BEAUTIFUL Job, Dave! - Clear, concise and complete. And thanks as always for the mention. I wrote that DNS Benchmark back in 2008 and it's overdue for an update. I'll be sure to let you know when I have that! Thanks again! 👍
And let me pay my respects to you as i use your resources for .... 15 years or so at least :) Your description of the DDOS attack you were targeted inspired my learning about the subject. Thank you!
GLAD to see STEVE here. !!!! I used to listen to your podcasts daily and knew more about computers than the IT Dept at the State of Oregon. I work as a fiscal analyst.
Indeed. We all owe a debt of gratitude to the likes of Elizabeth Feinler, Jon Postel, the two Pauls (Paul Mockapetris and Paul Vixie), and numerous others. Thank you, all -- named and unnamed (I'm not prepared to actually give an exhaustive list, so I'm not going to try, but those are a few that stand out in my mind).
@@Etcher I wish we used more of what the Internet and the TCP/IP can really do instead of shoving everything on HTTP and the Web, which is a mere "app" of the internet.
@ortivox I mean... sure, but that's kinda the nature of anything so incredibly central to a massive system. A heart is pretty vulnerable, too... but hey, with around 2 billion beats in a human lifetime, I'd say most hearts do a pretty damn good job.
DNS really is one of those amazing technologies that nearly 100.00% of the time it "just works" for why you don't think about it. And why it's quite noteworthy the few times there are issues
Yeah, and every intelligence agency knows what what interests are, google for example has on of the fastest ones for free, they really dont wanna know what your doing.... Really, plain old DNS is not cutting it anymore...
What's really fun is when you're doing load balancing via DNS but the GSLBs aren't authoritative so when some genius gets the idea of doing an any type request for... reasons, poisoning DNS cache, and absolutely obliterating the cache for a huge number of users.
Nice explanation. Just one clarification-pronunciation of live (as in “TTL”) is “live” as in “I live in the US.” The cache entry “lives” for a specific period of time.
Being a child of the '70's, I always knew it as 'Time to live' as in 'alive'. I agree, 'liv' makes more sense so not sure why I remember it as Dave does.
I agree. But I only started studying networking in 2001. Never heard it said Dave's way before. Live as in "until dead." Not Live as in "On Air Broadcast."
I always thought it was "live" not "liv". Probably because the only time I have to think about it is when making DNS record changes and how long it could take for the changes to go l-i-v-e.
One note: If you are benchmarking different DNS servers to try and eek out every last millisecond of performance, make sure you do some real world benchmarking and not just measuring how long the DNS requests take to return. The reason is some CDN's will use which DNS resolver a request comes in from in order to decide what server to serve you content from. This is complex, and if they redirect you afterwards is based on how the CDN is configured, how large the content you requested is and a bunch of other factors, but if you speed up DNS by 10ms, but add 20ms to a lot of your small HTTP requests, you may actually reduce your overall web performance even if pure DNS benchmarks are showing up as faster.
@@rudysal1429 Not got a single good answer, because it depends on things like what you use, where your CDN nodes are located etc ... Maybe I should build a dnspyre / dnsperf like tool to do exactly this.
On top of that, a lot of the DNS servers themselves are doing a type of anycasting, so the IP address of the DNS server could be going to different physical servers depending on how they're interpreting the physical location of your IP address. If your ISP is large and is allocating IP addresses without any rhyme or reason, they could be seriously screwing up your performance. I've noticed that the IP address of my phone sometimes is geo located in places that are over 500 miles away. I'm sure that ISPs that large probably have colocated CDNs and compensation measures in place, but I often wonder how well those work.
While watching this video I DL'ed DNS Benchmark and ran it. I then changed my DNS server and my response times got MUCH better. I am now letting it build it's "Custom List" for me and will have it retry the test. I found my current DNS server, before changing it, WAY down the list, which is probably why my browser was a bit slow. Thank You, Dave!!
as someone who has sworn to destroy cisco with their pure unadulterated hatrid for all things networking, this video broke things down really well and helped me understand certain processes that i always complain about in router config. Thank you
Just a note, this is great advice for the home, but could get you in trouble at work. Many filtering solutions use a special DNS server to block access to certain sites (like that other "hub"). Thus, using your own DNS could either bypass the filtering, or get you nothing at all (because all other DNS is blocked). Even at home it could be an issue if you're trying to filter your family's access to non-family friendly sites.
A *huge* factor in the responsiveness of your setup is how well your connection holds up when it's busy. We're talking latency under load, aka bufferbloat. Crappy home routers cause traffic jams, where the essential background stuff, like TCP ACKs and DNS requests, gets stuck in the routers' buffers. The user experience spirals down from there. So when the DNS benchmark candidates drop down the ratings list, it may not be the server's fault, or the number of hops, or the physical distance. It may just be bufferbloat. There are lots of articles out there on it.
@@joseph7179 Every week a podcast, in both video, audio and in text form, with both the show notes and actual podcast available as well. Video and Audio at TWIT, and the show notes at Steve's site of GRC, where he also has this freeware, along with his other software.
Note: This isn't going to speed up your internet connections, it will just speed up the initial connection. Subsequent connections will use lookups cached on your personal device, stored in a DNS cache so it is not needed to look up the IP again. This lasts as long as the TTL setting, which is going to be somewhere between 1h - 24h, typically 6h. It is far more important to choose a secure, and reliable DNS server, with a good reputation. Any malicious DNS server can set you up for a man-in-the-middle attack.
Unless you are a MS engineer.... and work on OS that handle caching badly.... or wose , in hte case of 365 , where they rotate the cloud endpoints FASTER, that the dns records renew... so you end up caching a load of potentially "dead" end point ip addresses...
