Public DNS Servers

The Domain Name System (DNS) is one of the services we take for granted every day. It works behind the scenes to resolve names to IP addresses, and it works so well that we can accept the defaults without clearly understanding how it does its job. Most ‘computer guys’, and even many IT professionals, don’t have a good grasp of this topic. Simply ask someone to define root hints and you will quickly learn how much a technician actually knows.

The biggest reason it is overlooked is that it simply works — until it doesn’t. But beyond that, the question exists — can it work better?

This article is about public DNS name resolution — that is, for things outside of your local environment. We’ll save local domain resolution for another day — such as your Active Directory domain name resolution.

So let’s take a quick look at what happens when you type a website name into a browser, perhaps the easiest example of this. Your local computer uses the following method to resolve the name, going down the list until it finds a match. At each step it is looking for a hit, which is typically a cached result.

  1. Your local computer first checks a local file, the hosts file, to see if a static IP is configured for the name.
  2. Then it checks its local DNS cache, so it doesn’t constantly have to ask another source.
  3. It then asks the DNS server configured on your network interface. This could be the DNS server for your local network (your AD server), or perhaps just your home wireless router. (In some very rare cases this step is skipped and your ISP’s DNS server is used directly.) Sticking with the local DNS server: it also checks its own cache first before going out to its upstream server, which is likely your ISP’s DNS server.
  4. Your ISP’s server also checks its cache; if that fails, it will either ask another upstream server or, hopefully, use root hints.
    1. Root hints are a sort of master directory of authoritative servers, which tell your server who to ask for authoritative information about a TLD such as .com or .net.
    2. Once it has the answer from the root zone, it queries those servers to find which DNS servers are authoritative for the next level, such as microsoft.com.
    3. Then it queries that server for the actual DNS hostname, such as www.microsoft.com.

As you can see, once you hit step 4 you are talking to many more servers, each at a distance, and each hop along the way adds latency, which is why we have DNS caching. There is a lot that could be said here, but I want to talk about two things in particular:

  1. Caching is essential for timely name resolution, but it comes at the cost of stale records. This is especially important for IT professionals to understand, because there is inherent latency involved with any DNS change. While local network DNS changes can propagate quickly, especially for AD-integrated zones, on the public internet a simple hostname change can take 24-72 hours to propagate, because each cache along the way holds on to the old data for a certain length of time, stated in the record as its TTL, or Time-To-Live.
  2. Public DNS servers are of extremely diverse quality, from the amount of data in their cache to their response time. For most internet service providers, DNS is a required afterthought: as long as it works, they don’t care. As a result, response times can be significant when you have to query your ISP’s DNS servers. Additionally, many ISPs don’t point you at a geographically near DNS server, so you might be traversing the internet to the other side of the continent to get a simple DNS response. Regional ISPs might not have a very good cache of DNS names, forcing them to go back to the root hints, which is time consuming, to build their cache.
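To make the lookup order and the TTL behaviour described above concrete, here is an added example in Python; it is not code from the original post. It builds a DNS query in wire format, parses the A records and their TTLs out of a reply, keeps a cache that drops an entry the moment its TTL runs out (the stale-record trade-off from point 1), walks the hosts-file, local-cache, upstream order from the numbered list, and measures a resolver’s response time over UDP as the median of several queries (point 2). The reply bytes and the 203.0.113.10 address are constructed for the example; the `example.*` names and the two resolver addresses in the `__main__` block are only there for the optional live run.

```python
import random
import socket
import statistics
import struct
import time

def build_query(name, txid=0x1234, qtype=1):
    """RFC 1035 query: header (RD=1, one question) + QNAME + QTYPE (1 = A) + QCLASS (1 = IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it in the message)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            end = offset + 2 if end is None else end
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_response(msg):
    """Return (txid, rcode, [(name, ttl, ipv4)]) for the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s): name, then QTYPE + QCLASS
        offset = _read_name(msg, offset)[1] + 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return txid, flags & 0x0F, answers

class TtlCache:
    """Keeps an answer only until its TTL runs out; the clock is injectable for testing."""
    def __init__(self, clock=time.monotonic):
        self._clock, self._entries = clock, {}
    def put(self, name, ip, ttl):
        self._entries[name.lower()] = (ip, self._clock() + ttl)
    def get(self, name):
        ip, expires = self._entries.get(name.lower(), (None, 0))
        if self._clock() >= expires:  # unknown or stale: evict and report a miss
            self._entries.pop(name.lower(), None)
            return None
        return ip

def resolve(name, hosts, cache, upstream):
    """Lookup order from the article: hosts file, then local cache, then the upstream resolver."""
    key = name.lower()
    if key in hosts:
        return hosts[key], "hosts"
    ip = cache.get(key)
    if ip is not None:
        return ip, "cache"
    rcode, answers = upstream(key)
    if rcode != 0 or not answers:
        return None, "rcode=%d" % rcode
    _, ttl, ip = answers[0]
    cache.put(key, ip, ttl)  # keep it exactly as long as the TTL allows, no longer
    return ip, "upstream"

def query_resolver(server, name, timeout=2.0):
    """One A query over UDP/53 (needs network); returns (elapsed_ms, rcode, answers)."""
    txid = random.randrange(1, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
        elapsed_ms = (time.monotonic() - start) * 1000.0
    rid, rcode, answers = parse_response(data)
    if rid != txid:
        raise ValueError("transaction id mismatch; discarding reply")
    return elapsed_ms, rcode, answers

def benchmark_resolver(server, names, query=query_resolver):
    """Median latency in ms across several names, so one slow outlier does not dominate."""
    return statistics.median(query(server, n)[0] for n in names)

def sample_response():
    """Constructed reply for example.com: TTL 300, RFC 5737 documentation address 203.0.113.10."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.10")
    return header + build_query("example.com")[12:] + answer

if __name__ == "__main__":  # live check against two of the public resolvers the post names
    print({s: benchmark_resolver(s, ["example.com", "example.net"]) for s in ("1.1.1.1", "8.8.8.8")})
```

The parser only trusts a reply whose transaction id matches the query it sent and only reads the TTL the answer carries, so a resolver that hands back inflated TTLs (the ISP behaviour mentioned at the end of the post) shows up directly in the parsed tuples if you log them across repeated queries.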

There can be a huge performance improvement from migrating away from your ISP’s DNS servers. I have been experimenting with many different options over the decades.

  • Many years ago Verizon had public DNS servers at 4.4.4.4 which were extremely popular, fast and reliable. However, they became flooded with IT professionals pointing their networks at 4.4.4.4, which hurt performance, so Verizon closed them to Verizon customers only. The address was so easy to remember that it was often used instead of the ISP’s DNS servers for that reason alone.
  • In 2009 Google released its public DNS servers at 8.8.8.8 and 8.8.4.4, which quickly became a popular replacement for the Verizon servers. As of this writing they are still publicly available.
  • Around the same time I was introduced to OpenDNS, which was recently acquired by Cisco for being awesome at DNS resolution. Beyond being a very fast, reliable and responsive DNS service, they also provided very basic DNS filtering, which helped IT professionals by keeping the really, really bad stuff from resolving. They also offer DNS-based content filtering, which lets businesses get basic filtering of objectionable content at low cost.
  • Starting in 2018, another company with deep DNS expertise, CloudFlare, entered the public DNS space with servers at 1.1.1.1 and 1.0.0.1. These are anycast addresses, so you are automatically routed to the DNS servers geographically closest to you. Benchmark testing shows that the 1.1.1.1 servers are significantly faster than anything else within North America, not only for cached records but also for uncached results.

Today when choosing a public DNS server for my clients, it comes down to either CloudFlare or OpenDNS. In environments where we have no other source of content filtering, then I prefer to use OpenDNS but if the client has some form of content filtering on their firewall then the answer is the CloudFlare 1.1.1.1 network.

One important thing to note is that after CloudFlare started using the 1.1.1.1 address, it exposed that some hardware vendors had been improperly using 1.1.1.1 as a local address, against RFC standards. So in some isolated cases 1.1.1.1 doesn’t work for some clients, but this is because the systems they are using are actually violating the RFC standards. This isn’t CloudFlare’s fault, but rather vendors disregarding the RFCs when they built their systems to use this unregistered space for their own purposes.

As far as how I personally use this as an individual, at home we use OpenDNS with content filtering to keep a bunch of bad stuff off of our home network, it even helps by filtering ‘objectionable ads’ from popping up often.

On my mobile devices, I have a VPN tunnel which I use on any network that will let me use a VPN, like at Starbucks, etc., and you can find more about this config in the Roadwarrior VPN Configuration article. But sometimes I cannot connect to the VPN due to firewall filtering, such as at holiday markets or at my kids’ school guest network, so in those cases I use the 1.1.1.1 DNS profile for my iPhone.

One other closing issue: there have been various ISPs in the past which force all DNS resolution through their own servers. In fact, there is one which, on each subsequent request for a record, artificially increases the TTL it returns, basically trying to get your system to cache the result longer. You’re pretty stuck if you run into this, but I would suggest complaining to your sales rep for that ISP. You can also look into DNS over TLS or DNS over HTTPS, but as of right now Windows doesn’t natively support either without third-party software; some very modern routers might support them, and I know that the DD-WRT aftermarket wireless firmware does. So you might have a bit more work to do to get it working.


The tools I use…

Here are some of my favorite applications I have installed on my computer, and often install right away, in no particular order:

  1. Microsoft Office Professional Plus – This is the obvious must have software for anyone interacting with other businesses. I really enjoy the seamless operation between products and how it makes interacting with the business world so much easier. I have tried Open Office, and it is a faster, less bloated office productivity suite and significantly less expensive. However, it is still only 90% real-world compatible with Microsoft Office, and thus can be a real pain. This is especially true when it comes to situations where page formatting is critical. When you factor that in, in many cases, the time I would spend working around the compatibility issues, Microsoft Office is actually less-expensive — something I think people need to consider a bit more often when looking at free tools… But alas, this list is filled with free tools!
  2. Microsoft Acrobat Professional – Yes, I have used (and continue to use) a number of low cost PDF creation tools such as pdf995 – which I really enjoy – and often recommend for users looking for simple print-to-pdf features; but I really appreciate all of the features which come in the full fledged product such as the ability to optimize scanned documents, perform OCR to make a scanned document searchable, and the ability to create interactive forms.
  3. Notepad++ is probably the best text editor I have used in a long time. It is a great improvement over the built in Notepad. The color coding when viewing code such as HTML, PHP or Java is very helpful, and there are additional plug-ins available.
  4. CuteHTML is no longer a developed application, but I have used it for so long that I am simply used to its interface and appreciate the built-in FTP client. I use it frequently to edit HTML and PHP code. I know there are better applications out there, but this is simply used out of familiarity and habit.
  5. CuteFTP was my preferred paid FTP application for ages, but I have honestly stopped installing it on new systems and simply use FileZilla, whose features match closely enough to meet 99% of my needs. This program permits multiple FTP downloads from multiple FTP servers at the same time and supports FTP, SFTP and FTPS. It is mature and actively developed.
  6. Virtual Drive Clone – my favorite application for mounting ISO images as optical media.
  7. Microsoft One Note – while technically part of the Microsoft Office Suite above, I call this one out for two tools that a lot of people don’t know about. First is that there is a screen clipping tool built into it. There are a lot of screen clipping tools available, both free and paid for, but this one is already built into a Microsoft Office application, so there is no extra software to download, install, patch or even take up system resources. A simple press of windows-S enables you to clip any part of the visible windows. I use this frequently for creating documentation or power point presentations. The second part is that it is slowly replacing my trusty physical paper notepad. And using One Note 2010 with Microsoft Skydrive, it keeps my laptop, desktop and work computers all sync’ed. Love it!
  8. Drop Box – along the lines of syncing data, I am starting to use Drop Box for non sensitive data. They can help keep your data synced between multiple devices including mobile devices. Due to a recent security flaw, there was the potential for your data to be accessed by other users. As with any technology like this, I discourage the use for anything sensitive.
  9. Keepass safe – A password manager which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk.
  10. VLC – A highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, …) as well as DVDs, VCDs, and various streaming protocols.
  11. Log me in – Each of my systems has this installed, and I really appreciate that even after you logon to the website, to access your system, it still requires you to enter whatever password you use on your computer to access it.
  12. Trillian – While I rarely use instant messenger anymore, Trillian is a fantastic, fully featured, stand-alone, skinnable chat client that supports AIM, ICQ, MSN, Yahoo Messenger, and IRC – all in one application and interface.
  13. CCleaner – A system optimization and privacy tool that removes unused files from your system, allowing Windows to run faster and freeing up valuable hard disk space.
  14. Google Picasa – A free software that helps you locate and organize all the photos on your computer, edit and add effects to your photos with a few simple clicks and share your photos with others through email, prints and on the web.
  15. Remote Desktop Manager – If you are frequently connecting to remote resources such as via RDP or VNC, this is the tool for you. It offers built-in support for Microsoft Remote Desktop, Terminal Services, VNC, LogMeIn, Team Viewer, FTP, SSH, Telnet, Dameware, X Window, VMware, Virtual PC, PC Anywhere, Hyper-V, Citrix, Radmin, Microsoft Remote Assistance, Oracle VirtualBox and more.
  16. PuTTY – Probably the most common, versatile multi-protocol client application, and our longtime favorite choice for all our SSH needs. To many PC power users an SSH client is absolutely vital to their everyday operations, and PuTTY is the most popular Windows client for a reason.

First 10 things I do to a new computer

If you’re like me, anytime you get your hands on a new computer there are a handful of things you do to it. That could be if the computer is for your use or for someone else. Here is my top 10 things I do:

  1. If there is trialware software, I remove it – especially if it is anti-virus software! Clean up all of the unneeded software.
  2. Run Microsoft Update to ensure the operating system is fully patched. Even newly shipped computers can need tens to over 100 updates!
  3. Visit the hardware manufacturer’s website, such as the Dell Support website, and check for updates to the BIOS and other hardware. As with #2 above, the vast majority of computers shipped directly from the manufacturer are running old software such as BIOS and firmware.
  4. Install a web browser of choice – for me I install both Chrome and Firefox.
  5. Install a handful of standard apps every user needs:
    1. Adobe Acrobat Reader
    2. Java for Desktop Computers
    3. Adobe Flash Player (but you’ll need to do this for each browser you use)
    4. Adobe Shockwave Player (old, but some sites still require it)
    5. Adobe AIR Player (used on some sites)
    6. VLC (plays just about any media)
    7. Open Office (if you don’t own a copy of Microsoft Office)
    8. Virtual Drive Clone (lets you mount ISO as if they were CDs)
  6. Install any purchased or commercial software
  7. Download and install CCleaner, and run the registry cleanup utility – during the install, I uncheck virtually all of the install options. I like this tool hidden, not actively running, and not even visible on the Start menu; I run it from the “Program Files” directory manually. I prefer an uncluttered Start menu, so many utilities, especially on other people’s computers, I keep unlinked from the Start menu.
  8. Install Anti-virus software:
    1. I prefer commercial Anti-virus software, and never recommend a consumer grade AV software for anyone
    2. If you don’t have access to a commercial/business AV software, choose Microsoft Security Essentials – a lightweight, free, non-ad driven Anti-virus software
  9. Run a disk defragmentation software, either Microsoft’s built in utility, or Diskkeeper (highly recommend)
  10. Set up a non-administrative user account. If this is a domain-based workstation, then this is likely already taken care of, but for small workgroups, friends or family personal computers, I always set up two accounts: their “user” account and their “administrator” account. Both have passwords, typically the same password to make it easy for them. I have them always use the “user” account, and if appropriate I set up the computer to auto-login to that account.

In the next article I will discuss some of the software tools I install on my own workstations as an administrator and power user.

Enjoy!

Any user can unlock now with this custom GINA

From the folks over at Paralint, there is now a utility to help you with shared computer access. Often you will have a shared computer in an office space, and the problem is that you want each user to have their own username and password; however, that doesn’t always work out so well. Once you add a password-locked screen saver and a user forgets to log off, that computer is unusable to any other normal user.

What are your options? Typically we have been forced into one of the following:
1) Users know each other’s passwords;
2) Reduce the security by removing the password requirement or granting other users administrator permissions;
3) Users simply power the machine off and on to work around the issue;
4) Or they can use the Windows-based “winexit.scr”, which forcefully logs off the user when the screen saver kicks in.

However, with this custom GINA you can now enable any user to log off the offending user without requiring administrative permissions or changing your security routine. Aucun is a replacement GINA that wraps Microsoft’s own MSGINA.DLL to allow any given group of users to unlock or force logoff of a locked session on a Windows machine, unless the currently logged-on user is a member of a group you specify.

I created this for a friend that needed an unlock feature. By popular demand, I added force logoff and warning display. Here is a more detailed feature list:


  • GUI provided by original MSGINA.DLL (no training of end user required)
  • Allows any member of a given group to force logoff a locked session
  • Allows any member of a given group to unlock a locked session
  • Supports an exclusion group (to prevent unlocking of administrators by regular users)
  • Allows displaying a custom message when the workstation is locked
  • Supports 64-bit versions of Windows
  • Supports international versions of Windows
  • Allows chaining multiple GINAs together

You can learn more about this and download here: http://www.paralint.com/projects/aucun/

Dr Ping

What is the purpose? If you are curious to see how your broadband ISP measures up against competition in terms of latency to many different internet destinations, then Doctorping will help. It calculates a latency benchmark, which you can use to compare to others in your ZIP or state.

How to get your score: Please download the windows-only executable, doctorping.exe. Unpack it onto your desktop, find the doctorping program icon (looks like a bullseye with a red cross in it), and run it. Doctorping will check the latency to a class of internet routers spread through the US, and take your browser back to this page, to display your ping score, and your rank.

How is the score calculated?
The score is the MEDIAN of all the millisecond ping results. Those who remember high school stats know that the median is less sensitive to outliers (extreme results at either end of the spectrum).

What is a good score?
The lower the doctorping score the better. A good score is one that is top in your area (US state). A bad score is one that is bottom in your area.

What does it measure?
The measure is the average of the latency from you to many IP addresses, spread fairly evenly around the US. Some routers are near you, others are far away.

I’ve got a terrible score! What does that mean!
It means that your average latency is measured as relatively high. If others in your area, on the same ISP, score much better, it may indicate a problem with your line or setup. If others in your area, on the same ISP, also score badly, your ISP may not be efficiently routing you, compared to competing companies.

You can find out more about this tool at: http://www.dslreports.com/beta/doctorping

SmokePing

SmokePing keeps track of your network latency:
  • Best of breed latency visualization.
  • Interactive graph explorer.
  • Wide range of latency measurement plugins.
  • Master/Slave System for distributed measurement.
  • Highly configurable alerting system.
  • Live Latency Charts with the most ‘interesting’ graphs.
  • Free and open-source software written in Perl by Tobi Oetiker, the creator of MRTG and RRDtool

It has been a great resource I’ve been using for years. It is very helpful in troubleshooting VoIP issues, as well as general WAN latency. For more information on this tool, go to http://oss.oetiker.ch/smokeping/ and you can also find a free copy to use on http://www.dslreports.com

Enjoy

Malware Bytes

I am surprised how many times I run into this from IT consultants, contractors and firms who don’t know this…. Malwarebytes is not free for business use.

Individually the cost of a single user is $25: https://store.malwarebytes.org/342/?scope=checkout&cart=29945

 Alternatives to using Malwarebytes:

Exchange Connectivity Test

For those who ever wanted to test ActiveSync connectivity as well as web connectivity to an Exchange server, here is a great tool that Microsoft has put out there for us.

You can test it but make sure the exchange server you are testing it on is running 2007 or 2010 otherwise you get errors.

https://www.testexchangeconnectivity.com/

Have fun and I’ve been able to use it a couple of times so if you have any questions I’ll be happy to help out with it.  It works really well when you are getting ready to setup smartphones on a network and need to verify settings prior to inputting them and then trying to troubleshoot from the phone.

Blackberry Enterprise Server Express (BESx)

Last month Blackberry released a much anticipated Express version of BES, which targets small and medium businesses just like the ones Apex supports. This provides all of the key features most of our clients are looking for at absolutely no licensing cost. Here is my quick review/comparison of BES and BES Express, along with why I prefer Blackberry over the competition.

Blackberry Enterprise Server Express

  • 100% FREE for both the license and CALS; does not require a SQL Standard license
  • Supports Exchange Server 2003/2007 and SBS 2003/2008
  • Supports up to 75 users when installed on the Exchange Server
  • Supports up to 2,000 users when installed on a dedicated server
  • Requires ONLY the Standard Data Plan (BIS) from the cell provider, and does not require the more expensive enterprise data plan
  • The biggest feature difference between BES and BES-Express is that there is a limit to 35 policies, versus 450+ policies for management
  • The missing features that we don’t typically use are high availability (multiple BES servers) and advanced monitoring

