Today I discovered some great news, for me at least….
Cloudflare has now added the ability to add custom comments on your DNS records, on all plans. Users on the Pro, Business and Enterprise plan will also be able to tag DNS records as well.
This is a feature I have been waiting for for many years, not just from Cloudflare, but from Cpanel and DNS in general.
Managing DNS and keep track of what every record is for has always been problematic due to this lack of any notes or comments. This has become even more of a problem in recent years due to the requirements for the myriad of TXT records for verification, DKIM, Dmarc etc.
You very quickly lose track of what a record was for or if it is still required, so don;t want to delete it. This results in redundant, legacy records being left hanging around, potentially causing security issues, such as when an old email no longer authorized email source still has a valid dmarc and dkim record.
more details below from Cloudflare’s blog.
DNS records are important
DNS records play an essential role when it comes to operating a website or a web application. In general, they are used to mapping human-readable hostnames to machine-readable information, most commonly IP addresses. Besides mapping hostnames to IP addresses they also fulfill many other use cases like:
Ensuring emails can reach your inbox, by setting up MX records.
Validating a TLS certificate by adding a TXT (or CNAME) record.
Specifying allowed certificate authorities that can issue certificates on behalf of your domain by creating a CAA record.
Validating ownership of your domain for other web services (website hosting, email hosting, web storage, etc.) – usually by creating a TXT record.
And many more.
With all these different use cases, it is easy to forget what a particular DNS record is for and it is not always possible to derive the purpose from the name, type and content of a record. Validation TXT records tend to be on seemingly arbitrary names with rather cryptic content. When you then also throw multiple people or teams into the mix who have access to the same domain, all creating and updating DNS records, it can quickly happen that someone modifies or even deletes a record causing the on-call person to get paged in the middle of the night.
Enter: DNS record comments & tags 📝
Starting Dec 21st 2022, everyone with a zone on Cloudflare can add custom comments on each of their DNS records via the API and through the Cloudflare dashboard.
To add a comment, just click on the Edit action of the respective DNS record and fill out the Comment field. Once you hit Save, a small icon will appear next to the record name to remind you that this record has a comment. Hovering over the icon will allow you to take a quick glance at it without having to open the edit panel.
What you also can see in the screenshot above is the new Tags field. All users on the Pro, Business, or Enterprise plans now have the option to add custom tags to their records. These tags can be just a key like “important” or a key-value pair like “team:DNS” which is separated by a colon. Neither comments nor tags have any impact on the resolution or propagation of the particular DNS record, and they’re only visible to people with access to the zone.
Now we know that some of our users love automation by using our API. So if you want to create a number of zones and populate all their DNS records by uploading a zone file as part of your script, you can also directly include the DNS record comments and tags in that zone file. And when you export a zone file, either to back up all records of your zone or to easily move your zone to another account on Cloudflare, it will also contain comments and tags. Learn more about importing and exporting comments and tags on our developer documentation.
;; A Records
*.mycoolwebpage.xyz. 1 IN A 192.0.2.3
mycoolwebpage.xyz. 1 IN A 203.0.113.1 ; Contact Hannes for details.
sub1.mycoolwebpage.xyz. 1 IN A 192.0.2.2 ; Test origin server. Can be deleted eventually. cf_tags=testing
sub1.mycoolwebpage.xyz. 1 IN A 192.0.2.1 ; Production origin server. cf_tags=important,prod,team:DNS
;; MX Records
mycoolwebpage.xyz. 1 IN MX 1 mailserver1.example.
mycoolwebpage.xyz. 1 IN MX 2 mailserver2.example.
;; TXT Records
mycoolwebpage.xyz. 86400 IN TXT "v=spf1 ip4:192.0.2.0/24 -all" ; cf_tags=important,team:EMAIL
sub1.mycoolwebpage.xyz. 86400 IN TXT "hBeFxN3qZT40" ; Verification record for service XYZ. cf_tags=team:API
It might be that your zone has hundreds or thousands of DNS records, so how on earth would you find all the records that belong to the same team or that are needed for one particular application?
