Hi, Recursion is the service you want to use in this scenario, so not sure what you mean by this to be honest. Actually using Simple DNS you will be using the root nameservers anyway. To answer the original question, I can't see what difference it makes using your nameservers and the root hints will make over using OpenDNS. OpenDNS has some extra features, like blocking specific sites in a database, as well as having a large DNS cache, which can sometimes increase lookup times, but on a LAN with a DNS server, I find this less of an issue, as people tend to visit the same websites, so the sites that are being visited by the users are cached in the local DNS server already. If you are a business customer, then I think you need to pay them as well. I looked into it a while ago as a replacement to an on-premis filtering product, so we could get filtering across the board for external users as well, but in the end didn't go with it as it was going to be quite expensive, and they were bing taken over by Cisco! Andrew. ________________________________________ From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Steve Nutt [steve@comproom.co.uk] Sent: 03 March 2016 07:02 To: 'Blind sysadmins list' Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment? Hi, I don't use OpenDNS, because it allows DNS recursion, which can slow down lookups potentially. I allow recursion, but only for trusted IPs. I use SimpleDNS for Windows on a 2012 R2 Windows virtual server. Each to their own I guess. All the best Steve -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart Sent: 03 March 2016 06:04 To: Blind sysadmins list Subject: [Blind-sysadmins] Open DNS in a corporate environment? Hi: Anyone used Open DNS on a business network? Currently our internal DNS servers resolve external queries by just going to the root servers and working from there, but our security guy has it in his head that OpenDNS is a better way to go for some reason. In looking at their web site they do offer some business services that report to block malware by blocking its DNS lookups (until malware writers use IP addresses directly or point to another public DNS server I guess that would work well.) I know quite a few people that use OpenDNS at home and I think it works well, I’m just wondering if its really more secure than just going the route we go today. Thanks. Ryan _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Thanks everyone. Sounds like Open DNS on its own won’t make a huge difference either way from our current setup, although I do need to verify we’re paying for this as we are a for profit company and I was kind of wondering that myself. We use all Cisco routers and switches so for all I know its covered in our Cisco agreement (I don’t mess with the networking stuff) but I will verify. We have offices all over the world on the network, and I have heard sometimes the decision for deciding local content is made at the DNS layer, AKA the IP address returned is for a local site for somewhere like Google, although I think this isn’t as true as it once was. So one thing I need to test is whether remote sites still get localized content even after pointing their DNS servers to filter through Open DNS. Ryan -----Original Message----- From: Blind-sysadmins on behalf of Scott Granados Reply-To: Blind sysadmins list Date: Thursday, March 3, 2016 at 6:11 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

So personally, I’ve always run a pair of bind servers and used the DNS system the way it was intended.:) Open DNS isn’t a bad way to go and I know some businesses and schools using it. Never heard anything negative that would scare me away from giving it a try. I have had reliability issues using google’s DNS but not open DNS.

Good luck.

...

On Mar 3, 2016, at 3:55 AM, Andrew Hodgson wrote:

Hi,

Recursion is the service you want to use in this scenario, so not sure what you mean by this to be honest. Actually using Simple DNS you will be using the root nameservers anyway.

To answer the original question, I can't see what difference it makes using your nameservers and the root hints will make over using OpenDNS. OpenDNS has some extra features, like blocking specific sites in a database, as well as having a large DNS cache, which can sometimes increase lookup times, but on a LAN with a DNS server, I find this less of an issue, as people tend to visit the same websites, so the sites that are being visited by the users are cached in the local DNS server already.

If you are a business customer, then I think you need to pay them as well. I looked into it a while ago as a replacement to an on-premis filtering product, so we could get filtering across the board for external users as well, but in the end didn't go with it as it was going to be quite expensive, and they were bing taken over by Cisco!

Andrew. ________________________________________ From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Steve Nutt [steve@comproom.co.uk] Sent: 03 March 2016 07:02 To: 'Blind sysadmins list' Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

Hi,

I don't use OpenDNS, because it allows DNS recursion, which can slow down lookups potentially. I allow recursion, but only for trusted IPs.

