The attempt to put a positive spin on the ad-version is kind of absurd.
Translation: "We tried to serve ads in a way that broke basic functionality for many people. But we didn't make that much money, so we are going to stop being malicious actors, and we're going to start following the protocols we're supposed to follow."
Except that isn't accurate. I get that's how you see it, but that's just not true.
It's ridiculous to say we broke things for many people. Our growth numbers tell a different story. Doesn't mean DNS nerds didn't like creating an account to re-enable standard nxdomain behavior, but it didn't cause issues for most people.
We made real money from ads, enough to be profitable with a decent-sized (20+) team. But we never saw a way to go from 5m to 50m or 500m with ads though. And we never loved the ads. I just never thought it aligned our interests with our customers in the right way. I get that Google has figured it out, and Facebook and Twitter sort of have, but we couldn't, and didn't want to.
Plus, at the time, you have to recall the browser landscape was wildly different. In fact, it's very possible that we may have created the eventuality of today by doing what we did. Chrome didn't even exist when we started. There was no omnibus. I demo'ed our service to Sundar Pichai back in 2007.
Turns out jblow's right. I banished OpenDNS because it was breaking basic DNS functionality to serve its ads (and is terrible privacy wise), this is the exact bad behaviour from ISP openDNS was supposed to help with.
But don't take my word for it and read this 2009 post from Stephane Bortzmeyer working at AFNIC in R&D in DNS security[1].
As jblow said the whole "no more ads" post reads as PR spin, same goes for your reply to him:
- growth numbers don't tell any story apart maybe from «many people read the "Open" part of the OpenDNS name and turn their brains off» [2].
- DNS nerds run their own DNS and keep away from openDNS for breaking DNS and invading privacy.
- not causing issues for most people doesn't disprove that it did cause issue for many people.
I do remember the browser landscape before openDNS and I'm quite happy to debunk your boasting attempt at being significant. The "search from the address bar" functionality has been around long before google chrome came to existence, actually it was in opera before openDNS existed and even better it allows to choose the search engine and use several with the use of a keyword. This was then added to firefox back in firefox 3. Again don't take my word for it and look a this 2008 post[3].
You hijacked NXDOMAIN breaking many applications in my personal experience. Over the past 4 years I have cautioned hundreds of people not to use this service because of that. It is not an issue that affects "DNS nerds", it affects everyone.
Give me a break they offered a service for free. Sure if they were an ISP I'd agree with you because your paying for the service but otherwise just don't use it?
It's bait and switch though. They claimed they offered a DNS service, but by deliberately breaking the spec, they offered something that wasn't a DNS service. It was something, but not DNS. I don't care how much it cost, it's dishonest.
Sure. I offer a service for free. I will back up all your email! Just forward it all to me and I will make sure you can get it back!
Does that sound like a harmless service? OpenDNS knowingly and deliberately broke the Internet for its customers. I have actually spent time debugging issues it caused just to find that the client was using their resolvers. They were not a free service, they were actively harmful. I am glad the profits are no longer there for them to keep up this malicious practice.
As davidu mentioned, you can make a free account on the site and restore normal NXDOMAIN behavior. Non-broken DNS was opt-in, but it was still a free service.
> It's ridiculous to say we broke things for many people.
Two weeks ago, I had to swap my company's network over to OpenDNS because Google DNS was having an outage. And then a day later, I spent 2 hours trying to chase down a problem running something that turned out was a result of OpenDNS feeding a page full of ads to something that was expecting JSON.
You might not have broken things for all the people that continued to use your service, but you broke things for people like me. And this is a place where people like me hang out....
The application broke because it couldn't handle unexpected input, I think you stated the problem and it was the application. OpenDNS has been clear about returning an HTML page of adverts. I appreciate the category level filter and the ability to block known harmful sites from my family's casual browsing. When my wife or kids want to browse to gun, gambling, typo-squatting or hate sites they'll need to learn how to resolve IP addresses (and I'll be proud of them). I also hope they'll learn to code and safely handle unexpected input.
