS's proxy enabled.
  5. Point your DNS to your ISP's DNS servers (or for this quick test, you can point directly to Google's authoritative name servers which you can get from a whois lookup, for example 216.239.32.10 or 216.239.34.10).
  6. Again, clear your local DNS cache(s).
  7. Resolve www.google.com again. Notice that you will get addresses in a completely different netblock like 74.125.45.* (the exact ones you get may differ as Google constantly spreads their traffic around, but no matter what you get, you can verify with ARIN that Google owns these addresses.

Now you can understand that OpenDNS is already capturing millions of Google searches, URL typos and dead links from many users who don't fully realize it. That's not such a big deal, but it also tells you that OpenDNS has the technical ability to start capturing ALL traffic from every non-SSL site if they chose to start doing so. That's why it was important for them to update their privacy policy and make a clear statement of what they intend to do, and don't intend to do. They've done so (assuming you trust them 100%).

There's one more twist: Whenever you resolve any valid DNS name which appear to be a web site, OpenDNS's DNS servers immediately pass it to their Web Proxy servers before they reply to your DNS query. That's really the biggest reason why OpenDNS isn't as fast as DNS Advantage when you are strictly measuring DNS response time. This accomplishes one or two things for OpenDNS, depending on the particular DNS name:

  • If the DNS name is one which they always intercept (such as www.google.com), they can pre-load their HTTP cache. By the time your browser receives the DNS reply (which would contain the IP address of OpenDNS's Web Proxy) and then sends the HTTP GET request, the Web Proxy has already ensured that it has a non-expired copy of the content you want (content which OpenDNS could theoretically modify).
  • If their Web Proxy cannot connect to port 80 at the true IP address, their DNS servers will reply with the IP address of their Web Proxy so that OpenDNS can redirect you to their custom error/search page. This is slightly different than the auto-search feature described above. The feature above is applicable to non-existent DNS names. This feature applies to existing DNS names where the host is simply down or unreachable at the moment. Think about this for a second. It means that a true and correct IP address is available for your DNS query, but OpenDNS sends you a different address instead. I don't mind when they send me a bogus address for non-existent DNS names, but this is a whole different story because it can cause problems for DNS names that are occasionally used for HTTP but mainly for other protocols such as IMAP or SSH.

Having said all this, I personally do use OpenDNS and I recommend it to others. However, I avoid pointing LAN-connected computers directly to OpenDNS. Whenever there is a DNS server available on the LAN which is capable of domain-specific "forwarders" (example: Windows Server 2003/2008 or Unix/Linux bind; Windows 2000's forwarders can't do domain-specific), I set the default forwarders to OpenDNS and I add domain-specific forwarders which send google.com and certain other domains I care about to the authoritative name servers for those domains.

It has some advantages, if nameservers are not responding, it will throw it directly to guide.opendns.com instead of trying to connect, then timing out.

Grand Master

LOC Veteran

Posted
  • Veteran
Posted

Hmmm, anyone mixing and matching DNS services? Like one OpenDNS and one DNS Advantage, or one DNS Advantage and one ScrubIT?

I've been using OpenDNS for quite awhile, but DNS Advantage has a server literally down my block, so I'll give them a go for one slot of DNS :D

Collaborator

Hak Foo

Posted
Posted
Hmmm, anyone mixing and matching DNS services? Like one OpenDNS and one DNS Advantage, or one DNS Advantage and one ScrubIT?

I've been using OpenDNS for quite awhile, but DNS Advantage has a server literally down my block, so I'll give them a go for one slot of DNS :D

What concerns me about these alternative-DNS systems is the way it's financed.

Doesn't it work by basically returning an ad server if you look up a bogus domain?

I was under the impression that breaking the "non-existent domain" response was considered a hugely bad thing when ISPs did it, or when the registrars tried to do it... so why is it acceptable if a third-party DNS supplier does it?

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted
Those features work by catching failed DNS queries but your DNS queries will never fail with OpenDNS's proxy enabled.

I can't stand behavior like that, a failure is supposed to be a failure, not silently redirected to an ad site.

Verisign did it and people ended up working around it in DNS servers, my router's DNS server supports it for a generic list of IP addresses (so I can make it return a failure even if the server gives me a IP)

And my ISP already proxies everything, running through multiple proxies would be slower than directly loading the site.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • What are you listening to?

      By darkz · Posted

    • Neowin's 2026 Desktop Thread

      By darkz · Posted

      👽
    • Nvidia 610.62 driver lands with big bug fixes and Empulse support

      By excalpius · Posted

      Also, Guru3D.com always has some pros and experts lurking in the comments.
    • This 4K webcam from Acer is now only $59.99

      By Jaybonaut · Posted

      If anyone is wondering, it's 30fps at 4K
    • This 4K webcam from Acer is now only $59.99

      By TarasBuria · Posted

      This 4K webcam from Acer is now only $59.99 by Taras Buria Those looking for an affordable, high-resolution webcam from a reputable manufacturer can check out the latest deal from Acer, which puts its 4K webcam at a solid price. Thanks to a 14% discount, you can buy this all-metal 4K webcam from Acer for just $59.99. Despite the affordable price tag, the webcam has a pretty large 1/2" CMOS sensor manufactured by Sony. Apart from its size, it supports additional conveniences, such as high dynamic range and phase-detection autofocus (PDAF). Plus, the camera ensures you do not have to buy additional audio equipment, as it comes with two built-in high-sensitivity microphones, a built-in background noise filter, and the ability to pick up your voice from up to 2.5 meters away. Acer is not cheaping out on materials, and the webcam is enclosed in a more premium metal case, which is also good at heat dissipation (high-resolution cameras can get quite hot). And to make sure no one is peeping at you when the camera is in use, there is a magnetic cover also made of metal. Additional conveniences include an LED status indicator and a built-in mount that lets you place a camera on a tripod. Acer 4K Webcam for PC/Mac with All-Metal Unibody Sculpted - $59.99 | 14% off Good to know This Amazon deal is U.S.-specific and not available in other regions unless specified. We only use first-party seller links (at the time of article publishing); ensure that you purchase from a first-party seller link only. Check out Today's Deals on Amazon | or our recent tech deals. Become a Prime member (for Students or SNAP) via Neowin Get Prime Access - Prime for half price (for qualifying Medicaid, EBT, SNAP) Subscribe to Prime Video, Audible Plus, Music Unlimited, or Kindle Unlimited via Neowin As an Amazon Associate, we earn from qualifying purchases.

  • Recent Achievements

    • Conversation Starter
      NovaEdgeX earned a badge
      Conversation Starter
    • One Year In
      Console General earned a badge
      One Year In
    • One Year In
      Twozo Technologies earned a badge
      One Year In
    • One Month Later
      Twozo Technologies earned a badge
      One Month Later
    • Week One Done
      Twozo Technologies earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      519
    2. 2
      +Edouard
      185
    3. 3
      PsYcHoKiLLa
      107
    4. 4
      Steven P.
      87
    5. 5
      ATLien_0
      67
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!