DNS Server?


Good morning. Yesterday I saw a tweet that said to use an OpenDNS server in your router. What is the benefit of doing this, and are there better options? My current provider is RCN. I have never changed the DNS setting in my router before as it suggested doing. I read you could use Google's DNS server as well; please explain.

Thank you


Depending on where you live, ISP-provided DNS servers are sometimes censored or redirect wrong addresses to pages with ads or worse. The benefit of using an alternative, like OpenDNS, is that they can be open and unrestricted, and even provide extra functionality like filters per a user's choice. Another benefit is speed: most likely, for instance, Google's public DNS servers will outperform your ISP's.

Note that there are many options besides Google and OpenDNS. I always use Google's because it's free, very fast and unrestricted. Perhaps they collect my data, perhaps not.


Thanks for the feedback, Jub. Would you suggest using Google DNS servers over OpenDNS? I put their server IPs in my router yesterday, even though I had a question about doing so. I live in the US, PA to be exact.

Thanks


Use this tool to find the fastest servers in your area: https://www.grc.com/dns/benchmark.htm

That tool will also tell you how the server redirects any bad requests.

As far as Google's servers, they are nowhere near the top of the list for me, nor are OpenDNS's. Neither is as close to as good as so many people try to make them out to be!

Haven't ever come across a DNS server that wasn't free either!


Originally I switched from my ISP's DNS to Google's public DNS because it was faster, but recently I've been using OpenDNS because they also offer an additional feature for free: they now block DNS entries for known phishing sites. In benchmarking they are slightly quicker for me than Google, but outside of benchmarks it's nothing anyone would notice.


OK, I downloaded that program and looked at all the data. Not sure what I am looking at, even after reading the conclusion tab. Not sure what the different color dots mean: solid green, just a green circle, etc. I removed the 30 bad servers off the list as well.

Thanks


1 hour ago, cork1958 said:

Use this tool to find the fastest servers in your area: https://www.grc.com/dns/benchmark.htm

That tool will also tell you how the server redirects any bad requests.

As far as Google's servers, they are nowhere near the top of the list for me, nor are OpenDNS's. Neither is as close to as good as so many people try to make them out to be!

Haven't ever come across a DNS server that wasn't free either!

Thanks for the tip!


The benchmarks can be misleading as well. Your router should be caching what it looks up anyway. So saying you can look up www.something.com 2ms faster from Google vs your ISP is kind of meaningless. Your clients also cache what they look up.

Now your router's cache might be small, but again a couple of ms is not going to matter, as the forwarder you're using is going to cache and the client is also going to cache for the length of the TTL of the record.

In the long run, sure, it might be a bit better to use a caching nameserver like OpenDNS or Google that gets LOTS and LOTS of requests for lots of sites. So anytime you might need to look up something it's already been looked up and is in the cache. Saves you a couple of ms. But in the big picture it's not going to really make any real difference in your browsing, if you ask me.

Keep in mind Google and Open are not really doing this out of the goodness of their hearts - they are getting something for it. OpenDNS used to return ads or their page when what you were looking up returned an NX or fail. They have stopped this practice from my understanding; it was not proper RFC-compliant to do that and they got a huge amount of flak for it. As to phishing sites, if that is your concern: most browsers use some form of this anyway - Firefox has its own listing of bad sites and prevents you from going there, for example.

I don't believe OpenDNS has yet to add DNSSEC support, and while they did add IPv6 - it's a sandbox-type deployment, and if you're using their IPv6 NS you don't get any of the phishing protection, etc.

While Google does have IPv6 and DNSSEC, keep in mind that use of these public DNS might not return the best CDN for your use, unless they happen to run an NS in your actual location. Your app/browser might be told to use a CDN server that is not really the best one for you to use based upon your location. I know Google is working with some of the big CDNs to send part of your IP in the query to know which CDN location might be closer to you for streaming that movie or downloading that update, etc.

If what you're after is phishing protection, or malware protection, etc., and you want something a bit more than what your browser already does - sure, go with a DNS provider that does that. But don't think it's going to make your browsing FASTER ;) Maybe it will - but to be honest probably just a placebo effect. Unless of course your ISP DNS just blows completely.

If you're not paying for something - then you're the payment. Might not be personal, but quite sure all of them report on what sites get the most queries and from what part of the country, etc.

I personally just run my own resolver. This way I know for sure I have DNSSEC, and I always get the information straight from the authoritative server for what I am looking up vs some cached entry, or maybe not correct for my geographic location, etc.

It's pretty simple to set up BIND or Unbound to be your local caching server, which you can then have resolve vs forward for DNS. While this might take a couple of extra ms when looking up something new, or when the authoritative NS for the domain is on the other side of the planet from me, etc., once it's cached it doesn't make a difference if the original lookup took 10ms or 20ms, etc. Keep in mind when you get a query from a caching server like Google or Open - you're only going to get what was left of the TTL. So if that TTL is about to expire, you're just going to have to look it up again. When you run your own resolver you're always going to get the full TTL for that record because you asked the authoritative server directly.

If you're looking for speed of answer to your browser for something, running your own resolver that supports prefetching can mean that what you're looking for is only as far away as your local server, so 1 or 2 ms vs having to go ask Google or Open that might be 30, 40 ms away from you. BIND and Unbound both have prefetching... What that means is: hey, the TTL is about to expire - go ask the authoritative servers for that. So when you ask your resolver it's going to be there for you, etc. This is great if you're always going to the same sites, etc. But a resolver can be a bit slower if you're looking up something that has never been looked up before and their authoritative servers suck or are on the other side of the planet. That initial lookup might take a bit longer than asking Google or Open for it, etc. But normally you're talking a handful of ms - which means nothing in the big picture.

Long story short, if your ISP DNS sucks!! Or serves up ###### when you should be getting NX or fail. Sure, use a public DNS. There are more players than just Google and Open, that is for sure. But if you really want to make an informed decision, do some research on how DNS works. Running some benchmark tool that tells you this server is faster than that server is not really the whole picture. Are they using DNSSEC? Do you want to be able to query them over IPv6? Do they give you the answers that are best suited for your geographic area for stuff that uses that info to best serve up their content (CDN - content delivery network)? Akamai, Amazon, OVH, Cloudflare are some you might have heard of.

I could go on and on about DNS ;) It's one of my favorite subjects. And I have been playing and working with it for many, many years. I don't use any of those public services; I just run my own resolver. If I had to choose between Google or Open, I would lean towards Google just because they have DNSSEC and IPv6 and never served up crap like Open did for NX and fail.

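The three things the post above says to check in a resolver (honest NX answers, DNSSEC, and how much TTL a cache hands back) can all be read from a raw DNS response. This is an added example, not part of the original thread: the helper names are hypothetical and the sample responses are constructed with documentation addresses.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
AD_FLAG = 0x0020  # "authenticated data": the resolver validated DNSSEC

def skip_name(msg, off):
    """Step over a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def summarize(msg):
    """Pull rcode, AD flag and answer TTLs out of a raw DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _type, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)),
            "dnssec_validated": bool(flags & AD_FLAG), "ttls": ttls}

def nx_rewritten(msg):
    """True if a query for a name that does not exist got answers back."""
    s = summarize(msg)
    return s["rcode"] == "NOERROR" and len(s["ttls"]) > 0

def sample(qname, flags, a_records):
    """Constructed test data: a response carrying (ttl, ipv4) A records."""
    msg = struct.pack("!6H", 0x1234, flags, 1, len(a_records), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for ttl, ip in a_records:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(ip)
    return msg

NX_NAME = b"\x0cno-such-host\x07example\x00"
HONEST = sample(NX_NAME, 0x8183, [])                        # NXDOMAIN
REWRITTEN = sample(NX_NAME, 0x8180, [(60, (192, 0, 2, 1))])  # landing-page A
CACHED = sample(b"\x03www\x07example\x00", 0x81A0, [(42, (192, 0, 2, 7))])
```

In the `CACHED` sample the TTL of 42 is what a shared cache has left on the record; the same record fetched from the authoritative server would carry its full TTL.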

The green dots mean they either totally block redirects (full green circle) or partially block them (green circle).

The only difference is that with the full green circle you will see the usual 404 error page not found and the partial green circle means you could see that server's error 404 page, if I remember correctly.

As BudMan stated though, the small difference in speed is measured in milliseconds, so you're not going to see any real major difference. The main thing is the dependability of whatever server you use and how it redirects.

You're welcome also Steven! :)


4 hours ago, cork1958 said:

The only difference is that with the full green circle you will see the usual 404 error page not found and the partial green circle means you could see that server's error 404 page, if I remember correctly.

That is not even close ;)

https://www.grc.com/dns/operation.htm

See the link for full details.


20 hours ago, BudMan said:

That is not even close ;)

https://www.grc.com/dns/operation.htm

See the link for full details.

Thanks for looking that up, BudMan, and as I said, I wasn't positive on what they meant, but I am fairly sure they USED to mean what I said. Been a long time (as in years) since I paid any attention to that part of that tool.