The ven diagram of Dave’s videos and videos about dns means a huge smile on my face. I run a cluster of recursive DNS servers that then feed into pihole servers. Nice fast, lots of cache and secure dns
What recursive DNS servers do you use? I use two different Unbound servers. And yes, those feed into my Pi-Hole servers as well (which came out on top in the DNS benchmark).
Your comedic timing and taste is just perfect. Thanks for making content like this. A guy with your experience and resume is rare,and to share it with others to help learn, is even more rare. I'll be checking out your book and thanks again.
There was a DDOS attack on the DNS root server back in 2016. I was at my companies conferance and I owned and deployed the entire compute infrastructure in the convention center and when the attack happened, I thought it was our network, but then word got out that much more and it ended up being malware implanted in TV Set Top boxes and small IoT devices and all kinds of end points, that were flashed with an update that had this sleeping malware in it for years and all at once for two days, it flooded the entire root DNS and took down the entire internet and core services. Only local DNS resolvers with cached IP to site info would still work until the cache expired. They flooded the DNS core with 1.5Tbps of request data.
Thanks a lot, Dave. At one time a couple of decades ago, I used to keep a massive list of phone numbers in my head. I cannot imagine doing the same with IP addresses...
I suppose most techies still remember a few IP addresses. I remember the IP address for: my Router, PC, IP Camera, other commonly deployed routers/switches, Google DNS servers. Admittedly all but the last ones are local.
Dave I salute you. I found your channel after the recent CrowdStrike security issue. I found your videos very informative an easy to follow. Keeps up the great work!👍
Another great episode Dave! I love content like this that provides such great detail about systems and topics that are often glossed over, complained about, or ignored completely.
Good old Steve eh! I was a bit of a PC newbie around the time of the big DCOM vulnerability and used his Decombobulator, along with some of his socket advice.
I recall reading a detailed and fascinating DDOS account by Steve Gibson. Must be 20+ years ago. It was an attack on his systems and described how he discovered it and how he resolved it. Also explained the 3 way handshake of TCP/IP which I have used many times to explain even normal communication. Very good.
Love Steve Gobson, I followed his podcasts from about 15-17 years ago. Back then, I worked for the State as a Fiscal Analyst and knew more about computers and security than the IT staff at the State. I am a proud owner of SpinRite.
I personally like the idea of running your own recursive name server locally and using the root servers directly. Eliminates the privacy concerns of using Google or CloudFlare too.
Even in cases where DNS is encrypted, it is usually decrypted by the DNS provider, not the website you're trying to access -- so it is still important to trust the provider!
The fun thing about all this is that the source and destination IP addresses are still trivial to look up, and if you use a VPN, you have to hope your VPN service isn't actually logging stuff secretly, and on top of that, hope your browser isn't vulnerable in some way or isn't leaking data like real IP addresses through things like webrtc, and then on top of that hope your browser isn't secretly tracking you anyway like chrome was found to be doing even with incognito mode.
What an interesting explanation once again, Dave! Great stuff. What caught me off guard a little is your pronunciation of TTL. You say Time to Live with live as in live music. I always thought it was live as in living. It's how long the entry has left to live instead how long its considered live. It may be correct both ways? Don't know but I think it's interesting.
I run my own internal DNS resolvers, to eliminate /some/ of the DNS snooping from my ISP. As always, they are faster than any public DNS server in all categories (including the generated custom list) of Steve's awesome DNS Benchmark tool. There are multiple benefits of running your own DNS server, such as the ability to block access to certain domains (i.e., ads hosting companies), without messing with browser extensions or anyone's device. This works wonders for the devices where your configuration options are very limited.
Doing the same here, actually been doing this for about 30 years now. It has always been the best solution for those who understand DNS, but out of reach for most users.
Set up my own DNS DHCP appliance. £40 and now I can swap out my router without rebooting all current network hardware (Alexa, bulbs and sockets). Cable router replaced with PfSense PC. Local cable acting as a failover for fibre until cable contract ends.
But extensions blocks everything for me where dns didnt anything visually.(might blocked some tracking but not ads and certainly no where near extensions). But i am just one user.
DNS -- the thing that many admins get wrong in an Active Directory environment! Hint: AD clients will break if you assign them a public DNS server to query from, even if you put it as secondary. Any DNS server queried by an AD client must be able to resolve the AD domain. Generally, only the AD DNS server service should be querying public DNS. Also, remember that NXDOMAIN -- when the DNS server returns "I dunno" to a query -- is a valid response, and the client will NOT query the secondary server when it receives an NDXOMAIN response.
I managed (before retiring) an AD forest with child domains managed by their local admins. One guy set all of his forwarders to Google DNS servers and then called me complaining about their DNS problems while never mentioning what he had done. Plus it was something I had fixed one time before and warned him about it.
I don't know why but I've always loved anything to do with DNS. I'm by no means a network guy - I'm strictly software and that's where I feel most comfortable but there is a beauty in the design of the DNS system and the fact its been in use for 40 years that fascinates me. Great vid, really enjoyed it ;-)
The DNS system is so mind numbingly complex and unintuative that I'm miles away from noticing any beauty. It does my head in. And it's not for a lack of trying. I've been a C++ Windows application developer for 25 years, but I keep away from all things network. I just don't get it.
I was one of those guys building custom PCs when Win95 hit the scene. I think I lasted about 8-10 months after that, then quit the job after having a mental breakdown. WIN95 was so problematic that people would find my number in the phone book and call me for debug advice and to just complain...even people that were not my customers, it was INSANE. I do miss Windows 3.11
Can't wait to watch this. When I was getting my IT certs I wanted to get into networking. Planned a little homelab and everything. This is the stuff that intrigues me.
Since you mentioned Steve Gibson and SpinRite, i would live to hear your take on using it to speed up SSDs. Seems like s sufficiently geeky topic for this channel.
