Using an alternative DNS provider, such as OpenDNS or Google's Public DNS, can improve performance and increase security. It's worth taking the time to compare your alternatives.
The Domain Name System (DNS) is something we all use and depend on, yet don't really pay much attention to; if you have some time to investigate alternatives, you could really enhance your network's performance and security.
Before I tell you how to do this, let's have a brief explanation of what DNS is. Think of what a phone book does; it allows you to look up someone's phone number so long as you know the person's name. The DNS does something similar for computers. For example, if you type in google.com it translates that name into a sequence of four numbers, called an IP address, which functions something like a phone number does. In this case, google.com's number is 126.96.36.199.
The overall Internet infrastructure has a series of master phone books, or DNS root servers, located at strategic places around the world and maintained by a collection of public, semi-public, and private providers. They talk to each other on a regular basis to make sure that as we add new domains they stay in sync.
As you may imagine, if someone wants to poison one of the entries, or misdirect Internet traffic to a phony domain, it can be done with the right amount of subterfuge. This is what happened in 2008 when an Internet provider in Pakistan managed to block access to all of YouTube when they were apparently just trying to keep Pakistanis from viewing a single video. A more comprehensive list of the various flavors of DNS attacks can be found here at Google.com.
Make the call
Unlike phone numbers, once you've set up your network, typically you don't give your DNS settings any further thought. If you have a cable or DSL modem, you hook it up and it automatically gets its DNS settings from the cable or phone company's DNS servers, so you may never even know the IP address unless you take the time to check. If you are running a large enterprise network, typically you have your own internal DNS server to provide this service.
There are several alternative providers, including OpenDNS and Google's Public DNS, among many others (listed in a blog post here). Why bother to opt for an alternative provider? Two good reasons: better browsing performance and better security, which can help protect you from known phishing and malware-infected domains.
Evaluating which of these alternative DNS providers gives your users better performance is tricky. A lot will depend on how you are connected to your ISP, where they are located, and where your destination is located across the Internet.
Before you pick an alternative DNS provider, you can use a Java program to test the speed of your own DNS vs. Google and OpenDNS. More details are available at three blogs I recommend: The Browser Mob Blog (to learn about the Java tool); TechSutra or Habitually Good (for OpenDNS vs. Google comparisons).
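As an added illustration of what such a speed test does under the hood (this is example code, not the Java tool mentioned above or anything from those blogs), the script below builds a raw DNS A-record query, times a UDP round trip to each resolver, and parses the reply. It checks that the reply carries our transaction id and no error code before trusting the addresses. The resolver addresses in RESOLVERS are assumed public values, and SAMPLE_REPLY is a constructed reply used for offline checking.

```python
import socket, struct, time
# Assumed public resolver addresses (Google Public DNS, OpenDNS); not taken from the article.
RESOLVERS = {"google": "8.8.8.8", "opendns": "208.67.222.222"}

def build_query(name, txid):
    # Minimal RFC 1035 A-record query: header (RD set, one question), QNAME labels, QTYPE=A, QCLASS=IN.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a domain name: length-prefixed labels ended by a 0 byte or a 2-byte compression pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg, txid):
    # Return IPv4 addresses from the answer section; reject a wrong transaction id or an error RCODE.
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def time_lookup(resolver, name, timeout=2.0):
    # Send one UDP query to a resolver and return (seconds elapsed, addresses); needs network access.
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return time.perf_counter() - start, parse_a_records(data, txid)

# Constructed sample reply (not captured from a real server): example.com A -> 192.0.2.1, TTL 300.
SAMPLE_REPLY = (b"\x42\x42\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id 0x4242, flags QR|RD|RA, 1 Q, 1 A
                + b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
                + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")  # answer record
```

To compare resolvers on a live connection, call `time_lookup(ip, "example.com")` for each entry in RESOLVERS and print the elapsed milliseconds; repeat a few times, since a single sample is dominated by cache state.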
You can change your DNS settings for your individual PC, or for your overall network, typically at your DHCP server or cable modem or router. All of the alternative providers offer their services free, and some, such as OpenDNS, offer a lot more than just name-to-address mapping.
Here are the instructions for changing the DNS settings. The whole process, from reading the instructions to implementing the change, shouldn't take you more than a couple of minutes.
There are a few other nice things about using these alternative providers. First, you can choose to block objectionable domains, which can help you to protect yourself from potential lawsuits over workplace harassment claims.
OpenDNS and Google both also spend time blocking known exploit domains, so you have a better chance of not getting trapped by a hacker.
You also get better DNS service, because these providers have servers that will supposedly resolve names faster than the general Internet's servers do. They also catch common typos in domains, so if you are like me and make mistakes typing URLs into your browser, Google and OpenDNS can usually direct you to the place you intended.
These alternative DNS providers are just the first step in securing your DNS resources. If you are interested in learning more, a good place to start is with this July 2008 blog post from Paul Vixie. Vixie is one of the original Wise Men of the Internet and has been involved in authoring numerous RFPs (Requests for Proposals) and protocols. He and others are part of a substantial effort underway to create a new series of secure DNS protocol extensions and products to support these extensions. You can check out these products and read more on this site to understand what is involved in deploying them.