• Patch Lady – DNS anyone?

    Home » Forums » Newsletter and Homepage topics » Patch Lady – DNS anyone?


    For anyone remember my benchmark things to do on a Windows system that I used to do (hey I need to do that over here don’t I?) I was (and still am) a
    [See the full post at: Patch Lady – DNS anyone?]

    Susan Bradley Patch Lady

    9 users thanked author for this post.
    Viewing 22 reply threads
    • #180830

      Here are two useful articles on DNS, one by Tim Fisher over at Lifewire: https://www.lifewire.com/free-and-public-dns-servers-2626062 (updated 2018.04.02) and one from How-To Geek, which also discusses Steve Gibson’s free tool DNS Benchmark: https://www.howtogeek.com/342330/how-to-choose-the-best-and-fastest-alternative-dns-server/ (updated 2018.02.19).  (I’ve been using OpenDNS since 2005; they were bought by Cisco in 2015.)

      6 users thanked author for this post.
    • #180852

      There have been a large number of articles published on in the last 2 or 3 days. This is a helpful one from zdnet.com:

     How to use Cloudflare’s DNS service to speed up and secure your internet
      Cloudflare’s new Domain Name System promises to both speed up your internet access and protect your privacy.

      By Steven J. Vaughan-Nichols | April 2, 2018

      3 users thanked author for this post.
    • #180851

      I personally could not AGREE more.

      I personally favor opennic (non 5 eyes location prefered) and change it around every week or so.

      A little trick and FREE that goes a long way in securing your PC and online fingerprint. This is active self-protection, as oppose to passively sheepishly rely and trsut their ‘pathching’ and oppppsssss… ‘we’ll get to the fix of the fix… later.’ yeah and that one way back we promised in 2015…. life goes on hey??? 🙂

      After all MS promise us a grp W so very soon right??? 😉

      Good to learn a few more self-help self-protection clean online and offline computing habits, like the old days 🙂

      anyway just 2c

      back to fishing for better dreams

    • #180861

      Further details can be found at labs.apnic.net/?p=1127.

    • #180869

      A quick and easy way to swap between DNS providers is to use Nir Sofer’s QuickSetDNS. The GUI shows you your current and alternate settings, allowing you to switch in the blink of an eye:


      Hope this helps…


      6 users thanked author for this post.
    • #180868 is worth the try
      “CloudFlare was the fastest DNS for 72% of all the locations. It had an amazing low average of 4.98 ms across the globe”
      From the east, its about 6-7ms avg – pretty good 🙂
      though dnsleaktest.com was unable to pick up the DNS test after a few minute (and I gave up)
      Still as per APNIC,
      ‘This joint project has an initial period of five years and may be renewed’
      5 years worth of free fast dns 🙂

      p/s Thanks Susan – thuoght I am not keen on the patching-business you nevertheless have my respect here
      I wonder if there be a day, in our life itme, when we all will have our own personal quantum computer 😀 😛
      back to fishing for better dreams

    • #180882 does not work in my region, does

      3 users thanked author for this post.
    • #180889

      I found Steve Gibson’s DNS Benchmark very useful over the years (as with a lot of his other utilities on offer)


      I also check Lifewire every so often, as it’s updated every week or so to reflect options.


      EDIT: Additional Info for Firefox and derivatives:

      Within your about:config, check and edit if rquired depending on FF version the following if applicable:

      network.proxy.socks_remote_dns set to TRUE

      Discription of action:

      When using SOCKS have the proxy server do the DNS lookup – potential dns leak issue.


      Keeping IT Lean, Clean and Mean!
      2 users thanked author for this post.
    • #180899

      At the moment, I’m using Simple DNSCrypt to prevent DNS leaks.


    • #180915

      Forget the speed, go for the security. Quad9 – – is the “go to” DNS setting for privacy.

      4 users thanked author for this post.
      • #180918


        Have been using Quad 9 for a few months now and find it excellent albeit not the fastest. I just love their set-up of mitigating malware at DNS level with no logs. The security aspect was a winner for me which is backed by IBM.

        edit: https://www.quad9.net/

        Keeping IT Lean, Clean and Mean!
        3 users thanked author for this post.
        • #189265

          If Quad9 isn’t the fastest from your location, please send a traceroute to support@quad9.net, so the support folks can figure out what the problem is and address it.  There are 180 locations around the world, so either you’re closer to the location of a different recursive resolver than a Quad9 one, which is possible but statistically unlikely, or there’s a BGP peering problem, which can be fixed.  Thanks.

