
Comparisons of DNS Resolvers

Posted: Mon Apr 02, 2018 9:25 pm
by DAMIEN1307
I thought that this might be of interest to most Linux users here since we tend to set our own DNS and not trust the ISP to do this for us...DAMIEN

https://medium.com/@nykolas.z/dns-resol ... 9e803734e5

Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)

Posted: Tue Apr 03, 2018 4:56 am
by Voltron
Hello, everyone:

I have been reading on Cloudflare's launch of their public DNS servers, 1.1.1.1 and 1.0.0.1 and was interested to get others' opinions on the matter. Here are some articles I have found, to get everyone started:

https://www.cnet.com/news/cloudfare-new ... ternet-too

https://blog.cloudflare.com/dns-resolver-1-1-1-1

https://blog.cloudflare.com/announcing-1111

This may affect users around the world, differently, given different local, regional, and national laws. I can only speak as someone in the United States and for those in the States and other locations, what do you think? Do you trust your ISP? How do you feel about changing your DNS provider to a third party? Do you do this, already? What ideas/issues do these and other related articles suggest, regarding who should be your DNS provider and/or around switching your DNS provider from some organization other than your ISP? And, what concern, if any, do you have, in moving away from your ISP's network, to a third-party DNS provider?

Re: Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)

Posted: Tue Apr 03, 2018 5:28 am
by Meeshka
I just switched to Cloudflare's DNS service. Thought I would give it a try, based on their reports of increased performance and better privacy. So far, so good, although my perceived faster browsing might be a bit of a placebo effect. As for security, I know that requires believing everything Cloudflare says about audits and wiping logs every 24 hours. How can one really be certain? I am very interested in learning more about DNS-over-HTTPS, however.

What's the verdict on this new DNS service?

Posted: Fri Apr 06, 2018 3:16 pm
by Charlie
https://1.1.1.1/ Glad to hear your thoughts about this.

Re: What's the verdict on this new DNS service?

Posted: Fri Apr 06, 2018 3:19 pm
by Pepi
I’m using it without any problems. I also see some faster surfing with it. NOW, is it safe ?????

Re: What's the verdict on this new DNS service?

Posted: Fri Apr 06, 2018 3:32 pm
by Charlie
Pepi wrote:
Fri Apr 06, 2018 3:19 pm
I’m using it without any problems. I also see some faster surfing with it. NOW, is it safe ?????
Hoping to get some expert opinions so we can all make a decision on using it maybe.

Re: What's the verdict on this new DNS service?

Posted: Fri Apr 06, 2018 4:13 pm
by JoeFootball
Charlie wrote: Hoping to get some expert opinions so we can all make a decision on using it maybe.
I was coincidentally just reading these two related articles...

How to use Cloudflare's DNS service to speed up and secure your internet

What are the fastest DNS providers?

Joe

Re: What's the verdict on this new DNS service?

Posted: Fri Apr 06, 2018 9:11 pm
by Mattyboy
Question is... can I use DNScrypt?

Re: What's the verdict on this new DNS service?

Posted: Fri Apr 06, 2018 10:40 pm
by phd21
Hi Charlie,

I just read your post and the good replies to it. Here are my thoughts on this as well.

I just heard about this from your post and decided to try it. It works well on my system. I usually use "dns.watch", "opennic", "OpenDNS", etc... Now I can add this to that list.

Cloudflare Launches a New Privacy-Focused DNS Server, But Should You Use It? YES 04/2018
https://www.howtogeek.com/fyi/cloudflar ... ou-use-it/



Hope this helps ...

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 2:50 am
by DAMIEN1307
I did post this under open chat with zero response when 1.1.1.1, 1.0.0.1 became available...I'm using it with great results myself...DAMIEN

https://medium.com/@nykolas.z/dns-resol ... 9e803734e5

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 6:15 am
by Pierre
whilst that sounds great - in theory - at least:
most of these "hacks" really only work well if you reside in CONUS . . :(

you'll have to Test this Stuff yourself - - to see if it will work for you:
ie: From a Unix/Linux shell, you'll want to run dig with the following syntax: dig @IP address of DNS router test.site.com.
So, to see how fast Google Public DNS responds to a DNS request for zdnet.com's IP address, you'd run:

dig @8.8.8.8 zdnet.com

That's it. What you care about in the results is the line giving you the "Query time".
This measures, in milliseconds, how long it takes for the DNS resolver to give you the answer.
- The lower this number, the better. ..

;; Query time: 212 msec
;; SERVER: 8.8.8.8#53 ( 8.8.8.8 )
;; WHEN: Sat Apr 07 18:20:58 AWST 2018
;; MSG SIZE rcvd: 54

;; Query time: 276 msec
;; SERVER: 1.1.1.1#53 (1.1.1.1)
;; WHEN: Sat Apr 07 18:18:35 AWST 2018
;; MSG SIZE rcvd: 54

& your response time should be Much Better . . . than mine.

from this article:
https://www.zdnet.com/article/what-are- ... providers/

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 6:20 am
by catweazel
Pierre wrote:
Sat Apr 07, 2018 6:15 am
dig @8.8.8.8 zdnet.com
dig @1.1.1.1 google.com

9ms over a no-external DNS VPN isn't bad at all.

I run VyprVPN over openVPN. It's configured to not use any external DNS, so if I send a DNS request then it gets routed over the VPN. This result is from Australia.

Code:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             209     IN      A       172.217.25.46

;; Query time: 9 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Apr 07 20:19:22 AEST 2018
;; MSG SIZE  rcvd: 55

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 7:21 am
by Pierre
if you redo it a few times, you will find that it does vary a bit:

Code:

~ $ dig @8.8.8.8 google.com

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28554
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		52	IN	A	216.58.199.78

;; Query time: 228 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:02 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25724
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		57	IN	A	216.58.196.142

;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:17 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18734
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		90	IN	A	216.58.199.46

;; Query time: 104 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:21 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2420
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		53	IN	A	216.58.196.142

;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:24 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41166
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		193	IN	A	216.58.220.142

;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:27 AWST 2018
;; MSG SIZE  rcvd: 55

and all that does - is show, just how bad my connection - really is.
:(
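
Added example, not part of the original posts: since single dig runs vary this much, one way to compare resolvers is to collect the "Query time" lines from several runs and look at the minimum, median and maximum. The function names are hypothetical; the sample input is the five 8.8.8.8 query times posted above, trimmed to the stats lines.

```shell
#!/bin/sh
# Summarise dig "Query time" lines as: count min median max (msec).

# Pull the millisecond value out of each ";; Query time: N msec" line.
query_times() {
    awk '/^;; Query time:/ { print $4 }'
}

# Read one integer per line; print "n min median max".
# A timed-out query prints no "Query time" line, so n can be lower than
# the number of runs: compare the two before trusting the median.
summarise() {
    sort -n | awk '
        { v[NR] = $1 }
        END {
            if (NR == 0) { print "0 - - -"; exit }
            mid = (NR % 2) ? v[(NR + 1) / 2] : (v[NR / 2] + v[NR / 2 + 1]) / 2
            print NR, v[1], mid, v[NR]
        }'
}

# Live measurement (needs network and dig); not called in this file.
# usage: bench_resolver 1.1.1.1 example.com 10
bench_resolver() {
    server=$1; name=$2; runs=${3:-10}; i=0
    while [ "$i" -lt "$runs" ]; do
        dig +noall +stats +tries=1 +time=2 "@$server" "$name" A
        i=$((i + 1))
    done | query_times | summarise
}

# Offline sample: the five 8.8.8.8 results posted above, trimmed to the
# stats lines that matter here.
sample_output() {
    cat <<'EOF'
;; Query time: 228 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; Query time: 104 msec
;; Query time: 102 msec
;; Query time: 101 msec
EOF
}

sample_output | query_times | summarise
```

The median (102 msec here) is less sensitive than the mean to the one slow first lookup, which is typically the run where the resolver did not yet have the record cached.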

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 7:29 am
by catweazel
Pierre wrote:
Sat Apr 07, 2018 7:21 am
if you redo it a few times, you will find that it does vary a bit:
Only by a few milliseconds, between 8 and 13 over about ten attempts. Oh, wait... you're using 8.8.8.8. I used 1.1.1.1. When I use 8.8.8.8 I get about the same as you, ~120ms.

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 8:16 am
by Charlie
I just thought I hadn't seen this discussed and I know there are some seasoned pros around here that would really know about it. Thanks for the replies. I have tested it and for now I think I will stick to Dnscrypt or Bind9. Unless someone comes up with a tool to improve it, like I am not convinced about DNS leaks from it.

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 12:59 pm
by Pepi
I think I'm going to set my wireless router to these two DNS IPs

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 1:37 pm
by I2k4
Cloudflare, the host for the service, got into political soup last year for hosting some hate sites, but after a bit of libertarian hemming and hawing seems to have dumped them:

https://blog.cloudflare.com/why-we-term ... y-stormer/

No clue whether this or any DNS service has any privacy protection beyond "terms of service" exactly worth the ink they're signed with (none.) For privacy assurance I'd subscribe to a VPN, but I have a bit more confidence in government regulation of my (Canadian) ISP than these DNS services. Last I compared, my ISP internet performance beat OpenDNS and so not too curious about this one.

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 1:43 pm
by majpooper
1.1.1.1 as well as 9.9.9.9 got thumbs up by Steve Gibson - "Security Now" podcast. Gibson, for my money, is the best there is security wise. 9.9.9.9 will provide more security, 1.1.1.1 better performance. Not sure when either will be available in the dnscrypt resolver files.

For now I am sticking with dnscrypt/OpenDNS - I have no performance concerns and get best in class security.

Re: What's the verdict on this new DNS service?

Posted: Sat Apr 07, 2018 2:34 pm
by Faust
I've tried 'em both in Pi-hole.
No noticeable gain in performance over my usual choice (OpenDNS) so for me, no good reason to switch.
Any claimed security benefits from either aren't really relevant.

Re: What's the verdict on this new DNS service?

Posted: Sun Apr 08, 2018 8:25 am
by Charlie
If I use Bind9 and tell it to use RESOLVCONF by changing the value from "no" to "yes" in /etc/default/bind9

And add 1.1.1.1 and 1.0.0.1 to RESOLVCONF replacing the default, will bind9 now ensure there are no DNS leaks from 1.1.1.1?

I have tested it and it works but I do not know if it is secure.