Yet Another Cycling Forum
General Category => The Knowledge => Ctrl-Alt-Del => Topic started by: Ham on 28 April, 2020, 07:17:35 am
-
This subject is likely to be of limited interest to most, but actually that's at odds with the reaction you get when asking people about the protection of their systems and data. Whatever your choice, you really should take an interest in the subject.
Why? Simply because it's the DNS service that translates your request into IP language. For example, you know you must type in "www.mybank.com" rather than clicking a link, but you depend on your DNS service to turn that into an IP address that you hope (!) is not www.bankrobbers.com (actually DNSSec may improve matters, but that is not necessarily in place or supported at client end). Whether this is a malicious attack or an ISP related substitution (eg your ISP search page for a "not found") it is un-asked for behaviour.
Then, your DNS provider is also tracking you (or at least, able to) by IP address - at this stage in the transaction the sites you are visiting are in clear, not encrypted.
Also, you may (?) get better service, DNS servers are potential targets for DoS attacks, ISP DNS rarely have capacity to manage. Large DNS farms may give better performance. Open DNS provides better protection against malware and BotNets, too.
All this brought about by Cisco's Open DNS (208.67.222.222 208.67.220.220) going down last night and me having to fail back to Google (8.8.8.8 and 8.8.4.4 so nice and easy to remember)
-
I like Open DNS but often end up using Google as its easy to remember.
-
I need to point all my clients at my internal DNS server in order for my AD Domain to work.
So it's then a choice as to whether I then forward external lookups to a forwarder like Google, or just let it use Root Hints and do a full recursive lookup.
I've chosen to let it use the Root Hints.
-
Hurricane Electric. Free, easy to use, supports ipv6, no problems for years.
-
Cloudflare's public DNS is faster than Google and they don't log anything (I don't trust google not to).
Even easier to remember than Googles:-
1.1.1.1
-
That's an interesting development, ta, I hadn't noticed it.
(and as far as remembering odd IP addresses is concerned, I still use Dircon's DNS as my ping test target, I'm fairly sure I used them @ 300, and definitely as 1200/75.... those were the days. Bad days, but at least you could get free t-shirts)
-
My DNS server just forwards to AAISP's. They're trustworthy from a privacy / not breaking the internet[1] perspective, and if it stops working, I can just reconfigure it to query the root servers directly.
[1] While sometimes useful, IMHO DNS servers shouldn't be doing web-oriented filtering. It breaks non-web things in unintuitive ways. If you want to do naughty things with DNS, do it locally so you're fully aware of what's going on.
-
AAISPs here too...
-
I need to point all my clients at my internal DNS server in order for my AD Domain to work.
So it's then a choice as to whether I then forward external lookups to a forwarder like Google, or just let it use Root Hints and do a full recursive lookup.
I've chosen to let it use the Root Hints.
Snap!
-
My Pi fleet uses cloudflare, everything else has no configuration set so will just go to plusnet.
-
Frankly, if you people have this much time on your hands you should go make me a cup of tea.
-
Frankly, if you people have this much time on your hands you should go make me a cup of tea.
Or get a better ISP.
When I was a PSO, we had an unlimited[1] freephone dialup account with an ISP so low-budget that they were frequently incapable of providing a working DNS server. This was actually an advantage, because whenever the DNS went down most of the customers would give up dialling in, freeing plenty of capacity for those of us with the patience to configure BIND.
As a grown up, most of my DNS jibbling is on the authoritative server side of things. Resolvers are something that should Just Work.
[1] Other than by extreme congestion.