Open DNS
Rico
October 14th, 2006, 08:45 PM
Hi Guys,
Check out the following: http://www.opendns.com/
They promise to speed up the net, make you safer & better looking. Well, as for the latter, I guess we can't improve on perfection. Anywho, first got wind of this from the new PC World rag.
Take Care
rico
Rico
October 14th, 2006, 09:07 PM
Hi Again.
Just changed mine to Open DNS & wow, big improvement!
208.67.222.222
208.67.220.220
Rocks Rico
Take Care
rico
ThunderZ
October 14th, 2006, 09:17 PM
Looked it over a little bit. Do they have one, and if they do, did you read their EULA and/or privacy policy?
Rico
October 15th, 2006, 12:00 AM
Hi Thunder,
I did read their "Privacy Policy"; it seems ok to me. I never read the same for my ISP. Did you see something scary when you looked it over?
Thanks & Take Care
rico
Tommy
October 15th, 2006, 12:20 AM
OT ON/
As I wanted to test the speed difference, I searched for software which allows me to switch Internet/network settings on the fly. I found 'Mobile Net Switch', which I can use with my laptop on lots of occasions. Rico, thanks to this thread I found this software.
Info: http://www.mobilenetswitch.com/
OT OFF/
Notok
October 15th, 2006, 02:51 AM
I've been using OpenDNS for a few weeks now and have had good results. I never thought I'd say that I'm happy with something as trivial as DNS servers :) The automatic spellchecking is going to spoil me...
ThunderZ
October 15th, 2006, 05:14 AM
-{ Quote: "Hi Thunder,
I did read their "Privacy Policy"; it seems ok to me. I never read the same for my ISP. Did you see something scary when you looked it over?
Thanks & Take Care
rico" }-
No, nothing really. Just a little paranoid of new freebies that are outside of my realm of control. Sometimes I will see a product or service that my gut tells me is just not "quite right". No real reason for it. I do give you a big :thumb: for having read the EULA though. Many are click happy and would not have bothered.
ThunderZ
October 15th, 2006, 05:16 AM
-{ Quote: "OT ON/
As I wanted to test the speed difference, I searched for software which allows me to switch Internet/network settings on the fly. I found 'Mobile Net Switch', which I can use with my laptop on lots of occasions. Rico, thanks to this thread I found this software.
Info: http://www.mobilenetswitch.com/
OT OFF/" }-
OT back ON/ Thanks Tommy. Going to give it a try myself. OT back OFF/ ;D
zapjb
October 15th, 2006, 09:00 AM
-{ Quote: "OT ON/
As I wanted to test the speed difference, I searched for software which allows me to switch Internet/network settings on the fly. I found 'Mobile Net Switch', which I can use with my laptop on lots of occasions. Rico, thanks to this thread I found this software.
Info: http://www.mobilenetswitch.com/
OT OFF/" }-
Is this freeware? Went to the site. One place it says never expires, nothing about purchasing. Then going to order it says 24 euro. ???
Tommy
October 15th, 2006, 09:28 AM
-{ Quote: "Is this freeware? Went to the site. One place it says never expires, nothing about purchasing. Then going to order it says 24 euro. ???" }-
It seems to be freeware and shareware, but the unregistered version has a startup screen, which the paid version doesn't have. According to the website there are _no_ limitations in the unpaid version and it does not expire.
zapjb
October 15th, 2006, 09:38 AM
Thanks for clearing that up.
WSFuser
October 15th, 2006, 10:00 AM
Very interesting. I've entered the OpenDNS server IPs, so now I'll wait and see if there's any improvement.
thanks for sharing Rico.
wilbertnl
October 15th, 2006, 11:56 AM
I too had set up OpenDNS, but last Friday night I was not able to reach this forum. I got the search page of OpenDNS...
I'm still waiting for their explanation.
iceni60
October 15th, 2006, 02:30 PM
I don't understand why you all trust this place?? Have you all read up on it? I suppose you have. But, earlier today I issued a dig command (in Linux) and the 'Query time' was a lot slower than my ISP's nameservers. I didn't look anything up though, but I don't see how it can be quicker than an ISP DNS and be as accurate. Are you using it because it's safer and it checks the top-level domain and corrects it if it's incorrect?
Maybe I should read about it lol
WSFuser
October 15th, 2006, 02:40 PM
-{ Quote: "I don't understand why you all trust this place??" }-
It's not that I trust it, I'm just trying it. I've no problems so far, though I'm unsure about how to "test" it.
-{ Quote: "but I don't see how it can be quicker than an ISP DNS" }-
voila:
-{ Quote: "Why is OpenDNS faster than other DNS services?
Two things make OpenDNS faster than similar services. First, OpenDNS runs a really big, smart cache, so every OpenDNS user benefits from the activities of the broader OpenDNS user base. Second, OpenDNS runs a high-performance network which is geographically distributed (see network map) and serviced by several redundant connections. OpenDNS responds to your query from the nearest location. That means we're very fast (and extremely reliable, to boot)." }-
herbalist
October 15th, 2006, 03:11 PM
So far, their service works as claimed for me. Haven't tried any deliberate spelling errors yet, but as for speed, they do seem substantially faster than my ISP's DNS servers. Time will tell.
-{ Quote: "I don't understand why you all trust this place??" }-
What specifically would you be concerned about? If they were redirecting you or something like that, someone would have noticed that by now. About the only thing I can think of offhand is logging your activity and possibly sharing or selling that data. Then again, the DNS servers from your own ISP could be doing that and you would have no way of knowing.
Rick
iceni60
October 15th, 2006, 03:35 PM
-{ Quote: "voila:
Two things make OpenDNS faster than similar services..." }-
It says similar services, not ISPs. I still can't see how it can be faster than an ISP, it must use more hops. It can only be faster if the lookup is so quick at their servers it makes the extra hops redundant.
Does anyone really understand it all? I don't.
-{ Quote: "So far, their service works as claimed for me. Haven't tried any deliberate spelling errors yet, but as for speed, they do seem substantially faster than my ISP's DNS servers. Time will tell.
What specifically would you be concerned about?" }-
Nothing specific, I just thought if they are doing something to speed up the lookups then it might be more likely to be DNS poisoned. Maybe they have extra software running which isn't safe, I don't know, I just wouldn't trust something like this, that's all.
Rico
October 15th, 2006, 05:46 PM
Hi Guys,
Regarding OpenDNS so far its worked as stated, for me. Also along those same lines check out:
www.ntcanuck.com When I posted at Dozleng about OpenDNS an admin or moderator suggested this site.
The author of the article I read in PC World was the president of PIBMUG, "Pasadena IBM Users Group", so I'll jot him a note asking what's known about safety/compromise while using OpenDNS. I suspect it's okay or the author & PC World would be in deep doo-doo. They had to do "due diligence" before publishing. I'll post any response I receive.
As Always
Take Care
rico
wilbertnl
October 15th, 2006, 07:52 PM
-{ Quote: "Also along those same lines check out:" }-
I appreciate that!
Hm, I assume that when Treewalk is installed, I could disable the Windows DNS service?
Alphalutra1
October 15th, 2006, 08:12 PM
-{ Quote: "I appreciate that!
Hm, I assume that when Treewalk is installed, I could disable the Windows DNS service?" }-
You can disable the Windows DNS service with nothing installed. It is an unnecessary thing that each application should be in charge of, not some global Windows service that can be abused. Just my opinion though.
Alphalutra1
herbalist
October 15th, 2006, 09:06 PM
-{ Quote: "Nothing specific, I just thought if they are doing something to speed up the lookups then it might be more likely to be DNS poisoned. Maybe they have extra software running which isn't safe, I don't know, I just wouldn't trust something like this, that's all." }-
I don't see where they'd be any more likely to have a DNS poisoning than any other service. If what they're claiming is true, there may actually be less chance of running into DNS poisoning, assuming they don't have to connect to as many other DNS servers as often as others do. I don't recall if DNS poisoning is a problem on this kind of server or if the root servers are the ones attacked this way.
As for comparing them to an ISP's DNS servers, I've just made the switch to DSL from dialup service. Took a lot of phone calls to get all the problems sorted out. Should be in a separate thread called DSL horror stories. Anyway, when I compare it to my ISP's DNS, the most obvious difference is the lack of a delay from the time I click a link until my browser actually responds. With Open DNS, it's almost instantaneous. With my ISP's own DNS, there's about a 1-2 second delay most of the time. Maybe they're just having problems right now, so I'll switch back and forth for a while and compare them for a few weeks. So far, everything about Open DNS seems legitimate.
Rick
ComputerDebugger
October 15th, 2006, 09:33 PM
-{ Quote: "Anyway, when I compare it to my ISP's DNS, the most obvious difference is the lack of a delay from the time I click a link until my browser actually responds. With Open DNS, it's almost instantaneous. With my ISP's own DNS, there's about a 1-2 second delay most of the time." }-
I have the same results as you with OpenDNS being about one to two seconds faster than my ISP's DNS.
-{ Quote: "so I'll switch back and forth for a while and compare them for a few weeks." }-
Over the last few days I have done the switching back and forth a few times and so far OpenDNS has remained faster than my ISP. I will keep doing this randomly for a while to see if the speed remains the same.
-{ Quote: "So far, everything about Open DNS seems legitimate." }-
Agreed... I looked over their privacy policy also and it seemed OK to me....
wilbertnl
October 15th, 2006, 11:52 PM
-{ Quote: "Anyway, when I compare it to my ISPs DNS, the most obvious difference is the lack of a delay from the time I click a link until my browser actually responds. With Open DNS, it's almost instantaneous. With my ISPs own DNS, there's about a 1-2 second delay most of the time." }-
Excuse me...
When you test, do you clear the browser cache and Windows DNS cache?
Do you have an opinion about the Treewalk personal DNS server?
LockBox
October 15th, 2006, 11:52 PM
I don't know much about this. If you change dns servers, does your IP address change?
wilbertnl
October 15th, 2006, 11:55 PM
-{ Quote: "I don't know much about this. If you change dns servers, does your IP address change?" }-
No, you just use a different lookup server for internet addresses.
Arup
October 16th, 2006, 01:03 AM
I have been using Treewalk DNS for years, it's a very stable and safe program, it converts the DNS from your PC, automatically disables Windows DNS and also lets you update the ICANN root. Sped up my net access significantly. It's free for life with no strings attached and takes few resources, just have to give full inbound rights to the named.exe process, which is totally safe.
www.ntcanuck.com or www.treewalkdns.com
herbalist
October 16th, 2006, 02:31 AM
-{ Quote: "When you test, do you clear the browser cache and Windows DNS cache?
Do you have an opinion about the Treewalk personal DNS server?" }-
My browser cache is cleared automatically when I close it. Didn't think about the windows DNS cache, but I will the next time I switch. I haven't tested how well either does under controlled conditions. If I can find time, I'd like to.
The service rep for my DSL service told me they were having problems with their servers on one of the days I called them. While downloads are much faster with the DSL, normal web browsing with their service is barely faster than my dialup service was. Using the Open DNS, it actually feels like DSL now. If my regular service is having some kind of problem, it's probably not a fair comparison. Then again, they've had this problem for better than a week now.
Never tried Treewalk. From what I see, it doesn't run on my operating systems, Win98 and Ubuntu Linux.
Rick
Arup
October 16th, 2006, 04:34 AM
Bine PE runs on 98, it's from the makers of Treewalk, nothing for Linux yet.
wilbertnl
October 16th, 2006, 09:37 AM
-{ Quote: "Using the Open DNS, it actually feels like DSL now.
From what I see, it doesn't run on my operating systems, Win98 and Ubuntu Linux.
Rick" }-
At least you have an alternative, which is great.
There is a version for win98, called BIND-LE (http://ntcanuck.com/downloads.htm), same website as Treewalk.
And Ubuntu has BIND available, which is probably more troublesome to set up than the easy-to-go TreeWalk installer.
Notok
October 16th, 2006, 01:08 PM
-{ Quote: "I don't understand why you all trust this place?? Have you all read up on it?" }-
They do have a privacy policy, their address and phone number listed on the page, and an introduction to each member of the team with each of their email addresses. If you look up the building you can see that it really is a high-rise building (http://www.emporis.com/en/wm/bu/?id=118734), and seems to be shared with a number of legitimate and government offices. If they're trying to hide something, they're doing a lousy job.
-{ Quote: "But, earlier today I issued a dig command (in Linux) and the 'Query time' was a lot slower than my ISP's nameservers." }-
I noticed the same thing just pinging the server, but many times it does indeed go a little faster. Either we're not getting the optimized connection when doing such things or they are just processing actual DNS requests faster. Of course the difference between OpenDNS and my ISP's DNS servers was a difference of about 10 milliseconds, which is not something I would readily notice. Of course this is all also likely to be different for different people, especially the difference between OpenDNS and their ISP.
Notok
October 16th, 2006, 01:15 PM
-{ Quote: "Do you have an opinion about the Treewalk personal DNS server?" }-
I've tried it a few times without much luck. The first couple of times it crashed frequently, then when I tried again recently to serve my LAN it would fail to look up new sites unless I refreshed about 3+ times. Locally it seemed to be OK, but still missed some sites here and there.
For some people, however, it seems to work really smoothly, I don't know. When it did work for me it was pretty nice, things did speed up, but for my purposes it was just a no-go. If you're interested I would say give it a try, worst case scenario you uninstall it.
Alphalutra1
October 16th, 2006, 01:30 PM
Treewalk is a great product and helps web surfing speed up considerably. It never had a problem on my pc except that it can be the only local proxy or else it won't work. So yes, it won't work with the proxomitron or privoxy :'(
Alphalutra1
nameless
October 16th, 2006, 04:07 PM
-{ Quote: "Treewalk is a great product and helps web surfing speed up considerably. It never had a problem on my pc except that it can be the only local proxy or else it won't work. So yes, it won't work with the proxomitron or privoxy :'(" }-
Whether TreeWalk DNS improves speeds will depend on your ISP. It did nothing for me--I guess I have a pretty good DNS service.
Maybe installing the Microsoft Loopback Adapter (http://www.google.com/search?q=microsoft%20loopback%20adapter), giving the loopback adapter a unique subnet address, and then using that subnet address for your TCP/IP DNS settings (rather than 127.0.0.1), would work to avoid the issue you had with 127.0.0.1. The TreeWalk DNS site mentions this procedure.
I've personally seen the TreeWalk DNS service absolutely devour CPU on several occasions, so I was thinking about trying the loopback adapter myself--if I continue using TreeWalk DNS in the first place, that is.
nameless
October 16th, 2006, 04:10 PM
Incidentally, the CEO and the VP of product development at OpenDNS.com had this to say when I inquired about DNS cache poisoning (quoted here with explicit permission):
-{ Quote: "Cache poisoning typically was a problem for nameservers that mixed logic in how they handled recursive and authoritative DNS responses. Since OpenDNS was designed from the ground up to avoid issues involving cache poisoning and other threats we believe we are well protected from these types of attacks. We carefully check and rely on the chain of trust built into DNS delegations and refuse to trust 'additional information' handed back from authoritative nameservers that is not part of the needed glue." }-
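Two things in this thread can be checked with a short script instead of by feel: Notok's observation above that a ping to a resolver says little about how fast it answers actual DNS queries (dig's 'Query time' is measured on a real UDP query, and a resolver's cache makes the second lookup of a name much faster than the first, which is why the comparisons earlier in the thread needed the local DNS cache flushed), and the OpenDNS statement quoted just above about refusing 'additional information' that is not part of the needed glue. The script below is an added example written for this thread; it is not OpenDNS's code and is not taken from any of the vendor pages linked here. It speaks raw DNS over UDP in the RFC 1035 wire format, times a query against each of the two OpenDNS addresses posted earlier (first uncached, then cached) the same way dig does, parses the reply, and in filter_additional() applies a simplified bailiwick rule: a record in the additional section is kept only if it lies under the zone the answering server is responsible for. SAMPLE_REPLY is a constructed packet (example.com, ns1.example.com, www.bank.test and the 192.0.2.x/198.51.100.x addresses are documentation names and addresses, not real data) in which an out-of-bailiwick A record for www.bank.test rides along with legitimate glue; a resolver that cached it would be poisoned for that name. The zone is passed in as a parameter here; a real resolver derives it from the delegation chain.

```python
import os
import socket
import struct
import time

OPENDNS_RESOLVERS = ("208.67.222.222", "208.67.220.220")  # the two resolvers posted earlier in the thread

def encode_name(name):
    labels = name.rstrip(".").split(".")  # 'www.example.com' -> b'\x03www\x07example\x03com\x00'
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=1, txid=None):
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID, one of the few anti-spoofing bits
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def read_name(msg, off):
    """Decode a possibly compressed name; return (lowercased name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)

def read_rr(msg, off):
    name, off = read_name(msg, off)
    rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": rdata}, off + 10 + rdlen

def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        questions.append((qname, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4  # QTYPE + QCLASS
    resp = {"txid": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "questions": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        resp[key] = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            resp[key].append(rr)
    return resp

def filter_additional(resp, zone):
    """Keep additional records under the answering server's zone (glue); drop the rest, which
    any authoritative server could otherwise use to poison unrelated names in the cache."""
    zone = zone.lower().rstrip(".")
    def glue(rr):
        return rr["name"] == zone or rr["name"].endswith("." + zone)
    kept = [rr for rr in resp["additional"] if glue(rr)]
    dropped = [rr for rr in resp["additional"] if not glue(rr)]
    return kept, dropped

def time_query(resolver, name, timeout=2.0):
    """One UDP query as dig sends it; returns (rtt_seconds, parsed reply)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(query, (resolver, 53))
        while True:  # ignore datagrams from another source or with a different ID (cheap spoof filter)
            data, peer = s.recvfrom(4096)
            if peer[0] == resolver and data[:2] == query[:2]:
                break
        rtt = time.perf_counter() - t0
    return rtt, parse_response(data)  # a reply with resp["tc"] set must be repeated over TCP

def _rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed reply: example.com's server answers www.example.com/A, adds legitimate glue for
# ns1.example.com, and smuggles an unrelated www.bank.test/A record into the additional section.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 1, 2)  # QR=1 AA=1; 1 question, 1/1/2 records
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + _rr("www.example.com", 1, 300, bytes([192, 0, 2, 10]))
    + _rr("example.com", 2, 300, encode_name("ns1.example.com"))
    + _rr("ns1.example.com", 1, 300, bytes([192, 0, 2, 53]))
    + _rr("www.bank.test", 1, 86400, bytes([198, 51, 100, 66]))
)

if __name__ == "__main__":
    kept, dropped = filter_additional(parse_response(SAMPLE_REPLY), "example.com")
    print("glue kept:", [r["name"] for r in kept], "dropped:", [r["name"] for r in dropped])
    for resolver in OPENDNS_RESOLVERS:  # add your ISP's resolvers here to compare
        name = os.urandom(4).hex() + ".example.com"  # random label: the first query has to recurse
        for attempt in ("uncached", "cached"):
            try:
                rtt, resp = time_query(resolver, name)
                print(f"{resolver:16} {attempt:9} {rtt * 1000:7.1f} ms  rcode={resp['rcode']}")
            except OSError as exc:
                print(f"{resolver:16} {attempt:9} failed: {exc}")
```

Run it from a machine that can send UDP/53 outbound; add your ISP's resolvers to OPENDNS_RESOLVERS to get the side-by-side numbers the thread is arguing about. The random label returns NXDOMAIN (rcode 3), which is fine: the first answer still has to be fetched through recursion while the second comes from the resolver's negative cache, so the gap between the two rows is the cache at work. Matching the transaction ID and source address is the weakest part of spoofing resistance; what the bailiwick filter adds is that even a reply the resolver does accept cannot plant records for names the answering server has no business speaking for.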
Rico
October 16th, 2006, 04:52 PM
Hi Guys,
Received an email from Steve Bass, author of the OpenDNS article in PC World, regarding safety. He assures me that everything is safe.
Also it seems that OpenDNS, has worked with CastleCops, & at OpenDNS you will find an acknowledgement, regarding CastleCops. Visiting Castlecops I found 4 threads regarding OpenDNS one post from Paul an admin type.
As far as I'm concerned, the safety thing is over & done!
Take Care
rico
ps at Castlecops, I just typed "OpenDNS" in their search box.
nameless
October 16th, 2006, 05:06 PM
There are a lot of nasty things that could happen with DNS records when you use a third-party service, but I figure the same thing could happen with your ISP, too.
From all I've seen, it's a really nice service that really works, and I'm happy with it so far.
Arup
October 17th, 2006, 05:51 AM
Running Treewalk on an ancient dual P-III 850 machine, absolutely no CPU overload problems here.
nameless
October 17th, 2006, 07:30 AM
-{ Quote: "Running Treewalk on an ancient dual P-III 850 machine, absolutely no CPU overload problems here." }-
The problem only happens under certain circumstances, and is mentioned on their site. It has only happened a few times on my system. It has nothing whatsoever to do with the type of CPU you have (but why on earth would it?).
iceni60
October 17th, 2006, 12:45 PM
I love OpenDNS. It fixed my network problems :D
wilbertnl
October 17th, 2006, 12:50 PM
-{ Quote: "I don't understand why you all trust this place?? Have you all read up on it? I suppose you have. But, earlier today I issued a dig command (in Linux) and the 'Query time' was a lot slower than my ISP's nameservers. I didn't look anything up though, but I don't see how it can be quicker than an ISP DNS and be as accurate. Are you using it because it's safer and it checks the top-level domain and corrects it if it's incorrect?" }-
-{ Quote: "I love OpenDNS. It fixed my network problems :D" }-
;D ;D :thumb: :thumb:
Devinco
October 17th, 2006, 01:01 PM
Is there a way to communicate the DNS info over a secure channel?
Perhaps with some kind of local DNS proxy utility so your preferred and alternate DNS servers are directed to 127.0.0.1:53 (local host) and the utility communicates via SSL or other secure means to OpenDNS servers?
Even for pay this would be an interesting option like a Secure DNS Proxy Service.
Sure you can do this somewhat with forwarding the DNS requests through the TOR or SSH proxy servers, but those don't cover every DNS request.
I asked if this could be done with a SOCKS proxy a long time ago, but never got an answer.
iceni60
October 17th, 2006, 01:06 PM
-{ Quote: ";D ;D :thumb: :thumb:" }-
I just don't care if it's secure or not, it's either this or no connection. I have a screenshot of a page taking over 1 hour 15 minutes to load with Tiscali's DNS. I really, really hate Tiscali. They have known about this problem for a month or so, I have asked them to fix it but they haven't even bothered replying. There are 100s of posts about it at Tiscali forums UK, they don't help anyone. Their support team are idiots.
I hate Tiscali.
Peter2150
October 17th, 2006, 01:09 PM
This is very interesting but what type of speed improvements are we talking about? Or is it a try it an see?
nameless
October 17th, 2006, 01:23 PM
-{ Quote: "This is very interesting but what type of speed improvements are we talking about? Or is it a try it an see?" }-
You may see a significant improvement, or you may see no (noticeable) improvement at all. I fell into the latter category. It depends on your ISP service.
Peter2150
October 17th, 2006, 01:30 PM
-{ Quote: "You may see a significant improvement, or you may see no (noticeable) improvement at all. I fell into the latter category. It depends on your ISP service." }-
I am using Comcast Cable, it is pretty darn fast here in DC. I assume you can set it back as easily as it is changed.
It wouldn't affect any Radius server setting would it?
wilbertnl
October 17th, 2006, 01:49 PM
You would change the DNS setting in your router, that's all.
Performance increase only applies to DNS lookups.
Paranoid2000
October 17th, 2006, 02:02 PM
-{ Quote: "Is there a way to communicate the DNS info over a secure channel?
Perhaps with some kind of local DNS proxy utility so your preferred and alternate DNS servers are directed to 127.0.0.1:53 (local host) and the utility communicates via SSL or other secure means to OpenDNS servers?" }-
The performance overhead would be a killer - DNS uses UDP for speed to avoid the overheads of establishing a TCP connection. TCP connection plus SSL negotiation (including certificate check) for every DNS request would slow most connections to a crawl (aggressively caching past requests would become a necessity).
-{ Quote: "Sure you can do this somewhat with forwarding the DNS requests through the TOR or SSH proxy servers, but those don't cover every DNS request." }-
In my experience, Tor does cover every DNS request - the only time your browser should attempt one directly is with protocols not covered by Privoxy/Tor (e.g. FTP).
Peter2150
October 17th, 2006, 02:15 PM
-{ Quote: "You would change the DNS setting in your router, that's all.
Performance increase only applies to DNS lookups." }-
Thanks Wilbertnl
wilbertnl
October 17th, 2006, 02:18 PM
-{ Quote: "DNS uses UDP for speed to avoid the overheads of establishing a TCP connection." }-
And doesn't a DNS request/response fit in one single network packet? That is what I remember of it.
Devinco
October 17th, 2006, 02:48 PM
-{ Quote: "The performance overhead would be a killer - DNS uses UDP for speed to avoid the overheads of establishing a TCP connection. TCP connection plus SSL negotiation (including certificate check) for every DNS request would slow most connections to a crawl (aggressively caching past requests would become a necessity)." }-
There is no secure communication channel possible through UDP?
Because it is a one way street?
Would a secure channel be possible through 2 UDP connections, one send and one receive?
Would the DNS performance of such a setup be any worse than it is now when the DNS is forwarded through the proxy?
-{ Quote: "In my experience, Tor does cover every DNS request - the only time your browser should attempt one directly is with protocols not covered by Privoxy/Tor (e.g. FTP)." }-
I was referring to DNS communication outside of the browser.
For example, command line pings and DNS lookups, programs like Port Explorer doing IP resolving, Windows Automatic Updates, and other programs that don't utilize the web browser but still make DNS requests through svchost. These programs don't have an easy way to set up communication through a proxy.
Is it possible for these types of programs to have their DNS requests go through a proxy like TOR? What about an SSH proxy?
Is there a way to force svchost to perform all DNS lookups through these proxies not just the browser?
nameless
October 17th, 2006, 04:40 PM
-{ Quote: "You would change the DNS setting in your router, that's all.
Performance increase only applies to DNS lookups." }-
Then you'd have to point your TCP/IP settings to query the router for DNS (i.e. plug in your router's IP address as a DNS server), otherwise it won't do so.
wilbertnl
October 17th, 2006, 06:23 PM
-{ Quote: "Then you'd have to point your TCP/IP settings to query the router for DNS (i.e. plug in your router's IP address as a DNS server), otherwise it won't do so." }-
That is correct, I assumed that the DHCP service of the router is used. ;)
If you want to test openDNS on one computer, you could modify the IP-settings for that computer.
nameless
October 17th, 2006, 06:37 PM
Incidentally, one can use this link to easily check whether or not OpenDNS is being used...
http://welcome.opendns.com/
Alphalutra1
October 17th, 2006, 06:56 PM
I am using openDNS right now :D The internet seems much snappier which is nice. I also like the spell check and phishing protection. Another nice feature is the fact that all I had to do was change my router's DNS settings, but that is because it runs linux ;)
Alphalutra1
nameless
October 17th, 2006, 07:02 PM
-{ Quote: "Another nice feature is the fact that all I had to do was change my router's DNS settings, but that is because it runs linux ;)" }-
That's not a feature of OpenDNS, and it's not because you use Linux. I just installed Ubuntu and had no DNS until I plugged in my router's IP address--probably because I don't use DHCP. With DHCP, I'd expect it to "just work" on Windows or Linux.
herbalist
October 17th, 2006, 08:34 PM
-{ Quote: "This is very interesting but what type of speed improvements are we talking about? Or is it a try it an see?" }-
For me, the results are somewhat variable. Using my ISP's DNS, I often have a 1-2 second hesitation before the webpage begins to open. This is the case over half the time. With Open DNS, I'm rarely seeing that hesitation. While I haven't tried to actually measure the difference, on the average I'd estimate I'm getting pages opened at least a full second faster, often closer to 2 seconds. Getting the same results with both Ubuntu and Win98. For me, the question is not so much whether Open DNS is that fast, but whether my ISP's DNS is that slow. Even when I was on dialup, I didn't have that initial hesitation before the page started to load.
Rick
Paranoid2000
October 18th, 2006, 03:12 AM
-{ Quote: "And doesn't a DNS request/response fit in one single network packet? That is what I remember of it." }-
Normally yes - indeed if a request exceeds one packet DNS should use TCP for it instead.
-{ Quote: "There is no secure communication channel possible through UDP?
Because it is a one way street?
Would a secure channel be possible through 2 UDP connections, one send and one receive?
Would the DNS performance of such a setup be any worse than it is now when the DNS is forwarded through the proxy?" }-
UDP can be used for secure communications provided the application is prepared to do all the work normally done by TCP (splitting data into packets, marking each packet with a connection ID, verifying that packets have arrived at their destination, adjusting transmission rate to match network capacity) and SSL (exchange of public keys, verifying keys with certificate authority, generating session keys and encrypting data) but it is designed for speed rather than reliability so would not be a good choice.
An encrypted secure channel would require the facilities offered by TCP and SSL so it is unlikely that a bespoke "Secure UDP" implementation would offer any major performance advantages.
-{ Quote: "I was referring to DNS communication outside of the browser.
For example, command line pings and DNS lookups, programs like Port Explorer doing IP resolving, Windows Automatic Updates, and other programs that don't utilize the web browser but still make DNS requests through svchost. These programs don't have an easy way to set up communication through a proxy." }-
Tor does not handle ICMP or UDP ruling out pings and DNS lookups from the command line (along with a number of DoS/DDoS techniques). Almost any application using TCP (the vast majority) should be able to be routed via Tor by Socksifying it but please don't try pushing Windows Updates (or other bandwidth-intensive applications) through it (see here (http://www.wilderssecurity.com/showpost.php?p=858636&postcount=24) for why).
Devinco
October 18th, 2006, 05:39 AM
-{ Quote: "UDP can be used for secure communications provided the application is prepared to do all the work normally done by TCP (splitting data into packets, marking each packet with a connection ID, verifying that packets have arrived at their destination, adjusting transmission rate to match network capacity) and SSL (exchange of public keys, verifying keys with certificate authority, generating session keys and encrypting data) but it is designed for speed rather than reliability so would not be a good choice.
An encrypted secure channel would require the facilities offered by TCP and SSL so it is unlikely that a bespoke "Secure UDP" implementation would offer any major performance advantages.
Tor does not handle ICMP or UDP ruling out pings and DNS lookups from the command line (along with a number of DoS/DDoS techniques). Almost any application using TCP (the vast majority) should be able to be routed via Tor by Socksifying it but please don't try pushing Windows Updates (or other bandwidth-intensive applications) through it (see here for why)." }-
Thank you Paranoid2000 for the excellent explanations and packetizing them so I can understand. :)
If I may ask one(okay four :) ) more questions on this subject...
DNS is on UDP, so how are TOR (and SSH) proxy clients able to forward these DNS(UDP) requests generated by the browser through the secure connection?
Normally when the browser is not setup to proxy, the DNS requests are handed off to svchost.
Is the normal (non proxy) DNS request from browser to svchost handled via SOCKS or some other form of direct communication with svchost?
Could a similar connection to OpenDNS (via SOCKS5) be setup if they offered such a Secure SOCKS DNS Service?
Such a setup might even work on the TOR exit nodes so the DNS lookups would be secure end to end. No DNS leaks.
The secure tunnel would only need to be established at the startup of the TOR server, then DNS requests would pass through the tunnel.
Would the performance in this case still be a killer?
Paranoid2000
October 18th, 2006, 06:04 AM
-{ Quote: "DNS is on UDP, so how are TOR (and SSH) proxy clients able to forward these DNS(UDP) requests generated by the browser through the secure connection?" }-
They don't - just passing the web page HTTP request through to the other end and letting that handle the IP address lookup is almost surely how they do it.
-{ Quote: "Normally when the browser is not setup to proxy, the DNS requests are handed off to svchost." }-
This applies if you have the DNS Client Service running in Windows - shut this down and future DNS requests will be done by the application itself. This is a good security measure in that it allows you to use a firewall to control DNS access on a per-application basis (plus the DNS Client Service can cause delays if you have a large Hosts file).
-{ Quote: "Could a similar connection to OpenDNS (via SOCKS5) be setup if they offered such a Secure SOCKS DNS Service?
Such a setup might even work on the TOR exit nodes so the DNS lookups would be secure end to end. No DNS leaks.
The secure tunnel would only need to be established at the startup of the TOR server, then DNS requests would pass through the tunnel.
Would the performance in this case still be a killer?" }-
In the case of anonymising proxies like JAP and Tor, web traffic should not need DNS requests to be passed through - the exit node can handle any DNS lookups needed (this means that you would not benefit from OpenDNS while using JAP/Tor unless the exit node was also using it). This means that DNS leaking should be a non-issue unless your browser was incorrectly set up.
The only case where sending DNS requests through JAP/Tor might make sense would be if you had an application that did its own DNS requests, e.g. a personal firewall looking up connection details for logging purposes. In such cases, there is currently no way to route such requests via Tor (and there is unlikely to ever be one, given the abuse it could be put to) so if you are concerned about your ISP being able to track you in this way (whether it is a possibility depends on the firewall in question), then disabling such a feature would be the best option.
iceni60
October 18th, 2006, 10:47 AM
you can use one of these to see all the packets to and from your computer, it shows the DNS requests -
http://www.wilderssecurity.com/showthread.php?t=56378
i like this http://www.nirsoft.net/utils/smsniff.html all you have to do is install this (http://www.winpcap.org/install/default.htm) then the sniffer program, then when you run the sniffer program you have to tell it to use the WinPcap driver and select which Adapter to use, if it doesn't work first time try a different adapter.
Alphalutra1
October 18th, 2006, 02:36 PM
-{ Quote: "That's not a feature of OpenDNS, and it's not because you use Linux. I just installed Ubuntu and had no DNS until I plugged in my router's IP address--probably because I don't use DHCP. With DHCP, I'd expect it to "just work" on Windows or Linux." }-
I was joking about the linux part and all, but some routers do not have the function of serving as the default DNS server. Through DHCP, they send the information to the client that the router is the default DNS server, and the router then is in charge of contacting the ISP's DNS addresses that it has been given. However, by using static IP addresses, the client has to provide the information themselves, to either be the router if it supports it, or the ISPs actual DNS addresses. Either will work.
Cheers,
Alphalutra1
Devinco
October 18th, 2006, 05:47 PM
-{ Quote: "They don't - just passing the web page HTTP request through to the other end and letting that handle the IP address lookup is almost surely how they do it." }-
That is exactly how they do it.
With your help and this Wiki: Microsoft DNS (http://en.wikipedia.org/wiki/Microsoft_DNS) I think I understand now. :thumb:
The key part was this:
-{ Quote: "Applications perform DNS lookups with the aid of a DLL. They call library functions in the DLL, which in turn handle all communications with DNS servers (over UDP or TCP) and return the final results of the lookup back to the applications." }-
So the DNS Lookup Client is actually a dll that the browser uses to do the lookup.
Also interesting that it mentions over UDP or TCP. That statement leaves the door open to the possibility of TCP DNS communication.
-{ Quote: "This applies if you have the DNS Client Service running in Windows - shut this down and future DNS requests will be done by the application itself. This is a good security measure in that it allows you to use a firewall to control DNS access on a per-application basis (plus the DNS Client Service can cause delays if you have a large Hosts file)." }-
Thank you.
The Wiki also explains how the DNS Lookup Client (DNSAPI.DLL) will hand off the DNS request to the DNS Client Service/DNSCACHE (DNSRSLVR.DLL) (if running), which then does the actual lookup and passes the info back to the browser.
But because the DNS Client Service runs from a DLL, it needs SvcHost.exe (http://en.wikipedia.org/wiki/Svchost) in order to run as a service.
That's why it appears that svchost is doing the lookups which then passes the DNS reply back to the application.
-{ Quote: "In the case of anonymising proxies like JAP and Tor, web traffic should not need DNS requests to be passed through - the exit node can handle any DNS lookups needed (this means that you would not benefit from OpenDNS while using JAP/Tor unless the exit node was also using it). This means that DNS leaking should be a non-issue unless your browser was incorrectly set up." }-
I see, the DNS leaking happens on the client computer due to misconfiguration. I misused the term DNS Leaks.
What I meant to suggest was that it might be possible to create a secure DNS server where no DNS requests/replies travel in the clear at any point.
This would mean that the TOR exit node would maintain a SOCKS5 connection with OpenDNS (if they offered this service) and pass the DNS request/reply through to the (currently non-existent) Secure OpenDNS service.
This SOCKS5 connection would certainly add some delay, but the SOCKS5 connection would not have to be constantly established/broken for each DNS request, it could be constantly connected during the TOR server session. Whether this delay would still be a killer, I don't know.
-{ Quote: "The only case where sending DNS requests through JAP/Tor might make sense would be if you had an application that did its own DNS requests, e.g. a personal firewall looking up connection details for logging purposes. In such cases, there is currently no way to route such requests via Tor (and there is unlikely to ever be one, given the abuse it could be put to) so if you are concerned about your ISP being able to track you in this way (whether it is a possibility depends on the firewall in question), then disabling such a feature would be the best option." }-
The Wiki article alluded to the possibility of DNS over TCP.
The purpose would be a secure DNS lookup all the way from the client computer to the DNS server on a TOR network.
OpenDNS currently does not offer such a DNS over SOCKS service.
Even if they never offer this type of service, the DNS education was very valuable.
Thank you! :) 8)
P.S. I would still like to know if you think the delay would still be a killer, but that would be another question. ;D
Devinco
October 18th, 2006, 06:00 PM
-{ Quote: "you can use one of these to see all the packets to and from your computer, it shows the DNS requests -
http://www.wilderssecurity.com/showthread.php?t=56378
i like this http://www.nirsoft.net/utils/smsniff.html all you have to do is install this (http://www.winpcap.org/install/default.htm) then the sniffer program, then when you run the sniffer program you have to tell it to use the WinPcap driver and select which Adapter to use, if it doesn't work first time try a different adapter." }-
Thanks for the packet sniffer info iceni60 :)
I've used Ethereal (now called Wireshark (http://www.wireshark.org/)) in the past a little.
Rico
October 27th, 2006, 04:50 PM
Hi Guys,
If you've changed to OpenDNS, & you have a router you should also change the DNS there as well. In my Netgear router after logging on to the router at:
Basic Settings
Use These DNS Servers <enter the values for primary & secondary>
208 67 222 222
208 67 220 220
<apply> wait for the update & you're done!
Take Care
rico
starfish_001
November 15th, 2006, 05:50 PM
If you want to test response time this little app is very helpful
http://www.codeproject.com/cs/internet/dnstester.asp
Verizon.net has fast DNS 4.2.2.1 to 6
rdsu
December 8th, 2006, 09:48 PM
Only today I learned about this DNS server, and it seems a great idea to improve the DNS requests...
Until now it is working very well on my home router...
I already tried TreeWalk several times in the past without much success because sometimes it starts to use 100% of CPU when your connection goes down and restarts...
Didn't like its support either...
TOMxEU
January 2nd, 2007, 04:37 AM
Open DNS got first server in Europe - London (http://blog.opendns.com/2006/12/31/live-from-london-its-opendns/) - Try to ping: 208.67.222.222 or 208.67.220.220
I can not use it, because I get ping 120 ms in comparison to my current DNS server with 14ms.
gerardwil
January 2nd, 2007, 05:31 AM
Pinged 17 ms
Pinged my ISP DNS 9 ms
Gerard
Birdman
January 2nd, 2007, 10:53 AM
Where do you go to test your "ping?"
Also is a lower # better in a test result?
Thanks.
TOMxEU
January 2nd, 2007, 11:02 AM
http://en.wikipedia.org/wiki/Ping - the lower, the better, 0 is an ideal.
Start - cmd - enter - ping 208.67.222.222 - enter - you will get 0 ms. ;)
Though I used SIW (http://www.softpedia.com/get/System/System-Info/SIW.shtml) (screen (http://img297.imageshack.us/img297/2494/capture01022007170139sh7.jpg)), because my win refuses to ping (permissions).
But I just read that pinging the DNS server does not matter, because it is about how fast the Open DNS server can get a response vs the current DNS, so it is better to try it, I will as soon as I can.
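To make concrete both the "over UDP or TCP" remark quoted in Devinco's post earlier and the point just made that a ping time is not a lookup time, here is an added Python example (not code from the thread, from OpenDNS or from the linked DNS tester) that builds a DNS A query, sends it over UDP or over TCP with the 2-byte length prefix, and times the full query/response. The reply used for the offline demo is constructed, and the 192.0.2.1 it returns is a documentation address; the OpenDNS server address in the trailing comment is one of the two given in this thread.

```python
"""DNS A query over UDP or TCP, with response timing. Added example for this
thread; not the thread's, OpenDNS's or the linked DNS tester's code. The same
DNS message goes over TCP as over UDP, only prefixed with a 2-byte length
(RFC 1035 4.2.2). The sample reply is constructed, not captured (192.0.2.1 is a
documentation address)."""
import random
import socket
import struct
import time

def encode_name(name):
    # example.com -> \x07example\x03com\x00 (RFC 1035 label format)
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid):
    # Recursive A query (QTYPE 1, QCLASS IN); txid must be unpredictable.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def tcp_frame(msg):
    # The only difference on TCP: a big-endian 16-bit length before the message.
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def parse_a_records(msg, expect_txid):
    """Return the IPv4 answers; reject replies whose id does not match ours."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a response, or rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf

def udp_transport(server, timeout=2.0):
    def send(msg):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, 53))
            return s.recv(4096)
    return send

def tcp_transport(server, timeout=2.0):
    def send(msg):
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(msg))
            return recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
    return send

def time_query(name, transport):
    """Time one full query through `transport`; return (milliseconds, answers)."""
    txid = random.getrandbits(16)
    query = build_query(name, txid)
    t0 = time.perf_counter()
    reply = transport(query)
    return (time.perf_counter() - t0) * 1000.0, parse_a_records(reply, txid)

def sample_response(txid):
    # Constructed reply: example.com -> 192.0.2.1, TTL 300 (not a real capture).
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer

def fake_transport(msg):
    # Offline stand-in for a resolver: echoes our id back in the canned answer.
    return sample_response(struct.unpack("!H", msg[:2])[0])

if __name__ == "__main__":
    print("offline demo: %.3f ms -> %s" % time_query("example.com", fake_transport))
    # Live (needs network): time_query("example.com", udp_transport("208.67.222.222"))
```

Running time_query() against an ISP resolver and against OpenDNS on the same name, once cold and once again a moment later, gives the uncached and cached figures that actually matter; an ICMP ping only measures the path to the server. The transaction-id check in parse_a_records() is the small defensive step a hand-rolled client should not skip, since a reply whose id does not match is either stale or not from the server you asked.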
Arup
January 2nd, 2007, 01:47 PM
Tried using both, I live in India, Treewalk works flawlessly on my 2K and XP64 without any hitches, Open DNS couldn't match TW's performance, maybe if they move a server close by things might improve but I doubt it will match TW as it's using your own machine for DNS.
TOMxEU
January 2nd, 2007, 03:36 PM
I just started to use OpenDNS, everything seems to be a bit faster, cool. :)
rdsu
January 2nd, 2007, 03:46 PM
I'm using it for about 1 month, and until now everything works very well...
Security Freak
January 2nd, 2007, 05:57 PM
very nice read and lesson, made this classic a sticky :thumb:
nameless
January 6th, 2007, 10:07 AM
-{ Quote: "Open DNS couldn't match TW's performance, maybe if they move a server close by things might improve but I doubt it will match TW as it's using your own machine for DNS." }-
For uncached DNS requests, TreeWalk still has to contact a remote DNS server, which may or may not be faster than OpenDNS.
ChairmanMeow
January 6th, 2007, 12:08 PM
I've just changed to opendns and opening on new links is noticeably faster.
Thanks to the OP for notification of this site.
rdsu
January 6th, 2007, 12:50 PM
I'm very satisfied with OpenDNS... :)
If they add a server in Portugal... ;D
Rico
January 6th, 2007, 04:42 PM
Hi ChairmanMeow,
You're welcome!
Don't forget to change your router to "Open DNS" also.
Take Care
Rico
ChairmanMeow
January 6th, 2007, 05:53 PM
-{ Quote: "Hi ChairmanMeow,
Don't forget to change your router to "Open DNS" also.
Take Care
Rico" }-
Rico,
I don't know what this means!
gerardwil
January 6th, 2007, 06:15 PM
Get started: http://www.opendns.com/start/
rdsu
January 6th, 2007, 08:17 PM
-{ Quote: "Don't forget to change your router to "Open DNS" also." }-
Also in the router or only in the router!?
If he only uses the computer on its private LAN, he only has to define the DNS servers on the router and leave the computer definitions by default...
InfinityAz
January 7th, 2007, 01:20 AM
Maybe it's just me but when using Open DNS, I haven't noticed any differences so I switched back to my ISP.
Has any testing been done comparing Open DNS to various ISP's DNS servers?
Arup
January 7th, 2007, 03:10 AM
-{ Quote: "For uncached DNS requests, TreeWalk still has to contact a remote DNS server, which may or may not be faster than OpenDNS." }-
True, but you can use any of the ICANN, OSRN or OSRC root server plugins and make it faster.
sukarof
January 7th, 2007, 04:10 AM
Now with the London based server I see a real noticeable difference in speed actually :thumb:
I have always had slow connection to Comodo forum for some reason, but now it is really fast. (I live in sweden)
Security Freak
January 7th, 2007, 08:05 PM
installed and looks promising, very nice speed ;D
lodore
January 8th, 2007, 07:43 AM
I didn't even know it had a London based server, my internet at home should be faster now.
How long have they had a London server?
I have used it for around two months now.
lodore
rdsu
January 8th, 2007, 07:50 AM
-{ Quote: "I didn't even know it had a London based server, my internet at home should be faster now.
How long have they had a London server?
I have used it for around two months now." }-
December 31st, 2006 - Live from London, it’s OpenDNS! (http://blog.opendns.com/2006/12/31/live-from-london-its-opendns/)
nameless
January 10th, 2007, 07:43 PM
-{ Quote: "True, but you can use any of the ICANN, OSRN or OSRC root server plugins and make it faster." }-
It still won't be necessarily faster. Latency is what makes the difference, and the latency I typically see with the OpenDNS servers is so low that it is indistinguishable from zero in practical use.
Besides, you can configure TreeWalk to use the OpenDNS servers as well. Open named.conf and add this where the forward lines exist by default:
// 208.67.222.222 and 208.67.220.220 are OpenDNS.com servers;
// Comment out the two lines below if you don't want to use them.
forward first;
forwarders { 208.67.222.222; 208.67.220.220; };
Arup
January 11th, 2007, 12:49 AM
I guess the proximity to servers is important, in my case no way can Open DNS compete with Treewalk as there are no Asia specific servers for Open DNS yet.
Copyright ©2002 - 2012, Wilders Security Forums