I use SimpleDNS for Windows on a 2012 R2 Windows virtual server.

Each to their own I guess.

All the best

Steve

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart Sent: 03 March 2016 06:04 To: Blind sysadmins list Subject: [Blind-sysadmins] Open DNS in a corporate environment?

Hi: Anyone used Open DNS on a business network? Currently our internal DNS servers resolve external queries by just going to the root servers and working from there, but our security guy has it in his head that OpenDNS is a better way to go for some reason. In looking at their web site they do offer some business services that report to block malware by blocking its DNS lookups (until malware writers use IP addresses directly or point to another public DNS server I guess that would work well.) I know quite a few people that use OpenDNS at home and I think it works well, I’m just wondering if its really more secure than just going the route we go today. Thanks. Ryan _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

+1, sounds like a fair bit of work for little return.

On Mar 3, 2016, at 10:02 AM, Andrew Hodgson wrote:

Hi,

OpenDNS uses an anycast network, and so the requests coming from OpenDNS will be from your country. Therefor the IP addresses you get should be relevant for your country as well.

Personally if you are happy with your Internet filtering I would stick with what you have already.

Thanks. Andrew.

________________________________________ From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Ryan Shugart [rshugart@ryanshugart.com] Sent: 03 March 2016 14:58 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

Thanks everyone. Sounds like Open DNS on its own won’t make a huge difference either way from our current setup, although I do need to verify we’re paying for this as we are a for profit company and I was kind of wondering that myself. We use all Cisco routers and switches so for all I know its covered in our Cisco agreement (I don’t mess with the networking stuff) but I will verify. We have offices all over the world on the network, and I have heard sometimes the decision for deciding local content is made at the DNS layer, AKA the IP address returned is for a local site for somewhere like Google, although I think this isn’t as true as it once was. So one thing I need to test is whether remote sites still get localized content even after pointing their DNS servers to filter through Open DNS. Ryan

-----Original Message----- From: Blind-sysadmins on behalf of Scott Granados Reply-To: Blind sysadmins list Date: Thursday, March 3, 2016 at 6:11 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

...

So personally, I’ve always run a pair of bind servers and used the DNS system the way it was intended.:) Open DNS isn’t a bad way to go and I know some businesses and schools using it. Never heard anything negative that would scare me away from giving it a try. I have had reliability issues using google’s DNS but not open DNS.

Good luck.

...

On Mar 3, 2016, at 3:55 AM, Andrew Hodgson wrote:

Hi,

Recursion is the service you want to use in this scenario, so not sure what you mean by this to be honest. Actually using Simple DNS you will be using the root nameservers anyway.

To answer the original question, I can't see what difference it makes using your nameservers and the root hints will make over using OpenDNS. OpenDNS has some extra features, like blocking specific sites in a database, as well as having a large DNS cache, which can sometimes increase lookup times, but on a LAN with a DNS server, I find this less of an issue, as people tend to visit the same websites, so the sites that are being visited by the users are cached in the local DNS server already.

If you are a business customer, then I think you need to pay them as well. I looked into it a while ago as a replacement to an on-premis filtering product, so we could get filtering across the board for external users as well, but in the end didn't go with it as it was going to be quite expensive, and they were bing taken over by Cisco!

Andrew. ________________________________________ From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Steve Nutt [steve@comproom.co.uk] Sent: 03 March 2016 07:02 To: 'Blind sysadmins list' Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

Hi,

I don't use OpenDNS, because it allows DNS recursion, which can slow down lookups potentially. I allow recursion, but only for trusted IPs.

I use SimpleDNS for Windows on a 2012 R2 Windows virtual server.

Each to their own I guess.

All the best

Steve

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart Sent: 03 March 2016 06:04 To: Blind sysadmins list Subject: [Blind-sysadmins] Open DNS in a corporate environment?

