Sidebar

Q&A Which DNS Server do you use? /DNS Tunnelling

Which DNS Server(s) do you use?

  • Total voters
    166
conceptualclarity

conceptualclarity

Level 20
Content Creator
Trusted
Verified
kuttan said:
I am using Adguard DNS (Beta) so far so good. Adguard DNS offers not only security but also does blocking of Ads and Trackers as a bonus feature:cool:. Since the service is in Beta stage at the moment some may face issues.

Adguard DNS SERVERS:

Default
Use these servers to block ads, trackers and phishing websites.

176.103.130.130

176.103.130.131

Family Protection
"Default" + blocking adult websites.

176.103.130.132

176.103.130.134
Click to expand...
Is Adguard DNS fast? I'm interested. I'm using Yandex DNS and I wonder how switching to Adguard DNS would impact performance.
 
Reactions: Andytay70 and Sunshine-boy
show-Zi

show-Zi

Level 16
Verified
I use NortonDNS.

Via GoogleDNS
Browse the web with Google Chrome
Search on Google site ...

I have a little resistance.
 
Reactions: bribon77
DeepWeb

DeepWeb

Level 21
Verified
I use this: GRC's | DNS Nameserver Performance Benchmark  
It will find DNS servers closest to me and then run a benchmark to compare their speeds. I pick the two fastest on the list and test them with the spoofability test:
GRC | DNS Nameserver Spoofability Test  

Once they do well and they are fast, I add them to the config file of my local resolver Deadwood DNS. I found that there are servers that are actually faster than running my own recursion so why not use those instead and have my local resolver cache the results? That way I get the best of both worlds. The cache is instant and if it's not in cache, let another computer somewhere else look it up for me at a much faster speed than my computer. The best thing is that I am finally being pointed at the correct CDNs.
 
Reactions: Faybert and harlan4096
E

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
I use Norton DNS although they are not the fastest
it gives you the best malware and phishing protection and more importantly, coinmining protection, which is not seen in other DNS services, like Quad9

I don't like my ISP DNS because they are indeed very fast with local websites but slower than google DNS for foreign websites, and they have higher chance of DNS disconnection/maintainance
I used to use 8.8.8.8 and 208.67.222.222 together. When google DNS server fails, openDNS will takeover so I never get disconnected
 
Reactions: bribon77, Azure Phoenix and Faybert
TairikuOkami

TairikuOkami

Level 21
Content Creator
Verified
conceptualclarity said:
Is Adguard DNS fast? I'm interested. I'm using Yandex DNS and I wonder how switching to Adguard DNS would impact performance.
Click to expand...
Note, that Adguard does not have its own DNS servers, it routes through whichever are the closest, like Yandex, Google, OpenDNS, etc. So the speed is comparable.

EDIT: I have recently started to use UltraDNS Family (Level 3 servers) in Windows and I also use OpenDNS Family via browser's dnscrypt.
 
Last edited:
Reactions: Sunshine-boy and conceptualclarity
Kuttz

Kuttz

Level 12
Verified
conceptualclarity said:
Is Adguard DNS fast? I'm interested. I'm using Yandex DNS and I wonder how switching to Adguard DNS would impact performance.
Click to expand...
Since I haven't tried Yandex DNS unable to give a comparison. To give you a rough idea about its performance I felt Adguard DNS almost as fast as NortonDNS but lags behind GoogleDNS slightly. Performance of a DNS service varies from location though. Its recommended to try out each DNS services and settle on the best one you like.
 
Daviworld

Daviworld

Level 2
Slyguy said:
Most/Many have logging of some type. To be honest, logging DNS is a bigger problem than people think. Once again, setup a Pi-Hole then you can see the intrusive logging and what it can accomplish. Essentially a full profile of your network, security, programs, and even some vulnerabilities can be gathered from DNS logging.

The problem is, most non-logging, very private DNS have poor pings for me. The sweetspot for DNS is to get your pings to their servers under 50. Anything higher and you will notice some page load latency which can be frustrating. Virtually all of the private ones are 100-175ms for me rendering them useless.
Click to expand...
This is true, After trying out various privacy & no logging DNS server's, trying to get the speed to match close to a well known, logging DNS server's speed. The sweet spot for me since I run various security set-up's depending on what I am doing, I force all my client's to request look-ups from the router so it can build a local cache of my most visited site's(such as this one). My router request its look-ups from tenta OpenNIC name resolver's.

