Kitz Forum

Internet => General Internet => Topic started by: maxheadroom on December 23, 2021, 07:40:13 PM

Title: DNS Servers
Post by: maxheadroom on December 23, 2021, 07:40:13 PM
I originally used TalkTalk's DNS server as it was already set up in the router. I then tried OpenDNS as it was recommended and it seemed faster. I have over the years tried Google, OpenDNS and Cloudflare DNS instead of TalkTalk. Does it really make much difference?


Please move this if it's in the wrong forum.
Title: Re: DNS Servers
Post by: Weaver on December 23, 2021, 10:56:58 PM
They’re all pretty good in my opinion. It’s just about who you trust in respect of privacy concerns. Your own ISP’s DNS servers ought to be the fastest since they’re the closest, unless they’re rubbish because they’re overburdened in which case try the second ISP DNS server listed, worth a go. It’s definitely worth pinging every DNS server that you try.
Title: Re: DNS Servers
Post by: meritez on December 23, 2021, 11:24:49 PM
I use the following:

https://dns10.quad9.net/dns-query
https://dns-unfiltered.adguard.com/dns-query
https://doh.opendns.com/dns-query
https://dns.google/dns-query
https://dns.cloudflare.com/dns-query
https://dns.switch.ch/dns-query

And the following as bootstrap to resolve the IP addresses of the above:

9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10

Title: Re: DNS Servers
Post by: Alex Atkin UK on December 24, 2021, 05:55:08 AM
I think it was on the Netgate forum where they highly recommended you NOT use different DNS providers concurrently, as their potentially giving different results (some are filtered; I believe Quad9 is) could cause issues.

I believe there may also be some merit in using ISP providers in that they know their peering and routing so may return results preferring specific CDNs.  Although as I understand it most public DNS providers also consider your geolocation in their results.
Title: Re: DNS Servers
Post by: meritez on December 24, 2021, 06:10:45 AM
Quote
Is there a service that Quad9 offers that does not have the blocklist or other security?
The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, we do provide an unsecured service and it can be helpful in determining if there are false positives in the Quad9 threat feed or DNSSEC errors with a specific domain.

Unsecured IP: 9.9.9.10 Provides: No security blocklist, no DNSSEC, No EDNS Client-Subnet sent. Please use the unsecured secondary address of 149.112.112.10

IPv6: 2620:fe::10, 2620:fe::fe:10

https://www.quad9.net/support/faq/

Title: Re: DNS Servers
Post by: craigski on December 24, 2021, 10:14:27 AM
In terms of performance, this may help you decide:

https://www.dnsperf.com/#!dns-resolvers,Europe

Note that you may see Cisco Umbrella listed; this is another name for OpenDNS.
Title: Re: DNS Servers
Post by: broadstairs on December 24, 2021, 10:40:09 AM
I use the fastest servers by using DNSBench from Gibson Research.

Stuart
Title: Re: DNS Servers
Post by: 4candles on December 24, 2021, 03:59:57 PM
Quote from: broadstairs
I use the fastest servers by using DNSBench from Gibson Research.

Stuart

+1

Results vary from day to day and hour to hour, but some BT ones are consistently near the top so I use them with Plusnet.
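Weaver's advice to ping every resolver you try, and the DNSBench results Stuart and 4candles rely on, both come down to measuring round-trip time to each server. The script below is an added example (my own code, not from the thread and not DNSBench) that does the measurement directly: it builds a minimal UDP DNS query by hand, sends it to each resolver, checks that the reply belongs to the query, and reports minimum and median round-trip times. The resolver addresses are the public ones named in the thread and are a constructed starting list; the query names are arbitrary examples.

```python
import random
import socket
import struct
import time

# Public resolvers named in the thread (constructed list; add your ISP's
# resolvers, e.g. the ones your router hands out via DHCP, to compare).
RESOLVERS = {
    "Cloudflare": "1.1.1.1",
    "Google": "8.8.8.8",
    "Quad9": "9.9.9.9",
}


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query: RD bit set, one question, no EDNS."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(data, expected_txid):
    """Return (rcode, answer_count); raise ValueError if the reply is not ours."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, an


def time_lookup(server, name, timeout=2.0, port=53):
    """One UDP query; return round-trip time in milliseconds, or None on failure."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid=txid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(4096)
            parse_response(data, txid)
        except (OSError, ValueError):
            return None
        return (time.perf_counter() - start) * 1000.0


def benchmark(resolvers, names, rounds=3):
    """Query every name `rounds` times per resolver; return label -> sorted RTTs."""
    results = {}
    for label, server in resolvers.items():
        rtts = []
        for _ in range(rounds):
            for name in names:
                rtt = time_lookup(server, name)
                if rtt is not None:
                    rtts.append(rtt)
        results[label] = sorted(rtts)
    return results


if __name__ == "__main__":
    names = ["kitz.co.uk", "bbc.co.uk", "example.com"]
    for label, rtts in benchmark(RESOLVERS, names).items():
        if rtts:
            print(f"{label:10s} min {rtts[0]:6.1f} ms  median {rtts[len(rtts) // 2]:6.1f} ms  "
                  f"replies {len(rtts)}")
        else:
            print(f"{label:10s} no replies (timeout or blocked)")
```

The first round for each name may be a cache miss at the resolver, so the minimum shows the cached case and the median shows what you see in practice; as 4candles notes, repeat the run at different times of day before choosing. A resolver that returns no replies at all is usually one your network or ISP blocks on port 53 rather than one that is down.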
Title: Re: DNS Servers
Post by: burakkucat on December 24, 2021, 04:18:22 PM
Over the years I have used:
Now currently using Cloudflare's public resolver (1.1.1.1) and have configured Firefox to use DNS over HTTPS (as Cloudflare provides the service).

[Edited to fix typo.]
Title: Re: DNS Servers
Post by: maxheadroom on December 24, 2021, 08:33:47 PM
Thanks all.
Title: Re: DNS Servers
Post by: Chrysalis on December 24, 2021, 10:58:53 PM
I made a list for my firewall configuration (to block DoH requests directly from clients) for all the variants of the public servers excluding OpenDNS. I will share it here with you guys, so it is a convenience list.

1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 Cloudflare No Filter
1.1.1.2 1.0.0.2 2606:4700:4700::1112 2606:4700:4700::1002 Cloudflare Malware Filter
1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003 Cloudflare Malware and Family Filter
8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Google No Filter, Tracked, supports ECS
9.9.9.9 149.112.112.9 149.112.112.112 2620:fe::9 2620:fe::fe:9 2620:fe::fe Quad9 Malware Filter
9.9.9.10 149.112.112.10 2620:fe::10 2620:fe::fe:10 Quad9 No Filter
9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11 Quad9 Malware Filter and supports ECS
9.9.9.12 149.112.112.12 2620:fe::12 2620:fe::fe:12 Quad9 No Filter, supports ECS

The ECS I mentioned references a feature that supposedly helps get maximum CDN performance. Netflix, I think, have taken issue with Cloudflare not passing it on; Cloudflare state they are in discussions for CDNs to do their optimisation without the privacy exposure.  My personal opinion is I have noticed no bad performance from CDN-based content with ECS data omitted.

In regards to performance, Quad9 is faster for me unencrypted vs Cloudflare. I tried Quad9 DNSCrypt, which had awful glaring issues, latency all over the place including timeouts, whilst my personal DNSCrypt tunnel had no such issues.  I then tried Cloudflare DoH, which has been working really well, and that is my current configuration: I use the .2 malware servers dual stack, primary IPv4 with secondary IPv6. My DoH is done via DNSCrypt-proxy (in DoH mode) on my firewall, and the unbound DNS resolver uses the local DNSCrypt as its resolver.  This is so I still benefit from unbound performance features such as 'serve expired'.

If you guys can do it, DoH should easily be faster than DoT due to how the protocols work, but pfSense unbound doesn't natively support DoH, so you would need to use something like dnscrypt-proxy as an intermediate or main resolver.
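Chrysalis's list is meant to be fed into a firewall so that LAN clients cannot talk DoH to those resolvers directly and must go through the local resolver. As an added example (my own code, not Chrysalis's pfSense configuration), the script below parses the list exactly as posted, splits the addresses by family, and emits an nftables table that drops and logs LAN-originated TCP/443 and TCP/853 (DoT, an extension of the list's DoH purpose) to those addresses. The interface name `lan0` and table name `doh_block` are hypothetical; the list text is a constructed copy of the one above.

```python
import ipaddress

# Constructed copy of the list posted above: address tokens first, then the
# provider and its filtering notes.
RESOLVER_LIST = """\
1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 Cloudflare No Filter
1.1.1.2 1.0.0.2 2606:4700:4700::1112 2606:4700:4700::1002 Cloudflare Malware Filter
1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003 Cloudflare Malware and Family Filter
8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Google No Filter, Tracked, supports ECS
9.9.9.9 149.112.112.9 149.112.112.112 2620:fe::9 2620:fe::fe:9 2620:fe::fe Quad9 Malware Filter
9.9.9.10 149.112.112.10 2620:fe::10 2620:fe::fe:10 Quad9 No Filter
9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11 Quad9 Malware Filter and supports ECS
9.9.9.12 149.112.112.12 2620:fe::12 2620:fe::fe:12 Quad9 No Filter, supports ECS
"""


def parse_resolver_list(text):
    """Split each line into (list of ip_address objects, description string).

    Leading tokens that parse as IP addresses are collected; the first token
    that does not parse starts the free-text description.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        addrs = []
        while tokens:
            try:
                addrs.append(ipaddress.ip_address(tokens[0]))
            except ValueError:
                break
            tokens.pop(0)
        if addrs:
            entries.append((addrs, " ".join(tokens)))
    return entries


def split_by_family(entries):
    """Return (sorted unique IPv4 strings, sorted unique IPv6 strings)."""
    v4 = {a for addrs, _ in entries for a in addrs if a.version == 4}
    v6 = {a for addrs, _ in entries for a in addrs if a.version == 6}
    return [str(a) for a in sorted(v4)], [str(a) for a in sorted(v6)]


def nftables_ruleset(entries, lan_if="lan0", table="doh_block"):
    """Emit an nftables table dropping LAN clients' TCP/443 and TCP/853 to the
    listed resolvers. Interface and table names are hypothetical placeholders."""
    v4, v6 = split_by_family(entries)
    return "\n".join([
        f"table inet {table} {{",
        "    set doh_v4 { type ipv4_addr; elements = { " + ", ".join(v4) + " } }",
        "    set doh_v6 { type ipv6_addr; elements = { " + ", ".join(v6) + " } }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        f'        iifname "{lan_if}" ip daddr @doh_v4 tcp dport {{ 443, 853 }} '
        'log prefix "doh-bypass " drop',
        f'        iifname "{lan_if}" ip6 daddr @doh_v6 tcp dport {{ 443, 853 }} '
        'log prefix "doh-bypass " drop',
        "    }",
        "}",
    ])


if __name__ == "__main__":
    print(nftables_ruleset(parse_resolver_list(RESOLVER_LIST)))
```

The rules sit on the forward hook, so they only affect traffic from clients behind the firewall; the firewall's own dnscrypt-proxy session to Cloudflare (output hook) is untouched, which is the split Chrysalis describes. The log prefix is the useful part for a defender: a hit shows which client has a browser or application configured to bypass the local resolver. Note that the list only covers the providers Chrysalis enumerated; a client pointed at any other DoH endpoint is not caught by address blocking alone.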
Title: Re: DNS Servers
Post by: burakkucat on December 24, 2021, 11:20:09 PM
Thanks Chrys.

Quote from: Chrysalis
. . . (to block DoH requests directly from clients) . . .

<snip>

The ECS I mentioned references a feature that supposedly helps get maximum CDN performance, . . .

<snip>

DoH is obviously "DNS over HTTPS" but ECS puzzles me. Perhaps I am looking in the wrong place, for the best I can come up with is "Elastic Cloud Storage".  :-\
Title: Re: DNS Servers
Post by: Chrysalis on December 24, 2021, 11:22:14 PM
Here you go burakkucat.

https://en.wikipedia.org/wiki/EDNS_Client_Subnet

It is a system where the DNS server forwards subnet information from the client making the DNS request; this is to help identify where the client is connecting from.
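To make the privacy trade-off concrete, here is an added example (my own code, not from the thread or the Wikipedia article) that encodes and decodes the EDNS Client Subnet option as defined in RFC 7871, which is what the "supports ECS" entries in Chrysalis's list send upstream. The option carries the client's address truncated to a prefix; the example defaults to the RFC's recommended ceilings of /24 for IPv4 and /56 for IPv6, and shows what network the authoritative server or CDN would learn. The client addresses in the demonstration are constructed documentation addresses.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8      # EDNS0 option code for Client Subnet (RFC 7871)
OPT_RR_TYPE = 41         # the OPT pseudo-RR that carries EDNS options
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def encode_ecs(client_ip, source_prefix=None, scope_prefix=0):
    """Build one ECS option: code, length, family, source/scope prefix, address.

    The address is truncated to source_prefix bits, so a /24 sends only the
    first three octets of an IPv4 client address. Defaults follow the RFC's
    recommended maximum of /24 (IPv4) and /56 (IPv6).
    """
    addr = ipaddress.ip_address(client_ip)
    if source_prefix is None:
        source_prefix = 24 if addr.version == 4 else 56
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    # strict=False zeroes the host bits; the slice keeps only the prefix bytes
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option):
    """Parse an ECS option; return (ip_network the upstream learns, scope prefix)."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or len(option) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr_bytes = option[8:]
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix")
    if family == FAMILY_IPV4 and source <= 32:
        full = addr_bytes.ljust(4, b"\x00")
    elif family == FAMILY_IPV6 and source <= 128:
        full = addr_bytes.ljust(16, b"\x00")
    else:
        raise ValueError("unknown family or bad prefix length")
    net = ipaddress.ip_network(f"{ipaddress.ip_address(full)}/{source}", strict=False)
    return net, scope


def opt_rr(*options, udp_payload_size=1232):
    """Wrap EDNS options in an OPT RR (root name, type 41, class = UDP size, TTL 0)."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, len(rdata)) + rdata


if __name__ == "__main__":
    # Constructed documentation addresses, not real clients.
    for ip in ("192.0.2.100", "2001:db8:1234:5678::1"):
        opt = encode_ecs(ip)
        net, scope = decode_ecs(opt)
        print(f"{ip:24s} -> on the wire {opt.hex()}  upstream learns {net} (scope {scope})")
```

The decoded network is the privacy exposure Chrysalis refers to: a /24 does not identify a single household, but it does identify the ISP and usually the town, and it is sent to every authoritative server the resolver consults for that query, not just the CDN. A resolver that omits the option, as the Cloudflare and 9.9.9.9 entries in the list do, reveals only its own address.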
Title: Re: DNS Servers
Post by: burakkucat on December 24, 2021, 11:46:56 PM
Thank you.  :)
Title: Re: DNS Servers
Post by: Alex Atkin UK on December 25, 2021, 03:24:32 AM
I've been meaning to double check how my DNS setup is working right now actually, as I remember when I was on Cloudflare it still seemed to find Zen's Netflix cache absolutely fine.

Although last I checked Netflix were still only serving half the HD bitrates they did before the pandemic which really makes me angry when I'm paying for the UHD package, which ironically is NOT throttled for UHD content.  So 4K content looks great, HD content is half the bitrate it should be so suffers macro-blocking in motion.
Title: Re: DNS Servers
Post by: tubaman on December 25, 2021, 09:21:24 AM
Quote from: burakkucat
Over the years I have used:
  • ISP provided. (Stopped using when their "nanny knows best" policy became apparent.)
...

[Edited to fix typo.]

Interestingly I use BT's DNS because of its parental control features.
 :)
Title: Re: DNS Servers
Post by: Alex Atkin UK on December 25, 2021, 09:28:08 AM
Quote from: tubaman
Interestingly I use BT's DNS because of its parental control features.
 :)

I think it's useful as an option, but to subject everyone to it even if everyone in the household is an adult is frustrating.

The problem is on the big ISPs it's never fully disabled; they have court-ordered blocks on piracy and certain dodgy child-related sites.  The latter is fair enough, except I don't trust these blocks to be implemented correctly, as a few times they have accidentally blocked whole sites rather than specific iffy pages.  Plus I see it as pushing things further underground: the less people stumble onto bad things online, the less it will be reported and the easier it is for the government to just pretend it doesn't exist.

Most importantly it lures parents into a false sense of security that their child is safe online, which is far from the truth.

[Moderator edited to remove a stray [list] tag.]
Title: Re: DNS Servers
Post by: tubaman on December 25, 2021, 02:33:12 PM
Quote from: Alex Atkin UK
I think it's useful as an option, but to subject everyone to it even if everyone in the household is an adult is frustrating.

The problem is on the big ISPs it's never fully disabled; they have court-ordered blocks on piracy and certain dodgy child-related sites.  The latter is fair enough, except I don't trust these blocks to be implemented correctly, as a few times they have accidentally blocked whole sites rather than specific iffy pages.  Plus I see it as pushing things further underground: the less people stumble onto bad things online, the less it will be reported and the easier it is for the government to just pretend it doesn't exist.

Most importantly it lures parents into a false sense of security that their child is safe online, which is far from the truth.

Agree it's not perfect, but it is easy to switch off temporarily if needing to visit a site it doesn't like, to buy wine for example.
It will undoubtedly give some a false sense of security, but I just look at it as a useful measure to make bad stuff a bit harder to stumble upon.
 :)

[Moderator edited to remove a stray [list] tag.]
Title: Re: DNS Servers
Post by: Weaver on December 26, 2021, 05:12:06 PM
I said ‘they’re all pretty good’ meaning in performance terms, something which I now have doubts about. I have a reasonably high latency because of my DSL itself, minimum 42 ms to bottomless.aa.net.uk (over IPv6), and distance to London in any case, so this rather overwhelms the individual DNS provider differences.
Title: Re: DNS Servers
Post by: Alex Atkin UK on December 26, 2021, 06:41:53 PM
At the end of the day, the biggest bottleneck (assuming you aren't using adblock) tends to be looking up adverts and rendering the page.  Makes it pretty hard to notice any difference from DNS.  Plus like I said, routers cache the results and they have a lot more RAM than they used to so likely maintain a larger cache.
Title: Re: DNS Servers
Post by: maxheadroom on December 26, 2021, 07:08:53 PM
I have ditched Google and am giving Cloudflare another go; it seems quite snappy, and as the cat said earlier:

Quote from: burakkucat
Google. (Stopped using due to their obsession in documenting and archiving everything.)
Title: Re: DNS Servers
Post by: aesmith on January 02, 2022, 04:40:27 PM
Quote from: Alex Atkin UK
At the end of the day, the biggest bottleneck (assuming you aren't using adblock) tends to be looking up adverts and rendering the page.  Makes it pretty hard to notice any difference from DNS.  Plus like I said, routers cache the results and they have a lot more RAM than they used to so likely maintain a larger cache.
My router caches, and acts as DNS server for the home network, because I have specifically enabled and configured that function. DNS caching isn't necessarily an inherent function of routers in general, or not of any that I have worked with.
Title: Re: DNS Servers
Post by: burakkucat on January 02, 2022, 05:05:57 PM
Quote from: aesmith
My router caches, and acts as DNS server for the home network, because I have specifically enabled and configured that function.

Likewise.
Title: Re: DNS Servers
Post by: Alex Atkin UK on January 02, 2022, 05:23:23 PM
Quote from: aesmith
My router caches, and acts as DNS server for the home network, because I have specifically enabled and configured that function. DNS caching isn't necessarily an inherent function of routers in general, or not of any that I have worked with.

Most routers in my experience run dnsmasq for DHCP and DNS caching, as it's a lightweight solution to both problems.

Easy enough to tell: if the router issues you a DNS of its own IP then it's almost certainly got some amount of DNS caching going on, vs if it issues your ISP's DNS directly then obviously not.