Best DNS choice for a financial institution?
-
@travisdh1 said in Best DNS choice for a financial institution?:
@dave247 OpenDNS is just fine to use, like the other major DNS providers they will probably be a step up from your ISP provided service.
What they don't do is filtering of any kind unless you add a paid service on. I've started running my own DNS server now that does block known advertising IP addresses called Pi-Hole (Yes, I've seen many names that are better.)
I like Pi-hole because they tell advertisers to shut their piehole.
-
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
IIRC the filtering was free for home use only.
-
@penguinwrangler said in Best DNS choice for a financial institution?:
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
IIRC the filtering was free for home use only.
https://www.opendns.com/home-internet-security/
That looks to be right. They offer a free tier for home use.
-
@penguinwrangler said in Best DNS choice for a financial institution?:
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
IIRC the filtering was free for home use only.
Has that always been the case or did this change with the purchase by Cisco?
-
It's always been that way. Not that it's stopped anyone from using it anyway. I 2nd local Pi-hole installation. Add OpenDNS on top and you have a nice extra layer of filtering.
-
I just reverted my DNS settings to what they were before. Screw it.
-
@dave247 Why? ISP DNS servers are the worst thing you can pick. If you don't want to mess with OpenDNS, go with Google servers.
-
@marcinozga said in Best DNS choice for a financial institution?:
It's always been that way. Not that it's stopped anyone from using it anyway. I 2nd local Pi-hole installation. Add OpenDNS on top and you have a nice extra layer of filtering.
Actually, it was free for business at one time.
-
That's 5 years ago, probably before I even bothered with DNS filtering. Squid used to do the job before. HTTPS everywhere changed all that.
-
@marcinozga said in Best DNS choice for a financial institution?:
@dave247 Why? ISP DNS servers are the worst thing you can pick. If you don't want to mess with OpenDNS, go with Google servers.
Got any good info to back that statement up? I'm not saying I don't believe you, but I've always just heard that via word of mouth.. not sure if it's really true or not
-
@dave247 said in Best DNS choice for a financial institution?:
I just reverted my DNS settings to what they were before. Screw it.
That's the one thing I would not do. If you are concerned about speed or security, you never use ISP DNS. That's been a best practice for over a decade (since the advent of free, enterprise DNS options like Google.) The one option that should never get considered is ISP DNS.
-
@marcinozga said in Best DNS choice for a financial institution?:
@dave247 Why? ISP DNS servers are the worst thing you can pick. If you don't want to mess with OpenDNS, go with Google servers.
Exactly.
-
@dave247 said in Best DNS choice for a financial institution?:
@marcinozga said in Best DNS choice for a financial institution?:
@dave247 Why? ISP DNS servers are the worst thing you can pick. If you don't want to mess with OpenDNS, go with Google servers.
Source on that?
This has been an industry best practice for so long it would be like asking doctors to provide a source on why not to use leeches any more. It's the same as any other bundling rule, we actually use this as one of the references for other things, constantly. Same as you never use email or VoIP from your ISP, no services at all from your ISP other than the ones necessary because they are your ISP.
-
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
OpenDNS does provide a free service. But that is not what was stated, nor what I refuted.
What was stated was to simply put the OpenDNS servers in as your DNS. That does nothing. It is a public DNS service. To make use of the basic filtering you have to create an account and link everything up.
But all of that said, you are also using the service against the ToS. There is no free service available for commercial use. There is only a trial for Umbrella.
For OpenDNS Home, it specifically states that it is for home use in the ToS.
-
@scottalanmiller said in Best DNS choice for a financial institution?:
@dave247 said in Best DNS choice for a financial institution?:
I just reverted my DNS settings to what they were before. Screw it.
That's the one thing I would not do. If you are concerned about speed or security, you never use ISP DNS. That's been a best practice for over a decade (since the advent of free, enterprise DNS options like Google.) The one option that should never get considered is ISP DNS.
Why is that?
-
@jaredbusch said in Best DNS choice for a financial institution?:
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
OpenDNS does provide a free service. But that is not what was stated, nor what I refuted.
What was stated was to simply put the OpenDNS servers in as your DNS. That does nothing. It is a public DNS service. To make use of the basic filtering you have to create an account and link everything up.
But all of that said, you are also using the service against the ToS. There is no free service available for commercial use. There is only a trial for Umbrella.
For OpenDNS Home, it specifically states that it is for home use in the ToS.
Still not really helping the convo..
-
@danp We are referring to the post made by @dave247 "Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website."
