Geekzone: technology news, blogs, forums


PANiCnz

999 posts

Ultimate Geek
+1 received by user: 161


#240750 24-Sep-2018 11:40

I'm looking for some feedback and insights into what DNS servers people are using, and in particular what DNS servers to use in balancing performance vs privacy. 

 

In recent times there have been a number of privacy focused DNS services launched, Quad9 and Cloudflare's offering spring to mind, and to this layman they look like a good option. BUT I recall historical comments on Geekzone that using these third party DNS services, in particular Google, can bypass any caching your ISP does and potentially impact performance. For example when downloading games from Steam the requests would likely go to Sydney based Steam servers rather than local ISP caches and consequently impact performance.

 

These comments are probably a few years old if I recall correctly, so was keen to get more up to date thoughts from some of the more informed members as to what DNS servers they use and why? 

 

Personally I'm running Pi-hole at home which is configured to forward DNS requests to the Spark DNS servers (Bigpipe customer). Recent reading has brought Unbound to my attention and the option of configuring Pi-hole as a recursive DNS server. It appears to be a straightforward installation.


nzkc
1634 posts

Uber Geek
+1 received by user: 1041


  #2095438 24-Sep-2018 12:38

I'm running PiHole forwarding to Cloudflare DNS (not yet configured for DNS over HTTPS).

 

Works great. Don't notice any adverse effects at all.

 

Since you're running PiHole why not try an alternative provider and switch back if it doesn't work out for you.




sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2095501 24-Sep-2018 13:42

Using your RSP's DNS servers will always deliver the best end user experience.

 

The days of 3rd party DNS causing issues primarily with CDN content are largely a thing of the past, but can still cause some CDN issues.

 

 


timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #2095623 24-Sep-2018 16:25

I use my ISP's DNS servers just so if they have a cache for media we get it locally. Plus it works fine, and I can change to CloudFlare / Google if I need to for any reason - haven't needed to yet though.




CB_24
371 posts

Ultimate Geek
+1 received by user: 33


  #2095688 24-Sep-2018 17:54

Using Pi Hole configured for CloudFlare first and Google DNS second, general web browsing is noticeably faster now.

ANglEAUT
altered-ego
2436 posts

Uber Geek
+1 received by user: 841

Trusted
Lifetime subscriber

  #2095770 24-Sep-2018 20:04

sbiddle: Using your RSP's DNS servers will always deliver the best end user experience.

 

Maybe sometimes, but not always.

 

 

 

For me the question also includes DNSSec support and privacy. Do I want my ISP to know about every domain that I visit?

 

 

 

PS I also like my PiHole.

 

 

 

 

Edit: smaller image





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2095811 24-Sep-2018 20:59

IcI:

 

Do I want my ISP to know about every domain that I visit?

 

 

Your ISP really couldn't care less.

 

 

 

 


 
 
 

Linux
12173 posts

Uber Geek
+1 received by user: 8469

Trusted
Lifetime subscriber

  #2095812 24-Sep-2018 21:01

sbiddle:

IcI:


Do I want my ISP to know about every domain that I visit?



Your ISP really couldn't care less.


 


 



I reckon,

John

MichaelNZ
1594 posts

Uber Geek
+1 received by user: 485

Trusted
Net Trust Ltd

  #2103050 7-Oct-2018 21:48

IcI:

 

For me the question also includes DNSSec support and privacy. Do I want my ISP to know about every domain that I visit?

 

 

DNSSEC does not offer privacy!

 

In very simple terms it's a mechanism to assure the returned response from a DNS server is authentic.

 

Secondly, I work for an ISP and I absolutely, totally and unquestionably do not monitor nor care what you are looking at on the internet. 

 

Here is what I do care about-

 

1. Developing new services and improving existing ones

 

2. Updating server software

 

3. Keeping an eye on server health and operation

 

4. Responding to escalated requests

 

5. Obtaining new SSL certs (a lot of that lately) and renewing existing ones.

 

6. Advising and implementing non-standard customer service configs.





WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers | ZL2NET


MichaelNZ
1594 posts

Uber Geek
+1 received by user: 485

Trusted
Net Trust Ltd

  #2103051 7-Oct-2018 21:52

PANiCnz:

 

BUT I recall historical comments on Geekzone that using these third party DNS services, in particular Google, can bypass any caching your ISP does and potentially impact performance. For example when downloading games from Steam the requests would likely go to Sydney based Steam servers rather than local ISP caches and consequently impact performance.

 

 

All the caching DNS servers I have ever deployed respect source TTL - i.e. do not override what the authoritative DNS server has the record set at.

 

But these days it's quite common to set short TTLs - 5 minutes or less. GeoDNS and high availability deployments commonly.





WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers | ZL2NET


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2103053 7-Oct-2018 22:12

I'm using Pi-Hole with Cloudflare DNS over HTTPS. Works incredibly well.

 

As a side-note - as I've said multiple times. If you're using a DNS-based ad-blocker then consider a subscription on Geekzone too if you get value out of it.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


ANglEAUT
altered-ego
2436 posts

Uber Geek
+1 received by user: 841

Trusted
Lifetime subscriber

  #2103066 7-Oct-2018 23:44

MichaelNZ:

 

IcI:

 

For me the question also includes DNSSec support and privacy. Do I want my ISP to know about every domain that I visit?

 

 

DNSSEC does not offer privacy!

 

In very simple terms it's a mechanism to assure the returned response from a DNS server is authentic.

 

Secondly, I work for an ISP and I absolutely, totally and unquestionably do not monitor nor care what you are looking at on the internet. 

 

 

You are correct with your statements. They are separate issues and I could have worded my post better. The ISP comment only applies to the privacy part of the first sentence.

 

Please note that while YOU as an ISP only care about what you listed, there are other ISPs that do want that extra info for whatever money or legal reasons they quote as applicable.





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


 
 
 

Handle9
11924 posts

Uber Geek
+1 received by user: 9675

Trusted
Lifetime subscriber

  #2103069 8-Oct-2018 00:22

sbiddle:

 

IcI:

 

Do I want my ISP to know about every domain that I visit?

 

 

Your ISP really couldn't care less.

 

 

Mine could....

 

But I am in the UAE


noroad
1025 posts

Uber Geek
+1 received by user: 675

Trusted

  #2103072 8-Oct-2018 07:00

sbiddle:

 

IcI:

 

Do I want my ISP to know about every domain that I visit?

 

 

Your ISP really couldn't care less.

 

 

 

 

As someone who has built more than one set of ISP's DNS servers I wholeheartedly second this, ISPs in NZ as a general rule log nothing but errors on their DNS servers.


Tracer
343 posts

Ultimate Geek
+1 received by user: 151


  #2105818 10-Oct-2018 18:13

Cloudflare are much more trustworthy than any ISP IMO. I can't think of a company that does more for internet privacy.


neb

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #2975613 30-Sep-2022 17:22

Restarting an old thread, using things like Google DNS (which was hardcoded into something I ran into somewhere) was an absolute no-no because it was totally oblivious to geolocation and would always return servers in California rather than local ones, leading to really hard-to-diagnose breakage all over the net where CDNs were concerned.

 

 

Is this still the case with running Unbound locally rather than using your ISP's DNS? Since the breakage was really hard to diagnose, just random glitches and slowdowns, I'd prefer not to determine it by trial and error.
