mataug on Oct 13, 2014

For those willing to set up DNSCrypt, I strongly recommend it. DNSCrypt.eu is my current favourite provider (OpenDNS has been pretty worthless) and is available over ipv6 too!


As far as I can see on their page, they're just not competing in the same spot. DNSCrypt is a DNS, OpenDNS is a DNS + DNS Usage Monitor + DNS whitelist/blacklist + whatever

I for one have been pretty happy as a home user with OpenDNS: dead simple DNS filters to make sure kids don't surf on youporn and youreligion

To use DNSCrypt you have to add an additional third party to the list of third parties who can potentially see and log and MITM what you are doing on the Internet. A better (and easier) thing to do would be to run your own local caching recursive resolver.

Could you comment more on what you don't like about OpenDNS?

I abandoned OpenDNS because they kept trying to shove parental and paid services down my throat, for which I have no use. Their using their free service as a vehicle to get you to buy stuff isn't a problem - but hijacking the free service to shove ads into your pages, thanks but no thanks.

Especially when works so smoothly, with a backup on my ISP's service.

I re-evaluated my DNS provider choice a couple days ago (good timing, apparently, as I was using Google before then). Switched back to OpenDNS because their servers responded faster than Google's, and they no longer do the ad/search page redirection thing, as of June 6 2014.


I used GRC's DNS benchmark tool to discover this. Also the particular OpenDNS servers which responded faster were different from the two that they tell you to use, so the fast response is probably helped by low load (fewer people using these undocumented servers). Going from memory because I'm at work, I think they ended in 202.222 and 222.202 and 202.123, whereas the officially listed ones end in 222.222 and 220.220.

Interesting. I've been using OpenDNS for years, and I've never noticed it doing anything at all besides providing a DNS service. My only complaint is that they used to serve a Guide page (with ads) for NXDomains, but they don't do that any more.

I've recently switched my ISP at home to one that's an actual proponent of network neutrality and which also provides synchronous 1GBit/s via ethernet over fiber.

Since I've done that, DNS latency has become the actual limiting factor of TCP connection setup, as I've been using Google DNS too (my previous provider started to lie about NXDOMAIN), so I've switched to my new ISP's DNS, which happily responds in < 10ms for most queries.

My point being: try your ISP's DNS too - it might actually not suck.

If DNS latency is such a limiting factor wouldn't it be better if you ran a caching DNS server on your local network?

Unbound is particularly good for this because you can configure it to populate your cache with responses before you even ask for them (kind of).

Essentially if you do a DNS lookup and the result is in the cache, it returns the cached result straight away. It will then check to see if the response is due to expire from the cache soon, and if it is, then it will refetch it at that point. So if you visit a site regularly, it should always be in your cache.

How useful is prepopulating a DNS cache on a home network? How often do you expect OP is going to reboot the caching DNS box?

DNS records contain an expiry; Unbound will go and update the record so that the expiration never reaches 0.

This can be very handy even on a home network, as you avoid the whole WAN trip to fetch records for sites you visit often, such as Google and others.
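The prefetch behaviour described in the two comments above (serve the cached answer immediately, refresh it when its TTL is nearly used up so popular names never expire from the cache) can be shown with a small simulation. This is an added example, not code from Unbound or from anyone in the thread; the 10% threshold mirrors Unbound's `prefetch: yes` logic as I understand it and should be treated as an approximation, and the clock, the upstream answer and the name are all constructed so it runs offline.

```python
"""Simulated caching resolver with Unbound-style prefetch (added example)."""
from dataclasses import dataclass

# Refresh an entry when a query hits it with <= this fraction of its TTL left.
# Assumption: approximates Unbound's prefetch threshold (last ~10% of the TTL).
PREFETCH_FRACTION = 0.10


@dataclass
class Entry:
    rdata: str
    ttl: int            # original TTL from the upstream answer (seconds)
    expires_at: float   # absolute time on the simulated clock


class PrefetchCache:
    def __init__(self, upstream, clock, prefetch=True):
        self._upstream = upstream   # callable(name) -> (rdata, ttl)
        self._clock = clock         # callable() -> seconds on a fake clock
        self.prefetch = prefetch
        self._cache = {}
        self.upstream_queries = 0   # how many round trips hit the upstream
        self.prefetches = 0         # how many of those were prefetches

    def _fetch(self, name):
        rdata, ttl = self._upstream(name)
        self.upstream_queries += 1
        self._cache[name] = Entry(rdata, ttl, self._clock() + ttl)
        return rdata

    def resolve(self, name):
        """Return (rdata, served_from_cache)."""
        now = self._clock()
        entry = self._cache.get(name)
        if entry is None or entry.expires_at <= now:
            # Cache miss or expired: the client waits for the WAN round trip.
            return self._fetch(name), False
        if self.prefetch and entry.expires_at - now <= entry.ttl * PREFETCH_FRACTION:
            # Serve the still-valid cached answer now and refresh it so the
            # record never actually expires.  Unbound does the refresh
            # asynchronously; it is done inline here for simplicity.
            self.prefetches += 1
            self._fetch(name)
        return entry.rdata, True


def run_scenario(prefetch):
    """Query the same name at t=0, 100, 280 and 310 s against a 300 s TTL."""
    clock = {"t": 0.0}

    def upstream(name):
        return "203.0.113.1", 300   # constructed answer and TTL (documentation IP)

    cache = PrefetchCache(upstream, lambda: clock["t"], prefetch=prefetch)
    served_from_cache = []
    for t in (0, 100, 280, 310):
        clock["t"] = t
        served_from_cache.append(cache.resolve("example.com.")[1])
    return served_from_cache, cache.upstream_queries, cache.prefetches


if __name__ == "__main__":
    print("prefetch on :", run_scenario(True))
    print("prefetch off:", run_scenario(False))
```

Both runs make the same two upstream queries; the difference is who waits for the second one. With prefetch on, the query at t=280 (20 s of TTL left, under the 30 s threshold) triggers the refresh and the query at t=310 is still a cache hit. With prefetch off, the t=310 query finds an expired entry and pays the full round trip. Prefetch does not cut upstream traffic, it moves it off the client's critical path, and it only helps for names that are queried again before they expire.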

That would be mostly redundant as the user's machine will do a lot of internal caching.

Re: the root comment of this thread, it's usually optimal to use your ISP's DNS resolvers as they're right there on your same ISP network which means your requests don't have to go out to the broader internet and are thus faster (99% of the time anyway if the hostname requested is cached on those resolvers). Using a more external resolver like Google or what-have-you means your requests have to leave your local network, leave the ISP network, and travel some distance across the internet to wherever that resolver resides.

Edit: IP anycast can allow for many resolvers to respond to one IP (such as so it's not as if the request will have to travel the world to get an answer, but it's still generally faster to key off a resolver you know is within your same ISP.

The OS DNS cache is usually crap. Caching on your own network often results in significantly lower latency than your ISP. This is due to several factors:

1. You can use multiple name servers on multiple networks and generally the first to respond wins.
2. The local caching resolver can be configured to be more aggressive, look up more efficiently in parallel and keep more records for an extended period of time.
3. Not all DNS requests are cached by the OS, but by providing your own caching resolver, you can cache all requests used by any application on your network.
4. You can provide your own ranges and domains for internal hosts so that resolving names for private IPs reduces resolution time in local apps.
5. You can control negative caching and TTLs.
6. You can prevent unscrupulous DNS providers from redirecting NX lookups to internal [ad-supported] services.
7. You can actually implement proper DNSSEC validating resolution, if you care about that sort of thing.
8. DNSRBLs can speed up resolution of pages by ignoring advertisement and malware domains.

It would be mostly redundant if the user has only one machine on the local network. Otherwise it's a pretty decisive win, as you now have the results cached locally and that's useful for all devices on the LAN.

Of course. That's what I'm running (configured to use the ISP's DNS if it doesn't have valid data in its cache).

But the first request of the OS within the TTL of the record in question is likely still much faster served by a DNS server used by more people than just me because the server might already have answered a query before me.

Stopped using my provider's DNS service because they respond with some 404 site when a domain is not found. Not a big fan of that.

Most ISPs do their filtering at the DNS level - at least in India and I guess a few other countries.

That's one reason not to use them.

I switched back to my ISP's DNS servers (Virgin Media in the UK). I noticed that almost anything I downloaded from a big company was orders of magnitude faster, mainly because Virgin Media have on-network Akamai edge cache servers and you only get their addresses if you resolve via Virgin's own DNS servers.

I'm talking 1.5mb/s download vs. 45mb/s - a massive difference.

They hijack NXDOMAIN - but you can turn that off. https://my.virginmedia.com/advancederrorsearch/settings
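Several people in this thread mention resolvers that rewrite NXDOMAIN into a search or 404 page. The check a practitioner wants is simple: ask the resolver for a random label that cannot exist and see whether it comes back as RCODE 3 (NXDOMAIN) with no answers, or as NOERROR with an A record pointing at the provider's page. Below is an added example of that check with a hand-rolled DNS query builder and response parser; it is not code from the page or from any resolver vendor, the probe name and the two response packets are constructed here (198.51.100.10 is a documentation address standing in for a hijack page), and `probe()` is the only function that touches the network.

```python
"""NXDOMAIN-hijack probe with a minimal DNS packet builder/parser (added example)."""
import os
import secrets
import socket
import struct

RCODE_NXDOMAIN = 3


def build_query(qname, txid):
    """Minimal DNS query: 12-byte header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name, return new offset."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(buf, expected_txid):
    """Return (rcode, [A record IPs]) from a raw DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:           # A record
            answers.append(socket.inet_ntoa(rdata))
    return flags & 0x000F, answers


def classify(rcode, answers):
    """An honest resolver says NXDOMAIN; a hijacking one invents an A record."""
    if rcode == RCODE_NXDOMAIN and not answers:
        return "honest"
    if rcode == 0 and answers:
        return "hijacked: " + ", ".join(answers)
    return "inconclusive"       # SERVFAIL, NODATA, etc.: check by hand


def random_probe_name(suffix="example.com."):
    # A random label under a reserved domain cannot legitimately resolve.
    return secrets.token_hex(8) + "." + suffix


def probe(resolver_ip, qname=None, timeout=2.0):
    """Live check against one resolver (network access required)."""
    qname = qname or random_probe_name()
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(*parse_response(data, txid))


def _constructed_response(qname, txid, rcode, hijack_ip=None):
    """Build a fake response (QR, RD, RA set) for offline demonstration."""
    question = build_query(qname, txid)[12:]
    answer = b""
    if hijack_ip:
        # Name is a pointer to offset 12 (the question name), A/IN, TTL 60.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(hijack_ip)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if hijack_ip else 0, 0, 0)
    return header + question + answer


def demo():
    name = "d41d8cd98f00b204.example.com."   # constructed probe name
    honest = _constructed_response(name, 0x1234, RCODE_NXDOMAIN)
    hijacked = _constructed_response(name, 0x1234, 0, "198.51.100.10")
    return (classify(*parse_response(honest, 0x1234)),
            classify(*parse_response(hijacked, 0x1234)))


if __name__ == "__main__":
    print(demo())
```

Run `probe("<resolver ip>")` against each resolver you are considering. Use a fresh random label per probe so a cached answer from an earlier test cannot mask the behaviour, and note that a NOERROR response with an empty answer section is NODATA, not a hijack, which is why `classify` reports it as inconclusive rather than guessing.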

It's as if millions of Chromecasts suddenly cried out in terror and were suddenly silenced.

This is why I run Tomato and DNSmasq with a local cache and I send DNS queries to multiple DNS servers at once and accept whichever one replies the fastest. It basically uses the "all-servers" dnsmasq option in config. I then have (level3) and and as servers.

The local cache speeds things up but also ensures that even if DNS is down, I still have most of my most used domains cached. Usually, I average 10,000 domains per day, so I have a cache of 15,000 records. The "all-servers" tends to help with redundancy but also speeds things up because no single server can consistently respond fast without having some queries take 100ms or more.

PS Technically you shouldn't be using since Level3 expressly discourages its public use. But the idea here is that you shouldn't rely on one provider even if they provide you with separate IPs

PS2 why was this post deleted?
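The `all-servers` behaviour the comment above relies on (send each query to every upstream, take the first reply, ignore the rest) is what keeps resolution working when one provider goes dark, as Google DNS did in this thread. Here is an added simulation of that race; it is not dnsmasq's code or the commenter's configuration, the upstreams are constructed stand-ins with fixed latencies, and `None` latency models a server that never answers.

```python
"""First-reply-wins fan-out over several upstream resolvers (added example)."""
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait


def make_upstream(name, latency, answer):
    """Constructed upstream: answers after `latency` seconds, or never if None."""
    def query(qname):
        if latency is None:
            time.sleep(1.0)             # stands in for a resolver that is down
            raise TimeoutError(name)
        time.sleep(latency)
        return name, answer
    return query


def race(upstreams, qname, timeout=0.5):
    """Send qname to every upstream at once; return (server, answer) from the fastest."""
    pool = ThreadPoolExecutor(max_workers=len(upstreams))
    try:
        pending = {pool.submit(u, qname) for u in upstreams}
        deadline = time.monotonic() + timeout
        while pending:
            remaining = max(0.0, deadline - time.monotonic())
            done, pending = wait(pending, timeout=remaining, return_when=FIRST_COMPLETED)
            if not done:
                raise TimeoutError("no upstream answered within %.2fs" % timeout)
            for fut in done:
                if fut.exception() is None:     # skip upstreams that failed
                    return fut.result()
        raise TimeoutError("all upstreams failed")
    finally:
        pool.shutdown(wait=False)       # do not wait for the slow/dead ones


def demo():
    upstreams = [
        make_upstream("level3", 0.05, "203.0.113.5"),
        make_upstream("google", None, "203.0.113.5"),    # outage: never answers
        make_upstream("opendns", 0.02, "203.0.113.5"),
    ]
    return race(upstreams, "example.com.")


def demo_all_down():
    """True if the race correctly gives up when no upstream answers."""
    try:
        race([make_upstream("dead", None, "x")], "example.com.", timeout=0.2)
    except TimeoutError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

In dnsmasq terms this is `all-servers` plus a `cache-size=` large enough for your daily working set; the comment above uses 15,000 entries for roughly 10,000 distinct names a day. The trade-off a practitioner should weigh is privacy: every query is now logged by every provider in the list, not just the fastest one.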

Works from here.

Did you test the secondary (

Edit: Twitter says the secondary was down as well. So I guess I'll have (OpenDNS) as the second DNS on my systems from now on.

100ms latency is a little much for DNS (Google DNS is ~12ms, my ISP's is only 8ms).

Honestly curious - why OpenDNS versus like Level3?

"apt-get install unbound" - Why rely on somebody else's DNS service when you can run your own?

And if that reason is you want to take advantage of a third party's cache, you can configure Unbound to forward requests on to another resolver, but also to fall back to doing its own resolution if that third-party resolver times out.

Unbound is easy to set up, and runs on Linux, OSX and Windows.

because if everyone did it you would bring down the root servers.

the caching mechanism is not there for show...

This is simply not true - it assumes that everyone's forwarding server for an unknown record is the root servers directly, which isn't the case.

If this were true, my life would be much easier because DNS propagation would be much more predictable than it is today. One bad server in the chain serving obnoxiously high and invalid TTLs can ruin your day. It's not very common percentage-wise, but it certainly happens every time we switch DNS over for Stack Overflow.

"because if everyone did it you would bring down the root servers."

What figures are you basing that on? The TTL for the NS records for '.' is 6 days. Or are you just guessing? I think it would be perfectly feasible for everyone to run a local recursive resolver, as long as the change was gradual rather than overnight.

Yep. As is google search - a little bit, anyway

Confirmed. It's back up from my location now.

Downtime is a fact of life. Prepare for it.

It seems to be working again now.

And I thought that my ISP was acting up as usual. Wow, this is a first.

Pings are still pretty slow - 200ms or so.

It's up now.

And I was just yelling at our system administrators for screwing things up!

It's dick that you just assumed the admin screwed it up without doing a dig...

For DNS latency... check out Gibson's utility, DNSBench. Free, and the results may surprise you.


And i was shouting what fish going on my 2 Million worth of servers.. N it pops up Google DNS can ever be down.. Damm..

latency quite high yet even its back up..

Can you rewrite this to be more grammatical? It's practically impossible to understand.

"And I was shouting 'what the fish is going on with my 2 million ($?,#?) worth of servers ... then it pops up that Google DNS can in fact be down.

Damn ... latency quite high still, though it is back up."

I used a translator for people who are likely not native speakers and just spent a few hours thinking their many, many servers were inaccessible.

It's a niche dialect.

Southern or Northern Niche?

If you are running $2m of servers without a sysadmin competent enough to set up your own resolvers then you should shop around.

