Just because our name is OpenDNS doesn't mean that we are solely focused on the DNS protocol. Being a DNS provider has a lot of advantages: it offers a bird's eye view of connectivity across our entire customer base, allows us to use that data to benefit everybody, and it's a simple way to inspect traffic from any device, anywhere, at any time. However, high-quality security requires information beyond domain names alone. This is where the OpenDNS Intelligent Proxy comes in. We call it the "intelligent proxy" because, unlike other proxy-based solutions, we don't have to proxy absolutely everything to catch suspicious activity. Whenever we see a DNS query for a questionable domain, one that we don't want to completely allow or completely block, we answer that query with the address of a proxy instead of the domain's real address. By doing this, we can dive deeper into the transaction and make a more informed decision on whether it is safe or potentially dangerous.
Inspecting traffic
A key feature that underpins the success of the proxy is its speed: the added overhead is less than 200 ms per query. This is because our fleet of proxies is spread across our data centers worldwide, with plans for additional locations in the near term. In addition, we only perform deep inspection for suspicious domains that meet certain criteria; everything else goes straight to the internet.
A query for a safe site (seen below) will return the original address:
But a query for a questionable one (see below) will return an IP of one of the proxies:
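The two answers above can be modeled in a few lines. The following is an added example, not OpenDNS code: a toy resolver that returns the origin address for an allowed name, the address of a proxy for a name on the suspicious list, and a block-page address for a blocked name. The verdict table, the upstream records, the proxy pool and the block-page address are all constructed sample data (RFC 5737 documentation addresses), and the longest-suffix verdict lookup and the hash-based proxy choice are assumptions of this example rather than a description of the real service.

```python
"""Added example, not OpenDNS code: a toy resolver that models the three
answers described above (origin address, proxy address, or block page).
Verdict table, upstream records and proxy pool are constructed sample data."""
import hashlib

# Constructed sample data; addresses are from RFC 5737 documentation ranges.
UPSTREAM_A = {
    "example.com": "93.184.216.34",
    "suspicious.example": "203.0.113.10",
    "malware.example": "198.51.100.7",
}
VERDICTS = {                            # the "suspicious list" in the post (assumed shape)
    "suspicious.example": "inspect",    # not sure yet: send the client through a proxy
    "malware.example": "block",         # known bad: send the client to the block page
}
PROXY_POOL = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
BLOCK_PAGE = "192.0.2.100"


def verdict_for(name):
    """Longest-suffix match so sub.suspicious.example inherits its parent's verdict."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        verdict = VERDICTS.get(".".join(labels[i:]))
        if verdict:
            return verdict
    return "allow"


def pick_proxy(name):
    """Deterministic proxy choice so repeated lookups of a name land on the same proxy."""
    digest = hashlib.sha256(name.lower().encode()).digest()
    return PROXY_POOL[int.from_bytes(digest[:4], "big") % len(PROXY_POOL)]


def answer(name):
    """What the resolver hands back for an A query: (address, reason)."""
    verdict = verdict_for(name)
    if verdict == "block":
        return BLOCK_PAGE, "blocked"
    if verdict == "inspect":
        return pick_proxy(name), "proxied"
    addr = UPSTREAM_A.get(name.rstrip(".").lower())
    return (addr, "upstream") if addr else (None, "nxdomain")


def steered(addr):
    """Client-side check: does the answer point at the proxy pool or the block page
    rather than at the origin?  Comparing the answer from a filtering resolver with
    the answer from an unfiltered one answers the same question in practice."""
    return addr in PROXY_POOL or addr == BLOCK_PAGE


if __name__ == "__main__":
    for name in ("example.com", "suspicious.example", "www.suspicious.example", "malware.example"):
        addr, reason = answer(name)
        print(f"{name:28} -> {addr} ({reason}, steered={steered(addr)})")
```

Note that the proxy itself still needs the origin address: once the client connects to 192.0.2.x, the proxy has to resolve the real name (from the Host header, for HTTP) and forward the request, which is why the proxy can make its decision on the full transaction and not just the domain name.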
Monitoring Stats
A granular understanding of how our global proxies operate is very important. The metrics we monitor matter not only for tracking traffic patterns, anomalies, latency, and performance; they also serve as an important source of data for our research team. Cross-referencing performance metrics such as requests per second or bytes per second with security metrics such as DNS query results, the number of blocked requests, and changes to our list of suspicious URLs/domains serves many purposes. Among them are:
- Detecting malware outbreaks, which often show up as a spike in the number of blocked requests toward a specific destination.
- Detecting DoS attacks, which are characterized by a general spike in traffic, usually from one or a few sources.
- Noticing when something is not right on our end, such as a false-positive entry in the suspicious URL list that creates an increase in proxy activity without a legitimate reason.
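The three cases in the list above differ in which counters move together, which is what makes them separable. The following is an added example, not OpenDNS code: three anomaly rules run over constructed per-minute proxy statistics (minute, source IP, destination, requests, blocked). The row format, the thresholds (a 5x growth over baseline, a 50 % blocked ratio for an outbreak, two sources carrying 80 % of traffic for a DoS) and the sample rows are all assumptions of this example.

```python
"""Added example, not OpenDNS code: three anomaly rules over constructed
per-minute proxy statistics.  Row layout, thresholds and data are assumptions."""
from collections import defaultdict

# Constructed sample rows: (minute, source_ip, destination, requests, blocked).
SAMPLE = [
    # minutes 0-4: quiet baseline, 20 clients, flat traffic, nothing blocked
    *[(m, f"10.0.0.{i}", "cdn.example", 5, 0) for m in range(5) for i in range(1, 21)],
    *[(m, f"10.0.0.{i}", "ads.example", 2, 0) for m in range(5) for i in range(1, 21)],
    # minute 5: outbreak -- many clients suddenly blocked on one new destination
    *[(5, f"10.0.0.{i}", "c2.example", 4, 4) for i in range(1, 21)],
    *[(5, f"10.0.0.{i}", "cdn.example", 5, 0) for i in range(1, 21)],
    # minute 6: DoS -- two sources dominate a spike toward an existing destination
    (6, "198.51.100.9", "cdn.example", 900, 0),
    (6, "198.51.100.10", "cdn.example", 700, 0),
    *[(6, f"10.0.0.{i}", "cdn.example", 5, 0) for i in range(1, 21)],
    # minute 7: false positive -- a popular site is now proxied, yet nothing is blocked
    *[(7, f"10.0.0.{i}", "news.example", 30, 0) for i in range(1, 21)],
    *[(7, f"10.0.0.{i}", "cdn.example", 5, 0) for i in range(1, 21)],
]


def baseline(rows, minutes):
    """Mean requests per destination per minute over a set of quiet minutes."""
    totals = defaultdict(int)
    for minute, _src, dst, requests, _blocked in rows:
        if minute in minutes:
            totals[dst] += requests
    return {dst: total / len(minutes) for dst, total in totals.items()}


def aggregate(rows, minute):
    """Per-destination request/blocked totals and per-source request counts for one minute."""
    by_dst = defaultdict(lambda: {"requests": 0, "blocked": 0, "sources": defaultdict(int)})
    for m, src, dst, requests, blocked in rows:
        if m == minute:
            entry = by_dst[dst]
            entry["requests"] += requests
            entry["blocked"] += blocked
            entry["sources"][src] += requests
    return by_dst


def top_share(sources, n=2):
    """Fraction of a destination's requests sent by its n busiest sources."""
    counts = sorted(sources.values(), reverse=True)
    total = sum(counts)
    return sum(counts[:n]) / total if total else 0.0


def detect(rows, minute, base, spike=5.0, dos_share=0.8, min_clients=10):
    """Apply the three rules from the post to one minute of statistics.

    Returns a list of (rule, destination) pairs; each destination gets at most one."""
    alerts = []
    for dst, entry in sorted(aggregate(rows, minute).items()):
        expected = base.get(dst, 1.0)            # never-seen destinations get a 1 req/min floor
        growth = entry["requests"] / expected
        blocked_ratio = entry["blocked"] / entry["requests"]
        concentrated = top_share(entry["sources"]) >= dos_share
        many_clients = len(entry["sources"]) >= min_clients
        if blocked_ratio >= 0.5 and many_clients:
            alerts.append(("malware_outbreak", dst))   # many clients, mostly blocked
        elif growth >= spike and concentrated:
            alerts.append(("dos", dst))                # big spike from a few sources
        elif growth >= spike and many_clients and blocked_ratio < 0.05:
            alerts.append(("false_positive", dst))     # proxied by many, but nothing to block
    return alerts


if __name__ == "__main__":
    base = baseline(SAMPLE, range(5))
    for minute in range(5, 8):
        print(minute, detect(SAMPLE, minute, base))
```

The order of the rules matters: the outbreak check runs first because a compromised fleet also produces a traffic spike, and the false-positive rule explicitly requires that the spike is spread across many clients so a DoS from two sources is not mistaken for a list error.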
Thanks to our monitoring systems, we can react fast and restore our customers' browsing experience before they even notice that an incident is taking place. As with security updates, each server in the fleet is responsible for pushing its own statistics to a centralized database. We use tools built in-house as well as open source projects such as Graphite and Nagios to visualize the data and to alert whenever anomalies are detected. Examples of these visualizations are shown below.
A platform for growth
At the time of this blog post we are mostly looking at HTTP traffic, but we have big plans for the Intelligent Proxy. From the beginning we have built this architecture to support more protocols and to inspect the data using a variety of techniques in parallel. Our team is constantly coming up with new ideas to leverage data from the billions of DNS queries we serve daily, as well as looking for innovative partners to collaborate with. As you can see, the OpenDNS Proxy is really a platform: it provides multiple layers of inspection without impacting the end-user experience or configuration, and we can easily scale up and add servers if the need arises. We are very excited to work on this project and plan on providing many new features in the upcoming months. Stay tuned…