Layered Defense using DNS

Network protection should not rely on a single magic bullet solution, but on layers of overlapping security.  Mail should go through a couple of virus checkers and spam filters before it ever hits your inbox.  A firewall keeps unwanted network traffic out and blocks unexpected outgoing traffic.  Layered firewalls — at the Internet connection and on each computer — provide better security.  Managing outgoing traffic via DNS filtering is another layer of protection for both home and corporate networks.
OpenDNS operates a network of DNS servers and, based on your administrative choices, can block sites known for distributing material generally not appropriate for work — "adult material", phishing and malware — all the way down to social networking sites. They also handle typos, for example, recognizing .cmo and changing it to .com on the fly. You get full statistics on DNS queries, approved and blocked.

What do they get out of it? As far as I can tell, they can track usage patterns and subsequently sell that information. In addition, they route all NXDOMAIN requests to a page (that you sort of control) on which they place ads.

I use OpenDNS for my home network (changing the DNS server addresses on the router) and set it up at my former employer (by changing the forwarding servers used by our own DNS servers). On the corporate network, we regarded OpenDNS as an additional firewall blocking access to bad sites and a way to determine whether we had machines on the network that might be compromised.
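To make the two corporate uses concrete (category blocking as an extra "firewall", and query statistics as a way to spot machines worth investigating), here is an added example of that logic in Python. It is not code from this post or from OpenDNS: the category lists, the TLD typo table, the client addresses and the log lines are all constructed placeholders under the reserved .example domain, and the log format (timestamp, client, query name) is assumed for the sake of the example.

```python
"""Added example: a toy DNS policy filter plus a log review that flags clients
repeatedly querying blocked categories. All lists and log lines are constructed
placeholders, not OpenDNS data or OpenDNS code."""
from collections import Counter, defaultdict
from typing import Optional, Tuple

# Constructed category lists keyed by category name (placeholders; a real
# filtering service maintains and updates these itself).
CATEGORIES = {
    "malware": {"malware.example", "botnet-c2.example"},
    "phishing": {"login-verify.example"},
    "social": {"social.example"},
}

# Administrative policy: the categories this network chooses to block.
# Social networking is categorised but allowed here, to show the distinction.
BLOCKED_CATEGORIES = {"malware", "phishing"}

# Constructed table of common top-level-label typos, in the spirit of .cmo -> .com.
TLD_TYPOS = {"cmo": "com", "ocm": "com", "ogr": "org", "nte": "net"}


def fix_tld_typo(qname: str) -> str:
    """Normalise a query name and correct a mistyped TLD ('example.cmo' -> 'example.com')."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 2 and labels[-1] in TLD_TYPOS:
        labels[-1] = TLD_TYPOS[labels[-1]]
    return ".".join(labels)


def categorize(qname: str) -> Optional[str]:
    """Return the category matching qname or any parent domain, else None."""
    labels = fix_tld_typo(qname).split(".")
    # Walk from the full name up to its registrable parent so that
    # 'update.malware.example' matches the listed 'malware.example'.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        for category, names in CATEGORIES.items():
            if candidate in names:
                return category
    return None


def resolve_policy(qname: str) -> Tuple[str, Optional[str]]:
    """Decide 'allow' or 'block' for one query under BLOCKED_CATEGORIES."""
    category = categorize(qname)
    if category in BLOCKED_CATEGORIES:
        return "block", category
    return "allow", category


def review_log(lines):
    """Parse 'timestamp client qname' lines and summarise blocked queries per client.

    Returns (blocked_counts_by_client, clients_to_investigate); a client is
    flagged when it has more than one blocked query, i.e. repeated hits rather
    than a single mistyped or mis-clicked name.
    """
    blocked = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the review
        _timestamp, client, qname = parts
        verdict, category = resolve_policy(qname)
        if verdict == "block":
            blocked[client][category] += 1
    flagged = sorted(c for c, cats in blocked.items() if sum(cats.values()) > 1)
    return {c: dict(cats) for c, cats in blocked.items()}, flagged


# Constructed sample query log (not real traffic; RFC 1918 addresses, .example names).
SAMPLE_LOG = [
    "2024-01-01T09:00:00 10.0.0.5 www.example.cmo",
    "2024-01-01T09:00:01 10.0.0.5 social.example",
    "2024-01-01T09:00:02 10.0.0.7 update.malware.example",
    "2024-01-01T09:00:03 10.0.0.7 botnet-c2.example",
    "2024-01-01T09:00:04 10.0.0.9 login-verify.example",
    "garbage line",
]

if __name__ == "__main__":
    counts, flagged = review_log(SAMPLE_LOG)
    print("blocked queries per client:", counts)
    print("clients to investigate:", flagged)
```

The threshold of "more than one blocked query" is a deliberately simple stand-in for the judgement a network administrator applies when reading the real statistics: one hit on a phishing domain is probably a user who clicked a link, whereas a machine that keeps asking for names in the malware category is the kind of host the post describes wanting to find.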