The Fastest and Most Secure DNS
I’ve been using DNSFilter for a few weeks and it has been an absolute pleasure. The company recently closed an investment from Justin Label at InnerLoop Capital and I’ve gotten to know the founding team. DNSFilter has an AI engine that identifies a variety of malicious threats and does not have any humans in the loop. It is also really, really fast. DNSFilter Co-Founder and CEO Ken Carnesi agreed to answer a few questions about their approach to fast and secure DNS.
Q1 - When I first heard of DNS Filter, my first thought was there were already major established players in this space? What inspired you to take on the incumbents?
Well, for me, those “established players” are exactly what creates the space for us to compete. I was actually an OpenDNS customer (I used them at the ISP I started before DNSFilter). I was a big fan of the product because I knew that traditional hardware-based solutions were on the way out. I thought, as a technology, DNS was one of the broadest, most effective and easy to manage solutions for securing your network. However, the moment I got wind of Cisco’s acquisition of OpenDNS, I personally saw prices rise, support go downhill and I knew they’d be on the way out.
Then, I thought about how much technology had progressed since 2008, when OpenDNS started. I realized we could leverage virtualization and AI to do create a better product and network faster and with much less funding, and my personal experience as an ISP would really help speed things along. Fast forward, and today we have the fastest threat protection DNS network in the world. We’re growing fast, the network is making a major shift due to the proliferation of encryption and the market has tripled in size with no end in sight.
In my opinion, Cisco has gone the path I expected them to and we intend to be the most effective and innovative company in the industry. We’re just getting started, and we have plans that go well beyond our current offerings.
Q2 - How does AI help deliver more timely security than the traditional method of curating threat feeds and manually reviewing them?
Well, as you touched on in your question, many if not all of our competitors at least at some point in the process have the issue of manual review. I see a lot of companies in the industry bragging about the size of their database - relying on impressing would-be customers with the fact that they have over a billion domains in their database. My question is - who cares?
Let me give you a real-world example. Today, you go to www.mydentist.com - it is categorized as a safe domain because it’s a dentist web site. Then, in one week, the dentist doesn’t renew the domain and it goes up for sale. It gets bought by malicious actors who then use it to host malware. If you’re relying on manual review it may be days or weeks before your filter picks up on it - in the meantime, you’re getting infected because your filter still believes it’s a dentist web site until a human actually flags it.
DNSFilter not only uses our Webshrinker AI technology to scan the database multiple times per day, but any time a customer visits a domain we’ve never seen before, we scan and categorize it in real-time, immediately adding it to the database for every DNSFilter customer in the world. We find threats in seconds, not days or weeks. In fact, we frequently find phishing or deception threats over 24 hours ahead of even Google themselves. In tests performed with several of the Fortune 500 companies we have as customers, we were 5-7x more effective than the incumbent provider. I think this speaks a lot to the AI behind our product and what we’ve been able to accomplish with the great team we have.
Q3 - For a young company, your DNS response rates are higher than almost everyone else in the market. I like this because DNS should be super reliable to begin with. What is your overall approach to DNS, use of DNS over SSL and letting your customers leverage DNS filter when they go home or travel?
I couldn’t agree more. So, as I mentioned, we wanted to focus on virtualization as opposed to racking bare metal servers in data centers. This allows us to be extremely efficient and scale on-demand nearly immediately. Right now, we operate hundreds of servers across 48 locations around the globe. Additionally, those 48 locations are split across two fully separated and fully redundant anycast networks. What this means is no point of presence is shared between our primary and secondary networks. As far as I know, we’re the only ones doing this.
Anycast technology is very resilient, to begin with - if one of our data centers was to ever go offline, you would immediately have your traffic rerouted to the next nearest location with zero packet loss. However, with two fully redundant networks, even if our entire primary network went down, the second global network is still fully anycast and available. This is how we’ve maintained 100 percent resolver uptime for the history of the company.
Separately, from a performance perspective, this vast network allows us to be the fastest threat protection/content filtering network in the world. We are also the second fastest DNS network in the world, even beating Google DNS, who we are often 2-3x faster than. This is crazy - because it means for most of our customers you can actually increase your internet performance and reliability while also adding an incredibly effective layer of protection.
For national and multi-national corporations our global network means a single setting across all devices and networks. For example, if your CEO gets off a flight from LA to London, the moment they connect to the internet in London data center location. The opposite of this is what one of our competitors do - they operate out of an AWS data center, which doesn’t support have anycast DNS. Believe it or not, this means you actually have to think about which offices and users you point to which AWS data center that’s geographically closest to you. And if that AWS data center goes down (which, trust me, they do) - good luck!
Q4 - There are a lot of different ways to offer a solution like DNS Filter. What sorts of customers have you sold to and how open are you to OEMs, MSSPs and other types of business models?
Oh absolutely, this is another area we’ve focused on. DNSFilter primarily focuses on selling to MSPs, MSSPs and Enterprises. We have something like 700 MSP partners using us at the moment, but thousands of customers globally. On the Enterprise side, we have companies like NVIDIA, who actually recently published a blog post about us. They’re using us to secure their 18,000 employees and next-generation gaming networks. They were able to deploy us globally in just a few hours.
Additionally, DNSFilter is completely API driven and fully white labeled. This means we’re perfect for an OEM type relationship. One of our customers is actually one of the largest organizations in the world. They operate a router product and we’re providing the threat protection and DNS service to what will likely grow to over 1 million homes. What I say is that we’d love to be the thing that runs all of the things - we’re cool with that.
Q5 - Where can readers go to learn more?
I would definitely direct them to please visit our web site at DNSFilter.com where they can learn more about our product and the technology behind it. Additionally, if you check out places like the MSP subreddit you’ll be able to read about our customer's opinions and experiences directly so you don’t have to take my word for it!