DNS Security is something few of us ever discuss, and with good reason.
The Internet’s Domain Name System (DNS) works like magic, helping your computer communicate with all of cyberspace. Every time you connect to a website by name, DNS quietly translates that name into the numeric IP address your computer actually needs to reach it. You really don’t need to know a thing about it to use the net. All computers today speak DNS and are configured to exchange this information automatically, and part of the beauty of DNS is that it is invisible to users. But because DNS just works, DNS security is hardly ever considered.
It is good that this is all invisible. If you had to do the work of this system yourself every time you connected, you would lose your sense of humor pretty quickly! DNS is like an automated switchboard, connecting you by name to any site on the Internet. DNS security is not so automated.
But there is something very important you should know about DNS that can help you be more secure at home and on the go: You can make some easy one time changes to your DNS services to make life much harder on hackers.
First, a bit more on how DNS works:
Have you ever seen a picture of an old-fashioned telephone operator? The operator played a critical role in building a global telephone network where any phone could talk to any other phone. When a person wanted to make a call, they asked the operator for a party by name, and the operator looked up the line and either connected the person directly or connected through other banks of operators. Without this ability to look up a party and connect the wires together, phones would never have worked. DNS automates the operator’s lookup for the Internet, turning the name you type into the numeric address your computer needs, so there are no operators. Which is good! Imagine if every network everywhere had to have a human doing the lookups?
Now the bad news. Sometimes hackers attack the computers that answer DNS questions (the resolvers), or the traffic between you and them, and they have created attacks that misdirect your Internet browsing. Think of this like a telephone operator who is secretly working for criminals. A bad operator might tell you she is connecting you to the bank but really connect you to bad guys who want to steal your information. Same with DNS. A corrupt DNS service could make you think you are browsing to your bank but really send you to a malicious site that looks like your bank. That would be bad!
There are other things bad guys do that leverage DNS working exactly the way it is supposed to. For example, they might set up a webpage with malicious code that will infect you if you visit it, then send you an email that tricks you into going to the site. Malicious software (viruses, worms and other malware) uses DNS too: once it infects your system, it uses DNS to look up its controllers, call home to tell its masters what it has found, and start moving your information out.
Now the good news. You can use a managed DNS service, several of which are free, to mitigate these kinds of threats. Because every connection starts with a DNS lookup, a resolver that refuses to answer for names known to host malware or phishing pages stops the malicious site, and the malware’s call home, before either ever connects.
The DNS resolver you use right now is probably provided by your ISP and is set up automatically when you connect to your network: behind the scenes, the same process that hands your computer an IP address (DHCP) also tells it which DNS server to use. All you need to do is change the DNS server address your computer or router uses to one of the managed DNS security services, and you will make things much harder on the bad guys.
Here are some of those services:
Google Public DNS, OpenDNS, GlobalCyberAlliance, and Verisign DNS.
Google Public DNS: Google is doing a great service for the world with this free DNS resolution service. It will speed up your browsing, improve your security, and return honest answers, with no redirecting of mistyped or nonexistent names to ad pages. But guess what? They get something out of it too. They get data.
OpenDNS: Now part of Cisco, this firm was early in the home user market and is now growing among Cisco’s business clients. There are free and very low-cost options for home users, and it makes browsing faster and more secure. If you want the best malware protection, you pay a small amount (about $20.00 per year covers the entire household) and add software on your roaming devices so they stay protected when they leave your home network.
Global Cyber Alliance: The Global Cyber Alliance (GCA), in partnership with Packet Clearing House (PCH) and a consortium of industry and non-profit contributors, is building a global anycast, open, recursive, privacy-enabled DNS infrastructure. This reduces risk, speeds browsing, and, since it is fielded by a non-profit, there is no collection of personally identifiable information, unlike some other providers. It is in pilot status; contact GCA for more information.
Verisign: Verisign Public DNS is a free DNS service that offers improved stability and security over other alternatives. Verisign respects privacy: DNS data and other personally identifiable information is not sold, shared, or used to serve you ads.
Now, how might you implement this at home? Each of those services gives very easy-to-follow instructions, and the method is really the same for any DNS provider you choose. You change the DNS entries on your home router, which covers every device that joins your home network, and you also change the DNS settings on the mobile devices and laptops you take elsewhere, since they use whatever resolver the coffee shop or hotel network hands them. It is all quite easy.
Tips for changing your home DNS settings:
- Routers all have slightly different menus, but you should easily find a section for DNS, usually under the Internet or WAN settings. It is a best practice to write down the current DNS settings first (just in case you want to change back). When you are ready, simply replace them with the addresses of the service you have decided to use (for example, for Verisign Public DNS, use 64.6.64.6 and 64.6.65.6). Enter both addresses so you have a backup if one is unreachable.
- For mobile devices, look under the Wi-Fi settings for the network you are joined to and update the DNS entries there. On most phones this setting is per Wi-Fi network, and cellular data keeps using the carrier’s resolver.
- For macOS, open System Preferences and select “Network”. Select a network interface from the sidebar and click Advanced. Click the DNS tab, click the + button to add a new DNS server, and enter the new DNS numbers.
- For Windows, click the Start button and then Control Panel. Under Network and Internet, click View network connections. Right-click the connection you want to change and click Properties. Select Internet Protocol Version 4 (TCP/IPv4), or Version 6 if you use it, and click Properties. Choose “Use the following DNS server addresses” and enter the DNS numbers.
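If you want to see for yourself which resolver is answering you, and what it says, here is a small Python script that ties together the two points above: a resolver decides which address you get for a name, and after changing your settings you want to confirm the change took. It is an added illustration, not code from the original page or from any of the providers named above. It sends a plain DNS query for a name directly to a resolver you specify, parses the reply, and compares the answers from several resolvers (for example, your ISP’s versus the one you just configured). The resolver addresses in its RESOLVERS table are the ones these providers have published, assumed here for illustration (check the provider’s own instructions), and the embedded sample reply is constructed, not captured, so the parser can be exercised offline.

```python
"""Ask a specific DNS resolver for a name's IPv4 addresses and compare resolvers.

Added example for this page; not code from the original page or from any
provider named above. Uses only the Python standard library.
"""
import random
import socket
import struct
import sys

DNS_PORT = 53


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive query for the A records of `name`."""
    # Header: ID, flags (RD=1 asks the resolver to recurse), QDCOUNT=1, rest 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME is a sequence of length-prefixed labels ending in a zero byte.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg: bytes, expected_txid: int) -> list[str]:
    """Return the IPv4 addresses in a reply, rejecting replies not matching our query."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        # A reply with the wrong ID was not for our question: treat it as spoofed.
        raise ValueError("transaction ID mismatch; discarding reply")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"resolver returned error RCODE {rcode}")
    off = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                  # other record types (e.g. CNAME) are skipped
    return addrs


def resolve_via(resolver_ip: str, name: str, timeout: float = 3.0) -> list[str]:
    """Send one UDP query to `resolver_ip` and return the A records it gives for `name`."""
    txid = random.randint(0, 0xFFFF)  # random ID so a forged reply is unlikely to match
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, DNS_PORT))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply, txid)


def resolvers_agree(answers: dict[str, list[str]]) -> bool:
    """True when every resolver returned the same set of addresses."""
    sets = [frozenset(a) for a in answers.values()]
    return all(s == sets[0] for s in sets)


# Constructed sample reply (not captured from any real resolver): ID 0x1234,
# flags 0x8180 (response, recursion available), one question for example.com,
# one answer whose name is a pointer back to offset 12, TTL 300, A 192.0.2.10.
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a"
)

# Resolver addresses as published by the providers (assumed here for illustration;
# confirm against each provider's own instructions before relying on them).
RESOLVERS = {
    "Google Public DNS": "8.8.8.8",
    "OpenDNS": "208.67.222.222",
    "Verisign Public DNS": "64.6.64.6",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = {}
    for label, ip in RESOLVERS.items():
        try:
            results[label] = resolve_via(ip, target)
        except (OSError, ValueError) as exc:
            results[label] = [f"error: {exc}"]
        print(f"{label:20s} {ip:16s} -> {', '.join(results[label])}")
    print("all resolvers agree" if resolvers_agree(results) else "answers differ; look closer")
```

Run it as `python3 dns_check.py www.yourbank.example`, adding your ISP’s resolver address to the table if you want to compare against it. Two caveats when reading the output: sites behind content delivery networks legitimately hand different addresses to different resolvers, so a mismatch is a reason to look closer, not proof of tampering; and a filtering resolver will deliberately answer differently, or not at all, for a name it blocks, which is the protection working as intended. The script also discards any reply whose transaction ID does not match the query it sent, which is the least a DNS client should do against forged answers.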
Configuring your DNS is by no means the only step to take at home (we also strongly recommend using multi-factor authentication on all your accounts and using a good password manager). However, if you optimize your DNS configuration you can reduce your overall risk.
This is but one of many steps you will want to take to enhance the defense of your technology. We capture many more in the Things Cyber Protect Yourself section, and review them more comprehensively in our guide to Protecting Your Home from the Cyber Threat.
If these tips are of use to you please share! The more we help each other defend ourselves the better off we will all be.