top | item 24887488


fwr | 5 years ago

Neat, this helped me realize I haven't switched away from my provider's default DNS when I moved in, which is something I usually do.

How to choose a DNS server? I usually just go with 8.8.8.8/8.8.4.4, I used to always test this with Namebench (https://en.wikipedia.org/wiki/Namebench) and these always turned out as the fastest - but it looks like it hasn't been updated since 2010 - are there any better tools for this, or any considerations in general? I prefer performance over privacy here, I think privacy should be on a different layer.

formerly_proven | 5 years ago

Just run your own recursive resolver, it's very easy and reliable (e.g. knot-resolver).

t0astbread | 5 years ago

Performance over privacy is a fine tradeoff but if you have the means to, I would recommend avoiding unencrypted unauthenticated DNS over UDP/53. It's probably not a big threat in practice but if someone were to intercept your DNS traffic, they could redirect your internet connections to a different server. TLS (or other forms of authentication) should handle authenticity issues but (probably) not everything on your system mandates TLS.

If I'm not mistaken you can use DNSSEC to authenticate, but not encrypt, your DNS requests. For me however, the simpler way was to just use DoT/DoH. I haven't noticed any slowdowns.

If you care about performance, you could check if your system caches DNS responses and configure that cache accordingly.
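Two points in this thread are easier to see with code than with prose: fwr's question of how to compare resolver latency now that Namebench is abandoned, and t0astbread's observation that plain DNS over UDP/53 carries no authentication. The script below is an added example written for this page, not something any commenter posted and not Namebench code. It builds a query packet by hand from the stdlib, parses the reply, and times a list of resolvers; the resolver addresses and the `example.com` sample reply are constructed inputs, and `127.0.0.1` stands in for a local recursive resolver such as the knot-resolver suggested above. Nothing in the wire format below proves who answered: the only things tying a reply to a query are the 16-bit transaction id and the source port, which is exactly why the thread recommends DoT/DoH on top.

```python
"""Stdlib DNS latency benchmark (added example; resolver list is constructed)."""
import socket
import statistics
import struct
import time


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode an A query for `name` in DNS wire format (RFC 1035).

    Header flags 0x0100 set only RD (recursion desired). Note there is no
    signature or key material anywhere in a UDP/53 query: an on-path party
    that sees the txid can forge a reply.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes, expected_txid: int):
    """Return (rcode, [A-record IPs]); reject replies with the wrong txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode, offset, ips = flags & 0x000F, 12, []
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return rcode, ips


def time_query(server: str, name: str, timeout: float = 2.0, txid: int = 0x1234) -> float:
    """Send one query over UDP/53 and return the round trip in milliseconds."""
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
        elapsed_ms = (time.perf_counter() - start) * 1000
    parse_response(data, txid)  # a malformed or mismatched reply counts as a failure
    return elapsed_ms


def benchmark(servers, names, rounds: int = 3, query=time_query):
    """Median latency per resolver; `query` is injectable so it can be tested offline.

    Rounds after the first mostly measure the resolver's cache, so the median
    reflects the warm-cache case a desktop sees most of the time.
    """
    results = {}
    for server in servers:
        samples = []
        for name in names:
            for _ in range(rounds):
                try:
                    samples.append(query(server, name))
                except (OSError, ValueError):  # timeout, unreachable, bad reply
                    pass
        results[server] = statistics.median(samples) if samples else float("inf")
    return results


def rank(results):
    """Resolvers ordered fastest first."""
    return sorted(results, key=results.get)


# Constructed reply: txid 0x1234, flags QR|RD|RA, one A record 192.0.2.1 (TEST-NET-1).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    print("offline parse:", parse_response(SAMPLE_RESPONSE, 0x1234))
    # Constructed list: the Google resolvers named in the thread plus loopback for a local recursor.
    live = benchmark(["8.8.8.8", "8.8.4.4", "127.0.0.1"], ["example.com", "example.org"])
    for server in rank(live):
        print(f"{server:>12}  {live[server]:8.1f} ms")
```

Unreachable resolvers score `inf` rather than aborting the run, so a loopback entry is harmless on a machine without a local recursor. Because the measurement and the transport are separated, the same `benchmark` function can be pointed at a DoT or DoH client later to confirm t0astbread's "no slowdown" claim on your own network.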

tptacek | 5 years ago

You are not mistaken; DNSSEC doesn't encrypt records, and DoH does. DoH also authenticates the channel between you and your name server. It's likely that DoH will ultimately obviate the need for DNSSEC anywhere.

dheerajvs | 5 years ago

> I think privacy should be on a different layer.

Can you elaborate which layer?

fwr | 5 years ago

Client devices, I think - filtering that happens transparently and without an easy way to disable is just asking for problems - I couldn't deal with having to log in to the DNS management console every time when a website notices that ads didn't load and therefore doesn't display content. I don't think we're at a point where privacy can be guaranteed by technology choices - it's all about behavior of end users (like avoiding websites which block content if ads don't load ;-)

Is it possible these privacy/filtering DNS services like NextDNS come without a performance hit? Imagine setting it up and forgetting about it, and discovering later that all your DNS queries happened with a substantial lag - it's like realizing you've been driving with a hand brake on.