I like OpenDNS, but was wondering if anyone has experience deploying it for a location with an Exchange installation. I'm concerned specifically about whether any filtering they do would cause problems with reverse DNS lookup that might interfere with the server or the anti-spam (GFI in our case) installation. Thanks for any insights.
EDIT: Just to follow up for anyone who comes across this question, I went ahead and swapped out our ISP's DNS IPs for OpenDNS's in our LAN's DNS forwarders -- took all of a minute and a half -- and it worked fine. We eventually swapped just our mail and spam servers to point to Google DNS rather than OpenDNS only because I was tired of seeing all the mail queries in our OpenDNS reports, and it has worked great this way as well.
We also eventually swapped out our Exchange/GFI setup for Zimbra and an Exim-based mail filter/gateway (MailCleaner, excellent BTW!), and have successfully kept the same arrangement with Google DNS on these servers and everything else forwarding to OpenDNS.
We use OpenDNS on a corporate network with 2 Exchange servers, and 4 Postfix mail servers without problems in the following manner:
No problems with mail or reverse DNS.
I agree, OpenDNS is great.
Personally I would only use OpenDNS for end users. Use your ISP's DNS services for the servers; other than the speed boost OpenDNS gives you, I can't see what advantage there would be to using it on a server, and it is only going to add one extra thing to debug when trying to resolve a problem.
That said, I think OpenDNS have thought it through quite well: if you look up 'google.com' you get 209.85.171.100, 74.125.67.100 and 74.125.45.100, all Google IP addresses, whereas if you look up 'www.google.com' you get 208.69.34.231 and 208.69.34.230, both OpenDNS IP addresses.
There should be no problem setting OpenDNS as the DNS provider for your network. I happen to like it. I use it at home, and we will likely be switching to it at work when we switch ISPs later this month.
EDIT: OpenDNS filters outgoing mail requests using the same filter settings as web requests. So, you will have trouble sending mail to a domain that you are blocking. There are two choices if you have this problem: use a different DNS for the mail server, or edit your whitelist for the mail sub-domains.
DNS can be very complicated, but the basics are straightforward. There are two separate (although related) things to worry about with respect to DNS. Many companies use the same DNS provider (or servers) for both of them, but that is not necessary.
First is the DNS provider which will respond to requests on the internet for information about your domain. This is the server (or servers) specified in the domain registration information. If this is not done by your ISP, you may need to work with the provider to ensure that reverse DNS works properly.
Second is the DNS provider which will resolve requests from your network for other domains. Typically this is provided by the ISP connecting a network to the internet. This is what OpenDNS provides. The outside world does not know (or care) how your network resolves DNS requests for other domains.
I hope this makes sense; if it doesn't, please comment and I will update.
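The two points made in the answers above (the edit about a filtering resolver breaking outbound mail to a blocked domain, and the distinction between the authoritative DNS the outside world queries and the recursive DNS your servers use) can be checked mechanically before swapping a mail server's resolver. The following Python is an added example, not code from the original thread or from OpenDNS. It models a recursive resolver as an injectable lookup function over constructed sample records (RFC 5737 documentation addresses; the block-page address 198.51.100.250 and the hypothetical "filtering resolver" are assumptions standing in for whatever a real filtering service returns), so it runs offline. To use it against a real resolver you would supply a `lookup` that issues MX, A and PTR queries (for example with dnspython); that is left out here.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# A resolver, from this script's point of view, is just (name, rrtype) -> answers.
Lookup = Callable[[str, str], List[str]]

# Constructed sample zone data (not real records). example.net is the recipient
# domain; 192.0.2.0/24 stands in for its hosts.
HONEST_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("example.net", "MX"): ["20 mail2.example.net", "10 mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.25"],
    ("mail2.example.net", "A"): ["192.0.2.26"],
    ("www.example.net", "A"): ["192.0.2.80"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    # A PTR that names a host which does not resolve back: fails FCrDNS.
    ("99.2.0.192.in-addr.arpa", "PTR"): ["bogus.example.org"],
}

# Assumption: the address a filtering resolver hands out for blocked names.
BLOCK_PAGE_IP = "198.51.100.250"
RESOLVER_IPS = {BLOCK_PAGE_IP}


def honest_lookup(name: str, rrtype: str) -> List[str]:
    """Plays the role of the ISP's (non-filtering) recursive resolver."""
    return list(HONEST_RECORDS.get((name.lower().rstrip("."), rrtype), []))


def make_filtering_lookup(blocked_domains: Iterable[str], whitelist: Iterable[str] = ()) -> Lookup:
    """Model of a resolver that applies web-category filtering to every A query,
    including those made on behalf of mail delivery. Whitelisted names resolve
    honestly; any other name at or under a blocked domain gets the block page."""
    blocked = {d.lower() for d in blocked_domains}
    allowed = {n.lower() for n in whitelist}

    def lookup(name: str, rrtype: str) -> List[str]:
        n = name.lower().rstrip(".")
        if rrtype == "A" and n not in allowed and any(n == d or n.endswith("." + d) for d in blocked):
            return [BLOCK_PAGE_IP]
        return honest_lookup(n, rrtype)

    return lookup


def outbound_mail_path(lookup: Lookup, domain: str, resolver_ips=RESOLVER_IPS) -> dict:
    """Follow MX -> A the way an MTA does, and flag any MX host whose address is
    owned by the resolver itself (i.e. mail would go to a block page, not the recipient)."""
    problems: List[str] = []
    mx = lookup(domain, "MX")
    if not mx:
        return {"domain": domain, "deliverable": False, "targets": [], "problems": ["no MX record"]}
    targets = []
    for pref, host in sorted((int(p), h) for p, h in (r.split(None, 1) for r in mx)):
        ips = lookup(host, "A")
        targets.append((pref, host, ips))
        if not ips:
            problems.append(f"MX {host} has no A record")
        for ip in ips:
            if ip in resolver_ips:
                problems.append(f"MX {host} resolves to resolver-owned address {ip}")
    return {"domain": domain, "deliverable": not problems, "targets": targets, "problems": problems}


def fcrdns(lookup: Lookup, ip: str) -> dict:
    """Forward-confirmed reverse DNS: the check an anti-spam gateway performs on a
    connecting client. PTR must name a host whose A record contains the same IP."""
    ptr = ipaddress.ip_address(ip).reverse_pointer
    names = lookup(ptr, "PTR")
    confirmed = [n for n in names if ip in lookup(n, "A")]
    return {"ip": ip, "ptr_names": names, "confirmed": confirmed, "passes": bool(confirmed)}


if __name__ == "__main__":
    filtering = make_filtering_lookup(["example.net"])
    fixed = make_filtering_lookup(["example.net"], whitelist=["mail.example.net", "mail2.example.net"])
    for label, lk in [("ISP resolver", honest_lookup), ("filtering", filtering), ("filtering + whitelist", fixed)]:
        print(label, outbound_mail_path(lk, "example.net"))
        print(label, fcrdns(lk, "192.0.2.25"))
```

Running it shows the three situations from the thread side by side: with the honest resolver mail to example.net is deliverable and the sending host passes FCrDNS; with the filtering resolver both MX hosts resolve to the block page, and even the inbound FCrDNS check fails because the A lookup of the PTR name is filtered too; whitelisting the mail hosts restores delivery without abandoning the filtering resolver. Note that nothing here touches the first kind of DNS (your authoritative zone and the PTR records your ISP publishes for you); changing the recursive resolver your servers forward to cannot fix or break what the outside world sees for your domain.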
I think the coolness of OpenDNS is fading in some cases. My objection to it is the increasing prevalence of high-bandwidth websites such as YouTube, and even newspaper and cable news websites with lots of video.
In some cases, your ISP provides a higher speed connection to these resources via dark fiber or a CDN like Akamai. They often point you to these resources via split-brain DNS. When I was stuck with Comcast, it didn't matter because their DNS servers suck. At work or at my current home, however, the upstream DNS is fine.