For this we created a new filter option in the dashboard. This allows you to not only filter for comments or tags but also for other record data like name, type, content, or proxy status. The general search bar for a quick and broader search will still be available, but it cannot (yet) be used in conjunction with the new filters.
By clicking on the “Add filter” button, you can select individual filters that are connected with a logical AND. So if I wanted to only look at TXT records that are tagged as important, I would add these filters:
One more thing (or two)
Another change we made is to replace the Advanced button with two individual actions: Import and Export, and Dashboard Display Settings.
You can find them in the top right corner under DNS management. When you click on Import and Export you have the option to either export all existing DNS records (including their comments and tags) into a zone file or import new DNS records to your zone by uploading a zone file.
The action Dashboard Display Settings allows you to select which special record types are shown in the UI. And there is an option to toggle showing the record tags inline under the respective DNS record or just showing an icon if there are tags present on the record.
And last but not least, we increased the width of the DNS record table as part of this release. The new table makes better use of the existing horizontal space and allows you to see more details of your DNS records, especially if you have longer subdomain names or content.
Try it now
DNS record comments and tags are available today. Just navigate to the DNS tab of your zone in the Cloudflare dashboard and create your first comment or tag. If you are not yet using Cloudflare DNS, sign up for free in just a few minutes.
A hostname is a label assigned to a device (a host) on a network. It distinguishes one device from another on a specific network or over the internet. The hostname for a computer on a home network may be something like new laptop, Guest-Desktop, or FamilyPC.
Hostnames are also used by DNS servers so you can access a website by a common, easy-to-remember name. This way, you don’t have to remember a string of numbers (an IP address) to open a website.
A computer’s hostname may instead be referred to as a computer name, sitename, or nodename. You may also see hostname spelled as host name.
A DNS cache (sometimes called a DNS resolver cache) is a temporary database, maintained by a computer’s operating system, that contains records of all the recent visits and attempted visits to websites and other internet domains.
In other words, a DNS cache is just a memory of recent DNS lookups that your computer can quickly refer to when it’s trying to figure out how to load a website.
The information in this article applies to home users who haven’t changed their DNS settings.
The Purpose of a DNS Cache
The internet relies on the Domain Name System to maintain an index of all public websites and their corresponding IP addresses. You can think of it as a phone book.
With a phone book, we don’t have to memorize everyone’s phone number, which is the only way phones can communicate: with a number. In the same way, DNS is used so we can avoid having to memorize every website’s IP address, which is the only way network equipment can communicate with websites.
You type in a URL like lifewire.com and your web browser asks your router for the IP address. The router has a DNS server address stored, so it asks the DNS server for the IP address of that hostname. The DNS server finds the IP address that belongs to lifewire.com and then is able to understand what website you’re asking for, after which your browser can then load the appropriate page.
This happens for every website you want to visit. Every time you visit a website by its hostname, the web browser initiates a request out to the internet, but this request cannot be completed until the site’s name is “converted” into an IP address.
The problem is that even though there are tons of public DNS servers your network can use to try to speed up the conversion/resolution process, it’s still quicker to have a local copy of the “phone book,” which is where DNS caches come into play.
The DNS cache attempts to speed up the process even more by handling the name resolution of recently visited addresses before the request is sent out to the internet
There are actually DNS caches at every hierarchy of the “lookup” process that ultimately gets your computer to load the website. The computer reaches your router, which contacts your ISP, which might hit another ISP before ending up at what’s called the “root DNS servers.” Each of those points in the process has a DNS cache for the same reason, which is to speed up the name resolution process.
How a DNS Cache Works
Before a browser issues its requests to the outside network, the computer intercepts each one and looks up the domain name in the DNS cache database. The database contains a list of all recently accessed domain names and the addresses that DNS calculated for them the first time a request was made.
The contents of a local DNS cache can be viewed on Windows using the command ipconfig /displaydns, with results similar to this:
docs.google.com ------------------------------------- Record Name . . . . . : docs.google.com Record Type . . . . . : 1 Time To Live . . . . : 21 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 220.127.116.11
In DNS, the “A” record is the portion of the DNS entry that contains the IP address for the given host name. The DNS cache stores this address, the requested website name, and several other parameters from the host DNS entry.