      • #181084

        For years I’ve used OpenDNS rather than my ISP and have been happy with the speed. With recent developments around privacy and leaks (e.g., Equifax, Facebook/Cambridge, yada, yada) I’ve been hardening my privacy systems, so to speak.

        Having discovered that OpenDNS logs queries, I wanted to change servers when not using my VPN. Cloudflare and Quad9 both seem to fill the bill. Using DNS Benchmark and running multiple passes yesterday, I found Cloudflare, Quad9 and OpenDNS to all be nearly equal in speed – often swapping places on different passes.

        Based on online reasearch, it seems Quad9 and Cloudflare both do not keep logs. So, toss of the coin: it’s Cloudflare for the moment.

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

        4 users thanked author for this post.
        • #181930

          Steven S. said:
          Based on online reasearch, it seems Quad9 and Cloudflare both do not keep logs. So, toss of the coin: it’s Cloudflare for the moment.

          Anon #180915 said:
          Quad9 – – is the “go to” DNS setting for privacy.

          Cloudflare & Quad9 aren’t as private as hyped by some media reports. Both of them do keep logs of DNS requests (IP addresses or geographic location, & DNS query data).

          See my other comment (to Steven S.) for details, & 3 examples of truly non-logging DNS servers:

          Quad9 can perhaps be regarded as more private (relatively speaking) than Cloudflare, because it apparently does not share any part of its logs with third parties, whilst Cloudflare shares DNS query data.

          Security-wise, Quad9’s primary DNS server ( supports DNSSEC (which prevents DNS spoofing/ poisoning) for all DNS requests, while Cloudflare’s free DNS servers support “DNSSEC validation when possible” & will “temporarily disabl[e] DNSSEC validation for a specific misconfigured domain“.

          1 user thanked author for this post.
          • #189340

            I’ll plagiarize a Reddit post I wrote on the topic:

            Quad9 does not collect IP addresses, so, depending how what you wrote were interpreted, it might be seen as incorrect.  We don’t have a concept of a “user” to hang any data on. The data we do collect are these:

            For all queries:

            • We add to a tally of the query type, whether it was IPv4 or IPv6, for an A record or an AAAA record, etc., but not what the query was for nor where it was from. So, that’s protocol type, but not payload.
              • We also implicitly know which of our servers we’re tallying on, and we only aggregate those to the city level. So, for instance, we know if a DDoS that’s composed primarily of IPv4 A queries is hitting Frankfurt more than Munich.
            • For the subset of queries which want malware blocking:
              • For the subset of those which match one of the malware-blocked domains
              • We also add to a tally of how many times that blocked domain has been matched. Unlike the more general protocol-type data above, this tally is counted globally, not retained on a per-city level.

            If you see an privacy or security issue with any of that, please say so. None of us could see any issue with any of that, but everyone has different perspectives and insights.

            What the web site says desperately needs to be updated, and we have a workstream to get that done, plugging away. Unfortunately lots of higher priorities, mostly people wanting us to deploy in new locations, turn up crossconnects, or move feature-combinations from beta to production.

            2 users thanked author for this post.
    • #180927

      Running Debian Stretch on my PC, my ISP is Spectrum and I use their email (@charter.net). I get all my email using Thunderbird. If I use a DNS other than the Spectrum default, such as OpenDNS, Thunderbird is much slower connecting to and downloading (and uploading) my emails, 2 or 3 seconds slower! From a speed perspective surfing the web seems to be the same speed for me regardless of which DNS server I use except for email. If I used gmail or some other email service, I would use OpenDNS but for now I will stick with the Spectrum default.

      • #180936

        This was why a few years ago, I switched away from email services provided by ISP’s. I only use it for ISP billing at webmail level, nothing else. On my email client I use various satellite email providers, big names and more obscure.

        The handy thing in the future being that, if I change fibre/ broadband suppliers, it doesn’t affect email settings when switched 😉

        Keeping IT Lean, Clean and Mean!
        • #181253


          All your points are well taken. My issues are that I wont use any Google products, not because some of them are not outstanding, but because of Google’s business practices. So gmail is out of the question. And being a Linux user, I am addicted to FREE applications. So if I could find a free and secure email server that respects my privacy. I would jump on it immediately. Havent found one yet. So I have settled on my ISP’s email service.

    • #180944

      @ Susan Bradley, aka Patch Lady

      If not mistaken, this quote:

      In the settings of the internal modem I have placed the DNS settings I want:

      Shouldn’t *modem* be *router*–or am I reading this wrong?

