• OpenDNS vs ISP DNS Question

    #1874248

    In the past when I managed my own network with Cisco networking gear, I always used OpenDNS for my DNS, and it was generally rock-solid and speedy.

    Now that my ISP cloud-manages my network with Cambium networking gear, they have everything set to their own DNS servers. There haven’t been any major issues with them (although my ISP speeds have been slow in general due to congestion they’re working to alleviate).

    However, I’m wondering if I’d still see slightly better performance, as well as overall better security (since I am not sure how my ISP handles security on their DNS servers) by going back to OpenDNS. My ISP likely won’t flip my router DNS to OpenDNS since they prefer their servers, so I’d have to make the flips at the device level. I know how to do it for Mac and iOS. Has anyone attempted to make DNS changes to devices such as: Apple TV, Fire TV, NAS devices (I have a Drobo), Amazon Echo/Alexa devices, Kindle eReaders (not the tablet but the eInk readers), etc.?

    Also, I’m a little confused on OpenDNS’s chart here: https://www.opendns.com/home-internet-security/. If I wanted to invest in OpenDNS VIP Home or OpenDNS Prosumer, would I use the standard OpenDNS servers or the Family Shield servers in my configurations, and does anyone know if the OpenDNS Prosumer $20/user is per month or per year, and has anyone tried it with iOS devices? Has anyone signed up for either of these services using an existing Cisco ID, or does it require its own ID, and has anyone tried any of their premium services before?

    Nathan Parker

    • #1874616

      The pic says it all, or at least mostly. First selection is “change adapter options”

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • This reply was modified 5 years, 9 months ago by wavy.
    • #1874734

      Thanks! I’m actually on a Mac, iPhone, and iPad, plus the other devices I’ve mentioned. I know how to change it on a Mac, iPhone, and iPad, but not sure about Apple TV, Fire TV, NAS devices, etc. I’m also curious if it’d actually benefit me to do this.

      Nathan Parker

      • #1874735

        As you probably did at work, just change your router’s DNS settings to the numbers you may already be familiar with, 208.67.222.222 and 208.67.220.220, and let your router take it from there!

        As a non-business entity, your use of OpenDNS is completely free, of course. If you want any additional protections or services as those you’ve described, then those come with a fee as described on their web site.

        As far as the services you describe, you would still use their standard DNS servers, but they would add those services to your connection, and you’d have to sign in to an account to manage those services to your liking.

        I’ve been using OpenDNS (completely for free by just making the change I described above) for about a decade now, ever since I heard about it and made the switch, away from my ISP at the time, Comcast. Comcast never once complained that I wasn’t using their DNS servers, and I’ve always enjoyed very fast connections to any website of my choosing, and have had NO downtime that I can recall at this moment. My current ISP, also a cable company but in a different part of the country, has also never once complained about my not using their DNS servers.

        BTW, as a “backstop”, I have not only changed the DNS settings of my router to OpenDNS, but of all my attached devices as well! That way, they should still use OpenDNS in the event the router’s DNS settings get changed somehow.

        Hope this helps you!

        • #1874844

          Thanks for the info. In terms of changing to OpenDNS at the router level, that’s actually an issue since my router is cloud-managed from my ISP, and they haven’t provided me with the local admin password to make any changes to the configuration. I can certainly ask them about changing it to OpenDNS, but since they’re a fan of their own DNS servers, my request may go down a black hole.

          So the simplest solution would be to change to OpenDNS at each attached device level (as you did for a backup). Have you ever changed any TV streaming boxes, NAS devices, etc., to OpenDNS or just computers, smartphones, and tablets? I know how to do it on a Mac and iOS devices, but I also own an Apple TV, Amazon Fire TV, Drobo NAS, multiple Amazon Echos, a Kindle eReader, a home security system, weather station, network printer, etc., so I wasn’t sure how I’d flip all of those to OpenDNS.

          Sounds good about using the standard DNS servers. Have you used any of the premium services that require a login, or have you just done the DNS flip (the DNS flip is all I’ve done in the past)?

          I too have always used OpenDNS until my ISP took over management of my router (I used it in Georgia when I had DSL and used it here with my current ISP when I managed my own network with Cisco gear), and it was always reliable. I haven’t had any major issues with my ISP’s DNS either, but I have had a few congestion issues with my ISP in general lately, so I wonder if at least taking back control over DNS would give me increased reliability in the event they’re slacking on some infrastructure upgrades. It won’t improve my congestion issue (that’s something they’ll have to do on my connection), but at least they wouldn’t have 100% control over everything (on one hand it has been nice not having to worry about managing my network, but on the other hand, I was generally more on top of network management than they have been overall).

          Nathan Parker

          • #1874846

            In terms of changing to OpenDNS at the router level, that’s actually an issue since my router is cloud-managed from my ISP, and they haven’t provided me with the local admin password to make any changes to the configuration.

            Wait, what?

            That’s a thing?

            I’ve never heard of an ISP issuing a router and not allowing the customer to access the settings.  It’s… weird.  I certainly wouldn’t tolerate that!  At the very least, you need to be able to change the SSID of the wifi network(s) and the password, assuming it has a WLAN function.

            If there is no other choice, I would supply my own router and daisy-chain it.  I can’t imagine not being able to control the router options!


            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
            XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
            Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

            • #1875053

              Wait, what?

              That’s a thing?

              I’ve never heard of an ISP issuing a router and not allowing the customer to access the settings.  It’s… weird.  I certainly wouldn’t tolerate that!

              Not at all uncommon over here for certain kinds of connectivity, for business. But those usually don’t do NAT… or look like they don’t.

              This is typical if you buy redundant connectivity, as in multi-link with a single outside address.

              In that situation, the multi-link part may be implemented using any of several methods, the ISP is supposed to keep the setup updated so that at least one of the links always stays up even during routing changes, AND your external IP doesn’t drop during a changeover between links.

              (The business then usually has their own router behind that one, and it’s *this* one which does site-to-site VPNs with branch offices and such, and NAT.)

    • #1874858

      Daisy chaining routers introduces double NAT. To get around that you need to set the primary router to use a DMZ, then set the second router internet port as the DMZ and connect your stuff to the second router – and any rubbish you don’t care about can be connected to the primary router for complete isolation.

      cheers, Paul

      • #1874877

        Daisy chaining routers introduces double NAT. To get around that you need to set the primary router to use a DMZ,

        That works if you have access to the settings in the WAN-facing router, but in that case, I’d suggest bridging the modem (assuming it is a router/modem combined device like the one my ISP supplied) and letting the customer-supplied router handle DHCP, NAT, etc., if the option exists.  I have my ISP-supplied router/modem set that way, so its router portion is inactive.

        I suggested the inelegant solution of daisy-chaining in the event that I had no choice but to use an ISP-supplied router whose settings I could not change, which I would find intolerable, which is why daisy-chaining would at least be an improvement.


        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

      • #1874886

        Bridging doesn’t allow you to control the DNS settings for clients, so it’s only of use to add wifi to a router that doesn’t have it, or to extend wifi.

        cheers, Paul

        • #1874895

          I think you’re thinking of another kind of bridging.  Router/modems also have a mode called bridged mode that turns off the router functionality and allows the router/modem to function as a modem.  It does no DNS or NAT in that mode… that’s all done by the router or client, as it would be with a standalone modem.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #1875006

      Thanks everyone for the comments. Here’s some additional info…

      1. Indeed it is a thing. They installed the new equipment, but didn’t give me an admin password to check on anything since network cloud management is included in my ISP plan, and they told me to call/email in when I needed changes made, and they’d handle them all (which on one hand has the potential to be luxurious, but sometimes my email tickets go unanswered for a length of time which is problematic).
      2. My current setup is a point-to-point WISP (it’s the only somewhat reliable connection, even though lately the congestion has brought my connection to its knees, even though I live in the middle of a city, our infrastructure here is the worst I’ve seen in broadband. Instead of a modem I have a Cambium Networks antenna on the roof which hits a tower to provide the connection. Then I have a Cambium Networks router in my office which handles DHCP and the router. I have my own Cisco switch for extra ethernet ports. For Wi-Fi, there isn’t a router on the market that if installed in my office on one end of my home will cover my entire home (I tried ASUS AC1900, Cisco WAP, even mesh networking with the Linksys Velop so I could extend the range, still it was unreliable). So my ISP installed a Cambium Networks WAP in my ceiling that they also cloud-manage included in my plan.
      3. Any other router I’d install would introduce issues, as my ISP’s router also handles my phone’s VOIP ATA, plus I need a clean NAT for my work to access my weather station and HD weather camera remotely (since we have TV stations remote into them). Plus any Wi-Fi router isn’t going to give me the coverage of the WAP in my ceiling.

      So my solutions would likely be as follows:

      1. If I decide I’d want to take back control of DNS, I could ask my ISP to flip to OpenDNS and see if they’ll do it.
      2. I could ask my ISP to give me an admin password to my router and WAP so I can make management changes myself, then only bring them in for larger tasks.
      3. If 1-2 fails, I’d either then manually switch my devices to OpenDNS at the device level or just keep running with their DNS servers and still rely on them for any network management until situations change where I’d be in a position to take back over my own network management again (my router needed a firmware update recently, and my ISP forgot to apply the firmware update to the router, so my confidence in their management skills is starting to decrease).

      Nathan Parker

      • #1875075

        Indeed it is a thing. They installed the new equipment, but didn’t give me an admin password to check on anything since network cloud management is included in my ISP plan, and they told me to call/email in when I needed changes made, and they’d handle them all (which on one hand has the potential to be luxurious, but sometimes my email tickets go unanswered for a length of time which is problematic)

        They may have presumed that you didn’t want the burden of handling that stuff yourself, and acting under the belief that having them administer your network is a service they are providing for you, not that they are exercising authority over you.  I’d hope that they will tell you the login credentials if you asked.

        As I see it, my LAN is separate and distinct from the internet.  It’s a network of my computers in my house for my benefit, and it would be so even without internet access.  As such, it is beyond the scope (and the reach) of an internet service provider.  Everything outside the house is theirs, but the LAN is inside my house, which is my domain (no pun intended).  They have no more business managing my LAN than they do decorating my living room or selecting what I have for dinner.  All I really need from the ISP is to provide internet access to the LAN that was already here.

        If I were to come into possession of a router that was better than my existing one, I might be willing to rebuild my network around it.  Otherwise, I already have a router and a network, and if all I need is to add internet access, that’s all I’ll do.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #1875007

      By the way, I did also hear from Cisco OpenDNS on some of my questions. Here’s their answers:

      1. OpenDNS Prosumer is $20/year, so same billing as OpenDNS Home VIP.
      2. Prosumer only protects Macs and PCs, so since I use all desktops at the moment (except for my super-old PowerBook G4 for hobbyist stuff), no sense in the extra cost for Prosumer. I’d either stick with free or Home VIP if I wanted those perks.
      3. Cisco accounts and OpenDNS accounts are under separate ID’s.
      4. Standard DNS is best way to go since Family Shield has pre-configured settings which can’t be changed.

      Nathan Parker

    • #1875318

      They may have presumed that you didn’t want the burden of handling that stuff yourself, and acting under the belief that having them administer your network is a service they are providing for you, not that they are exercising authority over you.  I’d hope that they will tell you the login credentials if you asked. As I see it, my LAN is separate and distinct from the internet.  It’s a network of my computers in my house for my benefit, and it would be so even without internet access.  As such, it is beyond the scope (and the reach) of an internet service provider.  Everything outside the house is theirs, but the LAN is inside my house, which is my domain (no pun intended).

      I’ll definitely ask, and good info. They might offer this service included in their plans for those without a lot of network management education, to ensure customers will have their issues resolved no matter what (some customers likely didn’t know the difference between WAN and LAN and kept bugging support for issues they didn’t have the ability to resolve, so now that their routers have cloud-management LAN capabilities, they threw it into the plans). For geeks like us, we’re used to managing our own stuff (I’ve worked with more complex gear than this).

      That is also how I see the LAN as well. It’s “my” network, versus the Internet is the “ISP’s” network. Some of their customers may not know the difference hence the extra service offering, but those of us who have been around tech long enough get it.

      Nathan Parker

    • #1895619

      There’s been a few issues with congestion with my ISP, so I haven’t had a chance to take this further. It may finally be ironing out. Once it does, I’ll see if I can get a router login from them.

      Nathan Parker

    • #2141397

      Update on all of this…

      I’ve finally had it with relying on my ISP in terms of LAN management. I’m taking back over management of my LAN around March when I have a free afternoon to transition out my equipment.

      I will be swapping out their router (a Cambium Networks router) for my Cisco RV345 that I’ve been using as a 16 port switch. I’ll jack a paperclip in the back of the Cisco, factory reset it (since I disabled the router features a while back), and use that as my router. That’ll put me back in control of my LAN. I still have an active service contract on it, so I can still get support from Cisco as well if need be.

      For VOIP, I was using the ATA built into my ISP’s router connected to an analog phone. I’m replacing it with a Cisco SPA122 ATA that I have, and I’ll have my VOIP provider ensure it’s provisioned correctly. The only issue I’ve had in the past is when I’ve plugged the SPA122 ATA into the RV345, the router firewall caused the ATA to drop the connection and drop any active VOIP call after about 20 minutes, so I’d need to see how to resolve that.

      Cisco is also working with me to recommend a WAP I can install to replace the Cambium Networks e410 my ISP installed, allowing me to be 100% on Cisco gear after the transition.

      I signed up for a free OpenDNS account, and I was going to sign up for OpenDNS VIP Home, but I may not need it and may need to close out my consumer OpenDNS account. It seems I can get the business version of Cisco Umbrella for my RV345 instead with this Cisco Product ID: UMB-BRAN-RV. It’s about half the cost of VIP Home from my Cisco dealer.

      To provide me with a little more reliable DNS at the moment, I’ve moved the DNS servers on as many devices on my network as I can to 208.67.222.222 and 208.67.220.220 (since my ISP’s DNS servers have been flaky). After I make the DNS change at the router level when I move to the RV345 (since my ISP never did make the DNS change I requested, nor would they hand me a login to my router with them), I’m not sure if I need to go back and remove the DNS changes at the device level, or since the DNS server numbers will be the same, if everything will just sync up.

      Since my ISP has also been somewhat unreliable lately (and there are no other reliable options until 5G comes along), and since the Cisco RV345 has a dual WAN feature that can support 4G LTE modems, I could stick a Verizon 4G LTE modem in it to use as a backup in the event my connection goes down. It wouldn’t be good enough to run everything for a long time on it, but it’d work for a decent backup.

      So that’s the latest here!

      Nathan Parker

      • #2142127

        Just to be thorough, OpenDNS has a third IPv4 DNS server address of 208.67.222.220 according to their instructions for Linksys routers. Although it’s listed in the Linksys instructions on OpenDNS’s site, since it’s a generic IPv4 address, it should work in all routers. I have the 222.220 address listed as the third one in my router’s location for DNS servers. By having all three slots filled with entries, it really minimizes the chances of my router using my ISP for DNS resolution.

        So, if you have space for three entries in your Cisco router’s firmware for DNS entries, feel free to fill them all with 208.67.220.220, 208.67.222.222 and 208.67.222.220 instead of taking a chance of using your unreliable ISP’s DNS server(s)!

        EDIT: I just found an article that gives yet a fourth entry for OpenDNS, 208.67.220.222! It’s listed in an article for generic Linksys router configuration, saying that

        If you need to add a third and fourth entry, please use the following:

        • 208.67.222.220
        • 208.67.220.222

        I added the bolding to the words third and fourth in the above quote.

        BTW, while looking into this, I stumbled across the fact that OpenDNS has instructions for how to use them for DoH, or DNS over HTTPS. But, that’s a subject for another post in another location. 🙂

        • This reply was modified 5 years, 2 months ago by Bob99. Reason: Added another DNS entry
        • #2145791

          Thanks for the info. I believe on my Cisco it just has the space for two, but it’s been a while since I’ve been in the firmware, and I’ll need to update the firmware anyway, so I can check.

          Mine has the ability to connect Cisco Umbrella to it as well, so I can get a few fancier features with my DNS setup. My Cisco Partner has a version of Umbrella for $10/year, half of the $20/year for OpenDNS VIP Home, so I may take it for a spin.

          Nathan Parker

    • #2141459

      I’m not sure if I need to go back and remove the DNS changes at the device level, or since the DNS servers numbers will be the same, if everything will just sync up.

      Setting the DNS servers on the router or directly makes no difference to the machines, but moving it back to the router will result in less DNS traffic externally. The router will cache DNS requests from all machines and will respond to new requests from its cache instead of the individual machine having to query the DNS itself.

      cheers, Paul

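      The caching effect Paul describes can be shown with a small model. This is an added example, not code from the thread: a tiny TTL-honouring cache stands in for the router, a counter stands in for the external resolver, and the names, addresses and TTLs are constructed (documentation-range addresses). The function compares external query counts when every device resolves on its own versus when all of them forward through one shared router cache.

```python
"""Model of why resolving through the router reduces external DNS traffic.

Added example, not code from the thread. A small caching forwarder honours
the TTL of each answer; several devices behind it asking for the same names
cause one upstream query per name per TTL window, instead of one per device.
Names, addresses and TTLs below are constructed (documentation ranges).
"""

# Constructed upstream data: name -> (address, ttl_seconds)
UPSTREAM_ZONE = {
    "app.example.": ("198.51.100.10", 300),
    "cdn.example.": ("203.0.113.7", 60),
}


class Upstream:
    """Stand-in for the external resolver; counts every query it receives."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def resolve(self, name):
        self.queries += 1
        return self.zone[name]


class CachingResolver:
    """Caches answers until their TTL expires, then re-asks upstream."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}  # name -> (address, expires_at)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]  # cache hit: no external traffic
        address, ttl = self.upstream.resolve(name)
        self.cache[name] = (address, now + ttl)
        return address


def upstream_queries(device_count, names, times, shared_router_cache):
    """Count external DNS queries for a set of devices over time.

    shared_router_cache=True: every device forwards to one router cache.
    shared_router_cache=False: each device keeps its own cache and queries
    the external resolver directly, as when DNS is set per device.
    """
    upstream = Upstream(UPSTREAM_ZONE)
    if shared_router_cache:
        router = CachingResolver(upstream)
        resolvers = [router] * device_count
    else:
        resolvers = [CachingResolver(upstream) for _ in range(device_count)]
    for now in times:
        for resolver in resolvers:
            for name in names:
                resolver.resolve(name, now)
    return upstream.queries


if __name__ == "__main__":
    names = ["app.example.", "cdn.example."]
    times = [0, 30, 120, 400]  # seconds at which every device looks up both names
    for shared in (False, True):
        count = upstream_queries(4, names, times, shared)
        print(f"shared router cache={shared}: {count} external queries")
```

      With four devices and the two constructed records, the per-device setup sends 20 external queries over the four lookup times, the shared router cache sends 5. The trade-off, already raised earlier in the thread, is that the router's DNS setting then becomes the one setting that decides where every device's lookups go, which is why the per-device "backstop" configuration still has a place.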
    • #2312315

      Setting the DNS servers on the router or direct makes no difference to the the machines

      I need to understand which setting of the two is used when they differ.

    • #2312395

      Side question: If I enable “DNS Crypt” on browsers such as Firefox, will it still route DNS over my own computer/router’s DNS settings, or does it route DNS over something browser-specific?

      Nathan Parker

    • #2312408

      I need to understand which setting of the two is used when they differ.

      The machine will use whatever is in its network settings, automatic via DHCP or manual.
      Use “ipconfig /all” to see what is set.

      If I enable “DNS Crypt”, will it still route DNS over my own computer/router’s DNS settings

      Unlikely. DNScrypt needs a DNS host that supports crypt and most don’t, yet. Firefox uses Cloudflare for DNScrypt.

      Personally, I see no benefit in using DNScrypt as it really only hides lookups, not your browsing. If you want to hide your browsing use a VPN – it won’t be hidden from the VPN provider.

      cheers, Paul

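      Paul's advice to check "ipconfig /all" answers the "which setting wins" question empirically: the resolver list the OS reports is the one it uses. As an added example (not code from the thread), the script below parses the "DNS Servers" block of "ipconfig /all" text and the nameserver lines of a resolv.conf-style file, then compares what it finds with the OpenDNS addresses quoted in this thread, flagging any stray resolver such as the router's own address handed out by DHCP. The sample outputs are constructed, not captured from a real machine.

```python
"""Verify which DNS servers a device is actually configured to use.

Added example, not from the thread. It parses the 'DNS Servers' block of
'ipconfig /all' output (Windows) and nameserver lines from /etc/resolv.conf
(Linux and many macOS setups) and compares the result with the OpenDNS
addresses named in this thread. Sample outputs below are constructed.
"""
import ipaddress

# OpenDNS resolver addresses quoted in the thread.
OPENDNS_RESOLVERS = {
    "208.67.222.222",
    "208.67.220.220",
    "208.67.222.220",
    "208.67.220.222",
}


def _is_ip(value):
    """True if value is an IPv4/IPv6 literal (a zone id such as %12 is ignored)."""
    try:
        ipaddress.ip_address(value.split("%", 1)[0])
    except ValueError:
        return False
    return True


def parse_ipconfig(text):
    """Return DNS server addresses from 'ipconfig /all' output.

    Windows prints the first server on the 'DNS Servers' line and any further
    servers on indented continuation lines that contain only an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            collecting = True
            value = stripped.partition(":")[2].strip()
            if _is_ip(value):
                servers.append(value)
        elif collecting and _is_ip(stripped):
            servers.append(stripped)
        else:
            collecting = False
    return servers


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and _is_ip(parts[1]):
            servers.append(parts[1])
    return servers


def check_resolvers(servers, expected=OPENDNS_RESOLVERS):
    """Split configured resolvers into expected ones and strays.

    A stray (for example the router's own address handed out by DHCP) means
    lookups may still be going to the ISP rather than the intended service.
    """
    strays = [s for s in servers if s not in expected]
    return {
        "expected": [s for s in servers if s in expected],
        "strays": strays,
        "ok": bool(servers) and not strays,
    }


# Constructed sample of a Windows adapter pointed at OpenDNS.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed resolv.conf where DHCP still points at the router (the ISP path).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 192.168.1.1
search lan
"""


if __name__ == "__main__":
    print("windows:", check_resolvers(parse_ipconfig(SAMPLE_IPCONFIG)))
    print("resolv.conf:", check_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
```

      On a live machine, feed it the real output (for instance "ipconfig /all > dns.txt" on Windows, or the contents of /etc/resolv.conf; on macOS "scutil --dns" lists the active resolvers in a different layout and would need its own parser). A manual entry on the device shows up here as the device's own list regardless of what the router hands out, which is the behaviour Paul describes.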
    • #2312482

      First off, any discussion of DNS needs to be very clear if it’s about old unencrypted DNS or the new encrypted DNS. They are drastically different.

      For old DNS, some routers can force all devices connected to them to use the DNS servers the router wants to use, regardless.

      What is DNS crypt? Are you referring to the new encrypted DNS, the DoH and DoT flavors?

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

    • #2312614

      Unlikely. DNScrypt needs a DNS host that supports crypt and most don’t, yet. Firefox uses Cloudflare for DNScrypt.

      Good to know. I’ll make sure it’s disabled. Do you know where in Firefox settings I can check to ensure it’s disabled? My router is behind Cisco Umbrella, so I need to route all traffic through Umbrella/OpenDNS unless I specifically need to route something over a VPN.

      Nathan Parker

    • #2312662

      Gear > General. Scroll to the bottom, Network Settings > Enable DNS over HTTPS.

      Alternatively: about:preferences#general

      cheers, Paul

    • #2312872

      Done. It had been sneakily enabled on my Macs.

      Nathan Parker

    • #2313336

      Found out you can enable Firefox to use Cisco Umbrella/OpenDNS with DNSCrypt if anyone needs it. Instructions here: https://support.umbrella.com/hc/en-us/articles/360043574271-Using-DNS-over-HTTPS-DoH-with-Umbrella

      Nathan Parker
