|
|
I lost connectivity about an hour ago and a bit of detective work tied it down to PlusNet DNS servers being down. My Hub2 was set to allocate DNS servers automatically so, having managed eventually to find where I could change the setting to manual, I've set 8.8.8.8 as my primary server so I'm back online.
This made me wonder what other people do, what do others prefer?
|
|
|
9.9.9.9 for Quad 9
https://www.quad9.net/
Or 1.1.1.1 for Cloudflare
https://1.1.1.1/dns/
I avoid google (8.8.8.8) for privacy reasons.
24 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Cloudflare 1.1.1.1
Tim
talktalkbusiness.net & freenetname
Asus RT-AC68U and ZyXEL VMG1312-B10A Bridge on 80/20 Meg Fibre
Speed Test
Highest Sync: 79993/19661
BQM
|
|
|
|
|
A combination of Quad9 and OpenDNS, Both have dual-stack support (servers operating on IPv6 and IPv4 addresses) and both can optionally provide a basic level of blocking on known malware domains by filtering the DNS results returned.
I try to avoid relying on a single DNS provider, but if you are a registered user customising their DNS blocking you may need to do this.
I mostly only configure DNS at the network (router or DHCP server) level rather than per device, as I expect devices to request their DNS config from the network (DHCP and/or RDNSS).
When using VPN tunnels to other systems I factor in whether only certain domains should be queried to a remote LAN DNS server over the tunnel, such as where it's a private DNS namespace (e.g. Split DNS).
A router or gateway device is often best placed to determine whether a particular DNS query should use a LAN server or forward to an external service or use the root servers, unless you have a dedicated DNS server on your LAN.
Note that indiscriminately setting all your individual devices to use an external DNS service may result in lookups for your LAN hostnames or FQDNs being inadvertently visible to the wider Internet, unless your router filters outgoing DNS requests for private resources.
For similar reasons it's important for users on domain-joined work computers not to mess with their DNS settings as they almost always need to favour domain-controlled DNS services so that internal services resolve correctly and without timeouts.
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Edited by prlzx (Mon 15-Jan-24 20:59:26)
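The routing decisions described in the post above (LAN zones to a LAN server, a split-DNS zone over the tunnel, everything else to a public resolver, and never letting private names or RFC 1918 reverse lookups leak upstream) as an added worked example in Python. This is not code from the thread or from any router firmware; the zone names, server addresses and private suffixes are constructed for the illustration.

```python
import ipaddress

# Constructed example topology (assumed for this illustration, not from the thread):
LAN_ZONES = {"corp.example": "10.0.0.53"}        # private namespace served by a LAN DNS server
VPN_ZONES = {"lab.example.net": "10.8.0.1"}      # split DNS: only this zone crosses the tunnel
UPSTREAM = ["9.9.9.9", "208.67.222.222"]         # Quad9 and OpenDNS, as in the post above

# Suffixes that never make sense to send to a public resolver.
PRIVATE_SUFFIXES = (".local", ".internal", ".home.arpa", ".lan")


def reverse_is_private(qname):
    """True when qname is a PTR lookup for an RFC 1918 / ULA / loopback / link-local address."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]                  # wire order is reversed; flip it back
        if not 1 <= len(octets) <= 4:
            return False
        octets += ["0"] * (4 - len(octets))         # partial zone such as 10.in-addr.arpa
        try:
            return ipaddress.IPv4Address(".".join(octets)).is_private
        except ValueError:
            return False
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = "".join(labels[:-2][::-1])
        if not 1 <= len(nibbles) <= 32:
            return False
        try:
            return ipaddress.IPv6Address(int(nibbles.ljust(32, "0"), 16)).is_private
        except ValueError:
            return False
    return False


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def route_query(qname):
    """Decide where a forwarder should send a query.

    Returns one of:
      ("lan", server)       - private namespace, ask the LAN DNS server
      ("vpn", server)       - split DNS, ask the remote LAN server over the tunnel
      ("refuse", None)      - private name or private reverse lookup that must not leak upstream
      ("upstream", servers) - everything else goes to the public resolvers
    """
    name = qname.rstrip(".").lower()
    for zone, server in LAN_ZONES.items():
        if in_zone(name, zone):
            return ("lan", server)
    for zone, server in VPN_ZONES.items():
        if in_zone(name, zone):
            return ("vpn", server)
    if name.endswith(PRIVATE_SUFFIXES) or reverse_is_private(name):
        return ("refuse", None)
    return ("upstream", UPSTREAM)


if __name__ == "__main__":
    for q in ["fileserver.corp.example.", "build.lab.example.net", "nas.local",
              "5.0.0.10.in-addr.arpa", "8.8.8.8.in-addr.arpa", "www.example.com"]:
        print(f"{q:28} -> {route_query(q)}")
```

The "refuse" branch is the check the post warns about: a forwarder that sends `nas.local` or `5.0.0.10.in-addr.arpa` to a public resolver tells the wider Internet about your LAN for no benefit. Real forwarders such as unbound or dnsmasq express the same policy with local-zone and forward-zone directives; the function above is just the decision logic in one place.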
|
|
|
Ta everyone. Avoiding a single source seems sensible and the way to go so I've opted for Quad9 and Cloudflare.
|
|
|
|
Note that quad9 does Malware filtering. You can get the equivalent service from Cloudflare by using 1.1.1.2. Or if you use 1.1.1.3 then you get malware + "adult content" filtering.
|
|
|
Self-hosted Bind 9 server in the cloud, I connect via dns-over-https. Un-filtered queries forwarded to VM's resolver and returned to me, filtered queries return nxdomain.
Annoyingly I can only use it for web browsers due to Windows 10's lack of DoH support, but browsing is 99% of my queries anyway. Windows is using Google DNS due to Sky's lack of DNSSEC support on their resolvers.
Oliver.
|
|
|
|
I noticed yesterday when Plusnet DNS went pop that the default IP lease time in the Hub 2 is 1 day, which means waiting a long time for devices to automatically pick up the new DNS servers (that's if you don't want to run round to each device). I have reduced the lease time down to 1 hour so I can have a coffee and relax.
|
|
|
|
Cloudflare 1.1.1.1 for me after last September's PN outage. My wife lost her connection last night so I switched her PN to 1.1.1.1 and connected at once. These downtimes were the first in many years with Plusnet, I wonder are its systems being wound down in preparation for switch to BT/EE?
|
|
|
These downtimes were the first in many years with Plusnet
Same here. I've always just stuck with the automatic settings until now on the basis of 'if it aint broke.....' and it was a very easy fault to diagnose so no harm done.
|
|
|
Cloudflare 1.1.1.1
Same for me.......
|
|
|
Filter Mode: Fast DNS
Service Name: Google
DNS Server: 8.8.8.8, 8.8.4.4
Set on the router.
edit:
But after reading this thread I'm going to start using 1.1.1.1 as I've not tried before.
Edited by BuckleZ (Tue 16-Jan-24 13:31:37)
|
|
|
Annoyingly I can only use it for web browsers due to Windows 10's lack of DoH support, Any use?
https://winaero.com/how-to-enable-dns-over-https-in-...
24 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Any use?
https://winaero.com/how-to-enable-dns-over-https-in-...
Sadly not, DoH in Windows 10 never left preview, and was dropped altogether in Windows 10 when Windows 11 came along.
Oliver.
|
|
|
This is why, if you can, you run your DNS on your router or pihole etc and all clients point to that.
OPNSense on Topton N100 - SWISH Fibre 900
PiHole/AdGuard home - Unifi for Wifi
My Broadband Ping
|
|
|
This is why, if you can, you run your DNS on your router or pihole etc and all clients point to that.
I prefer my cloud-hosted solution. At the very least, resolving DNS locally has privacy implications, since all recursive DNS requests are sent in the clear to every nameserver you need to use to resolve something.
Oliver.
|
|
|
Sadly not, DoH in Windows 10 never left preview, and was dropped altogether in Windows 10 when Windows 11 came along.
DoH is available on Windows 10 here.
|
|
|
|
Windows 10 Home and it doesn't appear to be available. May only be applicable to grown up versions of W10.
|
|
|
DoH is available on Windows 10 here.
I'm using Win10 build 19045 according to winver, and DoH only became available from the now discontinued build 19628.
Which build are you using?
Oliver.
|
|
|
DoH is available on Windows 10 here.
I'm using Win10 build 19045 according to winver, and DoH only became available from the now discontinued build 19628.
Which build are you using?
Oh my 😂
Not as old as 19628 but it's a 21H1 insider release 🤦🏻♂️
Don't know if this old laptop will take Windows 11.
|
|
|
Not as old as 19628 but it's a 21H1 insider release 🤦🏻♂️
I would urge caution then, since Win10 builds 19044 and 19045 are the only ones receiving security updates. 19045 is the final build before retirement.
Oliver.
|
|
|
9.9.9.9 for Quad 9
https://www.quad9.net/
Or 1.1.1.1 for Cloudflare
https://1.1.1.1/dns/
I avoid google (8.8.8.8) for privacy reasons.
Very wise move imo.
|
|
|
|
I was using Cloudflare 1.1.1.1 and 1.0.0.1 until yesterday, when Cloudflare started dropping.
I was getting about 3% packet loss initially, but it's now up to 14%.
I switched to a hybrid: Quad9 9.9.9.9 as primary with Cloudflare 1.0.0.1 as secondary.
|
|
|
I switched to a hybrid: Quad9 9.9.9.9 as primary with Cloudflare 1.0.0.1 as secondary.
I'm interested to know why you went for 1.0.0.1 for your secondary and not 1.0.0.2 or 1.1.1.2, as I thought that was the Cloudflare equivalent of 9.9.9.9.
|
|
|
I switched to a hybrid: Quad9 9.9.9.9 as primary with Cloudflare 1.0.0.1 as secondary.
Secondary servers are only used if the first does not respond at all.
24 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Secondary servers are only used if the first does not respond at all.
Not in my experience. I just packet monitored port 53 while firing some dns queries off via ping requests, and the lookups were spread evenly across both servers defined in Windows.
Oliver.
|
|
|
Secondary servers are only used if the first does not respond at all.
Not in my experience. I just packet monitored port 53 while firing some dns queries off via ping requests, and the lookups were spread evenly across both servers defined in Windows.
A few routers I've checked in the past load balanced across all DNS servers but I can't say that's always the behaviour of all routers/devices.
|
|
|
there is also https://dns.watch for anyone interested (not very fast I think)
|
|
|
Not in my experience. I just packet monitored port 53 while firing some dns queries off via ping requests, and the lookups were spread evenly across both servers defined in Windows.
That's interesting.... I wonder if MS has changed behaviour in a recent IP stack.
24 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
That's interesting.... I wonder if MS has changed behaviour in a recent IP stack.
Certainly possible, I couldn't find any official docs on what the behaviour is meant to be.
Oliver.
|
|
|
This is why, if you can, you run your DNS on your router or pihole etc and all clients point to that.
I prefer my cloud-hosted solution. At the very least, resolving DNS locally has privacy implications, since all recursive DNS requests are sent in the clear to every nameserver you need to use to resolve something.
Forgive the belated reply, my account was accidentally deleted and now kindly restored by staff.
Your reply assumes the local resolver must run recursively. If you run BIND, you know it's a recursive resolver - or at least that's a primary use-case for it. Running DNS locally, one can instead use a stub resolver and/or a forwarding resolver such as stubby, dnscrypt-proxy, unbound (with forwards to TLS upstream, not recursively), knot-resolver, blocky, AdGuardHome, Pi-Hole, Technitium, powerdns, systemd-resolved and a multitude of others. Any of these will mitigate the privacy issue, as they use any or a mixture of DoH, DoT, DoQ et al on the upstream.
I have two VPS (for redundancy) running *BSD, which themselves forward to encrypted resolvers as well as serving clients over encrypted DNS. All our family devices connect to that, except on the LAN. Locally, I have authoritative and forwarding DNS running on (again) two separate servers for redundancy - Rocky Linux (Proxmox) and Debian (Rock 5 model B).
Just don't forget that, even with encrypted DNS, one needs to be mindful of the client hello. This can be encrypted also, but support is limited to some Cloudflare sites at present. Even with encrypted DNS, the client hello can and will give away your browsing to your ISP. With encrypted client hello (ECH), the ISP is clueless about the SNI of the endpoint. If that's a single IP hosting a single known server, that's not so helpful. If it's Cloudflare, or another large CDN, it becomes basically impossible to tell which site the target (you) visited, because all they have is a CDN IP, encrypted DNS and encrypted client hello. You can see this for yourself in `wireshark`, which is always fun.
Sorry if any of this is teaching you to suck eggs. Your reply suggested you weren't aware, but on further reflection perhaps your choice of words in 'resolving dns locally' was very deliberate.
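What the post above means by the client hello giving away your browsing, as an added example in Python (not code from the thread or from Wireshark): it constructs a minimal TLS ClientHello record, then parses it the way a passive observer on the ISP link would, pulling out the plaintext SNI and noting whether an encrypted_client_hello extension is present. The hostnames, the zeroed random bytes and the dummy ECH payload are constructed; the extension code point 0xfe0d is the one used by the ECH drafts.

```python
import struct

SERVER_NAME_EXT = 0x0000
ECH_EXT = 0xFE0D   # encrypted_client_hello code point used by the ECH drafts


def build_client_hello(sni, ech=False):
    """Construct a minimal TLS 1.3-style ClientHello record for the demo (not a real capture)."""
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    if ech:
        payload = bytes(16)   # stands in for the encrypted inner ClientHello (constructed)
        exts += struct.pack("!HH", ECH_EXT, len(payload)) + payload
    body = (b"\x03\x03" + bytes(32)               # legacy_version, random (zeros here)
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # legacy_compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return what a passive observer can read: the plaintext SNI and whether ECH is present.

    Handles a single uncompressed record; a real capture may split the hello across records.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # legacy_compression_methods
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    seen = {"sni": None, "ech": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == SERVER_NAME_EXT:
            q = 2                                   # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    seen["sni"] = data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        elif etype == ECH_EXT:
            seen["ech"] = True
    return seen


if __name__ == "__main__":
    # Without ECH the real hostname is on the wire; with ECH only the CDN's public name is.
    print("plain :", parse_client_hello(build_client_hello("www.example.com")))
    print("ECH   :", parse_client_hello(build_client_hello("public-name.example", ech=True)))
```

The second case is the point of the post: with ECH the outer hello still carries an SNI, but it is the CDN's shared public name, so the observer is left with a CDN address, an encrypted DNS lookup and an encrypted inner hello. Zeek and Suricata log exactly the field this parser extracts, which is why SNI logging is a staple of network monitoring on both sides.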
|
|
|
Sorry if any of this is teaching you to suck eggs. Your reply suggested you weren't aware, but on further reflection perhaps your choice of words in 'resolving dns locally' was very deliberate.
Yes. I am aware DNS servers can forward queries, in fact this is exactly how my BIND server in the cloud functions, queries not blocked by the response policy zone are forwarded to the cloud provider's resolver.
Everything you say is sound advice, and I fully agree that ECH is the missing piece of the privacy jigsaw that needs widespread adoption.
Oliver.
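The "filtered queries return nxdomain" behaviour from Oliver's self-hosted BIND posts (the DoH server earlier in the thread and the response policy zone mentioned just above), as an added toy emulation in Python. This is not BIND's RPZ code and not anything from the thread: it parses a DNS query in wire format, matches the name and its parents against a constructed blocklist, and either synthesises an NXDOMAIN response or hands the query back for forwarding. The blocklist entries and the transaction id are constructed; the forwarding leg to the upstream resolver is left out so it runs offline.

```python
import struct

# Constructed RPZ-style blocklist (assumed for this example): a listed domain and
# everything below it answers NXDOMAIN, like RPZ rules for "name" plus "*.name".
BLOCKED = {"malware.example", "tracker.example.net"}

NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode an uncompressed name starting at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length >= 0x40:
            raise ValueError("compressed or malformed label in question section")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, qtype=1, txid=0x1234):
    """Build a client query for the demo (A record, class IN, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def is_blocked(name):
    """Match the name and every parent domain against the blocklist."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKED for i in range(len(parts)))


def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def handle_query(packet):
    """Return ("nxdomain", response_bytes) for blocked names, else ("forward", name).

    A real forwarder relays the "forward" case unchanged to its upstream (over UDP,
    DoT or DoH) and returns that answer; BIND's RPZ NXDOMAIN also adds an SOA in the
    authority section, which is omitted here.
    """
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = decode_name(packet, 12)
    question = packet[12:end + 4]          # name + QTYPE + QCLASS, echoed back verbatim
    if not is_blocked(name):
        return ("forward", name)
    # QR=1 (response), keep OPCODE and RD from the query, set RA=1, RCODE=NXDOMAIN
    rflags = 0x8000 | (flags & 0x7900) | 0x0080 | NXDOMAIN
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return ("nxdomain", header + question)


if __name__ == "__main__":
    for q in ["www.malware.example", "cdn.tracker.example.net", "www.example.com"]:
        action, payload = handle_query(build_query(q))
        detail = "" if action == "forward" else f"(rcode={rcode(payload)})"
        print(f"{q:26} -> {action} {detail}")
```

Matching parents as well as the exact name is what makes a single blocklist entry cover the throwaway subdomains malware distribution tends to use; the transaction id and question are copied back so the client accepts the synthesised answer as a reply to its own query.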
|
|
|
I switched to a hybrid: Quad9 9.9.9.9 as primary with Cloudflare 1.0.0.1 as secondary.
Secondary servers are only used if the first does not respond at all.
That isn't true.
|
|
|
That isn't true.
Windows aids the confusion: in the classic control panel the servers are labelled as "preferred" and "alternative", which is not the case, as neither server is preferred.
No such distinction is made within the modern settings panel.
Edit: my mistake, when editing the settings rather than viewing, the labels are still there. So the confusing labels are still there.
Edit2: and to make matters worse, my second IPv6 DNS server is present in the classic settings but missing in the modern settings. What a bugfest Windows is these days.
Oliver.
Edited by Oliver341 (Fri 23-Feb-24 09:49:31)
|
|
|
That isn't true.
It seems not true today, but it was a few years ago on a few different OSes, as I had real issues with a customer. The problem seems to be some resolvers stop on the first NXDOMAIN they receive, rather than waiting for responses from all and giving you the IP.
24 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
That isn't true.
Windows aids the confusion: in the classic control panel the servers are labelled as "preferred" and "alternative", which is not the case, as neither server is preferred.
No such distinction is made within the modern settings panel.
Edit: my mistake, when editing the settings rather than viewing, the labels are still there. So the confusing labels are still there.
Edit2: and to make matters worse, my second IPv6 DNS server is present in the classic settings but missing in the modern settings. What a bugfest Windows is these days.
The modern interface for setting networking parameters is garbage, it also lies often about the settings. It's best avoided.
|
|
|
The problem seems to be some resolvers stop on the first NXDOMAIN they receive, rather than waiting for responses from all and giving you the IP.
Nothing wrong with stopping on receipt of NXDOMAIN, that is a valid result.
Oliver.
|
|
|
The modern interface for setting networking parameters is garbage, it also lies often about the settings. It's best avoided.
It should be embarrassing to MS that so many legacy control panels still exist because the modern ones are so bad.
Oliver.
|
|
|
|
Just chipping in my vote.
Cloudflare malware blocking built in
Malware Blocking
Primary DNS: 1.1.1.2
Secondary DNS: 1.0.0.2
For IPv6 use:
Malware Blocking
Primary DNS: 2606:4700:4700::1112
Secondary DNS: 2606:4700:4700::1002
|
|
|
Just chipping in my vote.
Cloudflare malware blocking built in
If you genuinely want malware blocking, look elsewhere. Cloudflare's "family" service has long been poor at blocking known malware compared to the competition. For example, this test checked a live list of 163,196 known malware sites. Cloudflare blocked a paltry 6.31% of them(!), Quad9 blocked 84.61%, and ControlD Malware blocked 99.94%.
If you run your own DNS, consider adding Hagezi's TIF (Threat Intelligence Feeds) list.
|
|
|
ControlD Malware blocked 99.94%.
Control D could do with better peering. There are no intermediate hops between my ISP and Cloudflare, Google and Quad9, the same is not true for Control D.
Oliver.
Edited by Oliver341 (Fri 01-Mar-24 10:05:07)
|
|
|
I've started using NextDNS and although it lacks some of the features of Control D, I like the interface better and it is only £18/yr.
OPNSense on Topton N100 - SWISH Fibre 900
PiHole/AdGuard home - Unifi for Wifi
My Broadband Ping
|
|
|
I've started using NextDNS and although it lacks some of the features of Control D, I like the interface better and it is only £18/yr.
I've never counted my queries, were you hitting the free 300,000 queries/month limit?
Oliver.
|
|
|
I never checked but I really don’t mind supporting at that sort of price.
OPNSense on Topton N100 - SWISH Fibre 900
PiHole/AdGuard home - Unifi for Wifi
My Broadband Ping
|
|
|
I never checked but I really don’t mind supporting at that sort of price.
Fair enough, indeed how the free DNS services are funded is an interesting question. For instance some have pointed out that Quad9 is partly funded by the City of London Police, who are quite active in chasing people who infringe copyright through PIPCU.
Oliver.
|
|
|
I have around 30k queries a day. Too many IoT/Alexa devices 😩
OPNSense on Topton N100 - SWISH Fibre 900
PiHole/AdGuard home - Unifi for Wifi
My Broadband Ping
|
|
|
|
Averaging around 110,000 queries per day here, but that's a family of 6 plus servers plus homelab plus IoT plus toys.
|
|
|
Ta everyone. Avoiding a single source seems sensible and the way to go so I've opted for Quad9 and Cloudflare.
Unfortunately this is a bad idea, as what one source might block another will let through, so you will get inconsistent DNS results.
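The two threads of argument above (whether a secondary server is only used on failure or shares the load, and why mixing a filtering and an unfiltered resolver gives inconsistent answers) as an added simulation in Python. It is not a measurement of the real services and not code from the thread: the two upstreams are stand-ins, the blocked name and the address are constructed, and the two client strategies model the failover behaviour some posters expected and the even spread Oliver observed on Windows.

```python
from collections import Counter

# Constructed upstreams (assumed for the simulation, not measurements of the real services):
FILTERED_NAMES = {"malware.example"}        # names the filtering resolver refuses
ADDRESS = "203.0.113.10"                    # documentation-range address for every other name


def filtering_resolver(name):
    """Stands in for a malware-filtering service such as Quad9 or 1.1.1.2."""
    return "NXDOMAIN" if name in FILTERED_NAMES else ADDRESS


def plain_resolver(name):
    """Stands in for an unfiltered service such as 1.1.1.1."""
    return ADDRESS


def dead_resolver(name):
    """Stands in for a resolver that has gone down (no reply at all)."""
    return None


def resolve_failover(servers, name, attempt=0):
    """Use the next server only when the previous one gives no answer at all."""
    for server in servers:
        answer = server(name)
        if answer is not None:
            return answer
    return "SERVFAIL"


def resolve_round_robin(servers, name, attempt=0):
    """Rotate the starting server per query, as observed on Windows in the thread."""
    start = attempt % len(servers)
    return resolve_failover(servers[start:] + servers[:start], name)


def observe(strategy, servers, name, queries=10):
    """Tally what a client sees for the same name over repeated queries."""
    return dict(Counter(strategy(servers, name, i) for i in range(queries)))


if __name__ == "__main__":
    mixed = [filtering_resolver, plain_resolver]
    print("failover, mixed, blocked name   :", observe(resolve_failover, mixed, "malware.example"))
    print("round robin, mixed, blocked name:", observe(resolve_round_robin, mixed, "malware.example"))
    print("failover, primary down          :", observe(resolve_failover, [dead_resolver, plain_resolver], "malware.example"))
    print("round robin, mixed, normal name :", observe(resolve_round_robin, mixed, "www.example.com"))
```

With strict failover the filtering primary answers every time and the block holds; with the spread behaviour the same blocked name resolves on roughly half the lookups, which is the inconsistency the post above warns about. Either way, the moment the primary goes down the unfiltered secondary answers everything, so a mixed pair only gives the filtering you think it does while the filtering server is healthy.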
|