    • #181023

      Thanks for the great information. Will need to test with my colleages and see the pros/cons with it.

      Willie McClure
      “We are trying to build a gentler, kinder society, and if we all pitch in just a little bit, we are going to get there.” Alex Trebek
    • #181075

      “ does not work in my region”

      It might be your equipment, not your region. used to be non-routable, so certain router vendors used it as an internal assignment.   I’m hearing a lot about Cisco with this issue.

      With my ISP, using depends on the modem/router that the subscriber has.  It works for me and doesn’t work for others.

    • #181090

      At the moment, I’m using Simple DNSCrypt to prevent DNS leaks. https://www.ghacks.net/2018/02/19/encrypt-your-dns-traffic-with-simplednscrypt-for-windows/

      When I enable Simple DNSCrypt 0.5.4 (x64) and check with ipconfig/all
      it reveals 2 entries for DNS Servers:

      and the ipv4 test at dnsleak.com says this:

        <li class=”user_ip”>Your IP: xxxxxxxxxxxxx
        <li class=”ip”>DNS IP:
        <li class=”hostname”>Hostname: us2.evilvibes.com
        <li class=”country”>Country: United States
        <li class=”city”>City: Piscataway

      So have I set it up incorrectly somehow?  Any advice appreciated.

    • #181308

      The Register Article on Cloudflare DNS Service.

      “Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs”

      Cloudflare touts privacy-friendly public DNS service. Hmm, let’s take a closer look at that
      We’ll share query data, but only with these really trustworthy researchers


      3 users thanked author for this post.
    • #181413

      I use Namebench to benchmark DNS servers from my location:


      Download link for Windows version 1.3.1:


      The Windows EXE file doesn’t modify your system.

    • #181483

      As I expected, Cloudflare DNS is EXTREMELY SLOW for us in Hawaii.  According to DNS Benchmark which I have used since its inception there are 10 public DNS servers faster than Cloudflare.  The fastest are, and have always been, LOCAL ones provided by my ISP.  Open DNS and Google are slow also but not as bad as Cloudflare which pings at 62ms indicating it is located on the West Coast.  My ISP’s LOCAL DNS servers ping at 9 to 14ms.

      • #181533

        It’s even slower if their DNS resolvers are within the same data center as the DNS client. Also, it seems they conduct probes (i.e. TCP SYN-ACK) on IP addresses sending DNS queries.

    • #181550

      This is a very interesting thread.

      Please clarify:

      1) Is already and automatically DoH (using https for the connection), or is that something to come in the future, or does it require some special setting in my router or PC?

      2) One of my PCs (WIn 7 Pro 64-bit) already runs Simple DNSCrypt [C:\Program Files (x86)\bitbeans\Simple DNSCrypt\dnscrypt-proxy\dnscrypt-proxy.exe], current version 2.0.8. Is compatible with that, or will they conflict, or will one override the other (and which one will override which one)?

      3) I am getting Verizon FIOS in the next few business days (1Gbps home, in NYC). I will have their ONT and their Quantum router. I think I’ve seen somewhere the instructions how to put as the selected DNS in that router. But please repeat that link if you have it.

      4) If DoH for is already available, do I need to do something in the FIOS Quantum router to make DoH (https) happen? Is there anything else I need to do to have my DNS queries confidential and not trackable by Verizon?

      5)  One of my PCs is still XP Pro SP3, which I keep updated using the POS hack.  If I change my router to for DNS, will the XP machine get blocked because it can’t use whatever is using (including some version of TLS)?



      • #181651

        UPDATE –

        1 – 4)  A ZDNet reporter advises that while has the capability for DoH, my SOHO PCs and router are not yet set up for that, and it would be very difficult today for a non-tech such as myself to set up DoH.

        2)  Not sure.

        5)  My XP machine still works even though my router is now set to and its clone


        • #181756

          Regarding my question 2) —

          I have inserted into my router for DNS lookups, but my Win 7 Pro 64-bit machine is also running Simple DNSCrypt 0.5.4 with its latest dnscrypt-proxy service version 2.0.8.  It seems that this new version has a varying list of secure DNS resolver servers built in.

          Now, when I go to http://www.dnsleaketst.com and hit the Extended Test, I get differing DNS resolvers with each test, but none of them is Google.  I have attached an example.

          However, if I turn off Simple DNSCrypt (but still have in my router), the ONLY result is a single line:

 — Hostname none — ISP Cloudflare — Country United States.