Awesome! Good to know I wasn't quite utilizing the fastest DNS for my area; great tool! Also, bravo to the old school Family Guy reference 🤣. I MUST get your book on living with ASD. I have yet to be diagnosed, but, after months and months of reading up on it online and in the DSM-5, about 12 online tests all coming back 'strong likelihood', and much time spent in reflection, I have no doubts I am on the spectrum; so many things in my life now make so much more sense. Your videos have helped, as well, as I am currently studying cyber sec and preparing for the arduous road of having no experience, but landing a gig. Thanks. (This comment has no gone on for way too long, I know 🙄)
Things have changed a bit since you were using them Dave. There IS encrypted DNS, it's called DNS-over-HTTPS (DOH) and it's neither complicated nor difficult. It is actually integrated both in Windows and in Firefox and very easy to enable. And it is recommended for everyone to do it.
@@toby9999 nope. In Windows settings, when setting DNS server manually, just set "DNS over HTTPS" to "On (automatic template)". Or in Edge, in settings, search for "use secure dns" and toggle on
@@QualityDoggo DNS-over-HTTPS is the evolution of DNS-over-TLS. The latter has a distinctive signature (it uses port 853) and it can be easily blocked by the network administrator (and is indeed blocked by some) or the internet provider. DNS-over-HTTPS on the other hand is not different from normal HTTPS traffic and cannot be blocked. And it is natively supported by Windows, Android, Firefox and others.
While DNS-over-HTTPS (DOH) is easy to implement in some cases and is more secure than non-encrypted DNS, there is often a performance penalty. In addition, most consumer routers do not allow DOH to be set in their configuration panels.
This is such a good video. I am a competitive fps gamer and IT student and I have been using that DNS benchmark tool for a long time. I had a rough idea of how DNS worked but this was super informative and helpful.
Great explanation; I've never come across a video on this subject before that I started to watch and sat out until the end. You are very talented, Sir! And Steve Gibson sounded very familiar to me. Then I remembered Spinrite and how many times it saved my data.
The fastest DNS is by running one's own DNS resolver, such as PowerDNS' Recursor, then pointing one's local systems to the address of the local recursors (the more recursors on the local area network, the higher the redundancy and the performance). PowerDNS' Recursor will cache the results for the TTL interval, of course, building up a cache; I have 99.5% cache hit on the recursors on my local area network.
Love your explanation. Interesting fact about a DDOS attack on DNS root servers. Even if a DDOS attack was successful in making these servers inaccessible they have about 7 days to resolve the issue before the DNS system is actually broken.
There’s also something I’ve heard about DNS being faster at certain times of day. This makes it so much more complicated, but I see why the popular DNS are popular.
Back in the 90's when I was a sys and network admin for my local ISP, I used to run my own home servers and would tailor everything for my own behalf (not sacrificing customer resources of course) and delegated everything down to my own devices, so to speak. It was kind of wild performing dumps and traces on the network traffic and filtering for DNS versus other services, like HTTP, etc. The internet was wild back then; it was.almost like a Wild West of sorts. I even had my own ASN for BGP requests (which actually helped later on when we had DDoS attacks against customers which could have affected our entire client network.)
Love local servers that can cache locally based on queries your household does. And you can have them do parallel lookup against a list. Adguard is what I use. Pretty simple and just works. And blocks ads without needing ad block on devices! Saves on even more network traffic.
I swear 20+ years ago when I was in my CCNA class it was Domain Name Service and just recently came across a number of people with the same memory of Domain Name Service instead of System. It's my own Mandela Effect.
This was really helpful and easy to understand. Building my custom DNS list now, lol. Also, thank you for mentioning your book. I know you have brought up Autism in the past but I wasn't aware you had written anything. I'll definitely be checking it out. Cheers! :)
Well done Dave. As usual, I may add. As you mentioned, DNS is the equivalent to the telephone assistance service. The equivalent of the phone book would be the HOSTS.TXT file published by SRI, later the InterNIC until it became too big and impractical. DNS is old, 1983 as far as I remember. I was not able to find out when the InterNIC stopped publishing a HOSTS.TXT file - maybe already in the 1980s. These days the hosts file only has marginal meaning to deal with special cases. As for robustness, the root nameservers are using anycast addresses. Which means there could be multiple servers using the same IP address and they might even be in different locations. Where is hard to say for sure but there are hundreds of physical systems not just 13.
Simply knowing and typing the IP Address of the server in a web browser may not get you a web page, or the web page you actually want. There are many shared hosting sites, or load balanced hosts where you have to make the querty to the correct named host with the IP. The easiest way would be to manually enter the domain with server with its matching IP address into the hosts file. A more extreme way to do this would be to run your own DNS server.
Great presentation, Dave! One nit: it is pronounced "time to lĭv" (soft "i"), not "time to līv" (hard "i"). From the American Heritage Dictionary: *live.* _v.intr._ 1. To be alive; exist. 2. To continue to be alive: lived through a bad accident. 3. To support oneself; subsist: living on rice and fish; lives on a small inheritance. 4. To reside; dwell: lives on a farm. 5. To conduct one's life in a particular manner: lived frugally. 6. To pursue a positive, satisfying existence; enjoy life: those who truly live. 7. To remain in human memory: an event that lives on in our minds.
Given the DNS outage that happened a few years ago and the recent CrowdStrike BSOD outages, it feels like organized and deliberate attacks outside the of a zone of trust are not even in the same league as errors that occur within a trusted zone as far as the havoc that can be caused. This feels like an obvious insight but what keeps me up at night sometimes is the realization of what a bad actor with access can do and given how easy it is for all the holes in the stack of Swiss cheese are to align even on a simple accident.
“Time to live”? I play drums live in a few bands, but I live in each experience. Shout out to GRC. I’d love to see/hear a collaboration, perhaps as Dave being a featured guest on Security Now!
I've been playing around with DNS services lately so this videos quite providential😅. Currently using Control D, it's definitely a different kind of dns service, so far best benefit is the customizability, to a fault almost, you raise your ad block severity too much and you'll be having a fun time figuring out which things you need to make an exception rule for.
