Public DNS providers?

GasBandit

Staff member
Reactions
1,824 384 8
#1
For a long time in the past, I used OpenDNS. For a number of reasons, it became necessary to discontinue that, and for a while since then I've been using Google's public DNS servers (8.8.8.8).

In the last week or two, though, I've been noticing an irritating increase in domain name resolution turnaround time ("Looking up soandso.com..." messages in the browser and whatnot), and it's reached the point where I'm ready to move on again, but I don't know what the next step would be.

I'm leery of using my ISP's dns, because cable companies are evil (not that Google isn't) and have been known to hijack DNS resolution for their own purposes in the past (which at least Google hasn't done, to my knowledge)... I'd rather use another DNS server that I can reasonably count on to get me where I am actually trying to fucking go, and not delay the lookup by 10-15 seconds every other time.

Sooo, I guess the question is, what's the next big thing in DNS servers?
 

GasBandit

Staff member
Reactions
1,824 384 8
#3
Seems like this list would be a good place to start. I'm tempted to use Level3's DNS.

https://www.lifewire.com/free-and-public-dns-servers-2626062

Free & Public DNS Servers (Valid June 2017)

ProviderPrimary DNS ServerSecondary DNS Server
Level31 209.244.0.3 209.244.0.4
Verisign2 64.6.64.6 64.6.65.6
Google3 8.8.8.8 8.8.4.4
DNS.WATCH4 84.200.69.80 84.200.70.40
Comodo Secure DNS 8.26.56.26 8.20.247.20
OpenDNS Home5 208.67.222.222 208.67.220.220
Norton ConnectSafe6 199.85.126.10 199.85.127.10
GreenTeamDNS7 81.218.119.11 209.88.198.133
SafeDNS8 195.46.39.39 195.46.39.40
OpenNIC9 96.90.175.167 193.183.98.154
SmartViper 208.76.50.50 208.76.51.51
Dyn 216.146.35.35 216.146.36.36
FreeDNS10 37.235.1.174 37.235.1.177
Alternate DNS11 198.101.242.72 23.253.163.53
Yandex.DNS12 77.88.8.8 77.88.8.1
UncensoredDNS13 91.239.100.100 89.233.43.71
Hurricane Electric14 74.82.42.42
puntCAT15 109.69.8.51[DOUBLEPOST=1497468352,1497468318][/DOUBLEPOST]The fineprint on the various DNS providers:

[1] The free DNS servers listed above as Level3 will automatically route to the nearest DNS server operated by Level3 Communications, the company that provides most of the ISPs in the US their access to the internet backbone. Alternatives include 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, and 4.2.2.6. These servers are often given as Verizon DNS servers but that is not technically the case. See discussion above.

[2] Verisign says this about their free DNS servers: "We will not sell your public DNS data to third parties nor redirect your queries to serve you any ads." Verisign offers IPv6 public DNS servers as well: 2620:74:1b::1:1 and 2620:74:1c::2:2.

[3] Google also offers IPv6 public DNS servers: 2001:4860:4860::8888 and 2001:4860:4860::8844.

[4] DNS.WATCH also has IPv6 DNS servers at 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b. In an uncommon but much-appreciated move, DNS.WATCH publishes live statistics for both of their free DNS servers. Both servers are located in Germany which could impact performance if used from the US or other remote locations.

[5] OpenDNS also offers DNS servers that block adult content, called OpenDNS FamilyShield. Those DNS servers are 208.67.222.123 and 208.67.220.123. A premium DNS offering is also available, called OpenDNS Home VIP.

[6] The Norton ConnectSafe free DNS servers listed above block sites hosting malware, phishing schemes, and scams, and is called Policy 1. Use Policy 2 (199.85.126.20 and 199.85.127.20) to block those sites plus those with pornographic content. Use Policy 3 (199.85.126.30 and 199.85.127.30) to block all previously mentioned site categories plus those Norton deems "non-family friendly." Be sure to check out the list of things blocked in Policy 3 - there are several controversial topics in there that you may find perfectly acceptable.

[7] GreenTeamDNS "blocks tens of thousands of dangerous websites which include malware, botnets, adult related content, aggressive/ violent sites as well as advertisements and drug-related websites " according to their FAQ page. Premium accounts have more control.

[8] Register here with SafeDNS for content filtering options in several areas.

[9] The DNS servers listed here for OpenNIC are just two of many in the US and across the globe. Instead of using the OpenNIC DNS servers listed above, see their complete list of public DNS servers here and use two that are close to you or, better yet, let them tell you that automatically here. OpenNIC also offers some IPv6 public DNS servers.

