Question: Open DNS and Umbrella


We are considering switching to OpenDNS and were hoping someone else was already using it. We are curious about how good/bad it is and about the type of costs we could be looking at if we used Umbrella.

Answers


Hi. We (University of East London) have just taken up this service. We switched from another web-filtering service which featured an inline proxy that we transparently intercepted HTTP/HTTPS to.
It was up for renewal so we had a look at alternatives. OpenDNS looked like a really good option. What I liked was that it no longer needed the bottleneck of an appliance inline on our 10Gbps links to JANET.

It is super simple to implement. You have the basic option of just pointing your external DNS lookups at OpenDNS's public servers, however we needed more than this. They offer full reporting services now by allowing you to put their virtual appliances inside your network and point everything at them for DNS. This, in conjunction with an agent on your domain-controllers (for Windows shops), means you get full IP<>username mapping which then shows up in your reporting.

On the VAs you set up delegations for your domain names and PTR records. This means all your devices can use the VA for both public and internal DNS lookups. Works great.

The web (cloud) based interface which you manage everything from is super slick and very easy to use. You can opt for just plain security filtering to block the nasty bot-nets, malware, phishing etc. + you can also use categories and allow/deny access to them based on your institution's policy.
[EDIT] You also have domain white/black lists.

It also has some value-add features like an agent for Win/Mac which can protect your roaming devices by ensuring they use OpenDNS (securely) for DNS lookups even when they are on a public network.

It has something for mobiles too but I have not taken a look at this as yet.

So far I am really liking it.

Of course, on the negative side you have to consider that a user using an unmanaged machine who has administrative access to their own device could monkey with their local hosts file to go around it for sites if they wanted to.
On this point we reasoned that BYOD devices could mostly drop to 3G if they wanted and access anything they like anyhow, and that we are primarily interested in the protection of our own/managed devices which our users are not administrators of.
Also, these days a hosts file would need to be a real labour of love to be practical, with your average web-site so spread out.
Plus even with the inline proxy method the savvy end user would still find a way to get around this if they are determined (I would :) ).

As for pricing I wouldn’t like to share what we paid (for a three year deal) as any prices we get are taken in under commercial confidence.
I will say that we got a nice price compared to a renewal of our existing service and that you have zero outlay on hardware when going to this solution.
[EDIT] Don't let the list price put you off. It's a starting point and they are flexible.

Hope this helps.

Simon.
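
The hosts-file caveat raised in the answer above can be checked on managed machines by auditing the file for entries that pin a name to a routable address, since those names never reach the filtering resolver. This is an added example, not part of the original post and not OpenDNS tooling; the function name `audit_hosts` and the sample file contents are constructed for illustration.

```python
import ipaddress

# Names that normally live in a hosts file and are not a filtering bypass.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample input (documentation address ranges and example domains).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1     localhost
::1           localhost ip6-localhost
0.0.0.0       ads.example.net
203.0.113.10  blocked.example.com www.blocked.example.com  # pinned
10.1.2.3      intranet.example.org
not-an-ip     junk
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname) for every entry that pins a name to a
    non-loopback address, so the OS answers it without asking DNS."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                                 # blank or incomplete line
        try:
            # Strip an IPv6 zone id such as "%lo0" before parsing.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                                 # malformed address
        # Loopback / 0.0.0.0 targets are sinkholes, not a way around filtering.
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in fields[1:]:
            if name.lower() not in BENIGN_NAMES:
                # Private addresses are reported too; the reviewer decides.
                findings.append((line_no, str(ip), name.lower()))
    return findings

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {ip}")
```

On a real endpoint, pass the contents of the system hosts file to `audit_hosts` and compare the findings against the entries your own build is expected to contain.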