Standard User zyborg47
(legend) Wed 27-Dec-23 21:51:35

DNS servers.

I have not really noticed before, but Zzoomm uses Cloudflare and Google DNS servers. As soon as I noticed I changed them to Open DNS, but is there anything better than OpenDNS?

Adrian

Desktop machines Mac mini pro with macOS Ventura, also pc Ryzen powered with windows something or other.
Zooming with Zzoomm FTTP,
Standard User jchamier
(eat-sleep-adslguide) Thu 28-Dec-23 11:11:45
Re: DNS servers.
[re: zyborg47]

Personal decision but I use Quad9.

24 years of broadband connectivity since 1999 trial - Live BQM
Standard User GonePostal
(experienced) Thu 28-Dec-23 11:29:09
Re: DNS servers.
[re: zyborg47]

In reply to a post by zyborg47:
I have not really noticed before, but Zzoomm uses Cloudflare and Google DNS servers. As soon as I noticed I changed them to Open DNS, but is there anything better than OpenDNS?


Bit difficult to answer if we don't know what criteria you use to define "better".


Standard User TinyMongomery
(eat-sleep-adslguide) Thu 28-Dec-23 14:58:33
Re: DNS servers.
[re: zyborg47]

What problem is there with Google and Cloudflare that you want to solve? They are generally regarded as amongst the best public DNS servers. And, considering all the unknown routers that Internet requests pass through, privacy worries about these particular servers are unreasonable.

--------------------------------------------------------------
Be the person your dog thinks you are.
Standard User Pheasant
(eat-sleep-adslguide) Thu 28-Dec-23 16:58:47
Re: DNS servers.
[re: zyborg47]

I'd have a little experiment with one of the quads. Take your pick. They're all fine really.

Edited by Pheasant (Thu 28-Dec-23 16:59:17)

Standard User Moto
(fountain of knowledge) Thu 28-Dec-23 18:35:37
Re: DNS servers.
[re: zyborg47]

There is a utility you can download to benchmark your access to DNS servers. Released years ago it still works.
https://www.grc.com/dns/benchmark.htm

A friend surfing in
Standard User jchamier
(eat-sleep-adslguide) Thu 28-Dec-23 20:38:24
Re: DNS servers.
[re: GonePostal]

In reply to a post by GonePostal:
Bit difficult to answer if we don't know what criteria you use to define "better".
Exactly, with some services if you use your ISP hosted DNS you get faster performance.

24 years of broadband connectivity since 1999 trial - Live BQM
Standard User j0hn83
(knowledge is power) Thu 28-Dec-23 22:07:21
Re: DNS servers.
[re: zyborg47]

Who I use depends on the ISP I am with.

My minimum ping with Talktalk over Openreach FTTP was 16ms.
All the big DNS providers would respond in 16ms except cloudflare, who were only 11ms. So I used cloudflare DNS.

Some DNS providers work better with certain networks, or can even have caches within their network.

I trust all of the big 4 mentioned, Google, cloudflare, quad9 and opendns. I'll use the 1 that supports my preferred dns settings with the lowest latency.
Standard User zyborg47
(legend) Thu 28-Dec-23 22:22:22
Re: DNS servers.
[re: jchamier]

Thanks peeps, yes it is a bit difficult to answer. I have been using Google and Cloudflare since June, and it has been ok, but then I did not look at the DNS servers before. I thought Zzoomm used their own. I know I use Google for my phone as it is Android, but not sure if I want to go through their servers for everything and Cloudflare, not sure what to think of them.

I used to use Open DNS a few years ago, for some reason and that is what I have changed to now, seems to be working ok

Thanks Moto, I did not think Gibson research was still around, windows only, so I will have to turn the PC on, but thanks anyway.

and TinyMongomery, maybe you are right.

I will stay with Open DNS I think.

Once again, thanks peeps.

Adrian

Desktop machines Mac mini pro with macOS Ventura, also pc Ryzen powered with windows something or other.
Zooming with Zzoomm FTTP,

Edited by zyborg47 (Thu 28-Dec-23 22:24:11)

Standard User smouty
(committed) Fri 29-Dec-23 08:25:03
Re: DNS servers.
[re: jchamier]

In reply to a post by jchamier:
Exactly, with some services if you use your ISP hosted DNS you get faster performance.


Which is fine if you do not mind them harvesting your browsing habits and selling the data on.

Unbound is best for privacy but not so easy to set up for people with a consumer type router.