[10] FreeDNS says that they "never log DNS queries." Their free DNS servers are located in Austria.

[11] Alternate DNS says that their DNS servers "block unwanted ads" and that they engage in "no query logging." You can sign up for free from their signup page.

[12] Yandex's Basic free DNS servers, listed above, are also available in IPv6 at 2a02:6b8::feed:0ff and 2a02:6b8:0:1::feed:0ff. Two more free tiers of DNS are available as well. The first is Safe, at 77.88.8.88 and 77.88.8.2, or 2a02:6b8::feed:bad and 2a02:6b8:0:1::feed:bad, which blocks "infected sites, fraudulent sites, and bots." The second is Family, at 77.88.8.7 and 77.88.8.3, or 2a02:6b8::feed:a11 and 2a02:6b8:0:1::feed:a11, which blocks everything that Safe does, plus "adult sites and adult advertising."

[13] UncensoredDNS (formerly censurfridns.dk) DNS servers are uncensored and operated by a privately funded individual. The 91.239.100.100 address is anycast from multiple locations while the 89.233.43.71 one is physically located in Copenhagen, Denmark. You can read more about them here. IPv6 versions of their two DNS servers are also available at 2001:67c:28a4:: and 2a01:3a0:53:53::, respectively.

[14] Hurricane Electric also has an IPv6 public DNS server available: 2001:470:20::2.

[15] puntCAT is physically located near Barcelona, Spain. The IPv6 version of their free DNS server is 2a00:1508:0:4::9.
 
Reactions
474 124 6
#4
Maybe it's time to develop a DNS server that visits all the servers in the DNS pool and points out any discrepancies. Probably set up to return an answer as soon as two queries came back the same, but in the background checked the rest and kept metrics on which ones diverge from the rest regularly. It would have some issues with round robin DNS, but that should be resolvable.
 
Reactions
840 219 9
#5
Hey, something I can actually contribute to!

Here's what I do in my house:
Step 1: Use GRC's Benchmark Tool to get a list of the fastest DNS providers from your current location. The GRC tool will rank them in order of speed and will also let you know if any of them try to redirect you. Write down the top 5 providers who are NOT related to your current ISP (or any other ISP, really).
Step 2: Have a local caching DNS server running on your network (I use the same machine that hosts our local 7 yr-old Minecraft world).
Step 3: Input the top 4 fastest into your caching DNS server as forward lookups.
Step 4: In your router (or whatever you have providing DHCP services), enter the IP address of your local caching DNS server as the primary lookup, and enter the #5 candidate from Step 1 as the secondary. That way, if you ever have to take the caching server down for any reason (or even just restart it), lookups by the rest of the machines on your network will still go through. Can't tell you how much fun I had whenever I serviced the server until I thought to do this.

Step 5: Every 3-6 months, run the benchmark again and rebalance as necessary.

I haven't tried using IPv6 yet, mainly because the TA provided by my ISP can't handle IPv6 because they're a bunch of cheapskates.

--Patrick
 
Last edited:
Reactions
840 219 9
#7
I had a feeling this would be right up Pat's alley.
It didn't used to be, but considering where we live, I'm gonna take advantage of whatever speeds up our service.
Also this means new lookups are only done once, so the outside DNS machine doesn't get to know how many times I hit that particular address, since all subsequent lookups will never exit my caching server until the TTL expires.

Doing the local server thing means my initial lookup is about half normal speed (probably due to waiting for the reply from the forwarder), so latest benchmark shows fastest outside server is 15ms while local (handoff) lookup takes 29ms, but all subsequent lookups are cached locally, so fastest outside cached lookup is 14ms BUT cached lookups to my local server come in at <1ms, so low that it actually doesn't even register because the benchmark only shows the first 4 significant figures.

--Patrick
 
Last edited:
Reactions
418 41 0
#8
Hey, something I can actually contribute to!

Step 1: Use GRC's Benchmark Tool to get a list of the fastest DNS providers from your current location. The GRC tool will rank them in order of speed and will also let you know if any of them try to redirect you. Write down the top 5 providers who are NOT related to your current ISP (or any other ISP, really).
OMG GRC..I haven't thought of them in 25 years (at least since I last used SpinRite)
 

GasBandit

Staff member
Reactions
1,824 384 8
#11
dns.png


Interesting. I guess I'll give NTT America's DNS a spin.

