My experiment with using Google Public DNS and OpenDNS is over, and I'm back to using the Optus ones. Behold an incredibly long rant on DNS.

Weasel word warning

Hey, that's some fancy alliteration if I may say so myself. And those last three words had a lot of "s" sounds in them, like Severus Snape. I gave up on Harry Potter after Goblet of Fire left me yawning so much I nearly broke my jaw. True story.

Lat……………. ency

There are two problems with using services such as OpenDNS and Google Public DNS (referred to henceforth as just Google in this post). The first is the obvious issue with latency; when you're accessing a DNS server in a distant country you'll [virtually] never get the same performance as a server running locally, especially so if it's at your ISP. Well, unless your ISP really, really, really sucks, and particularly in Australia this isn't a far-out possibility. Needless to say, APC and other magazines that sound like surge protector manufacturers have had articles discussing the issue of latency.

This isn't the focus of this post so I won't go into this aspect of it for too much longer; suffice it to say my pings were on average two significant figures shorter when using my ISP's DNS servers than Google and OpenDNS.

Okay, what’s the real issue?

The second isn't a technological problem with the services themselves, but rather the way some people talk about them. Much like many of my American comrades have to endure the frustration of hearing about body scanners taking naked pictures without much talk at all about the inherent safety risks that intense radiation presents, the only issue people seem to discuss about open DNS services is speed.

The question is: do you trust Google, OpenDNS or your ISP? Or perhaps a more pertinent question: out of Google, OpenDNS and your ISP, which do you trust the most?

What do I mean by trust? I'd answer you, but I hate rhetorical questions, mainly because I can never spell the word rhetorical.

Trust issue one: Tinfoilhatism

Particularly in the UK where services like Phorm have become infamous (notorious you could say), ISPs have realised they can milk their customers out of more money by turning DNS into another source of revenue. Ah I hear you say, do they pass those savings onto you? Tee hee, you're funny ;).

Some ISPs use DNS to hijack 404 page requests so instead of getting an error message from your browser, you get a page laden with ads, and a search engine box that gives referral money to the ISP. It's a minor annoyance for end users, and it wreaks havoc with services and software that rely on receiving a 404 to confirm a resource is unavailable. Some ISPs allow you to disable this behaviour; fortunately mine does. I wish they just didn't do it in the first place.
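At the DNS level this hijacking shows up as a resolver answering NOERROR with an A record for a name that does not exist, where an honest resolver would return NXDOMAIN (RCODE 3). Below is an added example, not code from the original post, that builds a raw query for a random non-existent name, classifies the reply from the header alone, and includes two constructed replies (one honest, one hijacking, using the 192.0.2.1 documentation address) so the classifier can be exercised offline; the resolver IP passed on the command line is the only assumption.

```python
import os
import socket
import struct

def build_query(name, txid):
    """Minimal DNS A/IN query: one question, recursion desired, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_reply(reply, txid):
    """Classify a raw reply to a query for a name that must not exist.
    Honest resolver: RCODE 3 (NXDOMAIN) and no answers.  Hijacking resolver:
    RCODE 0 with A answers pointing at its ad/search page."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:   # wrong transaction id, or not a response
        return "mismatched"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0 and an > 0:
        return "hijacked"
    return "rcode%d" % rcode

def probe_resolver(server, base="com", timeout=2.0):
    """Query `server` (UDP/53) for a random label under `base` that cannot
    exist, and classify the reply.  This one needs network access."""
    txid = int.from_bytes(os.urandom(2), "big")
    name = "nx-%s.%s" % (os.urandom(6).hex(), base)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        reply, _ = s.recvfrom(512)
    return classify_reply(reply, txid)

# Constructed replies to a query with id 0x1234, for offline checking.
QUESTION = build_query("nx-test.com", 0x1234)[12:]
# Honest: QR=1, RD=1, RA=1, RCODE=3 -> flags 0x8183, zero answers.
HONEST_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
# Hijacking: flags 0x8180 (NOERROR) plus one A record, name compressed to offset 12.
HIJACK_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    import sys
    print(probe_resolver(sys.argv[1]))   # e.g. python probe.py <resolver-ip>
```

Run it against your ISP's resolver and against whichever public resolver you are comparing; "hijacked" means the resolver synthesises answers for names that do not exist.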

The more invasive form of this, and I consider it a brazen form of man-in-the-middle attack, is when ISPs actively mine the data that you're accessing online, and use it for their own devious purposes. Advertising. Selling to intelligence agencies. Performing illegal electronic wire taps without an opt-in. Having your names resolved by a DNS server outside their control wouldn't stop this, but anything to make their lives more inconvenient and their logs more confusing is always a plus.

So we come to the question, do you trust that your ISP isn't performing this nonsense, or would you rather rely on OpenDNS or Google? Both are freemium outfits (AFAIK) but I can't help but think they'd be doing something sneaky to their free users. OpenDNS even hijacks 404 error pages by default too!

Trust issue two: Maintenance

One would think that by using DNS as a revenue source they'd hopefully invest more time and money in the DNS servers themselves, as I suspect many are running on cheap old boxes in basements gathering dust. DNS is a very unsexy, if necessary, service that ISPs provide, not at all like that cool mirrored content that some ISPs still count towards quotas (COUGH Optus COUGH) and selective on-demand video and whatnot that's easy to advertise and makes a mockery of net neutrality. But that's for another post.

Because DNS is so terribly unsexy, many ISPs that run obligatory DNS servers simply don't enforce stringent security protocols when it comes to maintenance. DNS spoofing is real and is being actively performed in the wild, and while there are technological solutions (aka: marketing speak for patches) an alarming number of said servers are still vulnerable.

When looked at from this angle, I would think a service like OpenDNS (and to a lesser extent Google) whose very existence is dependent upon delivering reliable, secure DNS resolution would be at the forefront of keeping their servers patched and bolted down. If an ISP in Australia has a botched DNS server, it affects their customers. If OpenDNS were to botch one of theirs, people around the world would be messed up, to afford ourselves the use of sophisticated networking parlance.

Good grief, that was an ordeal

Inevitably with me, despite generally erring on the side of caution with my refusal to use Chrome (Chromium and WebKit are just fine) and arming Firefox to the teeth with security and privacy extensions, I decided the risk that Optus is doing something fishy was worth it for the vastly improved performance. Besides, we'll be churning to Internode once this latest bill cycle is over, and I most certainly trust them more than Optus!