News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • OpenDNS vs ISP DNS Question

    Posted on Nathan Parker Comment on the AskWoody Lounge
    Viewing 9 reply threads
    • Author
      Posts
      • #1874248 Reply
        Nathan Parker
        AskWoody_MVP

        In the past when I managed my own network with Cisco networking gear, I always used OpenDNS for my DNS, and it was generally rock-solid and speedy.

        Now that my ISP cloud-manages my network with Cambium networking gear, they have everything set to their own DNS servers. There haven’t been any major issues with them (although my ISP speeds have been slow in general due to congestion they’re working to alleviate).

        However, I’m wondering if I’d still see slightly better performance, as well as overall better security (since I am not sure how my ISP handles security on their DNS servers) by going back to OpenDNS. My ISP likely won’t flip my router DNS to OpenDNS since they prefer their servers, so I’d have to make the flips at the device level. I know how to do it for Mac and iOS. Has anyone attempted to make DNS changes to devices such as: Apple TV, Fire TV, NAS devices (I have a Drobo), Amazon Echo/Alexa devices, Kindle eReaders (not the tablet but the eInk readers), etc.?

        Also, I’m a little confused on OpenDNS’s chart here: https://www.opendns.com/home-internet-security/. If I wanted to invest in OpenDNS VIP Home or OpenDNS Prosumer, would I use the standard OpenDNS servers or the Family Shield servers in my configurations, and does anyone know if the OpenDNS Prosumer $20/user is per month or per year, and had anyone tried it with iOS devices ? Has anyone signed up for either of these services using an existing Cisco ID, or does it require its own ID, and has anyone tried any of their premium services before?

        Nathan Parker

      • #1874616 Reply
        wavy
        AskWoody Plus

        The pic says it all, or at least mostly. First selection is “change adapter options”

         

        Capture-2

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        • This reply was modified 8 months, 4 weeks ago by wavy.
        Attachments:
        1 user thanked author for this post.
      • #1874734 Reply
        Nathan Parker
        AskWoody_MVP

        Thanks! I’m actually on a Mac, iPhone, and iPad, plus the other devices I’ve mentioned. I know how to change it on a Mac, iPhone, and iPad, but not sure about Apple TV, Fire TV, NAS devices, etc. I’m also curious if it’d actually benefit me to do this.

        Nathan Parker

        • #1874735 Reply
          Bob99
          AskWoody Plus

          As you probably did at work, just change your router’s DNS settings to the numbers you may already be familiar with, 208.67.222.222 and 208.67.220.220, and let your router take it from there!

          As a non-business entity, your use of OpenDNS is completely free, of course. If you want any additional protections or services as those you’ve described, then those  come with a fee as described on their web site.

          As far as the services you describe, you would still use their standard DNS servers, but they would add those services to your connection, and you’d have to sign in to an account to manage those services to your liking.

          I’ve been using OpenDNS (completely for free by just making the change I described above) for about a decade now, ever since I heard about it and made the switch, away from my ISP at the time, Comcast. Comcast never once complained that I wasn’t using their DNS servers, and I’ve always enjoyed very fast connections to any website of my choosing, and have had NO downtime that I can recall at this moment. My current ISP, also a cable company but in a different part of the country, has also never once complained about my not using their DNS servers.

          BTW, as a “backstop”, I have not only changed the DNS settings of my router to OpenDNS, but of all my attached devices as well! That way, they should still use OpenDNS in the event the router’s DNS settings get changed somehow.

          Hope this helps you!

          1 user thanked author for this post.
          • #1874844 Reply
            Nathan Parker
            AskWoody_MVP

            Thanks for the info. In terms of changing to OpenDNS at the router level, that’s actually an issue since my router is cloud-managed from my ISP, and they haven’t provided me with the local admin password to make any changes to the configuration. I can certainly ask them about changing it to OpenDNS, but since they’re a fan of their own DNS servers, my request may go down a black hole.

            So the simplest solution would be to change to OpenDNS at each attached device level (as you did for a backup). Have you ever changed any TV streaming boxes, NAS devices, etc., to OpenDNS or just computers, smartphones, and tablets? I know how to do it on a Mac iOS devices, but I also own an Apple TV, Amazon Fire TV, Drobo NAS, multiple Amazon Echos, a Kindle eReader, a home security system, weather station, network printer, etc., so I wasn’t sure how I’d flip all of those to OpenDNS.

            Sounds good about using the standard DNS servers. Have you used any of the premium services that require a login, or have you just did the DNS flip (the DNS flip is all I’ve done in the past)?

