OpenDNS / Best Practices
I. Overview For IT Administrators
- OpenDNS works with your network
- OpenDNS and content filtering
- OpenDNS with VPNs and private domains
- OpenDNS and email
II. Implementation Guide For IT Administrators
- Using OpenDNS with Windows Server 2003 (or SBS) with Active Directory
- Using OpenDNS with an internal unix-based DNS server
- Using OpenDNS with web proxy software (Squid, Dan's Guardian)
OpenDNS works with your network 
OpenDNS is currently being used across a wide variety of networks, all with different configurations. Our customers range from personal home networks to those of major universities, businesses, libraries and even law enforcement agencies.
While every network is unique in its own right, there are common layers in each network, especially for DNS. The purpose of this document is to examine common situations our customers address in configuring their networks to use OpenDNS, so you can better understand how OpenDNS can complement yours. While the setup may differ slightly, the situations outlined are certain to be similar to those you face. The important thing to remember is that OpenDNS is safe, reliable and will not break your network.
OpenDNS is not software
With OpenDNS you do not need to worry about downloading or installing software. To use OpenDNS, you merely choose to use our DNS servers (208.67.222.222 and 208.67.220.220) instead of those assigned by your ISP or pointing directly to the root servers. With no new software, trying OpenDNS is a no-risk opportunity to improve your network experience.
OpenDNS is recursive DNS
OpenDNS delivers recursive DNS service, which means our DNS translates the domain name requests made from your network into IP addresses. This is how all recursive DNS works; OpenDNS just does it faster and more reliably.
OpenDNS does not provide domain name hosting services or authoritative DNS for telling the Internet where your domain resolves to. We do not manage zone files or other authoritative features. For domain owners, we do offer instant cache updating with CacheCheck, so your domain updates can be instantly propagated for all OpenDNS customers.
OpenDNS and content filtering 

Filtering adult content and other unwanted sites on a network is one of the greatest advantages to using OpenDNS. With a free account, you can manage your network(s) in the Dashboard, setting custom preferences all the way down to the individual public IP address.
When behind a single IP address (common in NAT), all DNS requests from that IP will be treated with that IP's preferences. Some network administrators are able to assign a different IP address and router for each sub-group within their network. Quite simply, they set up two different routes: one for content filtering and the other for alternate access, depending on their needs. They then set up a separate network for each IP address within their OpenDNS account and filter content accordingly. Unless a machine has a public IP address, per-machine preferences are not yet possible with OpenDNS.
OpenDNS with VPNs and private domains 

OpenDNS cannot "see" your private network, so OpenDNS cannot resolve intranet domains or internal requests for printers, network shares, etc.
To avoid any problems reaching these internal resources, there are two choices.
First, you may forward only external DNS requests to OpenDNS, continuing to resolve local domains locally (i.e., on your local DNS server, such as Active Directory or BIND).
Second, you may add your local domain(s) as Typo Exceptions in the OpenDNS Dashboard. For example, adding company.internal or mycompany.com to the typo exceptions list in your OpenDNS account will tell OpenDNS not to attempt to resolve these internal resources, and your local routing will continue uninterrupted.
OpenDNS and email 

Some users worry about the effect OpenDNS may have on email. A common question is "If I send email to a blocked domain, what will happen?" The answer depends on several factors: the domain's MX record, its A record, and how the two relate.
A sending mail server first looks up the MX record of the recipient's domain. Once found, the MX record acts as a pointer to a specific mail host, whose IP address is then resolved.
If the host the MX record points to is under a blocked domain, that lookup is blocked by the OpenDNS servers and the mail will be rejected.
If no MX record can be found, the mail server falls back to the A record of the domain itself and sends mail there. If that domain is blocked, the mail will not be delivered.
Keep in mind, though, that email can still be delivered to a blocked domain in the situation above if its MX record points to a host under a domain that is not blocked. The MX record may be entirely different from the domain itself, in which case the block would not be enforced on the mail.
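The two points above, that internal domains are answered locally and never forwarded, and that a sending mail server tries MX first and falls back to the A record, are illustrated by the following added Python example. It is not OpenDNS code: every domain name, address, zone entry and the block list are constructed for the example, and the filtering model (address lookups under a blocked domain get no usable answer, while the MX pointer itself is still returned) is a simplification of the behaviour this section describes.

```python
"""Simulate split resolution plus filtered mail delivery (added example).

Constructed data only; the filtering rule is a simplified model of what the
section above describes, not OpenDNS's implementation.
"""
from typing import Dict, List, Optional, Set, Tuple

# Domains the administrator marked as internal: resolved by the local
# Active Directory / BIND server and never forwarded upstream. (constructed)
INTERNAL_DOMAINS: Set[str] = {"company.internal"}

# Records held by the local DNS server. (constructed)
LOCAL_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("printer1.company.internal", "A"): ["10.0.0.25"],
}

# Records the public Internet would return. (constructed, documentation ranges)
PUBLIC_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("blocked.example", "MX"): ["mail.blocked.example"],
    ("mail.blocked.example", "A"): ["203.0.113.10"],
    ("nomx.example", "A"): ["203.0.113.20"],          # domain with no MX record
    ("outsourced.example", "MX"): ["mx.mailhost.example"],
    ("mx.mailhost.example", "A"): ["198.51.100.5"],   # MX host under another domain
    ("allowed.example", "MX"): ["mail.allowed.example"],
    ("mail.allowed.example", "A"): ["198.51.100.9"],
}

# Domains blocked in the hypothetical network's filtering preferences. (constructed)
BLOCKED_DOMAINS: Set[str] = {"blocked.example", "nomx.example", "outsourced.example"}


def _in_domain(name: str, domain: str) -> bool:
    """True when name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def resolver_for(name: str) -> str:
    """Which server answers this name: the local server or the upstream filter."""
    if any(_in_domain(name, d) for d in INTERNAL_DOMAINS):
        return "local"
    return "opendns"


def resolve(name: str, qtype: str) -> Optional[List[str]]:
    """Return answer records, or None when the name is unknown or filtered.

    Model assumption: filtering applies when a name under a blocked domain is
    resolved to an address (A lookup). The MX pointer itself is still returned,
    which is what lets mail reach a blocked domain whose MX host lives elsewhere.
    """
    if resolver_for(name) == "local":
        return LOCAL_ZONE.get((name, qtype))
    if qtype == "A" and any(_in_domain(name, d) for d in BLOCKED_DOMAINS):
        return None
    return PUBLIC_ZONE.get((name, qtype))


def mail_destination(domain: str) -> Optional[str]:
    """Mimic a sending MTA: MX first, then fall back to the domain's A record.

    Returns the IP the mail would be delivered to, or None when filtering
    prevents delivery.
    """
    mx_hosts = resolve(domain, "MX")
    if mx_hosts:
        # The block is enforced on the MX host's address, not on the
        # recipient domain's name, so an unblocked MX host still delivers.
        for host in mx_hosts:
            addrs = resolve(host, "A")
            if addrs:
                return addrs[0]
        return None
    # No MX record: fall back to the A record of the domain itself.
    addrs = resolve(domain, "A")
    return addrs[0] if addrs else None


if __name__ == "__main__":
    print("printer1.company.internal ->", resolver_for("printer1.company.internal"),
          resolve("printer1.company.internal", "A"))
    for dom in ("blocked.example", "nomx.example", "outsourced.example", "allowed.example"):
        print(f"mail to {dom}: {mail_destination(dom)}")
```

Running it shows the three cases from the text side by side: mail to blocked.example and nomx.example gets no destination, while outsourced.example, although blocked, still receives mail because its MX host sits under mailhost.example, which is not on the block list. That last case is the caveat to keep in mind when relying on DNS filtering to stop outbound mail.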
Using OpenDNS with Windows Server 2003 (or SBS) with Active Directory 
Setting up OpenDNS on your small to medium size network is very easy. Whether you have three workstations or thirty the steps are the same. You can rest assured that updating the DNS servers on your network is simple, transparent and will improve your overall performance.

Changing the DNS settings should not cause any known issues with the Exchange server (mail server) or the other machines on that network. The DHCP server will assign these settings for external lookups through DNS forwarders.
The Windows server running Active Directory is the point through which your network's DNS communication with the rest of the world passes. Changes to DNS settings do not and should not be made on the router or the individual machines. The Active Directory servers' DNS settings are all that need to be updated.
Your VPN and intranet should not be affected. Internal DNS queries will be handled internally by the Active Directory internal DNS servers. If you are sending email to a fellow employee or accessing a file on your server, the internal DNS will handle that query. OpenDNS is performing external queries for domains outside of your network.
The Exchange server should not be affected by updating to OpenDNS. Internal queries will be handled internally by the Exchange server. For instance, if you send an email to someone within your network the query will be handled internally by the Active Directory server. If you are sending email off your network OpenDNS will handle the query and act the same as your current set up without any problems.
It does not matter how many machines are on a network. All of them will use OpenDNS, as it is delegated from the Active Directory server. See our instructions for Windows Server 2003.
The instructions are much the same for Microsoft Small Business server. However, only one DNS server is present. For Windows 2000 server with multiple DNS servers running Active Directory, the settings need to be updated in those specific zones.
Using OpenDNS with an internal unix-based DNS server 
OpenDNS can be used in a number of ways on a unix-like platform. When we say unix we're talking about most flavors of Linux or *BSD. Solaris will probably work too, as will just about any unix-like operating system.
To use OpenDNS on a desktop, just edit your /etc/resolv.conf to use the OpenDNS nameservers.
- Modify /etc/resolv.conf to use OpenDNS
- nameserver 208.67.222.222
- nameserver 208.67.220.220
If you want to use OpenDNS as a forwarder on an existing unix nameserver, search our knowledge base to find the instructions for your DNS software of choice. If you don't have one, we tend to recommend the powerful dnscache server or the more widely-used DNS server called BIND. Instructions are also available for MaraDNS.
Using OpenDNS with web proxy software (Squid, Dan's Guardian) 
OpenDNS is used by many customers to complement a network that is already using Squid for content filtering. If you are using Squid you will find that OpenDNS is very compatible.
Those using Squid:
- add/modify the dns_nameservers parameter in squid.conf
- dns_nameservers 208.67.222.222 208.67.220.220
- squid -k parse
- squid -k reconfigure
One user shared:
At my company, using OpenDNS is forced by redirection of all www traffic to a machine with squid installed (and this machine is using OpenDNS servers), and also all company DNS servers have OpenDNS set up as their default DNS servers. It works well, and it is also a way to have another web filtering layer.