[Edit: you didn't say your application unsafely handled the input, just making the point and not meaning to sound too snarky]
OpenDNS worked the way it was supposed to. It wasn't the right DNS solution for this situation.
I also don't think OpenDNS is a tool of censorship, as it is so easily circumvented. I hope my children learn how to circumvent tools of censorship and this can be their first practice... Until then it reduces the risk of accidentally going to phishing websites.
I'm only pointing out that in this spesific case it had nothing to do with the robustness of the application.
More specifically: A better application might have warned you about the failing part so that you won't have to go looking for it. Fixing the problem would still include either replacing OpenDNS or working around it.
The relevant question isn't whether it is "breaking things" in the abstract, but whether it is breaking things in a way meaningfully detrimental to end users. Or, if you really want to stretch it, perhaps also include externalities imposed on the "internet as a whole."
In the era before the omnibox, I personally can't see much in the way of "breaking things" on account of OpenDNS. Doesn't mean you and others can't disagree with that, but it's not as cut and dried as your statement seems to imply.
Agreed, I've run into this behaviour several times and it is confusing and annoying, especially while programming. A DNS response for a non-existent domain shouldn't be "this page full of adverts", it should be "this domain doesn't exist".
You are no different from ISPs hijacking all the unresolved names, breaking default web functionalities. I wonder how naive can your remaining users be, to still use your ad-bloated service...
My ISP was no better. And giving my DNS requests over to Google seems retarded, considering they're an ad company first and foremost. I'd run my own DNS server but afaik I'd still need to find a dns provider like google/opendns since DNS is heirarchical, I can't hold the entire internet's worth of DNS entries on my server. If someone could offer up some free DNS providers that I can use I'll point my dns requests to those, thanks.
Looks like Google's 8.8.8.8/8.8.4.4 stole them quite a bunch of traffic, simply due to it being (often) faster and ad-free. It was e.g. impossible to use OpenDNS on a server doing mail stuff because OpenDNS would resolve everything and their dead mother instead of returning NXDOMAIN.
Well, now I think I'll switch over to OpenDNS as soon as they prove to deliver un-manipulated DNS service. One way less for Google to track me.
edit: does anyone know if Cloudflare is also in the DNS business, from the resolver side? I know they and Amazon (Route53) do DNS server hosting, but does Cloudflare also provide public resolvers?
Google says that they don't use Google DNS for tracking.
From the Google DNS privacy page: "We built Google Public DNS to make the web faster and to retain as little information about usage as we could, while still being able to detect and fix problems. Google Public DNS does not permanently store personally identifiable information."
They go on in some detail to say how and what they log.
But you can bet that at least the NSA and 3-letter-agencies around the world do monitor anything going to or coming from these two IPs. It's just a too convenient target.
More distributed resolvers (like with Cloudflare/Amazon datacenters directly linked to ISPs) would make this type of spying orders of magnitude harder (they must actively infiltrate the ISPs network instead of just tapping the DECIX/exchange switches, which e.g. German BND is ALLOWED to do!).
Shit, I'd pay for Cloudflare or any other service to build robust, interception-secured DNS servers. Or my provider, but providers have a shameful track record of building fast and reliable DNS servers.
We support DNSCrypt which will encrypt your DNS traffic between you and us. That's the last mile, at least. We support DNSCurve for the other hops, but almost nobody else does.
That's probably enough for most uses, as the unencrypted queries entering the cache are mixed with millions of other people's.
Myself, I'm still wary of providing data to any third party. Maybe it isn't the case any more, but at least recently, OpenDNS stored identifiable logs forever and potentially resold that data.
DNSCrypt meets this need and is based on the same crypto from DJB. If you're running a full-blown resolver, I'm not sure if DNSCurve works if you forward to us... I'd have to find out.
> More distributed resolvers (like with Cloudflare/Amazon datacenters directly linked to ISPs)
Cloudflare has 24 datacenters[0]. Google Public DNS is deployed in 45 peering points over at least 16 metros[1]. I would be very surprised if Cloudflare/Amazon were more distributed than Google in this regard.
