How to choose public DNS provider for an ISP
-
As some of you know, I am working on building a WISP. One thing that I have decided to do is go all private IP addresses to cut down costs and to protect my system and subs a little more.
One thing I have a concern about is who do I want to point to for my upstream DNS? Default answer is Google or OpenDNS. Don't really trust big companies.
Without beating around the bush too much, should I consider a DNS provider that doesn't track queries but could also be blocking some of the Internet to the subscriber or a DNS provider that gives them full reign over the Internet without concern about the sub's privacy?
-
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
-
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
-
@travisdh1 said in How to choose public DNS provider for an ISP:
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
Thank you. I could setup a pi-hole system. I tell the sub about this alternative DNS. If they opt-in, I change their DNS to point to my pi-hole. But they have to choose to be a part of it, otherwise they get straight Internet.
-
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
-
@nerdydad said in How to choose public DNS provider for an ISP:
As some of you know, I am working on building a WISP. One thing that I have decided to do is go all private IP addresses to cut down costs and to protect my system and subs a little more.
One thing I have a concern about is who do I want to point to for my upstream DNS? Default answer is Google or OpenDNS. Don't really trust big companies.
Without beating around the bush too much, should I consider a DNS provider that doesn't track queries but could also be blocking some of the Internet to the subscriber or a DNS provider that gives them full reign over the Internet without concern about the sub's privacy?
I'd prefer one with no tracking whatsoever (to protect privacy), but that also is 100% open (as in no dns blocking). It's not your job to be an malware choke point.
At most, and probably preferrably, use a DNS service with zero tracking, and only potentially blocks known infection vectors.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
-
@travisdh1 said in How to choose public DNS provider for an ISP:
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
"Coupon malware is the best kind of malware. I love printing out a $1 off milk coupon online and then buying a new computer for hundreds of dollars" - Standard User
-
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service has the standard "You're not allowed to run a server" in it, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It's confusing at best for the users and breaks lots of software.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So if I put in a request for a port, no other customer can have it? How will that work? Say I want to have a PBX, I'm the only person that can make calls?
-
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
Like a VPN for example.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
Thank you. I could setup a pi-hole system. I tell the sub about this alternative DNS. If they opt-in, I change their DNS to point to my pi-hole. But they have to choose to be a part of it, otherwise they get straight Internet.
Just let them do their own at that point.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
-
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
-
@travisdh1 said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
Down here in mexico, almost all cable companies that also provide internet service use CGNAT as well, the downside is they are also some of the worst providers but they do use it.
-
@romo said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of you subs will be double nat'ed ?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
Down here in mexico, almost all cable companies that also provide internet service use CGNAT as well, the downside is they are also some of the worst providers but they do use it.
It's pretty rare here from what I can tell. I never see people getting non-public IPs.
-
@scottalanmiller - I didn't even know that was a thing.
-
@wrx7m said in How to choose public DNS provider for an ISP:
@scottalanmiller - I didn't even know that was a thing.
It exists, but I had no idea that people were seeing it commonly, so many things break when you do that.
