Comments
You don't need to build your own resolver. If it'll be internet accessible then you'll be stuck dealing with the security issues around open resolvers.
Diversify your DNS servers.
I personally use 8.8.4.4 (Google) and 74.82.42.42 (Hurricane Electric), but there are tons of other resolvers that aren't Google that you can use.
The ISP I work for had Google so kindly start rate limiting our IP ranges, because we use their DNS.
That was... fun. We now run/maintain our own DNS server.
howtoforge.com or DigitalOcean have a lot of tutorials for this; you can use unbound, MaraDNS or any DNS server, or use public DNS.
OpenDNS all the way, switched from google dns because of several issues a few years back.
Appreciate the suggestions. Added HE resolver (74.82.42.42) into the existing pool of Google and Level3 resolvers and tweaked timeouts, everything is better now.
Regarding opendns, didn't opendns return an IP pointing to a page loaded with ads instead of returning NXDOMAIN? I did a quick check, does not seem to be the case now?
No, it's not the case now.
Feel free to add 208.67.220.220 and 208.67.222.222 to the resolvers and use options like rotate to diversify the lookups.
The 4.2.2.x series screws with NX domains now. They were good pre-Google, but in the last few years they screw with NX, so I rarely use them.
Level3 resolvers do that.
;; ANSWER SECTION:
notarealdomain.nxdomain. 10 IN A 198.105.244.11
notarealdomain.nxdomain. 10 IN A 104.239.213.7
;; Query time: 39 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
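The dig output above is the signature of NXDOMAIN hijacking: a resolver answering NOERROR with A records for a name that cannot exist. The following is an added example (not code from any poster in this thread) that parses dig-style output offline and flags that pattern, so a resolver pool can be checked with a throwaway label. Both dig transcripts are constructed samples; the hijacked one reuses the answer quoted above, and the honest one assumes a local recursor on 127.0.0.1 returning NXDOMAIN with a root SOA.

```python
import re

# Constructed sample: the answer a Level3 resolver (4.2.2.2) gave for a label
# that does not exist, modelled on the dig output quoted in the thread.
HIJACKED_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;notarealdomain.nxdomain.      IN  A

;; ANSWER SECTION:
notarealdomain.nxdomain. 10 IN A 198.105.244.11
notarealdomain.nxdomain. 10 IN A 104.239.213.7

;; Query time: 39 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
"""

# Constructed sample: an honest recursor (assumed local unbound on 127.0.0.1)
# answering the same query with NXDOMAIN and no A records.
HONEST_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;notarealdomain.nxdomain.      IN  A

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016010100 1800 900 604800 86400

;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def dig_status(dig_text):
    """Return the RCODE from the dig header (e.g. 'NOERROR', 'NXDOMAIN')."""
    m = re.search(r"status: (\w+)", dig_text)
    return m.group(1) if m else None


def dig_server(dig_text):
    """Return the resolver IP from the ';; SERVER:' footer line."""
    m = re.search(r"^;; SERVER: ([^#\s]+)", dig_text, re.M)
    return m.group(1) if m else None


def dig_section(dig_text, wanted):
    """Return (name, ttl, type, rdata) tuples from one section of dig output."""
    records, section = [], None
    for line in dig_text.splitlines():
        if line.startswith(";;"):
            m = SECTION_RE.match(line)
            section = m.group(1) if m else None  # header/footer lines end a section
            continue
        rr = RR_RE.match(line)
        if section == wanted and rr:
            name, ttl, rtype, rdata = rr.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records


def detect_nxdomain_hijack(dig_text):
    """Classify a dig answer for a name the caller knows does not exist.

    An honest recursor returns NXDOMAIN with an empty answer section. A
    resolver that substitutes its own A/AAAA records (as 4.2.2.x does in
    the thread) returns NOERROR plus addresses: that is the hijack signature.
    """
    answers = dig_section(dig_text, "ANSWER")
    ips = [rdata for _, _, rtype, rdata in answers if rtype in ("A", "AAAA")]
    status = dig_status(dig_text)
    hijacked = status != "NXDOMAIN" and bool(ips)
    return {"server": dig_server(dig_text), "status": status,
            "hijacked": hijacked, "ips": ips}


if __name__ == "__main__":
    for sample in (HIJACKED_DIG, HONEST_DIG):
        print(detect_nxdomain_hijack(sample))
```

To use this against a live pool, feed it the output of `dig @<resolver> <random-label>.nxdomain A` for each resolver; any entry that comes back `hijacked: True` is rewriting NXDOMAIN and should be dropped from the pool.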
Sounds like it's a great opportunity for you to run namebench and find the best DNS servers for you.
https://code.google.com/archive/p/namebench/
Looks like there have been some major changes recently, L3 hijacking is news to me. Already messing around with namebench, I had no idea there are so many open dns resolvers out there.
No longer the case, not sure this happened before or after Cisco acquisitions though. One thing to keep in mind that opendns is advertised as a home solution, I know they have a VIP version for $20 a year, not sure about business versions.
@TheOnlyDK thanks! I should have mentioned in my OP that we are definitely a "heavy user". I guess we will add it to the pool and see how it goes, I suppose the worst that could happen is we get banned.
I don't see why you would get banned for using a public DNS. They didn't specifically say it is for home users only, just the name is called OpenDNS Home (and OpenDNS Home VIP or something for the VIP version). I use OpenDNS for all my boxes, didn't have a single issue, though I'm not that heavy of a user, so don't quote me on that.
Location matters of course. If you're in Europe this is a very good one:
Also, don't forget OpenNIC servers. Their site automatically shows the ones nearest to you.
https://www.opennicproject.org/
There aren't many good public recursors. I had been tracking this situation over the years so I think I can be of help
So my current suggestion is HE + NTT which has been working wonderfully for a long time.
If anyone knows about any other NS which:
Please let me know (but I don't think there are many more, except some regional ones in China for example).
https://blog.uncensoreddns.org/ (as mentioned above) doesn't fit the bill?
Verisign runs one too, if you want https://verisign.com/en_US/innovation/public-dns/index.xhtml
Keep in mind that if you put more than 3 servers into /etc/resolv.conf, only the first 3 are actually used.
Some others to consider:
DYN:
216.146.35.35 (Dyn 1)
216.146.36.36 (Dyn 2)
Ultra:
156.154.70.1 (Ultra 1)
156.154.71.1 (Ultra 2)
OpenNIC:
128.173.89.246
50.116.38.157
205.185.120.143
74.207.247.4
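The three-nameserver limit mentioned above is glibc's compile-time MAXNS, and the `rotate`, `timeout:n` and `attempts:n` options from resolv.conf(5) are what actually spread load across the pool. As an added example (not a poster's code), here is a small checker that parses a resolv.conf, reports the lines glibc will silently ignore or clamp, and renders a version that stays within those limits. The sample file is constructed from resolvers named in this thread; the constants MAXNS=3, timeout cap 30 and attempts cap 5 are the documented glibc values.

```python
import ipaddress

# glibc resolver limits (resolv.h MAXNS and the caps in resolv.conf(5))
MAXNS = 3           # only this many nameserver lines are used
MAX_TIMEOUT = 30    # options timeout:n is silently capped here
MAX_ATTEMPTS = 5    # options attempts:n is silently capped here

# Constructed sample: four resolvers from the thread, one more than glibc uses.
SAMPLE_RESOLV_CONF = """\
# resolver pool discussed in the thread
nameserver 8.8.4.4
nameserver 74.82.42.42
nameserver 208.67.220.220
nameserver 208.67.222.222
options rotate timeout:2 attempts:2
"""


def parse_resolv_conf(text):
    """Return {'nameservers': [...], 'options': {...}} from resolv.conf text."""
    nameservers, options = [], {}
    for raw in text.splitlines():
        # both '#' and ';' start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "nameserver":
            nameservers.append(rest.strip())
        elif key == "options":
            for opt in rest.split():
                name, _, value = opt.partition(":")
                options[name] = int(value) if value.isdigit() else True
    return {"nameservers": nameservers, "options": options}


def check_resolv_conf(text):
    """Return the warnings a sysadmin would want before trusting this file."""
    conf = parse_resolv_conf(text)
    ns, opts, warnings = conf["nameservers"], conf["options"], []
    for addr in ns:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            warnings.append("nameserver %r is not an IP address" % addr)
    if len(ns) > MAXNS:
        warnings.append("only the first %d nameservers are used; ignored: %s"
                        % (MAXNS, ", ".join(ns[MAXNS:])))
    if len(ns) > 1 and "rotate" not in opts:
        warnings.append("no 'rotate': every query goes to %s first; the rest "
                        "are only tried after it times out" % ns[0])
    if opts.get("timeout", 0) > MAX_TIMEOUT:
        warnings.append("timeout > %d is clamped by glibc" % MAX_TIMEOUT)
    if opts.get("attempts", 0) > MAX_ATTEMPTS:
        warnings.append("attempts > %d is clamped by glibc" % MAX_ATTEMPTS)
    return warnings


def render_resolv_conf(nameservers, rotate=True, timeout=2, attempts=2):
    """Render a resolv.conf that stays inside the limits glibc enforces."""
    lines = ["nameserver %s" % ns for ns in nameservers[:MAXNS]]
    opts = ["rotate"] if rotate else []
    opts += ["timeout:%d" % min(timeout, MAX_TIMEOUT),
             "attempts:%d" % min(attempts, MAX_ATTEMPTS)]
    lines.append("options " + " ".join(opts))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for w in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print("warning:", w)
    print(render_resolv_conf(parse_resolv_conf(SAMPLE_RESOLV_CONF)["nameservers"]))
```

Note that `rotate` only matters when more than one nameserver is listed; without it glibc sends every query to the first server and falls through to the others only after `timeout` seconds times `attempts`, which is the slow behaviour people blame on "DNS" when the first resolver is rate limiting them.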
While I appreciate his effort, the anycast server doesn't have PoPs outside of DK.
Very interesting, looks like this was launched recently and they provide an unfiltered NS.
Not really. All you need is a whitelist and you're pretty much done.
Using your own DNS will about always be fastest and best.
I guess you say this because either:
Since public recursors have most records already cached, they will usually be faster. Running your own recursor makes waiting more than a full second to retrieve a record not uncommon.
I tried unbound and pdnsd and rarely did experience such long wait.
3/400ms happens (or even more than 1 sec as you say) when it needs to fetch the information on the other side of the world but requests are generally faster. And once the result is cached, well, that's as fast as RAM, and it's pretty secure and there is no blocking
I have been running and managing my own BIND recursor for over 2 years so it's safe to say I know what I am talking about.
And yes I compared it with my local ISP's and other DNS services
Like @info_hash said.
That claim is not true at all. Yes, first startup will take longer but that's everywhere: Windows, Android, so yes even DNS, but then answers will be about instant.
http://www.tummy.com/articles/famous-dns-server/ ?
I run unbound (only accessible by 127.0.0.1) & a custom C prog behind them on many VPS' I have. The program just does some async DNS lookups of domains, privately.
I got accused of it being a DDoS program by Quadranet/Crissic today, though I suspect I just triggered some flagging software and level 0.1 support said it was DDoS.
Apparently VPS can be too low end to do some simple DNS stuff
I'd recommend running something that caches lookups, whatever you use further upstream. FWIW I do have the nameservers of pretty much every domain in existence... doing a count of each unique one would likely lead to a fat list of free public DNS.... though it seems most are listed already.
Then you would've found that you could likely reach your ISP in 1-50 ms while your recursor would struggle a lot to resolve an uncached record in the same time.
You said that using your own DNS would always be faster and that's certainly not true. For a low volume of queries, it's actually the opposite.
I did read that some years ago. Sadly, since they started hijacking, the service is not interesting to me anymore.
Are you sure the NS was secure/private? If so explain that to them and they shouldn't have a problem...
Yes, it binds to 127.0.0.1 and I'm the only user on the server. They did back off when I said my "malicious script" was simply doing DNS lookups; I offered them the source but was just given boilerplate vague responses. unbound obviously helps in politeness as it's my nameserver the program uses, and caches anything worth caching.
I should clarify in the case of this thread, its purpose is to lookup thousands of domains and is threaded, but it's not CPU heavy and at maximum is doing around 10 a second. It's deliberately rate-limited to 5 threads and only runs a few days of the month. Its maximum load is around 0.01. To me that's quite low-end, but it's something to be aware of on these low end hosts...
Again. You can't compare cached vs uncached response times when you compare DNS A vs DNS B.
My DNS never struggled to get uncached records and I never waited for more than a few 100 ms before my DNS found and cached the records.
And once it's cached it's even faster than my ISP and other DNS services.
I suggest you try to run your own so you can see that I am right.
I agree to an extent, but you need to understand that if 99 % of the records are already cached, it will obviously be faster. We are just talking about what is faster.
500+ ms are very common, with 1 second not being very rare depending on the domain NS, TLD, etc...
Yeah, obviously.
Been having issues with Google DNS as well. They've either rate limited some of our more popular servers or they're just having issues. It's been happening the past 72 hours.
ymmv
I switched to opendns yesterday. Internet feels snappier now.