Though it looks like I was almost right about Level3.
 

GasBandit

Staff member
Reactions
1,824 384 8
#12
Well, so far, I gotta say, NTT America seems pretty great. I know they're a telecom, but seems to me they're not the same thing as verizon et al, so I feel a little better about that.
 
Reactions
840 219 9
#13
Red ones are ones that refused your query, brown ones are ones that attempted to redirect (rather than just returning "not a valid address"), ones that have that red stain along the left side are ones that had packet loss. On the right side, the fat red bar is time for cached lookups, green bar is the time for uncached lookups, and blue bar is the "look-through" time for ones it doesn't know (I think).

Here's mine:
20070614.png

Purple marks show 4 of the 5 ones my server is using as forwarding servers, one of 'em isn't even on the list any more. Hmm...looks like I need to rebalance. Well, it has been since before Xmas, I think.
You can see the cached response time for my local server, though...IF you look carefully. I assume the green and blue times will come down some once I rebalance the forwarding servers.

One other thing I forgot to mention. When you are choosing your forwarding servers, try to pick the single fastest one from 4 different servers. "First Communications, LLC" may appear twice in my top 5 up there, but I still want to only pick one of them because if they go down (or start refusing queries) I don't want that to break my DNS lookups.

--Patrick
 
Last edited:
Reactions
840 219 9
#15
So, for dummies on WinX, how'd I use this info to speed up my net connection?
In its most simple form:
Step 1: Run the DNS bench test and mark down the fastest two servers that have green lettering and that are not both run by the same company. Also try to pick ones that are NOT run by your ISP.
Step 2: Open your Settings -> Network and Internet -> Change adapter options and find the connection you have plugged into your main Internet connection, then double-click it.
Step 3: Press the "Properties" button and grant access if it asks.
Step 4: Select "Internet Protocol Version 4 (TCP/IPv4)" from the list. Don't check/uncheck the box, just select the line, itself, and then press the "Properties" button.
Step 5: Select the radio button next to "Use the following DNS server addresses:," enter the IP addresses of your top two from Step 1, and then press the "OK" button.

Just remember that there might be times when doing this will actually break your ability to access the Internet. If you ever find that you suddenly can't access the Internet for some reason, try changing the setting back to "Obtain DNS server address automatically." If that fixes it, then it's probably time to hunt for fresh new manual DNS servers with the tool again (or else the network you are attached to is refusing to allow you to use anyone else's DNS).

--Patrick
 

GasBandit

Staff member
Reactions
1,824 384 8
#16
So, just for shits and giggles, after switching my DNS over to NTT, I decided to run google's namebench utility.

First of all, it takes SO MUCH LONGER than GRC.

Second of all, I nearly shit my pants when my results told me that NTT was hijacking paypal, facebook, google, windows update, and that a bunch of other common urls were "incorrect."

But then I scrolled down to its test of 8.8.4.4 and realized it threw the same flags on them. I highly doubt google's own DNS is hijacking google.

Anyway, the graphs are kinda neat.
 
Reactions
318 104 5
#17
In its most simple form:
Step 1: Run the DNS bench test and mark down the fastest two servers that have green lettering and that are not both run by the same company. Also try to pick ones that are NOT run by your ISP.
Step 2: Open your Settings -> Network and Internet -> Change adapter options and find the connection you have plugged into your main Internet connection, then double-click it.
Step 3: Press the "Properties" button and grant access if it asks.
Step 4: Select "Internet Protocol Version 4 (TCP/IPv4)" from the list. Don't check/uncheck the box, just select the line, itself, and then press the "Properties" button.
Step 5: Select the radio button next to "Use the following DNS server addresses:," enter the IP addresses of your top two from Step 1, and then press the "OK" button.

Just remember that there might be times when doing this will actually break your ability to access the Internet. If you ever find that you suddenly can't access the Internet for some reason, try changing the setting back to "Obtain DNS server address automatically." If that fixes it, then it's probably time to hunt for fresh new manual DNS servers with the tool again (or else the network you are attached to is refusing to allow you to use anyone else's DNS).

--Patrick
Amazingly, as soon as I found the "use the following DNS server address" option, it came back to me what to do.

Haven't noticed a huge difference, TBH.
 
Reactions
190 15 3
#19
It didn't used to be, but considering where we live, I'm gonna take advantage of whatever speeds up our service.
Also this means new lookups are only done once, so the outside DNS machine doesn't get to know how many times I hit that particular address, since all subsequent lookups will never exit my caching server until the TTL expires.