You can also run your own local DNS proxy such as Acrylic DNS Proxy, default is local system only, but can be set to allow other devices on LAN if you run it on an always on PC - or run DNSMasq on a Raspberry Pi
Knowing about DNS can be pretty useful. I host a pihole DNS server on my network and it lets me add block lists to try to avoid malware or ads online. There's also DNS servers out there that do this as well, if you don't want to host your own.
I really enjoy your videos, very much. Been working with operating systems, including the long and sordid history of the MS' ones since the late 80's While this was very basic, I do really hope/wish that you wil use your imense knowledge and ability to simplify stuff, to dive deeper in to the DNS-ecosystem (how to protect youself from posiong, hybrid DNS, faking and all that suff). A series? :D Thank you!
Great video as always but a very small correction: TTL means Time to LIVE - where live here is the "my cat lives next door to Alice" pronunciation, not the "a cat have nine lives" pronunciation. It means exactly what it means - "how long much this entry live in the cache before it is evicted?".
@@tuphdc8779 I was wondering about that but I could have sworn I've heard the same pronunciation from Dave before, and he didn't have his usual trolling tone engaged :) But it sure is a possibility.
If you think there is a time to resolve differences between DNS Queries for Seattle (or West Coast US) and Miami (or East Coast US), try the difference between any US DNS Servers (or UK and European DNS servers) from Melbourne Australia! Now we have basically explained very well for us old-timer IT Programmers / Professionals, time for part 2 (how setting up configuring access to secure DNS servers?) and 3 (setting up your own local DNS resolver, such as Pi-Hole or AdGuard)? I can follow the step by guides, but I want someone with David's style and humour to actually explain what is happening first!!!
BEAUTIFUL Job, Dave! - Clear, concise and complete. And thanks as always for the mention. I wrote that DNS Benchmark back in 2008 and it's overdue for an update. I'll be sure to let you know when I have that! Thanks again! 👍
Thank you from the users
Steve, thanks for all that you do! Love the podcast too.
And let me pay my respects to you as i use your resources for .... 15 years or so at least :) Your description of the DDOS attack you were targeted inspired my learning about the subject. Thank you!
Would using this tool today upset sites and rate limit me?
GLAD to see STEVE here. !!!!
I used to listen to your podcasts daily and knew more about computers than the IT Dept at the State of Oregon. I work as a fiscal analyst.
got me on the hub joke lol
I had a mental image of barney from the Simpsons complaining about the speed of the download of 'art'
He means Github, right?
i love dave's jokes. they are always good!
@@dertyp6833 suuuuure
The fairly dry delivery really made that one land
Kudos to the original architects of DNS. It’s an amazing system with performance, reliability, and expansion capability.
It really is. It's one of my favourite aspects of the internet (from an architectural perspective) with TCP/IP coming in a close second.
Indeed. We all owe a debt of gratitude to the likes of Elizabeth Feinler, Jon Postel, the two Pauls (Paul Mockapetris and Paul Vixie), and numerous others. Thank you, all -- named and unnamed (I'm not prepared to actually give an exhaustive list, so I'm not going to try, but those are a few that stand out in my mind).
@@Etcher I wish we used more of what the Internet and the TCP/IP can really do instead of shoving everything on HTTP and the Web, which is a mere "app" of the internet.
@ortivox I mean... sure, but that's kinda the nature of anything so incredibly central to a massive system. A heart is pretty vulnerable, too... but hey, with around 2 billion beats in a human lifetime, I'd say most hearts do a pretty damn good job.
DNS really is one of those amazing technologies that nearly 100.00% of the time it "just works" for why you don't think about it. And why it's quite noteworthy the few times there are issues
Yeah, and every intelligence agency knows what what interests are, google for example has on of the fastest ones for free, they really dont wanna know what your doing.... Really, plain old DNS is not cutting it anymore...
"It’s not DNS
There’s no way it’s DNS
It was DNS"
What's really fun is when you're doing load balancing via DNS but the GSLBs aren't authoritative so when some genius gets the idea of doing an any type request for... reasons, poisoning DNS cache, and absolutely obliterating the cache for a huge number of users.
It works reliably due to distributed DNS server all over the world.
it's broken by design
I worked in a Data Center, Bay area. Didn't expect a professional when I saw the title. Excellent and accurate.
You’re the kind of genius that starts with “com”. Comedic.
Nice explanation. Just one clarification-pronunciation of live (as in “TTL”) is “live” as in “I live in the US.”
The cache entry “lives” for a specific period of time.
Being a child of the '70's, I always knew it as 'Time to live' as in 'alive'. I agree, 'liv' makes more sense so not sure why I remember it as Dave does.
I agree. But I only started studying networking in 2001. Never heard it said Dave's way before. Live as in "until dead." Not Live as in "On Air Broadcast."
Yep, it is a common mistake.
I always thought it was "live" not "liv".
Probably because the only time I have to think about it is when making DNS record changes and how long it could take for the changes to go l-i-v-e.
No, it's cached, not live. So when the time expires and it stops being cached, it goes live; real-time.
One note: If you are benchmarking different DNS servers to try and eek out every last millisecond of performance, make sure you do some real world benchmarking and not just measuring how long the DNS requests take to return.
The reason is some CDN's will use which DNS resolver a request comes in from in order to decide what server to serve you content from. This is complex, and if they redirect you afterwards is based on how the CDN is configured, how large the content you requested is and a bunch of other factors, but if you speed up DNS by 10ms, but add 20ms to a lot of your small HTTP requests, you may actually reduce your overall web performance even if pure DNS benchmarks are showing up as faster.
How do you do that?
@@rudysal1429 Trial and error I presume. Set the DNS, make several requests. Time them. Then do the same with a different DNS and compare the results.
