Using DNS Proxies for Security

What if there was a simple change you could make to your computer’s network configuration that would go a long way to protecting you from picking up malware on the Internet. This change could even protect you from accidentally clicking on malicious links in phishing emails. What if this simple fix could keep malware already on your computer from “phoning home” to the command and control servers (CnC or C2) run by cybercriminal groups or nation/state attackers? Would you make that change?

Regular reader know when the questions are rhetorical, my answer is: Of course you would make the change! The good news is there are a number of free, public DNS server options that also include web filtering features that prevent the cybersecurity incidents and attacks I listed in the opening paragraph.

Typically, your DNS servers are provided with your public IP address by your Internet Service Provider, companies such as Comcast and ATT. DNS was designed to provide directory services and location information for resources on the Internet. People sometimes choose a DNS service other than their ISP’s to improve speed and responsiveness when browsing the web.

Coupling DNS with web site proxying, content filtering and malicious web address blocking is an interesting solution to cybersecurity problems such as:

Distributed denial of service and other attacks by botnets.
Filtering undesirable web content such gambling, drug, adult, and hate speech sites, and even state lottery and social networks, if desired.
Detecting and dropping malicious software downloads before they can install in the destination computer.
Blocking known malicious web addresses that are used in phishing exploits.
Blocking parked domains known for aggressive pop-up advertising and adware downloads.

Here are my favorite solutions:

OpenDNS (208.67.222.222 and 208.67.220.220) – I’ve used OpenDNS for many years. Even though it was acquired by Cisco Systems, OpenDNS still offers a few service for consumers, OpenDNS Home. They also offer a more robust consumer product called OpenDNS Home VIP for twenty dollars per year. Their commercial product is Cisco Umbrella. They provide a full array of web content filtering, and block known phishing websites, too. Their DNS resolution is rated second fastest (behind Cloudflare) of the DNS services in this article.
Quad9 (9.9.9.9 and 149.112.112.112) – I saw a presentation by Quad 9 at the Minneapolis SecureWorld event on September 6th, and was very impressed with their credentials. Their primary DNS server address is 4 9’s (Quad9 – get it?) They are relatively new, and are an open-source community-driven resource. They are free. The Quad9 address was donated by IBM, who is a major supporter. They represent themselves as a security and privacy focused DNS provider, and are working to block malicious sites as quickly as they are identified. Quad9 also ranks in an impressive third place in DNS resolution time. To my mind, they are best alternative from a security standpoint, followed by OpenDNS and then Comodo.
Comodo Secure DNS (8.26.56.26 and 8.20.247.20) – Comodo is a well known cybersecurity vendor, so their focus is primarily security related. Adding DNS service to their collection of security offerings makes sense from a security perspective. Unfortunately, they ranked last place in the speed category. This is a good option for you if you are already a Comodo customers, and don’t mind the slightly more pedestrian performance.
Cloudflare (1.1.1.1 and 1.0.0.1) – Who do you gotta pay to get an IP address of 1.1.1.1?Cloudflare is well-known in the website business, and provides a world class content delivery system, and web application firewall services, when are not part of the DNS service. The DNS service is simply about speed, and they came in number one in that category. They also have a commitment to privacy, and promise not to store your originating IP address or sell your browsing history to advertisers.
Google Public DNS (8.8.8.8 and 8.8.4.4) – With all the fingers they have in the Internet and web site SEO and analytics, and of course web advertising, it is no surprise that Google offers a great public DNS alternative. But if security and privacy are on your wish list, you need to look elsewhere.
Norton ConnectSafe would have been included in this review, but it is being discontinued by Symantec on November 15, 2018. If you happen to be using them, you need to make a selection from the list above.

To use any of these DNS providers, you need to change the setting in your IP addressing, and each of these companies provide instructions. OpenDNS has a setup guide that includes instructions for home routers, computers and laptops, servers, and smart devices.

In Windows PCs you can change the DNS servers by opening the Control Panel, Network and Sharing Center. Click on the network connection, and a Status window opens. Press the Properties button, select Internet Protocol version 4 from the list, click on Properties again. The IPv4 Properties window opens, and you just need to enter the DNS server address of your choice into the lower box. If this seems confusing, you may need professional assistance.

Nevertheless, this is a pretty good way to add another layer of security to your cybersecurity stack.