DNS resolver 9.9.9.9 will check requests against IBM threat database


Might be useful for some as a backup to another public DNS like Google's public DNS.

They do support DNSSEC, and return NXDOMAIN rather than an intercept page with adverts.

I'm reasonably certain that some may have privacy concerns (as mentioned above), but it's the same concerns that would be in place for any public DNS server (or ISP's DNS server).
 
My usual go-to DNS when I need one (and I don't need geolocalisation, for instance for a server) is usually Level3's.
 
When I ping 9.9.9.9 the response time is twice as long as Google's 8.8.8.8. So I would not use it.

I don't use Google either because Spectrum's DNS response time is the quickest. Since DNS is used all the time you want the quickest one you can find. It makes for a faster network.
 
@coxhaus
I've been telling people to be patient. Eventually a quad9 server will be near you around the corner. Hey! The wait for me is over at least. quad9 used to have >200ms ping time vs google's 15ms. Now quad9 is 40ms for me.

Absolute ping time matters less on such a time scale. The actual DNS response time is about the same in my case: about 50ms total on both. I can't resist switching now.
 
If my DNS server goes above 21ms my network is not as snappy on response time to web pages.
 
If my DNS server goes above 21ms my network is not as snappy on response time to web pages.

You have a point but your LAN's DNS forwarder as well as browsers will cache recent requests. Hence, the effect might not be noticeable. quad9 has added benefit but I think I'll lose some edge on DNS benchmarks. Will see how it goes in real world experience.

Hey, if you're worrying about sub 100ms delays, you shall definitely try my pixelserv-tls on your LAN. It'll give you a smoother browsing experience. See the benchmark here and here. *grin*
 
I have not seen big improvements using cache on my small home network. We did years ago at work. But the places I go at home are all over the place and caches die out before I get repeats.
 
Also, a ping does not evaluate how quickly that resolver will do its own recursive lookups (if the response isn't already cached by them). That's why pinging a DNS server only gives you one element out of the whole performance aspect.
 
The time to live on a cache is very short. But yes if cached it is faster. Ping is giving you real world time to get to the site. Usually your local ISP's DNS is faster because you do not need to go offsite which causes lag. And every internet access is translated by DNS so it adds up on performance.
 
And every internet access is translated by DNS so it adds up on performance.

Only the initial query. The result then gets cached by your browser (some of them have their own DNS cache), your operating system, and also your router (if using the router's dnsmasq as your caching resolver).

That's why in general, performance in reaching a DNS server isn't so important. What it returns is - and to avoid breaking CDNs, you generally want to use one that is local, or that has EDNS support implemented.

So in short: DNS performance is much more complex than just the ping time to the DNS itself :)
 
It is very easy to test. Just change DNS servers and over time you will get a feel for how it works.
 
Latency of a DNS server does not matter, your own router tends to cache requests speeding things up where possible. What matters is the capacity and security of the DNS server itself. Offering secure options can help bypass DNS hijacking done by some ISPs while a DNS server that is fast enough to handle the request with enough memory if being a primary DNS server will make sure that requests are done faster.

For example you could have a DNS server that is 1ms away, but it could be slower than a DNS server that is 100ms away if it has to query other DNS servers. DNS is actually a distributed service and sometimes the database can be so big that the servers query other servers. This is where google DNS wins over ISP DNS servers because they have all the entries available locally that are also kept up to date as google is a search engine.

If IBM can do the same as Google does with their DNS server in keeping it fast, it's pretty much a good option, way better than your ISP DNS and many other DNS servers. Secure DNS can prevent info gathering via metadata and domain requests as these can be seen easily.
 
This is where google DNS wins over ISP DNS servers because they have all the entries available locally that are also kept up to date as google is a search engine.

Would actually be interesting comparing the cache size of a typical major ISP DNS with that of Google. Will also depend on the size both allocate to their local caches.

I suppose a large DNS infrastructure could potentially implement multiple servers, each caching only specific TLDs, with the frontend DNS querying those backend caches, which are responsible for doing the recursive lookups. Fascinating idea...
 
Latency of a DNS server does not matter, your own router tends to cache requests speeding things up where possible.

I think you guys are wrong with latency. Cache requests die within seconds. You can make static entries which live forever. For home routers latency matters in my opinion. To each his own.

You do need to use a big name DNS like AT&T or Time Warner. Google is just in the last couple of years getting fast enough to consider. When I did all my tests years ago it always seemed the ISP like AT&T DNS or Time Warner DNS was fastest depending on whether I was using AT&T or Time Warner.

Maybe Quad9 will get faster in the future.
 
I think you guys are wrong with latency. Cache requests die within seconds. You can make static entries which live forever. For home routers latency matters in my opinion. To each his own.

You do need to use a big name DNS like AT&T or Time Warner. Google is just in the last couple of years getting fast enough to consider. When I did all my tests years ago it always seemed the ISP like AT&T DNS or Time Warner DNS was fastest depending on whether I was using AT&T or Time Warner.

Maybe Quad9 will get faster in the future.
That's because what Google does is have a distributed system for DNS. Each DNS name like .com and so on is owned by a respective DNS service/server which is queried by another DNS server. What Google could be doing is querying these servers every time the entry expires without a user request, thus maintaining a consistent and updated cache through its network which makes it very fast.
 
I think you guys are wrong with latency. Cache requests die within seconds.

They shouldn't. They're expected to obey the record's TTL. If they don't, then they're doing it wrong, or are using a cache that's too small for their workload.
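
Added example, not part of any post in this thread: a minimal Python parser for the three things a resolver's reply tells you that a ping cannot, namely the RCODE (NXDOMAIN is 3), the DNSSEC AD flag, and each record's TTL, plus a cache that expires entries at that TTL. The replies are constructed in-process (documentation address 192.0.2.10, TTL 300), so nothing is sent on the network; all function and class names are hypothetical.

```python
import struct

def build_query(name, txid=0x1234):
    """Minimal recursive A/IN query (RD=1)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def sample_response(query, rcode, a_records):
    """Constructed reply for the demo: QR|RD|RA plus AD (0x0020) and the given RCODE."""
    flags = 0x8180 | 0x0020 | rcode
    msg = query[:2] + struct.pack("!HHHHH", flags, 1, len(a_records), 0, 0) + query[12:]
    for ip, ttl in a_records:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_response(msg):
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            answers.append((".".join(map(str, msg[off:off + 4])), ttl))
        off += rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "answers": answers}

class TtlCache:
    """Keeps an answer until the smallest TTL in it has elapsed, as a resolver cache should."""
    def __init__(self):
        self.store = {}
    def put(self, name, answers, now):
        if answers:
            self.store[name] = (answers, now + min(t for _, t in answers))
    def get(self, name, now):
        entry = self.store.get(name)
        return entry[0] if entry and now < entry[1] else None
```
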
 