Google is by far the largest public one, next to OpenDNS. The rest are provider DNS servers, which can't be tracked that easily (NSLs and other "pseudolegal" stuff aside).
It is a shame that the Internet has descended from a place where everyone could implicitly trust everyone into a hellhole of spammers, hackers, spooks and other retards. One cannot even trust that private two-way communication STAYS private because our own fucking governments have done everything to erode that trust.
It is bad times that one can trust Google to keep your data half-way safe, but your government not. It should be just the other way around!
It's not "our own" government, for any "our own" that purports to include me. It is a junta with enough guns to have their way with people across a continent. Pretending otherwise may sound "non extremist" and "responsible", but it's still ridiculously naive and bound to lead to nothing but disappointment. In ever increasing doses.
Practically, a good start is to recognize that not all valuable communication mechanisms benefit all that much from minimizing latency of packet delivery. IOW, not all, in fact not even most, means of communication really need the kind of "apparently real time" performance that telephony requires.
Moving services that don't, to a protocol where the focus is on making mixing and anonymizing simple, reliable and robust; rather than simply max throughput and min latency, would make end user security and anonymity guarantees much easier to make. And, for many types of channels, this can be done without much at all in the way of negative side effects, given how fast the underlying switching infrastructure has gotten.
Current protocols were necessary for any kind of usability when hardware was slow and expensive. And good enough privacy and security vise, when even the NSA didn't really have the means to do much wide net spying at the network level. But neither of those realities of the original internet is true anymore. Instead, sorry for the pompousness, the new environment is so different as to require, or at least recommend, something almost akin to a "new internet." Built with the "new" threats to communication in mind.
I'm not working anywhere, at a startup nor anywhere else, that could conceivably "profit" from any of the above ramble. If what I'm saying makes no sense, it's because I'm a moron (or at least misinformed), not because I'm a scumbag.
> It's not "our own" government, for any "our own" that purports to include me. It is a junta with enough guns to have their way with people across a continent.
Virtually all governments spy on their and other countries' citizens these days, not just the US. We Germans spy, the Brits and the rest of Five Eyes spy, the Russians spy, the Chinese spy, the Iranians spy and I bet that even North Korea has quite some good hackers.
And for the rest of your comments: indeed, a "new internet" would be required. But as you can see on the adoption rate of IPv6, we're stuck with this mess unless quantum computing forces us to switch.
IPv6 doesn't fundamentally offer end users anything far beyond the current standards.
I'm imagining a protocol for less tightly coupled endpoints could be written to, while the "switches" merely translate traffic to route it on current infrastructure. A more application agnostic version of mixmaster or TOR, so to speak. The important part, is really to get enough of a variety of end user apps written to it, to prevent anyone from knowing much about the traffic simply due to the protocol spoken. Then, over time, to optimize away more and more crud, until we've got dedicated hardware. It may still be a bit utopian, but the current mess isn't really serving people all that well anymore, either.
Which is a pretty good indication that all meaningful solutions to the spying problems, need to work at a level more fundamental than government. Routing around them, or rendering them impotent, by design, if you wish.
There's no one I know in between, except of course the DNS servers set up by providers like AT&T, Comcast etc., which are locked to their customers only.
I'm also concerned with google's tracking and would be happy to use an alternative to 8.8.8.8 but openDNS is not exactly shining on the privacy side as pointed out in 2009:
« They also keep permanent logs of all queries, which could be subpoenaed by a government entity. Their joke of a privacy policy allows them to sell your logs to "Affiliated Businesses", which pretty much means anybody. Not that it really matters - they could amend their privacy policy tomorrow morning and be selling your info by the afternoon.»
http://beta.slashdot.org/comments.pl?sid=1297613&cid=2864072...
As much as I'd like to diversify the entities tracking me, I don't think I'll ever return to openDNS which is not to be trusted in my book, reading the spin that the "no more ads " is just comforts me with this idea.
I've been using this for about 6 months in various parts of the globe and have been very happy. If there is a donate button on their site (my Deutsch language is lacking) I would like to know.