@@rudysal1429 Not got a single good answer, because it depends on things like what you use, where your CDN nodes are located etc ...
Maybe I should build a dnspyre / dnsperf like tool to do exactly this.
Then there's also things like network buffer bloat to take into consideration
On top of that, a lot of the DNS servers themselves are doing a type of anycasting, so the IP address of the DNS server could be going to different physical servers depending on how they're interpreting the physical location of your IP address. If your ISP is large and is allocating IP addresses without any rhyme or reason, they could be seriously screwing up your performance.
I've noticed that the IP address of my phone sometimes is geo located in places that are over 500 miles away.
I'm sure that ISPs that large probably have colocated CDNs and compensation measures in place, but I often wonder how well those work.
While watching this video I DL'ed DNS Benchmark and ran it. I then changed my DNS server and my response times got MUCH better. I am now letting it build it's "Custom List" for me and will have it retry the test. I found my current DNS server, before changing it, WAY down the list, which is probably why my browser was a bit slow. Thank You, Dave!!
Does using this tool piss off dns servers due to large number of requests per min. And rate limit you... what skme ppl said.
@@JohnDoe-uz1yb it's a couple of requests per DNS server. You're querying a hundred different servers. They don't even know you're doing it.
@@enihi where do people come up with these stories? thank you, I will give the tool a try today.
I can recommend getting your own (recursive) DNS server (e.g. Pi-Hole, preferably in combination with Unbound).
@@apveening does it stop ads from within sites? like YT ads
I’d love to see more networking videos like this. Always so interesting for me
The HUB joke was hilarious. Best part was you didn't even grin:)
This is the absolute best DNS explainer video I have ever watched.
I agree! It's quite good! Naomi Brockwell has a good one as well.
@@Insightfill I agree she is great too
I did DNS for 15 years in my organization but I dont do DNS anymore, so I have forgotten a lot. THIS was a very good explanation.
New to Dave's content but could listen to how he explains about anything. Extremely enjoyable presentation.
I'm mad at you Dave !! I took your autism on-line test and got 42 !! I'm 80 yrs old ... on to my newfound life . Thank you, my friend ! 😎
Hola, bob ross
Sorry to hear ur very autistic 😢
Steve Gibson is an absolute legend! I've been using Shields Up for years and still do on a regular basis.. thanks for the great video Dave
as someone who has sworn to destroy cisco with their pure unadulterated hatrid for all things networking, this video broke things down really well and helped me understand certain processes that i always complain about in router config. Thank you
Just a note, this is great advice for the home, but could get you in trouble at work. Many filtering solutions use a special DNS server to block access to certain sites (like that other "hub"). Thus, using your own DNS could either bypass the filtering, or get you nothing at all (because all other DNS is blocked). Even at home it could be an issue if you're trying to filter your family's access to non-family friendly sites.
A *huge* factor in the responsiveness of your setup is how well your connection holds up when it's busy. We're talking latency under load, aka bufferbloat. Crappy home routers cause traffic jams, where the essential background stuff, like TCP ACKs and DNS requests, gets stuck in the routers' buffers. The user experience spirals down from there. So when the DNS benchmark candidates drop down the ratings list, it may not be the server's fault, or the number of hops, or the physical distance. It may just be bufferbloat. There are lots of articles out there on it.
4:08 It's "time to live" as in how long the packet will live (short "i"; verb), not "live" (long "i"; adjective) as in "alive".
Yes, it’s live as in rhymes with sieve.
@@MarcWickens I had to look up what s-i-e-v-e spells... *cough* 😁
@@danielhooke6115
Oh you millimenials - no edumicated good. Ya gotsta reed mor bukes sos ya no mor word-thingies! 😅
Ah yes, Steve Gibson, he also does a security podcast on Twit with Leo LaPort. Truly a legend.
I've met Leo (and Lisa) in person, but it would be great to meet Steve as well...
@@IBM_Museum Wow! Is Leo still with us? He goes way back.
@@joseph7179 - That's been about eight years back, in Gainesville, Florida. Quite a long talk with Leo. But yes, he's still around.
@@joseph7179 Every week a podcast, in both video, audio and in text form, with both the show notes and actual podcast available as well. Video and Audio at TWIT, and the show notes at Steve's site of GRC, where he also has this freeware, along with his other software.
Security Now is a great podcast. I actually got to sit in on a taping of The Tech Guy at the TWiT studios back in 2012
Note: This isn't going to speed up your internet connections, it will just speed up the initial connection.
Subsequent connections will use lookups cached on your personal device, stored in a DNS cache so it is not needed to look up the IP again.
This lasts as long as the TTL setting, which is going to be somewhere between 1h - 24h, typically 6h.
It is far more important to choose a secure, and reliable DNS server, with a good reputation.
Any malicious DNS server can set you up for a man-in-the-middle attack.
Unless you are a MS engineer.... and work on OS that handle caching badly.... or wose , in hte case of 365 , where they rotate the cloud endpoints FASTER, that the dns records renew...
so you end up caching a load of potentially "dead" end point ip addresses...
The ven diagram of Dave’s videos and videos about dns means a huge smile on my face. I run a cluster of recursive DNS servers that then feed into pihole servers. Nice fast, lots of cache and secure dns
You must have a super brain like Dave's. My brain refuses to comprehend anything relating networking, other than plugging in cables, lol.
What recursive DNS servers do you use? I use two different Unbound servers. And yes, those feed into my Pi-Hole servers as well (which came out on top in the DNS benchmark).
I cant express how much clear to the point explanations without any unrelated information are enjoyable to watch, good work sir. Loved the video
Your comedic timing and taste is just perfect. Thanks for making content like this. A guy with your experience and resume is rare,and to share it with others to help learn, is even more rare. I'll be checking out your book and thanks again.
_"It's just an executable."_ 7:35
Famous last words of many Microsoft Windows users.
