OpenDNS Whitepaper: Platform Technology

Overview of the technology behind OpenDNS, the largest Internet-wide security network.

DELIVERY PLATFORM AND TECHNOLOGY OVERVIEW

OpenDNS Enterprise Secures Internet Connections with 100% Uptime

Our global security network, Anycast routing and SmartCache™ technologies deliver a simpler, faster and more reliable Internet experience without requiring you to change your network topology.

Let’s face it: if there were no security and compliance threats to protect users and devices from, you wouldn’t complicate and risk your network infrastructure by installing countless network devices (e.g. firewalls, in-line filters, proxies). You would deploy the minimum number of switches and routers between your devices and the Internet. Traffic would flow at the maximum speed and throughput provided by your ISPs (Internet Service Providers), and there would be no additional points of failure (or complication) to manage and maintain daily. You would be happy, and your end users would be happy. Regrettably, the risk of data loss, identity theft, inappropriate or malicious resource consumption, brand damage, etc. is great enough to justify adding network infrastructure risks and investing your time.

However, even if we lived in a threat-free world, you would still deal with the inherent complexity and inconsistency of several, less-than-100%-reliable recursive DNS services provided by your ISPs. This common situation impacts organizations that use redundant Internet pipes with more than one ISP or have multiple network locations with different ISPs. OpenDNS addresses both these problems, while securing every Internet connection, by eliminating the common requirement to add network devices or in any way change your network topology, and by simultaneously consolidating all these disparate recursive DNS services into one ultra-reliable global DNS service with the same two consistent IP addresses ( and ).

Connected at the Internet’s Core Fabric for a Faster, More Global Service

The Internet is often referred to as a “Network of Networks”, as it consists of over 5,000 ISPs interconnected with one another in a sparsely meshed fabric. The core of the Internet’s fabric is created using peering agreements at IXPs (Internet Exchange Points), which allow first-tier ISPs or other service providers like OpenDNS to exchange traffic bound for one another’s customers. Millions of business networks and billions of home networks are connected via transit agreements for DIA (direct Internet access) from each ISP’s PoPs (points of presence). Transit agreements are also used to connect OpenDNS to first-tier ISPs, and first-tier ISPs to smaller ISPs, commonly at the Internet’s edges.

OpenDNS selects strategic IXPs to connect our PoPs to the Internet’s core using two criteria – Internet connectivity and geography. More peering and transit agreements established with ISPs at an IXP translate to fewer connection hops and less latency incurred between the customer’s networks and OpenDNS’s services, as well as between authoritative DNS servers and OpenDNS’s services. More geographic isolation between IXPs translates to fewer issues in one region spilling over and impacting another (e.g. a disaster at a datacenter, large-scale routing errors).

For more information please visit: or call 877-811-2367
Many regional second- or third-tier ISPs that business or home networks receive DIA from have no peering agreements at IXPs or geographic dispersion, making their DNS services susceptible to greater latency to retrieve DNS responses or to outages, respectively. OpenDNS currently has selected 12 PoPs, which interconnect with the number one, two and three most well-connected IXPs globally, and in particular in the Americas, Europe and Asia-Pacific. While OpenDNS is available everywhere today, there are further plans to increase usage in Asia-Pacific and South America.

“All Roads Lead to Rome” for a Faster, Simpler Internet Experience

Most local network setups or global services use traditional Unicast routing, for which each server at each location advertises a unique IP address. In regards to an ISP’s DNS service, it would mean that every recursive DNS resolver is assigned a different IP address. Some services may offer a single IP address per PoP even if it consists of hundreds of servers, which is commonly implemented by load-balancers deployed at each location, but this has the same drawbacks as Unicast routing. Anycast routing enables multiple servers at multiple locations to advertise the same IP address globally, not per location, and without load balancers adding more latency and risk of failure. In regards to OpenDNS’s DNS service, it enables our global PoPs, consisting of thousands of identical recursive DNS resolvers, to advertise the same IP address pair.

OpenDNS absorbs the time, cost and complexity to set up our true Anycasted security network. It requires that we maintain our own hardware, a large IP address space, direct relationships with your upstream ISPs, and sophisticated network routing policies. The benefit to you is that it is much simpler to set up every network device by using the same pair of IP addresses, such as when configuring DHCP servers and when creating, backing up or cloning hard disk or virtual machine images used anywhere, at any time. The benefit to your end users is faster connections to the Internet. OpenDNS blends Anycast’s fewest-hop routing logic, to ensure your DNS queries go to the nearest PoP, with our proprietary network topology using two overlapping global Anycast “clouds” with different routing policies, to enable your stub DNS resolvers to pick the lowest-latency route.
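The following is an added illustration, not OpenDNS code: a small Python model of how an anycast address behaves from the client's side. Several PoPs announce the same resolver address, a router forwards to the fewest-hop announcer, a PoP that stops announcing drops out of the table (the self-healing behaviour the whitepaper describes), and a stub with two anycast addresses configured keeps whichever lands in the faster PoP. All PoP names, addresses, hop counts and latencies are constructed for the scenario; real BGP selection weighs more than hop count, so the hop-count rule is a simplifying assumption.

```python
"""Model of anycast route selection and failover (added example, not OpenDNS code).

Several PoPs announce the same resolver address.  A router keeps one route
per announcing PoP and forwards to the one with the fewest hops.  When a
PoP withdraws its announcement, the router re-routes to the next-nearest
PoP while the client keeps the address it was configured with.  A stub
configured with two anycast addresses (two "clouds") keeps the one whose
landing PoP answers fastest.  All PoP names, addresses, hop counts and
latencies are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed anycast addresses from the RFC 5737 documentation range.
CLOUD_A = "192.0.2.53"
CLOUD_B = "198.51.100.53"


@dataclass
class AnycastTable:
    """Routes one router has learned for a single anycast address."""
    address: str
    hops: dict = field(default_factory=dict)  # pop name -> hop count

    def announce(self, pop, hop_count):
        self.hops[pop] = hop_count

    def withdraw(self, pop):
        # A PoP going offline stops announcing; its route simply disappears.
        self.hops.pop(pop, None)

    def best_pop(self):
        """PoP the router forwards to: fewest hops, name as a tie-break."""
        if not self.hops:
            return None
        return min(self.hops, key=lambda pop: (self.hops[pop], pop))


def resolve_via(table, configured_address):
    """Where a query to the client's configured resolver address lands."""
    if configured_address != table.address:
        raise ValueError("client is not configured for this anycast address")
    return table.best_pop()


def failover_scenario():
    """Client never changes CLOUD_A; the answering PoP follows the routes."""
    table = AnycastTable(CLOUD_A)
    table.announce("pop-a", 2)
    table.announce("pop-b", 4)
    table.announce("pop-c", 6)
    landed = [resolve_via(table, CLOUD_A)]   # nearest PoP answers
    table.withdraw("pop-a")                  # taken offline for maintenance
    landed.append(resolve_via(table, CLOUD_A))
    table.withdraw("pop-b")                  # a second PoP fails
    landed.append(resolve_via(table, CLOUD_A))
    table.announce("pop-a", 2)               # pop-a returns to service
    landed.append(resolve_via(table, CLOUD_A))
    return landed


def stub_pick(clouds, latency_ms):
    """Stub resolver with both anycast addresses configured: try each,
    keep the (address, pop) pair whose landing PoP answers fastest."""
    candidates = []
    for table in clouds:
        pop = table.best_pop()
        if pop is not None:
            candidates.append((latency_ms[pop], table.address, pop))
    if not candidates:
        return None
    _, address, pop = min(candidates)
    return address, pop


def two_cloud_scenario():
    """Two clouds with different routing policies land in different PoPs."""
    cloud_a = AnycastTable(CLOUD_A)
    cloud_b = AnycastTable(CLOUD_B)
    for pop, hops_a, hops_b in [("pop-a", 2, 5), ("pop-b", 4, 3), ("pop-c", 6, 1)]:
        cloud_a.announce(pop, hops_a)
        cloud_b.announce(pop, hops_b)
    latency_ms = {"pop-a": 12, "pop-b": 30, "pop-c": 9}   # constructed measurements
    return stub_pick([cloud_a, cloud_b], latency_ms)


if __name__ == "__main__":
    print(failover_scenario())    # ['pop-a', 'pop-b', 'pop-c', 'pop-a']
    print(two_cloud_scenario())   # ('198.51.100.53', 'pop-c')
```

The point of the model is the contrast with unicast: the configured address stays the same through both withdrawals, so the failover needs no change on DHCP servers or machine images, and the stub only has to compare the two addresses it already has.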
Self-Healing Routes Lead to a More Reliable Internet Experience

Rather than crude round-robin methods or physical load balancers, Anycast uses load-balanced routing logic, which is invisible to individual servers or entire PoPs. If a server or entire PoP is taken offline for maintenance, disasters, failures or attacks, it ceases to advertise its shared IP address and upstream layer-3 network devices will transparently re-route the traffic. So when you send a DNS query to OpenDNS, it will always return a response from the quickest, closest available DNS resolver! This eliminates you ever needing to make changes because we are conducting maintenance on servers closest to your network locations or we experience a major failure, as other global services claiming 99.999% uptime SLAs (service level agreements) so often do. It’s that reliable, and why we can truly claim that we’ve had 100% uptime since we launched our services in 2006.

SmartCache Leads to an Even Faster and Smarter Internet Experience

OpenDNS receives billions of DNS queries daily from almost 2% of the Internet’s users and their devices. When OpenDNS receives each subsequent DNS query, we already know the answer (much more often than your regional ISPs), so we do not make you wait on the authoritative DNS servers to return this same answer. While we know almost every server’s address across the entire global Internet at any given time, this is not what makes our caching technology unique.

Many authoritative DNS outages, attacks or failures have impacted business-critical sites such as , and , or even millions of domains, such as when the top-level domain used by Germany (.de) was unreachable. When such incidents occur, which is not uncommon, OpenDNS still returns the last-known correct address using our exclusive caching logic, whereas the rest of the Internet’s users will not be able to reach the domain.

DNS RESOLVER COMPARISON

  STUB: used by every device worldwide (e.g. clients, servers)
  RECURSIVE, OPTION 1: regional ISP servers
  RECURSIVE, OPTION 2: global OpenDNS servers
  AUTHORITATIVE: third-party servers worldwide

How does a non-cached query work?

  STEP 1: Is there a valid/non-expired cached answer?
    The stub asks the recursive resolver “where is <domain>?” (+ lookup latency).
    Option 1 (regional ISP): a cached answer is less likely, with only regional coverage.
    Option 2 (OpenDNS): a cached answer is very likely, with 40+ billion global queries daily.
    Cached response: Answer #1 (GOOD): “<domain> is at <address>”. The stub gets Answer #1.

  STEP 2: If there is no/expired cached answer, then...
    The recursive resolver asks the authoritative server “where is <domain>?” (+ lookup latency, i.e. added latency for the stub).
    The authoritative server returns either New Response #1: “<domain> is at <address>” or Answer #2 (BAD): “Server Failed”.
    Option 1 (regional ISP): sometimes passes on “Server Failed”, so the stub gets Answer #2.
    Option 2 (OpenDNS): always returns the last-known cached response “<domain> is at <address>”, so the stub gets Answer #1.
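The two steps in the table, as an added Python example that is not OpenDNS code: a recursive-resolver cache that answers from a valid entry (STEP 1), otherwise asks the authoritative side (STEP 2) and, when that fails, either hands out the last-known good address (the OpenDNS column) or passes on “Server Failed” (the regional ISP column). The clock, domain, address, TTL and the authoritative server are constructed for the scenario; the `max_stale` bound on how long an expired answer may be reused is an assumption of this example, not something the whitepaper states.

```python
"""Recursive-resolver cache with last-known-answer fallback (added example,
not OpenDNS code).

STEP 1 answers from a valid cache entry.  STEP 2 asks the authoritative
side and, when that fails, returns the last-known good address
(serve_stale=True) or "Server Failed" (serve_stale=False).  Names,
addresses, TTLs and the authoritative server below are constructed.
"""
import time

SERVFAIL = "Server Failed"


class AuthoritativeFailure(Exception):
    """Raised by the upstream lookup when the authoritative side is unreachable."""


class ResolverCache:
    def __init__(self, upstream, serve_stale, clock=time.monotonic, max_stale=86400):
        self.upstream = upstream          # callable(name) -> (address, ttl_seconds)
        self.serve_stale = serve_stale
        self.clock = clock
        self.max_stale = max_stale        # assumption: how long a stale answer may be reused
        self.entries = {}                 # name -> (address, expires_at)

    def lookup(self, name):
        """Return (answer, source); source is one of
        'cache', 'authoritative', 'last-known', 'servfail'."""
        now = self.clock()
        entry = self.entries.get(name)
        # STEP 1: valid, non-expired cached answer?
        if entry is not None and entry[1] > now:
            return entry[0], "cache"
        # STEP 2: no/expired cached answer, ask the authoritative server.
        try:
            address, ttl = self.upstream(name)
        except AuthoritativeFailure:
            # Option 2 behaviour: keep handing out the last-known good address
            # for a bounded time.  Option 1 behaviour: forward the failure.
            if self.serve_stale and entry is not None and now - entry[1] <= self.max_stale:
                return entry[0], "last-known"
            return SERVFAIL, "servfail"
        self.entries[name] = (address, now + ttl)
        return address, "authoritative"


class FakeClock:
    """Constructed clock so the scenario is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class FakeAuthoritative:
    """Constructed authoritative server: one record, can be switched off."""
    def __init__(self):
        self.down = False
        self.queries = 0

    def __call__(self, name):
        self.queries += 1
        if self.down:
            raise AuthoritativeFailure(name)
        return "203.0.113.10", 60          # constructed address, 60 s TTL


def outage_scenario(serve_stale):
    """(answers a stub sees across an authoritative outage, upstream query count)."""
    clock, auth = FakeClock(), FakeAuthoritative()
    cache = ResolverCache(auth, serve_stale, clock=clock)
    name = "example.com"                   # constructed
    seen = []
    seen.append(cache.lookup(name))        # t=0: miss, fetched from authoritative
    clock.now = 10
    seen.append(cache.lookup(name))        # t=10: served from cache, no upstream query
    auth.down = True
    clock.now = 100                        # entry expired at t=60, authoritative down
    seen.append(cache.lookup(name))
    auth.down = False
    clock.now = 120
    seen.append(cache.lookup(name))        # authoritative back: fresh answer, cache refreshed
    return seen, auth.queries


if __name__ == "__main__":
    print(outage_scenario(serve_stale=True))
    print(outage_scenario(serve_stale=False))
```

Two design points worth noting: the stale path still queries the authoritative server first, so a recovered zone is picked up on the next lookup rather than being masked by the cache, and the `max_stale` bound keeps a decommissioned address from being served indefinitely. Serving stale answers this way was later standardized for general-purpose resolvers in RFC 8767.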