Author Topic: OpenDNS  (Read 1115 times)

Afasoas

OpenDNS
« on: 10 February, 2016, 06:27:33 pm »
Hallo,

I've used OpenDNS as a forwarder to resolve DNS queries emanating from my local network. In fact I've done this for eons without so much as a sniff. Ergo, arriving home today to some rather upset cohabitees who couldn't access either their Facebook or Twitter accounts was quite a surprise. And then I found I couldn't use serverfault either. Instead I saw a nice OpenDNS page informing me that said content was blocked.

I double checked the OpenDNS IP addresses I'd configured and they were the standard ones, not their "family friendly" brethren. What gives? Anyone else experienced the same/similar? I've even resorted to searching with Google for news of any folk suffering similar misfortunes.

I've swapped out OpenDNS for Level3. Who do you use*? Any recommendations for an open public DNS server that's not evil? (N.B. doesn't log queries and doesn't fling advertising at you instead of NXDOMAINs etc?)



*Before anyone suggests my ISP's DNS servers, they take weeks to start resolving new or changed domain names!

Andrew

Re: OpenDNS
« Reply #1 on: 10 February, 2016, 06:45:53 pm »
Nope, not experienced anything like that.

My DNS is hard configured by the ISP-provided router BUT I have each connected device (desktops, servers, tablets, etc.) configured to route via my own local DNS forwarder (that runs ad blocking). The resolver on that is one of the 2 OpenDNS IP addresses and I have no issues whatsoever.

Feanor

  • It's mostly downhill from here.
Re: OpenDNS
« Reply #2 on: 10 February, 2016, 06:51:53 pm »
Edit:
Do you mean you have a local DNS server on your LAN, and all your clients point to that
(and if you don't, my advice would be to set one up), and it is in turn forwarding to an external forwarder?

In that case, why use any forwarder at all?

I let mine use Root Hints and let it get on with it.

Afasoas

Re: OpenDNS
« Reply #3 on: 10 February, 2016, 07:03:47 pm »
DNS queries, first to OpenDNS and then to one of Google's public DNS Servers.
Note how facebook and twitter resolve to 146.112.61.106


afasoas@colnago ~ $ nslookup www.facebook.com 208.67.222.222
Server:      208.67.222.222
Address:   208.67.222.222#53

Non-authoritative answer:
Name:   www.facebook.com
Address: 146.112.61.106

afasoas@colnago ~ $ nslookup www.facebook.com 8.8.8.8
Server:      8.8.8.8
Address:   8.8.8.8#53

Non-authoritative answer:
www.facebook.com   canonical name = star-mini.c10r.facebook.com.
Name:   star-mini.c10r.facebook.com
Address: 179.60.192.36

afasoas@colnago ~ $ nslookup www.twitter.com 208.67.222.222
Server:      208.67.222.222
Address:   208.67.222.222#53

Non-authoritative answer:
Name:   www.twitter.com
Address: 146.112.61.106

afasoas@colnago ~ $ nslookup www.twitter.com 8.8.8.8
Server:      8.8.8.8
Address:   8.8.8.8#53

Non-authoritative answer:
www.twitter.com   canonical name = twitter.com.
Name:   twitter.com
Address: 199.16.156.38
Name:   twitter.com
Address: 199.16.156.102
Name:   twitter.com
Address: 199.16.156.230
Name:   twitter.com
Address: 199.16.156.6


I let mine use Root Hints and let it get on with it.

The thought crossed my mind, but I thought it wasn't thought of as 'best practice' on account of increasing traffic to root servers? I thought the best advice was to pick a DNS server you can resolve with in minimal hops, which is why I chose the Level3 one. It resolved quickly.
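The transcript above shows the tell-tale sign of a filtering resolver: two unrelated names (facebook and twitter) both come back as 146.112.61.106 from 208.67.222.222, while 8.8.8.8 returns the real addresses. The following script is an added example, not code from the thread: it parses nslookup output and flags any resolver that hands the same address back for several distinct names, so you can spot a block or redirect page before anyone in the house complains. The sample input is constructed from the sessions quoted in the post.

```python
import re
from collections import defaultdict
# Constructed sample: three nslookup sessions from the post; blank, Server: and Name: lines dropped.
NSLOOKUP_OUTPUT = """\
$ nslookup www.facebook.com 208.67.222.222
Address:   208.67.222.222#53
Non-authoritative answer:
Address: 146.112.61.106
$ nslookup www.twitter.com 208.67.222.222
Address:   208.67.222.222#53
Non-authoritative answer:
Address: 146.112.61.106
$ nslookup www.twitter.com 8.8.8.8
Address:   8.8.8.8#53
Non-authoritative answer:
Address: 199.16.156.38
Address: 199.16.156.102
"""
QUERY_RE = re.compile(r"\$ nslookup (\S+) (\S+)")        # queried name, server
ADDR_RE = re.compile(r"^Address:\s+([0-9a-fA-F.:]+)$")  # rejects the '#53' server line

def parse_nslookup(text):
    """Map (server, queried_name) -> set of answer addresses."""
    answers, key, in_answer = defaultdict(set), None, False
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            key, in_answer = (m.group(2), m.group(1)), False
            continue
        if line.startswith("Non-authoritative answer:"):
            in_answer = True  # lines before this describe the server, not the answer
            continue
        m = ADDR_RE.match(line.strip())
        if m and key and in_answer:
            answers[key].add(m.group(1))
    return dict(answers)

def shared_answers(answers, min_names=2):
    """Per server, addresses returned for >= min_names distinct names: unrelated
    sites sharing one A record is the block/redirect-page pattern seen above."""
    per_server = defaultdict(lambda: defaultdict(set))
    for (server, name), addrs in answers.items():
        for addr in addrs:
            per_server[server][addr].add(name)
    flagged = {}
    for server, by_addr in per_server.items():
        hits = {a: n for a, n in by_addr.items() if len(n) >= min_names}
        if hits:
            flagged[server] = hits
    return flagged
```

Feed it the concatenated output of `nslookup <name> <server>` for a handful of unrelated names against each resolver you are comparing; a non-empty result for a resolver means it is answering with something other than the real host.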

Andrew

Re: OpenDNS
« Reply #4 on: 10 February, 2016, 07:04:45 pm »
I'd not heard of 'Root Hints' before. A quick Google suggests I might be able to integrate it into my DNS forwarder. That'll give me something to do tomorrow! :thumbsup:

Feanor

  • It's mostly downhill from here.
Re: OpenDNS
« Reply #5 on: 10 February, 2016, 07:21:06 pm »
There's so much caching that you really won't bother the root servers very much at all.
Only to get your local DNS server's cache of TLD and various sub-domains NS records populated.

Looking at my local DNS server, the .COM TLD NS records have a TTL of about 4 hours.
The .UK TLD NS records have a TTL of 24 hours.

Sub-domains will have varying TTLs too.

So it depends on what you have in your local recursive resolver's cache, and then in the caches of all the steps on the way up towards the root.