
DNS servers that offer privacy and filtering - petercooper
https://danielmiessler.com/blog/dns-servers-you-should-have-memorized/
======
skrause
The best tip is in the sidebar on that page:

> 1.0.0.1 abbreviates to 1.1, so you can literally test by typing "ping 1.1"

~~~
geocar
You can also ping 16843009 and 16777217 -- perhaps less memorable, but if your
dot key is broken…

------
krylon
I know this is not for everyone, but I strongly prefer to run my own recursive
resolver at home. Performance is great, plus I get regular DNS for the
machines on my home network. Also, it was a fun little project. :)

~~~
acranox
That's great and all, but you still need to pick an upstream DNS server. The
conventional advice is to use one of these public services, or your ISP's
resolvers, to avoid hitting the root servers constantly. A lot of services
these days have very short TTLs, so running your own recursive resolver still
causes a lot of requests to get forwarded.

Also, as counterintuitive as it might seem, when I use namebench (
[https://code.google.com/archive/p/namebench/](https://code.google.com/archive/p/namebench/)
) it still says cloudflare and google are faster than my local resolver. (not
by a lot though)

~~~
blattimwind
> That's great and all, but you still need to pick an upstream DNS server.

No, you don't, that's the whole point of a recursive resolver. I've been
running against the root servers and neither query statistics nor observed
performance match frequent issues due to short TTLs, or excessive number of
external queries.

~~~
acranox
In that case you are using the root servers as your upstream. That’s the point
I was trying to make, but I guess I didn’t explain it well. :/

------
nykolasz
I need to point out that Norton DNS has been retired and is not supported
anymore (and never offered any privacy).

"On November 15, 2018, Norton ConnectSafe service is being retired or
discontinued meaning the service will no longer be available or supported. You
may continue to use ConnectSafe until November 15, 2018. However, we do
recommend that you take a moment to review important details related to this
announcement below."

Some alternatives: [https://medium.com/@nykolas.z/norton-connectsafe-dns-is-shut...](https://medium.com/@nykolas.z/norton-connectsafe-dns-is-shutting-down-this-is-what-you-need-to-do-3e70432697d9)

I am actually surprised he didn't mention CleanBrowsing in their list, which I
would recommend as good alternative to Norton and OpenDNS.

------
darrmit
I made the jump to CleanBrowsing a few months ago from OpenDNS because OpenDNS
caches records really aggressively and was just generally stagnant in terms of
feature set. I've been really happy with performance and privacy.

I configured DNScrypt on Tomato and I also use Tomato to redirect all DNS
requests so it can't be bypassed by simply re-pointing DNS. VPN obviously
bypasses it.

[https://cleanbrowsing.org/how-it-works](https://cleanbrowsing.org/how-it-works)

------
auslander
> Logs are kept for 24 hours for debugging purposes, then they are purged

Legalese is a very hard language to learn. Do they keep aggregate data,
_derived_ from those raw logs? It is not said. Trusting Cloudflare? It is a
profit driven company, to start with ...

~~~
zackbloom
I work at Cloudflare. We don't sell data of any form, and we don't keep
anything which could map queries back to the individual who made them.

When we talk about aggregate data it's things like total number of queries
made to 1.1.1.1, number made by AS, and geographic region. Its purpose is only
to show us if people are using 1.1.1.1 and how that changes over time.

------
palijer
DNS servers should not be used as "internet connectivity tests" by pinging
them. They are not maintained as ICMP test servers, and that is not their
purpose. While many do not block ICMP packets, there are typically rate
limiting systems in place, and other reasons why they would not respond to
ping requests.

Pinging DNS servers is a shitty inconclusive test for internet connectivity,
or SLA measurements etc etc.

~~~
johnchristopher
So, what should we ping for testing Internet connectivity ?

~~~
teddyh
There’s ping.sunet.se as maintained by the Swedish University Network (i.e.
the network connecting Swedish Universities; there is no single “Swedish
University”).

~~~
snazz
The advantage of pinging IPs is that you don’t have to have a working DNS
setup to test your connection. If DNS does work, then your connection probably
works, too.

~~~
1_player
In this case one should run "ping -n", otherwise ping will hang trying to
resolve the IP into a hostname, if the DNS is misbehaving or not responding.

~~~
sathackr
What default (included in OS) ping utility tries to reverse-lookup an address
before pinging, and hangs if it can't?

I've never observed this in any version of Windows nor Linux.

------
tyingq
Dnsperf.com is worth a look as well, to compare performance of all of these.

Public DNS resolvers: [https://www.dnsperf.com/#!dns-resolvers](https://www.dnsperf.com/#!dns-resolvers)

DNS services for your own domain:
[https://www.dnsperf.com/](https://www.dnsperf.com/)

------
miyuru
> If you care about privacy and speed and maximum memorability, I recommend
> CloudFlare

I disagree with the speed part, because cloudflare doesn't support EDNS. This
is great for privacy but not for speed.

Here is proof:
[https://pastebin.com/raw/QnbWXU1a](https://pastebin.com/raw/QnbWXU1a)

If he meant speed in the DNS resolution context, I somewhat agree with him.

------
userbinator
Surprised that 4.2.2.x (Level3) is not on the list --- it's also unfiltered
DNS, and run by a company that focuses only on networking.

~~~
Nux
At some point a few years back they started to redirect some of the traffic to
some dodgy ad sites, that's when I stopped using them.

------
wtmt
I used OpenDNS long ago, even though it wasn't as easy to remember as the ones
that came later. Then I shifted to Google DNS and stayed with it, albeit with
some discomfort (even if the policies state it doesn't track, it's still a
leap of faith for me). Then last year I switched to Cloudflare DNS and also
learned about Quad9 DNS.

I haven't done local benchmarking using a tool like namebench for a long time,
and it looks like that tool has not been updated for several years. Any
alternatives for it that are cross platform?

~~~
jlgaddis
> _I haven't done local benchmarking using a tool like namebench for a long
> time, and it looks like that tool has not been updated for several years._

In fairness, the DNS protocol that it's testing hasn't really changed in that
time either. namebench is still sufficient for general testing.

------
3xblah
His blog post pays no mention of users whose DNS queries are being redirected.
Isn't that a privacy concern?

Hotels and ISPs sometimes set up captive portals that intercept and redirect
port 53 to their own choice of DNS servers.

As such, users might want to memorise the addresses of some resolvers that
listen on non-standard ports (not port 53).

A user behind one of these captive portals who pings any of the resolvers in
this blog post will not be pinging those servers; she will be pinging the
hotel/ISP's chosen DNS servers and she may be none the wiser.

~~~
Tor3
In a hotel, the first thing I always do is direct everything through a VPN
server (work or home, depending on what I want to do). Some hotels block UDP;
in that case I switch the VPN to go via TCP port 443. But some hotels (really!)
block port 443. Fortunately not that many anymore.

~~~
3xblah
When you use a home VPN server, is the VPN server running on a computer
located at your home and reachable on the open internet? If yes, do you have
fixed address or do you use dynamic DNS?

~~~
Tor3
I could have set it up at home (the address is stable), but I have a server on
a hosting facility which I use as my "home central".

------
gmac
Another option here is DNS servers that block ads. I can't vouch for the
company itself, but I have found AdGuard DNS reliable and effective, if not
memorable:

176.103.130.130, 176.103.130.131

[https://adguard.com/en/adguard-dns/overview.html](https://adguard.com/en/adguard-dns/overview.html)

~~~
theandrewbailey
Run your own: [https://pi-hole.net/](https://pi-hole.net/)

~~~
gmac
Genuine question: what benefits does this have over using a service provided
for free by someone else? Privacy?

~~~
theandrewbailey
Yes, privacy, plus it's a DNS cache that's running on your local network, so
your DNS resolution is faster. It's also customizable (you can
add/blacklist/whitelist specific domains from the control panel).

------
rndomsrmn
Or set up your own very lightweight filtering and caching DNS at home using
Dnsmasq and [https://github.com/notracking/hosts-blocklists/](https://github.com/notracking/hosts-blocklists/)

------
WiredShark
Quality, latency, and uptime are also factors:

[https://www.dnsperf.com/#!dns-resolvers,World,quality](https://www.dnsperf.com/#!dns-resolvers,World,quality)

------
jcims
Anybody remember 128.146.1.7?

------
tw1010
Do I have to?

~~~
JdeBP
(You are referring to the original title.)

Actually, no. Even if one _does_ accept the premise that one should use these
third-party non-contracted services, challenged elsewhere in this very
discussion, there's no reason that one need have these things _memorized_.
Written in a handy pocketbook, perhaps. But not necessarily _memorized_.

------
sangaya
[https://pi-hole.net/](https://pi-hole.net/) is a project to consider for home
and small business networks that you're looking to protect via DNS without
sending all your requests to a third party.

~~~
snazz
Your requests are still forwarded to a third party with a Pi-hole. They are
sometimes cached and sites you have blocked do not resolve, but choosing a DNS
provider is still required.

~~~
prepend
Only non-cached requests go to a third party. And I don’t think there’s an
easy way to prevent this unless you get a hold of all the zone files and copy
in bulk.

What’s nice about pi-hole is that you get one request to sites like google.com
until the record expires in the cache. If you use 8.8.8.8 as your dns you
might end up requesting the same domain name a bunch of times depending on how
your client caches and how the caching works at 8.8.8.8. So dns will see lots
of requests to the same domain.

~~~
dx034
In a network of just a few computers, are there really that many cached
requests? Local DNS caches will already cache short term and TTL of most
domains is probably too short to get much caching beyond that.

~~~
snazz
Looking at my dnsmasq statistics, only 16.3% of 10,776 queries in the last 24
hours have been answered by the cache. Another 21.7% never left the device,
since they were in the block lists, but that still leaves 62.0% of queries to
be returned by 1.1.1.1 and 1.0.0.1, which is my external DNS provider.

Although this doesn’t count on-client caching, it still seems to back up your
guess and my original comment.
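To reproduce the kind of breakdown snazz quotes (cached vs. blocked vs. forwarded), here is an added example, not code from the thread, that tallies dnsmasq `log-queries` lines; the log sample is constructed, and it assumes blocklist hits appear as dnsmasq's `config ... is 0.0.0.0` lines (Pi-hole's own FTL log format differs).

```python
import re
from collections import Counter

# Constructed sample in dnsmasq's log-queries style (not real traffic).
SAMPLE_LOG = """\
Jan  1 00:00:01 dnsmasq[123]: query[A] www.example.com from 192.168.1.10
Jan  1 00:00:01 dnsmasq[123]: forwarded www.example.com to 1.1.1.1
Jan  1 00:00:01 dnsmasq[123]: reply www.example.com is 93.184.216.34
Jan  1 00:00:05 dnsmasq[123]: query[A] www.example.com from 192.168.1.11
Jan  1 00:00:05 dnsmasq[123]: cached www.example.com is 93.184.216.34
Jan  1 00:00:07 dnsmasq[123]: query[A] ads.example.net from 192.168.1.10
Jan  1 00:00:07 dnsmasq[123]: config ads.example.net is 0.0.0.0
Jan  1 00:00:09 dnsmasq[123]: query[AAAA] www.example.com from 192.168.1.10
Jan  1 00:00:09 dnsmasq[123]: forwarded www.example.com to 1.0.0.1
Jan  1 00:00:09 dnsmasq[123]: reply www.example.com is 2606:2800:220:1::1
"""

# Only the event keyword and the queried name matter for the tally.
_LINE_RE = re.compile(r"dnsmasq\[\d+\]: (query\[\w+\]|cached|forwarded|config) (\S+)")


def summarize(log_text: str) -> dict:
    """Tally how queries were answered: from cache, by a blocklist entry
    ("config"), or by forwarding upstream. Also records which upstream
    resolvers saw traffic, which is the privacy-relevant number."""
    counts = Counter()
    upstreams = Counter()
    for line in log_text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue                      # reply lines and other chatter
        kind = m.group(1)
        if kind.startswith("query"):
            counts["queries"] += 1
        elif kind == "forwarded":
            counts["forwarded"] += 1
            upstreams[line.rsplit(" to ", 1)[1]] += 1
        else:
            counts[kind] += 1             # "cached" or "config" (blocked)
    total = counts["queries"] or 1        # avoid division by zero on empty logs
    return {
        "queries": counts["queries"],
        "cached": counts["cached"],
        "blocked": counts["config"],
        "forwarded": counts["forwarded"],
        "forwarded_pct": round(100.0 * counts["forwarded"] / total, 1),
        "upstreams": dict(upstreams),
    }
```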

------
flox25
So the author is a security expert who recommends two companies that are
notorious for their security flaws (Norton, Cisco), two companies that track
your DNS queries for profiling (Google, Cloudflare) and IBM...

Yeah, this sounds totally legit...

~~~
throwaway9d0291
> two companies that track your DNS queries for profiling (Google, Cloudflare)

Can you elaborate? Neither Google nor CloudFlare seem to collect information
for profiling.

Google: [https://developers.google.com/speed/public-dns/privacy](https://developers.google.com/speed/public-dns/privacy)

CloudFlare: [https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...](https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/)

~~~
flox25
What? How do you come to that conclusion? Google actually tells you what it is
collecting; if you cannot see how, say, city of origin can be used to
target you with specific search results, then I really cannot explain it to
you.

Cloudflare does not store any information, but they are pretty frank about
passing it on to APNIC for "research" as part of the deal where APNIC lends the
1.0.0.1 and 1.1.1.1 addresses to them. This is pretty well established and
actually openly communicated by both entities, so should be easy to DDG. You
are of course free to believe that this data is totally anonymized and not
used for profiling / targeting at all, but imo that is pretty naive.

~~~
zackbloom
I work at Cloudflare. APNIC absolutely does not get individual DNS query logs.
Their primary interest is in studying the other junk traffic which ends up
hitting 1.1.1.1.

For the record, we don't build any sort of profile of DNS queriers, map them
back to any existing profile we have, or even keep the data you would need to
have to do that.

~~~
flox25
Well, for me to believe that there still is such a thing as a free lunch,
you'll have to be better than that.

If the data sent to APNIC is so safe and non-personal, why not make it
transparent? Instead, when contacting APNIC about it, you get a typical one
liner stating that

> ... the access to the primary data feed will be strictly limited to the
> researchers in APNIC Labs, and we will naturally abide by APNIC's non-
> disclosure policies.

Clearly, someone thinks there is something to hide. Maybe not Cloudflare, but
then it's someone else.

~~~
judge2020
> why not make it transparent?

I'm not with CF or APNIC, but it's likely due to issues with sensitive data.

Say a web service is hitting `http://internal.example.com:5220` with
basic authentication, or there's a misconfigured jira trying to access
`internal.example.com:3306`, but the DNS admins have retired
`internal.example.com` and decided to make it return `1.1.1.1` for some
reason. Showing all traffic that hits the service would expose a little too
much sensitive information.

~~~
flox25
I have worked in a lot of companies and never have I seen anyone treat a DNS
name as security relevant information. If you rely on DNS names not to be
known as a measure of privacy and/or security, you clearly are doing it wrong.
As a matter of fact, DNS names are supposed to be known, it's their one and
only purpose.

In addition, if "internal.example.com" is not already resolvable publicly
(which would mean that it's known) CF could not guarantee the privacy of that
query anyways because their DNS is not part of the root zone, which means they
need to forward it to someplace beyond their control, meaning they leak it no
matter what.

