Patch Lady – DNS anyone?

    #180823

    For anyone who remembers my benchmark things to do on a Windows system that I used to do (hey, I need to do that over here, don’t I?) I was (and still am) a
    [See the full post at: Patch Lady – DNS anyone?]

    Susan Bradley Patch Lady

    9 users thanked author for this post.
    • #180830

      Here are two useful articles on DNS, one by Tim Fisher over at Lifewire: https://www.lifewire.com/free-and-public-dns-servers-2626062 (updated 2018.04.02) and one from How-To Geek, which also discusses Steve Gibson’s free tool DNS Benchmark: https://www.howtogeek.com/342330/how-to-choose-the-best-and-fastest-alternative-dns-server/ (updated 2018.02.19).  (I’ve been using OpenDNS since 2005; they were bought by Cisco in 2015.)

      6 users thanked author for this post.
    • #180852

      There have been a large number of articles published on https://1.1.1.1 in the last 2 or 3 days. This is a helpful one from zdnet.com:

      1.1.1.1: How to use Cloudflare’s DNS service to speed up and secure your internet
      Cloudflare’s new Domain Name System promises to both speed up your internet access and protect your privacy.

      By Steven J. Vaughan-Nichols | April 2, 2018

      3 users thanked author for this post.
    • #180851

      I personally could not AGREE more.

      I personally favor OpenNIC (non-5-Eyes location preferred) and change it around every week or so.

      A little trick, and FREE, that goes a long way in securing your PC and online fingerprint. This is active self-protection, as opposed to passively and sheepishly relying on and trusting their ‘patching’ and oppppsssss… ‘we’ll get to the fix of the fix… later.’ yeah, and that one way back we promised in 2015…. life goes on hey??? 🙂

      After all MS promise us a grp W so very soon right??? 😉

      Good to learn a few more self-help self-protection clean online and offline computing habits, like the old days 🙂

      anyway just 2c

      back to fishing for better dreams

    • #180861

      Further details can be found at labs.apnic.net/?p=1127.

    • #180869

      A quick and easy way to swap between DNS providers is to use Nir Sofer’s QuickSetDNS. The GUI shows you your current and alternate settings, allowing you to switch in the blink of an eye:

      QuickSetDNS

      Hope this helps…

      6 users thanked author for this post.
    • #180868

      1.1.1.1 is worth the try
      “CloudFlare was the fastest DNS for 72% of all the locations. It had an amazing low average of 4.98 ms across the globe”
      From the east, it’s about 6-7ms avg – pretty good 🙂
      though dnsleaktest.com was unable to pick up the DNS test after a few minutes (and I gave up)
      Still as per APNIC,
      ‘This joint project has an initial period of five years and may be renewed’
      5 years worth of free fast dns 🙂

      p/s Thanks Susan – though I am not keen on the patching business, you nevertheless have my respect here
      I wonder if there will be a day, in our lifetime, when we all will have our own personal quantum computer 😀 😛
      back to fishing for better dreams

    • #180882

      1.1.1.1 does not work in my region, 1.0.0.1 does

      3 users thanked author for this post.
    • #180889

      I found Steve Gibson’s DNS Benchmark very useful over the years (as with a lot of his other utilities on offer)

      https://www.grc.com/dns/benchmark.htm

      I also check Lifewire every so often, as it’s updated every week or so to reflect options.

      EDIT: Additional Info for Firefox and derivatives:

      Within your about:config, check and edit if required (depending on FF version) the following, if applicable:

      network.proxy.socks_remote_dns set to TRUE

      Description of action:

      When using SOCKS, have the proxy server do the DNS lookup – potential DNS leak issue.

      Keeping IT Lean, Clean and Mean!
      2 users thanked author for this post.
    • #180899

      At the moment, I’m using Simple DNSCrypt to prevent DNS leaks.

      https://www.ghacks.net/2018/02/19/encrypt-your-dns-traffic-with-simplednscrypt-for-windows/

    • #180915

      Forget the speed, go for the security. Quad9 – 9.9.9.9 – is the “go to” DNS setting for privacy.

      4 users thanked author for this post.
      • #180918

        +1

        Have been using Quad 9 for a few months now and find it excellent albeit not the fastest. I just love their set-up of mitigating malware at DNS level with no logs. The security aspect was a winner for me which is backed by IBM.

        edit: https://www.quad9.net/

        Keeping IT Lean, Clean and Mean!
        3 users thanked author for this post.
        • #189265

          If Quad9 isn’t the fastest from your location, please send a traceroute to support@quad9.net, so the support folks can figure out what the problem is and address it.  There are 180 locations around the world, so either you’re closer to the location of a different recursive resolver than a Quad9 one, which is possible but statistically unlikely, or there’s a BGP peering problem, which can be fixed.  Thanks.

      • #181084

        For years I’ve used OpenDNS rather than my ISP and have been happy with the speed. With recent developments around privacy and leaks (e.g., Equifax, Facebook/Cambridge, yada, yada) I’ve been hardening my privacy systems, so to speak.

        Having discovered that OpenDNS logs queries, I wanted to change servers when not using my VPN. Cloudflare and Quad9 both seem to fill the bill. Using DNS Benchmark and running multiple passes yesterday, I found Cloudflare, Quad9 and OpenDNS to all be nearly equal in speed – often swapping places on different passes.

        Based on online research, it seems Quad9 and Cloudflare both do not keep logs. So, toss of the coin: it’s Cloudflare for the moment.

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

        4 users thanked author for this post.
        • #181930

          Steven S. said:
          Based on online research, it seems Quad9 and Cloudflare both do not keep logs. So, toss of the coin: it’s Cloudflare for the moment.

          Anon #180915 said:
          Quad9 – 9.9.9.9 – is the “go to” DNS setting for privacy.

          Cloudflare & Quad9 aren’t as private as hyped by some media reports. Both of them do keep logs of DNS requests (IP addresses or geographic location, & DNS query data).

          See my other comment (to Steven S.) for details, & 3 examples of truly non-logging DNS servers:
          https://www.askwoody.com/forums/topic/patch-lady-a-little-paranoia-goes-a-long-way/#post-181738

          Quad9 can perhaps be regarded as more private (relatively speaking) than Cloudflare, because it apparently does not share any part of its logs with third parties, whilst Cloudflare shares DNS query data.

          Security-wise, Quad9’s primary DNS server (9.9.9.9) supports DNSSEC (which prevents DNS spoofing/ poisoning) for all DNS requests, while Cloudflare’s free DNS servers support “DNSSEC validation when possible” & will “temporarily disabl[e] DNSSEC validation for a specific misconfigured domain“.

          1 user thanked author for this post.
          • #189340

            I’ll plagiarize a Reddit post I wrote on the topic:

            Quad9 does not collect IP addresses, so, depending on how what you wrote is interpreted, it might be seen as incorrect.  We don’t have a concept of a “user” to hang any data on. The data we do collect are these:

            For all queries:

            • We add to a tally of the query type, whether it was IPv4 or IPv6, for an A record or an AAAA record, etc., but not what the query was for nor where it was from. So, that’s protocol type, but not payload.
              • We also implicitly know which of our servers we’re tallying on, and we only aggregate those to the city level. So, for instance, we know if a DDoS that’s composed primarily of IPv4 A queries is hitting Frankfurt more than Munich.
            • For the subset of queries which want malware blocking:
              • For the subset of those which match one of the malware-blocked domains:
                • We also add to a tally of how many times that blocked domain has been matched. Unlike the more general protocol-type data above, this tally is counted globally, not retained on a per-city level.

            If you see a privacy or security issue with any of that, please say so. None of us could see any issue with any of that, but everyone has different perspectives and insights.

            What the web site says desperately needs to be updated, and we have a workstream to get that done, plugging away. Unfortunately lots of higher priorities, mostly people wanting us to deploy in new locations, turn up crossconnects, or move feature-combinations from beta to production.

            2 users thanked author for this post.
    • #180927

      Running Debian Stretch on my PC, my ISP is Spectrum and I use their email (@charter.net). I get all my email using Thunderbird. If I use a DNS other than the Spectrum default, such as OpenDNS, Thunderbird is much slower connecting to and downloading (and uploading) my emails, 2 or 3 seconds slower! From a speed perspective surfing the web seems to be the same speed for me regardless of which DNS server I use except for email. If I used gmail or some other email service, I would use OpenDNS but for now I will stick with the Spectrum default.

      • #180936

        This was why, a few years ago, I switched away from email services provided by ISPs. I only use it for ISP billing at webmail level, nothing else. On my email client I use various satellite email providers, big names and more obscure.

        The handy thing in the future being that, if I change fibre/ broadband suppliers, it doesn’t affect email settings when switched 😉

        Keeping IT Lean, Clean and Mean!
        • #181253

          Microfix,

          All your points are well taken. My issue is that I won’t use any Google products, not because some of them are not outstanding, but because of Google’s business practices. So gmail is out of the question. And being a Linux user, I am addicted to FREE applications. So if I could find a free and secure email service that respects my privacy, I would jump on it immediately. Haven’t found one yet. So I have settled on my ISP’s email service.

    • #180944

      @ Susan Bradley, aka Patch Lady

      If not mistaken, this quote:

      In the settings of the internal modem I have placed the DNS settings I want:

      Shouldn’t *modem* be *router*–or am I reading this wrong?

    • #181023

      Thanks for the great information. Will need to test with my colleagues and see the pros/cons with it.

      Cheers!!
      Willie McClure
      “We are trying to build a gentler, kinder society, and if we all pitch in just a little bit, we are going to get there.” Alex Trebek
    • #181075

      “1.1.1.1 does not work in my region”

      It might be your equipment, not your region.   1.1.1.1 used to be non-routable, so certain router vendors used it as an internal assignment.   I’m hearing a lot about Cisco with this issue.

      With my ISP, using 1.1.1.1 depends on the modem/router that the subscriber has.  It works for me and doesn’t work for others.

    • #181090

      At the moment, I’m using Simple DNSCrypt to prevent DNS leaks. https://www.ghacks.net/2018/02/19/encrypt-your-dns-traffic-with-simplednscrypt-for-windows/

      When I enable Simple DNSCrypt 0.5.4 (x64) and check with ipconfig/all
      it reveals 2 entries for DNS Servers:
      ::1
      127.0.0.1

      and the ipv4 test at dnsleak.com says this:

        Your IP: xxxxxxxxxxxxx
        DNS IP: 144.202.15.131
        Hostname: us2.evilvibes.com
        Country: United States
        City: Piscataway

      So have I set it up incorrectly somehow?  Any advice appreciated.

    • #181308

      The Register Article on Cloudflare DNS Service.

      “Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs”

      Cloudflare touts privacy-friendly 1.1.1.1 public DNS service. Hmm, let’s take a closer look at that
      We’ll share query data, but only with these really trustworthy researchers

      https://www.theregister.co.uk/2018/04/03/cloudflare_dns_privacy/

      3 users thanked author for this post.
    • #181413

      I use Namebench to benchmark DNS servers from my location:

      https://code.google.com/archive/p/namebench/

      Download link for Windows version 1.3.1:

      https://code.google.com/archive/p/namebench/downloads

      The Windows EXE file doesn’t modify your system.

    • #181483

      As I expected, Cloudflare DNS is EXTREMELY SLOW for us in Hawaii.  According to DNS Benchmark which I have used since its inception there are 10 public DNS servers faster than Cloudflare.  The fastest are, and have always been, LOCAL ones provided by my ISP.  Open DNS and Google are slow also but not as bad as Cloudflare which pings at 62ms indicating it is located on the West Coast.  My ISP’s LOCAL DNS servers ping at 9 to 14ms.

      • #181533

        It’s even slower if their DNS resolvers are within the same data center as the DNS client. Also, it seems they conduct probes (i.e. TCP SYN-ACK) on IP addresses sending DNS queries.

    • #181550

      This is a very interesting thread.

      Please clarify:

      1) Is 1.1.1.1 already and automatically DoH (using https for the connection), or is that something to come in the future, or does it require some special setting in my router or PC?

      2) One of my PCs (WIn 7 Pro 64-bit) already runs Simple DNSCrypt [C:\Program Files (x86)\bitbeans\Simple DNSCrypt\dnscrypt-proxy\dnscrypt-proxy.exe], current version 2.0.8. Is 1.1.1.1 compatible with that, or will they conflict, or will one override the other (and which one will override which one)?

      3) I am getting Verizon FIOS in the next few business days (1Gbps home, in NYC). I will have their ONT and their Quantum router. I think I’ve seen somewhere the instructions how to put 1.1.1.1 as the selected DNS in that router. But please repeat that link if you have it.

      4) If DoH for 1.1.1.1 is already available, do I need to do something in the FIOS Quantum router to make DoH (https) happen? Is there anything else I need to do to have my DNS queries confidential and not trackable by Verizon?

      5)  One of my PCs is still XP Pro SP3, which I keep updated using the POS hack.  If I change my router to 1.1.1.1 for DNS, will the XP machine get blocked because it can’t use whatever 1.1.1.1 is using (including some version of TLS)?

      Thanks.

      • #181651

        UPDATE –

        1 – 4)  A ZDNet reporter advises that while 1.1.1.1 has the capability for DoH, my SOHO PCs and router are not yet set up for that, and it would be very difficult today for a non-tech such as myself to set up DoH.

        2)  Not sure.

        5)  My XP machine still works even though my router is now set to 1.1.1.1 and its clone 1.0.0.1.

        • #181756

          Regarding my question 2) —

          I have inserted 1.1.1.1 into my router for DNS lookups, but my Win 7 Pro 64-bit machine is also running Simple DNSCrypt 0.5.4 with its latest dnscrypt-proxy service version 2.0.8.  It seems that this new version has a varying list of secure DNS resolver servers built in.

          Now, when I go to http://www.dnsleaktest.com and hit the Extended Test, I get differing DNS resolvers with each test, but none of them is Google.  I have attached an example.

          However, if I turn off Simple DNSCrypt (but still have 1.1.1.1 in my router), the ONLY result is a single line:

          172.68.53.168 — Hostname none — ISP Cloudflare — Country United States.

          I’m not a tech, but it seems that both are working.  I like!

    • #181742

      I’ve tested 1.1.1.1 in Ireland and any Office 365 autodiscover requests are being routed via autodiscover-ca-nameast.outlook.com (looks like eastern US or Canada by the name) with a ~100ms ping time. My ISP’s DNS uses Dublin and Google DNS uses Amsterdam. So I can’t see this being usable here.

    • #181889

      These new DNS options are interesting.

      The new DNS service offered at 1.1.1.1 by Cloudflare and APNIC is fast, and private in the sense that they do not log the user’s DNS queries, but it does not block anything.

      The new DNS service offered at 9.9.9.9 by IBM and Packet Clearing House is slower than Cloudflare, and is equally private, but it adds the equivalent of a blacklist of malware sites that are identified by a consortium of cybersecurity companies.

      So there is a tradeoff of speed vs. security – is this correct?

      Thank you.

      Edit to remove HTML: Please use the ‘text’ tab in the post entry box when you copy/paste.

      • #181923

        So there is a tradeoff of speed vs. security – is this correct?

        Not necessarily; please see this article from The Register (2018.04.03)  — https://www.theregister.co.uk/2018/04/03/cloudflare_dns_privacy/.

        1 user thanked author for this post.
      • #181960

        alphacharlie said:
        The new DNS service offered at 1.1.1.1 by Cloudflare and APNIC is fast, and private in the sense that they do not log the user’s DNS queries, but it does not block anything.

        The new DNS service offered at 9.9.9.9 by IBM and Packet Clearing House is slower than Cloudflare, and is equally private, but it adds the equivalent of a blacklist of malware sites that are identified by a consortium of cybersecurity companies.

        So there is a tradeoff of speed vs. security – is this correct?

        1) Neither Cloudflare’s nor Quad9’s DNS servers are truly private. Pls see my other comment for more info:
        https://www.askwoody.com/forums/topic/patch-lady-dns-anyone/#post-181930

        2) Quad9’s “secure” DNS servers 9.9.9.9 & 149.112.112.112 filter DNS requests against a security blocklist of known malware sites, as well as support DNSSEC to prevent DNS spoofing.

        On the other hand, Quad9’s alternate “non-secure” DNS servers 9.9.9.10 & 149.112.112.10 do not use any malware blocklist or DNSSEC validation, but they support EDNS Client-Subnet (ECS) which helps to route you to a closer server — which might be faster.

        Note: Quad9 indicates that it is not advisable to mix & match secure vs. non-secure servers for your DNS server configuration.

        3) Depending on one’s geographic location, Cloudflare’s DNS servers might not be faster than Quad9, or even fast at all. In my case, Cloudflare ranks below my ISP’s DNS servers, Google DNS, OpenDNS, & Verio / NTT — in that order. Using Cloudflare DNS, there is a noticeable lag of 2-3 secs to resolve each URL domain.

        2 users thanked author for this post.
    • #182203

      Hold on.  I’m in NYC, but when I put 1.1.1.1 in my router, it sends the DNS query to a cloudflare server in Boston – 172.68.53.180.  (I can see the IP by going to https://www.dnsleaktest.com , and then I can see the location by inserting that IP in https://community.spiceworks.com/tools/ip-lookup/ .)

      It’s Boston, not NYC.

      Huh?

      How is that fast?

      Doesn’t cloudflare have a closer server?

      • #182252

        What I wrote above is also true using ping or tracert:

        In NYC, my pings to 1.1.1.1 or 1.0.0.1 are 15 – 17 ms,
        but my pings to 8.8.8.8 or 9.9.9.9 or OpenDNS at 208.67.222.222 are all faster at 10 – 12 ms.

        And I’m seeing the same thing using tracert.

        I already know that 1.1.1.1 or 1.0.0.1 are going to a cloudflare server in Boston, but I’m in NYC.

        So how is this faster?
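The ping comparisons in this post, and the DNSSEC distinction drawn in #181960 above, can both be checked with a real DNS query instead of ICMP. The following is an added example, not code from the thread: it sends a plain UDP A query for example.com (a DNSSEC-signed zone) to the four resolver addresses quoted in the thread, times the round trip, and reads the AD flag that a validating resolver sets on a validated answer. The resolver labels, the fixed query id 0x1234 and the 2-second timeout are my choices, not anything from the thread.

```python
import socket
import struct
import time

# Resolver addresses quoted in the thread; the labels are ours.
RESOLVERS = {
    "Cloudflare": "1.1.1.1",
    "Quad9 (secure)": "9.9.9.9",
    "Google": "8.8.8.8",
    "OpenDNS": "208.67.222.222",
}
QUERY_ID = 0x1234  # constructed value, fixed so a stray reply can be told apart

def build_query(name, qid=QUERY_ID, dnssec_ok=True):
    """Wire-format A/IN query. With dnssec_ok, an EDNS0 OPT record with the
    DO bit is appended so the resolver knows we can take DNSSEC records."""
    # Header: ID, flags (only RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size 4096,
        # TTL field = ext-RCODE 0 | version 0 | DO bit 0x8000, RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def parse_header(resp):
    """Decode the 12-byte header into the fields a resolver check needs."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),  # this is a response
        "ad": bool(flags & 0x0020),  # authenticated data: DNSSEC validated
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "answers": an,
    }

def probe(resolver, name="example.com", timeout=2.0):
    """Send one query over UDP; return (rtt_ms, header) or (None, None)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, None
        rtt_ms = (time.perf_counter() - start) * 1000.0
    hdr = parse_header(data)
    if hdr["id"] != QUERY_ID or not hdr["qr"]:
        return None, None  # not a reply to the query we sent
    return rtt_ms, hdr

if __name__ == "__main__":
    for label, ip in RESOLVERS.items():
        rtt, hdr = probe(ip)
        if hdr is None:
            print(f"{label:15} {ip:15} timeout")
        else:
            print(f"{label:15} {ip:15} {rtt:6.1f} ms  AD={hdr['ad']}  rcode={hdr['rcode']}")
```

A resolver that answers with AD set for example.com is validating DNSSEC on that path; one that answers without AD (or with SERVFAIL on a deliberately broken test domain) is not, which is the difference the thread attributes to the Quad9 secure and non-secure addresses.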

    • #195043

      4 users thanked author for this post.
      • #195996

        Cloudflare Gets Transparent on DNS Resolver Outage
        by Tara Seals | June 4, 2018

        In a testament to transparency, Cloudflare has explained a 17-minute outage on its 1.1.1.1 resolver service last week: It was a glitch in its own systems, not a cyber-incident.

        The 1.1.1.1 service is a Domain Name System (DNS) resolver that matches up URLs (say, “cloudflare.com”) with their corresponding numerical IP addresses.

        Cloudflare saw a global outage last Thursday, May 31, thanks to a coding oversight in its Gatebot DDoS mitigation pipeline.

        What the coders failed to account for was that Gatebot’s hardcoded list of Cloudflare addresses contained a manual exception for the 1.1.1.0/24 and 1.0.0.0/24 recursive DNS resolver IP ranges.

        It’s a cautionary tale for those coding the complex algorithms that go into automated mitigation…

        Read the full article here

        1 user thanked author for this post.
      • #196021

        For those like myself left pondering the meaning of this abbreviation BGP, it is short for Border Gateway Protocol.

        1 user thanked author for this post.