
DNS (Domain Name System)

The commercial firewall product I use, Kerio Connect from GFI (disclosure: I am a GFI Partner), includes a web content filter, allowing me to block access to certain categories of websites. Over the last three weeks, the web filter tool has become disabled in my firewall, due to DNS timeouts, according to the system logs. I have one firewall installed at one site connected to AT&T Fiber and another firewall for another site connected to Comcast Business cable.

I have long been using OpenDNS' DNS servers [208.67.222.222 · 208.67.220.220] as the DNS source for the DNS forwarding service in the firewall. GFI support had me try Google's servers (8.8.8.8 · 8.8.4.4) instead. After clearing the DNS-forwarding cache in the firewall and re-enabling the web filter service, the service would time out again in about 5 minutes.

I switched to AT&T's DNS (12.127.17.72 & 12.127.16.68) on the AT&T fiber network and to Comcast's (75.75.75.75 & 75.75.76.76) on the Comcast network. The problem disappeared.

I can also see much longer transmission times reported by a traceroute when accessing OpenDNS or Google DNS compared to AT&T DNS from the AT&T network.

So, my cynical mind is wondering if both AT&T and Comcast are punishing traffic headed for a third-party DNS server instead of AT&T's server.

My skepticism and inkling to using a DNS like OpenDNS is based in part on my prior experience with AT&T Wireless intercepting traffic when viewing MacInTouch.com from my iPhone: A few years ago, I traded emails with Ric when I found random "&" symbols inserted into the content of MacInTouch posts when on AT&T Wireless (and it was not a display glitch: I could copy-paste the "&" and Ric confirmed the "&" was not there in the source): if I re-enabled WiFi and went over Comcast or Sonic.net and refreshed the page, the "&" went away. Turn off WiFi to switch back to AT&T and the "&" returned.
 


Ric Ford

MacInTouch
A few years ago, I traded emails with Ric when I found random "&" symbols inserted into the content of MacInTouch posts when on AT&T Wireless (and it was not a display glitch: I could copy-paste the "&" and Ric confirmed the "&" was not there in the source): if I re-enabled WiFi and went over Comcast or Sonic.net and refreshed the page, the "&" went away. Turn off WiFi to switch back to AT&T and the "&" returned.
At the time, we did extensive testing to confirm that AT&T Wireless was, in fact, changing the content transmitted from the macintouch.com server to the customer en route. (And AT&T wasn't alone in performing such dirty tricks.)
 


I have long been using OpenDNS' DNS servers [208.67.222.222 · 208.67.220.220] as the DNS source for the DNS forwarding service in the firewall. GFI support had me try Google's servers (8.8.8.8 · 8.8.4.4) instead. After clearing the DNS-forwarding cache in the firewall and re-enabling the web filter service, the service would time out again in about 5 minutes.
I had used OpenDNS service for a long time, configured in my router to serve my LAN, but a month ago I switched to Cloudflare's 1.1.1.1 service due to issues with slow-loading web pages, and that seems to have fixed things. I didn't run any analysis tools to get a deeper insight into what's happening. My ISP is WOW - WideOpenWest. Maybe give Cloudflare a try?
 


Ric Ford

MacInTouch
Here's software for checking DNS integrity, access, and performance:
Google said:
Namebench
It hunts down the fastest DNS servers available for your computer to use. Namebench runs a fair and thorough benchmark using your web browser history, tcpdump output, or standardized datasets in order to provide an individualized recommendation. Namebench is completely free and does not modify your system in any way. This project began as a 20% project at Google.

Namebench runs on Mac OS X, Windows, and UNIX, and is available with a graphical user interface as well as a command-line interface.
Gibson Research said:
DNS Benchmark
A unique, comprehensive, accurate & free Windows (and Linux/Wine) utility to determine the exact performance of local and remote DNS nameservers ...
  • Compatible with Wine (Windows emulation) running on Linux and Macintosh.
 


Here's software for checking DNS integrity, access, and performance:
Namebench has not been updated in over eight years, so it does not include many of the currently available public DNS name servers and also gives a lot of bad information about bad IP addresses. I also found the results to vary greatly depending on conditions at the time it was run, getting different results almost every time I checked.

I've never had a need to run Wine, so can't report anything about DNS Benchmark.

I found Namehelp from Northwestern University to be a better solution, since it runs periodically and switches to the fastest found each time. It, too, was abandoned for a few years, but I see that v2.0.1 has since been released in beta for Sierra+. I'll give it a try when I have the time.
Namehelp
improves web performance by obtaining more accurate redirections to nearby content delivery network servers.
Basically, namehelp improves your web performance when either you or your ISP uses a remote DNS service.
The latest tool I'm aware of is DNS Performance Test, a shell script to test the performance of the most popular DNS resolvers from your location.
 


I added a DNS server test to my WhatRoute app a few months back. The test measures the time taken to do lookups at a bunch of name servers. You can easily add or delete servers from the list, though the defaults cover all the common ones. My conclusion after using it a few times was that the Linux caching name server on my LAN gave the best results.
 


Ric Ford

MacInTouch
I added a DNS server test to my WhatRoute app a few months back. The test measures the time taken to do lookups at a bunch of name servers. You can easily add or delete servers from the list, though the defaults cover all the common ones. My conclusion after using it a few times was that the Linux caching name server on my LAN gave the best results.
That's very cool! I just downloaded the new version and found the DNS test under the menu Window > DNS Server Performance with some options and a Measure button.

My first test run showed times on the order of 230, while subsequent runs were an order of magnitude faster (even after quitting and restarting the app). I assume that's due to DNS caching in the macOS.... [Update: These tests were misleading, because I had a special networking system in place, and should be run again in a normal network environment.]
 


My first test run showed times on the order of 230, while subsequent runs were an order of magnitude faster (even after quitting and restarting the app). I assume that's due to DNS caching in the macOS....
That's interesting. The tests make direct queries to the remote name servers and deliberately avoid using the macOS resolver. Maybe there's some local linkage going on that I have yet to find, but I was pretty careful in the design to avoid any macOS caching. Maybe the queries are intercepted by your ISP through some kind of transparent proxy (LOL - not trying to introduce a conspiracy theory here).

Also - if anyone has 'favourite' public servers that are not in WhatRoute's default list, I can easily add them.
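As an added illustration of the approach described in this post (querying remote name servers directly, bypassing the macOS resolver and its cache), here is a small Python timing script; it is not WhatRoute's code, and the resolver list and query name are constructed samples. Replies whose transaction id does not match the query are discarded rather than timed, so a stray or intercepted packet cannot masquerade as a fast answer.

```python
import os
import socket
import struct
import time

# Constructed sample of the public resolvers discussed in the thread.
RESOLVERS = {"OpenDNS": "208.67.222.222", "Google": "8.8.8.8", "Cloudflare": "1.1.1.1"}

def build_query(name, txid):
    """Minimal RFC 1035 query packet: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(data, expected_txid):
    """Return (rcode, [A-record IPs]), or None if this is not an answer to our txid."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:   # wrong id, or not a response
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4        # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record: four address bytes
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def time_lookup(server, name, timeout=2.0):
    """Milliseconds for one UDP query sent straight to `server`; None on timeout/bad reply."""
    txid = int.from_bytes(os.urandom(2), "big")    # random id, checked on the way back
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return None if parse_response(data, txid) is None else (time.monotonic() - start) * 1000
```

Call time_lookup for each entry in RESOLVERS (and for your ISP's own servers) to compare them from your network; a None result is the same kind of timeout reported in the first post.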
 



My conclusion after using it a few times was that the Linux caching name server on my LAN gave the best results.
I don't see how that would be surprising, as it most certainly would be the case for anybody using a local DNS cache server. The only remaining question would be what's best for the times you need to access a new site. Depending on how often you do so, it probably isn't worth knowing.
 


Ric Ford

MacInTouch
For what it's worth from Apple:
Apple Support said:
Non-responsive DNS server or invalid DNS configuration can cause long delay before webpages load
If your webpages aren't loading as quickly as expected, it might be related to your DNS configuration.

If there's an issue with your DNS configuration, trying to access a website by its DNS name, such as www.apple.com, might seem slower than accessing the same site by its numerical IP address, such as https://17.172.224.47. Two causes of the issue are described below.
There have long been issues with Apple's DNS software, too. Here are instructions for clearing Apple's DNS cache:
iGeeksBlog said:
And here's more about an earlier DNS debacle:
Ars Technica said:
Networking: mDNSResponder
Turns out, the mDNSResponder daemon that is in charge of discovering services running on other systems connected to the local network (and responsible for handling DNS requests required to connect to the Internet) was replaced with a new discoveryd daemon. Naturally, replacing code that has been refined over a decade with something completely new would introduce some bugs, but the number and severity of the issues caused by the change was surprising to say the least. It's particularly strange considering that discoveryd doesn't actually power any of the new Continuity features, as we learned when we replaced discoveryd with the old OS X 10.9 mDNSResponder. This made all of the new issues disappear while Continuity continued to work. A few months later, in true Steve Jobs-ian fashion, the daemon that founded Bonjour network service discovery and then got kicked out was brought back to turn the sinking ship around.

Word on the street is that going back to mDNSResponder allowed Apple to close 300 separate bug reports.
 



Lately I've been having a DNS problem. I set the DNS server to the OpenDNS IP numbers a long time ago in my Mac. However, recently the settings are being reverted to my ISP's IP numbers. I change them back to OpenDNS and the cycle repeats. How can I make the OpenDNS IP numbers stick? I even used Malwarebytes to look for any malware and it comes up clean.

The DNS IP numbers that are coming up are:
68.105.28.11
68.105.29.11
68.105.28.12

I'm perplexed. Thank you.
 


Lately I've been having a DNS problem. I set the DNS server to the OpenDNS IP numbers a long time ago in my Mac. However, recently the settings are being reverted to my ISP's IP numbers. I change them back to OpenDNS and the cycle repeats. How can I make the OpenDNS IP numbers stick?
Try changing them in your router, and point your Mac at the router for DNS.
 


Lately I've been having a DNS problem. I set the DNS server to the OpenDNS IP numbers a long time ago in my Mac. However, recently the settings are being reverted to my ISP's IP numbers.
How did you "set the DNS server", and how do you know "the settings are being reverted"?

Usually, DNS is set using DHCP. That means that your computer periodically asks all devices on your local network what DNS servers to use. Usually a local network has one device that provides the information; this device is your router and the DHCP DNS address it provides is the local address of the router, typically 192.168.1.1. In this situation, the router will act as a caching DNS server and use other DNS servers to get DNS. It may use DHCP to get the DNS servers that it will use, by querying your ISP's network (that is, one level up from your local network). Often you can override this in the settings for your router and specify the DNS servers your router will use.

The most common alternative is to set DNS manually, in which case your computer will always use the specified DNS servers. You can set DNS manually by entering the desired DNS server addresses in the System Preferences > Network > Advanced > DNS > DNS Servers.

Notes:
  1. No matter what DNS your computer and/or router ask for, your ISP can intercept DNS requests and send them wherever they want, unless you are using DNSSEC or something similar. This isn't common, however.
  2. Using a VPN typically involves changing your DNS servers while the VPN is connected, usually to use the VPN provider's or third-party DNS servers.
 


Speaking of breaches, the Network Solutions breach really got me mad. They sent an email (4 days after it was disclosed) with a link (I'm not clicking it) to log in and change password. But their disclosure says no passwords were compromised. Yeah, right. This is why I took Ric's advice and moved most of my domains to Hover. One more remains and it's up in 10 months, but I will move it sooner. Network Solutions (a.k.a. Web.com out of Florida) is sleazy with their constant emails that your "web domain is about to expire" and you have 6-9 months before it does. Then their web pages are like billboards for services (hosting, domain protection, etc.).

Worse, they are so expensive, I don't think anyone realizes how great Hover's prices are!
(I was in shock that NetSolutions was charging me $75 for two years for just a domain!)
 


I have signed up our company for a two-week free trial with DNSfilter.com. But now I'm hearing a lot of buzz about DNS over HTTPS ("DoH") and some comments that this will render a service like DNSfilter useless / obsolete. Can anyone with knowledge offer some feedback on this?
 


I have signed up our company for a two-week free trial with DNSfilter.com. But now I'm hearing a lot of buzz about DNS over HTTPS ("DoH") and some comments that this will render a service like DNSfilter useless / obsolete.
Mozilla / Firefox is in the forefront of implementing privacy enhancing DNS over HTTPS. It will be under user / system administrator control.
Mozilla said:
What’s next in making Encrypted DNS-over-HTTPS the Default
Sept. 6, 2019
We found that OpenDNS’ parental controls and Google’s safe-search feature were rarely configured by Firefox users in the USA. In total, 4.3% of users in the study used OpenDNS’ parental controls or safe-search
  • Respect user choice for opt-in parental controls and disable DoH if we detect them;
  • Respect enterprise configuration and disable DoH unless explicitly enabled by enterprise configuration;
 


Ric Ford

MacInTouch
Speaking of breaches, the Network Solutions breach really got me mad. They sent an email (4 days after it was disclosed) with a link (I'm not clicking it) to log in and change password. But their disclosure says no passwords were compromised. Yeah, right. This is why I took Ric's advice and moved most of my domains to Hover. One more remains and it's up in 10 months, but I will move it sooner. Network Solutions (a.k.a. Web.com out of Florida) is sleazy with their constant emails that your "web domain is about to expire" and you have 6-9 months before it does. Then their web pages are like billboards for services (hosting, domain protection, etc.).
Worse, they are so expensive, I don't think anyone realizes how great Hover's prices are!
(I was in shock that NetSolutions was charging me $75 for two years for just a domain!)
Register.com also failed its customers with another security breach:
Register.com said:
Important Security Information
October 30, 2019

What Happened?
On October 16, 2019, Register.com determined that a third-party gained unauthorized access to a limited number of our computer systems in late August 2019, and as a result, account information may have been accessed.
...
What Information Was Involved?
Our investigation indicates that account information for current and former Register.com customers may have been accessed. This information includes contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder.
I agree about Hover.com, and a friend recently made a successful transition at my suggestion from Network Solutions, which had become astoundingly bad.
 


.... This is why I took Ric's advice and moved most of my domains to Hover.... I don't think anyone realizes how great Hover's prices are!
(I was in shock that NetSolutions was charging me $75 for two years for just a domain!)
Two additional points in favor of Hover: their reasonable prices include privacy masking of your registration info, and they support true TOTP two-factor login.
 


Two additional points in favor of Hover: their reasonable prices include privacy masking of your registration info, and they support true TOTP two-factor login.
While I agree that NetworkSolutions is overpriced, they have one service that Hover unfortunately does not support: Catch-all mail boxes. By being careful about names I supply when asked for my email address online, I can track the source of email, and it is especially useful when there has been a data breach: phishes received identify the source of the breach in the To: address field. I'd be interested in moving from NetworkSolutions if I could find Hover pricing + catch-all mail.
 


Ric Ford

MacInTouch
While I agree that NetworkSolutions is overpriced, they have one service that Hover unfortunately does not support: Catch-all mail boxes. By being careful about names I supply when asked for my email address online, I can track the source of email, and it is especially useful when there has been a data breach: phishes received identify the source of the breach in the To: address field. I'd be interested in moving from NetworkSolutions if I could find Hover pricing + catch-all mail.
Email and DNS are completely different services... and most email services offer catch-all mailbox options of various types. I'd recommend using an email provider (e.g. FastMail) for email.

In other words, use Hover to create and manage your domain name, but use an email provider to manage email for that same domain name. Here are some example options and procedures:
Here are some other helpful notes from FastMail on related topics:

#email #dns #domainnames #spam
 


Worse, they are so expensive, I don't think anyone realizes how great Hover's prices are!
(I was in shock that NetSolutions was charging me $75 for two years for just a domain!)
I'll just put in my own plug here again for NameSilo. I've been using them successfully for 3 years now. They have even cheaper prices than Hover, and all the same features (plus more maybe). They support free Whois Privacy, account TOTP, free DNS hosting, free e-mail forwarding, free domain parking or forwarding, DNSSEC, and low-cost web and email hosting (if that's what you want).

Email and DNS are completely different services... and most email services offer catch-all mailbox options of various types. I'd recommend using an email provider (e.g. FastMail) for email.
I'd be interested in moving from NetworkSolutions if I could find Hover pricing + catch-all mail.
Even with Network Solutions, Domain Registration and E-mail hosting are two different services that you're paying for. If you really love Network Solutions' e-mail (or just don't want the hassle of changing it), you can change your domain registration to someone else, and keep your e-mail with NetSol. As it says on their product page:
Network Solutions said:
Do I have to have my domain name registered with Network Solutions to use your email? No. Having your domain registered with Network Solutions is not required.
 


Email and DNS are completely different services... and most email services offer catch-all mailbox options of various types. I'd recommend using an email provider (e.g. FastMail) for email. In other words, use Hover to create and manage your domain name, but use an email provider to manage email for that same domain name. Here are some example options and procedures:
Here are some other helpful notes from FastMail on related topics:
This is what I have done. I moved all domain registration from GoDaddy to Hover, saving a bundle, since Hover includes private registration in their domain price where GoDaddy charged $15.99/domain. Then I got email from FastMail and use their DNS for my domains. The DNS was easy to set up and they handle the MX records for email to any of them and let me route them to whatever FastMail box I want.
 

