Mayayana said:
> ...
> My understanding is that OpenDNS is just supposed to be an honest
> operation, while an increasing number of ISPs are doing things like
> showing an ad instead of a 404 page. If you use your ISP DNS that
> also reports all of your destinations to them.
Wrong. OpenDNS also corrupts DNS by not reporting failures and instead
redirecting you to their "help" (ad/search) page.
Unless you create an account at OpenDNS, and unless you install their
DNS client on your host (so it can connect to your online account to
update it so your online account knows your current IP address to apply
your settings), you will get a "help" page on failed DNS lookups at
OpenDNS. Only if you have an account can you configure OpenDNS not to
show its ad/search page on failed DNS lookups; however, you lose other
features if you disable their ad/search interception on DNS fail, like
letting you select categories of sites to block and your own
personalized list of domains to block (max of 50 but you can block on
domains instead of hosts which is what the hosts file does).
If you don't have an account and just use their DNS service, they will
shove their ad/search page to your web browser instead of issuing the
DNS fail. If you do have an account (which requires their DNS client
installed on your host) but configure it to disable their ad/search page
on DNS failure then you also disable other features in that account.
Because they're showing you a page, the lookup did not fail, which is why
this behavior screws up some programs that expect to actually get an
error if the page specified cannot be reached.
My ISP (Comcast) also decided to provide this, um, "help" page on a DNS
failure; however, upon request (which you have to do via chat or phone
call, not as an online configurable option) you can have them disable it
for your account which I did.
Comodo DNS and Symantec's (Norton) DNS also shove this "help"
(ad/search) page to your web browser on a DNS fail. My ISP (Comcast)
does not only because I requested them to remove their "helper" service.
Google does not, so I'm using them (with fallback to my ISP's DNS server
by configuring TCP/IP to first use Google DNS and have my ISP DNS listed
second). You can easily see which of the big DNS providers are screwing
up the DNS fail (by not failing and instead sending their "help" page)
by getting Steve Gibson's DNS Benchmark utility:
https://www.grc.com/dns/benchmark.htm. It does not require
installation. Just download and run.
It will show which of the pre-defined DNS servers (and any that you add)
are corrupting the DNS fail by not failing and showing you their "help"
page. The following were shown in brown by the benchmark tool, meaning
"Bad domain names are intercepted by provider": OpenDNS,
UltraDNS, Cox, Sunbelt ThreatTrack, and AnyCast. Although the tool
comes with (downloads) its own preset list of DNS servers, you can add
more DNS servers. Typically I delete a ton of them from the preset list
since I'll never use them so I can just focus on the candidates.
Alas, probably to keep his program small, you have to visit the web page
(https://www.grc.com/dns/operation.htm) to understand the meaning of the
various icons, like the colors and what a partial or whole circle means.
> I've been using AcrylicDNS, which defaults to OpenDNS but can use any
> service. AcrylicDNS is a proxy. It runs as a service.
If you are not getting the "help" page on DNS fails with Acrylic, and if
they are using OpenDNS, then either they have a special or business
account with OpenDNS to avoid corrupting the DNS operation (by showing a
web page and a DNS success when it should've been a DNS fail), or they
configured their OpenDNS account to disable the "help" redirection, which
may lose the other features at OpenDNS, but then Acrylic replaces some
with its own features (you don't mention if Acrylic also provides
domain blocking by category, like hate, sex, alcohol, gambling, as is
available at OpenDNS).
> I like it because it has its own HOSTS file that allows me to use
> wildcards. For instance, I can block *.doubleclick.net. I don't have
> to list all possible subdomains.
So it is not a hosts file. A hosts file can only block on hostnames
(host.domain.tld). That's why, for example, in the pre-compiled hosts
file, like from MVPS, there are over 50 entries just for Doubleclick.
Plus a nameserver can respond to any host to reply with an IP address to
ensure you will visit their page there which obviates the hosts file
because you'll never be able to define every possible hostname that
could be used.
What you describe is a URL block filter (not by IP address which is
pretty much worthless to end users but a URL string filter). Avast
anti-virus has one. OpenDNS lets you define up to 50 URLs in a free
account.
> One caveat, though: AcrylicDNS is slightly buggy. Every few weeks the
> service fails to start and I have to reinstall it. That only takes a
> minute, but still...
Don't you have your TCP/IP setup regarding DNS specify multiple DNS
servers? If one cannot be reached then the next gets used. Or are you
stuck with all DNS requests going through the Acrylic service?
Sounds like you'd be smarter to use a local security utility
(anti-virus, firewall) that has its own URL filtering and specify
OpenDNS (unless you want one that does NOT corrupt DNS with their
redirection to a "helper" page) as your primary DNS server and your ISP
as your secondary DNS server in your TCP config.
Other options: If you don't care about privacy with your ISP you can
research other DNS servers. There are sites online that report the
speed of various servers.
Besides showing you which DNS servers are corrupting DNS with their
redirection to a "help" page (i.e., they NEVER report a failed DNS
lookup), the GRC benchmark tool can also indicate which DNS servers are
better than others; however, you need to do this test over many days to
get an idea of which is faster since a single test at just one time of
the day won't tell you how they respond to load over time. Go to the
Nameservers tab and click on the "Run benchmark" button. It's free and
doesn't install (just run it).
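
The interception check the post describes (query a name that cannot exist and see whether the resolver answers NXDOMAIN or hands back an A record for its own "help" page), written out as an added example. This is not code from the original post, from GRC's DNS Benchmark, or from any resolver operator; it builds and parses raw DNS messages itself so it can be exercised offline against constructed replies, and the two sample replies, the placeholder name nx-f3a9c1.com and the address 192.0.2.10 are assumptions made up for the demonstration.

```python
"""Detect NXDOMAIN interception ("help page" redirection) by a DNS resolver.

An honest resolver answers a query for a nonexistent name with RCODE 3
(NXDOMAIN). A resolver that monetises typos answers NOERROR with an A
record pointing at its own search/ad web server, so software that expected
a failure gets a "success" instead. Only the standard library is used.
"""
import random
import socket
import struct

TYPE_A = 1
CLASS_IN = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ended by a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Standard recursive A query (flags 0x0100 = RD set), one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the pointer is the last thing we consume
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Return (txid, rcode, [A-record IPs]) from a DNS response message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return txid, rcode, ips


def classify(expected_txid, data):
    """Label the reply to a query for a name that cannot exist."""
    txid, rcode, ips = parse_response(data)
    if txid != expected_txid:
        return "mismatched transaction id (ignore; possible spoofed reply)"
    if rcode == RCODE_NXDOMAIN:
        return "honest: NXDOMAIN"
    if rcode == RCODE_NOERROR and ips:
        return "intercepted: NOERROR with A record(s) " + ", ".join(ips)
    if rcode == RCODE_NOERROR:
        return "NOERROR with no A record (NODATA)"
    return "unexpected rcode %d" % rcode


def live_check(resolver_ip, timeout=3.0):
    """Send one UDP query for a random label under .com (needs network)."""
    name = "nx-%016x.com" % random.getrandbits(64)  # no one registers this
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return name, classify(txid, data)


# Constructed sample replies (assumed, not captured from any real resolver)
# so the classifier can be run offline. 192.0.2.10 is a documentation address.
SAMPLE_NAME = "nx-f3a9c1.com"
SAMPLE_TXID = 0x1234
_QUESTION = encode_name(SAMPLE_NAME) + struct.pack(">HH", TYPE_A, CLASS_IN)


def sample_nxdomain():
    """Honest reply: flags 0x8183 = QR, RD, RA, RCODE 3; no answers."""
    return struct.pack(">HHHHHH", SAMPLE_TXID, 0x8183, 1, 0, 0, 0) + _QUESTION


def sample_intercepted():
    """Hijacked reply: NOERROR plus one A answer (name is a pointer to 12)."""
    answer = (b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 60, 4)
              + socket.inet_aton("192.0.2.10"))
    return struct.pack(">HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0) + _QUESTION + answer


if __name__ == "__main__":
    print(classify(SAMPLE_TXID, sample_nxdomain()))
    print(classify(SAMPLE_TXID, sample_intercepted()))
    # print(live_check("8.8.8.8"))  # uncomment to test a real resolver
```

Run it against each candidate resolver with live_check a few times over several days, as the post suggests for the benchmark; a single reply tells you only what that resolver did at that moment. The transaction-id check matters because a UDP reply that does not match the query you sent should be discarded, not classified.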