# Google DNS vs OpenDNS vs ISP DNS



## Capt

I'm sure this question gets asked quite a lot but which one do you guys prefer? Some articles on the web strongly recommend to stick with your ISP's DNS servers while others recommend switching to either Google Public DNS or OpenDNS. I have used Namebench to check which DNS servers are close to me and it tells me that if I switch to OpenDNS, my internet speed will improve by 9.8%. I have also seen a ton of articles that say that Google Public DNS servers and OpenDNS servers constantly go down and it's just better to stick with your ISP's DNS.


----------



## xNovax

I have never had any problems with Google DNS.


----------



## Capt

Quote:


> Originally Posted by *xNovax*
> 
> I have never had any problems with Google DNS.


When you switched to Google DNS, did it feel faster than your ISP'S DNS?


----------



## coachmark2

I switched off of 75.75.75.75 and 75.75.76.76 (Comcast DNS) after they got poisoned and corrupted for the third time in a month.

Typing www.overclock.net dropped me on a REALLY sketchy site that was most definitely not OCN. Switching over to Level3's public DNS (4.2.2.2) solved the problem instantly.

Comcast DNS sucks.

EDIT: Level3 owns the following and operates them as public DNS:

4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6
209.244.0.3
209.244.0.4


----------



## beers

I'd stay away from ISP DNS if at all possible. They generally don't provide the box with enough resources to be either available or reliable.
Quote:


> Originally Posted by *Capt*
> 
> it tells me that if I switch to OpenDNS, my internet speed will improve by 9.8%.


This is a misconception. DNS entries will receive a reply ~9.8% faster, but you won't get any additional bandwidth.


----------



## tompsonn

I get geographically closer IP addresses (which is what you want) when I use my ISP DNS (but I use their business DNS, not the consumer one, the consumer one does not handle NXDOMAIN properly). They are also much quicker than OpenDNS and Google's DNS. But I run local DNS servers and use ISP as forwarders.


----------



## DuckieHo

Quote:


> Originally Posted by *beers*
> 
> This is a misconception. DNS entries will receive a reply ~9.8% faster, but you won't get any additional bandwidth.


This DNS lookup also generally only occurs when you first visit a site... the additional lookups are against a local cache.


----------



## Capt

Switched to Google Public DNS servers and my internet speed dropped quite a bit. Going back to my ISP's DNS for now since it seems to provide the fastest downloading speed.


----------



## tompsonn

Quote:


> Originally Posted by *Capt*
> 
> Switched to Google Public DNS servers and my internet speed dropped quite a bit. Going back to my ISP's DNS for now since it seems to provide the fastest downloading speed.


If you're seeing less bandwidth I'd wager it's because you're getting IP addresses not geographically close to you from Google's public DNS.


----------



## Capt

Quote:


> Originally Posted by *tompsonn*
> 
> If you're seeing less bandwidth I'd wager it's because you're getting IP addresses not geographically close to you from Google's public DNS.


I know but what can you do? Should I use something else besides 8.8.8.8 and 8.8.4.4?


----------



## tompsonn

Quote:


> Originally Posted by *Capt*
> 
> I know but what can you do? Should I use something else besides 8.8.8.8 and 8.8.4.4?


My question is why are you changing this? Is there a problem with your ISP DNS? If not and they handle NXDOMAIN properly... just use them.


----------



## Plan9

I really dislike OpenDNS and my ISP DNS because they inject pages into failed DNS lookups (which really winds me up rotten). I assume Google DNS would do the same since it's an advertising company, but I refuse to use Google DNS simply because I value my privacy.

I'd love to find a decent DNS service which doesn't inject search results into failed lookups _and_ values my privacy; but I fear the chances of that are remote.


----------



## tompsonn

Quote:


> Originally Posted by *Plan9*
> 
> I really dislike OpenDNS and my ISP DNS because they inject pages into failed DNS lookups (which really winds me up rotten). I assume Google DNS would do the same since it's an advertising company, but I refuse to use Google DNS simply because I value my privacy.
> 
> I'd love to find a decent DNS service which doesn't inject search results into failed lookups _and_ values my privacy; but I fear the chances of that are remote.


Google handles NXDOMAIN properly - there's none of that crap for failed lookups. But they are probably snooping on your queries.

The closest you might get is rolling your own server locally and using only the root servers with no forwarders.
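The NXDOMAIN test tompsonn keeps coming back to can be automated. This is an added example, not code from the thread: it builds a raw A query for a random label that cannot exist (example.com as the zone and the constructed offline replies are assumptions) and reports whether the resolver returns a clean NXDOMAIN or substitutes an address.

```python
"""Probe whether a recursive resolver answers NXDOMAIN honestly.

Added example (standard library only), not code from the thread. It sends an
A query for a random label that cannot exist and reports whether the reply is
a clean NXDOMAIN or a substituted address (search-page injection).
"""
import os
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Wire-format DNS query: 12-byte header (RD set), one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg, expected_txid):
    """Extract the RCODE and any A-record addresses from a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        # A reply whose id does not match our query is stray or spoofed: drop it
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(msg, offset) + 4          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        offset = skip_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:               # A record
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def classify(parsed):
    """For a name that cannot exist, only an answerless NXDOMAIN is honest."""
    if parsed["rcode"] == "NXDOMAIN" and not parsed["answers"]:
        return "honest NXDOMAIN"
    if parsed["rcode"] == "NOERROR" and parsed["answers"]:
        return "suspicious: resolver substituted " + ", ".join(parsed["answers"])
    return "other: " + parsed["rcode"]


def random_nonexistent_name(zone="example.com"):
    """Random 12-hex label under a zone assumed to have no wildcard record."""
    return os.urandom(6).hex() + "." + zone


def probe(resolver_ip, zone="example.com", timeout=3.0):
    """Send one live query over UDP/53 and classify the reply."""
    name = random_nonexistent_name(zone)
    txid = struct.unpack("!H", os.urandom(2))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return classify(parse_response(reply, txid))


def build_response(query, rcode, a_record=None):
    """Constructed reply for offline testing: echo the question and optionally
    add one A record whose name is a compression pointer to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode                            # QR, RD, RA set
    answer = b""
    if a_record:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a_record)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if a_record else 0, 0, 0)
    return header + query[12:] + answer


if __name__ == "__main__":
    # e.g. python probe_nxdomain.py 8.8.8.8 208.67.222.222 <your ISP resolver>
    for ip in sys.argv[1:]:
        try:
            print(ip, "->", probe(ip))
        except (socket.timeout, ValueError) as exc:
            print(ip, "->", "no usable reply:", exc)
```

Run it against each resolver you are comparing; a resolver that hands back an address for a random label is rewriting NXDOMAIN, and the transaction-id check drops any reply that does not belong to the query you sent.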


----------



## Plan9

Quote:


> Originally Posted by *tompsonn*
> 
> Google handles NXDOMAIN properly - there's none of that crap for failed lookups. But they are probably snooping on your queries.
> 
> The closest you might get is rolling your own server locally and using only the root servers with no forwarders.


I do have a local DNS running anyway, so this sounds tempting.


----------



## theyummyfood

I switched from my ISP's DNS to Google's 8.8.4.4 and noticed a minor increase in speed, mainly when connecting to a web page for the first time. I would suggest that people use Namebench themselves to see which DNS will be fastest for them. Different factors come into play here so don't go thinking that there is an end-all be-all fastest for everyone.


----------



## Plan9

Changing DNS servers for performance reasons is a bit like the Emperor's New Clothes. Not only do browsers cache domain name lookups, but so does the OS as well, so you'll only see a performance boost once every blue moon.

What's more, the latency differences between different domain name servers are so negligible that you'll spend more time benchmarking and configuring your system than the grand total of time you'll save with your new settings.

Don't get me wrong, I'm not against people switching DNS and there are definitely some benefits in doing so - however switching purely for performance is a wasted effort.


----------



## Capt

Quote:


> Originally Posted by *tompsonn*
> 
> My question is why are you changing this? Is there a problem with your ISP DNS? If not and they handle NXDOMAIN properly... just use them.


Quote:


> Originally Posted by *Plan9*
> 
> Changing DNS servers for performance reasons is a bit like the Emperor's New Clothes. Not only do browsers cache domain name lookups, but so does the OS as well, so you'll only see a performance boost once every blue moon.
> 
> What's more, the latency differences between different domain name servers are so negligible that you'll spend more time benchmarking and configuring your system than the grand total of time you'll save with your new settings.
> 
> Don't get me wrong, I'm not against people switching DNS and there are definitely some benefits in doing so - however switching purely for performance is a wasted effort.


Just tried OpenDNS and that also dropped my internet speed. Sticking with my ISP DNS for now since I seem to be getting the fastest speed.


----------



## DuckieHo

Quote:


> Originally Posted by *Capt*
> 
> Just tried OpenDNS and that also dropped my internet speed. Sticking with my ISP DNS for now since I seem to be getting the fastest speed.


I don't understand why that would happen....

A DNS lookup for a specific URL just needs to occur once. Any DNS lookup should be relatively fast as well.


----------



## anywhere

Quote:


> Originally Posted by *Capt*
> 
> I'm sure this question gets asked quite a lot but which one do you guys prefer?


/etc/resolv.conf

I use all 3. Plus my openbsd router caches past 36hrs. Along with some pf.conf tuning, makes for dependable resolving.

Sent from my rooted HTC Supersonic using Tapatalk 2 Pro


----------



## tompsonn

Quote:


> Originally Posted by *DuckieHo*
> 
> I don't understand why that would happen....
> 
> A DNS lookup for a specific URL just needs to occur once. Any DNS lookup should be relatively fast as well.


I've already explained why it's possible you can actually get less bandwidth when changing a DNS server, but it depends on what servers depend on being geographically close to provide better bandwidth.

For example, with my ISP DNS I get Google servers that are closest to me geographically. With some other DNS provider, I get ones that could be halfway across the world and it is much slower.

Whether or not this is actually happening for the OP and it's not just some placebo thing, well, we can't say until he gives us some numbers and servers he is downloading from.


----------



## DuckieHo

Quote:


> Originally Posted by *tompsonn*
> 
> I've already explained why it's possible you can actually get less bandwidth when changing a DNS server, but it depends on what servers depend on being geographically close to provide better bandwidth.
> 
> For example, with my ISP DNS I get Google servers that are closest to me geographically. With some other DNS provider, I get ones that could be halfway across the world and it is much slower.
> 
> Whether or not this is actually happening for the OP and it's not just some placebo thing, well, we can't say until he gives us some numbers and servers he is downloading from.


I don't understand your case here...... how would a DNS lookup taking longer lower throughput or non-DNS lookup latency?

Higher latency DNS lookups just mean..... slower DNS lookups? Once the IP has been resolved, why would the DNS server matter?

UNLESS.... you are talking about the geographically remote DNS server is resolving to an IP of a site that is more local to it rather than another IP that might be closer to the user.


----------



## tompsonn

Quote:


> Originally Posted by *DuckieHo*
> 
> *UNLESS.... you are talking about the geographically remote DNS server is resolving to an IP of a site that is more local to it rather than another IP that might be closer to the user*.


Uh yes.


----------



## Plan9

But even then, that's still just a latency issue as you're downloading the same content. I don't really understand why a further-away server would use more or less bandwidth.

Sent from phone at 7am so excuse the random formatting. Need caffeine.


----------



## DuckieHo

Quote:


> Originally Posted by *tompsonn*
> 
> Uh yes.


OK... the confusing part was "I've already explained why its possible"..... but where did you already explain this? If you go to all posts prior, you never did.


----------



## Capt

I just did a quick test on speedtest.net with different DNS providers. When I did the test in speedtest.net, I picked the closest server in my area which is the one in Hudson, NY.

*ISP DNS*
DL: ~37 Mbps - UP: ~21 Mbps - Ping 28 ms

*Google DNS*
DL: ~14 Mbps - UP: ~17 Mbps - Ping 34 ms

*OpenDNS*
DL: ~13 Mbps - UP: ~16 Mbps - Ping 33 ms


----------



## Plan9

Quote:


> Originally Posted by *Capt*
> 
> I just did a quick test on speedtest.net with different DNS providers. When I did the test in speedtest.net, I picked the closest server in my area which is the one in Hudson, NY.
> 
> *ISP DNS*
> DL: ~37 Mbps - UP: ~21 Mbps - Ping 28 ms
> 
> *Google DNS*
> DL: ~14 Mbps - UP: ~17 Mbps - Ping 34 ms
> 
> *OpenDNS*
> DL: ~13 Mbps - UP: ~16 Mbps - Ping 33 ms


DNS wouldn't even affect speedtest.net.

I suggest you try doing several speed tests per DNS provider; you'll find they all work out the same.


----------



## aHumanBeing

I have tried my Verizon DNS, Google DNS and OpenDNS. Google had their DNS hijacked recently; a simple "google dns hijacked" as a search will show you what I mean. I saw that happen and went back to OpenDNS for now and have had no issues. Also OpenDNS has most of their servers right down the street from me lol. I've done some DNS benches and OpenDNS shows as the fastest but it really doesn't make much of a difference, it's just name resolving.


----------



## killabytes

THIS is why I no longer use Google's DNS.

OpenDNS all the way.


----------



## DuckieHo

Quote:


> Originally Posted by *killabytes*
> 
> THIS is why I no longer use Google's DNS.
> 
> OpenDNS all the way.


With DNS lookups, I know that most implementations will attempt primary and then secondary if no response.

Is there a way to do any casting instead? Request the lookup from OpenDNS, GoogleDNS, IP DNS, etc simultaneously and just use the first to respond?


----------



## Plan9

Quote:


> Originally Posted by *DuckieHo*
> 
> With DNS lookups, I know that most implementations will attempt primary and then secondary if no response.
> 
> Is there a way to do any casting instead? Request the lookup from OpenDNS, GoogleDNS, IP DNS, etc simultaneously and just use the first to respond?


Not really, no. You could easily write a proxy name server to do this, though you'd obviously be adding latency in doing so which might mitigate the benefits of parallel queries - depending on where the proxy sat (i.e. localhost? server inside the LAN?).

Or if you're feeling brave, you could rewrite the OS DNS resolver (in fact it might be pretty trivial to do this in Linux since you can pick and choose which stacks to use to resolve domain names and the order in which to use them).


----------



## ozlay

I use a DNS benchmark tool https://www.grc.com/dns/benchmark.htm which works pretty well and helped me find a closer DNS server, and my new DNS lowered my ping by 60 ms or so for the game servers I use.


----------



## killabytes

Quote:


> Originally Posted by *ozlay*
> 
> I use a DNS benchmark tool https://www.grc.com/dns/benchmark.htm which works pretty well and helped me find a closer DNS server, and my new DNS lowered my ping by 60 ms or so for the game servers I use.


No it didn't.

DNS is to look up the name of a server. It will not affect your ping.


----------



## ozlay

Quote:


> Originally Posted by *killabytes*
> 
> No it didn't.
> 
> DNS is to look up the name of a server. It will not affect your ping.


Perhaps, but I did get better ping to servers as a side effect, not sure why.


----------



## killabytes

Quote:


> Originally Posted by *ozlay*
> 
> Perhaps, but I did get better ping to servers as a side effect, not sure why.


It's not perhaps. It's fact.

Correlation does not imply causation.


----------



## ozlay

Quote:


> Originally Posted by *killabytes*
> 
> It's not perhaps. It's fact.
> 
> Correlation does not imply causation.


It may be fact, but it's also fact that my ping is better than what it was after switching my DNS. So whatever factored into the change in my ping, I don't know; I can't explain why as I know little on the subject, but I know for a fact my ping is better than what it was. Whatever the reason, the DNS benchmark tool I posted is a pretty interesting tool, so I do recommend others giving it a try if they are looking for a new DNS.


----------



## Mrzev

I am just really confused with some of the results people are getting.

One thing that is possible is that the ISPs prioritize the traffic from their DNS servers over 3rd party. So, when they get a DNS request to a different server, they put it lower on their QoS stack?
Another possibility is the DNS is just further away. If the DNS I am targeting is near my city vs one across the country.

What I do not know is if the DNS translations are region based. I.e., if Comcast has a server in Texas that I use now, that says Netflix is 69.53.236.17, but in California it says 69.53.236.18. Depending on how Netflix coded their stuff, it will either try to find a server based on the region of my IP, or since I hit their .17 server it assumes I must be in that location.

For anyone testing with ping... try their domain name and their IP. DNS is just going to translate Netflix.com to 69.53.236.17, so if you ping 69.53.236.17, it bypasses the DNS server. In reality there should be no difference. The only thing that should alter this is the delay for the initial start time. When doing the IP, it will start pinging right away; with the domain name, it may take a split second longer if it needs to do a DNS request. Also make sure that you're not accidentally pinging with IPv6 because that could easily cause some additional delays (this has happened to me once when pinging Google.com).

With PC, in CMD, type IPCONFIG /displaydns to see what your cache looks like, and /flushdns to clear it. I don't think your gateway would have a cache, but who knows.

EDIT: I'm also willing to bet that people who use a different DNS will get flagged by the ISP and have their traffic monitored more closely. At least that's what I would do if I were them.


----------



## Malebar

One thing we have to remember is how the Internet itself is cobbled together along with how DNS resolution actually works and how CDN (Content Delivery Network) technologies such as Akamai and Amazon cloud massage DNS to force users to a specific edge service hopefully based on their geographic location.

As we all know, the Internet itself is just a collection of loosely connected networks with a few backbone carriers forming the mass of the connectivity between them. General consumer ISPs like Comcast, Windstream, etc. will typically have multiple peer points with major backbone carriers such as Level3, Verizon (VzB), AT&T, Sprint (who owns the old MCI transports). Companies like Google are also getting in on the game with their Google Fiber projects. And Amazon is building its own private backbone in an attempt to maintain control of its own content.

So, in the olden days, a user sitting in Maine trying to get to a Google server in Mountain View would have to bounce around inside his local ISP, reach his ISP's local peer then get forwarded to his ISP's regional data center where it would pick-up a connection to his ISP's ISP. From there he would ride to the regional NAP in New York, NY. and pick up one of the primary east-west backbones - most likely AT&T at this point. His traffic would route across the US to the AT&T's regional NAP in LA where it would then hop off onto Google's local carrier and finally hit the server he wanted.

Today, 70-80% of all traffic is served via a CDN - the majority of which is Akamai, with Amazon catching up quickly. What happens is that a CDN will have an agreement with regional ISPs (with some services they're pushing it even closer to the user) where they establish an Edge network at that carrier. They also have agreements with content providers such as Google, Netflix, etc., and they then push cached content for those content providers to these Edge networks, which is used to feed traffic to the ISP's users.

By massaging the DNS hierarchy the CDN ensures that all users on ISP xxx will be directed to Edge network xxx for content xxx. There are actually 3 or 4 ways these work and the details are complex, but if you're interested here are some good slides that cover a few.

Using my example above, that same guy tries to go to Netflix - which has an agreement with one of the CDNs. The guy's PC does a DNS call to his ISP's DNS servers, which through DNS Black Magic return the IP of the ISP's local Edge network, and the content is served.

Now let's suppose that user changed his DNS to point to Level3's 4.2.2.4 server. His "perceived" download speeds appear slower. I say perceived and appear because DNS does nothing to your actual bandwidth - but it can do a ton for optimization downstream. What has happened is that now when his PC attempts to resolve Netflix he is bypassing his local ISP and sending it to L3. This server may be sitting in Seattle for all we know. If so, then instead of the cached content at his local ISP's Edge network he's now getting cached content from Level3's edge network in Seattle. Also, we have to keep in mind that now his media stream is competing with the traffic of the millions of other users flowing between east and west coasts. And given that most carriers rely on CDNs to serve content locally/regionally, most carriers will classify streaming media lower than other traffic to force users to use local CDN copies.

Now if that same user up and moved to Seattle and kept his DNS pointed to 4.2.2.4 his problems would go away because his geographical proximity to the content he's forcing his PC to pull from has changed. This is why some people have different experiences with stuff like Google DNS and OpenDNS. It's all relative.

I hope this cleared some things up a bit and didn't just make things more confusing. But, I've seen this problem countless times in my consulting gigs and it's a very hard concept for some folks to grasp.


----------



## Curleyyy

Essentially, from what I've previously read, a DNS acts as an index of sorts, like an address book, where Google's address book is bigger. The quicker the lookup, the quicker you're provided with results. To be honest, it's hardly noticeable, however there are a few instances where Google's DNS has "indexed" websites and provided a faster lookup. They've also now moved a DNS server to Australia, so anyone down under should benefit from this. Then again, I've got no idea what I'm talking about.


----------



## Malebar

I would say you're 50/50 right.

DNS is an index of hostnames to IP addresses; but it actually isn't an automated process like one would think of a Google Search index.

Here's a good link to explain how DNS works.

But, it's more of a hierarchical lookup scheme with name registrars acting as the data input. (I.e. when someone registered overclock.net, the company they registered with began advertising data about the server the site lives on to other DNS servers, etc.)

The biggest problem with small local ISPs is that they tend to undersize their DNS servers and have very little security around them - hence they are susceptible to DNS poisoning. Google DNS usually works so well because Google has loads of $$$'s to dump into their infrastructure and has huge bandwidth agreements with almost every major telecom.


----------



## DragonOmnus

Quote:


> Originally Posted by *killabytes*
> 
> THIS is why I no longer use Google's DNS.
> 
> OpenDNS all the way.


Out of curiosity, did you yourself read the entire article you linked? Google wasn't compromised, it was a major internet router for an ISP down in South America. It isn't certain whether it was an external hijacking or an internal misconfiguration, it simply kept people who used Google's DNS from getting a response. So don't blame Google or say it's a problem with Google if you haven't read the entire article.

OpenDNS supports DNSCrypt but not DNSSEC, whereas Google supports DNSSEC but not DNSCrypt. The only DNS provider I'm aware of supporting both is in Australia.
Both Google and OpenDNS participate in the Global Internet Speedup, so no difference there.

Malebar's response in post #37 has some great info about all this, but ultimately it's each person's decision of which one to use.

Do you want your DNS queries encrypted, which would provide security and possibly some privacy? Use OpenDNS with DNSCrypt, but it does require the DNSCrypt software and configuration. Encrypting DNS queries could also create a small amount of latency on DNS queries.

Do you want your DNS query results validated? Use Google with DNSSEC. While this is probably the more important one for me, it is a near-zero percent of websites who validate themselves with DNSSEC, so in many cases this won't provide any real benefit (where DNSCrypt still would). I would imagine, however, most major companies/websites probably are (or will be) authenticating themselves with DNSSEC, so this is still worthwhile.

Personally, I use Google for DNS. However, I've been considering the DNSCrypt and OpenDNS. I might test it to see how it performs. DNSSEC and DNSCrypt both solve different problems. Just have to decide which is more important for you. From what I can tell, DNSCrypt would probably be much more important for people who use public WiFi/internet spots than personal home/business internet connections, especially with major providers.

Oh, about that Namebench tool... I had never found that before so I decided to test it. It is a very small download with minimal configuration, so I had it going within about a minute using its default settings (though I did check "Upload and share your anonymized results"). It has been running for over 1.5 hours now... I wonder how long it will take. And it isn't my hardware (Core i7 w/hyperthreading).


----------



## DragonOmnus

Quote:


> Originally Posted by *killabytes*
> 
> THIS is why I no longer use Google's DNS.
> 
> OpenDNS all the way.


Actually, thank you. You got me to do a bit more investigating, and now I know I won't bother switching to OpenDNS.

My favorite part of this (more than the question) is the first answer, and some of the comments about the author of DNSCrypt. Read on:
http://security.stackexchange.com/questions/45770/if-dnssec-is-so-questionable-why-is-it-ahead-of-dnscurve-in-adoption

Further, ICANN publicly stated DNSCrypt will never be used on the DNS root zones:
http://www.youtube.com/watch?v=eOGezLjlzFU&feature=youtu.be&t=44m55s

Meaning, the answers OpenDNS gives you may be encrypted between you and OpenDNS, but that in no way means OpenDNS gave you the correct answer. As is stated in various comments about DNSCrypt, unless it undergoes massive changes, it will never be fully adopted by major DNS providers or root zones.

THAT is why I use Google's DNS.


----------



## Plan9

I won't touch either service. But each to their own.


----------



## DragonOmnus

Quote:


> Originally Posted by *Plan9*
> 
> I won't touch either service. But each to their own.


Very true, to each their own.

Who do you use?


----------



## Plan9

Quote:


> Originally Posted by *DragonOmnus*
> 
> Very true, to each their own.
> 
> Who do you use?


My own, which has ad networks, trackers and known dodgy domains blacklisted. I then fallback on BT for any recursive lookups. Though I'm thinking of switching recursive fetches to Level 3.


----------



## caenlen

I have never used a third-party DNS before; I just used OpenDNS for the first time ever, and tested it, and it did state OpenDNS was working. Well anyways, I can report that going to websites and such is much faster than it used to be.

Suck it ATT DNS.

edit: wish I had done this years ago


----------



## ozlay

I used a DNS benchmark and found the fastest servers in my area and then tested out a few and found which one i liked best https://www.grc.com/dns/benchmark.htm


----------



## Gew

This thread is quite old, but what's the story today, comparing these two (OP) public DNS services?
I mean, is there any noticeable lookup speed difference, OpenDNS versus Google DNS? Late opinions matter, please.


----------



## beers

Depends on what you're doing. OpenDNS has controls for filtering and can restrict things like known botnet FQDNs and similar, whereas the Google DNS side just provides replies/resolution without any additional features.

Speed wise they are generally comparable and are similarly anycasted out to somewhere vaguely near you.


----------



## retrogamer999

Standard ISP DNS tends to suck big time. I have no end of issues with Virgin Media.

Google DNS is good, don't get me wrong, but most network guys in the world always test "ping 8.8.8.8" first to check network connectivity.

OpenDNS is great; you can get free adult content filters as well.


----------



## the9quad

I find some of the sites I visit take longer on OpenDNS than on google. I just switched back to google last week. More than likely just in my head, but they seem to come up noticeably faster now.


----------



## eduncan911

Sorry all that I missed this thread back years ago...

First, it is not a question... NEVER USE YOUR ISP'S DNS. There are many reasons for this. To recap on a recent few:

*ISPs have been tracking your DNS, the "urls" you type since well before 2001.*

With the recent news about ISPs selling your data, guess where the majority of that data comes from? Your DNS queries (and some cleartext monitoring too). DNS is 100% reliable to track exactly what all websites are being accessed - in your entire household.

Doesn't matter if you are viewing HTTPS or not, the DNS lookup still tells them all they need.

Doesn't matter if you launch that Incognito mode of Chrome and type in that Porn site - your ISP knows you are there, and streamed videos and relays that information to whomever.

*ISPs can take control of your browsing.*

Have Comcrap and over your bandwidth limit? Get ready to "get served" pages that say you are over your limit. They take control over your DNS to change your queries to a server they control to display the message (over HTTPS). Non-HTTPS sites basically get that HTML text injected. (You can strip that too with tools like Privoxy.)

Basically, this is exactly what a Man-in-the-Middle attack is - except, they do it to annoy you that you are over your bandwidth. I currently have a friend going through this this very month!

*ISPs limit what sites, especially international sites, get resolved*

This is a long-time beef of mine with Verizon FiOS, Comcrap and TimeWanker: none of them can resolve my wife's Japanese pages she visits.

I have had to switch to Google DNS or some other non-ISP DNS just to get to international sites in Russia, Japan and many EU countries. It's ridiculous.

*Man-in-the-Middle Attacks - from the Govt*

Now unless you are doing something illegal, this doesn't normally happen. But ISPs easily work with Govt agencies to redirect your DNS to similar servers they control. This requires a warrant and a lot of time. So if you are reading and are concerned about this particular issue, uh...

Just don't visit any sites that say there is a problem with their certificate. Google Chrome does very well at warning you for these sites (the "Click to Proceed" red button).

*Automated Government Requests*

If you visit www.torproject.org, your IP and account is automatically flagged at the NSA for monitoring - starting with ISP dumps of what DNS queries you have performed. (Circa 2014, Snowden leaks). Please visit it, out of spite!

----

*"Ok, so no ISP DNS. What are my options?"*

As mentioned earlier in the thread, the root DNS servers will never have DNScrypt. But, they do support DNSSEC! But, any set of DNS servers you pick are going to be limited to their control of lookups (e.g. Law Enforcement's takeover of domain names, etc).

You can limit your exposure, and anonymize yourself from that control, by using a DNS provider that attempts to be open.

Google DNS is one of those.

OpenDNS is another (now under Cisco).

I still question the safe guards behind these conglomerates as they both have large inner groups that deal explicitly with mass Government requests under warrants (Google did over 100,000+ in 2015 alone, in case you are wondering).

Twitter, Google and Apple, etc all make a play to fight for your rights. But behind the scenes, they get 100s+ a day of automated requests. They fight for basically PR, and comply with most other orders. IOW, "single out the high profile cases, announce it in the press."

Nothing is going to stop the NSA showing up with an NSL saying, "give us all data from this IP address."

In this regard, this is where Google and Microsoft actually shine. Microsoft happens to be the most complicit (think bureaucratic, in a good way, against mass law enforcement requests - must check off all boxes and cross all Ts and dot all Is to be valid). But these two happen to be the most transparent as well. They can't speak to NSLs; but, they can post metadata:

https://www.google.com/transparencyreport/userdatarequests/countries/

https://www.microsoft.com/about/csr/transparencyhub/lerr/

Just remember, OpenDNS is now under Cisco control - and they also deal with mass government requests (think your Cisco Home Router, that now requires it "talk" back to Cisco, is safe? NOPE!). This is why I always use custom firmware on my routers, usually building my own version.

*Ok, so which DNS to use?!?!*

I personally switch back and forth between OpenDNS and Google DNS. Sometimes I use a 3rd party that I pay for with my domains I host. It's really a gambit. In the past, I actually wrote a script on my router that would switch between OpenDNS, Google DNS and a few others on random days of the month for random periods of time. I may still have that script around here somewhere, now that I think about it...

Besides, I use TorBrowser for most of my protesting which alleviates most everything I've said in this post.

*TorBrowser? You mean the illegal Dark Web?*

It is not illegal. Yes, some illicit users do some horrible things on it. But, I view it as an Activist's Tool for reaching audiences otherwise censored by governments far and wide across the world. I run a hidden service, not to "hide from government" but to Prevent Censorship of my free speech.

Want to know how many legit people use Tor? https://www.torproject.org/about/torusers.html.en

*Which is Faster?*

WHO CARES! Read everything from the beginning of this post again. Saving 50ms from one provider to another isn't going to really matter.

*How can I minimize my risk with OpenDNS and Google?*

Enable DNSSEC and set up a DNScrypt provider. I use DNScrypt on my router, so my entire household benefits.

I also use AdBlock.sh on my router, so my entire household benefits (no more "Condom ads" in the kid games on the kiddo's tablet!).

I should really blog about how to do all of this.

----

*You need DNScrypt!*

A few notes on DNSSEC and DNScrypt. They are not mutually exclusive. As a matter of fact, they work great together!

What a lot of people don't realize though is DNSSEC is *not encrypted* nor does it do anything to prevent prying eyes. *Your ISP will still monitor your DNS requests, and will continue to sell your data to advertisers and government agencies*. All DNSSEC does is it guarantees the DNS query hasn't been tampered with. They use a signature to sign each DNS entry, that can be validated on every request.

DNSSEC is sent in cleartext, for anyone to monitor.

This is what DNScrypt fixes. This actually encrypts, like SSL, your DNS queries and keeps it out of your ISP's prying eyes.

Again, I have had both DNSSEC and DNScrypt enabled on my router, for my entire household.

----

*What are the downsides to not using ISP's DNS?*

There is only one: you can't reach your ISP's "special homepage."

But who cares! Well, you might if you are a newbie or someone not familiar with the inner workings of your router, and constantly rely on "The Technician" to come in and install software on your PC/Mac and "set things up" or call into your ISP often trying to ask why you can't go this or that site, or need a configuration change - then they will always tell you to go this or that Homepage URL, that only works on their DNS.

I have turned Technicians away for years. "I don't need your router, I have my own, thank you." Verizon FiOS works best as they can activate the POTS port for my RJ45 for my router. Don't ever route through their router; it just sits in the basement collecting dust. Worst case is I have to call into the ISP when turning on service and give them the MAC of my router.


----------

