Mark Minasi's Tech Forum
Pieter

Senior Member
Posts: 158
#1
Is it a good idea to point my internal DNS servers to the Google DNS servers?
Are they still in beta?
Any security thoughts?

Up till now I've always used the DNS servers of the provider where the internal DNS server has its connection to the Internet.

__________________
Pieter Demeulemeester
0
donoli

Senior Member
Posts: 522
#2
https://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

A million Google accounts were breached a while ago. That doesn't mean that the DNS was hijacked, but who knows? I never trusted Google, on other issues.
0
wkasdo

Administrator
Posts: 194
#3
Question is: who are you going to call when you have a problem with DNS? Not Google, that's for sure. If you are satisfied with the DNS service of your ISP, why not stick with it?
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
0
Pieter

Senior Member
Posts: 158
#4
>> If you are satisfied with the DNS service of your ISP, why not stick with it?

No complaints about the DNS services of our providers. It's about manageability.
I have about 25 sites and about 5 different Internet providers. For each site I have to check the provider and have to config the DCs and the firewalls accordingly.
Sometimes people change their providers without letting me know...
So I figured if I could use one and the same external DNS for all our internal DNS servers, it would be easier for me.


__________________
Pieter Demeulemeester
0
wobble_wobble

Associate Troublemaker Apprentice
Posts: 825
#5
As per Willem, local ISP DNS.
Add in Google DNS as well or OpenDNS if you want more.



__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
0
Phil-n-JaxFL

Grumpy Old Men
Posts: 82
#6
With all of the IANA root DNS servers, why would you use Google?
__________________
Phil
0
cj_berlin

Senior Member
Posts: 239
#7
Quote:
Originally Posted by Phil-n-JaxFL
With all of the IANA root DNS servers, why would you use Google?

Phil,

it's not the same. Google's is a caching resolver, so if you ask for a well-visited hostname such as newforum.minasi.com, chances are it will give you an up-to-date address without having to ask anybody else.

Root servers only hold information about the DNS servers for TLDs. So if you ask an IANA root for newforum.minasi.com, it will only give you the DNS servers that serve .com:
[screenshot: dnsroot.PNG]

You then have to ask one of those to get a list of servers that serve minasi.com:
[screenshot: dnscom.PNG]

Only by asking one of those will you get the address you are after. Whereas at Google's you get the results directly:
[screenshot: dnsgoo.PNG]



__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
Pieter

Senior Member
Posts: 158
#8
Thanks for the replies and the thoughts.

Concerning cj_berlin's reply:
- Forwarders = recursive = less work for the internal DNS server
- Root hints = iterative = more work for the internal DNS server
see https://technet.microsoft.com/en-us/library/cc961401.aspx
That's why I prefer Forwarders.


And what about the Beta status? Are the Google DNS servers still beta and thus less reliable?

__________________
Pieter Demeulemeester
0
dennis-360ict

New Friend (or an Old Friend who Built a New Account)
Posts: 58
#9
My personal opinion (but I don't use Facebook/WhatsApp for that reason, so I'm a bit extreme) is not to use the Google DNS because I'm sure they are using it for tracking (no proof, also an opinion). I would use the OpenDNS servers which are mentioned previously. But as I said, it's only my opinion.
__________________
-----
Home is where is sleep
0
cj_berlin

Senior Member
Posts: 239
#10
+1 for openDNS. Fast, reliable (so far) and, if you are willing to pay, you can get some additional security features.
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
donoli

Senior Member
Posts: 522
#11
Dennis, I agree about the tracking thing.
0
anthonymaw

New Friend (or an Old Friend who Built a New Account)
Posts: 13
#12
Google's DNS servers are the fastest public DNS available but if you want better security you should use the Cisco OpenDNS servers:

208.67.222.222

208.67.220.220

__________________
Anthony Maw, B.Sc., MCSE, Vancouver, Canada, Earth, Solar System, Milky Way Galaxy.....
Tel/SMS: +1 604-318-9994
http://www.anthonymaw.com
0
wobble_wobble

Associate Troublemaker Apprentice
Posts: 825
#13
Anthony

Why do you say the OpenDNS server is more secure?

Found this - Method and system for detecting and responding to attacking networks published in 2013 but filed in 2006.

I'm paranoid, but am I paranoid enough?
Interesting book to read

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
0
cj_berlin

Senior Member
Posts: 239
#14
Joe,

for a paying customer, they *can* be *somewhat* more secure because you can utilize their community cataloguing and rating at name resolution time. So you can, for instance, say, any domain tagged 'p0rn' or 'h@t3' by openDNS is to be blocked, i.e. the asking resolver will get an NXDOMAIN.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
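An added example, not part of any post in this thread: one way to catch the forwarder drift Pieter describes across many sites, and to confirm that every internal DNS server really sends its queries to the filtering resolver discussed above rather than falling back to root hints. The approved list uses the OpenDNS addresses quoted in post #12 as an assumption; the function names, host names and sample inventory are constructed for illustration.

```powershell
# Added example. Assumption: the approved forwarders are the OpenDNS
# addresses quoted in post #12; substitute your own policy.
$ApprovedForwarders = @('208.67.222.222', '208.67.220.220')
function Get-ForwarderInventory {
    # Live collection (hypothetical helper); needs the ActiveDirectory and
    # DnsServer RSAT modules. Servers that fail to answer produce a warning.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $fwd = Get-DnsServerForwarder -ComputerName $dc.HostName -ErrorAction Stop
            [pscustomobject]@{
                Server      = $dc.HostName
                Site        = $dc.Site
                Forwarders  = @($fwd.IPAddress | Where-Object { $_ } | ForEach-Object { "$_" })
                UseRootHint = $fwd.UseRootHint
            }
        } catch {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

function Test-ForwarderDrift {
    # Compares one inventory entry against the approved list (hypothetical helper).
    param([Parameter(ValueFromPipeline)]$Entry, [string[]]$Approved)
    process {
        $unexpected = @($Entry.Forwarders | Where-Object { $_ -notin $Approved })
        $missing    = @($Approved | Where-Object { $_ -notin $Entry.Forwarders })
        [pscustomobject]@{
            Server     = $Entry.Server
            Site       = $Entry.Site
            Unexpected = $unexpected -join ', '
            Missing    = $missing -join ', '
            # If forwarders time out, the server resolves via root hints and
            # bypasses whatever filtering the forwarder applies.
            RootHintFallback = [bool]$Entry.UseRootHint
            Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Constructed sample inventory so the comparison runs without a domain.
$sample = @(
    [pscustomobject]@{ Server = 'dc01.corp.example'; Site = 'HQ'
        Forwarders = @('208.67.222.222', '208.67.220.220'); UseRootHint = $false }
    [pscustomobject]@{ Server = 'dc07.corp.example'; Site = 'Branch07'
        Forwarders = @('192.0.2.53'); UseRootHint = $true }
)
$sample | Test-ForwarderDrift -Approved $ApprovedForwarders | Format-Table -AutoSize
# Live use: Get-ForwarderInventory | Test-ForwarderDrift -Approved $ApprovedForwarders
```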
wobble_wobble

Associate Troublemaker Apprentice
Posts: 825
#15
I've not used the OpenDNS paid solution.
...ScanSafe and their wonderful solution that relies on both pac/ gpo and tight integration to get you to go to their towers....
and the openings in that...

I've not used the full Umbrella solution yet, but I have a huge difficulty with ScanSafe.

I've seen Chrome stop access or make it real difficult to get at bad sites, one very recently, that did manage to get through the above mentioned solution.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
0