Hi: Anyone used Open DNS on a business network? Currently our internal DNS servers resolve external queries by just going to the root servers and working from there, but our security guy has it in his head that OpenDNS is a better way to go for some reason. In looking at their web site they do offer some business services that report to block malware by blocking its DNS lookups (until malware writers use IP addresses directly or point to another public DNS server I guess that would work well.) I know quite a few people that use OpenDNS at home and I think it works well, I’m just wondering if its really more secure than just going the route we go today. Thanks. Ryan _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

---

Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Well unfortunately in the end not my call. Our security guy has made the final call and I've been told to go along with it. Fortunately I have a Powershell script to go out and change them all (there's about 40 domain controlers each with the DNS role as well.) It should be fairly painless though. Considering we actually don't filter internet traffic much this might be some kind of change but overall I do agree with the common opinion. I did ask them to make sure we're properly licensed to do this though. Thanks again. Ryan ________________________________________ From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Scott Granados [scott@granados-llc.net] Sent: Thursday, March 3, 2016 8:05 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment? +1, sounds like a fair bit of work for little return.

On Mar 3, 2016, at 10:02 AM, Andrew Hodgson wrote:

Hi,

OpenDNS uses an anycast network, and so the requests coming from OpenDNS will be from your country. Therefor the IP addresses you get should be relevant for your country as well.

Personally if you are happy with your Internet filtering I would stick with what you have already.

Thanks. Andrew.

________________________________________ From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Ryan Shugart [rshugart@ryanshugart.com] Sent: 03 March 2016 14:58 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

Thanks everyone. Sounds like Open DNS on its own won’t make a huge difference either way from our current setup, although I do need to verify we’re paying for this as we are a for profit company and I was kind of wondering that myself. We use all Cisco routers and switches so for all I know its covered in our Cisco agreement (I don’t mess with the networking stuff) but I will verify. We have offices all over the world on the network, and I have heard sometimes the decision for deciding local content is made at the DNS layer, AKA the IP address returned is for a local site for somewhere like Google, although I think this isn’t as true as it once was. So one thing I need to test is whether remote sites still get localized content even after pointing their DNS servers to filter through Open DNS. Ryan

-----Original Message----- From: Blind-sysadmins on behalf of Scott Granados Reply-To: Blind sysadmins list Date: Thursday, March 3, 2016 at 6:11 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

...

So personally, I’ve always run a pair of bind servers and used the DNS system the way it was intended.:) Open DNS isn’t a bad way to go and I know some businesses and schools using it. Never heard anything negative that would scare me away from giving it a try. I have had reliability issues using google’s DNS but not open DNS.

Good luck.

...

On Mar 3, 2016, at 3:55 AM, Andrew Hodgson wrote:

Hi,

Recursion is the service you want to use in this scenario, so not sure what you mean by this to be honest. Actually using Simple DNS you will be using the root nameservers anyway.

To answer the original question, I can't see what difference it makes using your nameservers and the root hints will make over using OpenDNS. OpenDNS has some extra features, like blocking specific sites in a database, as well as having a large DNS cache, which can sometimes increase lookup times, but on a LAN with a DNS server, I find this less of an issue, as people tend to visit the same websites, so the sites that are being visited by the users are cached in the local DNS server already.

If you are a business customer, then I think you need to pay them as well. I looked into it a while ago as a replacement to an on-premis filtering product, so we could get filtering across the board for external users as well, but in the end didn't go with it as it was going to be quite expensive, and they were bing taken over by Cisco!

Andrew. ________________________________________ From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Steve Nutt [steve@comproom.co.uk] Sent: 03 March 2016 07:02 To: 'Blind sysadmins list' Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

Hi,

I don't use OpenDNS, because it allows DNS recursion, which can slow down lookups potentially. I allow recursion, but only for trusted IPs.

I use SimpleDNS for Windows on a 2012 R2 Windows virtual server.

Each to their own I guess.

All the best

Steve

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart Sent: 03 March 2016 06:04 To: Blind sysadmins list Subject: [Blind-sysadmins] Open DNS in a corporate environment?

