
Use other DNS servers than your ISP's - bigbugbag
http://www.chaz6.com/files/resolv.conf
======
chimeracoder
I see that Level 3 is on the list. Please don't use Level 3 DNS[0].

They have no obligation to provide DNS services except to Level 3
customers[1], they don't like providing those services, and they have been
known to hijack DNS requests to inject ads and other services[2] for
unauthorized users.

[0] [http://www.tummy.com/articles/famous-dns-server/](http://www.tummy.com/articles/famous-dns-server/)

[1] And if you're a Level 3 customer, you're probably not using this list

[2] [http://james.bertelson.me/blog/2014/01/level-3-are-now-hijac...](http://james.bertelson.me/blog/2014/01/level-3-are-now-hijacking-failed-dns-requests-for-ad-revenue-on-4-2-2-x/)

~~~
userbinator
See this post, where the VP of Level 3 says they're providing open DNS:
[http://blog.level3.com/level-3-network/a-flawed-study-of-cdn...](http://blog.level3.com/level-3-network/a-flawed-study-of-cdns-and-dns/)

The request hijacking briefly appeared earlier this year, but they seem to
have stopped doing it.

------
bigbugbag
WARNING: This config file is not to be used as is. Read it attentively and
only activate a handful of servers from the list.

------
alternize
can someone explain why using your ISP's DNS server is not recommended as
hinted by the submission's title?

seems to me that it really depends on the service quality of the ISP. if
you're lucky and have a good ISP, wouldn't using its servers be faster (less
hops)? are there other arguments for using different servers?

~~~
justizin
EDIT: fixed DNS IP.

Technically, there may be an advantage to using a 'closer' DNS server with
'less hops', but many national ISPs don't push DNS servers to all POPs. DNS
infrastructure at large ISPs tends to be heavily loaded and is scaled based on
demand.

It's common, and many wifi routers do this for you by default, to run a local
caching nameserver which uses some other ISP nameservers as 'forwarders'. You
create less demand upstream as well as getting faster response if you do this.

Obviously you should also be concerned about creating load on DNS services
provided by someone you have no relationship with. Some might even consider it
rude.

In addition to OpenDNS, Google runs free DNS servers at 8.8.8.8 and 8.8.4.4,
but obviously there are concerns with relying upon Google to provide all of
the internet's infrastructure.

What we should really all be talking about is decentralized, peer-to-peer DNS,
or a system of forwarders we all provide from places like Linode and
DigitalOcean, both of which I've used to provide off-site secondary and
tertiary DNS for large networks. We should be looking at NameCoin, not just
leeching off some other random ISP.

~~~
mclarke
8.8.4.4 should be the second google ip address.

~~~
justizin
thanks, fixed.

------
dfc
Personally I think that the only reasonable choice for DNS is to use a local
caching dns like unbound or dnscache.
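A minimal unbound configuration for the local caching resolver that dfc and justizin describe, added here as an example (it is not from the thread or from the linked resolv.conf). The LAN address and range are assumptions; the forwarder addresses are the Google ones named in the thread.

```conf
server:
    # Listen on loopback and the LAN side only. A recursive resolver that
    # answers the whole Internet is an open resolver and an amplifier.
    interface: 127.0.0.1
    interface: 192.168.1.1          # assumed LAN address of the router
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Validate DNSSEC locally so a forwarder cannot quietly substitute
    # answers for signed zones (unsigned zones are still unprotected).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Refresh popular names before they expire; fewer upstream queries.
    prefetch: yes
    hide-identity: yes
    hide-version: yes

# Send cache misses to a handful of upstream resolvers. Remove this block
# entirely to resolve from the root servers instead of forwarding.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

Run `unbound-checkconf` after editing; the trust anchor file is created with `unbound-anchor` on most distributions.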

~~~
bigbugbag
I concur, but this raises a quite serious issue due to the suboptimal way DNS
is designed. If it was a common and global practice and everyone on the
Internet ran his/her own local unbound dns cache, how would the root DNS
servers fare with the additional load?

A better solution would be to have a distributed p2p DNS instead of the
current one.

~~~
justizin
DNS is designed to keep the root server load relatively low, and before there
were "ISPs", yes, DNS was designed for every "network" to have at least one
DNS server. Before that, you see, everyone just exchanged copies of a massive
/etc/hosts file.

Anyway, I am totally all for a distributed p2p DNS, at least as a replacement
for root servers.

~~~
simoncion
> Anyway, I am totally all for a distributed p2p DNS

DNS _is_ a distributed, p2p system. The ability to add records that can be
globally retrieved is not ad-hoc, but you didn't mention that in your
requirement. </obligatory_pedantry>

------
sp332
Doesn't have the Swiss Privacy Foundation servers.
[http://www.privacyfoundation.ch/de/service/server.html](http://www.privacyfoundation.ch/de/service/server.html)
77.109.138.45, 77.109.139.29

Rough translation of the reason some of it is crossed-out: _Due to a software
error, DNSSEC validation is currently disabled. The DNS server with the IP
address 87.118.85.241 is (currently) no longer available. In the future, there
will certainly be three servers again._

------
Florin_Andrei
One of the advantages of having a Linux front router on your home network is
the ability to run your own caching nameserver for the whole network.

And if you install a VPN server there, and VPN clients on your mobile
equipment, then you can also access that nameserver from anywhere.

------
Pwntastic
you can use namebench[0] to help decide which dns server to use. it will run
speed tests against various servers and give you some insight into them.

[0] [https://code.google.com/p/namebench/](https://code.google.com/p/namebench/)

------
therealmarv
One of the best approaches I know is to use something like dnscrypt with e.g.
OpenDNS. It bypasses the DNS more easily by not using a typical DNS port.

------
jedisct1
And a list of servers supporting DNSCrypt, to authenticate queries and
responses sent to the resolvers: [https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscr...](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv)

Some of these support DNSSEC and Namecoin.

------
steanne
for verizon, replace the last octet with 14 to opt out of verizon's landing
pages for unresolved domains.

[http://www.verizon.com/support/residential/internet/highspee...](http://www.verizon.com/support/residential/internet/highspeedinternet/troubleshooting/network/questionsone/99051.htm)
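The NXDOMAIN hijacking raised for Level 3 and the Verizon landing pages above can be checked for directly: a resolver asked for a name that cannot exist must answer NXDOMAIN, and a NOERROR reply carrying an A record means it substituted its own. The script below is an added example, not from the thread; it uses only the standard library, and the sample replies it tests against are constructed inline (the `fake_response` helper and the 198.51.100.7 address are not anything a real resolver returned).

```python
import secrets
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def build_query(name, txid=None):
    """Encode a recursive A query for `name` in DNS wire format (RFC 1035)."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data):
    """Return (txid, rcode, answer_count) from the 12-byte DNS header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    return txid, flags & 0x000F, ancount

def looks_hijacked(query, response):
    """True when a name that cannot exist came back NOERROR with answers,
    i.e. the resolver replaced NXDOMAIN with its own 'landing page' record."""
    txid, rcode, ancount = parse_header(response)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch; ignore this reply")
    return rcode == RCODE_NOERROR and ancount > 0

def fake_response(query, rcode, answer_ip=None):
    """Constructed replies for offline testing: an honest NXDOMAIN, or the
    NOERROR-plus-A-record that a hijacking resolver would send."""
    ancount = 1 if answer_ip else 0
    body = query[12:]  # echo the question section back
    if answer_ip:
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)  # ptr to qname, A, IN, TTL, rdlen
        body += bytes(int(o) for o in answer_ip.split("."))
    flags = 0x8180 | rcode  # QR, RD, RA set
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + body

def check_resolver(resolver_ip, timeout=3.0):
    """Live check (needs network): does the resolver answer a random name that cannot exist?"""
    query = build_query(secrets.token_hex(8) + ".com")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        response, _ = s.recvfrom(512)
    return looks_hijacked(query, response)
```

`check_resolver("8.8.8.8")` returns False for a well-behaved resolver; a True result is the behaviour the thread complains about.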

------
X-Istence
Great resource if you want to start a DNS reflection attack ;-)

Sorry, that's a terrible joke, let's hope people filter egress traffic with
IPs that don't match their network from their ISP's.

