OpenDNS provides an extremely easy to use web filtering service for free. To make use of their service as an individual or as an organization, you simply need to set up an account and set your DNS forwarders to query OpenDNS.com servers rather than your ISP or the DNS root servers. After a few moments of configuration in the OpenDNS.com control panel choosing which types of traffic to permit or block you’re in business.
As easy as this service is to use, there are still some questions that auditors will want answers to. For instance, the first thing to check is whether or not outbound name resolution requests over UDP port 53 are restricted to only allow queries to the OpenDNS servers. If not then a user can choose to bypass the filtering simply by configuring their network stack to use an alternate DNS server on the Internet. The reason that this works is that OpenDNS functions by implementing a DNS blacklist.
Another question to ask is whether or not offices outside of the continental US or outside of the UK will be using the service. Currently, OpenDNS only has servers located in the US and UK. This doesn’t affect the ability to block, but it definitely affects the effectiveness of DNS Global Load Balancing. For instance, if you are in Japan trying to use OpenDNS, you may find yourself directed to a US based Akamai server rather than a Singapore based server since it appears to the Akamai load balancer that you are originating in the US!
OpenDNS does do some checking for well known load balanced sites (Google, for instance), but if your destination isn’t “well known”, OpenDNS could cripple your Internet network performance in some cases. If this is an issue for you, feel free to get in touch with us for a free Perl script that can act as a DNS proxy for your site, quickly and easily solving this issue.