115

When I have to choose my DNS I think that I should consider:

  • Speed
  • Reliability
  • Privacy
  • Control (reports and stats)

The main options that come to my mind, and how I weigh them according to the above factors, are:

  • My ISP = faster (closer to me) but less privacy (they can associate my DNS requests to myself)
  • OpenDNS and such = more control and more privacy (all they have is one of my e-mail addresses)
  • Google = less privacy (they can associate my DNS requests to my Google Account and my searches)

What weighting factors, or other options, have I missed?

Jader Dias
  • 16,236

5 Answers

90

My ISP = faster (closer to me)

This is a common misconception; distance does not make up speed on its own. Compare using the old single network cables out of metal to the newer multiple glass fibre cable systems, like EuroDOCSIS 3.0.

Other than propagation delay, you also have a processing delay on the server; I'm pretty sure that the DNS server at an ISP is less powerful than a DNS server hosted by Google, hence it is completely possible for a server that's at a much greater distance to actually be faster than your ISP's DNS server...

Hosting your DNS router/server might be the fastest, though it doesn't have all the DNS records stored!


namebench by Google can help you pick out a better DNS server, the rest in your question is subjective.

Are you a power-user with 5 minutes to spare? Do you want a faster internet experience?

Try out namebench. It hunts down the fastest DNS servers available for your computer to use. namebench runs a fair and thorough benchmark using your web browser history, tcpdump output, or standardized datasets in order to provide an individualized recommendation. namebench is completely free and does not modify your system in any way. This project began as a 20% project at Google.

namebench runs on Mac OS X, Windows, and UNIX, and is available with a graphical user interface as well as a command-line interface.

Here are the screens you will go through while using this program:


There is also a command line version there:

Final list of nameservers considered:
------------------------------------------------------------------------------
130.85.1.5      UMBC 5 US          56  ms | 
208.67.222.220  OpenDNS-3          56  ms | www.google.com is hijacked: google.navigation.opendns.com
209.244.0.4     Level3-R2          62  ms | 
216.146.35.35   DynGuide           63  ms | NXDOMAIN Hijacking
204.9.56.9      BroadAspect US     63  ms | 
8.8.4.4         Google Public DNS- 64  ms | Replica of Google Public DNS [8.8.8.8]
208.67.220.220  OpenDNS            65  ms | www.google.com is hijacked: google.navigation.opendns.com
156.154.70.1    UltraDNS           67  ms | NXDOMAIN Hijacking
127.0.0.1       Localhost IPv4     68  ms | NXDOMAIN Hijacking (www)
209.18.47.61    RoadRunner NC US   68  ms | Replica of RoadRunner NC-2 US [209.18.47.62], NXDOMAIN Hijacking (www)
156.154.71.22   Comodo Secure DNS- 80  ms | NXDOMAIN Hijacking
209.18.47.62    RoadRunner NC-2 US 104 ms | (excluded: Slower replica of RoadRunner NC US [209.18.47.61])
  • Sending 250 queries to 11 servers...

Mean response (in milliseconds):

Google Public DN ################# 64.85
Comodo Secure DN ################### 72.84
RoadRunner NC US ####################### 91.19
UltraDNS         ####################### 91.61
Localhost IPv4   ########################### 108.66
OpenDNS          ############################ 110.69
OpenDNS-3        ###################################### 149.85
DynGuide         ####################################### 156.60
Level3-R2        ########################################### 169.81
UMBC 5 US        ########################################### 172.63
BroadAspect US   ##################################################### 214.19

Response Distribution Chart URL (200ms):

http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,200|1,0,100&chd=t:0,8,8,9,10,1...

Response Distribution Chart URL (Full):

http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,3500|1,0,100&chd=t:0,0,0,1,1,1...

Recommended configuration (fastest + nearest):

nameserver 8.8.4.4 # Google Public DNS-2
nameserver 127.0.0.1 # Localhost IPv4
nameserver 209.18.47.62 # RoadRunner NC-2 US

33

Another freeware tool for testing and finding a good DNS server is DNS-Benchmark by GRC


It comes with a customised top 50 list (on which both Google and OpenDNS are usually listed) that will find the best 50 servers to test based on your IP.

It does a very thorough test and will tell if the server supports DNSSEC and if they redirect bad domains to their own landing page instead of giving an "Invalid Domain" response.

marklark
  • 143
  • 7
12

Many Content Distribution Networks use your DNS server to route you to an optimal location. Using Google or OpenDNS means that they may not be able to route you optimally. Using Google DNS for Google content will get you GREAT performance from them, but not from anyone's DNSLB or a CDN like Limelight, Level3 or others; using OpenDNS damns you with everyone. Google put out an RFC about some suggested fixes for this, but they are not implemented, so you stay screwed by using non-local name servers.

Max
  • 129
5

Consider configuring your own caching DNS server with dnsmasq or another project like named. I find that having control over this greatly speeds up my browsing past the first request. Your OS may also allow you to control its own built-in cache.

Jeff Atwood
  • 24,402
gtrak
  • 201
5

One thing you missed is..

How compliant are they? (Or perhaps, how vanilla are they?)

You can conceive of a DNS service doing some of the following.

  1. Filtering out certain things. (Censorship)
  2. Replacing certain requests with results that serve themselves.
  3. Throttled service concerning parties that don't benefit them.

For instance, the reason I would never use OpenDNS is because they resolve all unresolvable addresses to a special OpenDNS IP address which, if I recall correctly, opens a search for the unresolved request with advertising by OpenDNS.

I find this incredibly annoying, because I want my search engine to provide its own behavior for when an address is unresolvable and this makes all unresolvable addresses impossible to detect.

user606723
  • 1,568
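
The "NXDOMAIN Hijacking" flag in the namebench output and the rewriting of unresolvable names described in the last answer can be checked directly against any resolver. The following is an added example, not code from namebench or from any of the posters: it sends one query for a name that should not exist and reports whether the resolver answered NXDOMAIN or returned records anyway. The function names, the `www.<random>` probe name and the three result labels are assumptions made for this illustration.

```python
import os, socket, struct, sys

def build_query(name, txid):
    """Encode a recursive A/IN question for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, txid):
    """Judge a reply to a query for a name that should not exist."""
    if len(response) < 12:
        return "inconclusive"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # not the reply to our query
        return "inconclusive"
    rcode = flags & 0x000F
    if rcode == 3:                  # NXDOMAIN: the resolver told the truth
        return "honest"
    if rcode == 0 and ancount > 0:  # NOERROR with records for a made-up name
        return "hijacked"
    return "inconclusive"           # SERVFAIL, REFUSED, empty NOERROR, ...

def probe(resolver_ip, suffix="com", timeout=3.0):
    """Send one probe for www.<random>.<suffix> to `resolver_ip`.

    Assumption: a random 16-hex-digit label is unregistered under `suffix`;
    pass suffix="invalid" (reserved by RFC 6761) for a guaranteed-absent name.
    """
    txid = int.from_bytes(os.urandom(2), "big")
    name = "www." + os.urandom(8).hex() + "." + suffix
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "inconclusive"
    return classify(data, txid)

if __name__ == "__main__":
    for ip in sys.argv[1:]:  # resolver IPs supplied by the user
        print(ip, probe(ip), probe(ip, suffix="invalid"))
```

Run it with the resolver addresses to compare as arguments; a resolver that rewrites only `www.` names under real TLDs will show `hijacked` for the first probe and `honest` for the `.invalid` one.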