IP addresses are fundamentally 32-bit numbers. The a.b.c.d format is just for ease of use by humans and, as the tip in the sidebar shows, has its own shortcuts. But there are several formats that most operating systems support, such as decimal, binary, hex, octal:
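The alternative notations mentioned in the comment above, worked through as an added example that is not part of the original thread: a small Python normalizer following the classic `inet_aton` parsing rules, useful when addresses in logs or filter rules may be written in different forms. The function names and sample strings are constructed for illustration; binary notation is not part of those rules and is not handled here.

```python
import ipaddress

def _parse_part(text):
    """Parse one dot-separated part: 0x.. is hex, leading 0 is octal, else decimal."""
    lowered = text.lower()
    if lowered.startswith("0x"):
        digits, base = lowered[2:], 16
    elif len(lowered) > 1 and lowered.startswith("0"):
        digits, base = lowered[1:], 8
    else:
        digits, base = lowered, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(ch not in allowed for ch in digits):
        raise ValueError(f"bad address part: {text!r}")
    return int(digits, base)

def canonical_ipv4(text):
    """Return dotted-quad form of an address written with 1 to 4 parts."""
    parts = [_parse_part(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many parts: {text!r}")
    *leading, last = parts
    # Every part except the last is one byte; the last fills the remaining bytes.
    if any(p > 0xFF for p in leading) or last >= 1 << (8 * (4 - len(leading))):
        raise ValueError(f"part out of range: {text!r}")
    value = last
    for index, part in enumerate(leading):
        value |= part << (8 * (3 - index))
    return str(ipaddress.IPv4Address(value))

def group_by_address(spellings):
    """Group differently written addresses under their canonical form."""
    groups = {}
    for spelling in spellings:
        groups.setdefault(canonical_ipv4(spelling), []).append(spelling)
    return groups

# Constructed sample: the same resolvers written in several notations.
SAMPLES = ["1.1", "1.0.0.1", "16843009", "0x01010101", "1.1.1.1",
           "010.010.010.010", "8.8.8.8", "0x8.8.0x808"]

if __name__ == "__main__":
    for canonical, spellings in group_by_address(SAMPLES).items():
        print(canonical, "<-", ", ".join(spellings))
```

Normalizing before comparison means a rule written for 1.0.0.1 also matches the `1.1` shortcut, and malformed parts such as `08` are rejected instead of being guessed at.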
I know this is not for everyone, but I strongly prefer to run my own recursive resolver at home. Performance is great, plus I get regular DNS for the machines on my home network. Also, it was a fun little project. :)
I recently switched my home network DNS forwarder from Bind to DNS Crypt Proxy (https://github.com/jedisct1/dnscrypt-proxy). You can get ad/content filtering lists along with some little privacy enhancements like DNS Crypt and DNS over HTTPS support for encrypted DNS queries to supported services, like CloudFlare.
I really like the flexibility of CoreDNS for that. I use Cloudflare with dnscrypt as my resolver and still get to use intranet things at work because I can just forward the zones I need there elsewhere.
I like to share the cache of the DNS resolver with as many people as possible because that's what gives you the best performance. A local resolver just for me can't really do that.
Most home routers already do this for you, it's a bit abstracted but there, just need to specify the network and have it in the list of networks to resolve for DHCP. Or you can DIY it on another box.
I find it's still best to defer to an upstream forward server vs. root resolution. Most of the providers mentioned have multiple points of presence and will likely be closer and resolve MUCH faster for most cases. DNS resolution time can be a huge factor in web responsiveness.
I use pdnsd as a local cache. It used to make browsing lightning fast. Although I might have messed up something since, because DNS resolution seems laggy. But in theory it is of great benefit.
That's great and all, but you still need to pick an upstream DNS server. The conventional advice is to use one of these public services, or your ISP's resolvers, to avoid hitting the root servers constantly. A lot of services these days have very short TTLs, so running your own recursive resolver still causes a lot of requests to get forwarded.
Also, as counterintuitive as it might seem, when I use namebench ( https://code.google.com/archive/p/namebench/ ) it still says cloudflare and google are faster than my local resolver. (not by a lot though)
I need to point out that Norton DNS has been retired and is not supported anymore (and never offered any privacy).
"On November 15, 2018, Norton ConnectSafe service is being retired or discontinued meaning the service will no longer be available or supported. You may continue to use ConnectSafe until November 15, 2018. However, we do recommend that you take a moment to review important details related to this announcement below."
I made the jump to CleanBrowsing a few months ago from OpenDNS because OpenDNS caches records really aggressively and was just generally stagnant in terms of feature set. I've been really happy with performance and privacy.
I configured DNScrypt on Tomato and I also use Tomato to redirect all DNS requests so it can't be bypassed by simply re-pointing DNS. VPN obviously bypasses it.
> Logs are kept for 24 hours for debugging purposes, then they are purged
Legalese is a very hard language to learn. Do they keep aggregate data, derived from those raw logs? It is not said. Trusting Cloudflare? It is a profit driven company, to start with ...
I work at Cloudflare. We don't sell data of any form, and we don't keep anything which could map queries back to the individual who made them.
When we talk about aggregate data it's things like total number of queries made to 1.1.1.1, number made by AS, and geographic region. Its purpose is only to show us if people are using 1.1.1.1 and how that changes over time.
DNS servers should not be used as "internet connectivity tests" by pinging them. They are not maintained as ICMP test servers, and that is not their purpose. While many do not block ICMP packets, there are typically rate limiting systems in place, and other reasons why they would not respond to ping requests.
Pinging DNS servers is a shitty inconclusive test for internet connectivity, or SLA measurements etc etc.
But a great test for “am I getting out to the net” that’s ok to have a low specificity.
So it is not smart to make a lot of decisions based on “ping 1.1” timing out, it is so quick it’s a good first step in trying to debug a network issue.
>DNS servers should not be used as "internet connectivity tests" by pinging them.
Not true.
>They are not maintained as ICMP test servers, and that is not their purpose.
Irrelevant.
>While many do not block ICMP packets, there are typically rate limiting systems in place, and other reasons why they would not respond to ping requests.
8.8.8.8 and 1.1.1.1 and all the major ones don't care.
Pinging DNS servers is highly productive and easy. There is nothing bad with using them as internet connectivity tests or SLA measurements.
Please, for the love of all that is holy, stop blocking ICMP! It's needed for things like Path MTU Discovery. With the increasing use of VPNs and tunnels (IPSec, Wireguard, GRE, etc) PMTUD is more important than ever.
At a minimum, any node on the internet routing or serving traffic needs to keep ICMP open. If you're running a DNS server, ICMP should be working.
I used OpenDNS long ago, even though it wasn't as easy to remember as the ones that came later. Then I shifted to Google DNS and stayed with it, albeit with some discomfort (even if the policies state it doesn't track, it's still a leap of faith for me). Then last year I switched to Cloudflare DNS and also learned about Quad9 DNS.
I haven't done local benchmarking using a tool like namebench for a long time, and it looks like that tool has not been updated for several years. Any alternatives for it that are cross platform?
His blog post makes no mention of users whose DNS queries are being redirected. Isn't that a privacy concern?
Hotels and ISPs sometimes set up captive portals that intercept and redirect port 53 to their own choice of DNS servers.
As such, users might want to memorise the addresses of some resolvers that listen on non-standard ports (not port 53).
A user behind one of these captive portals who pings any of the resolvers in this blog post will not be pinging those servers; she will be pinging the hotel/ISP's chosen DNS servers and she may be none the wiser.
In a hotel I always first thing direct everything through a VPN server (work or home, depending on what I want to do). Some hotels block UDP, in that case I switch the VPN to go via TCP port 443. But some hotels (really!) block port 443.. fortunately not that many anymore.
Another option here is DNS servers that block ads. I can't vouch for the company itself, but I have found AdGuard DNS reliable and effective, if not memorable:
Actually, no. Even if one does accept the premise that one should use these third-party non-contracted services, challenged elsewhere in this very discussion, there's no reason that one need have these things memorized. Written in a handy pocketbook, perhaps. But not necessarily memorized.
https://pi-hole.net/ is a project to consider for home and small business networks that you're looking to protect via DNS without sending all your requests to a third party.
Your requests are still forwarded to a third party with a Pi-hole. They are sometimes cached and sites you have blocked do not resolve, but choosing a DNS provider is still required.
So the author is a security expert who recommends two companies that are notorious for their security flaws (Norton, Cisco), two companies that track your DNS queries for profiling (Google, Cloudflare) and IBM...
skrause | 7 years ago
> 1.0.0.1 abbreviates to 1.1, so you can literally test by typing "ping 1.1"
geocar | 7 years ago
300bps | 7 years ago
https://www.abuseipdb.com/tools/ip-address-converter?ip=1.1....
krylon | 7 years ago
kingo55 | 7 years ago
sascha_sl | 7 years ago
skrause | 7 years ago
tracker1 | 7 years ago
agumonkey | 7 years ago
acranox | 7 years ago
dbg31415 | 7 years ago
* Pi-hole®: A black hole for Internet advertisements – curl -sSL https://install.pi-hole.net | bash || https://pi-hole.net/
dspillett | 7 years ago
nykolasz | 7 years ago
Some alternatives: https://medium.com/@nykolas.z/norton-connectsafe-dns-is-shut...
I am actually surprised he didn't mention CleanBrowsing in their list, which I would recommend as good alternative to Norton and OpenDNS.
darrmit | 7 years ago
https://cleanbrowsing.org/how-it-works
auslander | 7 years ago
zackbloom | 7 years ago
palijer | 7 years ago
prepend | 7 years ago
emilfihlman | 7 years ago
johnchristopher | 7 years ago
blakesterz | 7 years ago
https://www.grc.com/dns/benchmark.htm
wahern | 7 years ago
bluedino | 7 years ago
TL;DR: At the risk of repeating myself: Google Public DNS is a Domain Name System service, not an ICMP network testing service.
Pheide1j | 7 years ago
agumonkey | 7 years ago
tyingq | 7 years ago
Public DNS resolvers: https://www.dnsperf.com/#!dns-resolvers
DNS services for your own domain: https://www.dnsperf.com/
miyuru | 7 years ago
I disagree with the speed part, because cloudflare doesn't support EDNS. This is great for privacy but not for speed.
Here is proof: https://pastebin.com/raw/QnbWXU1a
If he meant speed in the DNS resolution context, I somewhat agree with him.
userbinator | 7 years ago
Nux | 7 years ago
becauseiam | 7 years ago
wtmt | 7 years ago
jlgaddis | 7 years ago
In fairness, the DNS protocol that it's testing hasn't really changed in that time either. namebench is still sufficient for general testing.
3xblah | 7 years ago
Tor3 | 7 years ago
gmac | 7 years ago
176.103.130.130, 176.103.130.131
https://adguard.com/en/adguard-dns/overview.html
theandrewbailey | 7 years ago
rndomsrmn | 7 years ago
WiredShark | 7 years ago
https://www.dnsperf.com/#!dns-resolvers,World,quality
jcims | 7 years ago
TheForumTroll | 7 years ago
[deleted]
tw1010 | 7 years ago
JdeBP | 7 years ago
sangaya | 7 years ago
snazz | 7 years ago
flox25 | 7 years ago
Yeah, this sounds totally legit...
throwaway9d0291 | 7 years ago
Can you elaborate? Neither Google nor CloudFlare seem to collect information for profiling.
Google: https://developers.google.com/speed/public-dns/privacy
CloudFlare: https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...