With the DNS Changer malware set to potentially shut off Internet access to hundreds of thousands of Internet users on Tuesday July 9th, DNS once again is a hot topic. While DNS can be hosted locally or delivered via an ISP, it can also be provided by a third party service like OpenDNS.
While DNS has been identified as a risk with DNS Changer, control via OpenDNS can actually provide security protection beyond just validated DNS access.
OpenDNS CEO and Founder David Ulevitch explained to Enterprise Networking Planet that his company's DNS infrastructure provides a distributed security network. In addition to providing DNS lookup services, the commercial OpenDNS service can also be used to protect users from objectionable content as well as some malware risks.
Until this week, the OpenDNS service however did not fully integrate with onsite enterprise identity and access, especially Microsoft's ActiveDirectory. That is now changing with the OpenDNS Enterprise Insights solution.
"We have seen good success over the last few years, but what has been limiting is that we don't integrate with ActiveDirectory," Ulevitch said. "Enterprise Insights now bridges the gap, so we can attach identity and provide more granular depth of reporting."
The way the system works is it's a virtual machine image that is deployable on VMware. The virtual image provides a proxy for DNS services. OpenDNS' DNS service is not based on the open source BIND DNS server which is widely deployed. Instead the original implementation is based on the djbdns DNS server, though Ulevitch stressed that his company has added significantly expanded on the base, such that the system delivers more performance.
The threat intelligence that OpenDNS provides comes from a number of sources. The company has relationships with third party research groups and it has its own security research team as well. That in-house team is now led by the former CTO of Websense who joined OpenDNS in March.
The current DNS Changer malware scare is likely to also be a driver for the OpenDNS business as consumers and business alike look for alternatives for DNS infrastructure. Ulevitch noted that it's high time that people unbundle their DNS from their own ISPs. In the early days of the Internet, many users simply used their ISPs email service. Over the years, with the advent of Hotmail, Gmail and other online services, email became unbundled. It's a process that Ulevitch hopes to see with DNS now too.
While OpenDNS offers users the promise of reduced infrastructure costs, OpenDNS itself is growing its own infrastructure. Currently OpenDNS runs its own equipment across 14 data centers, 9 of which are in the U.S. The company is in the process of rapid expansion and could have as many as 20 data center locations by the end of the year.
At the core of that infrastructure is Juniper MX-series routers, which are replacing some Cisco gear.
"We found that Juniper hardware was more conducive to sending massive amount of packet per second," Ulevitch said. "We're running one of the world's largest DNS services so we're obviously a DDoS target for folks, so we have a tremendous amount of network capacity at all times."