
Using OpenDNS with your own DNS

Posted by Roel Gloudemans on 21 February 2008 | 1 Comments

Tags: Linux, DNS

Yesterday I read an article about OpenDNS (http://www.opendns.com). OpenDNS adds domain-name-based filtering: you can configure your own whitelist and blacklist, and they also offer a list of categories to choose from. The most interesting category I found was phishing, but I imagine that if you have small children at home you'd also want to block porn and the like. On top of that they promise almost 100% service availability, superior performance, domain name spell checking and statistics gathering (which can be turned off).

The service is free, but you have to register and enter your source IP address, because the service is configured via the OpenDNS website. The only thing you need to change on your PC is the DNS server address. I suppose most people have this on auto-configure (via DHCP), so this adds a (small) piece of configuration. A downside is that this free service has to get its funding from somewhere, so ads are shown when pages are blocked or not found, but I can live with that.

I run a couple of services on a home server, among which this webserver and my mailserver. Because of this I have an internal DNS server which forwards all non-gloudemans.info queries to my ISP's DNS. All internal clients also use my local DNS, or they wouldn't be able to find my own webserver. Now I could just change my forwarders to point at the OpenDNS servers, but this has a couple of issues:

  • Some mail is relayed via a server from my ISP. The DNS name of this server only exists in the ISP's DNS.
  • It adds another party that can see who I'm sending mail to. I'm willing to trust my ISP, but trusting some free service off the Internet is another matter.
  • The network path to the OpenDNS servers is longer. Even though the OpenDNS servers might provide better uptime, I doubt the uptime as I actually see it (including the network between me and OpenDNS) is better. I can live with that for browsing, but I'd like better availability for the services I have running.
  • The mailserver, for example, doesn't need the functionality OpenDNS offers. Bugs in the OpenDNS software, for instance in the domain name spell checking, might even have an adverse effect. The ad page on "not found" is the clearest case: a resolver that answers with an address instead of NXDOMAIN breaks anything (a mailserver rejecting mail from nonexistent domains, say) that relies on NXDOMAIN meaning what it says. This is a nonexistent issue at the moment, but it has been one in the past and illustrates my point.
Now if the performance of OpenDNS is really better, I could consider using it for my mailserver as well (but then again, does it matter whether a mail goes out within two seconds or one?). So I decided to do a quick test with a script. It looks up a couple of domains and displays the time each lookup took in seconds. I ran the script twice against my ISP's DNS and twice against OpenDNS. The performance of both is very similar: the ISP's servers show a few spikes, but on the whole there isn't much difference. So there is no business case for using it on mail, but I still would like it for my browser.
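The timing script itself is not reproduced on this page. The following is an added example of the same measurement, not the author's script: it builds a raw DNS query (so the timing covers exactly one UDP round trip and no stub-resolver caching), sends it to each resolver, and only accepts a reply whose transaction id matches the random id it sent. The OpenDNS addresses are the ones used in the post; the ISP addresses are the placeholder values from the named.conf in the post and should be replaced with the ones from your own /etc/resolv.conf. The list of names is constructed for this example.

```python
import os
import socket
import struct
import time

# Constructed for this example. The ISP addresses are the placeholders from the
# named.conf in the post, not real resolvers; substitute your own.
RESOLVERS = {
    "isp-1":     "192.192.192.192",
    "isp-2":     "192.192.129.193",
    "opendns-1": "208.67.222.222",
    "opendns-2": "208.67.220.220",
}
NAMES = ["www.opendns.com", "gloudemans.info", "www.kernel.org", "www.debian.org"]


def build_query(name, qid, qtype=1):
    """Return a minimal RFC 1035 query packet for `name` (qtype 1 = A, class IN)."""
    # Header: id, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(part)]) + part.encode("ascii") for part in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_id):
    """Return (rcode, answer_count) from a response header.

    A reply whose transaction id differs from the one we sent is rejected
    rather than silently accepted as the answer.
    """
    if len(data) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    return flags & 0x000F, an


def time_lookup(server, name, timeout=2.0):
    """Send one UDP query; return (seconds, rcode, answers), or (None, None, None) on timeout."""
    qid = int.from_bytes(os.urandom(2), "big")      # random id, not a counter
    packet = build_query(name, qid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(packet, (server, 53))
        while True:
            data, _ = sock.recvfrom(4096)
            try:
                rcode, answers = parse_response(data, qid)
                break
            except ValueError:
                continue        # stray or mismatched datagram: keep waiting
        return time.monotonic() - start, rcode, answers
    except socket.timeout:
        return None, None, None
    finally:
        sock.close()


def main(runs=2):
    """Query every name `runs` times at every resolver and print one line per lookup."""
    for label, server in RESOLVERS.items():
        for name in NAMES:
            for _ in range(runs):
                secs, rcode, answers = time_lookup(server, name)
                if secs is None:
                    print(f"{label:10} {name:20} timeout")
                else:
                    print(f"{label:10} {name:20} {secs:6.3f}s rcode={rcode} answers={answers}")


if __name__ == "__main__":
    main()
```

The second run of each name shows the resolver's cache hit time, the first run its miss time; compare both, since a forwarder that is fast on cached names but slow on misses is the one a mailserver will notice. An rcode of 3 is NXDOMAIN; a resolver that returns rcode 0 with an answer for a name you know does not exist is rewriting negative responses.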

Luckily the DNS server used on most Linux distributions (BIND) has a feature called views. With views you can control the actions of the name server based on the client's address. First, there needs to be a clear distinction between server and client addresses. You can enter each client address into the DNS configuration by hand, but instead I split my local network from a class C (netmask /24) into four /26 ranges, giving me four distinct address ranges. All systems still use the /24 netmask; the /26 ranges are only an addressing convention that lets the name server tell the groups apart: .1 to .63 is everything server related, .64 to .127 wired clients, .128 to .191 wireless clients and .192 to .255 the DHCP range.

My named.conf looked like this (not a complete working config):

options {
    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    auth-nxdomain yes;
    listen-on { 127.0.0.1; 10.0.0.2; };
    forwarders {
        // ISP DNS one
        192.192.192.192;
        // ISP DNS two
        192.192.129.193;
    };
    allow-transfer {
        none;
    };
};

zone "0.0.10.in-addr.arpa." IN {
    type master;
    file "10.0.0.db";
};

zone "gloudemans.info." IN {
    type master;
    file "gloudemans.info.db";
};
Using my newly defined ranges and views, I changed this into the following (again not a complete working config; note that once views are used, every zone has to be declared inside a view, so the two zones are repeated in each):

acl serverips {
    // Don't forget the localhost
    127.0.0.1;
    10.0.0.0/26;
};

acl clientips {
    // Wired stations
    10.0.0.64/26;
    // Wireless stations
    10.0.0.128/26;
    // DHCP range
    10.0.0.192/26;
};

options {
    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    auth-nxdomain yes;
    listen-on { 127.0.0.1; 10.0.0.2; };
    allow-transfer {
        none;
    };
};

view servers {
    match-clients { serverips; };
    forwarders {
        // ISP DNS one
        192.192.192.192;
        // ISP DNS two
        192.192.129.193;
    };
    zone "0.0.10.in-addr.arpa." IN {
        type master;
        file "10.0.0.db";
    };
    zone "gloudemans.info." IN {
        type master;
        file "gloudemans.info.db";
    };
};

view clients {
    match-clients { clientips; };
    forwarders {
        // OpenDNS one
        208.67.222.222;
        // OpenDNS two
        208.67.220.220;
    };
    zone "0.0.10.in-addr.arpa." IN {
        type master;
        file "10.0.0.db";
    };
    zone "gloudemans.info." IN {
        type master;
        file "gloudemans.info.db";
    };
};
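To see which view a given client lands in before reloading named, here is an added example (not part of the original post and not BIND's own code) that reproduces the two rules the configuration above relies on: an address match list is evaluated in order and the first element that contains the address decides (a leading "!" turns that match into a rejection), and views are tried in the order they appear in named.conf, the first one whose match-clients accepts the address winning; an address that matches no view is refused by named. The acl and view definitions are copied from the config above; the list of addresses in the usage run is constructed for the example.

```python
import ipaddress

# Constructed for this example: the acl and view definitions from the named.conf
# above, in the order they appear there.
ACLS = {
    "serverips": ["127.0.0.1", "10.0.0.0/26"],
    "clientips": ["10.0.0.64/26", "10.0.0.128/26", "10.0.0.192/26"],
}
VIEWS = [
    ("servers", ["serverips"], ["192.192.192.192", "192.192.129.193"]),
    ("clients", ["clientips"], ["208.67.222.222", "208.67.220.220"]),
]


def acl_matches(acl_name, addr):
    """BIND address-match-list semantics: elements are tried in order and the
    first one containing the address decides; a leading '!' makes that match a
    rejection of the whole list."""
    ip = ipaddress.ip_address(addr)
    for element in ACLS[acl_name]:
        negate = element.startswith("!")
        if ip in ipaddress.ip_network(element.lstrip("!"), strict=False):
            return not negate
    return False


def select_view(addr):
    """Return (view name, forwarders) for a query from addr, or None when no
    view's match-clients accepts it (named then answers REFUSED)."""
    for view, acls, forwarders in VIEWS:
        if any(acl_matches(acl, addr) for acl in acls):
            return view, forwarders
    return None


if __name__ == "__main__":
    # Constructed sample clients: the server itself, the edges of the /26
    # ranges, a wired client, a DHCP client, and an address from another LAN.
    for addr in ["127.0.0.1", "10.0.0.2", "10.0.0.63", "10.0.0.64",
                 "10.0.0.70", "10.0.0.200", "192.168.1.5"]:
        print(f"{addr:12} -> {select_view(addr)}")
```

The run makes the weakness of the scheme visible: 10.0.0.63 and 10.0.0.64 are one address apart yet get different forwarders, so a client that renumbers itself into the first /26 is served by the ISP's DNS. On the real server, named-checkconf validates the syntax, and with query logging switched on each logged query names the view that handled it, which is the quickest way to confirm a client is where you expect.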
Now everything server related, like mail and the local webserver's statistics gathering, uses the ISP's DNS servers, while all local web browsers resolve non-local domains via OpenDNS and so profit from all its features. Note that this setup is not secure: views match on the client's source IP address, so anyone who does not want to use OpenDNS only has to change their IP address to one in the server range. It will work to keep your little children away from sites they should not see, but it won't work for a teenager (unless you use only 127.0.0.1 for the server view, and even then any client can point itself straight at another resolver unless your router blocks outbound port 53 from the client ranges). At that age a proper conversation is probably a better idea than just blocking content anyway.



Comments

  • Note that a split DNS also solves this issue, but for my home server (with no outside access to my DNS) I don't find it worthwhile to set this up.

    Posted by Roel Gloudemans, 21/02/2008 8:32pm (9 months ago)
