#1 sky-knight (Untangle Ninja) - Joined Apr 2008, Phoenix, AZ, 25,304 posts

Why OpenDNS Sucks

    This little nugget is for all Untangle resellers. Lately I've been trying to evaluate Untangle alternatives. These efforts have spanned multiple products, but always I seem to be trying to fall back on the use of the OpenDNS enterprise services for Web Filtration, as it is an inexpensive, CIPA certified, web filtration product.

    OpenDNS is not an enterprise ready filtration product.

    I hear you: "Rob, that's a pretty bold claim." Well, let me back it up with some experience I recently obtained the hard way with a new customer.

    As a DNS filter, the only way to be subject to the filter is to subject the machine to DNS resolution via the OpenDNS service. So usually you end up configuring your DHCP server to hand out OpenDNS enabled addressing to DHCP clients on the network, or you configure your AD server to forward to OpenDNS for Internet resolution.

    This means that either every machine subject to your AD server is subject to OpenDNS, or every machine on a given IP segment is subject to OpenDNS.

    So what's the problem? What happens when you need to exempt a specific employee from filtration? (Note you can't do this at all without paying for the Enterprise features)

    Case: A new customer of mine utilizes OpenDNS Enterprise for content control. This control scheme exists to, among other things, prevent employees from wasting their lives on Facebook while at work. This customer maintains 5 discrete locations, all of which handle retail traffic, and as such have relatively high turnover on employee retention. So, each location has a manager that handles HR for that location, and this individual needs to be able to research new prospective employees quickly. One of the tools used to perform this investigation is Facebook!

    So I have a directive to remove Facebook access from employees, but allow managers access to Facebook. This access for the managers needs to be machine portable, and even if I wanted to give them a laptop for Facebook use I wouldn't want to remove all OpenDNS protection just to give them Facebook access.

    So what do you do to give them access? OpenDNS provides a mechanism where you can invite an e-mail address for an exemption of the filters. This mechanism is rather flexible in allowing the administrator to configure what filters that specific admin can bypass, and what they can't, and even when they can or can't bypass the filters.

    Except how it works, by necessity, is completely boneheaded. The manager attempts to access Facebook, they are presented the block page, then they put in a username / password to bypass the block, and they are then shoved through an OpenDNS transparent proxy to get at the content.

    Let's let that sink in for a moment. SSL breaking transparent proxy.

    Then there is the issue of the user's experience: having to input that password every single time they click on something that is blocked. It's driving the managers nuts, but they deal with it because it's all they know!

    Unfortunately for me, I know Untangle, and it drives me nuts that such an annoyance lives on one of my networks.

    Consider Untangle, a local content control system with full AD integration. Creative use of the Policy Manager and Directory Connector give us all of these controls, but deployed in such a way as to prevent any user knowledge it's even happening, much less annoying them. They log into a Windows station and simply by virtue of them being them, the login script works its magic and the user gets access to the content defined by the security policies enshrined in the Untangle virtual rack in question.

    Alternately, they hit the CP, authenticate for a period of time and get access that way.

    My point is, the user experience in regards to Untangle vs OpenDNS is infinitely better. Not to mention the inherent flexibility of Untangle policies grants far greater granularity on what a user can and cannot access. The concept of "bypass" is completely removed, which makes for a far more sane administrator.

    And I, personally, am all about being lazy. Time is something we IT professionals just don't have to spare. So once again Untangle maintains its position in my lineup, because it's simply the best there is. I have to date discovered no other product that can protect users as fully, in a single server or VM, in as easy a manner for both users and administrators, as well as provide as many tools for recovery of the UTM itself.

    OpenDNS in comparison has nothing to back up, nothing to restore, as it's a cloud service. But the price is paid in user and administrative pain. In my opinion the "cloud" isn't a place to put this sort of thing and as such isn't enterprise ready. It simply costs too much in time, and it makes users frustrated. Frustrated users are not productive people!

    How about support? Untangle Support may keep banker's hours, but at least I can get a human on the phone. I called on Monday the 4th for some assistance with OpenDNS (the web UI was acting up); I'm still waiting for a response. The issue has since been resolved, but there was no customer contact for that resolution. Am I old fashioned expecting companies you pay for stuff to actually respond to customer inquiries?

    Of course those of you that follow me on Facebook already know, Dell did the same thing... Call on Monday to try and buy a hard disk desperately needed for a SAN, call today and scream because no one called me back. It's been 36 hours, not asking for support, asking for a part number and a place to swipe a credit card! Perhaps both inquiries simply fell through the cracks? I don't have a clue, I just have a client to keep online.
    Last edited by sky-knight; 06-07-2012 at 09:55 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#2 dwasserman (Untangle Ninja) - Joined Jun 2008, Argentina, 4,348 posts

    It's all true, but...
    You can always do "something".
    For example, if you have 2 or more public IPs you can create different policies in OpenDNS and NAT rules.
    Or you can play in your internal DHCP server, creating 2 or more scopes and changing the external DNS resolver.

    Anyway, the underlying concept in OpenDNS is a unique enterprise-wide policy.
    I agree that we must seek the best tool for every situation.
    The world is divided into 10 kinds of people: those who know binary and those who don't.

#3 sky-knight (Untangle Ninja) - Joined Apr 2008, Phoenix, AZ, 25,304 posts

    There is no such thing as a unique enterprise-wide policy.

    Everywhere you go there are exceptions, exemptions, and rules that govern how and where this stuff applies.

    Now in smaller networks, where the "free" filter is employed in a generic way it's a terrific solution. However, that doesn't scale to the "enterprise" unless you're using it as a baseline malware filter and backing it up with something else.

    And two Web Filters? That's just headache!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#4 dmorris (Untangle Junkie) - Joined Nov 2006, San Carlos, CA, 17,747 posts

    Personally I find any DNS-based filtering lacking because it can only filter on the hostname not the URI unless you do some really nasty proxy tricks.

    You can either block youtube.com or not. You can't just block certain videos because the DNS doesn't see the URI.
    You can either block google.com or not - you can't just limit it to safe searches.
    You can either block wikipedia or not. etc etc.

    It's like trying to filter spam based only on the emails' subjects.

    On the plus side, it's very easy to deploy, which is what many people need.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
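To make the hostname-versus-URI point concrete, here is an added example (not code from the thread or from Untangle) that models what a DNS-based filter can observe against what an in-path filter can observe, using constructed youtube.com and google.com requests. It also shows why, as the first post notes, reading the URI of an HTTPS request requires the filter to terminate TLS itself.

```python
# Added example, not code from the thread: a small model of what a DNS-based
# filter can enforce (hostnames only) versus what an in-path filter can see.
from urllib.parse import urlsplit

# Constructed sample of outbound requests for the demo.
REQUESTS = [
    "https://www.youtube.com/watch?v=cat_video",      # the one video to block
    "https://www.youtube.com/watch?v=training_clip",  # should stay allowed
    "https://www.google.com/search?q=cats&safe=active",
    "https://www.google.com/search?q=cats",
    "https://en.wikipedia.org/wiki/Domain_Name_System",
]

def host_matches(url, blocked_host):
    """All a DNS filter can enforce: the queried name and its subdomains."""
    host = urlsplit(url).hostname or ""
    return host == blocked_host or host.endswith("." + blocked_host)

def uri_matches(url, blocked_host, uri_fragment):
    """The rule the admin actually wants: this host AND this path/query."""
    p = urlsplit(url)
    return host_matches(url, blocked_host) and uri_fragment in f"{p.path}?{p.query}"

def dns_collateral(blocked_host, uri_fragment, requests=REQUESTS):
    """Approximate a URI rule with the nearest DNS rule (block the whole host)
    and return (correctly blocked, over-blocked) request lists."""
    intended = [u for u in requests if uri_matches(u, blocked_host, uri_fragment)]
    by_dns = [u for u in requests if host_matches(u, blocked_host)]
    return intended, [u for u in by_dns if u not in intended]

def visible_to_inline_filter(url, tls_intercept=False):
    """What an in-path filter sees: the full URI for plain HTTP, but for HTTPS
    only the server name unless the filter terminates TLS itself."""
    p = urlsplit(url)
    if p.scheme == "https" and not tls_intercept:
        return p.hostname
    return f"{p.hostname}{p.path}" + (f"?{p.query}" if p.query else "")

if __name__ == "__main__":
    ok, over = dns_collateral("youtube.com", "v=cat_video")
    print("blocked as intended:", ok)
    print("blocked as collateral:", over)
    print(visible_to_inline_filter(REQUESTS[2]))
    print(visible_to_inline_filter(REQUESTS[2], tls_intercept=True))
```

Blocking one video at the DNS layer necessarily takes the whole host with it, which is the trade-off the post describes.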

#5 sky-knight (Untangle Ninja) - Joined Apr 2008, Phoenix, AZ, 25,304 posts

    Yeah, but for those of us that have had access to "better" the DNS based stuff is stifling.

    I'm still trying to figure out how to integrate Untangle for this new customer. They have an ISP that does Mikrotik edge devices for them, they maintain the connection and the edge device. So I have to maintain PCI compliance when I can't audit the edge router myself... very strange.

    That said, they do a decent job and they have local people. Since they are over 2 hours away, having someone I can call to fix the last mile problems without having to drive myself makes support easier in some cases. Then again, these are the guys that replaced the router at the primary location and managed to screw up half of the port forwards, at least one NAT policy, and break EVERY SINGLE remote VPN link... that was a mess.

    I just got around to OpenDNS this past week and I was appalled at how little you can do with the "enterprise" version. If "enterprise" admins are happy with that service level, I'm either an overbearing perfectionist, or the average admin is a few crayons short of a full box. I'm sure both apply equally most days!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#6 YeOldeStonecat (Untangle Ninja) - Joined Aug 2007, 1,549 posts

    I recently put Untangle (on an NG-100) out in a small school, to take over their network. Replaced a Cisco RV016 at the edge. The IT woman there previously used OpenDNS for their content filtering.

    I've liked using OpenDNS for their additional malware protection, but never used it for content filtering. She showed me how easy it was to put blocks on... and allow staff through, via the user/pass thing. She was actually bummed at the complication of having to set up policies and multiple racks in Untangle to allow the same thing.

    It's a small school out on an exclusive island, K-12 and less than 60 students. A 1-hour ferry boat ride over to it. I'm crossing my fingers big time hoping that NG's hard drive doesn't tank like they have been this past winter.

#7 sky-knight (Untangle Ninja) - Joined Apr 2008, Phoenix, AZ, 25,304 posts

    As soon as I can figure out a way to sanely support the Linux mirroring with Untangle, I'm going to light up the second drive option those 100s can carry.

    It installs and works wonderfully! It's just not something I can support remotely easily.

    We've had more issues with SSDs this past year than rotating drives. I think you've managed to snag just about all of the rotating drive failures. Still a mirror would be nice to add, and heck perhaps it's just one of those things only our resellers can offer. If you're interested I can show you how to deploy one.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#8 Master Untangler - Joined Dec 2010, Boerne, TX, 261 posts

    Quote Originally Posted by sky-knight:
    > How about support? Untangle Support may keep bankers hours but at least I can get a human on the phone. I called on Monday the 4th for some assistance with OpenDNS (the web UI was acting up), I'm still waiting for a response. The issue has since been resolved, but there was no customer contact for that resolution. Am I old fashioned expecting companies you pay for stuff to actually respond to customer inquiries?
    I think that is the question of the year, Rob. At the end of the day, support is what people need...and what they pay for (or lack thereof). What most of us do in IT is not simply sell hardware or software, but provide our expertise to resolve problems. IT must not be thought of as an expense center, but a workforce multiplier.

    I've refused to support some prospective customers because they would not invest in doing the right thing for their infrastructure. They wanted me to be perpetually frustrated with issues that I must resolve when I have no power to change the systems that caused them.

    Kind of like a firefighter being continually called to put out fires at a company when he can clearly see the "octopus outlets" feeding equipment all around the room and old rags and cleaning chemicals are stored in the corner. Or how about a business owner that is mad about how much his employees are being paid with little to show for it. Never mind many of them are playing on the internet all day instead of making money for the company. This same owner would balk at hiring a consultant to resolve the issue because it would cost him "extra" to take care of the problem.
    ...Rick