There was a DDOS attack on the DNS root server back in 2016. I was at my companies conferance and I owned and deployed the entire compute infrastructure in the convention center and when the attack happened, I thought it was our network, but then word got out that much more and it ended up being malware implanted in TV Set Top boxes and small IoT devices and all kinds of end points, that were flashed with an update that had this sleeping malware in it for years and all at once for two days, it flooded the entire root DNS and took down the entire internet and core services. Only local DNS resolvers with cached IP to site info would still work until the cache expired. They flooded the DNS core with 1.5Tbps of request data.
Thanks a lot, Dave. At one time a couple of decades ago, I used to keep a massive list of phone numbers in my head. I cannot imagine doing the same with IP addresses...
I suppose most techies still remember a few IP addresses.
I remember the IP address for: my Router, PC, IP Camera, other commonly deployed routers/switches, Google DNS servers. Admittedly all but the last ones are local.
Especially those IPv6 addresses !
your videos are the best ad for the RE20 ever. Your voice is mic'd better than most of the audio specific channels I follow.
Dave I salute you. I found your channel after the recent CrowdStrike security issue. I found your videos very informative an easy to follow. Keeps up the great work!👍
Dymistifier Dave 😊
Steve Gibson, there's a name I haven't heard in a while ❤
Hi, great info! I changed from the the DNS that came with Xfinity to Quad9 and it drastically reduced my junk mail. Take care.
Another great episode Dave! I love content like this that provides such great detail about systems and topics that are often glossed over, complained about, or ignored completely.
Good old Steve eh! I was a bit of a PC newbie around the time of the big DCOM vulnerability and used his Decombobulator, along with some of his socket advice.
"Trouble in Paradise", "Never10", the list of Steve Gibson gems goes on and on...
I remember using Steve’s firewall many many years ago. First learned about him and his software library back in the ZDTv days in the late 1990s.
So TTL stands for Time To Live! I always thought it stood for Time To Live!!!
I clearly said "live" :-)
@DavesGarage I think he meant "Live" as in pronounced "Liv" as in the time the record has to "live" before being refreshed.
@DavesGarage I live in a house and I'm live online inside the house.
Live and live are heteronyms.
Um… To both of you who replied to Dave: r/whoosh!
😂😂😂😂😂
I recall reading a detailed and fascinating DDOS account by Steve Gibson. Must be 20+ years ago. It was an attack on his systems and described how he discovered it and how he resolved it. Also explained the 3 way handshake of TCP/IP which I have used many times to explain even normal communication. Very good.
Love Steve Gobson, I followed his podcasts from about 15-17 years ago. Back then, I worked for the State as a Fiscal Analyst and knew more about computers and security than the IT staff at the State. I am a proud owner of SpinRite.
I personally like the idea of running your own recursive name server locally and using the root servers directly. Eliminates the privacy concerns of using Google or CloudFlare too.
Does Pi-hole do this?
@@thecandyman9308 Not out-of-the-box. But it can be setup to do this.
@@thecandyman9308 Easiest way to set that up is to also install/run Unbound and use that as upstream DNS server for your Pi-Hole.
Just found your channel based on the Crowdstrike debacle. Subscribed. Great videos.
this is the "Coles notes" of O'Reilly DNS and BIND. Fantastic job breaking it down!!!
Hi Dave, I really enjoy your videos and it's great to see you get more and more comfortable doing them!
Even in cases where DNS is encrypted, it is usually decrypted by the DNS provider, not the website you're trying to access -- so it is still important to trust the provider!
I love the way you explain things, I'm a casual when it comes to tech but you're upskilling me like crazy!
Dave, you clearly got the youtube algorithm to do your bidding and promoting your videos, but your content never lets one hanging!
The fun thing about all this is that the source and destination IP addresses are still trivial to look up, and if you use a VPN, you have to hope your VPN service isn't actually logging stuff secretly, and on top of that, hope your browser isn't vulnerable in some way or isn't leaking data like real IP addresses through things like webrtc, and then on top of that hope your browser isn't secretly tracking you anyway like chrome was found to be doing even with incognito mode.
What an interesting explanation once again, Dave! Great stuff. What caught me off guard a little is your pronunciation of TTL. You say Time to Live with live as in live music. I always thought it was live as in living. It's how long the entry has left to live instead how long its considered live. It may be correct both ways? Don't know but I think it's interesting.
Brilliant work Dave! Very concise and clear. Passing it on to my tech who is studying to become a network administrator.
I run my own internal DNS resolvers, to eliminate /some/ of the DNS snooping from my ISP. As always, they are faster than any public DNS server in all categories (including the generated custom list) of Steve's awesome DNS Benchmark tool. There are multiple benefits of running your own DNS server, such as the ability to block access to certain domains (i.e., ads hosting companies), without messing with browser extensions or anyone's device. This works wonders for the devices where your configuration options are very limited.
Doing the same here, actually been doing this for about 30 years now. It has always been the best solution for those who understand DNS, but out of reach for most users.
Set up my own DNS DHCP appliance. £40 and now I can swap out my router without rebooting all current network hardware (Alexa, bulbs and sockets). Cable router replaced with PfSense PC. Local cable acting as a failover for fibre until cable contract ends.
But extensions blocks everything for me where dns didnt anything visually.(might blocked some tracking but not ads and certainly no where near extensions). But i am just one user.
@@JohnDoe-uz1yb Use the correct DNS server (Pi-Hole).
DNS -- the thing that many admins get wrong in an Active Directory environment!
Hint: AD clients will break if you assign them a public DNS server to query from, even if you put it as secondary. Any DNS server queried by an AD client must be able to resolve the AD domain. Generally, only the AD DNS server service should be querying public DNS.
Also, remember that NXDOMAIN -- when the DNS server returns "I dunno" to a query -- is a valid response, and the client will NOT query the secondary server when it receives an NDXOMAIN response.