Doing the local server thing means my initial lookup is about half normal speed (probably due to waiting for the reply from the forwarder), so latest benchmark shows fastest outside server is 15ms while local (handoff) lookup takes 29ms, but all subsequent lookups are cached locally, so fastest outside cached lookup is 14ms BUT cached lookups to my local server come in at <1ms, so low that it actually doesn't even register because the benchmark only shows the first 4 significant figures.

--Patrick
What's the advantage here? I thought that Windows by default cached DNS entries. It's always a local lookup first anyways (hence why changing the "hosts" file does anything in the first place), so you're just putting another server in your chain that needs to do the lookup, in addition to your "local" lookup already.

So why? Does it keep the records around longer than windows does or something? I'm assuming Windows clears them on reboot or something by default. Even then, is the maintenance of another whole server JUST for this worth the trouble, on-average, real-world usage?
 

GasBandit

Staff member
Reactions
1,824 384 8
#20
Amazingly, as soon as I found the "use the following DNS server address" option, it came back to me what to do.

Haven't noticed a huge difference, TBH.
It's generally only something you need to worry about if there's already a noticeable problem, like there was for me. Since I switched away from google, I haven't had the "resolving host..." problems.

Which is kind of a shame, as I kind of (ironically) trust Google to not do shenanigans with DNS more than I do a telecom or cable company. And NTT is definitely a telecom.
 
Reactions
840 219 9
#21
What's the advantage here? I thought that Windows by default cached DNS entries. It's always a local lookup first anyways (hence why changing the "hosts" file does anything in the first place), so you're just putting another server in your chain that needs to do the lookup, in addition to your "local" lookup already.

So why? Does it keep the records around longer than windows does or something? I'm assuming Windows clears them on reboot or something by default. Even then, is the maintenance of another whole server JUST for this worth the trouble, on-average, real-world usage?
Let me try and answer them in order:
-Windows (and macOS) do cache DNS lookups, but that's local to the machine only, and we have almost 20 devices on our network. Any DNS lookups done by one device are therefore available to all devices.
-I was already maintaining another server for Minecraft, adding DNS to it was almost trivial (once I figured out how). There was a time in the past where I added a squid proxy to it as well, but that was a couple of servers ago. I keep meaning to set it back up again, because caching the content itself made a HUGE difference in browsing speed, but I guess that's a lower priority now that we have 60Mb/s service instead of the 6Mb/s service we used to have back then.
-As has already been mentioned, many DNS providers (especially the default ones for your ISP) like to redirect your failed lookups to locations of their choosing. Additionally, your DNS provider (whoever it is) by definition gets to know all of the websites you visit, since you ask it to go and find them all for you. Spreading your lookups over forwarders that do not redirect lookups and that are not connected to your ISP make it harder for your ISP to build a profile of your browsing habits and cuts down on the noise/spam.
-Also, since I never thought to check before, I looked it up. Windows stores successful lookups for 1 day and failed ones for 5 minutes. All values are cleared on restart, of course. A caching DNS server will store the records for as long as the TTL is set to, which is specified by the authoritative name server for that domain.

--Patrick
 
Reactions
413 84 3
#22
Something is up with Comcast's DNS. Some file downloads were taking up to 20 minutes to complete, but changing DNS to Google or OpenDNS they'd finish in just a few seconds. Odd that.
 
Reactions
512 79 1
#23
Something is up with Comcast's DNS. Some file downloads were taking up to 20 minutes to complete, but changing DNS to Google or OpenDNS they'd finish in just a few seconds. Odd that.
It's like how activating a VPN on my Verizon Mobile account suddenly makes YouTube videos load instantly. Strange
 
Reactions
413 84 3
#24
It's like how activating a VPN on my Verizon Mobile account suddenly makes YouTube videos load instantly. Strange
That was how I found the problem. IPVanish uses their own DNS, and even though the overall connection speed was cut significantly, downloads were orders of magnitude faster than when the default DNS was set on the normal connection. Switched to Google DNS and the same file that took 20 minutes now took 20 seconds.
 
Reactions
474 124 6
#27
Given that they’re billing themselves as a secure option, I doubt they’re trying to compete on speed, particularly for the uncommon websites.
 
Reactions
840 219 9
#28
Given that they’re billing themselves as a secure option, I doubt they’re trying to compete on speed, particularly for the uncommon websites.
They are, sorta. They're an "anycast" provider, which means it will always try to respond from the server closest to your physical location.

--Patrick
 
Top