Is there a downside to using Google's DNS servers?

For whatever reason, my ISP seems to have regular issues with their server that does DNS, so I configured my router to use Google’s 8.8.8.8 and 8.8.4.4. I haven’t had any issues since making the change while I know that my neighbors have (with our ISP, not Google). Are there any downsides or potential risks that I need to know about by making this change?

Also, would it make sense to use Google for one DNS and maybe Cloudflare for the other?

The downside is that another party besides your ISP, namely google, gets information about any website you’re connecting to. I don’t know what they do with it, but given their usual greed for data, I suspect they use it.

Here’s what Google says about DNS privacy:

Thank you. I hadn’t expected such restraint from Google.

Well, it’s either restraint … or they’re flat-out lying to us.

That’s of course a possibility I wouldn’t exclude.

You’re probably fine, you’re probably not going to generate enough traffic. But another drawback other than the potential privacy issues is: if you do a LOT of DNS queries, they’ll throttle you. In the case of DNS over UDP, this just amounts to DNS queries failing, which is less than ideal.

This probably won’t be an issue for someone’s home network unless there’s something horrible going on, such as a compromised machine. But I’ve seen enough times that a lazy fool didn’t want to look up the actual DNS servers their email server was supposed to use, and just used 8.8.8.8 (email servers usually do a LOT of DNS lookups). When the email server gets busy, the free DNS server throttles them, and sadness ensues because now email doesn’t work and it’s hard to access because a large number of its DNS queries are failing.

I usually lack sympathy for these guys, but try to be nice when explaining what is going on the first time I see 8.8.8.8 in their email server’s config. Most accept my diagnosis, use a DNS server that was already set up for them and move on. I actually took the time to prove it to the first couple who challenged me on whether it behaved that way. Now, I’m bored with that and don’t even entertain demonstrating it to them anymore. Use the DNS server we provide or don’t bug me about your stupid problems.

Sorry about the semi-rant, but it’s a never-ending sore spot that wastes a ton of time with truly idiotic arguments. Like I said, you’re probably fine, Nars, unless there’s a lot more people on your home network than I think there is, or one of them is infected by something nasty and scanning the internet for passwords.

I have found Google’s DNS servers to be much more reliable than Comcast’s servers that I would otherwise default to.

But I have discovered a few odd things that I eventually traced back to using non-default DNS servers. I don’t know the full technical explanation for these behaviors, but here they are:

(1) Setting up a Netgear router with Comcast as ISP has numerous quirks, for which each blames the other. One of the more minor quirks is that setup and initial connection to the internet doesn’t work unless you leave it on the default DNS server. You can change it later.

(2) If you have non-default DNS servers set on your laptop rather than just your router, you may have trouble connecting to some external WiFi (I had a problem at a couple of hotels that I eventually traced back to this).

(3) I have on a couple of rare occasions encountered a weird behavior where I could only connect to google-related pages (gmail, google searches). Flushing the DNS cache sorted this out.

Most normal computers only actually use one DNS. Any others listed are only fall back if the primary DNS stops replying.

The hotel usually wants to redirect you to an initial landing page when you connect to their wifi to make you accept terms of use and to entice you to book your next stay with them. If your custom DNS prevents this the hotel wifi might not work.

There’s no real downside except that you’re missing out on features found on other Free DNS providers. An example is CleanBrowsing (“Free DNS Filtering | Block Online Porn with CleanBrowsing”); the DNS servers below are 100% free to use:

Security Filter 185.228.168.9: Malicious domains blocked (phishing, malware).

Adult Filter 185.228.168.10: Adult domains blocked; Search Engines set to safe mode; +Security Filter

Family Filter 185.228.168.168: Proxies, VPNs & Mixed Adult Content blocked; Youtube to safe mode; +Adult Filter

I suggest using a DNS server which blocks known malicious sites. CleanBrowsing and OpenDNS both offer free DNS services to do this and I’m sure there are others out there as well.

Google has been caught lying about data collection before, such as when their self-driving cars were wardriving around stealing wifi info. (“Google admits collecting Wi-Fi data through Street View cars | Google Street View | The Guardian”)

They are an advertising company, after all, and their usual take on privacy is to do as much as possible before a watchdog (usually European) shuts down some offense a decade too late.

That said, if you’re using Chrome or searching on Google.com anyway, eh, they already know a lot about you. Privacy is mostly an illusion these days.

But if you don’t want to trust Google, 1.1.1.1 is run by Cloudflare, whose business model is based on network security/caching and not advertising. It also has incredibly fast DNS updates, meaning domain changes come to you extremely quickly (a few seconds rather than the minutes with Google or hours with other providers).

Either choice would be far better than the default DNS servers used by Comcast, AT&T, etc., which do capture your traffic, show you ads when you try to go to a wrong page, and then use all that data to further lobby the government to make your internet shittier in favor of the telecoms.

Don’t most computers mostly rely on their own DNS cache, before consulting an external server at all? Like, when I access boards.straightdope.com (to pick a random example of a domain that I access frequently), doesn’t my computer just assume that the IP will be the same as it was the last 17 times I visited the site?

I don’t know about computers but my iPhone doesn’t seem to. When my ISP’s DNS server is down, I can’t get anywhere.

The response to a DNS query contains not only the IP address of the requested target, but also a Time-To-Live value, which is like an expiration date for that data. Typically the TTL is on the order of a few hours. So if your computer makes a DNS query and gets the response with a TTL of 2 hours, it is supposed to cache the response for 2 hours. If it needs to map the domain to an IP address within the next 2 hours it will use the cached value; after that it will make another DNS query to the server.

The TTLs are determined by the person who configures the server; this is a balancing act because short TTLs will increase load on the server, but long TTLs will make it harder to make changes to the DNS mapping when necessary. I once was using a DNS server which was (mis?)configured to use a TTL of 7 days. When I changed ISPs and needed to change my DNS, for a week some clients were going to my old site and some were going to my new one, depending on whether they had cached the query, and it was a royal pain in the butt.
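To make the TTL mechanism described above concrete, here is an added example (my own code, not from any poster in this thread) that decodes the answer section of a DNS response, including the RFC 1035 name-compression pointer, and keeps a small stub-resolver cache that stops serving a record once its TTL has elapsed. The response packet is constructed inline for the example (example.com resolving to 192.0.2.10 with a 2-hour TTL), not captured from any real server.

```python
import struct

# Constructed sample response (not a real capture): one question for example.com, one A answer, TTL 7200 s.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: QDCOUNT=1, ANCOUNT=1
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"   # question: example.com, type A, class IN
    + b"\xc0\x0c" + b"\x00\x01\x00\x01"                 # answer: name is a pointer to offset 12, A, IN
    + struct.pack("!IH", 7200, 4) + bytes([192, 0, 2, 10])  # TTL, RDLENGTH, RDATA (IPv4)
)

def _read_name(pkt, off):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 section 4.1.4)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            if not jumped:
                end = off + 2      # parsing resumes after the pointer, not after its target
            jumped, off = True, struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_answers(pkt):
    """Return [(name, ipv4, ttl)] for the A records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qdcount):       # skip the question section (name + QTYPE + QCLASS)
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:  # type A: four-byte IPv4 address
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers

def cache_store(cache, answers, now):
    for name, ip, ttl in answers:
        cache[name] = (ip, now + ttl)  # TTL is relative; store an absolute expiry instead

def cache_lookup(cache, name, now):
    hit = cache.get(name)  # None means expired or unknown: the resolver must query a server again
    return hit[0] if hit and now < hit[1] else None
```

A 7-day TTL as mentioned in the post simply means the expiry stored by cache_store lands a week out, so every resolver that cached the old record keeps answering with it until then.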

Windows has a DNS cache (unless recent updates to Windows 10 have removed it). Most Linuxes I know do not have that set up by default. I don’t know if macOS has one or not–I know it doesn’t come built into Unix, but Apple added a lot of stuff.

And, yes, even if the cache does exist, it doesn’t last very long. Though, in my experience, it usually lasts more like 24 hours or so, which is a reasonable amount of time for a new name to have actually propagated. Two hours seems way too short when sites go down for at least a day if the DNS gets messed up.

From Windows, open a command prompt and type
ipconfig /displaydns

86400 is 24 hours (60 × 60 × 24), which is what a lot of DNS records are set to.

Back in the day 7 days or longer was normal, and 8 days before you wanted to make a change, you’d change it to something like 1 day. Since nobody really went anywhere more frequently than daily, that was good enough. Or on the day before, you could change it to 20 minutes.

You can empty the DNS cache with:

ipconfig /flushdns

Yes, for a while. There are usually several. Some browsers (like Chrome) have their own, your operating system will almost always have one, your ISP has one or more, and various other ISPs on the net will also cache things all the way back to whoever is deemed authoritative for a particular domain DNS entry. That’s why, in the old days, it would take 2 or 3 days to propagate. These days, a few hours is normal with the shitty ISP default DNS servers, a few minutes with a good one like Google’s, and a few seconds with an excellent one like Cloudflare’s.

Your local computer’s cache, however, will probably live up to the TTL value, as others have stated. In Chrome you clear it by going to chrome://net-internals/#dns

There were issues in the past (several years) when using a 3rd party DNS server could cause problems with CDNs like Akamai, and ones used by Netflix, YouTube, and social media sites. Your local ISP’s DNS server would correctly route your traffic through the local CDN, giving faster loading and download times. However, 3rd party DNS servers couldn’t determine your location and would route traffic through a very far away network, if not the originating server thousands of miles away, rather than the local cache a few miles down the road.

This doesn’t seem to be the case anymore as far as I can tell. I’m curious how that’s been resolved, or at least mitigated.