Given it costs at least $25 to send, and more fees to receive, a bank wire transfer it seems strange to only offer this method. Perhaps it is easier if you have a European bank.
> Text ads and banners alike, they’re all vectors for the spread of malware.
That's an excellent argument pro-ad blockers. Typically ad-blocker users are berated because they're 'stealing from the publishers' or something to that effect, but it makes good sense from a security point of view too. And it rationalizes so much better than 'the web is faster this way' (assuming that's even the case).
I guess it's good for security... but if your computer can be hijacked by loading a website, you're going to have a bad day even if you're blocking ads. For example, I would bet hacked websites are a much more common malware vector than ads.
With the proliferation of real-time auction and backfill ad networks, the ability for a bad user to inject javascript or malicious Flash ads into the ad creative space carried on major sites has grown dramatically over the last few years.
It's hard to even tell who is serving up your ads sometimes without pulling out wireshark or some kind of HTTP proxy to look at the request chain.
Again, though, if an ad blocker is the only thing standing between you and a zero-day, you need to immediately stop what you're doing and patch your browser.
It's true there are bad actors taking advantage of ad networks. There are bad actors hacking Wordpress installs too.
I don't think you know what a zero-day is or if you do I would be interested to know what is standing between you and one. By definition there is no patch for a zero-day.
Perhaps there are other ways to meaningfully compromise site security? It's not just a zero day that breaks out of the web browser sandbox and installs a rootkit, it's the hostile javascript running in the context of the page that might not be properly scoped and ends up stealing information straight out of the DOM (or stores or whatever.)
Yes, but that does not mean it does not happen and when a very large website gets used to deliver malware through advertising it can be very effective. Such as this top10 dutch website:
I would bet that malicious websites advertised in google ads are more common because they require less efforts and because I had to deal several times the aftermath of people clicking the first link in a google search for the flash plugin which turned out to be a google ad for a malicious website serving malware infected flash installer.
iirc flash ads with malicious payloads were the vector used to infiltrate the networks of NYC and other newspapers by Syrian Electronic Army, Anonymous and other public scale hacks.
It's also a good argument for certain security-focused DNS providers to block domains that are used to serve ads, at least on an opt-in basis if not by default for settings like public wifi.
We removed that page when we updated our website. Google is surprisingly slow in this case to update their results. No idea. Nothing we're doing on our end I don't think.
Its nice to say "we stopped doing it because we love our users" but I always feel like there is something more behind the scenes that makes these things happen.
Did chrome or Firefox recently change the way they handle nonexistent DNS answers so that opendns '404 pages' would no longer work? If the writing was on the wall it might make sense for opendns to get ahead of it, since there wouldn't be much they could do to combat browser level changes.
Or:
Did google/yahoo not renew their search feed agreement with them to be the search provider and/or significantly change the rates?
I know google has been coming down very hard on toolbar makers so perhaps this is googles way of getting out of that biz (And forcing opendns's hand)
We said browser changes over the years ate into that revenue stream. In other words, as our traffic volume quadrupled, we were essentially making similar amounts of money, rowing four times as hard for each dollar.
Part of it was the browsers, and part of it was us not wanting to do lame techniques like pop-ups, flash ads, and other obnoxious things.
It was an arms race we weren't interested in participating in, and one we ultimately expected to lose. Who wants to fight a battle for a cause they don't even believe in?
I could think of so many things I'd rather focus our engineering talents on than maximizing how many nickels we could shake out of each user. So we decide to do make the change and focus on creating things of value instead.
He apparently didn't read your post. I don't understand why the hate. Your post was very clear on why you did what you did.
PS: I would suggest you get additional DNS addresses that are easier. I mean, google's are so conveniently easy: 8.8.8.8 and 8.8.4.4. I can readily add them without giving them much thought after any installation.
Or maybe the truth is just as they explained it? That people don't like ads, that this fact is the most-cited reason people don't use OpenDNS, that they have an even better revenue model now (security analysis), and that by dropping their old way of doing things they will be able to attract vastly more people to use their service which will make their "security big data" even bigger and thus more useful/profitable?
