How should I choose my DNS?

When I have to choose my DNS I think that I should consider:

  • Speed
  • Reliability
  • Privacy
  • Control (reports and stats)

The main options that come to my mind, and how I weigh them according to the above factors, are:

  • My ISP = faster (closer to me) but less privacy (they can associate my DNS requests to myself)
  • OpenDNS and such = more control and more privacy (all they have is one of my e-mail addresses)
  • Google = less privacy (they can associate my DNS requests to my Google Account and my searches)

What weighting factors, or other options, have I missed?

Jader Dias

Posted 2012-02-07T14:37:03.827

Reputation: 13 660

Associating DNS queries to accounts based only on the IP address is nonsense and Google would know that. They also claim that no identifiable information is logged for more than two days. On the other hand, OpenDNS can associate your IP addr to an email address based on the information you gave when signing up for "stats". Finally, whichever DNS provider you choose, your ISP still sees the requests made. (A few ISPs even silently redirect all DNS queries...)

– user1686 – 2012-02-07T14:44:50.417

You're missing an option, using your own DNS resolver, Unbound is a good example of a multi-platform one.

– Shadok – 2012-02-07T14:46:34.393

@Shadok eventually my own DNS resolver will have to make requests to another DNS. – Jader Dias – 2012-02-07T14:52:52.090

@grawity From the information you provided I concluded that my ISP is the best option in terms of speed, privacy and perhaps reliability. – Jader Dias – 2012-02-07T14:54:11.730

@JaderDias: Your own resolver, when put in recursive mode, can send requests to the content DNS servers directly, which does not create privacy issues. – user1686 – 2012-02-07T14:57:52.987

@grawity you just beat me to it, Unbound does recursive requests (besides caching them). – Shadok – 2012-02-07T16:03:53.923

Google do not associate DNS requests to your Google Account - their privacy statement and FAQ are very clear on this. – BrianEss – 2012-02-07T20:29:35.113

"My ISP = faster (closer to me) but less privacy (they can associate my DNS requests to myself)": precisely the opposite in my experience, and why I chose OpenDNS; it was faster. – Fiasco Labs – 2012-02-07T20:41:50.693

I have no idea how this got so many views. Who cares about what DNS you use? Fight for choice in ISPs!! – surfasb – 2012-02-07T22:07:15.143

@surfasb: It has been Jeff Atwood'd.

– user1686 – 2012-02-07T23:11:57.957

I've added a piece about the "My ISP = faster (closer to me)" in my answer. – Tamara Wijsman – 2012-02-08T00:41:23.937

If you want OpenDNS with basic filtering and no software or account necessary consider their family shield option https://store.opendns.com/familyshield/setup/

– Dennis – 2012-02-08T09:53:48.720

Answers

My ISP = faster (closer to me)

This is a common misconception; distance does not make up speed on its own. Compare using the old single metal network cables to the newer multiple glass-fibre cable systems, like EuroDOCSIS 3.0.

Other than propagation delay, you also have a processing delay on the server; I'm pretty sure that the DNS server at an ISP is less powerful than a DNS server hosted by Google, hence it is completely possible for a server that's at a much greater distance to actually be faster than your ISP's DNS server...

Hosting your DNS router/server might be the fastest, though it doesn't have all the DNS records stored!


namebench by Google can help you pick out a better DNS server; the rest of your question is subjective.

Are you a power-user with 5 minutes to spare? Do you want a faster internet experience?

Try out namebench. It hunts down the fastest DNS servers available for your computer to use. namebench runs a fair and thorough benchmark using your web browser history, tcpdump output, or standardized datasets in order to provide an individualized recommendation. namebench is completely free and does not modify your system in any way. This project began as a 20% project at Google.

namebench runs on Mac OS X, Windows, and UNIX, and is available with a graphical user interface as well as a command-line interface.

Here are the screens you will go through while using this program:


There is also a command-line version:

Final list of nameservers considered:
------------------------------------------------------------------------------
130.85.1.5      UMBC 5 US          56  ms | 
208.67.222.220  OpenDNS-3          56  ms | www.google.com is hijacked: google.navigation.opendns.com
209.244.0.4     Level3-R2          62  ms | 
216.146.35.35   DynGuide           63  ms | NXDOMAIN Hijacking
204.9.56.9      BroadAspect US     63  ms | 
8.8.4.4         Google Public DNS- 64  ms | Replica of Google Public DNS [8.8.8.8]
208.67.220.220  OpenDNS            65  ms | www.google.com is hijacked: google.navigation.opendns.com
156.154.70.1    UltraDNS           67  ms | NXDOMAIN Hijacking
127.0.0.1       Localhost IPv4     68  ms | NXDOMAIN Hijacking (www)
209.18.47.61    RoadRunner NC US   68  ms | Replica of RoadRunner NC-2 US [209.18.47.62], NXDOMAIN Hijacking (www)
156.154.71.22   Comodo Secure DNS- 80  ms | NXDOMAIN Hijacking
209.18.47.62    RoadRunner NC-2 US 104 ms | (excluded: Slower replica of RoadRunner NC US [209.18.47.61])

- Sending 250 queries to 11 servers...

Mean response (in milliseconds):
--------------------------------
Google Public DN ################# 64.85
Comodo Secure DN ################### 72.84
RoadRunner NC US ####################### 91.19
UltraDNS         ####################### 91.61
Localhost IPv4   ########################### 108.66
OpenDNS          ############################ 110.69
OpenDNS-3        ###################################### 149.85
DynGuide         ####################################### 156.60
Level3-R2        ########################################### 169.81
UMBC 5 US        ########################################### 172.63
BroadAspect US   ##################################################### 214.19

Response Distribution Chart URL (200ms):
----------------------------------------
http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,200|1,0,100&chd=t:0,8,8,9,10,1...

Response Distribution Chart URL (Full):
---------------------------------------
http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,3500|1,0,100&chd=t:0,0,0,1,1,1...

Recommended configuration (fastest + nearest):
----------------------------------------------
nameserver 8.8.4.4         # Google Public DNS-2  
nameserver 127.0.0.1       # Localhost IPv4  
nameserver 209.18.47.62    # RoadRunner NC-2 US

Tamara Wijsman

Posted 2012-02-07T14:37:03.827

Reputation: 54 163

Very cool! Would you be interested in writing a blog post summarizing some of these tools and options? – nhinkle – 2012-02-07T22:57:30.280

@nhinkle: You've got me! I can combine it with this answer and look what else we have on DNS and then sum it up under a title like "The working behind DNS and picking the right server". Could you look into the two points assigned to you on Trello? I want to have the drafts on the blog sorted out, I'm now trying to contact tombull about his blog post...

– Tamara Wijsman – 2012-02-07T23:02:29.473

This answer does not take into account the impact on CDN services that Max's answer does. You might find that with a super fast non-ISP DNS server, your DNS will be fast/private, but you might not be able to stream anything and downloads from various online services may be ridiculously slow. – bbum – 2012-02-07T23:50:44.873

@bburn: I see a claim without a back-up in his post, here is my claim: While using the Google DNS which is nowhere near the Belgium Telenet ISP DNS I still receive my files from the sstatic CDN in 40 ms; hence, the DNS you are using does not matter towards CDN services. Now we only need proofs to back up either claim. But well, for me the timings say enough... ;) – Tamara Wijsman – 2012-02-08T00:26:32.520

Another freeware tool for testing and finding a good DNS server is DNS-Benchmark by GRC

It comes with a customised top 50 list (in which both Google and OpenDNS are usually listed) that will find the best 50 servers to test based on your IP.

It does a very thorough test and will tell if the server supports DNSSEC and if they redirect bad domains to their own landing page instead of giving an "Invalid Domain" response.

Scott Chamberlain

Posted 2012-02-07T14:37:03.827

Reputation: 28 923

Yay for Steve Gibson! I can't believe he wrote that completely in assembly language :O – BlueRaja - Danny Pflughoeft – 2012-02-07T22:45:45.847
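The three things the two benchmarking answers above report (mean response time, whether a resolver validates DNSSEC, and whether it rewrites NXDOMAIN into a landing page) can be measured by hand. The script below is an added example; it is not code from namebench or from GRC's DNS Benchmark. It uses only the Python standard library and raw UDP queries in RFC 1035 wire format. The probe names, the choice of www.ietf.org as a DNSSEC-signed zone, the default resolver list (taken from the namebench output above) and the assumption that a random label under example.com does not exist are all assumptions of this example, not facts from the page.

```python
"""Resolver check in the spirit of namebench / GRC DNS Benchmark: mean latency,
NXDOMAIN rewriting and DNSSEC validation, using only the standard library and
raw UDP packets in RFC 1035 wire format."""
import os
import random
import socket
import statistics
import struct
import sys
import time

DNS_PORT, TYPE_A, TYPE_OPT, RCODE_NXDOMAIN = 53, 1, 41, 3
FLAG_AD = 0x0020  # Authenticated Data bit in the header flags (RFC 4035)
# Assumed probe names: two real sites for latency, and a DNSSEC-signed zone so a
# validating resolver sets AD when asked with the DO bit.
PROBE_NAMES = ("www.example.com", "www.wikipedia.org")
SIGNED_NAME = "www.ietf.org"


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=None, dnssec_ok=False):
    """Recursive query for <name> IN <qtype>; with dnssec_ok, append an EDNS0
    OPT record (4096-byte UDP payload) that carries the DO flag."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:  # root name, TYPE, payload size, ext-rcode, version, DO flag, RDLEN
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(resp):
    """Pick the response-header fields the checks below need."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "ancount": ancount}


def classify_nxdomain(hdr):
    """Honest: RCODE 3 and no records. Rewriting (search/ad page): NOERROR plus answers."""
    if hdr["rcode"] == RCODE_NXDOMAIN and hdr["ancount"] == 0:
        return "honest"
    if hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "hijacked"
    return "other(rcode=%d)" % hdr["rcode"]


def query(server, name, qtype=TYPE_A, dnssec_ok=False, timeout=2.0):
    """Send one UDP query; return (header dict, round-trip ms). Raises socket.timeout
    if no reply carrying our transaction ID arrives in time."""
    txid = random.randrange(0x10000)
    pkt = build_query(name, qtype, txid, dnssec_ok)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(pkt, (server, DNS_PORT))
        while True:  # drop stray datagrams whose ID is not ours
            hdr = parse_header(s.recvfrom(4096)[0])
            if hdr["id"] == txid:
                return hdr, (time.perf_counter() - start) * 1000.0


def check_resolver(server, rounds=3):
    """Mean latency over the probes, plus the NXDOMAIN and DNSSEC behaviour checks."""
    result = {"server": server, "mean_ms": None, "lost": 0, "nxdomain": None, "dnssec_ad": None}
    rtts = []
    for _ in range(rounds):
        for name in PROBE_NAMES:
            try:
                rtts.append(query(server, name)[1])
            except socket.timeout:
                result["lost"] += 1
    if rtts:
        result["mean_ms"] = statistics.mean(rtts)
    try:  # assumption: a random label under example.com does not exist
        hdr, _ = query(server, "nx-%s.example.com" % os.urandom(6).hex())
        result["nxdomain"] = classify_nxdomain(hdr)
        result["dnssec_ad"] = query(server, SIGNED_NAME, dnssec_ok=True)[0]["ad"]
    except socket.timeout:
        pass
    return result


def rank(results):
    """Fastest first; servers that never answered go last."""
    return sorted(results, key=lambda r: (r["mean_ms"] is None, r["mean_ms"] or 0.0))


if __name__ == "__main__":
    servers = sys.argv[1:] or ["8.8.8.8", "208.67.220.220"]  # defaults from the output above
    for r in rank([check_resolver(s) for s in servers]):
        mean = "n/a" if r["mean_ms"] is None else "%.1f" % r["mean_ms"]
        print("%-16s mean=%s ms lost=%d nxdomain=%s dnssec_ad=%s"
              % (r["server"], mean, r["lost"], r["nxdomain"], r["dnssec_ad"]))
```

Run it as `python resolvercheck.py 8.8.8.8 208.67.220.220 <your ISP resolver>`. Two things to read out of the result: a resolver reporting `dnssec_ad=False` is not validating for you (it may still pass DNSSEC data through), and if every server you list comes back with near-identical latency and the same NXDOMAIN behaviour, remember user1686's comment about ISPs that silently redirect port 53; in that case you are measuring the interceptor, not the resolvers.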

Many Content Distribution Networks use your DNS server to route you to an optimal location; using Google or OpenDNS means that they may not be able to route you optimally. Using Google DNS for Google content will get you GREAT performance from them, but not from anyone's DNSLB or a CDN like Limelight, Level3 or others; using OpenDNS damns you with everyone. Google put out an RFC about some suggested fixes for this, but they are not implemented, so you stay screwed by using non-local name servers.

Max

Posted 2012-02-07T14:37:03.827

Reputation: 129

Can you please link to the relevant RFC? Also, most CDN geographical routing (you are in France, therefore your request should be served by a French server, etc) is done via your IP address, not DNS. – Jeff Atwood – 2012-02-07T20:11:23.870

While it’s possible for CDNs to route based on IP address, this is not the norm. For example, dig google.com gives different results based on your location. Note that Google’s DNS servers do not know your IP address. All they know is the IP address of the DNS server that is contacting them. (OpenDNS, Google Public DNS, your ISP’s DNS server). To route based on YOUR IP address would require, e.g., a web server to have logic that puts a different CDN host name into the page based on where your HTTP request was coming from (e.g. us-east-1.somecdn.com). – Nate – 2012-02-07T20:22:23.203

I should add, this is not a problem if you are using your ISP’s DNS servers since, by definition, they are located on the same (or a very close) network to your location. – Nate – 2012-02-07T20:24:25.447

The DNS proposal is here: http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-00 - effectively adding the equivalent of X-Forwarded-For style HTTP headers into DNS. It proposes to solve a real problem for large DNS providers and CDNs, though it is unsavory for DNS purists.

– BrianEss – 2012-02-07T20:25:54.183

+1 I loved google DNS, for everything except Netflix and Hulu streaming, for which I had tons of buffering problems during peak hours. For the skeptics, I proved it was a DNS problem using a wireshark capture. – Karl Bielefeldt – 2012-02-08T20:56:29.460
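The draft linked in the comments above addresses exactly the problem Nate describes: the authoritative server only sees the resolver's address. What the option carries is easiest to see from its wire format. The encoder/decoder below is an added example and not code from any resolver, CDN or the draft's authors; it assumes the EDNS option code 8 and the /24 (IPv4) and /56 (IPv6) default source prefix lengths from the published version of that draft (RFC 7871), and the client addresses used are constructed from the documentation ranges.

```python
"""EDNS Client Subnet (ECS) option: a resolver that supports it forwards a
truncated prefix of the client's address to the authoritative server, instead
of that server seeing only the resolver's own address."""
import ipaddress
import struct

OPTION_CODE_ECS = 8  # IANA-assigned EDNS option code for edns-client-subnet
# Assumed defaults: the source prefix lengths RFC 7871 recommends resolvers send,
# chosen so the host part of the client address is never forwarded.
DEFAULT_PREFIX = {4: 24, 6: 56}


def encode_ecs(client_ip, source_prefix=None):
    """OPTION-DATA: FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1) ADDRESS(variable).
    Bits beyond the source prefix must be zero and only ceil(prefix/8) bytes of
    the address are sent, so a /24 query carries 3 bytes, not the full IPv4."""
    ip = ipaddress.ip_address(client_ip)
    if source_prefix is None:
        source_prefix = DEFAULT_PREFIX[ip.version]
    family = 1 if ip.version == 4 else 2
    network = ipaddress.ip_network("%s/%d" % (ip, source_prefix), strict=False)
    addr = network.network_address.packed[: (source_prefix + 7) // 8]
    return struct.pack("!HBB", family, source_prefix, 0) + addr  # scope is 0 in queries


def decode_ecs(data):
    """Inverse of encode_ecs; the truncated address is zero-padded back to full length."""
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    full_len = 4 if family == 1 else 16
    raw = data[4:]
    if len(raw) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix")
    address = ipaddress.ip_address(raw + b"\x00" * (full_len - len(raw)))
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "address": str(address)}


def ecs_option(client_ip, source_prefix=None):
    """Frame the data as an EDNS option (OPTION-CODE, OPTION-LENGTH, OPTION-DATA),
    ready to go into the RDATA of an OPT pseudo-RR."""
    data = encode_ecs(client_ip, source_prefix)
    return struct.pack("!HH", OPTION_CODE_ECS, len(data)) + data


if __name__ == "__main__":
    # Constructed client addresses from the documentation ranges (RFC 5737 / RFC 3849).
    for client in ("203.0.113.77", "2001:db8:1234:5678::42"):
        opt = ecs_option(client)
        print(client, "->", opt.hex(), decode_ecs(opt[4:]))
```

The privacy trade-off the comment above calls "unsavory" is visible in the output: for 203.0.113.77 the authoritative server receives 203.0.113.0/24, enough to pick a nearby CDN node, and nothing that identifies the host. A resolver that sent /32 would pass your exact address to every CDN it queried on your behalf.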

Consider configuring your own caching DNS server with dnsmasq or another project like named. I find that having control over this greatly speeds up my browsing past the first request. Your OS may also allow you to control its own built-in cache.

gtrak

Posted 2012-02-07T14:37:03.827

Reputation: 211

One thing you missed is..

How compliant are they? (Or perhaps, how vanilla are they?)

You can conceive of a DNS service doing some of the following.

  1. Filtering out certain things. (Censorship)
  2. Replacing certain requests with results that serve themselves.
  3. Throttled service concerning parties that don't benefit them.

For instance, the reason I would never use OpenDNS is that they resolve all unresolvable addresses to a special OpenDNS IP address which, if I recall correctly, opens a search for the unresolved request with advertising by OpenDNS.

I find this incredibly annoying, because I want my search engine to provide its own behavior for when an address is unresolvable, and this makes all unresolvable addresses impossible to detect.

user606723

Posted 2012-02-07T14:37:03.827

Reputation: 1 217