
DNS Choice?

Discussion in 'General Network Security' started by RBJ32, Apr 6, 2019.

  1. RBJ32

    RBJ32 Occasional Visitor

    Joined:
    Apr 22, 2017
    Messages:
    48
    I realize this may be a loaded question depending on the ISP thereof. But generally speaking does a free public DNS like Google (8.8.8.8) or Quad 9 (9.9.9.9) offer better protection than most large ISP DNS?
     
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,624
    Better protection against what?
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,124
    Location:
    UK
    Exactly.

    DNS in and of itself doesn't provide "protection" against anything. It's not meant to be a security system, it merely resolves names to IP addresses. That said, there are some DNS servers that won't return addresses for known malware/porn/whatever sites.
     
    Paliv and L&LD like this.
  4. RBJ32

    RBJ32 Occasional Visitor

    Joined:
    Apr 22, 2017
    Messages:
    48
    Oh, sorry for the ambiguity. From what I read some (like Quad9) offer more malicious domain threat intelligence and block access if your system attempts to contact them. Of course it appears some security apps running on a PC can do the same. I surmise all DNS providers (ISP and public) sell some of your traffic data.
     
  5. EmeraldDeer

    EmeraldDeer Very Senior Member

    Joined:
    Dec 22, 2017
    Messages:
    503
    Location:
    Massachusetts
    I've only come across one test:
    https://medium.com/@nykolas.z/phishing-protection-comparing-dns-security-filters-9d5a09849b91

    CleanBrowsing did better than Quad9.

    I do not think that Cloudflare or Google return NXDOMAIN for malware DNS lookups.
     
    RBJ32 and L&LD like this.
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,860
    Location:
    Canada
    Google's DNS does no filtering at all. Don't think Cloudflare does, but my memory may be wrong.

    OpenDNS, Quad9 and the lesser-known CleanBrowsing are probably the best solutions right now if you are looking for DNS-based filtering. Yandex apparently does a fairly good job as well if you are in Russia.
     
    isometimestinker and umarmung like this.
  7. RBJ32

    RBJ32 Occasional Visitor

    Joined:
    Apr 22, 2017
    Messages:
    48
  8. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,748
    Location:
    texas
    I like Quad9 but it is a little slow compared to my ISP's DNS. I have it set up on my guest VLAN. I am back and forth on using it with the main LAN. Quad9 for me is California and I am in Texas.
     
    RBJ32 likes this.
  9. RBJ32

    RBJ32 Occasional Visitor

    Joined:
    Apr 22, 2017
    Messages:
    48
    Thanks, while you're here I have a newbie question on your VLAN. Is all your LAN wired (?) or if not do you run a wifi AP wired back to a VLAN smart switch and/or a VLAN gateway wired router?

    I have a cheap D-Link VLAN smart switch I wanted to play around with VLAN tags, but I only have my main wifi router going to the ISP modem. And for the most part I run all my laptops off wifi, unless I hand carry one into the router room. So I figured I'd have to put the VLAN smart switch in between a wifi AP and the gateway router (with the gateway wifi turned off).

    I.e. it appears to me the physical logistics of VLANs require wired cables. Otherwise I surmise one would just use a wifi router that had separate guest accounts so you'd kinda get similar separation via SSIDs instead of PVIDs.

    But I'm just learning so feel free to correct where I've missed the concept.
     
  10. Natey2

    Natey2 Occasional Visitor

    Joined:
    Jun 27, 2018
    Messages:
    24
    Benchmark the DNS servers too. My ISP's DNS was faster than OpenDNS or Google. And they're probably using the data they get for marketing purposes.


    Sent using Tapatalk
     
    RBJ32 likes this.
  11. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,748
    Location:
    texas
    Two of my VLANs extend across my wireless with SSIDs. One SSID for each VLAN. I have 4 or 5 VLANs so some are wired only. I also have 3 wireless APs in my home running off wire. All 3 wireless APs carry the same SSIDs so I can roam around my house.
     
    RBJ32 likes this.
  12. RBJ32

    RBJ32 Occasional Visitor

    Joined:
    Apr 22, 2017
    Messages:
    48
    That's quite a setup. With all 3 APs having the same SSID it makes it convenient, but yet still being sent through any pertinent VLAN switch down the wire. On a setup like that does the wifi AP have to be VLAN capable (?) otherwise I'm kinda wondering how the PVID tag works when connecting via an SSID. Possibly is it the MAC of the connecting device that's actually tagged on the PVID, so if that's the case it matters not whether it connects by wifi or wire so long as it gets to the VLAN switch on the way (?).

    (edit add -> Also do you have any problem with the 3 APs trampling over each other's signals?)

    Any input you can give me would be appreciated.
     
  13. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,748
    Location:
    texas
    The APs are VLAN aware. They are Cisco WAP371 APs. I don't have problems with APs trampling over each other as I turned off 2.4GHz. I think 2.4 GHz is the center of most problems. Plus 5GHz is faster. In the main rooms where we reside you get as high as an 880 connection speed on the wireless. There are a few places where you only get as low as a 330 connection speed. With 5GHz it seems to vary based on distance and walls. My wife likes to sit out on our picnic table in the back yard and FaceTime with her friends. Sometimes she walks to the front of our house where the kitchen is and mixes a drink and then out back to the picnic table. There is no problem with the call dropping. Her iPad just roams from back to front and back again.
     
    Last edited: Apr 9, 2019
    RBJ32 likes this.
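Added example on the mechanism behind the last few posts (editorial example code, not anything coxhaus or the forum posted): a VLAN-aware AP inserts an 802.1Q tag into each frame according to the SSID the client associated to, and the switch's trunk port reads that VID. The client's MAC address is never "tagged"; an untagged frame only gets a VLAN from the switch port's PVID. The SSID names, VLAN IDs and MAC addresses below are made up for illustration.

```python
# Added example, not from the thread: 802.1Q tagging as done by a VLAN-aware
# AP, and the PVID logic a switch port applies. Standard library only.
import struct
from typing import Optional

TPID_8021Q = 0x8100

# Constructed per-SSID VLAN mapping (assumed names/IDs, not from any poster).
SSID_TO_VID = {"home": 10, "guest": 20, "iot": 30}

def build_ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, as the client's traffic looks after the AP
    converts it from 802.11."""
    return dst + src + struct.pack("!H", ethertype) + payload

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + 16-bit TCI) after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame: bytes) -> dict:
    """Decode dst, src, optional VLAN tag, real EtherType and payload.
    vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    off = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[off:]}

def ap_forward(ssid: str, frame: bytes) -> bytes:
    """What the AP's wired uplink emits: the tag is chosen by the SSID the
    client associated to, regardless of the client's MAC."""
    return tag_frame(frame, SSID_TO_VID[ssid])

def switch_ingress(frame: bytes, pvid: int, allowed_vids: set) -> Optional[int]:
    """Trunk-port ingress: untagged frames are assigned the port's PVID;
    tagged frames keep their VID if the port allows it, otherwise dropped (None)."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return pvid
    return vid if vid in allowed_vids else None

if __name__ == "__main__":
    # Same client MAC on two SSIDs ends up in two different VLANs.
    client = bytes.fromhex("02aabbccddee")  # locally administered, made up
    frame = build_ethernet_frame(b"\xff" * 6, client, 0x0800, b"\x45" + b"\x00" * 19)
    for ssid in ("home", "guest"):
        print(ssid, parse_frame(ap_forward(ssid, frame)))
```

The point of the demo is that `ap_forward("home", f)` and `ap_forward("guest", f)` carry the same source MAC but different VIDs, so separation comes from the SSID-to-VID mapping plus the switch only allowing those VIDs on the AP's port. A non-VLAN-aware AP would emit untagged frames, and everything from it would land in the switch port's PVID.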
  14. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,860
    Location:
    Canada
    DNS benchmarks for resolution time are useless. If a DNS server takes 20 ms less to resolve an IP it won't be visible to the end user. But if it makes you use a YouTube server at the other end of the country instead of a local one, your video streaming may suffer, and that will be far more visible.
     
    vdemarco and coxhaus like this.
  15. Natey2

    Natey2 Occasional Visitor

    Joined:
    Jun 27, 2018
    Messages:
    24
    I've seen a significant number of hits per day when I used OpenDNS. One would think they would be cached somewhere after the first resolution...

    Sent using Tapatalk
     
  16. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,860
    Location:
    Canada
    Correct. If using a router with dnsmasq, it will get cached by the router. Many clients also have their own cache at the OS level. And some applications (like web browsers) ALSO have their own cache.

    Yeah, a bit overkill... But there's definitely some caching in there.
     
  17. Authority

    Authority Regular Contributor

    Joined:
    Jul 9, 2015
    Messages:
    157
    AdGuard DNS blocks ads in the browser and on all devices. Love it.


    Sent from my iPhone using Tapatalk
     
  18. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,748
    Location:
    texas
    Cisco is finding there are bad things happening with DNS. There is nothing you can do to stop a DNS hijack if your DNS goes south. I am now leaning more toward QUAD9. QUAD9 has the most protection you can get for free. I have several bad web pages not resolved. Cisco has a DNS umbrella system but it is for a fee.

    https://blog.talosintelligence.com/2019/04/seaturtle.html
     
  19. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,860
    Location:
    Canada
    The Internet needs to increase its adoption of DNSSEC, as it's one key element in limiting the amount of domain hijackings.
     
  20. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,748
    Location:
    texas
    If the DNS record is changed encryption is not going to help.

    I'm sticking with QUAD9 for now.
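Added example covering two points raised in the thread: the filtering comparison (whether a resolver answers NXDOMAIN or hands back a sinkhole address, posts 5 and 6) and the DNSSEC question (posts 18 to 20). This is editorial example code, not from any poster or from SNBForums. It builds a DNS query with the EDNS0 DO bit set, parses the reply, reads the RCODE and the AD flag a validating resolver sets, and classifies the answer. The sample replies are constructed so the file runs offline; `query()` is the part that actually talks to a resolver, and `192.0.2.1` is a documentation address, not a real host.

```python
# Added example, not code from the thread: query a resolver, classify what it
# did with the name (resolved / NXDOMAIN / sinkhole), and read the DNSSEC AD
# flag. Standard library only; sample replies below are constructed.
import secrets
import socket
import struct

def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard query (RD set) plus an OPT RR with the DO bit, so a validating
    resolver returns DNSSEC data and sets AD when validation succeeded."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, UDP size 1232, ext-rcode/version 0 + DO (0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_reply(msg: bytes) -> dict:
    """Extract RCODE, the AD flag and any A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    # AD is bit 5 of the flags; it is the resolver's claim, so it is only worth
    # as much as the path between you and that resolver.
    return {"txid": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "answers": answers}

SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

def classify(reply: dict) -> str:
    """Filtering resolvers differ: some answer NXDOMAIN, others return a sinkhole
    or block-page address with RCODE 0, so a filter test must check both. A
    block-page IP can only be spotted by comparing with an unfiltered resolver."""
    if reply["rcode"] == 3:
        return "blocked-nxdomain"
    if reply["rcode"] != 0:
        return "error-rcode-%d" % reply["rcode"]
    if reply["answers"] and all(a in SINKHOLE_ADDRS for a in reply["answers"]):
        return "blocked-sinkhole"
    return "resolved" if reply["answers"] else "no-answer"

def query(resolver: str, name: str, timeout: float = 3.0) -> dict:
    """One UDP query to `resolver` on port 53. Needs network access."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_reply(data)
    if reply["txid"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch: stray or spoofed reply")
    return reply

def make_reply(flags: int, name: str, rdatas: list) -> bytes:
    """Construct a reply; answers point back at the question name (0xC00C)."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rdatas), 0, 0)
    ans = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(r)) + r for r in rdatas)
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1) + ans

# Constructed replies: QR|RD|RA = 0x8180; NXDOMAIN adds RCODE 3; AD adds 0x0020.
SAMPLE_REPLIES = {
    "nxdomain": make_reply(0x8183, "blocked.example", []),
    "sinkhole": make_reply(0x8180, "blocked.example", [socket.inet_aton("0.0.0.0")]),
    "validated": make_reply(0x81A0, "signed.example", [socket.inet_aton("192.0.2.1")]),
    "unvalidated": make_reply(0x8180, "signed.example", [socket.inet_aton("192.0.2.1")]),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REPLIES.items():
        r = parse_reply(raw)
        print("%-12s %-16s AD=%s %s" % (label, classify(r), r["ad"], r["answers"]))
    # Live comparison: query("9.9.9.9", name) versus query("8.8.8.8", name)
```

Pointing `query()` at two or three resolvers for the same name shows whether a given resolver filters it and how it signals the block; `AD=True` means that resolver says it validated the DNSSEC chain, which says nothing about whether the reply reached you intact. Since the example also prints the A record, running it against several resolvers for a CDN-hosted name makes RMerlin's point visible: different resolvers can hand back different server addresses.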