Better DNS Resolvers



One of the most important pieces of the Internet that most people take for granted is DNS. The Domain Name System is responsible for translating the easy to remember names you type (www.google.com) into IP addresses (IPv4 or IPv6, depending on your ISP's *cough*investment*cough*).

Today, most people are using their ISP's DNS resolvers by default, because the ISP's DHCP server hands out the ISP's own DNS servers when you connect to the network. Most people don't care which servers are resolving their names, and few realize the risk of relying on their ISP's DNS servers.

Many ISPs do not care how well configured and secured their DNS servers are. After all, compared to their main service (providing you with a fat pipe), DNS seems like something so small. Yet so dangerous…

One of the most serious DNS attacks is known as "cache poisoning". Simply put, imagine that a site you use (let's say google.com) is hosted on the server 192.0.2.10 (the legitimate server; the addresses in this paragraph are documentation addresses used purely for illustration). An attacker who can get a forged answer accepted by the DNS server you are using (the resolver, not your computer!), whether by compromising it or by spoofing replies to it, "poisons" its cache so that google.com points to 198.51.100.66, which hosts a malicious look-alike, capturing your password and who knows what else. Every client of that resolver gets the forged answer until the record expires, and the browser still shows the correct domain name, so you cannot spot it from your side. The defences live on the resolver: random source ports and transaction IDs make forged replies hard to inject, and DNSSEC validation rejects them outright.

As a result, many people these days do not trust their ISP's DNS and prefer to try other resolvers. Below I have listed some of the most popular ones, and the one that works best in my country with my ISP (Batelco).

Level 3:
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4

Likely the one known by most, simply because the addresses are easy to remember! Location depends on where you are and which IPs you use; trace routes I performed ended in the US for some and in Europe for others. Level 3 has no specific page on these resolvers, and I am not even sure they were meant to be public, but a LOT of people use them (search online and you will probably see them mentioned for troubleshooting DNS problems).

OpenDNS:
208.67.222.222
208.67.220.220

OpenDNS offers more than just DNS. Its mission was to solve the problem of slow ISP resolvers by having a LARGE cache. Instead of the few thousand domains cached at your ISP, OpenDNS probably caches millions if not more! If you register for an account you get extra features such as web filtering, statistics on the domains you visit, record types and more. There is a free and a paid version. Many large organizations around the world use them; my university is one (although not part of their case studies). A slight problem is that they redirect typos and NXDOMAIN replies to ad-supported pages. This breaks programs that rely on the NXDOMAIN reply to know that a name is not supposed to exist. It can easily be turned off if you have an account and use a dynamic updater to notify them whenever your IP address changes. Servers are located in several locations.

ScrubIT:
67.138.54.100
207.255.209.66

I haven't heard much about them and never used them because they are a bit far from me. They perform some filtering of DNS requests, such as adult and malicious sites. However, you as the user have no control over this, since there is no control panel to customize your options, although a beta was around for that purpose.

DNS Advantage:
156.154.70.1
156.154.71.1

DNS Advantage was my second choice for a while. I replaced OpenDNS with DA for a while to test them out and they were quicker. They seem to block only malicious sites hosting phishing schemes and botnets. The parent company is UltraDNS. Servers are located in several locations.

Comodo Secure DNS
156.154.70.22
156.154.71.22

I have no idea what relationship they have with DNS Advantage. I wouldn't be surprised if they are simply using DNS Advantage and adding their own Comodo brand to it. Trace routes indicate that they end up at the same place, and UltraDNS is on one of the hops.

Google Public DNS
8.8.8.8
8.8.4.4


Well, it seems that Google has decided to join the DNS resolver market as well. They have enough resources to handle the load, plus data centers spread around the world. However, they were pretty bad in my tests and in some cases further away than ScrubIT's servers, so not exactly fast. Some people think Google is taking over the world, so they decide not to use them for DNS (but continue using them for search and/or email :-P!).

DynDNS Internet Guide
216.146.35.35
216.146.36.36

DynDNS is probably the most popular dynamic DNS provider out there; dynamic DNS lets you host things at home without having to know your constantly changing IP address. What I did not know was that they provide DNS resolvers as well: paid enterprise resolvers that simply resolve whatever you give them, and the Internet Guide service aimed at home users. They are the best resolvers I have used so far in terms of speed and performance. Like some of the others, they forward you to an ad page if a domain does not resolve, and this too can be turned off if you sign up for an account. The best part is that keeping your IP address updated is much easier: most routers offer DynDNS as a choice (sometimes the only choice!) of dynamic DNS provider in their configuration. They have free and paid plans.

Measuring Which is Best

To measure which resolver is best I used a simple yet powerful tool called DNS Benchmark, from GRC (Gibson Research Corporation). It tests the performance of the locally configured resolvers (the ones set on your PC) as well as popular public ones, and it even checks whether a resolver redirects non-existent domains to an ad page instead of returning NXDOMAIN. As mentioned, I am currently with Batelco and have DynDNS configured on my network. My DNS Benchmark run included all the resolvers listed above (excluding Comodo, since they appear to be DNS Advantage under another name). Times are in seconds. The results, leaving out my router and other local resolvers, are as follows:
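The two checks discussed on this page, whether a resolver hijacks NXDOMAIN replies (the gibberish-domain nslookup test) and the Min/Avg/Max/Std.Dev/Reliab% figures that DNS Benchmark prints, can be reproduced with a few dozen lines of Python. The block below is an added example written for this page; it is not GRC's code nor anything from the resolver operators listed above. It builds a raw DNS query, parses the reply, and only uses the standard library. The `make_response` helper fabricates replies (constructed sample data) so the parser can be exercised offline; the resolver addresses in the `__main__` block are the ones listed in this post, and the gibberish names are generated at random, just as in the nslookup test.

```python
import random
import socket
import statistics
import struct
import time

NXDOMAIN = 3     # RCODE for "this name does not exist"
A_RECORD = 1


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive (RD=1) query for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack(">HH", A_RECORD, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name, plain labels or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes):
    """Return (txid, rcode, list of A-record IPs) from a raw DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, rcode, ips


def make_response(query: bytes, rcode: int, ips=()) -> bytes:
    """Constructed reply to `query` (sample data for offline use, not a real answer)."""
    (txid,) = struct.unpack(">H", query[:2])
    qend = _skip_name(query, 12) + 4
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", A_RECORD, 1, 60, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + query[12:qend] + answers


def redirects_nxdomain(replies) -> bool:
    """`replies` are (rcode, ips) pairs for several random gibberish names.
    An honest resolver answers NXDOMAIN; a redirecting one answers NOERROR with
    the same A record for every name, which is what nslookup shows by hand."""
    answered = [tuple(ips) for rcode, ips in replies if rcode != NXDOMAIN and ips]
    return bool(replies) and len(answered) == len(replies) and len(set(answered)) == 1


def latency_stats(samples):
    """`samples` are seconds per query, None for a timeout. Returns the
    Min/Avg/Max/Std.Dev/Reliab% columns DNS Benchmark prints, or None."""
    ok = [s for s in samples if s is not None]
    if not ok:
        return None
    return {"min": min(ok), "avg": statistics.mean(ok), "max": max(ok),
            "stddev": statistics.pstdev(ok),
            "reliability": 100.0 * len(ok) / len(samples)}


def time_query(resolver: str, name: str, timeout: float = 2.0):
    """Live UDP lookup: (seconds or None on timeout, rcode, ips). A reply whose
    transaction ID does not match ours is dropped as stray or forged, not trusted."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(build_query(name, txid), (resolver, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None, None, []
        elapsed = time.perf_counter() - start
    rtxid, rcode, ips = parse_response(data)
    if rtxid != txid:
        return None, None, []
    return elapsed, rcode, ips


def random_name() -> str:
    return "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(14)) + ".com"


if __name__ == "__main__":
    for resolver in ("208.67.222.222", "216.146.35.35", "8.8.8.8"):   # from the list above
        results = [time_query(resolver, random_name()) for _ in range(5)]
        print(resolver, "redirects NXDOMAIN:",
              redirects_nxdomain([(r, ips) for _, r, ips in results if r is not None]),
              latency_stats([t for t, _, _ in results]))
```

Run it with the network up and each listed resolver prints whether it hijacks non-existent names and its latency figures; a resolver that answers five random names with one identical A record is redirecting, exactly what the nslookup test in the comments detects by eye. Timeouts count against reliability rather than being silently dropped, which is why "fast on average" and "reliable" are separate columns.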

217.17.233.101  |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name   | 0.012 | 0.017 | 0.040 | 0.006 | 100.0 |
- Uncached Name | 0.138 | 0.276 | 0.500 | 0.085 | 100.0 |
- DotCom Lookup | 0.136 | 0.719 | 2.345 | 0.821 | 100.0 |
----------------+-------+-------+-------+-------+-------+
cust-cache2.batelco.com.bh
Bahrain Telecommunications Company

193.188.97.212  |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name   | 0.012 | 0.020 | 0.038 | 0.007 | 100.0 |
- Uncached Name | 0.092 | 0.244 | 0.533 | 0.112 | 100.0 |
- DotCom Lookup | 0.094 | 0.196 | 0.364 | 0.079 | 100.0 |
----------------+-------+-------+-------+-------+-------+
ns2.batelco.com.bh
Bahrain Telecommunication Company

216.146.35.35   |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
+ Cached Name   | 0.199 | 0.210 | 0.258 | 0.013 |  98.0 |
+ Uncached Name | 0.206 | 0.318 | 0.563 | 0.102 | 100.0 |
+ DotCom Lookup | 0.203 | 0.264 | 0.338 | 0.045 | 100.0 |
----------------+-------+-------+-------+-------+-------+
resolver1.dyndnsinternetguide.com
Dynamic Network Services

Conclusions

As expected, my ISP's resolvers are fastest on cached names, since they are only a few hops away. However, the .com lookup on the primary is horrible on average (0.719 s, compared to 0.196 s for my ISP's secondary resolver and 0.264 s for DynDNS). These tests should be repeated at different times of day; this run was performed during local peak time, so the international links may have been somewhat saturated.

I, however, do not care much about speed; I focus on reliability and security. From these tests I conclude that the best alternative for Batelco Bahrain users is the DynDNS Internet Guide resolvers. I do not trust my ISP's overall security (a few years ago they had a major flaw in their e-services portal, which made me lose some trust in them), so I prefer to let a professional, well-known company take care of my DNS requests.

Remember that fast is not always best!


4 thoughts on “Better DNS Resolvers”

  1. Hi – very useful article on alternative DNS.
    I’ve changed the Static DNS on my Linksys ADSL router (I’m using Batelco) to OpenDNS. However, when I check the Internet connection Status page on the router, it shows a DNS of 217.17.233.101.
    Issuing a Tracert command to http://www.yahoo.com doesn’t provide the IP address of OpenDNS.
    Are batelco somehow forcing the alternative DNS not to work?
    Thanks
    Al.

  2. Hello Al,

    I believe some Linksys ADSL routers have a bug with the DNS settings if it contains 3 fields. OpenDNS have solved this problem by adding some extra resolvers. Try filling in all DNS fields with a combination of these (they are all OpenDNS):

    208.67.222.222
    208.67.220.220
    208.67.222.220
    208.67.220.222

    A traceroute should not lead you to OpenDNS. Instead you could try the “nslookup” tool. By default OpenDNS will resolve domains to a specific IP address if they are non-existent. So on the prompt try “nslookup aodkoak45g4dokd.com” and “nslookup idsfijf092fij.com” (basically gibberish domains), if you get the same IP address reply you are probably using OpenDNS. I found a configuration guide on the OpenDNS site for configuring Linksys routers which might help you out: https://store.opendns.com/setup/device/linksys

    Good luck!

  3. Hi

    Excellent – your suggestion worked. I entered three DNS entries and used the nslookup tool.

    Many thanks
    Al.
