Vanilla ISP DNS servers or third party DNS servers. The final debate

So here is the thing. I use OpenDNS, I use them because Comcast DNS always fails at peak hours. So does anyone here use the vanilla DNS servers for your network? Am I harming my internet browsing experience using a third-party DNS provider?

Generally your ISP DNS server will be the fastest (in terms of latency at least), so your browsing responsiveness will potentially be better when using your ISP's DNS server. But if your ISP's DNS server is unreliable, or malicious (is used to block or redirect lookups), then you're better off using some other DNS server. There are tests you can do to find the fastest DNS servers you can use.

Also, often if your ISP has caching servers it will use the DNS to redirect you to a local cache rather than the actual server for that site. In theory this caching should improve performance of these services but sometimes can have the opposite effect. So that's something else to consider.


I'm curious to know this as well, currently I use OpenDNS and it's working really well for me.

With my ISP's DNS however, whenever I type some web address wrong, I sometimes get redirected to these phishing links implying I can be a millionaire within weeks and what not. What is even more interesting is that all of these websites are always in my language. I did nmap the servers behind them and they are not on a local network, all of them have a public IP.

I have this, common places like google and youtube come from a private network starting with 172.*, I would assume that's a caching server somewhere. I may be wrong, but don't you have to do some sort of MITM to cache https?

That's if you're using some sort of caching proxy, in this case it's using the DNS lookup to send it to a caching server. CDNs work in a similar way except this is done on the service's DNS (presumably, I don't really know how CDNs work), but in the case of your ISP, if they have a netflix cache for example, they will have their DNS server configured to send netflix.com to their caching server.

Also, just because an IP starts with 172 does not mean that it's a private address, 172.16.0.0 - 172.31.255.255 is a private range, everything else is public.

Some ISPs will send invalid requests to an advertising server, which is why you get spammy sites, it's probably not run by your ISP but just the advertising company that paid them the most to redirect to them.

At the end of the day it comes down to whether you want performance or (some degree of) certainty that the domain you are connecting to is the real one.


It seems I didn't even check the second octet indeed, just did a quick ping and it's a public address yep, thanks for the reminder. I guess I can just stick to OpenDNS or run my own DNS with bind and add my own filters. In the future I will build my own pfSense box and look into Unbound and packages to block all of the spammy stuff.

Running your own DNS server is definitely the slowest option but you at least know that no one is messing with your results, unless they've managed to cache poison the top level DNS servers.

Perhaps it would be slower if you were to configure it to hit the root hint servers directly, instead of just being a forwarder so your requests go to some other DNS server like Google's. I haven't done this so far, but I'm guessing you can cache all of those requests so there is no delay the next time you do lookups, a DNS cache essentially.

I'm not sure if there is such a term or how it is called, but I assume there is a lease period, a time interval in which you keep the information that this IP is for this A record and so forth, so if you have that information readily available you only have to request DNS info once before the next time cycle for that lease period.

It's the TTL or time to live.

Configuring a DNS server as a forwarder is what setting the DNS on your router does, and it's generally faster than resolving yourself as the server you're forwarding to (if it's a big server like your ISP or openvpn) will have most common things in cache which keeps the latency low. If you run your own server you won't have enough active users to keep the cache fresh so you won't get a lot of benefit from that as the queries will expire before you need to get them again.

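The TTL and cache-freshness discussion above, as an added Python example that is not from anyone in this thread: a simulated forwarder cache that honours record TTLs, replays two constructed query traces (a busy shared resolver and a 2-3 user home network), and reports the hit rate. Names, addresses, TTLs, and the simplified "prefetch" refresh are all constructed assumptions, not real records or Unbound's actual implementation.

```python
# Constructed upstream answers (name -> (address, TTL in seconds)); not real records.
UPSTREAM = {
    "example.com.": ("203.0.113.10", 300),
    "cdn.example.net.": ("203.0.113.20", 60),
}


class ForwarderCache:
    """TTL-honouring cache in front of a simulated upstream resolver.
    prefetch=True loosely mimics a prefetching resolver: a record served while
    close to expiry is refreshed so the next lookup does not pay a round trip."""

    def __init__(self, upstream, prefetch=False):
        self.upstream = upstream
        self.prefetch = prefetch
        self.cache = {}  # name -> (address, expires_at, original_ttl)
        self.hits = self.misses = self.refreshes = 0

    def _fetch(self, name, now):
        addr, ttl = self.upstream[name]  # simulated round trip to the upstream
        self.cache[name] = (addr, now + ttl, ttl)
        return addr

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is None or entry[1] <= now:  # absent or expired: full lookup
            self.misses += 1
            return self._fetch(name, now)
        self.hits += 1
        addr, expires_at, ttl = entry
        if self.prefetch and expires_at - now <= ttl // 10:  # last 10% of TTL
            self.refreshes += 1
            self._fetch(name, now)  # would be asynchronous in a real resolver
        return addr

    def hit_rate(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def replay(trace, prefetch=False):
    """Replay (timestamp, name) queries and return the resulting cache hit rate."""
    cache = ForwarderCache(UPSTREAM, prefetch)
    for ts, name in trace:
        cache.resolve(name, ts)
    return cache.hit_rate()


# Constructed traces over one hour: a busy shared resolver vs. a small home network.
BUSY = [(t, "example.com.") for t in range(0, 3600, 5)]    # one query every 5 s
HOME = [(t, "example.com.") for t in range(0, 3600, 600)]  # one query every 10 min
```

With a 300 s TTL the home trace never hits the cache because every query arrives after the previous answer expired, while the busy trace only misses once per TTL window (or once in total with prefetch).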

Good point on the amount of users using it to make it worthy, I think this won't be needed for me with my 2-3 users home usage. Knowing how to implement this and doing it would probably be best applied if you have an environment with 500+ users. I will still experiment with making my own DNS server as a forwarder for some VMs for the fun of it :D

Yes, use all of the above. Your ISP is usually the fastest, but it is not always reliable, or well behaved.
Fortunately, there are a lot of other resolvers from which to choose.

GRC's DNS benchmark tool can help you to select 4, or 5 DNS resolvers to use. Your DNS forwarder (usually DNSMASQ) will simultaneously query all of the specified servers and then use the first response that it receives.


Slower? Yes, that is technically true, but honestly, it's not all that much slower. And if I get a cache hit, it's way speedy. Most importantly, I have a lot more peace of mind.

I'm running pfSense with the Unbound package. I have DNSSEC enabled and prefetch support keeps my cache up to date. I can assure you that I don't have any complaints about Unbound's responsiveness.

I'm just saying, if we're comparing DNS servers, latency and trust are really all there is to it.

Agreed. I'm willing to trade a couple of milliseconds for significantly more trust.

Trust and DNS aren't often associated, it's such an insecure protocol that if for some reason your DNS request gets routed through somewhere like China it will get picked up and modified by the Chinese government. It's completely possible for your ISP to just hijack your DNS regardless of which server you use and put whatever they want in the returned query. DNSSEC solves this problem but unfortunately not many domains use it and it will probably never become significantly widespread. But as long as important stuff like banks and whatever use it, that's at least something.

On my network I use DNSCrypt to encrypt the DNS traffic between me and the DNS server, which protects from MITM attacks, but you have to trust the server and it's still vulnerable to cache poisoning and the usual DNS server problems.

I personally just use Google's DNS. It's slightly faster than my ISP's one, and has never gone down whilst I've been using it for the past couple of years.

The DNS situation is just a microcosm of the Internet at large. It was never intended to be either secure or anonymous. There is only so much that can be done by tacking on "security" features after the fact. IPv6 will help with some issues, but it certainly isn't a cure-all.

So while some concerns can be mitigated against, if someone wants you bad enough, it's only a matter of time ...

Also, let's not forget that social engineering hacks are often among the most reliable and effective. One has to be on their game 100% of the time, while the bad guys only have to get lucky once.


IPv6 is so nice.. My ISP doesn't give me any access to their fiber optic modem, no http, no ssh, nothing. I can't do anything, want to forward a port? Nope. Want to use a different DNS? Nope. What I did is I made an IPv6 tunnel (Hurricane Electric) so I'm able to reach my devices from anywhere now. I'm running a dual IP stack, everything that is IPv6 reachable uses the IPv6 stack by default, funny thing is most ads automatically get pwned, because the advertising servers behind them don't run on IPv6, I guess.
Anyway this isn't about DNS, but it's an interesting example nonetheless about why you shouldn't probably trust any of your ISP's stuff:

Imagine if someone managed to hijack your ISP's DNS and redirect all those invalid requests to a bunch of malicious webpages that serve the JS exploit that bypasses ASLR.

And then again, some folks don't even make a pretense of tacking on any security. They leave everything in plain text for all to see.

Of course, if they ever get hacked, it would be because of the evil Chinese, or the evil Russians, or North freakin' Koreans and it wouldn't have anything to do with them leaving their front door wide open for all and sundry to just waltz right in.

Might also want to check your router from time to time if you're using your ISP's poop. Couple years ago I noticed all DNS queries routed via Taiwan, not fun.
F-Secure provides a hijack check on their website but any test will do, like dnsleaktest to name 1.
8.8.8.8 is always a safe bet. Or if you're privacy-conscious check out OpenNIC, there are also DNSCrypt servers available there.


The thing is, I can't even check it via ssh or an http gui, nmap says there are telnet and http services listening on port 23 and 80, it reports them as filtered and I can't open anything. I did find a serial pinout on the circuit though, so I'm going to solder some wires and hook up a UART board to see if I can get a console and enable an ssh daemon from there.

I don't understand why some ISPs lock you down like this without any documentation, do they automatically assume every client is a noob user?

What I plan to do is to go full pfSense in the near future and call my ISP to put this modem in bridge mode, at least the Internet VLAN, this should give me more control of my network, I really can't wait to get rid of this crappy box to be honest.