OpenDNS & DNSCrypt – Cool new security for the web

29 Jan

I’ve got to hand it to the folks at OpenDNS… they are really, really, smart cookies.

I think Clayton Christensen would be proud. They took a pretty mundane job that needs to be done, reliable domain name services (DNS), and have created the number one DNS service on the internet.  They are so big, it is difficult to see a competitor trying to come after them.  In fact, one has to wonder why Google didn’t think of this… and why they aren’t competing.

DNS is the internet service your computer uses to find servers on the web.  When you type in “” into your browser, the network software in your computer sends it to a DNS server which returns a numeric IP address.  Think of DNS like a phone book: you search for a name and end up with a phone number.

All internet service providers (ISPs) provide DNS services.  Unfortunately, while DNS is very important to the proper operation of their network, they really don’t spend a lot of time optimizing it.  What does that mean to you?  Slow lookups… which means it takes longer to get to the website you want to view.

OpenDNS solved that by creating a really, really, REALLY fast and reliable DNS.  It is likely that if you change your computer to use OpenDNS, you will have a faster browsing experience.

Best of all, OpenDNS is free.

But the folks at OpenDNS didn’t stop there.  They added things like parental controls and usage monitoring. A DNS server is the perfect place to do this, instead of on each computer, because it is centralized in “the cloud.”

What is OpenDNS’s economic incentive to do this?  Just like Google sells information about the click throughs that occur when people search on Google, OpenDNS sells information about who is looking up which websites when.

Additionally, OpenDNS sells premium DNS services to large organizations like BP and Eastern Mountain Sports.

Now OpenDNS has created DNSCrypt.  What’s that and how does it make them money?

Well, when your computer talks to a regular DNS, it does so in a very trusting manner.  DNS was designed for an internet where the network was completely trusted: when a computer wished to be directed to a computer at a specific numeric IP address, it was assumed the network would reliably and truthfully direct you to that computer.

Unfortunately, when your computer is in the wild, such as on a WiFi hotspot, your computer may not be on a trustworthy network.  The network can actually intercept requests going to a DNS server and provide nefarious responses.

For example, let’s say your computer is asking to go to and you are using your computer on a bad guy’s WiFi hotspot (or a good hotspot that has been hacked).  The evil network can imitate the DNS your computer was trying to use and direct it to a bad guy’s website that looks like your bank’s website.  Then all the bad guy’s website needs to do is simulate the login page of your bank.  You’ll enter your userid and password, they’ll save it, and then pass you to the bank’s website.  It might appear as if you’ve typed the wrong password, so once you are at the legitimate bank’s website, you’ll be prompted again, and this time you’ll log in to your bank’s website. You won’t even know your userid and password have been compromised.

(You might ask about the lock icon in the status line of your browser and why that can’t be trusted.  Most people don’t even pay attention to the lock icon anymore, and that can be hacked, too, for lots of other reasons we won’t go into here.)

The bottom line is the bad guys can trick your computer into tricking you to give up your userid and password. This is called a man-in-the-middle attack.

What DNSCrypt does is this: it causes your computer to only use a DNS server if that server can speak a secret language.  In more technical terms, it encrypts all the requests flowing from your computer to a DNS server.  Since this is encrypted, the bad guys can’t get in the middle and pretend to be a DNS.
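The difference between a plain lookup and an authenticated one, shown as an added example that is not from the original post or from OpenDNS. It assumes an HMAC with a pre-shared key as a simplified stand-in for DNSCrypt's public-key authenticated encryption (which also hides the query); the hostname, addresses and key are constructed.

```python
import hashlib, hmac, os, struct

def build_query(name, txid):
    """Encode a minimal DNS A-record query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(query, ip):
    """Answer with one A record. Anyone on the path who sees the query can do this."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + query[12:] + answer

def plain_accepts(query, response):
    """All a classic stub resolver checks: same ID, response bit set, same question."""
    question = query[12:]
    return (response[:2] == query[:2] and (response[2] & 0x80) != 0
            and response[12:12 + len(question)] == question)

def seal(key, nonce, response):
    """Stand-in envelope: nonce + HMAC-SHA256 tag + response (assumed, not DNSCrypt's format)."""
    return nonce + hmac.new(key, nonce + response, hashlib.sha256).digest() + response

def authenticated_accepts(key, nonce, packet):
    """Accept only a packet bound to our query's nonce and tagged under the shared key."""
    got_nonce, tag, response = packet[:12], packet[12:44], packet[44:]
    expected = hmac.new(key, got_nonce + response, hashlib.sha256).digest()
    return got_nonce == nonce and hmac.compare_digest(tag, expected)

def demo():
    key, nonce = os.urandom(32), os.urandom(12)   # constructed secret and per-query nonce
    query = build_query("bank.example", 0x1A2B)   # constructed hostname
    genuine = build_response(query, "192.0.2.10")    # documentation address ranges
    forged = build_response(query, "203.0.113.66")   # what the hostile hotspot returns
    wrong_key = os.urandom(32)                       # the hotspot does not know `key`
    return {
        "plain_genuine": plain_accepts(query, genuine),
        "plain_forged": plain_accepts(query, forged),
        "auth_genuine": authenticated_accepts(key, nonce, seal(key, nonce, genuine)),
        "auth_forged": authenticated_accepts(key, nonce, seal(wrong_key, nonce, forged)),
    }

if __name__ == "__main__":
    print(demo())
```

The plain resolver cannot tell the two answers apart because every field it checks is visible in the query; the authenticated check rejects the forged answer because the network never held the key.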

What, then, is the business opportunity for OpenDNS in providing DNSCrypt?  By providing DNSCrypt, more people will use OpenDNS, resulting in more websites being looked up by OpenDNS, and resulting in more information for OpenDNS to sell.  In fact, one could see a day when virtually everyone who has a mobile device uses DNSCrypt and by extension OpenDNS.

Honestly, you’ve got to love these folks… this is a brilliant way to make money, much in the same brilliant way that Google makes their money.  Given what OpenDNS has accomplished already, I see them being right up there with the significant web businesses in the future. Further, I’m convinced they’ve got a bunch of other cool money-making ideas up their sleeves.

OpenDNS – a company to watch.


One response to “OpenDNS & DNSCrypt – Cool new security for the web”

  1. Douglas Quine

    January 29, 2012 at 6:41 pm

    I suspect that OpenDNS makes most of their money with paid advertising when you have a typo in the URL and get their error page.

    It is interesting to read your blog. I must admit that since I first started encountering OpenDNS pages for invalid URLs, I had been regarding them as advertising spam like the sites that try to sell unused domain names.

