How we are different from OpenDNS

Posted July 11, 2017 by David Redekop to DNS

For those familiar with the great service from our OpenDNS friends, a common question we get is “How are you different from OpenDNS?”

Well, we don’t compete with them. Assuming you also like them, our service complements theirs! In fact, quite a number of our subscribers are OpenDNS subscribers as we integrate quite well as you’ll see if you try it out, including a native built-in OpenDNS Updater so you don’t need to run your dynamic IP updater on any other device.

There are many other differences though, here’s a partial list that most often applies:

  • Deterministic answers – apply different DNS policies to different devices. For example:
    • IoT devices for example, need a very limited whitelist
    • Guest iOS devices may just want obviously-bad content blocked
    • CFO money transfer devices need a very limited whitelist only to the bank in use
  • Whitelisting is our specialty
    • Start with nothing, add what you need
    • Cloud-based web crawler searches and identifies dependencies and threat intelligence to allow only what is safe
  • Domain-joined devices do not need to use Active Directory’s DNS servers:
    • Our rainbow (or re-direct) lists feature AD domain redirection to AD so that all non-AD queries are never sent to AD DNS.
    • Benefit #1 is that your Active Directory DNS servers can now experience a high-level of protection by having strict egress control
    • Benefit #2 is that your devices can experience different treatment from others (appropriate policy based on use case)
  • A live log for complete visibility of DNS queries (and their answers) that occur on your network
  • Tight integration with firewall rules disallows the easiest of DNS filtering circumvention:
    • This also hijacks the hijackers – if you have malware that changes your DNS servers to 8.8.8.8, for example, DNSthingy hijacks the DNS queries and answers them by the policy/rule set applied to the device
    • If you use the “No Internet” rule, it’s more than just a DNS firewall. All traffic is blocked while maintaining internal visibility. Perfect for a NAS or devices that should never have egress access at all (a simple way to stop exfiltration).
  • Importantly, we do not offer public resolver services at all. DNSthingy has a focus in the on-premise space where layer 2 (mac address) can be followed for IP address changes, etc. This is how we are completely different and yet integrates with OpenDNS (and other cloud public resolvers, for that matter). We also appreciate the security that DNSSEC and DNScrypt bring to Internet security, so those are included and dashboard switches for you to enable are coming shortly.

Thanks for reading, we have much more coming to our blog in the next few days!