How to choose public DNS provider for an ISP
-
As some of you know, I am working on building a WISP. One thing that I have decided to do is go all private IP addresses to cut down costs and to protect my system and subs a little more.
One thing I have a concern about is who do I want to point to for my upstream DNS? Default answer is Google or OpenDNS. Don't really trust big companies.
Without beating around the bush too much, should I consider a DNS provider that doesn't track queries but could also be blocking some of the Internet to the subscriber or a DNS provider that gives them full reign over the Internet without concern about the sub's privacy?
-
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
-
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
-
@travisdh1 said in How to choose public DNS provider for an ISP:
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
Thank you. I could setup a pi-hole system. I tell the sub about this alternative DNS. If they opt-in, I change their DNS to point to my pi-hole. But they have to choose to be a part of it, otherwise they get straight Internet.
-
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
-
@nerdydad said in How to choose public DNS provider for an ISP:
As some of you know, I am working on building a WISP. One thing that I have decided to do is go all private IP addresses to cut down costs and to protect my system and subs a little more.
One thing I have a concern about is who do I want to point to for my upstream DNS? Default answer is Google or OpenDNS. Don't really trust big companies.
Without beating around the bush too much, should I consider a DNS provider that doesn't track queries but could also be blocking some of the Internet to the subscriber or a DNS provider that gives them full reign over the Internet without concern about the sub's privacy?
I'd prefer one with no tracking whatsoever (to protect privacy), but that also is 100% open (as in no dns blocking). It's not your job to be an malware choke point.
At most, and probably preferrably, use a DNS service with zero tracking, and only potentially blocks known infection vectors.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
-
@travisdh1 said in How to choose public DNS provider for an ISP:
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
"Coupon malware is the best kind of malware. I love printing out a $1 off milk coupon online and then buying a new computer for hundreds of dollars" - Standard User
-
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service has the standard "You're not allowed to run a server" in it, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It's confusing at best for the users and breaks lots of software.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So if I put in a request for a port, no other customer can have it? How will that work? Say I want to have a PBX, I'm the only person that can make calls?
-
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
Like a VPN for example.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
Thank you. I could setup a pi-hole system. I tell the sub about this alternative DNS. If they opt-in, I change their DNS to point to my pi-hole. But they have to choose to be a part of it, otherwise they get straight Internet.
Just let them do their own at that point.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
-
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
-
@travisdh1 said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
Down here in mexico, almost all cable companies that also provide internet service use CGNAT as well, the downside is they are also some of the worst providers but they do use it.
-
@romo said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
Down here in mexico, almost all cable companies that also provide internet service use CGNAT as well, the downside is they are also some of the worst providers but they do use it.
It's pretty rare here from what I can tell. I never see people getting non-public IPs.
-
@scottalanmiller - I didn't even know that was a thing.
-
@wrx7m said in How to choose public DNS provider for an ISP:
@scottalanmiller - I didn't even know that was a thing.
It exists, but I had no idea that people were seeing it commonly, so many things break when you do that.
-
If one of the arguments is to increase security, why not simply do a separate management VLAN using private IP addressing? You can have the customer facing network, aka the Internet, on say VLAN A, and then have the private management network on VLAN B? Implement the appropriate firewalling/ACLs so the two VLANs cannot talk to each other.
-
@anthonyh said in How to choose public DNS provider for an ISP:
If one of the arguments is to increase security, why not simply do a separate management VLAN using private IP addressing? You can have the customer facing network, aka the Internet, on say VLAN A, and then have the private management network on VLAN B? Implement the appropriate firewalling/ACLs so the two VLANs cannot talk to each other.
That is the plan anyways. The question here really wasn't about public versus private IP addresses (though that is going to raise my overhead $500/year), but more about whether I should just hand the customer Google dns addresses via dhcp or should I give them something that is more privacy focused but might also restrict their access to the internet.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@anthonyh said in How to choose public DNS provider for an ISP:
If one of the arguments is to increase security, why not simply do a separate management VLAN using private IP addressing? You can have the customer facing network, aka the Internet, on say VLAN A, and then have the private management network on VLAN B? Implement the appropriate firewalling/ACLs so the two VLANs cannot talk to each other.
That is the plan anyways. The question here really wasn't about public versus private IP addresses (though that is going to raise my overhead $500/year), but more about whether I should just hand the customer Google dns addresses via dhcp or should I give them something that is more privacy focused but might also restrict their access to the internet.
You are right. My bad.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@anthonyh said in How to choose public DNS provider for an ISP:
If one of the arguments is to increase security, why not simply do a separate management VLAN using private IP addressing? You can have the customer facing network, aka the Internet, on say VLAN A, and then have the private management network on VLAN B? Implement the appropriate firewalling/ACLs so the two VLANs cannot talk to each other.
That is the plan anyways. The question here really wasn't about public versus private IP addresses (though that is going to raise my overhead $500/year), but more about whether I should just hand the customer Google dns addresses via dhcp or should I give them something that is more privacy focused but might also restrict their access to the internet.
I would not consider anything but Google for a default. If they want more privacy that is 100% up to them. If they are using anything that comes from their ISP blindly they aren't concerned with privacy anyway. Remember, this is only the DNS that you hand to their firewall, not the one that they should be using for anything.
-
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service has the standard "You're not allowed to run a server" in it, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider there using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
-
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service has the standard "You're not allowed to run a server" in it, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider there using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their XBox to work.
-
@scottalanmiller said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service has the standard "You're not allowed to run a server" in it, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider there using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their XBox to work.
It was a stab in the dark.
-
@dashrender said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service has the standard "You're not allowed to run a server" in it, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider there using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their XBox to work.
It was a stab in the dark.
I know at one point in time under strict NAT scenarios Xbox Live is unhappy. It's possible a double NAT may anger it. I don't know if that's true today though.
-
@anthonyh said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service has the standard "You're not allowed to run a server" in it, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider there using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their XBox to work.
It was a stab in the dark.
I know at one point in time under strict NAT scenarios Xbox Live is unhappy. It's possible a double NAT may anger it. I don't know if that's true today though.
It's amazing that it could fail under NAT, when would it ever be used without NAT?
-
@scottalanmiller said in How to choose public DNS provider for an ISP:
@anthonyh said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service has the standard "You're not allowed to run a server" in it, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider there using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their XBox to work.
It was a stab in the dark.
I know at one point in time under strict NAT scenarios Xbox Live is unhappy. It's possible a double NAT may anger it. I don't know if that's true today though.
It's amazing that it could fail under NAT, when would it ever be used without NAT?
I bet a while ago it really wanted to use UPNP to open ports, NAT be damned