Initially after changing from DNS.WATCH to Tenta OpenNIC I noticed a huge increase in latency loading page's I normally visit as my router was trying to resolve the names with its new name revolver's. After maybe 4-6hr's of browsing and junk, my page loading speed as least for the website's I normally visit is roughly about what it was before changing the DNS to Tenta.

I work in networking & security and as you said it is scarily creepy what some fundamental internet component's can be used for if abused. blocking miner's, script's, approving page element's, blocking ad's, etc also helped in speeding up the page load times since the encryption and security method's I use also cut my performance by a decent amount.
 
Slyguy

Slyguy

Level 40
It depends on where your DNS is cached and how much is cached. Many routers don't offer any significant DNS caching - I've seen some with 12 or less entries but most seem to be higher, I've seen them range from 100-2000 entries but rarely do they cap off DNSMasq maximum. I am a firm advocate of disabling Windows DNS Caching so having a snappy forwarder is important.

DNSMasq has a hard coded maximum of 10,000 DNS cache entries, which Pi-Hole uses and defaults it to the maximum cache. So after 24 hours of use it will speed resolution even on one of the slower, privacy forwarders. So provided your caching of forwards is sufficient, a slower DNS resolution won't be a bit impact after it develops it's cache.
 
Reactions: Daviworld
redsworn

redsworn

Level 3
Verified
My ISP implemented transparent DNS proxy for censorship purpose. So, my only option is using DNSCrypt-proxy to avoid my ISP from meddling with the queries.
 
Slyguy

Slyguy

Level 40
redsworn said:
My ISP implemented transparent DNS proxy for censorship purpose. So, my only option is using DNSCrypt-proxy to avoid my ISP from meddling with the queries.
Click to expand...
Many ISP's now do this. Also remember the CIA front NebuAD which a lot of ISPs implemented to spy on their customers. Then there are their hosted mirrors of GoogleDNS, Paxfire Redirects, NX redirects on bad domains. Some ISP's still have old Paxfire DNS MiTM gear from 2012-2014 range still in operation. Paxfire was basically another Intelligence front in Reston VA that made MiTM appliances to capture data/intel on ISP customers.

Many ISP's use L7 DPI inspection and redirect DNS unless you encrypt it. Run a trace and you might find your GoogleDNS resolving to just a couple hops off your gateway. That's a L7 DPI grab of your DNS resolver. Then you have clever firms directing non-DNS traffic over DNS to bypass your inspection, content filters and IPS. Malformed DNS is usually how it is found.

Evasion is becoming much harder as DNS is very ripe for spying and essentially gives up everything you do.

VPN's tend to work pretty well.
Encryption of DNS can sometimes work.
Another common method is to use IPTABLES and redirect your DNS over Port 54 rather than the normal Port 53 of DNS, thus bypassing any monitoring/MiTM activity of your ISP (or others). (but this can get ugly, really fast, unless you know what you are doing)

Bottom line for me.. I do DNS traffic inspection at the L7 level to look for anomalies and use Pi-Hole for local resolution and caching.. Anything else is troublesome and at times, problematic. Unfortunately DNS security is an incredibly neglected thing these days. Most firewall/UTM don't even inspect DNS traffic.
 
Reactions: upnorth
redsworn

redsworn

Level 3
Verified
Slyguy said:
VPN's tend to work pretty well.
Encryption of DNS can sometimes work.
Another common method is to use IPTABLES and redirect your DNS over Port 54 rather than the normal Port 53 of DNS, thus bypassing any monitoring/MiTM activity of your ISP (or others). (but this can get ugly, really fast, unless you know what you are doing)
Click to expand...
Obviously. VPN is the best possible option. I do have a couple of them. But I only use them as a last resort.
I don't know what other "magic" my ISP have. Any VPN will cause massive slowdown of my internet speed.
DNSCrypt-proxy works wonder for me so far. And I think I'll settle with it until it stopped working.
 
D

Darrin

Level 1
@Slyguy


Two I like to use;

Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
208.91.112.53
208.91.112.52

You can add Fortinet DNS to your list of secure, malware blocking dns. Anyone can use it, you don't need a Fortigate appliance to use it.

Hey do you know if Fortinet supports DNSSEC, and also if they log DNS queries? Do they use Anycast like Google? Thanks for the info.​
 
You must log in or register to reply here.

Similar Threads

Similar Threads

New Posts Log In

Latest Posts

Latest Threads