            I too have always used OpenDNS until my ISP took over management of my router (I used it in Georgia when I had DSL and used it here with my current ISP when I managed my own network with Cisco gear), and it was always reliable. I haven’t had any major issues with my ISP’s DNS either, but I have had a few congestion issues with my ISP in general lately, so I wonder if at least taking back control over DNS would give me increased reliability in the event they’re slacking on some infrastructure upgrades. It won’t improve my congestion issue (that’s something they’ll have to do on my connection), but at least they wouldn’t have 100% control over everything (on one hand it has been nice not having to worry about managing my network, but on the other hand, I was generally more on top of network management than they have been overall).

            Nathan Parker

            • #1874846 Reply
              Ascaris
              AskWoody_MVP

              In terms of changing to OpenDNS at the router level, that’s actually an issue since my router is cloud-managed from my ISP, and they haven’t provided me with the local admin password to make any changes to the configuration.

              Wait, what?

              That’s a thing?

              I’ve never heard of an ISP issuing a router and not allowing the customer to access the settings.  It’s… weird.  I certainly wouldn’t tolerate that!  At the very least, you need to be able to change the SSID of the wifi network(s) and the password, assuming it has a WLAN function.

              If there is no other choice, I would supply my own router and daisy-chain it.  I can’t imagine not being able to control the router options!

               

              Group "L" (KDE Neon User Edition 5.18.4).

              1 user thanked author for this post.
              • #1875053 Reply
                mn–
                AskWoody Lounger

                Wait, what?

                That’s a thing?

                I’ve never heard of an ISP issuing a router and not allowing the customer to access the settings.  It’s… weird.  I certainly wouldn’t tolerate that!

                Not at all uncommon over here for certain kinds of connectivity, for business. But those usually don’t do NAT… or look like they don’t.

                This is typical if you buy redundant connectivity, as in multi-link with a single outside address.

                In that situation, the multi-link part may be implemented using any of several methods, the ISP is supposed to keep the setup updated so that at least one of the links always stays up even during routing changes, AND your external IP doesn’t drop during a changeover between links.

                (The business then usually has their own router behind that one, and it’s *this* one which does site-to-site VPNs with branch offices and such, and NAT.)

                1 user thanked author for this post.
      • #1874858 Reply
        Paul T
        AskWoody MVP

        Daisy chaining routers introduces double NAT. To get around that you need to set the primary router to use a DMZ, then set the second router internet port as the DMZ and connect your stuff to the second router – and any rubbish you don’t care about can be connected to the primary router for complete isolation.

        cheers, Paul

        1 user thanked author for this post.
        • #1874877 Reply
          Ascaris
          AskWoody_MVP

          Daisy chaining routers introduces double NAT. To get around that you need to set the primary router to use a DMZ,

          That works if you have access to the settings in the WAN-facing router, but in that case, I’d suggest bridging the modem (assuming it is a router/modem combined device like the one my ISP supplied) and letting the customer-supplied router handle DHCP, NAT, etc., if the option exists.  I have my ISP-supplied router/modem set that way, so its router portion is inactive.

          I suggested the inelegant solution of daisy-chaining in the event that I had no choice but to use an ISP-supplied router whose settings I could not change, which I would find intolerable– which is why daisy-chaining would at least be an improvement.

           

          Group "L" (KDE Neon User Edition 5.18.4).

          1 user thanked author for this post.
        • #1874886 Reply
          Paul T
          AskWoody MVP

          Bridging doesn’t allow you to control the DNS settings for clients, so it’s only of use to add wifi to a router that doesn’t have it, or to extend wifi.

          cheers, Paul

          1 user thanked author for this post.
          • #1874895 Reply
            Ascaris
            AskWoody_MVP

            I think you’re thinking of another kind of bridging.  Router/modems also have a mode called bridged mode that turns off the router functionality and allows the router/modem to function as a modem.  It does no DNS or NAT in that mode… that’s all done by the router or client, as it would be with a standalone modem.

            Group "L" (KDE Neon User Edition 5.18.4).

            1 user thanked author for this post.
      • #1875006 Reply
        Nathan Parker
        AskWoody_MVP

        Thanks everyone for the comments. Here’s some additional info…

        1. Indeed it is a thing. They installed the new equipment, but didn’t give me an admin password to check on anything since network cloud management is included in my ISP plan, and they told me to call/email in when I needed changes made, and they’d handle them all (which on one hand has the potential to be luxurious, but sometimes my email tickets go unanswered for a length of time which is problematic).
        2. My current setup is a point-to-point WISP (it’s the only somewhat reliable connection, even though lately the congestion has brought my connection to its knees, even though I live in the middle of a city, our infrastructure here is the worst I’ve seen in broadband. Instead of a modem I have a Cambium Networks antenna on the roof which hits a tower to provide the connection. Then I have a Cambium Networks router in my office which handles DHCP and the router. I have my own Cisco switch for extra ethernet ports. For Wi-Fi, there isn’t a router on the market that if installed in my office on one end of my home will cover my entire home (I tried ASUS AC1900, Cisco WAP, even mesh networking with the Linksys Velop so I could extend the range, still it was unreliable). So my ISP installed a Cambium Networks WAP in my ceiling that they also cloud-manage included in my plan.
        3. Any other router I’d install would introduce issues, as my ISP’s router also handles my phone’s VOIP ATA, plus I need a clean NAT for my work to access my weather station and HD weather camera remotely (since we have TV stations remote into them). Plus any Wi-Fi router isn’t going to give me the coverage of the WAP in my ceiling.

