Detouring your website lookups – ISP DNS Proxy
We apologize in advance that some aspects of this article contain NerdSpeak but we hope that the gist of the article is of value to you.
What is this DNS proxy all about?
DNS is fundamental to the Internet, similar to your address book or phone book. We don\’t want to know all the IP addresses behind websites, so DNS does the lookup for us. Internet Service Providers have always provided this lookup service as part of their service offering, but many people and companies prefer to use alternate lookup servers such as OpenDNS or Google. Some ISPs are now intercepting their customers\’ lookups, if they are using an alternate lookup server (in the form of a Proxy) and providing answers directly rather than allowing them to use these alternate lookup providers.
How do I know if my ISP detours or proxies my DNS?
OpenDNS has an article that describes this for you, and this was our result when we suspected the ISP had turned on DNS Proxy services and this verified it:
Why is this bad?
Proxying these DNS lookups is bad for us for the following reasons:
- It prevents customer choice
- It breaks DNS filtering features that are extremely useful for a number of reasons including customer-controlled filtering and botnet protection
- It is a bit like a dictatorship on the Internet
Why might ISPs do this?
ISPs actually do have some legitimate reasons why they would want to do this:
- Minimize technical support costs. Your computer\’s DNS servers may be setup with one set of servers at work and they may not work at home, or vice-versa. This is when the ISP incurs technical support costs that they would rather avoid. If they proxy your DNS, then your non-compliant settings magically work, a technical support call and downtime frustration is avoided. However, this is just a band-aid and doesn\’t solve the root problem.
- Protect their customers from botnets. Although the intention is good here, having an ISP responsible for your Internet security forces them to apply a one-size-fits-all policy which has ill side effects. It\’s like our government dictating what kind of grass we can grow in our yard.
What should they do instead?
Opt Out. Considering that ISPs have reasonably good reasons for doing this, just offer customers an Opt-Out option. This way, all of us that have enjoyed the features of OpenDNS and Google DNS servers can continue to enjoy them and everyone is happy. 🙂
Are there any workarounds if the ISP does not offer an Opt-Out feature?
Yes, there certainly are ways to work around this.
- TCP vs UDP – some ISPs only proxy UDP-based DNS requests but not TCP. To find out, check this arcticle: http://www.opendns.com/support/article/208 Note, however, that switching your services to use TCP only will affect your performance and each DNS lookup will take longer.
- VPN – A VPN connection makes your type of traffic invisible by your ISP so they cannot proxy DNS. If you have an internal DNS server that you want to use OpenDNS or Google recursively, make the VPN connection only from that server and not from your desktop. That way everyone on that network gets the benefit of the one VPN connection. Alternatively, if you make your own VPN connection, choose to NOT make it your default route (an option in VPN software) but do use the VPN\’s DNS servers.
What obviously motivated this article is that we\’re huge OpenDNS fans – check out how you can take advantage of what OpenDNS has to offer both in free and commercial flavours… If you have any comments, please feel free to share. Thanks to Arthur Wiebe for his input on this article.
David R in Ontario, Canada
February 22, 2010