OpenDNS can be easy to undo

CORRESPONDENT
June 10, 2012

A couple of readers, including one of our own expert geeks, had a few points to add about my recent column on OpenDNS, a free service that allows users to filter certain types of incoming content from their computer or network.

By following an easy set of online instructions (www.opendns.com), users can reassign the task of translating Web addresses to OpenDNS. Once the service is in charge of turning the Web addresses into their corresponding server locations, you get more control over what actually gets into your network. That can be particularly valuable if you’re trying to protect children from certain types of content.

But the problem with this strategy, according to IBM Distinguished Engineer and IT Security Architect Jeff Crume, is that it’s as easy to undo as it is to implement. Any user with some degree of tech savvy can change the DNS settings, completely circumventing OpenDNS.

“As a content filtering solution, it is only going to be as good as the level of cooperation you have from end users,” Crume said in an email. “If those end users are kids you’re trying to corral, I wouldn’t put a great deal of confidence in this mechanism.”
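The weakness Crume describes can at least be detected on a machine you control. The following is an added example, not part of the original column or any OpenDNS tool: it audits the text of a Unix-style `resolv.conf` and flags any resolver outside an approved set. The function names, the sample file and the approved list (OpenDNS's public resolver addresses, which the column does not state) are assumptions made for illustration.

```python
import ipaddress

# Assumption: OpenDNS's public resolver addresses (not given in the column).
# Replace with whatever resolvers your network is supposed to use.
APPROVED = {"208.67.222.222", "208.67.220.220",
            "2620:119:35::35", "2620:119:53::53"}

def audit_resolvers(resolv_conf_text, approved=APPROVED):
    """Return (status, address) pairs, one per nameserver line.

    status: "approved", "unapproved", "local-stub" or "invalid". With no
    nameserver line the system resolver falls back to localhost.
    """
    allowed = {ipaddress.ip_address(a) for a in approved}
    findings = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        text = fields[1].split("%", 1)[0]  # drop IPv6 zone id (fe80::1%eth0)
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            findings.append(("invalid", fields[1]))
            continue
        if addr in allowed:
            findings.append(("approved", str(addr)))
        elif addr.is_loopback:
            findings.append(("local-stub", str(addr)))
        else:
            findings.append(("unapproved", str(addr)))
    return findings or [("local-stub", "127.0.0.1")]

def bypasses_filter(findings):
    """True if any query could reach a resolver outside the approved set."""
    return any(status != "approved" for status, _ in findings)

# Constructed sample: a machine where someone added a second resolver by hand.
SAMPLE = """\
nameserver 208.67.222.222
nameserver 8.8.8.8   ; added by hand
options timeout:2
"""

if __name__ == "__main__":
    for status, addr in audit_resolvers(SAMPLE):
        print(f"{status:11} {addr}")
```

A `local-stub` result means a resolver running on the machine itself forwards the queries, so its upstream setting has to be checked separately.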

Turning OpenDNS into the gatekeeper of your home or business network also means added protection, most notably from phishing. Phishing sites can look just like legitimate ones, but are built to capture personal information like username/password combinations and banking information.

Relies on big assumption

How well OpenDNS protection works, Crume says, depends on how much information the company has managed to gather on malicious sites.

“As a security defense, the most it would be able to do is block some of the drive-by download sites that try to infect your system,” Crume said. “Even that relies on a big assumption that it knows which ones are doing this, which is no small feat given the ever-changing landscape of Web sites popping up on the Internet.”

To keep up, OpenDNS uses a site it maintains called PhishTank (www.phishtank.com), a database that allows any user to submit sites they think could be scams. Votes from the PhishTank community then determine whether a site receives a phishing designation.

It’s hard to know how complete this list really is. But by comparing known phishing sites from this database to the addresses you try to access from your network, OpenDNS is able at least to protect users from a constantly evolving list contributed by the crowd.

Be aware of limitations

Crume mentioned one additional caveat for prospective users of OpenDNS: privacy. By default, Internet service providers are typically the ones responsible for using the Domain Name System to interpret Web addresses. That means every URL you type or click is processed by divisions in companies like Comcast, Time Warner Cable, Verizon or AT&T. Switching services means this Internet usage information is in the hands of OpenDNS instead.

While that might not be a bad thing, Crume said, it’s something for users to think about.

“If privacy is a big issue for you, then you need to decide whom you trust more with this information, OpenDNS or your ISP,” Crume said.

To be clear, none of this necessarily means you shouldn’t use OpenDNS (for what it’s worth, I still do). Like many services designed to protect users, it’s a solution with some limitations best suited for certain situations.

What’s important is that you’re aware of those limitations so you can decide whether it’s a good fit.

Send technology questions to stumpthegeeks@newsobserver.com. Please include your name, city and daytime phone number. Sorry, we can’t answer every question.
