Standard User stuorguk (member) Tue 24-Dec-13 21:53:31
Re: Open DNS blocking some BBC DNS addresses
[re: deleted]
Also this: https://www.grc.com/dns/benchmark.htm
It can also find the fastest DNS servers for you. Takes ages, so leave it running overnight.
Standard User Pipexer (eat-sleep-adslguide) Tue 24-Dec-13 22:02:03
Re: Open DNS blocking some BBC DNS addresses
[re: deleted]
The reasons you mention are exactly why I went with this setup indeed; when you unravel it logically, on performance grounds, it makes sense to do it that way. Except I don't use Facebook and Twitter though wink

I actually benchmarked it using the GRC tool at the time too; the differences were quite non-trivial when using root hints compared to a forwarder. I tried a few ISPs' forwarders actually and most of them were still quicker than using root hints. The main reason is going to be geographical: using root hints is going to result in lots more queries to the US and other countries. Like you say, using Zen as a forwarder, most of them will be cached, and if it does need to go and grab a new one, it is better their server in a datacentre doing the legwork contacting DNS servers around the world etc. rather than my 8Mbps ADSL connection.

And yes, the most important assumption is that Zen are running their DNS servers properly. So far I've not seen anything to the contrary, but if they do pull any stunts like redirection, filtering, etc. I would be the first to move it away, rest assured!

If both of Zen's forwarders aren't available, mine is set to fall back to root hints, though if both of Zen's DNS servers were down there is a good chance my broadband connection with them might also be too tongue

I also run DHCP on that server too... Things just work so much nicer.

Zen 8000 Pro

Edited by Pipexer (Tue 24-Dec-13 22:11:37)

Standard User deleted (deleted) Tue 24-Dec-13 22:56:45
Re: Open DNS blocking some BBC DNS addresses
[re: Pipexer]
Good ideas there, so I've gone with them. smile

I run dnsmasq on my Linux router. I've reworked that with a list of forwarding nameservers it should use (AAISP in this case, both IPv4 and IPv6 addresses). On the end of those, I've stuck ::1 and 127.0.0.1 as a fallback (my root/hint caching server, which is unbound, bound to the IPv4 and IPv6 localhost interfaces of the router).

So the upshot is, dnsmasq will now query AAISP DNS servers, and cache results. If they go down, it will fall back to unbound (root/hint caching server), by querying on the localhost interfaces.

I also have some other funky custom firewall configuration which I've applied onto the router. Anything on port 53 is caught and is redirected to dnsmasq. So if I have some nasty piece of malware that decides to try and take over a device by placing malicious DNS server entries into the device, that will get caught and redirected to dnsmasq on the router, regardless of what those malware DNS servers are. A nice safety net to have, I reckon.

I also have some further fancy custom configuration where I can, on a per-client MAC address basis, round-robin forward requests (directly using the Linux firewalling sub-system this time) to one or more DNS servers. So for example, I can force my iPhone to use OpenDNS (round-robining requests to all 4 IP addresses they have) and have my laptop forced to use Google DNS. Basically, I can customise each device to use whatever DNS service is required. I suspect not many people have this level of granularity, but it is a pretty cool feature. wink
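The three pieces described in the post above (a dnsmasq forwarder list with localhost fallback to unbound, per-MAC round-robin DNAT, and a catch-all port-53 redirect) can be expressed as a small generator script. This is an added example, not the poster's own configuration: the interface name, the MAC addresses, the ISP resolver addresses (RFC 5737/3849 documentation ranges) and the environment-variable names are assumptions. It prints the dnsmasq fragment and the iptables commands by default; passing `apply` pipes the rules into a shell, which needs root and iptables.

```shell
#!/bin/sh
# Added example (not the poster's config): generate dnsmasq + iptables rules
# for "ISP forwarders, fall back to local unbound, per-MAC round robin,
# catch-all redirect of port 53 to the router's dnsmasq".

LAN_IF="${LAN_IF:-br0}"                              # assumed LAN bridge interface
ISP_DNS="${ISP_DNS:-2001:db8::53 192.0.2.53}"        # placeholder ISP resolvers (doc ranges)
PHONE_MAC="${PHONE_MAC:-02:00:00:00:00:01}"          # hypothetical phone MAC
LAPTOP_MAC="${LAPTOP_MAC:-02:00:00:00:00:02}"        # hypothetical laptop MAC
OPENDNS="${OPENDNS:-208.67.222.222 208.67.220.220}"  # OpenDNS resolvers; extend to all four
GOOGLE_DNS="${GOOGLE_DNS:-8.8.8.8 8.8.4.4}"          # Google Public DNS

# 1. dnsmasq: forward to the ISP first, fall back to unbound on ::1/127.0.0.1.
#    strict-order makes dnsmasq honour the listed order instead of preferring
#    whichever server answered fastest; except-interface=lo keeps dnsmasq off
#    lo:53 so unbound can listen there on the same port.
dnsmasq_conf() {
    printf 'no-resolv\nstrict-order\n'
    for s in $ISP_DNS; do printf 'server=%s\n' "$s"; done
    printf 'server=::1\nserver=127.0.0.1\n'
    printf 'interface=%s\nbind-interfaces\nexcept-interface=lo\n' "$LAN_IF"
}

# 2. Per-MAC round robin over N resolvers (IPv4). The statistic match keeps a
#    counter per rule, so the ladder "every N, every N-1, ..., unconditional"
#    sends 1/N of the packets reaching the ladder to each server.
rr_rules() {  # usage: rr_rules <mac> <server>...
    mac=$1; shift
    n=$#
    for srv in "$@"; do
        for proto in udp tcp; do
            base="iptables -t nat -A PREROUTING -i $LAN_IF -m mac --mac-source $mac -p $proto --dport 53"
            if [ "$n" -gt 1 ]; then
                echo "$base -m statistic --mode nth --every $n --packet 0 -j DNAT --to-destination $srv:53"
            else
                echo "$base -j DNAT --to-destination $srv:53"   # last rung: no match needed
            fi
        done
        n=$((n - 1))
    done
}

# 3. Catch-all, appended after the per-device rules: whatever resolver a client
#    (or malware on it) has configured, its port-53 traffic lands on dnsmasq.
catchall_rules() {
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
}

all_rules() {   # order matters: specific DNAT rungs must precede the REDIRECT
    rr_rules "$PHONE_MAC" $OPENDNS
    rr_rules "$LAPTOP_MAC" $GOOGLE_DNS
    catchall_rules
}

case "${1:-print}" in
    apply) all_rules | sh -e ;;
    *)     dnsmasq_conf; echo; all_rules ;;
esac
```

Two caveats worth knowing before relying on this as the "safety net" the post describes: the REDIRECT only catches classic DNS on port 53, so a client using DNS over HTTPS or TLS to a third-party resolver bypasses it entirely; and the DNAT rungs here are IPv4 only, so an equivalent ip6tables ladder is needed for clients that resolve over IPv6.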

