The Problem: Managing Internet access
Broadband Internet access at 3 to 10 Mbit/sec is available at most business locations in the US, and T1 service (1.5 Mbit/sec) is available everywhere, at a higher price of course. Managing how that bandwidth is used matters more than ever, because many companies now push business-critical traffic over the same link: LAN-to-LAN VPNs to other offices and outsourced applications, both web and non-web based. End users running peer-to-peer (P2P) file sharing or streaming media, or simply browsing heavy sites such as Craigslist, eBay, and fan-site message boards, can render a corporate network unusable, unstable, or just very slow and unresponsive for anywhere from a few seconds to minutes or more. Content-filtering appliances such as Websense, SurfControl, and the Barracuda Networks Web Filter are an option for some organizations, but they work best when Internet access is centralized at one choke point, such as just inside an Internet-facing firewall. What about decentralized networks, where several sites are spread across a WAN or VPN cloud? Backhauling every site's Internet traffic to one choke point so that a single appliance can apply the access policy wastes bandwidth and hurts performance, and licensing for these commercial appliances is not cheap either.
The Solution: OpenDNS plus a local proxy cache
OpenDNS is a service you can sign up for and test free of charge at http://www.opendns.com. Commercial use carries an access charge, and the paid service adds further benefits. Richweb sets up an OpenBSD appliance on a 1U rack-mount server (or a desktop tower for lower budgets) and configures a DNS cache on it; we refer to these appliances as an sgw box, or secure gateway. The DNS cache on the sgw box forwards all queries to the OpenDNS resolvers. The squid proxy cache is installed on the same box, and Windows domain Group Policy (GPO) is used to require that all outbound HTTP traffic go through that proxy, settable per user or per group.
Once you have an OpenDNS account, you register the public IP address that the sgw box uses for its outbound queries as a managed network in the OpenDNS web console (OpenDNS identifies your network by that source address). You can then choose which categories of content to allow from the console. It behaves much like a typical web-content filter, except that the filtering happens at the DNS level, not at the HTTP level: a blocked site's name simply resolves to an OpenDNS block page instead of the real server. The practical consequence is that the filter only applies to clients that actually resolve through the sgw box. A workstation pointed at another resolver, or at a site by raw IP address, sees no filtering at all, so the sgw box's firewall should allow only the sgw itself to send DNS and web traffic out to the Internet; the GPO proxy setting on its own is a convenience, not an enforcement mechanism.
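As an added worked example, not code from Richweb or from the original page, here is how the sgw box described above could be configured on a current OpenBSD release, with unbound as the local DNS cache forwarding to OpenDNS, squid as the proxy accepting only the LAN, and pf rules that make the two enforceable by dropping any client traffic that tries to go around them. The LAN range, gateway address, interface names and staging directory are assumptions; the two OpenDNS resolver addresses are the published ones. The Windows GPO proxy setting and multi-link routing are not part of this example.

```shell
#!/bin/sh
# Stage the three configuration files for an OpenBSD "sgw" box:
#   unbound.conf  local DNS cache that forwards every query to OpenDNS
#   squid.conf    proxy that accepts only the LAN and resolves via that cache
#   pf.conf       firewall rules so LAN clients cannot bypass either one
# Assumed (hypothetical) addressing: LAN 192.168.1.0/24, sgw 192.168.1.1,
# em0 = Internet side, em1 = LAN side. 208.67.222.222 and 208.67.220.220 are
# the published OpenDNS resolvers. Files are written to a staging directory
# for review, then copied by hand to /var/unbound/etc, /etc/squid and /etc.
set -eu

stage_sgw_configs() {
    dir=$1
    mkdir -p "$dir"

    cat >"$dir/unbound.conf" <<'EOF'
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
# Every name, cached or not, is ultimately answered by OpenDNS, so the
# account's content policy applies to every client using this resolver.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
EOF

    cat >"$dir/squid.conf" <<'EOF'
http_port 192.168.1.1:3128
# Squid resolves through the local forwarder, never through an unfiltered upstream.
dns_nameservers 127.0.0.1
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
cache_dir ufs /var/squid/cache 4096 16 256
access_log /var/squid/logs/access.log squid
EOF

    cat >"$dir/pf.conf" <<'EOF'
ext_if = "em0"
int_if = "em1"
lan = "192.168.1.0/24"
sgw = "192.168.1.1"
set skip on lo
block log all
# Clients may talk to the gateway's resolver and proxy ...
pass in on $int_if proto { tcp udp } from $lan to $sgw port 53
pass in on $int_if proto tcp from $lan to $sgw port 3128
# ... but direct DNS or web traffic to the Internet (a client pointed at
# 8.8.8.8, or at a site by IP) is dropped and logged. These rules are what
# turn the DNS-level filter and the GPO proxy setting into an enforced policy.
block in log quick on $int_if proto { tcp udp } from $lan to ! $lan port 53
block in log quick on $int_if proto tcp from $lan to ! $lan port { 80 443 }
# Everything else from the LAN (VPNs, mail, business apps) is NATed out as usual.
pass in on $int_if from $lan to ! $lan
match out on $ext_if from $lan to any nat-to ($ext_if)
pass out on $ext_if
EOF
}

# Run as: sh stage_sgw.sh /tmp/sgw-stage
if [ $# -gt 0 ]; then
    stage_sgw_configs "$1"
fi
```

After staging, `pfctl -nf /tmp/sgw-stage/pf.conf`, `unbound-checkconf /tmp/sgw-stage/unbound.conf` and `squid -k parse -f /tmp/sgw-stage/squid.conf` will syntax-check each file before it is installed. The ordering in pf.conf matters: the two `block ... quick` rules stop evaluation, so they win over the later general `pass in` for the LAN, while the passes to `$sgw` are unaffected because the gateway address is inside `$lan`.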
Because squid caches both DNS answers and the HTTP objects it fetches, it speeds up web access and saves bandwidth, usually 30 to 50% or more, depending on how much of the traffic is cacheable content that several users request. Note that HTTPS traffic is only tunneled through the proxy (CONNECT) and is not cached, so the savings come from plain HTTP. If you have more than one Internet connection, such as a private T1 or VPN link back to headquarters plus a broadband (FiOS or Comcast) connection, you can split the traffic by policy: route the proxy's outbound traffic over the broadband link, which leaves the other connection free for business applications, VPNs and the like that run far better when they are not competing with general web browsing.
Be sure to review the information at the link below about an interaction between OpenDNS and your local e-mail server that can cause problems: