2

I like OpenDNS, but was wondering if anyone has experience deploying it for a location with an Exchange installation. I'm concerned specifically about whether any filtering they do would cause problems with reverse DNS lookup that might interfere with the server or the anti-spam (GFI in our case) installation. Thanks for any insights.

EDIT: Just to follow up for anyone who comes across this question, I went ahead and swapped out our ISP's DNS IPs for OpenDNS's in our LAN's DNS forwarders -- took all of a minute and a half -- and it worked fine. We eventually swapped just our mail and spam servers to point to Google DNS rather than OpenDNS only because I was tired of seeing all the mail queries in our OpenDNS reports, and it has worked great this way as well.

We also eventually swapped out our Exchange/GFI setup for Zimbra and an Exim-based mail filter/gateway (MailCleaner, excellent BTW!), and have successfully kept the same arrangement with Google DNS on these servers and everything else forwarding to OpenDNS.

nedm
  • 5,610
  • 5
  • 30
  • 52

4 Answers

3

We use OpenDNS on a corporate network with 2 Exchange servers, and 4 Postfix mail servers without problems in the following manner:

  • We have our own internal DNS servers that forward to OpenDNS (no root servers) for outgoing DNS resolution
  • Our External DNS addresses are hosted by a 3rd party DNS provider entirely outside our system.
  • Our Reverse DNS is handled by our ISP

No problems with mail or reverse DNS.

Brent
  • 22,219
  • 19
  • 68
  • 102
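The reverse DNS the question worries about is what an anti-spam gateway checks when a remote server connects: it looks up the PTR record for the connecting IP and then confirms that the name it gets resolves back to that IP (forward-confirmed reverse DNS). The following is an added example, not code from the question or any answer, written against a constructed set of PTR and A records (RFC 5737 documentation addresses, made up for this illustration) so it runs offline; the `system_ptr` and `system_a` helpers show how the same check would be pointed at the real resolver your LAN forwards to.

```python
# Added example (not from the original post or answers): the forward-confirmed
# reverse DNS (FCrDNS) test a mail filter runs on a connecting server, with a
# constructed resolver so it runs offline.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# CONSTRUCTED sample data using RFC 5737 documentation ranges.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.25": "mail.example.net",   # PTR and A agree: what the filter wants to see
    "192.0.2.26": "mail.example.net",   # PTR exists but the name does not point back here
    # 192.0.2.27 deliberately has no PTR at all (reverse zone not set up by the ISP)
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.25"],
}


def constructed_ptr(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR lookup."""
    return PTR_RECORDS.get(ip)


def constructed_a(host: str) -> List[str]:
    """Offline stand-in for an A lookup."""
    return A_RECORDS.get(host, [])


def system_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup through the OS resolver (whatever your LAN DNS forwards to)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(host: str) -> List[str]:
    """Real IPv4 A lookup through the OS resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def reverse_name(ip: str) -> str:
    """The in-addr.arpa name the filter actually queries for a PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip: str,
           ptr_lookup: Callable[[str], Optional[str]] = constructed_ptr,
           a_lookup: Callable[[str], List[str]] = constructed_a) -> str:
    """Return 'pass', 'no-ptr' or 'mismatch' for a connecting server's address."""
    ipaddress.ip_address(ip)          # reject garbage before it reaches a resolver
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr"               # many filters score or reject this outright
    if ip in a_lookup(name):
        return "pass"                 # name -> address round-trips: FCrDNS satisfied
    return "mismatch"                 # PTR names a host that does not claim this IP


if __name__ == "__main__":
    for addr in ("192.0.2.25", "192.0.2.26", "192.0.2.27"):
        print(addr, reverse_name(addr), fcrdns(addr))
```

To test your own outbound mail server from inside the LAN, call `fcrdns(your_ip, system_ptr, system_a)`; because it goes through the OS resolver, the answer reflects exactly what your forwarders (OpenDNS, Google DNS or the ISP) return, which is the case Brent's setup relies on when the ISP publishes the reverse zone.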
2

I agree, OpenDNS is great.

Personally I would only use OpenDNS for end users. Use your ISP's DNS services for the servers; other than the speed boost OpenDNS gives you, I can't see what advantage it would be to use it on a server, and it is only going to add one extra thing to debug when trying to resolve a problem.

That said I think OpenDNS have thought it through quite well, if you lookup 'google.com' you get 209.85.171.100, 74.125.67.100 and 74.125.45.100 all Google IP addresses. Whereas if you lookup 'www.google.com' you get 208.69.34.231 and 208.69.34.230 both OpenDNS IP addresses.

Richard Slater
  • 3,228
  • 2
  • 28
  • 42
2

There should be no problem setting OpenDNS as the DNS provider for your network. I happen to like it. I use it at home, and we will likely be switching to it at work when we switch ISPs later this month.

EDIT: OpenDNS filters outgoing mail requests using the same filter settings as web requests. So, you will have trouble sending mail to a domain that you are blocking. There are two choices if you have this problem .. use a different DNS for the mail server, or edit your whitelist for the mail sub-domains.

DNS can be very complicated, but the basics are straight-forward. There are two separate (although related) things to worry about with respect to DNS. Many companies frequently use the same DNS provider (or servers) for both of them; that is not necessary.

First is the DNS provider which will respond to requests on the internet for information about your domain. This is the server(s) specified on the domain registration information. If this is not done by your ISP, you may need to work with the provider to ensure that reverse DNS works properly.

Second is the DNS provider which will resolve requests from your network for other domains. Typically this is provided by the ISP connecting a network to the internet. This is what OpenDNS provides. The outside world does not know (or care) how your network resolves DNS requests for other domains.

I hope this makes sense .. if it doesn't please comment and I will update.

tomjedrz
  • 5,964
  • 1
  • 15
  • 26
  • Thanks, we're interested in the second case here. We'll continue to have our ISP publish our MX and A records. I'm just thinking about pointing our LAN DNS server to OpenDNS rather than our ISP-provided upstream DNS servers. Good to consider about the mail filter being the same as for the web filter. – nedm May 13 '09 at 06:10
  • This is an issue if you are planning on aggressively filtering. For instance, if you block yahoo.com, mail to yahoo will be blocked as well. Another alternative is to have a second OpenDNS account with less restrictive filtering – tomjedrz May 13 '09 at 14:59
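The failure mode tomjedrz describes (a blocked web domain silently breaking mail to that domain) is easy to detect before users notice: resolve the destination's MX hosts through the LAN forwarder and see whether any of them comes back as the filter's landing-page address rather than a real mail server. The block below is an added example, not code from the answers, and runs offline against a constructed answer table; the landing-page addresses are the two OpenDNS IPs quoted in Richard Slater's answer, everything else (domains, hosts, addresses) is made up. Plugging in a real MX lookup is left as an assumption, since the standard library has no MX query; a resolver library would supply the `resolve(name, rtype)` callable.

```python
# Added example (not from the original answers): detect MX hosts that a
# filtering resolver has redirected to its block page, which is how mail to a
# web-blocked domain fails when the mail server and the browsers share a
# filtered DNS account.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# The two OpenDNS addresses quoted on this page; treated here as the set of
# landing-page IPs a filtered answer points at (assumption for the example).
FILTER_LANDING_IPS: Set[str] = {"208.69.34.230", "208.69.34.231"}

# CONSTRUCTED answers a filtering resolver might give (RFC 5737 ranges).
CONSTRUCTED_ANSWERS: Dict[Tuple[str, str], List[str]] = {
    ("example.net", "MX"): ["20 mx2.example.net", "10 mx1.example.net"],
    ("mx1.example.net", "A"): ["192.0.2.25"],
    ("mx2.example.net", "A"): ["192.0.2.26"],
    ("blocked.example", "MX"): ["10 mail.blocked.example"],
    ("mail.blocked.example", "A"): ["208.69.34.230"],   # redirected to the block page
    ("nomx.example", "A"): ["198.51.100.7"],            # no MX record at all
}

Resolver = Callable[[str, str], List[str]]


def constructed_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for resolve(name, rtype) -> record strings."""
    return CONSTRUCTED_ANSWERS.get((name, rtype), [])


@dataclass
class MxCheck:
    domain: str
    targets: Dict[str, List[str]] = field(default_factory=dict)   # MX host -> addresses
    intercepted: List[str] = field(default_factory=list)          # hosts answering with landing IPs

    @property
    def ok(self) -> bool:
        """Deliverable only if something resolved and nothing was intercepted."""
        return not self.intercepted and any(self.targets.values())


def parse_mx(records: List[str]) -> List[Tuple[int, str]]:
    """'10 mx1.example.net' -> (10, 'mx1.example.net'), lowest preference first."""
    parsed = []
    for rec in records:
        pref, host = rec.split(None, 1)
        parsed.append((int(pref), host.rstrip(".")))
    return sorted(parsed)


def check_mail_delivery_path(domain: str,
                             resolve: Resolver = constructed_resolver,
                             landing: Set[str] = FILTER_LANDING_IPS) -> MxCheck:
    """Resolve where mail for `domain` would go and flag filter-intercepted hosts."""
    result = MxCheck(domain)
    hosts = [host for _, host in parse_mx(resolve(domain, "MX"))]
    if not hosts:
        hosts = [domain]   # RFC 5321 fallback: no MX means deliver to the domain's A record
    for host in hosts:
        addrs = resolve(host, "A")
        result.targets[host] = addrs
        if set(addrs) & landing:
            result.intercepted.append(host)
    return result


if __name__ == "__main__":
    for dom in ("example.net", "blocked.example", "nomx.example"):
        chk = check_mail_delivery_path(dom)
        print(dom, "OK" if chk.ok else "INTERCEPTED", chk.intercepted or chk.targets)
```

Run this from the mail server (with a real resolver plugged in) against the domains you actually send to; a non-empty `intercepted` list on a domain you never meant to block is the signal that the mail server needs its own unfiltered upstream, which is the "different DNS for the mail server" option above and what the question's EDIT ended up doing.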
1

I think the coolness of OpenDNS is fading in some cases. My objection to it is the increasing prevalence of high-bandwidth websites such as YouTube, and even newspaper and cable news websites with lots of video.

In some cases, your ISP provides a higher speed connection to these resources via dark fiber or a CDN like Akamai. They often point you to these resources via split-brain DNS. When I was stuck with Comcast, it didn't matter because their DNS servers suck. At work or at my current home, however, the upstream DNS is fine.

duffbeer703
  • 20,077
  • 4
  • 30
  • 39
  • 1
    By definition, dark fiber is fiber that isn't in use, so they cannot route your connection that way. I think you meant a dedicated peering arrangement in which your ISP peers directly with the content provider's network, providing a more direct route. – Justin Scott May 13 '09 at 03:18
  • 2
    Justin Scott's comment is very wrong. A dark fiber is simply a fiber that you light yourself. So, yes, it can be used to transmit packets. – bortzmeyer May 13 '09 at 06:57
  • Interesting remark. I hadn't realized that could actually be a problem. I guess I feel that most ISPs are pretty dumb about their DNS, whether true or not. – Martijn Heemels Sep 02 '09 at 18:09
  • About dark fiber, both definitions are actually correct. In the past it used to simply mean unlit fiber, so fiber that wasn't in use at all. Nowadays it has been extended to also mean fiber that you lease and light yourself, i.e. with your own equipment. I think this is due to the fallout of the dotcom crash. Huge overcapacity in fiber led to a lot of unlit/dark fiber. New companies are now leasing this unused fiber directly to companies needing dedicated highspeed lines. – Martijn Heemels Sep 02 '09 at 18:17