What Is DNS Cache Poisoning?
A DNS cache becomes poisoned or polluted when unauthorized domain names or IP addresses are inserted into it.
Occasionally a cache may become corrupted because of technical glitches or administrative accidents, but DNS cache poisoning is typically associated with computer viruses or other network attacks that insert invalid DNS entries into the cache.
Poisoning causes client requests to be redirected to the wrong destinations, usually malicious websites or pages full of advertisements.
For example, if the docs.google.com record from above had a different “A” record, then when you entered docs.google.com in your web browser, you’d be taken somewhere else.
This poses a massive problem for popular websites. If an attacker redirects your request for Gmail.com, for example, to a website that looks like Gmail but isn’t, you might end up suffering from a phishing attack like whaling.
DNS Flushing: What It Does and How to Do It
When troubleshooting cache poisoning or other internet connectivity problems, a computer administrator may wish to flush (i.e. clear, reset, or erase) a DNS cache.
Since clearing the DNS cache removes all the entries, it deletes any invalid records too and forces your computer to repopulate those addresses the next time you try accessing those websites. These new addresses are taken from the DNS server your network is set up to use.
So, to use the example above, if the Gmail.com record was poisoned and redirecting you to a strange website, flushing the DNS is a good first step to getting the regular Gmail.com back again.
In Microsoft Windows, you can flush the local DNS cache using the ipconfig /flushdns command in a Command Prompt. You know it works when you see the Windows IP configuration successfully flushed the DNS Resolver Cacheor Successfully flushed the DNS Resolver Cachemessage.How to Flush and Clear Windows DNS Cache
Through a command terminal, macOS users should use dscacheutil -flushcache but know that there is not a “successful” message after it runs, so you’re not told if it worked. In some cases, Mac users will also have to kill the DNS responder (sudo killall -HUP mDNSResponder.) Linux users should enter the /etc/rc.d/init.d/nscd restart command. The exact command will vary based on your Linux distribution, though.
A router can have a DNS cache as well, which is why rebooting a router is often a troubleshooting step. For the same reason you might flush the DNS cache on your computer, you can reboot your router to clear the DNS entries stored in its temporary memory.
A list of additional free DNS servers can be found in the table near the bottom of the page.
What Are DNS Servers?
DNS servers translate the friendly domain name you enter into a browser (like lifewire.com) into the public IP address that’s needed for your device to actually communicate with that site.
Your ISP automatically assigns DNS servers when your smartphone or router connects to the internet but you don’t have to use those. There are lots of reasons you might want to try alternative ones (we get into many of them in Why Use Different DNS Servers? a bit further down the page) but privacy and speed are two big wins you could see from switching.
Primary DNS servers are sometimes called preferred DNS servers and secondary DNS servers sometimes alternate DNS servers. Primary and secondary DNS servers can be “mixed and matched” from different providers to protect you if the primary provider has problems.
Best Free & Public DNS Servers (Valid March 2021)
Below are more details on the best free DNS servers you can use instead of the ones assigned.
If you’re not sure, use the IPv4 DNS servers listed for a provider. These are the IP addresses that include periods. IPv6 IP addresses use colons.
GOOGLE: 18.104.22.168 & 22.214.171.124
Google Public DNS promises three core benefits: a faster browsing experience, improved security, and accurate results without redirects.
Primary DNS: 126.96.36.199
Secondary DNS: 188.8.131.52
Google also offers IPv6 versions:
Primary DNS: 2001:4860:4860::8888
Secondary DNS: 2001:4860:4860::8844
Google can achieve fast speeds with its public DNS servers because they’re hosted in data centers all around the world, meaning that when you attempt to access a web page using the IP addresses above, you’re directed to a server that’s nearest to you.
QUAD9: 184.108.40.206 & 220.127.116.11
Quad9 has free public DNS servers that protect your computer and other devices from cyber threats by immediately and automatically blocking access to unsafe websites, without storing your personal data.