Sometimes a cigar is just a cigar...
(By the way I think this change is awesome. Now if I could only get my cell phone provider -Tmobile cough- to stop hijacking my nonexistent-domain dns queries)
You should see my other response in this thread. Maximizing ad revenue put us in an arms race for a cause we don't even believe in. So why continue it? Our time is far better spent elsewhere.
Agreed. I can't imagine that the average person types in a bad domain name very frequently (compared to, lets say, the number of times they view a Facebook page each day). So you can't really sell a lot of ads this way. Also, if someone makes a mistake with a URL, they're not going to stick around very long to read an ad, since they're already impatient to be somewhere else.
We hope users will consider our enterprise security services, naturally. As more than 10,000 businesses already have. That business far eclipses the money we were making from ad revenue and has the nice side effect of directly aligning user-experience with the people paying us the dollars.
> Its nice to say "we stopped doing it because we love our users" but I always feel like there is something more behind the scenes that makes these things happen.
The decision very well was probably made because they love their users. You just have to think about why they love their users (even free ones). The vast size of their userbase is what enables them to sell security services. Without a significant userbase overall, the ability to detect anomolies and security threats diminishes which in turn devalues their security offerings. By making the experience better for their free users, they retain users better and potentially grow their userbase, which improves the capabilities of their paid security services.
So I guess an analogy for this move would be like if Google announced Gmail was going ad-free for freeloaders because their Google Apps platform was now their sole money-spinner. Though, I imagine, vastly different cost structure and conversion rates.
I find it hard to be too cynical when OpenDNS were one of the few companies to give DNSCurve a whirl.
We used OpenDNS until we sent out an email that linked to SurveyMonkey - the URL was wrong, it said surveymonkye.com
The problem was our QA never caught it, since OpenDNS 'fixed' the request during testing. 24,000 emails later, we were instantly alerted to the bad link.
They clicked the links. But OpenDNS 'fixes' the request from the browser, sending you to the right URL even if you enter the wrong one. That's why QA didn't catch it.
Oh weird. It searches for the most relevant thing and flows through? I thought their nxdomain stuff was just to serve ads, not provide redirects to existing sites.
I've always hated ads. Because most of the time products use it without embracing it and integrating it fully.
Anywhoo, I'm happy to see OpenDNS getting out of this revenue model, I hope it's gonna work so other might be inspired! Who knows.
Very nice, I might give OpenDNs another try as my backup DNS server now. I hate NXDOMAIN hijacking with a passion.
>This experience is one of the only reasons people cite to not use OpenDNS.
Yep, because people care about their privacy. I'm surprised OpenDNS didn't notice this before. I will probably start recommending them again now; after all, almost anyone is better to trust with something like DNS than google.
They obviously noticed and knew but did not care, as stated in the post OpenDNS is a revenue oriented company as such they're going after the money which for a service nobody's going to pay money for means going the "make them pay with their privacy " way a.k.a. ads.
I wonder if they're planning on implementing DNSSEC, given that this change is a prerequisite for full DNSSEC support. They would also have to be willing to use a less user-friendly method of blocking phishing domains (like return an unsigned NXDOMAIN that doesn't validate).
For those of you who prefer to use a different DNS server from of the one provided by your ISP, thanks to the work of Chris Hill you can make good use of this resolv.conf:
This is only partially related, but ad quality is just so bad, that it's becoming nearly a moral issue (as essentially is here) making ads the business model.
I wonder if there isn't a business case for highly QA'd ads? Or is there too little visibility into that for the average consumer to appreciate the value?
OpenDNS is used in a lot of places like coffee shop wifi where your users aren't the same as the savvier people who set up the internet. At least that's the only place I encounter (and then curse) their "guide".
Translation: "We tried to serve ads in a way that broke basic functionality for many people. But we didn't make that much money, so we are going to stop being malicious actors, and we're going to start following the protocols we're supposed to follow."