This! 100%.
VERY Sage advice here!!!! Admins take note :)
admins who get this wrong are not admins
NXDOMAIN is not, "I don't know,"; it is a definitive does not exist.
I managed (before retiring) an AD forest with child domains managed by their local admins. One guy set all of his forwarders to Google DNS servers and then called me complaining about their DNS problems while never mentioning what he had done. Plus it was something I had fixed one time before and warned him about it.
Super helpful as always Dave. Steve's stuff has been helping me for ~25yrs 👌.. as for the hub... yeh, thats the one i thought you ment 🧐😁
I don't know why but I've always loved anything to do with DNS. I'm by no means a network guy - I'm strictly software and that's where I feel most comfortable but there is a beauty in the design of the DNS system and the fact its been in use for 40 years that fascinates me. Great vid, really enjoyed it ;-)
The DNS system is so mind numbingly complex and unintuative that I'm miles away from noticing any beauty. It does my head in. And it's not for a lack of trying. I've been a C++ Windows application developer for 25 years, but I keep away from all things network. I just don't get it.
@@toby9999 I hear ya, perhaps I'm conflating "beauty" with "complexity"!
I was one of those guys building custom PCs when Win95 hit the scene.
I think I lasted about 8-10 months after that, then quit the job after having a mental breakdown. WIN95 was so problematic that people would find my number in the phone book and call me for debug advice and to just complain...even people that were not my customers, it was INSANE.
I do miss Windows 3.11
Love Steve's benchmarking tool (well, all his tools)! Thanks for the vid
Can't wait to watch this. When I was getting my IT certs I wanted to get into networking. Planned a little homelab and everything. This is the stuff that intrigues me.
Since you mentioned Steve Gibson and SpinRite, i would live to hear your take on using it to speed up SSDs. Seems like s sufficiently geeky topic for this channel.
Awesome! Good to know I wasn't quite utilizing the fastest DNS for my area; great tool! Also, bravo to the old school Family Guy reference 🤣. I MUST get your book on living with ASD. I have yet to be diagnosed, but, after months and months of reading up on it online and in the DSM-5, about 12 online tests all coming back 'strong likelihood', and much time spent in reflection, I have no doubts I am on the spectrum; so many things in my life now make so much more sense. Your videos have helped, as well, as I am currently studying cyber sec and preparing for the arduous road of having no experience, but landing a gig. Thanks. (This comment has no gone on for way too long, I know 🙄)
Things have changed a bit since you were using them Dave. There IS encrypted DNS, it's called DNS-over-HTTPS (DOH) and it's neither complicated nor difficult. It is actually integrated both in Windows and in Firefox and very easy to enable. And it is recommended for everyone to do it.
DNS over TLS is a more direct alternative since it's DNS-only. DoH is mostly used to work around network limitations.
It's all complicated and difficult to understand.
@@toby9999 nope. In Windows settings, when setting DNS server manually, just set "DNS over HTTPS" to "On (automatic template)". Or in Edge, in settings, search for "use secure dns" and toggle on
@@QualityDoggo DNS-over-HTTPS is the evolution of DNS-over-TLS. The latter has a distinctive signature (it uses port 853) and it can be easily blocked by the network administrator (and is indeed blocked by some) or the internet provider. DNS-over-HTTPS on the other hand is not different from normal HTTPS traffic and cannot be blocked. And it is natively supported by Windows, Android, Firefox and others.
While DNS-over-HTTPS (DOH) is easy to implement in some cases and is more secure than non-encrypted DNS, there is often a performance penalty. In addition, most consumer routers do not allow DOH to be set in their configuration panels.
This is cool! Thank you for the information!😎👍
Edit: I remember both yellow and white phone book decades ago.
This is such a good video. I am a competitive fps gamer and IT student and I have been using that DNS benchmark tool for a long time. I had a rough idea of how DNS worked but this was super informative and helpful.
Another master-class in information packed and organized video.
wow, GRC is still up... glad to see it, I haven't poked around there in ages.
Spinright was my go to recovery tool back in the day. That was a blast from the past!
I remember Steve Gibson. He used to come into Advanced Computer Products from time to time. At the time he was working on _The Gibson Light Pen._
Great explanation; I've never come across a video on this subject before that I started to watch and sat out until the end. You are very talented, Sir!
And Steve Gibson sounded very familiar to me. Then I remembered Spinrite and how many times it saved my data.
The fastest DNS is by running one's own DNS resolver, such as PowerDNS' Recursor, then pointing one's local systems to the address of the local recursors (the more recursors on the local area network, the higher the redundancy and the performance). PowerDNS' Recursor will cache the results for the TTL interval, of course, building up a cache; I have 99.5% cache hit on the recursors on my local area network.
Wow! This is a great summary that I wish I had found at the time when I set up my first website. Great stuff.
Love your explanation. Interesting fact about a DDOS attack on DNS root servers. Even if a DDOS attack was successful in making these servers inaccessible they have about 7 days to resolve the issue before the DNS system is actually broken.
There’s also something I’ve heard about DNS being faster at certain times of day. This makes it so much more complicated, but I see why the popular DNS are popular.
What an amazing video - this is like a university level course lecture on how the web works.
That's kinda what I am for. CS students who are already smart and interested but may not know anything about THIS particular topic!
Back in the 90's when I was a sys and network admin for my local ISP, I used to run my own home servers and would tailor everything for my own behalf (not sacrificing customer resources of course) and delegated everything down to my own devices, so to speak. It was kind of wild performing dumps and traces on the network traffic and filtering for DNS versus other services, like HTTP, etc. The internet was wild back then; it was.almost like a Wild West of sorts. I even had my own ASN for BGP requests (which actually helped later on when we had DDoS attacks against customers which could have affected our entire client network.)