I use AdGuard Home with a few downstream DNS providers and there is little difference in speed between the major ones with AdGuard's own being a bit faster for me.

OPNSense on Topton N100 - SWISH Fibre 900
PiHole/AdGuard home - Unifi for Wifi
My Broadband Ping

Edited by smouty (Fri 29-Dec-23 08:25:39)

Standard User jchamier
(eat-sleep-adslguide) Fri 29-Dec-23 09:21:52
Re: DNS servers.
[re: smouty]

In reply to a post by smouty:
Which is fine if you do not mind them harvesting your browsing habits and selling the data on.
That happens in the USA, but do we know if that is legal in the UK? I'm certainly not a lawyer, but a lot of the US centric "internet security" marketing we are inflicted with may not have this in mind.

Unbound is best for privacy but not so easy to set up for people with a consumer type router.
Agreed, I use unbound on my hosted servers.

24 years of broadband connectivity since 1999 trial - Live BQM
Standard User TinyMongomery
(eat-sleep-adslguide) Fri 29-Dec-23 14:49:12
Re: DNS servers.
[re: smouty]

In reply to a post by smouty:
Which is fine if you do not mind them harvesting your browsing habits and selling the data on.
But all your packets go through your ISP’s routers. They could easily harvest your browsing habits if they wanted to.

--------------------------------------------------------------
Be the person your dog thinks you are.
Standard User ParksidePeter
(learned) Fri 29-Dec-23 16:40:28
Re: DNS servers.
[re: j0hn83]

In reply to a post by j0hn83:
All the big DNS providers would respond in 16ms except cloudflare, who were only 11ms. So I used cloudflare DNS.


After years of using Google I thought I'd try Cloudflare, and it pinged 1ms more than Google!
Standard User candlerb
(knowledge is power) Fri 29-Dec-23 16:54:23
Re: DNS servers.
[re: ParksidePeter]

In reply to a post by ParksidePeter:
In reply to a post by j0hn83:
All the big DNS providers would respond in 16ms except cloudflare, who were only 11ms. So I used cloudflare DNS.


After years of using Google I thought I'd try Cloudflare, and it pinged 1ms more than Google!

Are you going to notice this in real-world browsing?

Cloudflare has some advantages. There's malware filtering on 1.1.1.2, and malware+family filtering on 1.1.1.3. And they do pledge to keep your data private, unlike Google - although which of them you trust the most is up to you, of course.
Standard User smouty
(committed) Fri 29-Dec-23 19:30:21
Re: DNS servers.
[re: TinyMongomery]

In reply to a post by TinyMongomery:
In reply to a post by smouty:
Which is fine if you do not mind them harvesting your browsing habits and selling the data on.
But all your packets go through your ISP’s routers. They could easily harvest your browsing habits if they wanted to.


You are able to use encrypted DNS and/or a VPN to avoid this.

OPNSense on Topton N100 - SWISH Fibre 900
PiHole/AdGuard home - Unifi for Wifi
My Broadband Ping

Edited by smouty (Fri 29-Dec-23 19:31:27)

Standard User jchamier
(eat-sleep-adslguide) Fri 29-Dec-23 23:04:17
Re: DNS servers.
[re: smouty]

A VPN just makes the VPN company see your data.

Again a lot of the marketing around VPNs and privacy from your ISP is based on USA law.

24 years of broadband connectivity since 1999 trial - Live BQM
Standard User TinyMongomery
(eat-sleep-adslguide) Sat 30-Dec-23 07:31:34
Re: DNS servers.
[re: smouty]

But your web requests to servers still go through their routers. Of course they could track your browsing. And I’d trust my ISP more than I would a VPN provider.

--------------------------------------------------------------
Be the person your dog thinks you are.
Standard User jchamier
(eat-sleep-adslguide) Sat 30-Dec-23 08:37:27
Re: DNS servers.
[re: TinyMongomery]

In reply to a post by TinyMongomery:
But your web requests to servers still go through their routers. Of course they could track your browsing. And I’d trust my ISP more than I would a VPN provider.

Then you can see why Google started requiring websites to use HTTPS. The traffic is encrypted, even without a VPN. Google's stance that said sites wouldn't be listed unless they used HTTPS, and when Let's Encrypt appeared making it free for websites to encrypt made this easy.

Now web browsers tell you of sites that are not encrypted, instead of the old days when you were advised to check for padlocks etc.

