Advice Request Which DNS Server do you use? /DNS Tunnelling


Which DNS Server(s) do you use?



WinXPert

Level 25
Jan 9, 2013
I use DnsJumper. I use whichever is the fastest.

conceptualclarity

Level 21
Aug 23, 2013
I am using Adguard DNS (Beta); so far so good. Adguard DNS offers not only security but also blocks ads and trackers as a bonus feature. Since the service is in the Beta stage at the moment, some may face issues.

Adguard DNS SERVERS:

Default
Use these servers to block ads, trackers and phishing websites.

176.103.130.130

176.103.130.131

Family Protection
"Default" + blocking adult websites.

176.103.130.132

176.103.130.134

Is Adguard DNS fast? I'm interested. I'm using Yandex DNS and I wonder how switching to Adguard DNS would impact performance.
 

show-Zi

Level 36
Jan 28, 2018
I use NortonDNS.

Via GoogleDNS
Browse the web with Google Chrome
Search on Google site ...

I have a little resistance.
 

DeepWeb

Level 25
Jul 1, 2017
I use this: GRC's | DNS Nameserver Performance Benchmark  
It will find DNS servers closest to me and then run a benchmark to compare their speeds. I pick the two fastest on the list and test them with the spoofability test:
GRC | DNS Nameserver Spoofability Test  

Once they do well and they are fast, I add them to the config file of my local resolver Deadwood DNS. I found that there are servers that are actually faster than running my own recursion so why not use those instead and have my local resolver cache the results? That way I get the best of both worlds. The cache is instant and if it's not in cache, let another computer somewhere else look it up for me at a much faster speed than my computer. The best thing is that I am finally being pointed at the correct CDNs.
 

Evjl's Rain

Level 47
Apr 18, 2016
I use Norton DNS although they are not the fastest.
It gives you the best malware and phishing protection and, more importantly, coin-mining protection, which is not seen in other DNS services like Quad9.

I don't like my ISP DNS because they are indeed very fast with local websites but slower than Google DNS for foreign websites, and they have a higher chance of DNS disconnection/maintenance.
I used to use 8.8.8.8 and 208.67.222.222 together. When the Google DNS server fails, OpenDNS will take over, so I never get disconnected.
 

TairikuOkami

Level 37
May 13, 2017
Is Adguard DNS fast? I'm interested. I'm using Yandex DNS and I wonder how switching to Adguard DNS would impact performance.
Note that Adguard does not have its own DNS servers; it routes through whichever are the closest, like Yandex, Google, OpenDNS, etc. So the speed is comparable.

EDIT: I have recently started to use UltraDNS Family (Level 3 servers) in Windows and I also use OpenDNS Family via browser's dnscrypt.
 

Faybert

Level 24
Jan 8, 2017
I use Google DNS and OpenDNS; for me they were always the fastest.
 

Kuttz

Level 13
May 9, 2015
Is Adguard DNS fast? I'm interested. I'm using Yandex DNS and I wonder how switching to Adguard DNS would impact performance.
Since I haven't tried Yandex DNS, I am unable to give a comparison. To give you a rough idea about its performance, I felt Adguard DNS was almost as fast as NortonDNS but lags slightly behind GoogleDNS. Performance of a DNS service varies by location though. It's recommended to try out each DNS service and settle on the one you like best.
 

Daviworld

Level 2
Feb 19, 2018
Most/many have logging of some type. To be honest, logging DNS is a bigger problem than people think. Once again, set up a Pi-Hole and you can see the intrusive logging and what it can accomplish. Essentially a full profile of your network, security, programs, and even some vulnerabilities can be gathered from DNS logging.

The problem is, most non-logging, very private DNS have poor pings for me. The sweet spot for DNS is to get your pings to their servers under 50. Anything higher and you will notice some page load latency, which can be frustrating. Virtually all of the private ones are 100-175ms for me, rendering them useless.

This is true. After trying out various privacy and no-logging DNS servers, trying to get the speed to match closely to a well-known, logging DNS server's speed, the sweet spot for me, since I run various security setups depending on what I am doing, is to force all my clients to request lookups from the router so it can build a local cache of my most visited sites (such as this one). My router requests its lookups from Tenta OpenNIC name resolvers.

Initially, after changing from DNS.WATCH to Tenta OpenNIC, I noticed a huge increase in latency loading pages I normally visit, as my router was trying to resolve the names with its new name resolvers. After maybe 4-6 hours of browsing and junk, my page loading speed, at least for the websites I normally visit, is roughly about what it was before changing the DNS to Tenta.

I work in networking and security, and as you said it is scarily creepy what some fundamental internet components can be used for if abused. Blocking miners, scripts, approving page elements, blocking ads, etc. also helped in speeding up the page load times, since the encryption and security methods I use also cut my performance by a decent amount.
 

ForgottenSeer 58943

It depends on where your DNS is cached and how much is cached. Many routers don't offer any significant DNS caching; I've seen some with 12 or fewer entries, but most seem to be higher. I've seen them range from 100-2000 entries, but rarely do they cap off at the DNSMasq maximum. I am a firm advocate of disabling Windows DNS caching, so having a snappy forwarder is important.

DNSMasq has a hard-coded maximum of 10,000 DNS cache entries, which Pi-Hole uses and defaults to the maximum cache. So after 24 hours of use it will speed resolution even on one of the slower, privacy forwarders. So provided your caching of forwards is sufficient, a slower DNS resolution won't be a big impact after it develops its cache.
 

redsworn

Level 4
Dec 6, 2017
My ISP implemented a transparent DNS proxy for censorship purposes. So, my only option is using DNSCrypt-proxy to keep my ISP from meddling with the queries.
 

ForgottenSeer 58943

My ISP implemented a transparent DNS proxy for censorship purposes. So, my only option is using DNSCrypt-proxy to keep my ISP from meddling with the queries.

Many ISPs now do this. Also remember the CIA front NebuAD, which a lot of ISPs implemented to spy on their customers. Then there are their hosted mirrors of GoogleDNS, Paxfire redirects, NX redirects on bad domains. Some ISPs still have old Paxfire DNS MiTM gear from the 2012-2014 range still in operation. Paxfire was basically another intelligence front in Reston, VA that made MiTM appliances to capture data/intel on ISP customers.

Many ISPs use L7 DPI inspection and redirect DNS unless you encrypt it. Run a trace and you might find your GoogleDNS resolving to just a couple of hops off your gateway. That's an L7 DPI grab of your DNS resolver. Then you have clever firms directing non-DNS traffic over DNS to bypass your inspection, content filters and IPS. Malformed DNS is usually how it is found.

Evasion is becoming much harder, as DNS is very ripe for spying and essentially gives up everything you do.

VPNs tend to work pretty well.
Encryption of DNS can sometimes work.
Another common method is to use iptables and redirect your DNS over port 54 rather than the normal port 53 of DNS, thus bypassing any monitoring/MiTM activity of your ISP (or others). (But this can get ugly, really fast, unless you know what you are doing.)

Bottom line for me: I do DNS traffic inspection at the L7 level to look for anomalies and use Pi-Hole for local resolution and caching. Anything else is troublesome and at times problematic. Unfortunately, DNS security is an incredibly neglected thing these days. Most firewalls/UTMs don't even inspect DNS traffic.
 
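The two practices ForgottenSeer 58943 describes above, letting a local dnsmasq/Pi-Hole cache build up so a slower privacy forwarder stops hurting, and inspecting DNS traffic for anomalies such as non-DNS data carried over DNS, can both be checked against the resolver's own query log. The Python script below is an added example written for this page; it is not code from the thread, from Pi-Hole or from dnsmasq. It parses dnsmasq-style log-queries lines, reports the cache hit ratio, and flags base domains whose queries share tunnelling traits: long high-entropy subdomain labels, many unique names under one base, and a high share of TXT/NULL record types. The log lines, the client addresses, the hostnames example.org and example-tunnel.test, and every threshold are constructed assumptions; the base-domain split is a naive last-two-labels heuristic with no Public Suffix List.

```python
"""Added example: grade a dnsmasq / Pi-hole query log for cache effectiveness and flag
base domains whose query pattern looks like DNS tunnelling. All sample data is constructed."""
import math
import re
from collections import defaultdict

# dnsmasq "log-queries" records: query[TYPE] name from client | forwarded name to server
#                                cached name is addr          | reply name is addr
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<action>query\[(?P<qtype>[A-Z]+)\]|forwarded|cached|reply)"
    r" (?P<name>\S+)(?: from (?P<client>\S+))?"
)

# Constructed 32-char labels (each hex digit exactly twice) standing in for encoded payload
# chunks; example-tunnel.test and the client addresses are assumptions, not real hosts.
TUNNEL_LABELS = [
    "a7f03c9e1b6d52485e2b9f1a4c7d0836", "c14d8a0f3b7e62950b6e2c9a5d1f8437",
    "f82a6c0e4b1d93757d3f5b9c1e0a2684", "5e2b9f1a4c7d0836a7f03c9e1b6d5248",
    "0b6e2c9a5d1f8437c14d8a0f3b7e6295", "7d3f5b9c1e0a2684f82a6c0e4b1d9375",
]
P = "Mar  1 10:00:00 dnsmasq[812]: "  # constructed syslog prefix
SAMPLE_LOG = "\n".join(
    [P + line for line in (
        "query[A] malwaretips.com from 192.168.1.20", "forwarded malwaretips.com to 9.9.9.9",
        "query[A] malwaretips.com from 192.168.1.21", "cached malwaretips.com is 203.0.113.10",
        "query[A] www.example.org from 192.168.1.20", "forwarded www.example.org to 9.9.9.9",
        "query[A] cdn.example.org from 192.168.1.20", "cached cdn.example.org is 203.0.113.21",
        "query[A] api.example.org from 192.168.1.22", "forwarded api.example.org to 9.9.9.9",
        "query[A] img.example.org from 192.168.1.22", "cached img.example.org is 203.0.113.21",
        "query[A] static.example.org from 192.168.1.20", "cached static.example.org is 203.0.113.21",
    )]
    # one TXT query per unique label from one client; unique names can never be cache hits
    + [P + f"{act} {label}.c2.example-tunnel.test {tail}" for label in TUNNEL_LABELS
       for act, tail in (("query[TXT]", "from 192.168.1.30"), ("forwarded", "to 9.9.9.9"))]
)


def parse_log(text):
    """Turn log lines into dicts; lines that are not query/forwarded/cached/reply are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({
                "action": "query" if m["action"].startswith("query") else m["action"],
                "qtype": m["qtype"], "name": m["name"].lower().rstrip("."), "client": m["client"],
            })
    return records


def cache_hit_ratio(records):
    """Share of lookups answered from cache. Approximate: dnsmasq logs one 'forwarded'
    line per upstream it tries, so with several upstreams the miss count is inflated."""
    hits = sum(r["action"] == "cached" for r in records)
    misses = sum(r["action"] == "forwarded" for r in records)
    return hits / (hits + misses) if hits + misses else 0.0


def shannon_entropy(s):
    """Bits per character; random-looking encoded data sits near log2(alphabet size)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def base_domain(name):
    """Naive registrable domain: last two labels (assumption; no Public Suffix List)."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else name


def tunnel_suspects(records, min_unique=5, min_label_len=20, min_entropy=3.0, min_rare_share=0.5):
    """Group queries by base domain; flag a domain that shows at least two tunnelling traits."""
    per_base = defaultdict(lambda: {"names": set(), "qtypes": defaultdict(int), "clients": set()})
    for r in records:
        if r["action"] == "query":
            info = per_base[base_domain(r["name"])]
            info["names"].add(r["name"])
            info["qtypes"][r["qtype"]] += 1
            info["clients"].add(r["client"])
    report = {}
    for base, info in per_base.items():
        names = info["names"]
        if len(names) < min_unique:
            continue  # too few distinct names to judge
        subs = [n[: -len(base) - 1] for n in names]  # strip ".<base>"; empty for the apex
        avg_len = sum(max(len(l) for l in s.split(".")) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        total = sum(info["qtypes"].values())
        rare = sum(c for t, c in info["qtypes"].items() if t in ("TXT", "NULL")) / total
        reasons = []
        if avg_len >= min_label_len:
            reasons.append(f"avg longest label {avg_len:.0f} chars")
        if avg_ent >= min_entropy:
            reasons.append(f"avg subdomain entropy {avg_ent:.2f} bits/char")
        if rare >= min_rare_share:
            reasons.append(f"{rare:.0%} TXT/NULL queries")
        if len(reasons) >= 2:
            report[base] = {"reasons": reasons, "unique_names": len(names),
                            "clients": sorted(info["clients"])}
    return report


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"cache hit ratio: {cache_hit_ratio(recs):.1%}")
    for base, info in tunnel_suspects(recs).items():
        print(f"{base}: {info}")
```

On a real install, point `parse_log` at dnsmasq's query log with log-queries enabled and let it accumulate a day or so, which is roughly the warm-up the post above mentions before the cache earns its keep. Treat the flagged list as triage, not a verdict: anti-spam DNSBL lookups, some CDNs and telemetry services also generate many unique, high-entropy names, so the interesting signal is a base domain nobody recognises, queried by one client, with a near-100% TXT/NULL share.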

redsworn

Level 4
Dec 6, 2017
VPNs tend to work pretty well.
Encryption of DNS can sometimes work.
Another common method is to use iptables and redirect your DNS over port 54 rather than the normal port 53 of DNS, thus bypassing any monitoring/MiTM activity of your ISP (or others). (But this can get ugly, really fast, unless you know what you are doing.)

Obviously, VPN is the best possible option. I do have a couple of them, but I only use them as a last resort.
I don't know what other "magic" my ISP has. Any VPN will cause a massive slowdown of my internet speed.
DNSCrypt-proxy works wonders for me so far, and I think I'll settle with it until it stops working.
 

71Hemi

Level 2
Dec 12, 2015
@ForgottenSeer 58943


Two I like to use:

Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
208.91.112.53
208.91.112.52

You can add Fortinet DNS to your list of secure, malware blocking dns. Anyone can use it, you don't need a Fortigate appliance to use it.

Hey, do you know if Fortinet supports DNSSEC, and also if they log DNS queries? Do they use Anycast like Google? Thanks for the info.
 