Hi: Anyone used Open DNS on a business network? Currently our internal DNS servers resolve external queries by just going to the root servers and working from there, but our security guy has it in his head that OpenDNS is a better way to go for some reason. In looking at their web site they do offer some business services that report to block malware by blocking its DNS lookups (until malware writers use IP addresses directly or point to another public DNS server I guess that would work well.) I know quite a few people that use OpenDNS at home and I think it works well, I’m just wondering if its really more secure than just going the route we go today. Thanks. Ryan _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

---

Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

If open DNS is doing the lookups for you that you’re forwarding on then it’s likely that geographic loadbalancers may and I mean may have issues as there are a lot of methods used for balancing. I know F5 uses a mechanism that balances traffic based on where the DNS request came from but as I recall there are a lot of other knobs not just DNS that can control geographic distribution. I haven’t played with this in a few years either so it may have changed and most likely has.

On Mar 3, 2016, at 9:58 AM, Ryan Shugart wrote:

Thanks everyone. Sounds like Open DNS on its own won’t make a huge difference either way from our current setup, although I do need to verify we’re paying for this as we are a for profit company and I was kind of wondering that myself. We use all Cisco routers and switches so for all I know its covered in our Cisco agreement (I don’t mess with the networking stuff) but I will verify. We have offices all over the world on the network, and I have heard sometimes the decision for deciding local content is made at the DNS layer, AKA the IP address returned is for a local site for somewhere like Google, although I think this isn’t as true as it once was. So one thing I need to test is whether remote sites still get localized content even after pointing their DNS servers to filter through Open DNS. Ryan

-----Original Message----- From: Blind-sysadmins on behalf of Scott Granados Reply-To: Blind sysadmins list Date: Thursday, March 3, 2016 at 6:11 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

...

So personally, I’ve always run a pair of bind servers and used the DNS system the way it was intended.:) Open DNS isn’t a bad way to go and I know some businesses and schools using it. Never heard anything negative that would scare me away from giving it a try. I have had reliability issues using google’s DNS but not open DNS.

Good luck.

...

On Mar 3, 2016, at 3:55 AM, Andrew Hodgson wrote:

Hi,

Recursion is the service you want to use in this scenario, so not sure what you mean by this to be honest. Actually using Simple DNS you will be using the root nameservers anyway.

To answer the original question, I can't see what difference it makes using your nameservers and the root hints will make over using OpenDNS. OpenDNS has some extra features, like blocking specific sites in a database, as well as having a large DNS cache, which can sometimes increase lookup times, but on a LAN with a DNS server, I find this less of an issue, as people tend to visit the same websites, so the sites that are being visited by the users are cached in the local DNS server already.

If you are a business customer, then I think you need to pay them as well. I looked into it a while ago as a replacement to an on-premis filtering product, so we could get filtering across the board for external users as well, but in the end didn't go with it as it was going to be quite expensive, and they were bing taken over by Cisco!

Andrew. ________________________________________ From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Steve Nutt [steve@comproom.co.uk] Sent: 03 March 2016 07:02 To: 'Blind sysadmins list' Subject: Re: [Blind-sysadmins] Open DNS in a corporate environment?

Hi,

I don't use OpenDNS, because it allows DNS recursion, which can slow down lookups potentially. I allow recursion, but only for trusted IPs.

I use SimpleDNS for Windows on a 2012 R2 Windows virtual server.

Each to their own I guess.

All the best

Steve

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart Sent: 03 March 2016 06:04 To: Blind sysadmins list Subject: [Blind-sysadmins] Open DNS in a corporate environment?

Hi: Anyone used Open DNS on a business network? Currently our internal DNS servers resolve external queries by just going to the root servers and working from there, but our security guy has it in his head that OpenDNS is a better way to go for some reason. In looking at their web site they do offer some business services that report to block malware by blocking its DNS lookups (until malware writers use IP addresses directly or point to another public DNS server I guess that would work well.) I know quite a few people that use OpenDNS at home and I think it works well, I’m just wondering if its really more secure than just going the route we go today. Thanks. Ryan _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

---

Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins