OpenDNS, should you use it?
“OpenDNS enables tens of millions of people around the world to connect to the Internet with confidence. Anywhere. Anytime.” Sounds good doesn’t it? A few other statements that sound good are “We’re changing the face of Internet security.”, “OpenDNS has built the world’s most loved and trusted DNS service” and “we’ve done it with a fixed focus on making the Internet a better, safer place. In short, we’re the good guys.” OpenDNS takes a standard DNS system and adds features like parental controls, phishing protection and more. When using OpenDNS you can browse the web more securely, often a bit faster too and it’s completely free. So what’s the catch?
I have been trying to find that out for a few months now. Reading through their privacy policy I came up with a few questions and sent these by email to OpenDNS. This was June 27th, 2013. I received an email on July 1st from a senior support manager saying the support department was not able to answer these questions but my email was forwarded to privacy@opendns.com. For more information regarding privacy related matters I was also instructed “submit my requests in writing” (as in snail-mail letter), sure like that’s going to happen.
I followed up on July 12th and was told the senior support manager reached out to the ‘exec team’ and I would receive an update as soon as he heard back. I did not hear back so I followed up again on July 21st. This time a senior technical support engineer told me the manager was out due to a family emergency and he had to reach out to the exec team as he, in technical support, was not able to answer my questions. This I already knew and at this point I had not heard from the privacy team or the exec team. Another email went out on July 31st, this time the response read “We have just completed a big code push as of last week so they have been extremely busy. I will ask again.” Great, I’ll wait some more. Today I figured I waited long enough as it has been almost two months. I sent out my last email pointing out how ridiculous this is, thanking them for their replies and saying they could close this ticket.
Reading this, you’d think the questions I asked were extremely difficult but they were not. Here are a few sections from their privacy policy (highlights by me) and some of the questions this policy raised for me:
Use and Disclosure of Personal Information
OpenDNS does not share, rent, trade or sell your Personal Information with third parties, except as described in this Policy. If you do provide us with Personal Information, we will only use it for the purposes described where it is collected or to deliver the Services you requested, and we will not sell, license, transmit or disclose this information outside of OpenDNS unless (1) you expressly authorize us to do so, (2) it is necessary to allow our trusted service providers or agents (such as address list hosting companies, advertising and analytic companies, billing service providers, email service providers, search providers, security providers, and other similar service providers) to provide products or services for us or you, (3) it is disclosed to entities that perform marketing services on our behalf or to other entities with whom we have joint marketing agreements, (4) it is necessary in connection with a sale of all or substantially all of the assets of OpenDNS or the merger of OpenDNS into another entity or any consolidation, share exchange, combination, reorganization, or like transaction in which OpenDNS is not the survivor, or (5) otherwise as we are required or permitted by law. Also, we reserve the right to fully use and disclose any information that is not Personal Information (such as statistics, most frequented domains, phishing attempts blocked by our Services).
This piece resulted in simple questions like “who are your trusted service providers and/or agents?”, “who are the entities that perform marketing services on your behalf?” and “who are the entities with whom you have joint marketing agreements?”. Not too hard, are they? There was also a piece about data security which I wanted a bit more information on:
Data Security
We restrict access to Personal Information collected about you at our Websites to our employees, our affiliates’ employees, those who are otherwise specified in this Policy, or others who need to know that information to provide the Services to you or in the course of conducting our business operations or activities. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL). While no website can guarantee security, we maintain appropriate physical, electronic, and procedural safeguards to protect your Personal Information collected via the website. We protect our databases with various physical, technical and procedural measures and we restrict access to your information by unauthorized persons. We also advise all OpenDNS employees about their responsibility to protect customer data and we provide them with appropriate guidelines for adhering to our company’s business ethics standards and confidentiality policies. Inside OpenDNS, data is stored in password-controlled servers with limited access.
Some of the questions this resulted in were “Who are your affiliates?”, “who are ‘others who need to know’ my personal information?” and “What is meant by ‘authorized persons’? Does that mean actual humans (persons) or automated processes, programs and connections from outside of OpenDNS as well?” Again, nothing earth shattering. The full privacy policy can be found here.
Nearly two months later, these simple questions have not been answered, not even one. Their privacy policy leaves a lot open to interpretation and leaves plenty of unanswered questions.
OpenDNS works, I’ve seen it work and if they can just answer a few simple questions I’d be happy to recommend their services to my readers. Unfortunately right now this is not something I am willing to do and I urge those that do use or plan to use OpenDNS to read the policy and terms carefully. To me there is only one reason questions like these go unanswered and that’s because the answers are not pretty.
great job man. thanks
any DNS suggestion?
I don’t have any though I am still looking. As soon as I find one or some worth while I will create another post. I think currently a few VPN providers (paid) offer their own DNS so your traffic would be protected and your DNS as well.
As long as you don’t sign up, and type in your IP and use the OpenDNS updater, you should be okay. I’m not sure if they have any under-the-hood tracking program that tracks your IP, regardless if you have associated it with your account. As long as you don’t associate your IP with anything, I think you’re fine.
I wrote this article on their forum 5 years ago;
forums.opendns.com/comments.php?DiscussionID=3215
When I did my NSlookup, I was using myspace at the time, and I performed the lookup using muspace.com, not myspace.com.home.. That was added by the resolver.
My simple answer is, if you don’t mind your internet usage to be able to be monitored by the OpenDNS group, then you are fine to use them. In my personal opinion, my existing DNS works just fine, and I do not want to feed my usernames and passwords for social networks and banks through some 3rd party group, so I personal do not trust OpenDNS and will not use them for any reason.
I have already proven that they are not only providing DNS results, which is fine because thhats what they say they do, but they are now piping your usage through them which leaves the realm of DNS and gives them as much power of monitoring my usage without being bound by the same laws.
My Tip for those who are still not sure, learn the ‘NSLookup’ command and use the debug switch.
someone doesn’t understand DNS…By using OpenDNS you are not feeding “usernames and passwords for social networks and banks through some 3rd party group”, those still get sent through your “trusted” ISP. All OpenDNS does is tell you http://www.facebook.com is 31.13.66.144. The benefit to the service is that they are constantly updating their DNS filters to block domain names and websites that host malware, C2C servers or other bad things, so if you try to go to http://www.baddomain.com OpenDNS will not provide the IP address of that site if they have identified it as malicious, and thus you will not be able to connect to it unless you somehow get the corresponding IP address. Of course, if you have an OpenDNS account you can override those settings and get more control over the content you want and don’t want to be able to access using DNS.
Here’s a big problem: My company uses opendns and when I start a vpn session on my personal PC at home, it starts blocking sites on my personal PC.
I consider this a breach of my privacy.
When you are on your company VPN, you are essentially on their network, not yours, so of course it blocks stuff.