        So my solutions would likely be as follows:

        1. If I decide I’d want to take back control of DNS, I could ask my ISP to flip to OpenDNS and see if they’ll do it.
        2. I could ask my ISP to give me an admin password to my router and WAP so I can make management changes myself, then only bring them in for larger tasks.
        3. If 1-2 fails, I’d either then manually switch my devices to OpenDNS at the device level or just keep running with their DNS servers and still rely on them for any network management until situations change where I’d be in a position to take back over my own network management again (my router needed a firmware update recently, and my ISP forgot to apply the firmware update to the router, so my confidence in their management skills is starting to decrease).

        Nathan Parker

        • #1875075 Reply
          Ascaris
          AskWoody_MVP

          Indeed it is a thing. They installed the new equipment, but didn’t give me an admin password to check on anything since network cloud management is included in my ISP plan, and they told me to call/email in when I needed changes made, and they’d handle them all (which on one hand has the potential to be luxurious, but sometimes my email tickets go unanswered for a length of time which is problematic)

          They may have presumed that you didn’t want the burden of handling that stuff yourself, and acting under the belief that having them administer your network is a service they are providing for you, not that they are exercising authority over you.  I’d hope that they will tell you the login credentials if you asked.

          As I see it, my LAN is separate and distinct from the internet.  It’s a network of my computers in my house for my benefit, and it would be so even without internet access.  As such, it is beyond the scope (and the reach) of an internet service provider.  Everything outside the house is theirs, but the LAN is inside my house, which is my domain (no pun intended).  They have no more business managing my LAN than they do decorating my living room or selecting what I have for dinner.  All I really need from the ISP is to provide internet access to the LAN that was already here.

          If I were to come into possession of a router that was better than my existing one, I might be willing to rebuild my network around it.  Otherwise, I already have a router and a network, and if all I need is to add internet access, that’s all I’ll do.

          Group "L" (KDE Neon User Edition 5.18.4).

          1 user thanked author for this post.
      • #1875007 Reply
        Nathan Parker
        AskWoody_MVP

        By the way, I did also hear from Cisco OpenDNS on some of my questions. Here’s their answers:

        1. OpenDNS Prosumer is $20/year, so same billing as OpenDNS Home VIP.
        2. Prosumer only protects Macs and PC’s, so since I use all desktops at the moment (except for my super-old PowerBook G4 for hobbyist stuff), no sense in the extra cost for Prosumer. I’d either stick with free or Home VIP if I wanted those perks.
        3. Cisco accounts and OpenDNS accounts are under separate ID’s.
        4. Standard DNS is best way to go since Family Shield has pre-configured settings which can’t be changed.

        Nathan Parker

      • #1875318 Reply
        Nathan Parker
        AskWoody_MVP

        They may have presumed that you didn’t want the burden of handling that stuff yourself, and acting under the belief that having them administer your network is a service they are providing for you, not that they are exercising authority over you.  I’d hope that they will tell you the login credentials if you asked. As I see it, my LAN is separate and distinct from the internet.  It’s a network of my computers in my house for my benefit, and it would be so even without internet access.  As such, it is beyond the scope (and the reach) of an internet service provider.  Everything outside the house is theirs, but the LAN is inside my house, which is my domain (no pun intended).

        I’ll definitely ask, and good info. They might offer this service included in their plans for those without a lot of network management education, to ensure customers will have their issues resolved no matter what (some customers likely didn’t know the difference between WAN and LAN and kept bugging support for issues they didn’t have the ability to resolve, so now that their routers have cloud-management LAN capabilities, they threw it into the plans). For geeks like us, we’re used to managing our own stuff (I’ve worked with more complex gear than this).

        That is also how I see the LAN as well. It’s “my” network, versus the Internet is the “ISP’s” network. Some of their customers may not know the difference hence the extra service offering, but those of us who have been around tech long enough get it.

        Nathan Parker

      • #1895619 Reply
        Nathan Parker
        AskWoody_MVP

        There’s been a few issues with congestion with my ISP, so I haven’t had a chance to take this further. It may finally be ironing out. Once it does, I’ll see if I can get a router login from them.

