The standard DNS services offered by your Internet Service Provider offer a good enough option for simple DNS resolution. They do well with turning your request into the IP address for your browser to connect to, and caching it for faster response. But when it comes to security, sometimes “good enough” isn’t enough at all.
While we have already talked about preventing DNS attacks, now it’s time to see what actually are all of the risks of using an unsecure DNS server, and what provider you should choose to maximize security and privacy.
Risks of not using a secure DNS server
ISPs generally offer DNS services to their users, so when you don’t set up DNS servers on your computer or router, your DNS queries will run on your ISP’s DNS servers. Using default ISP DNS servers can result in certain problems while browsing the internet:
Most of the time, DNS requests are sent unencrypted, which can lead to many different types of DNS attacks. Some of the most common are:
- Domain hijacking, which involves changes in your DNS servers and domain registrar that can direct traffic away from your original servers to different destinations.
- DNS flood attack, a type of DDoS attack in which the attacker hits your DNS server in order to overload it, so it can’t continue serving DNS requests.
- DNS spoofing, or DNS cache poisoning, which is one of the most common DNS attacks around. By exploiting system vulnerabilities, attackers will try to inject malicious data into your DNS resolvers’ cache. You would then be redirected to another remote server.
- DNS hijacking, which involves malware infections used to hijack DNS. Malware hosted on the local computer can alter TCP/IP configurations so they can point to a malicious DNS server, redirecting traffic to a phishing website.
If you aren’t using a VPN when browsing the internet, your DNS requests can be easily observed. DNS requests are, as we mentioned, almost entirely unencrypted—meaning any third party in the middle of your traffic can see your online behaviour and the websites you’re connecting to. Additionally, your ISP’s DNS servers see every search you make in your browser. Using your ISP’s DNS servers as default DNS servers really doesn’t do anything in terms of your online and DNS privacy.
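To make the "unencrypted" point concrete, here is an added Python example (not code from the original article) that builds a DNS query in wire format and then parses it exactly the way a passive on-path observer would. The packets and names are constructed sample data; the point is that the queried name is readable without any decryption, which is what DNS over TLS or HTTPS to a resolver you trust changes.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels: length byte, label bytes, ..., 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: 12-byte header (RD set, one question) plus the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def decode_name(data, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just after the name in the un-jumped stream)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # two-byte pointer to an earlier name
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:                  # guard against pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_question(packet):
    """Everything a passive observer learns from the first question of a plain UDP/53 payload."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "rd": bool(flags & 0x0100), "qname": qname, "qtype": qtype, "qclass": qclass}

def observed_names(payloads):
    """What an on-path party (ISP resolver, hotspot, network tap) could log from captured queries."""
    return [parse_question(p)["qname"] for p in payloads]

if __name__ == "__main__":
    # Constructed sample: the queries a browser would send for two sites.
    captured = [build_query("www.example.com"), build_query("mail.example.net", qtype=15)]
    print(observed_names(captured))    # names are readable without any decryption
    print(b"example" in captured[0])   # the label even appears verbatim in the raw bytes
```

The same bytes are what a resolver receives, so switching resolvers changes who can read them, not whether they can be read; only an encrypted transport to that resolver removes the on-path observer.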
One of the most common concerns about ISP DNS servers is that they are simply slow. Furthermore, they might not be properly configured for caching, likewise making your internet connection unpleasantly slow.
Inability to load websites
DNS servers cache your previous requests so they can serve them more quickly in the future. As your device also has a local DNS cache, it’s not rare to see issues with cache that cause trouble when visiting certain sites. This inconvenience can be easily solved by using a different DNS server—your ISP and their DNS service aren’t the same, so you don’t have to use them. Additionally, some content may be geo-restricted to your IP address, meaning you can also be blocked from visiting websites that aren’t available for your location.
Best DNS servers for security and privacy
A secure DNS server adds an additional layer of security to the process of DNS resolution. By checking the IP addresses of websites it wants to serve you, it will determine whether they’re malicious or safe to access. And if you request to access an unsecure site, the DNS server will block it and notify you of the occurrence.
Besides improving your security in this way, changing your DNS servers is always a good idea as it:
- Improves your Internet speed and page-load time
- Stabilizes your connection
- Provides greater online security and privacy
- Removes geo-restrictions
When deciding to switch your DNS provider, it’s important to find the best provider for your needs. A while back, we ran two Twitter polls to find out what everyone’s favorite DNS server provider was, and based on the results, we’ve created a list of the best DNS servers available for improving your security and privacy:
5. OpenNIC
OpenNIC is a free DNS server that routes your traffic away from DNS servers provided by your ISP. One unique feature of OpenNIC is that, depending on your location, you are offered different servers. So, once you’ve decided to switch to OpenNIC, they will provide you with the 4 servers closest to your location, both for IPv4 and IPv6.
Another thing that sets OpenNIC apart from the others is that it isn’t a public DNS server per se; it’s a group of volunteers who run an alternate DNS network.
OpenNIC offers DNS neutrality, but you also get the right to choose how much data OpenNIC logs.
One of the privacy issues some users may have is that because everything is run by a group of volunteers, and it isn’t that difficult to set up a Tier 2 server on OpenNIC, the log data may be viewed by anyone. Additionally, some users have reported that the speed of OpenNIC servers isn’t always up to par.
4. Cloudflare DNS
Cloudflare might be the most popular of Internet services, with its content delivery network and now its public DNS service, but according to the Twitter poll it came in second to last!
Now, we’re talking about improving your online security, so Cloudflare DNS—an anycast service that doesn’t feature anti-phishing, improved security or any content filters—wouldn’t be on the list if it weren’t for a few other aspects in which it excels.
Cloudflare won’t control what you can or can’t visit while online, but your privacy is number one here. They do not log your DNS traffic and they don’t save your IP address. Everything logged by Cloudflare is deleted within the next 24 hours. In the interest of transparency, KPMG is hired by Cloudflare to audit their system and show in public reports that all promises of privacy to their users are being upheld.
Not to mention that Cloudflare has the fastest public DNS servers of all!
So, the benefits of using Cloudflare are:
- Not logging DNS traffic, no saving of your IP—privacy first
- Speed—the fastest of all DNS providers
- Community forum support
- Easy setup
Primary and secondary DNS servers:
The DNS resolver also operates through IPv6:
3. OpenDNS
Founded in 2005 and owned by Cisco since 2016, OpenDNS is a free, public and cloud-based service that provides DNS servers. It’s one of the most popular, but surprisingly, our Twitter poll showed it in third place.
OpenDNS is a great choice for protecting yourself from malicious attackers. To connect with your nearest DNS server, and for faster page load times, it uses anycast routing.
Other benefits of using OpenDNS are:
- High speed
- 100% uptime
- Phishing sites are blocked
- Web filtering to block adult content (optional)
- Email support
- History of your internet activity for the past 12 months
- Access to specific websites only
- Easy setup
Preferred and alternate DNS servers are:
OpenDNS offers three solutions in their Home package, two of which are free—OpenDNS Family Shield and OpenDNS Home. Both are similar to the paid solution; they’re equipped with all the same features except internet activity history and differences in access to specific websites.
Family Shield comes with parental protection by default, whereas Home needs to be configured to block adult content.
The OpenDNS VIP Home solution costs $19.95 per year and, along with the standard features included in the free solutions, it offers complete, detailed internet usage statistics for the past year and the ability to restrict internet access to specific whitelisted domains.
Besides the Home package, OpenDNS has a business solution where it offers protection for 3 devices per person, for 1-5 users.
It’s very easy to set up: All you need to do is reconfigure your device to use OpenDNS nameservers, or you can read their setup guide for setting up all kinds of devices.
As with everything, OpenDNS has its downsides.
Logging the DNS traffic it receives might be a turn-off for some, but it all depends on what kind of service you need.
2. DNSWatch
DNSWatch is another hugely popular DNS provider that is free to all, and doesn’t offer any paid packages like other providers.
DNSWatch proved itself very popular in our polls as well, and for a good reason. It offers DNS neutrality, just like OpenNIC, meaning it doesn’t censor any content. Privacy is also a huge factor in DNSWatch, and it doesn’t log any DNS queries or record your history.
So the main benefits of DNSWatch are:
- Free service for all
- No restricted content
- No logging of any DNS queries
Now, since they are a privacy-focused provider, and a small company which doesn’t offer any security intelligence analysis, any protection against phishing, malware or attacks will need to be addressed by you. In the end, it comes down to choosing between a more open internet without restricted content, or more secure browsing.
Primary and secondary DNS servers:
1. Quad9 DNS
We have a winner! Quad9 DNS has won two of our polls and takes the crown for a reason.
Quad9 DNS has been active since 2016, and from then it has earned its status as one of the best DNS providers around, for the security and speed it offers its users.
Here you will have all malicious and suspicious domains blocked so your security is ensured. Quad9 even uses security intelligence from 19 companies, one of which is IBM’s X-Force.
Quad9 uses whitelisting methods, including one no longer in use that pulled from Alexa. Since Alexa lists are not updated regularly (the indexed pages are updated daily, but the rank is not), they use the Majestic Million feed and a “Gold List” of domains, such as Microsoft, Google, etc., that are always treated as secure.
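The filtering described for secure resolvers above (block known-malicious names, answer normally for everything else) and the whitelist precedence just described for Quad9 come together in one small policy engine. This is an added Python example, not code from Quad9 or from the original article: the allowlist, blocklist and upstream answers are constructed sample data, and expressing a block as NXDOMAIN is an assumption (some providers instead answer with the address of a notification page, as the OpenDNS section describes).

```python
from dataclasses import dataclass, field

@dataclass
class DnsPolicy:
    """Filtering policy: an exact-match allowlist (the 'always safe' list) beats a suffix-match blocklist."""
    allowlist: set = field(default_factory=set)
    blocklist: set = field(default_factory=set)

    @staticmethod
    def normalize(name):
        return name.strip().rstrip(".").lower()

    @staticmethod
    def suffixes(name):
        """Yield the name and each parent domain: a.b.c -> a.b.c, b.c, c (whole labels only)."""
        labels = name.split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])

    def decide(self, name):
        """Return (decision, reason). Order: allowlist exact match, then blocklist by suffix, then allow."""
        name = self.normalize(name)
        if name in self.allowlist:
            return "allow", "allowlisted:" + name
        for s in self.suffixes(name):
            if s in self.blocklist:
                return "block", "blocklisted:" + s
        return "allow", "default"

def filtering_resolve(policy, name, upstream):
    """Simulated filtering resolver. Blocked names get NXDOMAIN (an assumption made here).
    Returns (rcode, answers, reason) so the decision is auditable."""
    decision, reason = policy.decide(name)
    if decision == "block":
        return "NXDOMAIN", [], reason
    return "NOERROR", upstream.get(policy.normalize(name), []), reason

# Constructed sample data: a tiny 'upstream' and threat/allow lists; none of this is real intelligence.
UPSTREAM = {
    "www.example.com": ["203.0.113.10"],
    "www.bad.example": ["198.51.100.5"],
    "login.bank.example": ["203.0.113.20"],
}
POLICY = DnsPolicy(
    allowlist={"login.bank.example"},           # rescued from the over-broad block below
    blocklist={"bad.example", "bank.example"},  # blocks every name under these apexes
)

if __name__ == "__main__":
    for q in ["www.example.com", "www.bad.example", "login.bank.example",
              "evil.bank.example", "notbad.example."]:
        print(q, filtering_resolve(POLICY, q, UPSTREAM))
```

Two design choices matter here: the blocklist matches whole labels only, so `notbad.example` is not caught by an entry for `bad.example`, and the allowlist is exact-match, so a listed hostname is served while other names under the same blocked apex still get NXDOMAIN.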
Also, the foundational performance of Quad9 is astonishing, with a speed just below Cloudflare’s (which is the fastest) but still higher than its competitors, although some users in particular locations may experience slower speeds.
Quad9 is committed to keeping users’ privacy, but they do keep logs on some activity, which they’ve highlighted:
- General location (on the metropolitan level)
- First seen, last seen
- Requested domain name and its geolocation
- Record type
- Transport protocol and its encryption status
- Whether it’s IPv4 or IPv6
- Response code
- Other (such as which of their machines processed the request, etc.)
Primary and secondary DNS servers:
The DNS services your ISP provides by default aren’t the safest way to browse the internet, and with them you may experience certain content restrictions based on your location. In practice, switching to any of the providers we’ve listed would be a step in the right direction toward improving your online privacy and security at the DNS level.
When it comes to choosing a new, secure DNS server, the bottom line is that the most important thing is what kind of service you need. After you’ve decided what’s most important to you in terms of privacy, security and speed, it will be much easier to choose the right one.
While being the mover behind the internet we know today, DNS is also one of the most frequently attacked protocols, with different types of DNS attacks targeting organizations. Creating a full inventory of all internet-connected assets, including DNS records, is a crucial step in any investigation. SecurityTrails API™ can help you discover any suspicious changes to DNS records by giving you access to full DNS record history. Sign up for your API key today.
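As an added example of the kind of check a DNS record history enables (this is illustrative Python, not the SecurityTrails API or its response format, and the history and address ranges are constructed sample data), the script below walks consecutive snapshots of a zone's records, emits one event per change, and escalates the two signs of domain hijacking mentioned earlier: a delegation (NS) change and an address that moves outside the space the organisation actually owns.

```python
import ipaddress
from collections import defaultdict

# Constructed sample record history for one zone (not real data).
HISTORY = [
    {"observed": "2021-01-01", "type": "NS", "values": ["ns1.hoster.example", "ns2.hoster.example"]},
    {"observed": "2021-01-01", "type": "A",  "values": ["203.0.113.10"]},
    {"observed": "2021-02-01", "type": "NS", "values": ["ns1.hoster.example", "ns2.hoster.example"]},
    {"observed": "2021-02-01", "type": "A",  "values": ["203.0.113.11"]},
    {"observed": "2021-03-01", "type": "NS", "values": ["ns1.elsewhere.example", "ns2.elsewhere.example"]},
    {"observed": "2021-03-01", "type": "A",  "values": ["198.51.100.77"]},
]

# Address space the organisation owns (constructed); anything outside it deserves a look.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Baseline severity per record type: moving the delegation or mail is the most serious.
SEVERITY = {"NS": "high", "MX": "high", "A": "medium", "AAAA": "medium", "TXT": "low"}

def in_known_networks(addr, networks=KNOWN_NETWORKS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def diff_history(history, networks=KNOWN_NETWORKS):
    """Walk the history per record type and emit one event per change between consecutive snapshots."""
    by_type = defaultdict(list)
    for rec in sorted(history, key=lambda r: r["observed"]):
        by_type[rec["type"]].append(rec)
    events = []
    for rtype, snaps in by_type.items():
        for prev, cur in zip(snaps, snaps[1:]):
            before, after = set(prev["values"]), set(cur["values"])
            if before == after:
                continue
            event = {
                "type": rtype,
                "when": cur["observed"],
                "added": sorted(after - before),
                "removed": sorted(before - after),
                "severity": SEVERITY.get(rtype, "low"),
            }
            # An A/AAAA record now pointing outside our own address space is the classic
            # symptom of a hijacked or taken-over name: escalate it regardless of type baseline.
            if rtype in ("A", "AAAA") and any(not in_known_networks(a, networks) for a in event["added"]):
                event["severity"] = "high"
                event["note"] = "address outside known networks"
            events.append(event)
    return events

if __name__ == "__main__":
    for e in diff_history(HISTORY):
        print(e)
```

Run against the constructed history this yields three events: the NS change in March (high), the in-range A change in February (medium), and the March A change to an address outside the owned range, escalated to high. Feeding real snapshots in the same shape is all that is needed to use it as a scheduled check.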