Should I switch my current DNS server?
If you are just a regular Internet user (not self-hosting anything) and you are currently using your ISP’s DNS server, I would switch to a third-party DNS service (e.g. Cloudflare).
However, if you are self-hosting anything (e.g. email), I would run my own DNS resolver for reliability.
Here are my opinions on the three typical ways to get DNS.
ISP DNS Resolver: usually ok performance / no privacy
- Works out-of-the-box with your Internet service.
- Since you are using servers they control, always assume your ISP is logging your DNS requests (no privacy).
- Sometimes an ISP actually has worse DNS servers (slower, less secure) than a 3rd party DNS service.
- Many years ago, I made use of my ISP’s DNS resolving services. They would occasionally go down – every few months. It made it look like the Internet was “down”, but it was just their DNS resolvers that were down.
Third-Party DNS Resolver (e.g. Cloudflare, OpenDNS): good-to-excellent performance / potentially less private
- Can be faster than your ISP’s DNS resolvers. This is due to 3rd party DNS services having a very large network infrastructure. They can handle large amounts of traffic with ease.
- Cloudflare does support DNS-over-TLS. However this is just encrypting your connection to Cloudflare. When Cloudflare retrieves the DNS records for you – assuming they do not have a cached copy – that connection of theirs is unencrypted. This means the DNS records Cloudflare gets for you can be manipulated by a 3rd party, outside of Cloudflare’s control.
- Any server hosting a website using SNI (Server Name Indication) – without using the TLS 1.3 protocol – will send the domain name you are accessing in plain text for anyone on the path to see. This defeats the purpose of using an encrypted DNS service.
- Can help get around DNS blacklists your ISP may have implemented.
- Unless you are using a VPN service, your ISP will still have to route your connection to the website. This may give away where you are going on the Internet, even if your ISP cannot read your DNS queries.
Self-Hosted DNS Resolver (e.g. Unbound DNS): ok-to-good performance / potentially more private
- Useful if you want reliable lookups, since you are cutting out the middle-man handling your DNS requests.
- If you are self-hosting services (e.g. web and email), it is recommended to run your own DNS resolver. While not necessary, this will help prevent interruptions to your services.
- While there is no worry about the DNS server keeping logs (you are running it, after all), there still is the possibility of your ISP and/or other entities sniffing your DNS lookups and keeping a log that way. This is because DNS is inherently insecure (not encrypted).
- Unbound runs on FreeBSD, OpenBSD, NetBSD, macOS, Linux and Microsoft Windows.
- Unbound DNS does require some knowledge of DNS to be set up properly.
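As an added example (my own configuration, not taken from the Unbound project or from the original post), here is a minimal unbound.conf for the self-hosted setup described above. It runs as a full recursive resolver with DNSSEC validation turned on, which is what actually protects you against the tampering risk mentioned earlier for the unencrypted resolver-to-authoritative leg: a validating resolver returns SERVFAIL for records whose signatures do not check out instead of handing them to you. The LAN address, the trust-anchor path and the CA bundle path are assumptions for an ordinary Linux host and will differ on your system.

```conf
server:
    # Listen only where clients actually are; never expose this to the Internet.
    interface: 127.0.0.1
    interface: 192.0.2.10                # assumed LAN address (documentation range)
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow   # assumed LAN
    access-control: 0.0.0.0/0 refuse     # everything else: not an open resolver

    # DNSSEC validation; the file is created and maintained by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    harden-dnssec-stripped: yes          # treat missing signatures on signed zones as bogus
    harden-glue: yes

    # Send as little as possible to each authoritative server and to anyone sniffing.
    qname-minimisation: yes
    use-caps-for-id: yes                 # cheap spoofing resistance
    prefetch: yes                        # refresh popular records before they expire
    hide-identity: yes
    hide-version: yes

# Optional: instead of recursing yourself, forward everything over DNS-over-TLS.
# This hides the question from your ISP, but it reintroduces a third party that
# sees all of your lookups, which is the trade-off the post describes.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
#    forward-addr: 1.0.0.1@853#cloudflare-dns.com
#
# If you enable the forward-zone above, also set this in the server: section so the
# upstream certificate is actually verified (path assumed for Debian-style systems):
#    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
```

Check the file with unbound-checkconf before restarting, then point a client at the resolver and confirm validation is really happening: a query for a deliberately broken test zone such as dnssec-failed.org should come back SERVFAIL, while a normal signed name should return with the AD flag set.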