-
@dave247 said in Best DNS choice for a financial institution?:
@jaredbusch said in Best DNS choice for a financial institution?:
@dashrender said in Best DNS choice for a financial institution?:
@reid-cooper said in Best DNS choice for a financial institution?:
OpenDNS is good. Or just use Google, it's not bad.
For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.
And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.
OpenDNS does provide a free service. But that is not what was stated, nor what I refuted.
What was stated was to simply put the OpenDNS servers in as your DNS. That does nothing. It is a public DNS service. To make use of the basic filtering you have to create an account and link everything up.
But all of that said, you are also using the service against the ToS. There is no free service available for commercial use. There is only a trial for Umbrella.
For OpenDNS Home, it specifically states that it is for home use in the ToS.
Still not really helping the convo..
How, You are using a home service in a business right? I completely am helping you learn that you need to find a new solution.
-
@dave247 said in Best DNS choice for a financial institution?:
@scottalanmiller said in Best DNS choice for a financial institution?:
@dave247 said in Best DNS choice for a financial institution?:
I just reverted my DNS settings to what they were before. Screw it.
That's the one thing I would not do. If you are concerned about speed or security, you never use ISP DNS. That's been a best practice for over a decade (since the advent of free, enterprise DNS options like Google.) The one option that should never get considered is ISP DNS.
Why is that?
Because ISPs have these issues:
- It is not a service that they make money or clout on. They provide it because they have to for consumers. They don't care about making it good or safe, this is not in their interest. So it makes no business sense for them to do it well, or for customers to expect it to be a good service.
- ISP DNS is famously slow and risky, for exactly the reasons above. It is where attacks happen because ISPs aren't DNS specialists, they just throw up free DNS servers and ignore them. So DNS Injection attacks happen here. That entire, and very major, attack vector exists solely for companies that use ISP DNS. Google and Cisco have never been hacked like this, it's not a realistic attack on them.
- Propagation is notoriously problematic and unknown. Causing delays in failover or outages as other services change and you do not.
- You are unnecessarily tied to the ISP, even in a very trivial way.
- You make things non-standard for no reason. Why make things extra hard for negative benefits?
- You will have to have discussions like this every time you talk about DNS internally or externally. Making it a financial loss without benefit. Just use Google like everyone else and be done and eliminate having to explain the use of ISP DNS anytime someone looks at the system.
- Multiple sites can share configuration.
- Services like Google and OpenDNS take pride in their high availability, your ISP does not.
- If you switch ISPs, have an outage, etc. you get to keep configuration instead of needing to manually change anytime anything else changes.
-
@scottalanmiller said in Best DNS choice for a financial institution?:
@dave247 said in Best DNS choice for a financial institution?:
@scottalanmiller said in Best DNS choice for a financial institution?:
@dave247 said in Best DNS choice for a financial institution?:
I just reverted my DNS settings to what they were before. Screw it.
That's the one thing I would not do. If you are concerned about speed or security, you never use ISP DNS. That's been a best practice for over a decade (since the advent of free, enterprise DNS options like Google.) The one option that should never get considered is ISP DNS.
Why is that?
Because ISPs have these issues:
- It is not a service that they make money or clout on. They provide it because they have to for consumers. They don't care about making it good or safe, this is not in their interest. So it makes no business sense for them to do it well, or for customers to expect it to be a good service.
- ISP DNS is famously slow and risky, for exactly the reasons above. It is where attacks happen because ISPs aren't DNS specialists, they just throw up free DNS servers and ignore them. So DNS Injection attacks happen here. That entire, and very major, attack vector exists solely for companies that use ISP DNS. Google and Cisco have never been hacked like this, it's not a realistic attack on them.
- Propagation is notoriously problematic and unknown. Causing delays in failover or outages as other services change and you do not.
- You are unnecessarily tied to the ISP, even in a very trivial way.
- You make things non-standard for no reason. Why make things extra hard for negative benefits?
- You will have to have discussions like this every time you talk about DNS internally or externally. Making it a financial loss without benefit. Just use Google like everyone else and be done and eliminate having to explain the use of ISP DNS anytime someone looks at the system.
- Multiple sites can share configuration.
- Services like Google and OpenDNS take pride in their high availability, your ISP does not.
- If you switch ISPs, have an outage, etc. you get to keep configuration instead of needing to manually change anytime anything else changes.
So then what good/safe/secure/reliable/free DNS servers should I be using?? All I know of right now is google and DNSwatch..