24 years of broadband connectivity since 1999 trial - Live BQM

Edited by jchamier (Sat 30-Dec-23 08:38:26)

Standard User TinyMongomery
(eat-sleep-adslguide) Sat 30-Dec-23 16:32:55
Re: DNS servers.
[re: jchamier]

HTTPS doesn’t encrypt the destination IP address. Routers still need to know where to route packets to.

--------------------------------------------------------------
Be the person your dog thinks you are.
Standard User candlerb
(knowledge is power) Sat 30-Dec-23 19:07:10
Re: DNS servers.
[re: TinyMongomery]

True, although if the destination address is a CDN like Cloudflare or Akamai, the IP address doesn't tell you what site is being accessed.

To do that, you either need to do some deep packet inspection for SNI, or you need to look at DNS queries.
Standard User jchamier
(eat-sleep-adslguide) Sun 31-Dec-23 11:08:49
Re: DNS servers.
[re: TinyMongomery]

In reply to a post by TinyMongomery:
HTTPS doesn’t encrypt the destination IP address. Routers still need to know where to route packets to.
Great, it's an AWS or Azure IP or a load balancer. Really tells them nothing.

24 years of broadband connectivity since 1999 trial - Live BQM
Standard User TinyMongomery
(eat-sleep-adslguide) Sun 31-Dec-23 12:59:47
Re: DNS servers.
[re: jchamier]

Depends who “them” is. If it’s Microsoft …

My point is that there is a lot more to worry about, security- and privacy-wise, on the Internet than whether someone can see your DNS queries. Far more important is how reliable the answers to those queries are.

Run a local DNS server and there won’t be so many requests to external servers in the first place.

--------------------------------------------------------------
Be the person your dog thinks you are.
Standard User Andrue
(eat-sleep-adslguide) Sun 31-Dec-23 13:05:25
Re: DNS servers.
[re: TinyMongomery]

In reply to a post by TinyMongomery:
Depends who “them” is. If it’s Microsoft …

My point is that there is a lot more to worry about, security- and privacy-wise, on the Internet than whether someone can see your DNS queries. Far more important is how reliable the answers to those queries are.

Run a local DNS server and there won’t be so many requests to external servers in the first place.
Or you can just accept that like 99% of people you're of no interest to anyone and no-one in authority cares what you do ;)

---
Andrue Cope
Brackley, UK
Standard User behuk
(learned) Sun 31-Dec-23 13:18:13
Re: DNS servers.
[re: smouty]

In reply to a post by smouty:
In reply to a post by jchamier:
Exactly, with some services if you use your ISP hosted DNS you get faster performance.


Which is fine if you do not mind them harvesting your browsing habits and selling the data on.

Unbound is best for privacy but not so easy to set up for people with a consumer type router.


How does Unbound prevent your ISP from harvesting DNS queries -- you'll be making unencrypted queries to the authoritative nameservers, which your ISP could snoop on if they wanted. If you don't trust your ISP, wouldn't one of the forms of encrypted DNS be better?
Standard User TinyMongomery
(eat-sleep-adslguide) Sun 31-Dec-23 14:43:14
Re: DNS servers.
[re: Andrue]

Exactly.

--------------------------------------------------------------
Be the person your dog thinks you are.
Standard User jchamier
(eat-sleep-adslguide) Sun 31-Dec-23 15:45:06
Re: DNS servers.
[re: behuk]

In reply to a post by behuk:
How does Unbound prevent your ISP from harvesting DNS queries -- you'll be making unencrypted queries to the authoritative nameservers, which your ISP could snoop on if they wanted. If you don't trust your ISP, wouldn't one of the forms of encrypted DNS be better?

Or a router that does encrypted from your home to internet, and lets really basic appliances (e.g. your DVD player) query the router over unencrypted DNS.

24 years of broadband connectivity since 1999 trial - Live BQM
Standard User smouty
(committed) Sun 31-Dec-23 22:02:47
Re: DNS servers.
[re: behuk]

In reply to a post by behuk:
How does Unbound prevent your ISP from harvesting DNS queries -- you'll be making unencrypted queries to the authoritative nameservers, which your ISP could snoop on if they wanted. If you don't trust your ISP, wouldn't one of the forms of encrypted DNS be better?


Unbound can be encrypted if the root server supports it.
DNS should be more secure if only for integrity rather than the privacy it offers as well.

OPNSense on Topton N100 - SWISH Fibre 900
PiHole/AdGuard home - Unifi for Wifi
My Broadband Ping