Today's article might have also fit in the security sub-forum...

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
11,792
Reaction score
10,356
Credits
97,550
Though, it might have done even better in the privacy sub-forum, but we don't have one of those. It wasn't necessarily security - though it could be - related. It depends on how and why you're using it. Kinda like how a hammer is a tool or a weapon, depending on what you're doing with it at the time!

What is it? Changing your DNS servers. If you want to change DNS servers, it's not all that complicated. I even used ChatGPT to write a couple of paragraphs to explain what DNS was, though I usually just sum it up as being similar to a telephone book. ChatGPT did a much better job than I do, so I included it.


I do love me some feedback, but I'll be in and out today. On top of that, my connection to the web is a bit touchy today.
 


As usual, I have a few things to say about this.
  • Some DNS Servers are Malicious. Know Which DNS Servers You Use -
    Hackers set up public DNS servers and use them for malicious intent.
    • You are not likely to encounter them unless your system is infected ... but ...
    • -> ... You should know which DNS services you use. Check the settings. Be sure they are familiar and what you expected to see.
  • It May Be Worth Your Time to Benchmark DNS Servers -
    • Small improvements can result in better DNS responsiveness. Systems will seem "snappier."
    • Even if you don't bother to run a benchmark tool, take the time to ping the DNS servers you use, to see their round trip times.
    • I have always used the tool from GRC. It is old and clunky, but it works. I know it and it is free: https://www.grc.com/dns/benchmark.htm
      • If you don't like the GRC tool, you can probably find something easier and better on the internet. I never bothered to look.
    • Be wary: DNS benchmark tools send a flood of DNS requests to many DNS servers. They can trigger firewalls, including upstream ones beyond YOUR firewall. It can trigger alerts, alarms, automatic blocks, and panic attacks ... be smart about how you use it.
      • Honestly, I am exaggerating (a lot). It is not nearly as bad as that, but just be aware. The worst I've seen was the local firewall blocked the test machine. The firewall was easily adjusted for the test, then returned to its original setting.
    • Before you run the benchmarks, remember to add the DNS servers that the local ISP instructs you to use. If you have a dynamic public IP address, learn which DNS servers they offer to you via DHCP. Dynamic IP addresses are common for most residential internet services and many others.
      • Don't assume that the ISP-provided DNS servers are "best for you" or even "fastest response". It is not always true.
      • Caveat: ISP-recommended DNS servers (from DHCP) change more often than I expected. At least the ones offered by our ISP do.
    • When you are done, you should have a selection of public DNS servers that you can choose from.
      • -> Choose the ones with fast responses for the best performance, but think about other considerations like availability or "family friendly". If one or two of the "too big to fail" DNS servers are high on the list, you may want to include them to maintain availability in case your other DNS server choices are down.
      • More than once people have come to me to say that the performance boost was "amazing!" or "fantastic!". In fairness, they started out with poorly configured DNS.
  • Special DNS Filtering Features for Families and Others -
    • The typical ones block DNS lookups that are inappropriate for children.
    • Others may preferentially block objectionable websites based on categories that the user selects to allow or reject. Those are only as good as the databases behind them and how well they are maintained.
    • For most families, those special filters are a mere speed bump except for the youngest family members. Your children know how to bypass whatever automated solutions you deploy. Just ask, and watch their expressions when they answer.
    • ... Some governments filter DNS on behalf of their citizens to make sure that they see only "appropriate" content. I will not opine on that.
  • Public DNS Servers Come and Go. Check Your Settings Periodically -
    The last time I checked, I was surprised to notice that two of the DNS servers in my list were no longer operating public DNS services. It doesn't help to send out DNS requests to servers that do not respond.
  • The Linux Tip (above) Does Not Apply to Some Linux Servers -
    • I have an OpenVZ VPS. The DNS is configured differently for them. (It is currently running Debian 10, but this hint applies to many distros on OpenVZ.)
      • Editing /etc/resolv.conf or /etc/network/interfaces does no good because they are overwritten at startup.
      • There are comments in the resolv.conf and interfaces files with a warning NOT to edit them. They also provide very sparse instructions.
    • It is not only OpenVZ VPS servers. The same issue may appear on other types of servers, too.
I would have added a bullet related to DNS security and who can monitor your DNS lookups. That could easily be another thread. More important - it is already discussed in the Linux Tip.

Edit: Fixed typo.
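As an added example (not code from any post in this thread), here is a Python script that does the two checks above in one pass: it lists the nameservers in resolv.conf, flags any you did not deliberately choose, and times a raw UDP DNS query to each (a DNS round trip rather than an ICMP ping, since some resolvers drop ping). SAMPLE_RESOLV_CONF and KNOWN_RESOLVERS are constructed assumptions; replace them with your own file and your own list.

```python
"""Audit the resolvers in resolv.conf and time a raw DNS query to each."""
import random
import socket
import struct
import time

# Constructed sample resolv.conf content (not copied from a real machine).
SAMPLE_RESOLV_CONF = """\
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 192.168.1.1
nameserver 1.1.1.1
nameserver 203.0.113.77
search home.lan
"""

# Assumption: the resolvers you chose on purpose (your router plus one public one).
KNOWN_RESOLVERS = {"192.168.1.1", "1.1.1.1"}

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def unexpected_resolvers(servers, known=KNOWN_RESOLVERS):
    """Resolvers present in the config that you did not choose: investigate these."""
    return [s for s in servers if s not in known]

def build_query(name, txid):
    """Build a minimal RFC 1035 A query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def time_query_ms(server, name="example.com", timeout=2.0):
    """Round-trip time in ms for one UDP query, or None if no matching reply arrives."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            start = time.monotonic()
            sock.sendto(build_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, port unreachable, no route
            return None
    elapsed = (time.monotonic() - start) * 1000
    # Only count a reply whose transaction id matches the query we sent.
    return elapsed if struct.unpack("!H", data[:2])[0] == txid else None

if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    for s in unexpected_resolvers(servers):
        print(f"WARNING: {s} is not a resolver you chose")
    for s in servers:
        print(s, time_query_ms(s))
```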
I would have added a bullet related to DNS security and who can monitor your DNS lookups.

These days, folks might want to do DNS over HTTPS. That'll help with that.
 
For many, if not most, home computers running through a router, the /etc/resolv.conf nameservers are the router address, so DNS is provided by the ISP, which parcels off a lot of possible issues.
 
For many, if not most, home computers running through a router, the /etc/resolv.conf nameservers are the router address, so DNS is provided by the ISP, which parcels off a lot of possible issues.
That is a very good point.

Many of my comments above apply more to the DNS settings in your router. If you run benchmarks or want to try to improve DNS performance by finding faster public DNS servers to use, then most likely your new DNS selections would be updated in your router using its interface. The router goes to the public DNS servers on behalf of your devices for DNS lookups that it does not already have in its cache.

As @osprey points out, the computers and devices in your home use the router itself as their DNS server, so you make only one change to update public DNS server selections (in the router), rather than configuring every device behind the router.

You can always configure your Linux computer as described in the Linux Tip to try different DNS settings before you decide to change them in your router. There is no reason that a device in your home is required to use the router for DNS unless you decide to enforce such a rule yourself.
 
We have DNS Blocking where I am...so changing my DNS is the first thing I do. I did this until a few years ago (2018)...now I encrypt my DNS every time I do a clean install.
https://www.linux.org/threads/do-you-encrypt-your-dns.42045/