          I’m not a tech, but it seems that both are working.  I like!

    • #181742

      I’ve tested in Ireland and any Office 365 autodiscover requests are being routed via autodiscover-ca-nameast.outlook.com (looks like eastern US or Canada by the name) with a ~100ms ping time. My ISP’s DNS uses Dublin and Google DNS uses Amsterdam. So I can’t see this being usable here.

    • #181889

      These new DNS options are interesting.

      The new DNS service offered at by Cloudflare and APNIC is fast, and private in the sense that they do not log the user’s DNS queries, but it does not block anything.

      The new DNS service offered at by IBM and Packet Clearing House, is slower than Cloudflare, and is equally private, but it adds the equivalent of a blacklist of malware sites that are identified by a consortium of cybersecurity companies.

      So there is a tradeoff of speed vs. security – is this correct?

      Thank you.

      Edit to remove HTML: Please use the ‘text’ tab in the post entry box when you copy/paste.

      • #181923

        So there is a tradeoff of speed vs. security – is this correct?

        Not necessarily; please see this article from The Register (2018.04.03)  — https://www.theregister.co.uk/2018/04/03/cloudflare_dns_privacy/.

        1 user thanked author for this post.
      • #181960

        alphacharlie said:
        The new DNS service offered at by Cloudflare and APNIC is fast, and private in the sense that they do not log the user’s DNS queries, but it does not block anything.

        The new DNS service offered at by IBM and Packet Clearing House, is slower than Cloudflare, and is equally private, but it adds the equivalent of a blacklist of malware sites that are identified by a consortium of cybersecurity companies.

        So there is a tradeoff of speed vs. security – is this correct?

        1) Neither Cloudflare’s nor Quad9’s DNS servers are truly private. Pls see my other comment for more info:

        2) Quad9’s “secure” DNS servers & filter DNS requests against a security blocklist of known malware sites, as well as support DNSSEC to prevent DNS spoofing.

        On the other hand, Quad9’s alternate “non-secure” DNS servers & do not use any malware blocklist or DNSSEC validation, but they support EDNS Client-Subnet (ECS) which helps to route you to a closer server — which might be faster.

        Note: Quad9 indicates that it is not advisable to mix & match secure vs. non-secure servers for your DNS server configuration.

        3) Depending on one’s geographic location, Cloudflare’s DNS servers might not be faster than Quad9, or even fast at all. In my case, Cloudflare ranks below my ISP’s DNS servers, Google DNS, OpenDNS, & Verio / NTT — in that order. Using Cloudflare DNS, there is a noticeable lag of 2-3 secs to resolve each URL domain.

        2 users thanked author for this post.
    • #182203


      Hold on.  I’m in NYC, but when I put in my router, it sends the DNS query to a cloudflare server in Boston –  (I can see the IP by going to https://www.dnsleaktest.com , and then I can see the location by inerting that IP in https://community.spiceworks.com/tools/ip-lookup/ .)

      It’s Boston, not NYC.


      How is that fast?

      Doesn’t cloudflare have a closer server?


      • #182252

        What I wrote above is also true using ping or tracert:

        In NYC, my pings to or are 15 – 17 ms,
        but my pings to or or OpenDNS at are all faster at 10 – 12 ms.

        And I’m seeing the same thing using tracert.

        I already know that or are going to a cloudflare server in Boston, but I’m in NYC.

        So how is this faster?

    • #195043

      4 users thanked author for this post.
      • #195996

        Cloudflare Gets Transparent on DNS Resolver Outage
        by Tara Seals | June 4, 2018

        In a testament to transparency, Cloudflare has explained a 17-minute outage on its resolver service last week: It was a glitch in its own systems, not a cyber-incident.

        The service is a Domain Name System (DNS) resolver that matches up URLs (say, “cloudflare.com”) with their corresponding numerical IP addresses.

        Cloudflare saw a global outage last Thursday, May 31, thanks to a coding oversight in its Gatebot DDoS mitigation pipeline.

        What the coders failed to account for was that Gatebot’s hardcoded list of Cloudflare addresses contained a manual exception for the and recursive DNS resolver IP ranges.

        It’s a cautionary tale for those coding the complex algorithms that go into automated mitigation…

        Read the full article here

        1 user thanked author for this post.
      • #196021

        For those like myself left pondering the meaning of this abbreviation BGP, it is short for Border Gateway Protocol.

        1 user thanked author for this post.
    Viewing 22 reply threads
    Reply To: Patch Lady – DNS anyone?

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: