What upstream DNS forwarders do you use with VyOS?

Running VyOS as my edge router and currently have the DNS forwarding service pointing at Cloudflare (1.1.1.1 and 1.0.0.1). Works fine for the most part but I picked those without much thought when I first set it up.

Couple of questions for the community:

  1. What upstream DNS do you forward to and why did you pick it?
  2. Has anyone done actual latency testing to find the fastest resolver from their location rather than just going with the default recommendations?
  3. Is there a decent public list of DNS servers that gets kept up to date? The ones I keep finding online are full of dead servers.

I know running a recursive resolver (Unbound) is an option but for a small network the forwarding setup is simpler and I’d rather just pick the right upstream.

This is a general DNS resolver question rather than being VyOS related.

When using external resolvers, resilience would (within reason) seem to be more important than speed. As you mentioned yourself, running a local caching resolver (or two) is probably the best approach, but it is also harder work than using public resolvers.

I have not found any reliable list of public resolvers, which is kept up to date.

There are the three obvious public resolvers, which all have good coverage and would all be reasonably quick:-

  • Cloudflare 1.1.1.1
  • Google 8.8.8.8
  • Quad9 9.9.9.9

and my personal approach would be to list two, but from different providers.

All of them do DNSSEC.

But there is a potential catch: Quad9 provides additional protection by default and the others do not. Using Quad9 with a different secondary resolver will simply remove Quad9’s protections as blocked queries would simply failover to the secondary resolver. Furthermore, Quad9 advised me (which is not stated clearly on their website) that using 9.9.9.9 & their 149.112.112.112 does not provide any resilience against their network failure albeit that this is VERY rare. Quad9 does not provide an IP which does DNSSEC validation without protection.

Cloudflare provides (probably different) additional protection on 1.1.1.2.

Thus, if protection is wanted, my thoughts would be 9.9.9.9 & 1.1.1.2, otherwise probably 1.1.1.1 & 8.8.8.8.

In conclusion, this is largely a matter of personal taste…

  1. My ISPs. Picked because they’re very fast vs the public ones.
  2. Yes. That’s why I used them.
  3. Not that I’m aware of.

This myth that’s been pushed that your “ISP is monitoring you!” is such a great one. All it does is mean that you send your DNS data to someone that is highly interested in it. I’m sure in the US of A there’s a few giant ISPs that do, truly, mine your DNS data. But I’d suggest that most ISPs couldn’t care less.

If you’re picking Public DNS servers for “privacy” reasons I think you’d be much better off doing what @Apachez suggests, picking 2+ from a list of public ones. But I’d also be running an AdGuardHome/PiHole or similar caching DNS server which will do much more IMHO to increase privacy than using a “public” DNS server.

  1. ControlD. They have a customized ruleset for Hagezi’s ad list, which saves me from the trouble of setting my own DNS filtering server.

  2. I use GRC’s DNS performance test tool.

  3. I find this useful: Known DNS Providers | AdGuard DNS Knowledge Base

You could use a tool such as the GRC DNS Benchmark or dnseval to determine what is best from your endpoint. But for me most of the time I just end up using Quad9 for VyOS itself.
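A small stdlib-only latency probe in the spirit of that suggestion, added here as an example and not code from any poster or from VyOS: it sends raw UDP queries to each candidate resolver with a 2-second timeout (the usual stub-resolver default) and reports the median round trip, treating a timeout as a miss rather than a slow sample. The resolver list and the example.com/example.net names are constructed placeholders to swap for your own candidates.

```python
import socket, statistics, struct, time, secrets

# Constructed candidate list; replace with the resolvers you are comparing.
RESOLVERS = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8", "Quad9": "9.9.9.9"}
TIMEOUT_S = 2.0  # the usual 2000 ms stub-resolver default, so a miss shows as "timeout"

def build_query(name: str, qtype: int = 1) -> tuple:
    """Minimal DNS query (RD=1, one question); returns (packet, transaction id)."""
    txid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1), txid

def parse_response(pkt: bytes, txid: int) -> dict:
    """Pull RCODE and answer count from the header; reject a txid mismatch."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    return {"rcode": flags & 0x000F, "answers": an}

def time_query(server: str, name: str, timeout: float = TIMEOUT_S):
    """One UDP query; returns (latency_ms, parsed header) or (None, 'timeout')."""
    pkt, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        try:
            s.sendto(pkt, (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None, "timeout"
    return (time.perf_counter() - t0) * 1000, parse_response(data, txid)

def benchmark(resolvers: dict, names, runs: int = 3) -> dict:
    """Median round-trip per resolver; None if every query timed out."""
    result = {}
    for label, ip in resolvers.items():
        probes = (time_query(ip, n) for n in names for _ in range(runs))
        samples = [ms for ms, _ in probes if ms is not None]
        result[label] = statistics.median(samples) if samples else None
    return result

if __name__ == "__main__":
    # Repeat queries are answered from the resolver's cache, so this measures the hop to it.
    for label, ms in benchmark(RESOLVERS, ["example.com", "example.net"]).items():
        print(f"{label:10} {'timeout' if ms is None else f'{ms:7.1f} ms'}")
```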

  1. I use my own resolver. If you want a combo with ad/trackblocking then use Adguard Home, PiHole, Technitium or such.

  2. Latency doesn’t really matter for DNS resolving. The reply will be cached at the resolver and at your own DNS-client, so whether the first lookup takes 10ms or 20ms is not something you will ever notice. The only issue is when you pass the default timeout of 2000ms (2 seconds), which you often notice when trying to SSH to a box and it takes like 4 or 6 seconds before the login prompt shows up. That’s often caused by a missing PTR-record, so the SSH-server will first use the 1st DNS-resolver, which times out, then use the 2nd, and if you have a 3rd configured it will ask that as well before failing all three and bringing the prompt to the client anyway.

  3. The usual suspects are:

  • Cloudflare: 1.1.1.1 and 1.0.0.1
  • Google: 8.8.8.8 and 8.8.4.4
  • Quad9: 9.9.9.9 and 149.112.112.112

Some more are listed here: