What is the OpenDNS Global Network?
The Global Network is OpenDNS’s infrastructure that handles more than two percent of the world’s daily Internet requests with proven 100 percent uptime. It enforces security policies with no added latency, and in minutes covers any device worldwide, for our enterprise security product—Umbrella.
How we enforce policies
Before you can access the Web, your device establishes connections to thousands of networks and systems across the Internet. Each time, your device must know the destination’s IP address—and that is where OpenDNS comes in.
We have built and distributed multi-tenant DNS resolvers, HTTP/S proxies, VPN gateways, and block page servers around the world. Working in tandem with the predictive intelligence from the Security Graph, our service allows connections to safe locations, blocks connections to malicious locations, or proxies connections to enforce policies at the URL-level for deeper inspection.
The advantage to enforcing security at the DNS layer is that it precedes the TCP/IP connection, enabling our service to be agnostic to the connection’s port, protocol or app. Our Windows and Mac OS X endpoint footprints can enforce security at both the DNS and IP layers—addressing the small number of malicious payloads that use hard-coded IP addresses to establish direct command & control connections.
What happens each time we receive a DNS request?
- First, we determine which policy to enforce. Some DNS requests embed a customer’s internal IP address, user name, or device name. We always know the public IP address that sent the DNS request. We will match either type of identity with a customer’s policy.
- Second, we determine the IP address mapped to the domain name. The answer is often already in the resolver's cache; if it is not, we contact the domain's authoritative nameservers to resolve it.
- Third, we determine if the domain name or IP address is categorized. We have three sources of categorization based on OpenDNS Security Graph, OpenDNS Domain Tagging, and customers’ custom domain lists created in Umbrella.
- Fourth, based on the categorization of the domain or IP your device is trying to connect to, you will be routed in different ways. If the destination is safe, you will be routed to it directly. However, if your device is trying to connect to a bad location, you will be directed to our nearest block page server. In cases when we need to inspect the destination in more detail, you will be routed through the Intelligent Proxy.
- The advantage of OpenDNS’s Intelligent Proxy is that it selectively proxies connections to provide the ability to block at the URL-level or lower. This means the Intelligent Proxy introduces significantly less latency overall than conventional proxies.
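The four steps above, modelled as an added example: this is illustrative code written for this page, not OpenDNS's resolver or Umbrella code. Every tenant, identity, category, cache entry and address in it is constructed (the tenant "acme", the 198.51.100.0/24 office range, the block page and proxy addresses in 192.0.2.0/24), and the "authoritative" lookup is a dictionary standing in for a real recursive query.

```python
# Added example, not OpenDNS code: a toy model of the four-step decision a
# policy-enforcing resolver makes per DNS request. All data is constructed.
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
import ipaddress

class Verdict(Enum):
    ALLOW = "allow"   # answer with the real address, client connects directly
    BLOCK = "block"   # answer with the nearest block page server
    PROXY = "proxy"   # answer with the Intelligent Proxy for URL-level inspection

# Step 1 data: which tenant owns a public source range or an embedded identity.
PUBLIC_IP_TO_TENANT = {ipaddress.ip_network("198.51.100.0/24"): "acme"}
EMBEDDED_ID_TO_TENANT = {"acme-laptop-01": "acme", "jdoe": "acme"}
TENANT_POLICY = {
    "acme": {"block": {"malware", "phishing"}, "inspect": {"file-sharing", "newly-seen"}},
}
# Unknown sources get a default policy: security categories only, no inspection.
DEFAULT_POLICY = {"block": {"malware", "phishing"}, "inspect": set()}

# Step 3 data: three categorisation sources (constructed sample entries).
SECURITY_GRAPH = {"bad.example": "malware"}
DOMAIN_TAGGING = {"torrents.example": "file-sharing", "news.example": "news"}
CUSTOM_LISTS = {"acme": {"intranet-mirror.example": "allow", "games.example": "block"}}

# Step 2 data: resolver cache plus a stand-in for authoritative lookups.
CACHE = {"news.example": "203.0.113.10", "bad.example": "203.0.113.66"}
AUTHORITATIVE = {"torrents.example": "203.0.113.99", "games.example": "203.0.113.7",
                 "intranet-mirror.example": "203.0.113.42"}

BLOCK_PAGE_IP = "192.0.2.1"   # placeholder for the nearest block page server
PROXY_IP = "192.0.2.2"        # placeholder for the Intelligent Proxy

@dataclass
class DnsRequest:
    source_ip: str
    qname: str
    embedded_identity: str | None = None  # device or user name added by an agent

@dataclass
class Decision:
    tenant: str | None
    category: str | None
    verdict: Verdict
    answer: str | None

def identify_tenant(req: DnsRequest) -> str | None:
    """Step 1: an embedded identity wins; otherwise fall back to the public source IP."""
    if req.embedded_identity in EMBEDDED_ID_TO_TENANT:
        return EMBEDDED_ID_TO_TENANT[req.embedded_identity]
    src = ipaddress.ip_address(req.source_ip)
    for net, tenant in PUBLIC_IP_TO_TENANT.items():
        if src in net:
            return tenant
    return None

def resolve(qname: str) -> str | None:
    """Step 2: serve from cache, else ask the (stand-in) authoritative server and cache it."""
    if qname in CACHE:
        return CACHE[qname]
    ip = AUTHORITATIVE.get(qname)
    if ip is not None:
        CACHE[qname] = ip
    return ip

def categorize(qname: str, tenant: str | None) -> str | None:
    """Step 3: a tenant's custom list overrides the shared categorisation sources."""
    if tenant and qname in CUSTOM_LISTS.get(tenant, {}):
        return "custom-" + CUSTOM_LISTS[tenant][qname]
    return SECURITY_GRAPH.get(qname) or DOMAIN_TAGGING.get(qname)

def decide(req: DnsRequest) -> Decision:
    """Step 4: turn identity and category into the address returned to the client."""
    tenant = identify_tenant(req)
    resolved = resolve(req.qname)
    category = categorize(req.qname, tenant)
    policy = TENANT_POLICY.get(tenant, DEFAULT_POLICY)
    if category == "custom-allow":
        return Decision(tenant, category, Verdict.ALLOW, resolved)
    if category == "custom-block" or category in policy["block"]:
        return Decision(tenant, category, Verdict.BLOCK, BLOCK_PAGE_IP)
    if category in policy["inspect"]:
        return Decision(tenant, category, Verdict.PROXY, PROXY_IP)
    return Decision(tenant, category, Verdict.ALLOW, resolved)

if __name__ == "__main__":
    # Same domain, same roaming IP: the embedded identity decides which policy applies.
    print(decide(DnsRequest("203.0.113.200", "torrents.example", "jdoe")))
    print(decide(DnsRequest("203.0.113.200", "torrents.example")))
```

The two calls at the bottom show the point of embedding an identity into the request: from an unrecognised public address the same query to torrents.example is allowed under the default policy, but with "jdoe" embedded it is matched to the acme tenant and sent to the proxy for inspection.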
How we avoid introducing new latency, bottlenecks, or points of failure
Simply put, we don’t introduce anything new to the way the Internet works. You currently use a recursive DNS provider, and we’re just a faster, more reliable and security-focused alternative.
To ensure 100 percent uptime, we use Anycast routing for global failover. We announce one IP address for hundreds of DNS resolvers across all data center locations. Even if multiple locations go offline, there are no service disruptions, because DNS requests are transparently routed to the next best location.
To offer a faster service, we locate our data centers at Internet Exchange Points—the crossroads through which all Internet traffic passes. Here, OpenDNS establishes relationships with thousands of the world’s largest ISPs and CDNs to shorten the path between our network and every other network—including those belonging to our customers.
- Our massive scale of over 80 billion daily DNS requests provides other advantages. We already have nearly every DNS record cached, which means that we can avoid waiting for multiple authoritative nameservers to respond with the IP address.
How Umbrella adds granular enforcement and off-network coverage
In addition to using your existing Internet gateways, DNS, or DHCP servers to forward external DNS requests to our Global Network, OpenDNS provides several lightweight software options that require no admin intervention once they are deployed.
Our Virtual Appliance for VMware or Hyper-V embeds an internal IP address, Active Directory user name, and device name into DNS requests before they leave your network. Granular policy enforcement is achieved without installing endpoint software or re-authenticating users. However, to achieve off-network coverage, endpoint software is a necessary evil. By enforcing policies in our Global Network, not in the software, we avoid impacting network or system performance. One option is enabling Roaming Security for Cisco AnyConnect v4.3 or higher. A second option is deploying OpenDNS Roaming Client alongside any VPN agent. With both options, there’s absolutely nothing new for end-users to do or any performance sacrifice. The Windows or Mac OS X endpoint footprint simply embeds the hostname (and username with AnyConnect) into DNS requests before they leave the device.
Mobile device protection uses VPN technology
- Our Mobile App for iOS devices establishes an always-on IPsec tunnel that encrypts and forwards all traffic to our Global Network.
Partnerships for a faster Internet
We collaborate with Content Delivery Network (CDN) partners to provide EDNS Client Subnet support for our customers, as part of a worldwide effort to improve Internet speeds. The joint initiative enables CDNs to make more intelligent routing decisions based on the approximate location of a user rather than the location of the user’s OpenDNS server.
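What "approximate location" means on the wire, as an added example that is not OpenDNS or any CDN's code: the resolver attaches an EDNS Client Subnet option (RFC 7871, option code 8) carrying only a truncated prefix of the client's address, so the authoritative or CDN nameserver learns the client's network, not the host. The code below encodes and decodes that option; the client addresses are constructed, and the prefix lengths (/24 for IPv4, /56 for IPv6) are the values RFC 7871 recommends.

```python
# Added example, not OpenDNS or CDN code: the EDNS Client Subnet option
# (RFC 7871) a resolver sends to a nameserver. Sample addresses are constructed.
from __future__ import annotations
import ipaddress
import struct

ECS_OPTION_CODE = 8
FAMILY = {4: 1, 6: 2}   # IANA address family numbers: 1 = IPv4, 2 = IPv6

def encode_ecs(client_ip: str, source_prefix_len: int) -> bytes:
    """Build OPTION-CODE, OPTION-LENGTH and OPTION-DATA for a query.
    SCOPE PREFIX-LENGTH is always 0 in a query; only ceil(prefix/8) address
    bytes are sent and bits beyond the prefix are zeroed, so a /24 exposes
    the client's network and nothing about the host."""
    addr = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(f"{addr}/{source_prefix_len}", strict=False)
    nbytes = (source_prefix_len + 7) // 8
    addr_bytes = net.network_address.packed[:nbytes]
    data = struct.pack("!HBB", FAMILY[addr.version], source_prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def decode_ecs(option: bytes) -> tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, int]:
    """Parse an ECS option into (client network, scope prefix length),
    rejecting the malformed shapes RFC 7871 tells a receiver to refuse."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr_bytes = option[8:]
    if family not in (1, 2):
        raise ValueError("unsupported address family")
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    full_len = 4 if family == 1 else 16
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    net = ipaddress.ip_network(f"{addr}/{source}", strict=False)
    # Trailing bits past the source prefix must be zero on the wire.
    if net.network_address != addr:
        raise ValueError("non-zero bits beyond source prefix length")
    return net, scope

if __name__ == "__main__":
    opt = encode_ecs("198.51.100.77", 24)   # constructed client address
    print(opt.hex(), decode_ecs(opt))        # the host byte .77 never leaves the resolver
```

A resolver that wants to cache the CDN's answer has to key it on the scope prefix the server returns, not on the client's full address; the decoder returns that scope alongside the network so a caller can do so.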