OpenDNS – Web-filtering for the enterprise. Really ?!?

7 02 2010

I was intrigued when invited to a webinar hosted by OpenDNS regarding their enterprise DNS offerings. I have been an OpenDNS user at my residence since 2006 when their service was first launched.

Traditionally OpenDNS has been targeted at the residential consumer, providing a more secure and reliable DNS service than the consumer’s ISP bothered to provide. You see, ISPs make no money from DNS; it’s a sunk cost for them, so they put as little money into DNS as necessary to keep things running. Corporations pay considerably more for their internet service and have Service Level Agreements in place to ensure they get consistent and reliable service, so the same motivation to switch does not exist at the enterprise level. Additionally, internal network infrastructure requires a local DNS service to be managed by the host company anyway, so they often don’t need technical help in managing connections to the public DNS infrastructure.

So what exactly are the proposed advantages of OpenDNS for an enterprise? Like me, you might be surprised to learn they have quite a bit to offer.

[Image: OpenDNS Filter Categories]

The title of the blog kinda gives it away, OpenDNS have built an extensive and granular web-filter into their DNS service which offers both technical and cost advantages to the enterprise. The argument goes as follows…

Traditional corporate web-filtering is dominated by companies such as WebSense and Blue Coat Systems. Their solutions are proxy-based systems, meaning that every piece of web traffic goes through their web-filter solution, often resulting in a single point of failure or point of congestion. OpenDNS by comparison checks the web address requested by the user against their filter and, if access is granted, hands control back to the browser, allowing traffic to flow unimpeded by the filtering system. Additionally, OpenDNS does not monitor the web traffic after hand-off, so there are no additional privacy concerns.

On-premise web filtering equipment can be costly and complex to maintain, especially when a large number of locations are involved. With OpenDNS no additional hardware is required. This means no up-front capital outlay, quick deployment and minimal maintenance. (To be fair to WebSense, they have hosted cloud based solutions as well – but they are still proxy based).

OpenDNS tout some high profile clients such as NVidia, BP and Tampa Airport. To add a local flavor, the Metropolitan Government of Nashville and Davidson County chose OpenDNS for free WiFi services in 2008.

The Q&A session following the presentation raised and answered some concerns.

Q. What if the end user (or a piece of malware) uses an IP address rather than a web address, therefore not requiring DNS translation? Will this not bypass the filter? A. In most cases this will not bypass the filter; most HTTP traffic is based on HTTP 1.1, which requires that a host header be included, therefore the request is still routed via OpenDNS. One note of concern: ‘in most cases’ isn’t exactly iron-clad security.

Q. Roaming users need to use the OpenDNS Dynamic IP software to provide continuous coverage. Is there a client for Linux systems? A. OpenDNS do not have a Linux client yet; they advise use of a 3rd party system for those systems. OpenDNS servers will work with these 3rd party systems.

Q. Can OpenDNS web-filtering be time sensitive (e.g. news sites can only be browsed during off-hours, lunch time)? A. No – this is not possible at this time for enterprise customers, only the residential Netgear hardware based OpenDNS solution can offer this.

Q. Support for IPv6? A. Not yet, some parts of the OpenDNS infrastructure are not ready for IPv6 just yet.

Q. Content Filtering? A. By definition OpenDNS’s service does not attempt to provide content filtering. This is both a benefit and a failing. It is a benefit because false positives are fairly likely with content filters due to the contextual nature of English and other languages, so OpenDNS’s potential for false positives is reduced. Of course it’s a failing since it doesn’t have this feature at all.
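Returning to the first question above (traffic addressed to an IP rather than a name): one way to measure how much traffic falls outside the "most cases" is to correlate resolver logs with egress flow logs and flag connections whose destination the client never received in a DNS answer. The following is an added example, not part of the original post or of any OpenDNS tooling; the log layouts, the `INTERNAL` range, the one-hour window and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space; flows to it are out of scope.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed resolver log: (epoch_seconds, client_ip, queried_name, answer_ip)
DNS_LOG = [
    (1000, "10.0.0.5", "news.example", "203.0.113.10"),
    (1005, "10.0.0.5", "cdn.example", "203.0.113.20"),
    (1010, "10.0.0.7", "mail.example", "198.51.100.4"),
]
# Constructed egress flow log: (epoch_seconds, client_ip, dest_ip, dest_port)
FLOW_LOG = [
    (1001, "10.0.0.5", "203.0.113.10", 80),   # resolved one second earlier
    (1020, "10.0.0.7", "203.0.113.10", 80),   # answer went to another client
    (1030, "10.0.0.5", "192.0.2.99", 443),    # never returned by the resolver
    (5000, "10.0.0.5", "203.0.113.20", 443),  # resolved, but too long ago
    (1040, "10.0.0.7", "10.0.0.1", 80),       # internal destination
]

def unresolved_flows(dns_log, flow_log, max_age=3600, ports=(80, 443)):
    """Return web flows to external IPs that the same client did not obtain
    from a DNS answer in the max_age seconds before the connection."""
    answers = defaultdict(list)  # (client, answer_ip) -> answer timestamps
    for ts, client, _name, answer in dns_log:
        answers[(client, answer)].append(ts)

    flagged = []
    for ts, client, dest, port in flow_log:
        if port not in ports or ipaddress.ip_address(dest) in INTERNAL:
            continue
        seen = answers.get((client, dest), [])
        # A flow is explained only by an answer that precedes it and is recent.
        if not any(0 <= ts - t <= max_age for t in seen):
            flagged.append((ts, client, dest, port))
    return flagged

if __name__ == "__main__":
    for flow in unresolved_flows(DNS_LOG, FLOW_LOG):
        print("no matching DNS answer:", flow)
```

Flagged flows are a triage signal rather than proof of bypass: clients that use another resolver or hold long-lived cached answers will also appear, so tune `max_age` to the TTLs seen in the resolver log.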

Bottom Line: OpenDNS is a credible and robust solution for most enterprises. It does not offer the very highest level of scrutiny available, so may not be appropriate for enterprises requiring very strict or advanced filtering options. For the majority of enterprises it offers a very affordable, very reliable solution that requires very little technical expertise or up-front capital to deploy or maintain. A clear-cut decision IMHO for small to medium businesses looking for a web-filtering solution.



