Choosing Your Domain Name Server (DNS)
The election coverage recently had an article about the use of domain name service (DNS) requests by one of Donald Trump’s servers for a server at a Russian bank. While reading the article, I realized that many people probably just use the DNS servers provided by their Internet service provider (ISP) or Wi-Fi connection, which is not necessarily a good idea from a security perspective. Each time you surf a web page, open your email client, access the “update” function on a software product or do anything on the web, your computer makes a DNS request to translate the www.domain.com name of a server to the 1.1.1.1 format Internet Protocol (IP) address of the server.
If you use the DNS that your ISP gives to your router, your ISP can (and will) keep track of those requests and sell information on the sites that you visit. Some ISPs have a history of having their DNS servers compromised in a DNS poisoning attack; instead of giving you the IP address of mybank.com, the compromised DNS gives you the web site for impersonatedmybank.com and you can’t tell the difference. If you connect to a public Wi-Fi router, it may give you a compromised DNS server so that all of your traffic gets routed to malicious addresses. The Wi-Fi routers in most venues are not well secured, so the likelihood of problems with compromised DNS is high.
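One way to check whether a resolver is handing out different addresses than the others, as an added example that is not part of the original article: it asks each resolver directly for a name's A records and lists any resolver whose answers share no address with the rest. The default resolver addresses are ones listed later in this article; the function names are this example's own.

```python
import secrets
import socket
import struct
import sys

def build_query(name, txid):
    """Encode a recursive query for the A records of `name`."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(msg, pos):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[pos] & 0xC0 != 0xC0 and msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses in the answer section of a response."""
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos, addrs = 12, set()
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4              # QTYPE + QCLASS
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:              # A record; CNAMEs etc. are skipped
            addrs.add(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve(name, server, timeout=3.0):
    """Ask one resolver directly over UDP port 53, bypassing the system resolver."""
    txid = secrets.randbelow(1 << 16)              # unpredictable ID, checked on reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))                    # only accept replies from this peer
        s.send(build_query(name, txid))
        return parse_a_records(s.recv(4096), txid)

def disagreements(answers):
    """Given {resolver: set of IPs}, list resolvers sharing no address with any other."""
    return sorted(r for r, ips in answers.items()
                  if not any(ips & o for k, o in answers.items() if k != r))

if __name__ == "__main__":
    servers = sys.argv[2:] or ["8.8.8.8", "8.26.56.26"]   # defaults are from the article
    print(disagreements({s: resolve(sys.argv[1], s) for s in servers}))
```

Run it with a host name followed by the resolvers to compare, including the one your router or ISP handed out. A resolver that shows up in the output is a lead, not proof: filtering resolvers may return a block page or no answer, and CDN-hosted names can legitimately resolve differently per resolver.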
I used the DNS services provided by my ISP–until I detected a compromised DNS server, at which point I manually switched all of my machines to DNS servers run by a security software provider. If you are having DNS problems, switching to Google’s servers is a sure-fire way to fix them, but recognize that Google is logging your DNS activity. Here are some common DNS servers that you might set permanently on all of your devices. Most DNS providers offer a primary and an alternate (backup) server address. The security software websites listed have instructions for changing addresses that I won’t repeat here.
You should change the DNS settings in your router so that devices that connect to your router via DHCP will get the more secure DNS servers. You should also change the DNS settings on your laptop and other devices.
Norton
Norton offers three pairs of DNS servers described on the Norton ConnectSafe site:
- Filtering for malware only using 199.84.126.10 and 199.84.127.10
- Filtering for malware and pornography using 199.84.126.20 and 199.84.127.20
- Filtering for malware, pornography and stuff that you probably do not want your children surfing using 199.84.126.30 and 199.84.127.30
Comodo
Comodo, a lesser-known security software vendor in the retail world, offers DNS servers described in Comodo Secure DNS. The server addresses are 8.26.56.26 and 8.20.247.20.
OpenDNS
OpenDNS (a part of networking hardware giant Cisco) offers several free home DNS services.
Google
Google uses 8.8.8.8 and 4.4.4.4. These do not provide any malware filtering, but are good for diagnosing DNS problems. Your traffic is certainly tracked, but these two are always fast. See Google Public DNS.
Summary
Changing your DNS services from the default values can provide much safer surfing. I do not get very many situations where the security software DNS stops me, but I am so, so glad when it does.