Friday, 25 July 2008

Why OpenDNS [if you can not run DJBDNS]

To test, I let DHCP update my resolv.conf file with the DNS servers of my [horribly slow!] KPN Internet mobile connection:

bash-3.2# cat /etc/resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 62.133.126.28
nameserver 62.133.126.29

The top two addresses are my 'normal' DNS entries, from the fine folks of OpenDNS [who were secure since day one].

Now let's check the DNS servers from both OpenDNS & KPN mobile with a simple dig:

bash-3.2# dig @208.67.220.220 +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.69.34.6 is GOOD: 28 queries in 1061.8 seconds from 28 ports with std dev 17429.24"
bash-3.2# dig @208.67.222.222 +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.69.34.4 is GOOD: 26 queries in 4.3 seconds from 26 ports with std dev 20231.33"

bash-3.2# dig @62.133.126.28 +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"62.133.126.28 is POOR: 26 queries in 4.2 seconds from 1 ports with std dev 0.00"
bash-3.2# dig @62.133.126.29 +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"62.133.126.29 is POOR: 26 queries in 4.2 seconds from 1 ports with std dev 0.00"

Of course, nothing beats djbdns, but for day-to-day use, OpenDNS p0wnserz your provider's DNS hands down.
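
To repeat this check for every resolver in a resolv.conf, the sketch below parses the porttest TXT answers and flags any resolver that is not rated GOOD or that sent all its queries from a single source port. It is an added example, not part of the original post; the function names are made up here, and the sample input is copied from the dig output above.

```shell
#!/bin/sh
# Added example (not from the original post): parse porttest answers, flag weak resolvers.

# Answers copied from the dig runs in the post (one CNAME line, two TXT lines).
SAMPLE='z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.69.34.4 is GOOD: 26 queries in 4.3 seconds from 26 ports with std dev 20231.33"
"62.133.126.28 is POOR: 26 queries in 4.2 seconds from 1 ports with std dev 0.00"'

# Print "<ip> <rating> <queries> <ports> <stddev>" for each TXT answer on stdin.
# The IP is the address the test server saw, which may differ from the
# resolver that was queried (as with OpenDNS in the post). CNAME lines are skipped.
parse_porttest() {
    sed -n 's/^"\([0-9.]*\) is \([A-Z]*\): \([0-9]*\) queries in [0-9.]* seconds from \([0-9]*\) ports with std dev \([0-9.]*\)"$/\1 \2 \3 \4 \5/p'
}

# Print only resolvers that are not rated GOOD or used one source port.
# A single source port leaves only the 16-bit query ID protecting the cache.
weak_resolvers() {
    parse_porttest |
    awk '$2 != "GOOD" || $4 <= 1 { print $1, "rating=" $2, "ports=" $4 "/" $3 }'
}

# Live check (needs network and dig): test every nameserver in a resolv.conf.
check_resolv_conf() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}" |
    while read -r ns; do
        answer=$(dig "@$ns" +short porttest.dns-oarc.net TXT 2>/dev/null)
        parsed=$(printf '%s\n' "$answer" | parse_porttest)
        weak=$(printf '%s\n' "$answer" | weak_resolvers)
        if [ -z "$parsed" ]; then
            echo "$ns: no porttest answer"
        elif [ -n "$weak" ]; then
            echo "$ns: WEAK ($weak)"
        else
            echo "$ns: ok"
        fi
    done
}

# "--live" queries the resolvers; without it, only the embedded sample is parsed.
if [ "${1:-}" = "--live" ]; then
    check_resolv_conf "${2:-/etc/resolv.conf}"
else
    printf '%s\n' "$SAMPLE" | weak_resolvers
fi
```
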

To keep your resolv.conf file safe and clean on OS X and prevent DHCP from updating it, set the immutable bit:
chflags uchg /var/run/resolv.conf
To remove the flag use:
chflags nouchg /var/run/resolv.conf
