Which DNS do you prefer?

DavidG · July 30, 2019, 10:38am

I’m changing my internet’s DNS (why? see No access to NS via FQDN on LAN ).

I have been using the default one from my ISPin my router. I did a dig at it and found the query time was 40 msec, 8.8.8.8 was 36 msec so not much in it. 1.1.1.1 was a long 100 msec and 208.67.222.222 (OpenDNS) only 20 msec.

I think I might use OpenDNS. They must have a presence near me (unlike CloudFlare).

Any reason not to use OpenDNS (they have been bought by Cisco since I last looked)? Any other favourite servers I should try?

Thanks!

m.traeumner · July 30, 2019, 11:00am

I’ve read something about Quad9

with address 9.9.9.9
It should be the first DNS with a TLS connection.

robb · July 30, 2019, 12:51pm

DNS.Watch seems quite ok too.
https://dns.watch/

Alternatively you could have a look at OpenNIC.
https://www.opennic.org/

Both are true privacy friendly options.

danb35 · July 30, 2019, 1:00pm

Neth really should follow in the footsteps of its ancestor and be its own DNS resolver. Failing that, though, my pfSense router acts as a DNS resolver for my LAN.

robb · July 30, 2019, 1:03pm

On my LAN, NethServer is the DNS resolver for all clients, just for external queries I use an external DNS resolver.

danb35 · July 30, 2019, 2:23pm

Neth acts as a caching DNS server, and only properly “resolves” other hosts on the LAN. Anything it doesn’t know, it asks the one or two servers you give it. By contrast, a proper resolver doesn’t need to be told which DNS servers to use; it queries the roots and builds from there. This is how SME (Neth’s father) works, and how pfSense can work (and how I have it configured). I continue to be surprised that Neth removed this feature when they forked from SME.

robb · July 30, 2019, 2:25pm

@danb35 Thnx for explaining. I am not from the SME time… and never really paid too much attention at the DNS resolve process used by NethServer.

dnutan · July 30, 2019, 3:49pm

Also check the answers of this similar thread:

Andy_Wismer · July 30, 2019, 3:57pm

@robb

Danb35 is quite correct in this sense. The Nethserver DNS (unbound?) works well enough for SOHO environments who don’t need more.
If the environment contains a mailserver (Not the Nethserver) or even worse, more than one mailserver there is NO possibility to add in MX Records. You can’t even add in an Alias. The “Alias” in Nethserver is ONLY for Server aliases.

If I manually add in an alias, example:

myserver.domain.tld = 192.168.20.30
is the server’s FQDN (Not the NethServer!)

and I’d like that server to be reachable with
myalias.domain.tld, then the only option I have is to make a second entry like

myalias.domain.tld = 192.168.20.30

Now, this works, BUT:

The reverse DNS (PTR) now points 192.168.20.30 to myalias.domain.tld instead of the correct myserver.domain.tld.

Also no UI for adding in TXT, SVC or other stuff besides using a custom template.

I love NethServer, but there should be an Option to choose a simple repeater like Unbound-DNS or a full blown BIND or some other DNS.

Sure, there are a few stuff which is VERY simple in Unbound:
Say blocking access to Facebook or whatever:
Make an entry like *.facebook.com = 127.0.0.1 - that simple!

Two years back, one of my clients had the only working UPC Internet Cable connection, as none of the other clients had an internal DNS (mine did, a full BIND without any need for provider DNS…). The complete DNS Services of UPC in Switzerland was down, but the Network was working…

My 2 cents
Andy Wismer