Monday, August 20, 2012

Looks like I'm done with OpenDNS

Here's why:

For some reason they feel it's necessary to proxy/decrypt SSL sessions.  Really dislike it A LOT when I go to log in to my bank or PayPal account and get a warning about the SSL cert belonging not to PayPal but OpenDNS.  Hey OpenDNS - WTF?  What possible rationale do you have for doing this?

If I'm a customer that wants you to scan my outbound traffic for data leaks and authorize this then fine.  Doing it to folks that just want fast reliable DNS is shady at best.  Like a mailbox rental place that opens everyone's letters and packages before sending them.  

Second, I use a certain anonymizing proxy for some things.  Suddenly OpenDNS has decided to just not resolve that FQDN. They aren't openly blocking it. They just refuse to resolve it.  They will tell you the DNS servers responsible for that domain but just refuse to return the actual records - substituting them with one of their own (I suspect another OpenDNS man-in-the-middle attack).  The servers are working, the DNS servers for that domain are working, and looking up that FQDN on any other DNS server that behaves rationally returns the actual address records.  Not OpenDNS - the passive-aggressive filtering DNS company...

Annoying.  I had held them out and even recommended them as a respectable, fast and trustworthy company.  Hate it when I get proven wrong.