Primary DNS: 18.104.22.168
Secondary DNS: 22.214.171.124
There are also Quad 9 IPv6 DNS servers:
Primary DNS: 2620:fe::fe
Secondary DNS: 2620:fe::9
Quad9 does not filter content—only domains that are phishing or contain malware will be blocked. Quad9 also has an unsecured IPv4 public DNS at 126.96.36.199 (2620:fe::10 for IPv6).
OPENDNS: 188.8.131.52 & 184.108.40.206
OpenDNS claims 100% reliability and up-time and is used by 90 million users around the world. The offer two sets of free public DNS servers, one of which is just for parental controls with dozens of filtering options.
Primary DNS: 220.127.116.11
Secondary DNS: 18.104.22.168
IPv6 addresses are also available:
Primary DNS: 2620:119:35::35
Secondary DNS: 2620:119:53::53
The servers above are for OpenDNS Home, which you can make a user account for to set up custom settings. The company also offers DNS servers that block adult content, called OpenDNS FamilyShield: 22.214.171.124 and 126.96.36.199 (shown here). A premium DNS offering is available, too, called OpenDNS VIP.
CLOUDFLARE: 188.8.131.52 & 184.108.40.206
Cloudflare built 220.127.116.11 to be the “fastest DNS service in the world” and will never log your IP address, never sell your data, and never use your data to target ads.
CleanBrowsing has three free public DNS server options: a security filter, adult filter, and family filter. These are the DNS servers for the security filter, the most basic of the three that updates hourly to block malware and phishing sites:
Primary DNS: 18.104.22.168
Secondary DNS: 22.214.171.124
IPv6 is also supported:
Primary DNS: 2a0d:2a00:1::2
Secondary DNS: 2a0d:2a00:2::2
The CleanBrowsing adult filter (126.96.36.199) prevents access to adult domains, and the family filter (188.8.131.52) blocks proxies, VPNs, and mixed adult content. More features can be had at a price: CleanBrowsing Plans.
ALTERNATE DNS: 184.108.40.206 & 220.127.116.11
Alternate DNS is a free public DNS service that blocks ads before they reach your network.
AdGuard DNS has two sets of DNS servers, both of which block ads in games, videos, apps, and web pages. The basic set of DNS servers are called the “Default” servers, and block not only ads but also malware and phishing websites:
Primary DNS: 18.104.22.168
Secondary DNS: 22.214.171.124
IPv6 is supported, too:
Primary DNS: 2a10:50c0::ad1:ff
Secondary DNS: 2a10:50c0::ad2:ff
There are also “Family protection” servers (126.96.36.199 and 2a10:50c0::bad1:ff) that block adult content plus everything included in the “Default” servers. Non-filtering servers are available if you’re not interested in blocking anything: 188.8.131.52 and 2a10:50c0::1:ff.
Why Use Different DNS Servers?
One reason you might want to change the DNS servers assigned by your ISP is if you suspect there’s a problem with the ones you’re using now. An easy way to test for a DNS server issue is by typing a website’s IP address into the browser. If you can reach the website with the IP address, but not the name, then the DNS server is likely having issues.
Another reason to change DNS servers is if you’re looking for better performing service. Many people complain that their ISP-maintained DNS servers are sluggish and contribute to a slower overall browsing experience.
Yet another common reason to use DNS servers from a third party is to prevent logging of your web activity and to circumvent the blocking of certain websites.
Know, however, that not all DNS servers avoid traffic logging. If that’s what you’re interested in, make sure you read through the FAQs on the DNS provider’s site to make sure it’s going to do (or not do) what you’re after.
If, on the other hand, you want to use the DNS servers that your specific ISP, like Verizon, AT&T, Comcast/XFINITY, etc., has determined is best, then don’t manually set DNS server addresses at all—just let them auto assign.
Finally, in case there was any confusion, free DNS servers do not give you free internet access. You still need an ISP to connect to for access—DNS servers just translate between IP addresses and domain names so that you can access websites with a human-readable name instead of a difficult-to-remember IP address.
Additional DNS Servers
Here are several more public DNS servers. Let us know if we’re missing any major providers.
OpenNIC has several DNS servers. Visit its website and select one that’s geographically nearby for the optimal performance.