        Nathan Parker

      • #2141397 Reply
        Nathan Parker
        AskWoody_MVP

        Update on all of this…

        I’ve finally had it with relying on my ISP in terms of LAN management. I’m taking back over management of my LAN around March when I have a free afternoon to transition out my equipment.

        I will be swapping out their router (a Cambium Networks router) for my Cisco RV345 that I’ve been using as a 16 port switch. I’ll jack a paperclip in the back of the Cisco, factory reset it (since I disabled the router features a while back), and use that as my router. That’ll put me back in control of my LAN. I still have an active service contract on it, so I can still get support from Cisco as well if need be.

        For VOIP, I was using the ATA built into my ISP’s router connected to an analog phone. I’m replacing it with a Cisco SPA122 ATA that I have, and I’ll have my VOIP provider ensure it’s provisioned correctly. The only issue I’ve had in the past is when I’ve plugged the SPA122 ATA into the RV345, the router firewall caused the ATA to drop the connection and drop any active VOIP call after about 20 minutes, so I’d need to see how to resolve that.

        Cisco is also working with me to recommend a WAP I can install to replace the Cambium Networks e410 my ISP installed, allowing me to be 100% on Cisco gear after the transition.

        I signed up for a free OpenDNS account, and I was going to signup for OpenDNS VIP Home, but I may not need it and may need to close out my consumer OpenDNS account. It seems I can get the business version of Cisco Umbrella for my RV345 instead with this Cisco Product ID: UMB-BRAN-RV. It’s about half the cost of VIP Home from my Cisco dealer.

        To provide me with a little more reliable DNS at the moment, I’ve moved the DNS servers to as many devices on my network to 208.67.222.222 and 208.67.220.220 (since my ISP’s DNS servers have been flakey). After I make the DNS change at the router level when I move to the RV345 (since my ISP never did make the DNS change I requested, nor would they hand me a login to my router with them), I’m not sure if I need to go back and remove the DNS changes at the device level, or since the DNS servers numbers will be the same, if everything will just sync up.

        Since my ISP has also been somewhat unreliable lately (and there are no other reliable options until 5G comes along), and since the Cisco RV345 has a dual WAN feature that can support 4G LTE modems, I could stick a Verizon 4G LTE modem in it to use as a backup in the event my connection goes down. It wouldn’t be good enough to run everything for a long time on it, but it’d work for a decent backup.

        So that’s the latest here!

        Nathan Parker

        • #2142127 Reply
          Bob99
          AskWoody Plus

          Just to be thorough, Open DNS has a third IPv4 DNS server address of 208.67.222.220 according to their instructions for Linksys routers. Although it’s listed in the Linksys instructions on OpenDNS’s site, since it’s a generic IPv4 address, it should work in all routers. I have the 222.220 address listed as the third one in my router’s location for DNS servers. By having all three entries filled with entries, it really minimizes the chances of my router using my ISP for DNS resolution.

          So, if you have space for three entries in your Cisco router’s firmware for DNS entries, feel free to fill them all with 208.67.220.220, 208.67.222.222 and 208.67.222.220 instead taking a chance of using your unreliable ISP’s DNS server(s)!

          EDIT: I just found an article that gives yet a fourth entry for OpenDNS, 208.67.220.222! It’s listed in an article for generic Linksys router configuration, saying that

          If you need to add a third and fourth entry, please use the following:

          • 208.67.222.220
          • 208.67.220.222

          I added the bolding to the words third and fourth in the above quote.

          BTW, while looking into this, I stumbled across the fact that OpenDNS has instructions for how to use them for DoH, or DNS over HTTPS. But, that’s a subject for another post in another location. 🙂

          • This reply was modified 1 month, 2 weeks ago by Bob99. Reason: Added another DNS entry
          1 user thanked author for this post.
          • #2145791 Reply
            Nathan Parker
            AskWoody_MVP

            Thanks for the info. I believe on my Cisco it just has the space for two, but it’s been a while since I’ve been in the firmware, and I’ll need to update the firmware anyway, so I can check.

            Mine has the ability to connect Cisco Umbrella to it as well, so I can get a few fancier features with my DNS setup. My Cisco Partner has a version of Umbrella for $10/year, half of the $20/year for OpenDNS VIP Home, so I may take it for a spin.

            Nathan Parker

      • #2141459 Reply
        Paul T
        AskWoody MVP

        I’m not sure if I need to go back and remove the DNS changes at the device level, or since the DNS servers numbers will be the same, if everything will just sync up.

        Setting the DNS servers on the router or direct makes no difference to the the machines, but moving it back to the router will result in less DNS traffic externally. The router will cache DNS requests from all machines and will respond to new requests from its cache instead of the individual machine having to query the DNS itself.

        cheers, Paul

        1 user thanked author for this post.
    Viewing 9 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: OpenDNS vs ISP DNS Question

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.