Love local servers that can cache locally based on queries your household does. And you can have them do parallel lookup against a list. Adguard is what I use. Pretty simple and just works. And blocks ads without needing ad block on devices! Saves on even more network traffic.
Thanks for another great video Dave. I always learn something even after forty years in IT.
Your explanations are quite clear and fun to listen to. Thanks.
The domain that ends in hub. I love it!
Steve Gibson! The man! I was using shields up back in the ISDN / early broadband days, and spinrite later.
In terms of explaining of things, You are on another lvl.
I swear 20+ years ago when I was in my CCNA class it was Domain Name Service and just recently came across a number of people with the same memory of Domain Name Service instead of System. It's my own Mandela Effect.
Great video Dave, thanks for the excellent explanation and entertainment!
This was really helpful and easy to understand. Building my custom DNS list now, lol. Also, thank you for mentioning your book. I know you have brought up Autism in the past but I wasn't aware you had written anything. I'll definitely be checking it out. Cheers! :)
Well done Dave. As usual, I may add.
As you mentioned, DNS is the equivalent to the telephone assistance service. The equivalent of the phone book would be the HOSTS.TXT file published by SRI, later the InterNIC until it became too big and impractical. DNS is old, 1983 as far as I remember. I was not able to find out when the InterNIC stopped publishing a HOSTS.TXT file - maybe already in the 1980s. These days the hosts file only has marginal meaning to deal with special cases.
As for robustness, the root nameservers are using anycast addresses. Which means there could be multiple servers using the same IP address and they might even be in different locations. Where is hard to say for sure but there are hundreds of physical systems not just 13.
“You can't optimize it until you can measure it”
Now you CAN measure it! Love the comment on the Page lol
Simply knowing and typing the IP Address of the server in a web browser may not get you a web page, or the web page you actually want. There are many shared hosting sites, or load balanced hosts where you have to make the querty to the correct named host with the IP.
The easiest way would be to manually enter the domain with server with its matching IP address into the hosts file. A more extreme way to do this would be to run your own DNS server.
Great presentation, Dave!
One nit: it is pronounced "time to lĭv" (soft "i"), not "time to līv" (hard "i").
From the American Heritage Dictionary:
*live.* _v.intr._
1. To be alive; exist.
2. To continue to be alive: lived through a bad accident.
3. To support oneself; subsist: living on rice and fish; lives on a small inheritance.
4. To reside; dwell: lives on a farm.
5. To conduct one's life in a particular manner: lived frugally.
6. To pursue a positive, satisfying existence; enjoy life: those who truly live.
7. To remain in human memory: an event that lives on in our minds.
Given the DNS outage that happened a few years ago and the recent CrowdStrike BSOD outages, it feels like organized and deliberate attacks outside the of a zone of trust are not even in the same league as errors that occur within a trusted zone as far as the havoc that can be caused. This feels like an obvious insight but what keeps me up at night sometimes is the realization of what a bad actor with access can do and given how easy it is for all the holes in the stack of Swiss cheese are to align even on a simple accident.
Got that covered too DAVE..
It's called: Kodachi
DNS is under the user's full control and it is FREE.
“Time to live”? I play drums live in a few bands, but I live in each experience. Shout out to GRC. I’d love to see/hear a collaboration, perhaps as Dave being a featured guest on Security Now!
I've been playing around with DNS services lately so this videos quite providential😅. Currently using Control D, it's definitely a different kind of dns service, so far best benefit is the customizability, to a fault almost, you raise your ad block severity too much and you'll be having a fun time figuring out which things you need to make an exception rule for.
A fellow EV RE-20 user. That's all I need to know to trust ya. (That and I've been around since the DOS days as well...)
You can also run your own local DNS proxy such as Acrylic DNS Proxy, default is local system only, but can be set to allow other devices on LAN if you run it on an always on PC - or run DNSMasq on a Raspberry Pi
Fwd lookup zones are akin to traditional phone books. Rev lookup zones were the limited phone books that had a section sorted by number.
Thanks Dave, this was very educational and clarifying too.
3:38 - nice terminal theme, Dave!
10:10 LMAO gold, and the delivery is spot on
As always great content, Dave. You are a true inspiration.
Knowing about DNS can be pretty useful. I host a pihole DNS server on my network and it lets me add block lists to try to avoid malware or ads online. There's also DNS servers out there that do this as well, if you don't want to host your own.
Most ads are served from within sites. I couldn't block RUclips ads by using DNS like adguard or nextdns.
I really enjoy your videos, very much. Been working with operating systems, including the long and sordid history of the MS' ones since the late 80's
While this was very basic, I do really hope/wish that you wil use your imense knowledge and ability to simplify stuff, to dive deeper in to the DNS-ecosystem (how to protect youself from posiong, hybrid DNS, faking and all that suff). A series? :D Thank you!
Nice to see your local DNS server comes out on top.
Great video as always but a very small correction: TTL means Time to LIVE - where live here is the "my cat lives next door to Alice" pronunciation, not the "a cat have nine lives" pronunciation. It means exactly what it means - "how long much this entry live in the cache before it is evicted?".
you got trolled
@@tuphdc8779 I was wondering about that but I could have sworn I've heard the same pronunciation from Dave before, and he didn't have his usual trolling tone engaged :) But it sure is a possibility.
If you think there is a time to resolve differences between DNS Queries for Seattle (or West Coast US) and Miami (or East Coast US), try the difference between any US DNS Servers (or UK and European DNS servers) from Melbourne Australia! Now we have basically explained very well for us old-timer IT Programmers / Professionals, time for part 2 (how setting up configuring access to secure DNS servers?) and 3 (setting up your own local DNS resolver, such as Pi-Hole or AdGuard)? I can follow the step by guides, but I want someone with David's style and humour to actually explain what is happening first!!!
Informative and entertaining :) Thanks Dave. ❤
Another excellent and well researched and delivered video / knowledge transfer.