Sitefinder II, the sequel...

Joe Greco jgreco at
Tue Jul 11 12:40:40 UTC 2006

Patrick writes:
> I'm not going to use the service either, but for different reasons  
> than you state.  And it does have "many of the same flaws" as  
> Sitefinder.

Yes, it does.  However, many of those flaws revolve around servers being
forced to opt in to the (original) Sitefinder; it should be clear that
you do not want servers participating in this, and you have the option to
make it so.

Regardless, this may create some operational challenges - both for client
sites and for OpenDNS.  I note with some amusement that their home page 
says "22,340,882 DNS requests", which is a trivial number of requests.
Obviously anycast will help the service scale in the traditional manner, 
but depending on the amount of "smart" they're trying to do, they could
be adding a lot of work to the process of handling errors (fortunately
they seem to be doing nothing significant at the DNS level).  I think of 
the sheer volume of bogus traffic at the roots, for example.

Client sites with dedicated recursers are going to be presented with a
challenge:  if their servers use the recursers, then will they set up
a parallel set of caching forwarding recursers for desktop-to-OpenDNS
use, or will they simply let OpenDNS be their default resolver for
desktops?  (etc)  What happens if/when OpenDNS gets too busy, or fails,
or goes TU?

DNS was designed to be a distributed network for name resolution.  The
whole concept of OpenDNS, while clever, seems to violate - at least 
somewhat - the spirit behind DNS.  Taken to the extreme, every desktop
on the planet would be pointed to their servers, and at that point, we
essentially have something resembling a centralized host file database 
server.  We'll effectively have eliminated the distributed caching
recurser network, and be left only with the authoritative server tree,
which would be better integrated into OpenDNS too at that point.  Of
course, we're not likely to see anywhere near 100% penetration of

> But Sitefinder had only one fatal flaw: The Lack Of Choice.
> Obviously that flaw is not shared.

It is merely replaced with another (others?).  I believe Paul Vixie 
was just recently reminding people about DNS coherence in the thread 
"DNS Based Load Balancers", and I expected to see that objection show 
up here right away.

I have not been convinced that coherence is a property that *must* be
maintained within the DNS, though I see certain portions that must
obviously remain coherent.  I've written DNS based load balancers in
the past, which worked very successfully for their intended application,
so my views may be mildly slanted.

I would be curious to know exactly how invasive this is into the system,
and what sorts of things are done.  I did do some poking at their
resolver with some queries, and here's what I noticed.


Name:    www.sol.nte

okay, that makes sense

> www.<someofflinedomain>.com.
*** Request to timed-out

okay, that's fine (domain has inaccessible NS's)

but this:


bothers me.

It almost looks like their "magic technology" was to take nonexistent
results and replace them with their web redirector.  I don't *think*
the original Sitefinder behaved like that for delegated domains, though
I really cannot recall the exact effect of a wildcard in this case.

There are still numerous security risks associated with losing final
control over your namespace, and there is also the attractiveness factor
for crackers - it'd be a really scary thing to have a lot of people
using this and then have a cache entry for a major bank get corrupted or
inserted maliciously.

> Of course, everyone should feel free to espouse their opinions on the  
> service, and use it or not, and try to persuade others to use it or  
> not.  But just like any other service, software, protocol, or other  
> _optional_ choice in running your network (or home computer), we will  
> just have to let the market decide.  Chances are, there's enough  
> Internet to go around for everyone, whether they use the service or not.

Well, it may not be perfect, but it is at least a "Sitefinder done (more)
right" than the last spectacle.  I have my reservations.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
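The behaviour Greco describes above, a resolver handing back its web redirector where the authoritative servers answered NXDOMAIN, can be checked from the client side. The following is an added example, not code from the post or from OpenDNS: it resolves random, nonexistent labels under a few zones (the zone names and the 203.0.113.x address in the test are constructed) and reports rewriting when every bogus name resolves to the same small set of addresses. The `resolve` parameter is injectable so the logic can be exercised without network access.

```python
"""Detect NXDOMAIN rewriting (Sitefinder-style redirection) by a resolver.

Added example, not from the original post. Idea: query several random labels
that cannot exist under real zones. A resolver that honours the authoritative
answer returns NXDOMAIN (here: an empty list); one that substitutes a web
redirector returns the same small set of A records for every bogus name.
"""
import secrets
import socket
from collections import Counter

# Zones assumed for the probes (constructed; use zones you know have no wildcard).
PROBE_ZONES = ("example.com", "example.net", "example.org")


def random_label(nbytes=8):
    """Return a random hostname label that will not exist in any real zone."""
    return "nx-" + secrets.token_hex(nbytes)


def system_resolve(name):
    """Resolve via the host's configured resolver; [] means NXDOMAIN / no answer."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_nxdomain_rewrite(resolve=system_resolve, zones=PROBE_ZONES, per_zone=2):
    """Return (rewriting, redirect_ips).

    rewriting is True only when every bogus probe resolved AND all probes share
    at least one address, the signature of an NXDOMAIN -> redirector swap.
    A wildcard zone or a flaky resolver does not trip the check by itself.
    """
    answers = []
    for zone in zones:
        for _ in range(per_zone):
            answers.append(tuple(resolve(f"{random_label()}.{zone}")))
    resolved = [a for a in answers if a]
    if len(resolved) != len(answers):
        return False, set()  # at least one probe got a proper NXDOMAIN
    seen = Counter(ip for a in resolved for ip in a)
    shared = {ip for ip, n in seen.items() if n == len(resolved)}
    return bool(shared), shared


if __name__ == "__main__":
    print(probe_nxdomain_rewrite())  # uses the system resolver
```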
