OpenDNS Whitepaper: Platform Technology
DELIVERY PLATFORM AND TECHNOLOGY OVERVIEW
OpenDNS Enterprise Secures Internet Connections with 100% Uptime
Our global security network, Anycast routing and SmartCache™ technologies deliver a simpler, faster
and more reliable Internet experience without requiring you to change your network topology.
Let’s face it, if there were no security and compliance threats to protect users and devices from, you wouldn’t complicate and risk your network infrastructure by installing countless network devices (e.g. firewalls, in-line filters, proxies). You would deploy the minimum number of switches and routers between your devices and the Internet. Traffic would flow at the maximum speed and throughput provided by your ISPs (Internet Service Providers), and there would be no additional points of failure (or complication) to manage and maintain daily. You would be happy, and your end users would be happy. Regrettably, the risk of data loss, identity theft, inappropriate or malicious resource consumption, brand damage, etc. is great enough to justify adding network infrastructure risks and investing your time.
However, even if we lived in a threat-free world, you still would deal with the inherent complexity and inconsistency of several, less-than-100%-reliable recursive DNS services provided by your ISPs. This common situation impacts organizations that use redundant Internet pipes with more than one ISP or have multiple network locations with different ISPs. OpenDNS addresses both these problems, while securing every Internet connection, by eliminating the common requirement to add network devices or in any way change your network topology, and simultaneously consolidating all these disparate recursive DNS services into one ultra-reliable global DNS service with the same two consistent IP addresses (208.67.222.222 and 208.67.220.220).
Connected at Internet’s Core Fabric for a Faster, More Global Service
The Internet is often referred to as a “Network of Networks”, as it consists of over 5,000 ISPs interconnected with one another in a sparsely meshed fabric. The core of the Internet’s fabric is created using peering agreements at IXPs (Internet Exchange Points), which allow first-tier ISPs or other service providers like OpenDNS to exchange traffic bound for one another’s customers. Millions of business networks and billions of home networks are connected via transit agreements for DIA (direct Internet access) from each ISP’s PoP (points of presence). Transit agreements are also used to connect OpenDNS to first-tier ISPs and first-tier ISPs to smaller ISPs, commonly at the Internet’s edges.
OpenDNS selects strategic IXPs to connect our PoPs to the Internet’s core using two criteria – Internet connectivity and geography. More peering and transit agreements established with ISPs at an IXP translate to fewer connection hops and less latency incurred between the customer’s networks and OpenDNS’s services, as well as between authoritative DNS servers and OpenDNS’s services. More geographic isolation between IXPs translates to fewer issues in one region spilling over and impacting another (e.g. disaster at datacenter, large-scale routing errors).
For more information please visit: www.opendns.com or call 877-811-2367
Many regional second- or third-tier ISPs that business or home networks receive DIA from have no peering agreements at IXPs or geographic dispersion, making their DNS services susceptible to greater latency to retrieve DNS responses or outages, respectively. OpenDNS currently has selected 12 PoPs, which interconnect with the number one, two and three most well-connected IXPs globally, and in particular in the Americas, Europe and Asia-Pacific. While OpenDNS is available everywhere today, there are further plans to increase usage in Asia-Pacific and South America.
“All Roads Lead to Rome” for a Faster, Simpler Internet Experience
Most local network setups or global services use traditional Unicast routing, for which each server at each location advertises a unique IP address. In regards to an ISP’s DNS service, it would mean that every recursive DNS resolver is assigned a different IP address. Some services may offer a single IP address per PoP even if it consists of hundreds of servers, which is commonly implemented by load-balancers deployed at each location, but this has the same drawbacks of Unicast routing. Anycast routing enables multiple servers at multiple locations to advertise the same IP address globally, not per location, and without load balancers adding more latency and risk of failure. In regards to OpenDNS’s DNS service, it enables our global PoPs consisting of 1000s of identical recursive DNS resolvers to advertise the same IP address pair.
OpenDNS absorbs the time, cost and complexity to set up our true Anycasted security network. It requires that we maintain our own hardware, a large IP address space, direct relationships with your upstream ISPs, and sophisticated network routing policies.
The benefit to you is that it is much simpler to set up every network device by using the same pair of IP addresses, such as when configuring DHCP servers and creating, backing up or cloning hard disk or virtual machine images used anywhere, at any time. The benefit to your end users is faster connections to the Internet. OpenDNS blends Anycast’s fewest-hop routing logic to ensure your DNS queries go to the nearest PoP, and our proprietary network topology using two overlapping global Anycast “clouds” with different routing policies to enable your stub DNS resolvers to pick the lowest-latency route.
Self-Healing Routes Lead to a More Reliable Internet Experience
Rather than crude round-robin methods or physical load balancers, Anycast uses load-balanced routing logic, which is invisible to individual servers or entire PoPs. If a server or entire PoP is taken offline for maintenance, disasters, failures or attacks, it ceases to advertise its shared IP address and upstream layer-3 network devices will transparently re-route the traffic. So when you send a DNS query to OpenDNS, it will always return a response from the quickest, closest available DNS resolver! This eliminates you ever needing to make changes because we are conducting maintenance on servers closest to your network locations or we experience a major failure, as other global services claiming 99.999% uptime SLAs (service level agreements) so often do. It’s that reliable and why we can truly claim that we’ve had 100% uptime since we launched our services in 2006.
SmartCache Leads to an Even Faster and Smarter Internet Experience
OpenDNS receives billions of DNS queries daily from almost 2% of the Internet’s users and their devices. When OpenDNS receives each subsequent DNS query, we already know the answer (much more often than your regional ISPs), so we do not make you wait on the authoritative DNS servers to return this same answer. While we know almost every server’s address across the entire global Internet at any given time, this is not what makes our caching technology unique.
Many authoritative DNS outages, attacks or failures have impacted business-critical sites such as salesforce.com, amazon.com and petco.com, or even millions of domains, such as when the top-level domain used by Germany (.de) was unreachable. When such incidents occur, which is not uncommon, OpenDNS still returns the last-known correct address using our exclusive caching logic, whereas the rest of the Internet’s users will not be able to reach the domain.
Figure: DNS resolution through stub, recursive and authoritative resolvers.
What uses it?
  Stub resolver: every device worldwide (e.g. clients, servers)
  Recursive resolver: Option 1, regional ISP servers; Option 2, global OpenDNS servers
  Authoritative resolver: third-party servers worldwide
How does it work?
  Stub resolver: sends the query “where is foo.com?” (a non-cached query adds lookup latency) and gets Answer #1, “foo.com is at 1.2.3.4” (always with OpenDNS), or Answer #2, “Server Failed” (sometimes with ISP).
  Recursive resolver, Step 1: is there a valid/non-expired cached answer?
    Option 1 (regional ISP): less likely with only regional coverage; no cached response (added latency).
    Option 2 (OpenDNS): very likely with 40+ billion global queries daily; cached response: “foo.com is at 1.2.3.4”.
  Recursive resolver, Step 2: if there is no/expired cached answer, then query the authoritative resolver: “where is foo.com?” (+ lookup latency).
    Authoritative resolver: Answer #1 (GOOD), “foo.com is at 1.2.3.4”, or Answer #2 (BAD), “Server Failed”.
    Option 1 (regional ISP): new response (#1) “foo.com is at 1.2.3.4” or new response (#2) “Server Failed”.
    Option 2 (OpenDNS): new response (#1) “foo.com is at 1.2.3.4” or last-known cached response “foo.com is at 1.2.3.4”.
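The two-step lookup with a last-known-answer fallback described above can be sketched as follows. This is an added example, not OpenDNS code and not a description of how SmartCache is implemented; the class and function names, the `max_stale` bound and the 300-second TTL are assumptions, and the foo.com / 1.2.3.4 data is constructed from the figure.

```python
import time
from dataclasses import dataclass

class UpstreamFailure(Exception):
    """The authoritative lookup failed (the figure's "Server Failed")."""

@dataclass
class Entry:
    address: str
    expires_at: float

class LastKnownGoodCache:
    def __init__(self, upstream, clock=time.monotonic, max_stale=86400.0):
        self.upstream = upstream    # callable(name) -> (address, ttl_seconds)
        self.clock = clock          # injectable so the example runs offline
        # Assumption, not from the page: cap how long an expired answer is
        # reused, so a reassigned address is not served indefinitely.
        self.max_stale = max_stale
        self.entries = {}

    def resolve(self, name):
        """Return (address, source): source is 'cached', 'new' or 'last-known'."""
        now = self.clock()
        entry = self.entries.get(name)
        # Step 1: is there a valid, non-expired cached answer?
        if entry and now < entry.expires_at:
            return entry.address, "cached"
        # Step 2: no cached answer or it expired, so ask the authoritative side.
        try:
            address, ttl = self.upstream(name)
        except UpstreamFailure:
            # Fall back to the expired entry instead of passing the failure on.
            if entry and now - entry.expires_at <= self.max_stale:
                return entry.address, "last-known"
            raise
        self.entries[name] = Entry(address, now + ttl)
        return address, "new"

def demo():
    """Constructed scenario: answer cached, TTL expires, authoritative side fails."""
    now, healthy = [0.0], [True]
    def upstream(name):
        if not healthy[0]:
            raise UpstreamFailure(name)
        return "1.2.3.4", 300
    cache = LastKnownGoodCache(upstream, clock=lambda: now[0])
    results = [cache.resolve("foo.com")]        # first lookup
    now[0] = 100.0
    results.append(cache.resolve("foo.com"))    # still within the TTL
    now[0], healthy[0] = 400.0, False           # TTL expired, upstream down
    results.append(cache.resolve("foo.com"))
    return results
```

A name that was never cached still fails when the authoritative side is down, which is the regional-ISP outcome in the figure.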