11

What situations are you thinking are good candidates for a service like this?

I have been concerned about our ISP's DNS - they are redirecting to advertising pages, and showing other signs of questionable integrity. I was considering OpenDNS - but wasn't feeling that they were going to be much better - and heard mixed things about them.

Our operation is quite small, so I don't want anything too complicated. And I certainly don't want a bunch of extra headaches.

aSkywalker

6 Answers

24

Looks like Google will be a good fit when you want a DNS that conforms to RFC 1034, and when you aren't all tinfoil-hat about Google.

OpenDNS hijacks your unresolved DNS queries and redirects you to advertising. This breaks the NXDOMAIN response. However, their claim to fame is that they provide user-definable filtering at the DNS level.

Frankly, few things piss me off more than a DNS provider that hijacks NXDOMAIN, so I'll probably be switching over to Google for my personal stuff.

And hey, hard to get DNS IPs that are easier to remember! (8.8.8.8 and 8.8.4.4)

phoebus
  • I use Google Public DNS and it seems to be quite faster than other open resolvers. – Nirmal Dec 04 '09 at 01:44
  • I've noticed so far that it's pretty fast but I haven't been an open resolver user before so I don't have much basis for comparison. – phoebus Dec 04 '09 at 01:47
  • I mean it's faster than my terrible TWC resolver but that's not saying much. – phoebus Dec 04 '09 at 01:48
  • Google DNS is a good 300ms from where I am (Australia) which really puts me off using it. Sure their lookups might be faster, but overall it will be slower, especially for a large batch of queries. – Mark Henderson Dec 04 '09 at 03:40
  • That doesn't really surprise me that it would be slower than a more local DNS server...shouldn't really surprise anyone. Of course, if Google ends up with superior cache performance, they will still be as fast or faster than a mediocre caching, but local, server. – phoebus Dec 04 '09 at 04:09
  • I won't be doing any "official" testing until the system has been up and running, and adapted, for at least a few weeks. It's at least partially self-organizing from a performance perspective, after all, so the real numbers won't be here right away. – phoebus Dec 04 '09 at 04:11
  • protip: you can disable the OpenDNS redirects. They market that as a "feature" to discourage you from doing it, but you can definitely do it. I needed to in order to get winbind working. – neoice Dec 04 '09 at 08:58
  • Perhaps, but I have a problem with it on principle just as much as practice. – phoebus Dec 04 '09 at 15:25
  • "if you aren't all Tin Foil Hat about Google" – Clay Nichols Feb 16 '10 at 19:01
  • Any other choices out there for those of us that ARE all tinfoil-hat about Google? – Brian Knoblauch Apr 08 '10 at 17:19
  • @brian: run your own caching recursive resolver. If you want to be ubercore about it, route all your port 53 traffic into the tor network. – chris Apr 08 '10 at 18:36
  • @chris I used to do that on a NetBSD SPARC box that I had, but it died and I no longer have any servers at home, just a few Windows boxen. Not familiar with trying to do resolvers on Windows. Any tips? – Brian Knoblauch Apr 09 '10 at 14:17
  • You can download a precompiled recursive server from powerdns.com -- it is an older rev that lacks some useful features, but it runs just fine on XP. You'd need to make a couple changes to it (make it run on port 53, mostly) but if you've run NetBSD on a SPARC, it shouldn't be much of a hill to climb. This won't send stuff through a tor network, though... – chris Apr 09 '10 at 14:57
  • Do note that by using Google DNS you're likely to get slower speeds from some CDNs. – ceejayoz Dec 10 '12 at 14:57
  • Good point @ceejayoz – phoebus Feb 13 '13 at 21:43
  • @MarkHenderson, Google has servers all round the globe. Are you sure you have a 300 ms latency? – Pacerier Jun 05 '15 at 20:21
  • @Pacerier these days, no. These days I am < 1ms from 8.8.8.8 and 8.8.4.4 but 5.5 years ago (when I wrote that comment), this was not the case. – Mark Henderson Jun 06 '15 at 05:51
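The NXDOMAIN rewriting that this answer objects to can be checked on the wire. The following is an added example, not code from the answer or from Google or OpenDNS: it parses a raw DNS reply for a name that cannot exist and reports whether the resolver answered NXDOMAIN honestly or substituted an A record (the advertising-page redirect). The query name and the two sample replies are constructed inline so the check runs offline; to test a real resolver, feed it the UDP reply bytes instead.

```python
import struct

def encode_name(name):
    """Wire-encode a dotted hostname as length-prefixed labels (RFC 1035)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def classify(msg):
    """Classify a reply for a name that should not exist: (status, A records).
    'nxdomain' is the honest answer; 'hijacked' is RCODE 0 plus A data (the
    OpenDNS-style rewrite); 'empty' is NOERROR without A data; else 'error'."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    if rcode == 3:                         # NXDOMAIN
        return "nxdomain", []
    if rcode != 0:
        return "error", []
    off = 12
    for _ in range(qd):                    # skip question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    a_records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:                     # A record: 4-byte IPv4 address
            a_records.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ("hijacked" if a_records else "empty"), a_records
QNAME = "no-such-host-1f9a.example"       # constructed name that cannot resolve

def build_reply(rcode, a_records):
    """Constructed reply: one question for QNAME, the given A answers, RCODE."""
    flags = 0x8180 | rcode                 # QR=1, RD=1, RA=1
    msg = struct.pack("!6H", 0x1234, flags, 1, len(a_records), 0, 0)
    msg += encode_name(QNAME) + struct.pack("!HH", 1, 1)
    for ip in a_records:                   # answer: pointer to QNAME (offset 12), A, IN, TTL, 4 bytes
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return msg
HONEST_REPLY = build_reply(3, [])                    # classify -> ("nxdomain", [])
REWRITTEN_REPLY = build_reply(0, ["192.0.2.10"])     # classify -> ("hijacked", ["192.0.2.10"])
```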
5

Situations where you're not a long way from a Google datacenter and where you're not heavily dependent upon Akamaized traffic.

Various big providers try to direct you to servers "near" you on the network, by looking at where the DNS query came from and doing some rough approximation from that. This kinda-sometimes-mostly works, as long as the DNS cache is sufficiently "near" you on the net. This is part of how Akamai works.

None of the open recursors currently provide a way to pass on location information for the querier to the authoritative servers, so using anything like OpenDNS or GoogleDNS will hurt the performance that you experience of services like Akamai. How much? That depends on your local network, how close you are to Google's caches, etc etc.

OTOH, if you're a small operation and have a local web cache (squid?) to lower the utilization of your uplinks, then the traffic which Akamai serves is more likely to hit the caches anyway. Whether or not that balances out, only you can determine based on trial and error and user reports.

As long as you have low ping times to the GoogleDNS servers, it's really a case of "suck it and see" and figure out if it works for you. If it does, great, you can use a free service to your advantage. If not, then you switch back and you're not out anything. It's not like this is a hard config change to revert.

[disclosure: my employer has a stance in this, I'm not an independent voice]

Phil P
  • Since the DNS server can see the IP address of the incoming request (and hence figure out the rough location/country), why do you say that "none of the open recursors currently provide a way to pass on location information for the querier to the authoritative servers"? – Pacerier Jun 05 '15 at 20:22
  • The authoritative DNS server can see the IP address coming from the recursor, in this case Google or OpenDNS. The recursor can see your IP address and know roughly where you are. With Google and shared caches, you don't know who, in which country, originally requested the content, where that query to the auth DNS originated, or whether a problem inside Google is resulting in them handling your DNS traffic in a different country through route injection. [to be continued] – Phil P Jun 05 '15 at 21:47
  • Note that Google did introduce a means to convey to the auth servers information about where the request comes from and the auth servers to respond back with information about granularity of the answer, to solve issues like this. In 2009, when I wrote the reply, nobody used that, it was shiny new from Google. Today, most still don't use it but the biggest caching providers probably are, because it solves their problems. Ultimately, the only way to be sure is to measure it, or try it and see if it works for you, which is why that's what I recommended. – Phil P Jun 05 '15 at 21:48
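The mechanism the last comment refers to is EDNS Client Subnet (ECS, RFC 7871): the recursor attaches an OPT option carrying a truncated client prefix, and the authoritative server answers with the scope it used. The following is an added example, not from the answer or from any resolver's code base: it builds an A query carrying the ECS option and decodes it back, showing that only the prefix (a /24 or /56 here, host bits zeroed) leaves the recursor. The query name and client addresses are constructed.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8          # EDNS Client Subnet, RFC 7871
OPT_RR_TYPE = 41             # EDNS0 OPT pseudo-RR

def encode_name(name):
    """Wire-encode a dotted hostname as length-prefixed labels (RFC 1035)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def ecs_option(client_ip, source_prefix):
    """Build one ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE 0, truncated address.
    Only ceil(prefix/8) address bytes are sent and the host bits are zeroed, so the
    recursor discloses a /24 (or /56), never the full client address."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    addr_bytes = net.network_address.packed[:(source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def build_query(qname, client_ip, source_prefix, txid=0x4242):
    """Standard A query (RD=1) plus an additional-section OPT RR carrying ECS."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)         # ARCOUNT=1 for OPT
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    rdata = ecs_option(client_ip, source_prefix)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def parse_ecs(query):
    """Decode ECS from the OPT RR of a query built by build_query (uncompressed
    question name). Returns (family, source_prefix, scope_prefix, ip_address) or None."""
    off = 12
    while query[off]:                        # walk the question name's labels
        off += 1 + query[off]
    off += 1 + 4 + 1                         # root byte, QTYPE/QCLASS, OPT root name
    rtype, _udp_size, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
    off += 10
    end = off + rdlen
    while off < end and rtype == OPT_RR_TYPE:
        code, olen = struct.unpack("!HH", query[off:off + 4])
        if code == ECS_OPTION_CODE:
            family, src, scope = struct.unpack("!HBB", query[off + 4:off + 8])
            raw = query[off + 8:off + 4 + olen]
            raw = raw.ljust(4 if family == 1 else 16, b"\x00")   # restore zeroed host bits
            return family, src, scope, ipaddress.ip_address(raw)
        off += 4 + olen
    return None
```

A recursor or authoritative server that honours ECS echoes the option back in its reply with a non-zero SCOPE PREFIX-LENGTH; a reply without the option means it was ignored, which is the situation the answer describes for 2009.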
3

The main noticeable 'feature' of OpenDNS is an OpenDNS advertising-filled search page whenever you resolve a non-existent domain. If you're not worried about this, or about stats being collected on your DNS query history (read their privacy policy if you're worried) then it's a pretty quick DNS service.

TRiG
TrXuk
  • As mentioned above you can manage and change this setting. By default it uses the OpenDNS result, search and NXDOMAIN functions, but you can disable this. – Brent Pabst Dec 10 '12 at 12:40
2

I think a good solution is to run your own local resolver.

It's pretty easy to install and run PowerDNS's local resolver and there is a windows binary as well.

chris
1

Consider any performance difference between

  • the two open free solutions that you mentioned and
  • the (hopefully) more local DNS service offered by your ISP.

Try a traceroute to 8.8.8.8 and your ISP's DNS server.

Perhaps your impetus for change is around:

  • reliability/stability - this will obviously depend on your ISP. Google widely gets high marks for its uptime. Its DNS service should follow that trend.
  • security - tin foiled hats will question your ISP and Google. Likely the contest is a wash.
  • get less spammy - if users are complaining that OpenDNS or your ISP is serving ads cleverly disguised as suggestions, then Google DNS might be a good choice.

Be sure to give the Google Public DNS Privacy article a read.

p.campbell
1

The other useful feature of OpenDNS is that it's a quick way to provide (limited) filtering of websites by category. It's not foolproof, but if you configure it to block "Social Media" sites from your network then your users aren't going to be getting to Facebook unless they at least have a basic understanding of DNS and the ability to fiddle settings.

fencepost