The author of Best practices for DNS forwarding [petri.com] recommends using the ISP's DNS servers as forwarders instead of doing the recursive lookups yourself, the main reason being performance. This makes sense as you're only doing one query, getting the response probably right away, given a big enough cache at the ISP and a popular enough website.

A downside of using your ISP's DNS servers might be their stability. It used to be the case that ISPs often had not-very-stable DNS servers. However, this can be solved by simply forwarding to name servers such as,, or

What are the benefits of doing the lookups yourself?

Edit: Using public name servers like Quad9 also adds in security as it filters out known malicious domains.

Some ISP resolvers return A records for non-existent hostnames for advertising purposes, which is one reason why you might not want to use ISP resolvers. – Torin Aug 18 '18 at 21:46

2 Answers

Benefits to resolving yourself include not being dependent on, or trusting, a third party to do so. This includes ISPs that may change, and public DNS that collect your data or impose their idea of filtering.

If a DNS service meets your needs, certainly forward to it.

John Mahowald
Also if you want to validate DNSSEC records the most sensible way is to do it yourself which means retrieving all the records yourself, not delegating that role to another entity. Things may change drastically once DNS over HTTPS and DNS over TLS take over the world. – Patrick Mevzek Aug 21 '18 at 05:26

To answer my own question...

John is correct in stating that "if a DNS service meets your needs, certainly forward to it." A few reasons why it may not meet your needs:

  • The DNS provider might block certain websites (e.g. torrent sites) by returning an IP address they (or the government) own, hosting a website stating the website is banned for illegal activities.
  • The DNS provider might return A records for non-existent domain names for advertising purposes (comment from Torin Carey).

A reason for running your own resolvers:

  • If your company is dual-homed to two different ISPs, it might not be possible to use the DNS servers from ISP1 when traffic leaves your network via ISP2. In this case you should either use public DNS servers (e.g. or run your own resolvers.
  • If the latency from the ISP's or a public DNS server is too high, you should run your own resolvers.

If both options (own resolvers or public ones) are valid for your company, you can choose whichever you want, depending on personal or architectural preferences. Of course, running your own resolvers means more systems to manage, you need to have system administrators with DNS knowledge in your team, etc.

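The ad-injection behaviour mentioned in Torin's comment and in the second bullet above is easy to check for before you decide whether to forward to a given resolver. The following Python script is an added example written for this page, not code from either answer: it builds a raw DNS query (RFC 1035 wire format) for a random label under a domain that should not exist, parses the response including compressed names, and classifies the resolver as honest (NXDOMAIN) or as a suspected NXDOMAIN hijacker (NOERROR with synthesized A records). The probe suffix `invalid-probe.example`, the sample addresses and the `build_response` helper used to construct offline test responses are all assumptions made up for the example; the resolver address is whatever you pass on the command line.

```python
import random
import socket
import string
import struct

# Constructed placeholder: a random label under a name that should not resolve.
# An honest resolver must answer NXDOMAIN (RCODE 3) for it.
def random_nonexistent_name(suffix="invalid-probe.example"):
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
    return f"{label}.{suffix}"

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query in wire format with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg, offset):
    """Decode a possibly compressed name; return (dotted name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # resume after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(msg):
    """Return (rcode, [(name, rtype, rdata bytes), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, msg[offset:offset + rdlen]))
        offset += rdlen
    return rcode, answers

def classify(rcode, answers):
    """NXDOMAIN is the honest answer; NOERROR plus A records for a name that
    cannot exist means the resolver is synthesizing addresses."""
    if rcode == 3:
        return "honest-nxdomain"
    if rcode == 0 and any(rtype == 1 for _, rtype, _ in answers):
        return "suspected-nxdomain-hijack"
    return "inconclusive"

def build_response(query, rcode, addresses=()):
    """Constructed sample response (for offline testing only): echoes the question
    and adds one A record per address, using a pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in addresses)
    return header + query[12:] + rrs

def probe_resolver(resolver_ip, timeout=2.0):
    """Send the sentinel query over UDP to a resolver you use and classify its reply."""
    query = build_query(random_nonexistent_name())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    rcode, answers = parse_response(data)
    return classify(rcode, answers), [socket.inet_ntoa(rd) for _, rt, rd in answers if rt == 1]

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <resolver-ip>   (e.g. the resolver your ISP hands out)
    print(probe_resolver(sys.argv[1]))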