Is your DNS Safe?

[DelJo63]

Is your DNS safe?

All depends upon several factors.

First, find out which DNS you are using with this windows command

• ipconfig /all

You will see several adaptors and there settings, but you are looking for
either your

Ethernet adapter Local Area Connection:
or
Wireless LAN adapter Wireless Network Connection:

In either case, your current DNS server will be shown like

Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : xxxx
yyyy
209.18.47.62​

I've included the Default Gateway for a reason: This is a sample of your router's address (198.192.?.?) and if XXXXX / YYYY are the same as your gateway, then absolutely your DNS is unsafe -- change it immediately! {The 209.18.47.62 shown is the DNS that my ISP would like me to use }

It is quite true that many if not all routers start off with the Gateway == DNS address as that allows the highest flexibility of all configurations. It means that if the router doesn't know what to do with a specific DNS request, that it will be forwardedto your ISP. (This is referred to as a recursive request).

If the DNS shows as the Gateway, why is that UNSAFE? Because your router can get corrupted and who knows what happens or where the request is sent.

If my DNS shows up like my ISP's 209.18.47.62, is that safer than using the Gateway? NO.

The ISP will happily find what was requested, or slyly monitor / redirect as the ISP desires and that becomes UNSAFE too.


A better soultion than using the ISP' DNS or your Gateway address is to use a trusted DNS server.
There are several, but here are a few I use:

8.8.8.8
8.8.4.4 the Google DNS Pair​

1.1.1.1
1.0.0.1 a free Domain Name System (DNS) service. The public DNS service and
servers are maintained and owned by Cloudflare in partnership with APNIC.[1]
The service functions as a recursive name server providing domain name resolution
for any host on the Internet. The service was announced on April 1, 2018,[2]
see https://en.wikipedia.org/wiki/1.1.1.1 for details
​

How to change your DNS address
There are two places where you can alter the DNS properly:

• 1) directly in the network adapter settings
• 2) in the router itself

Both work, but using #2 is far more effective -- it protects all devices that connect to your LAN -- even your mobile devices.

You log into your router, find the Basic or WAN settings (this differs between the manufacturers) and manually configure the DNS address pairs for yourself. Be sure to save the settings and then logoff.

Router changes become active when the device makes the first connection to the Internet.

 

[TheDevopsGuy]

@jobeard have you heard of DNS 9.9.9.9?

I've been utilizing it for the past few weeks and it works efficiently. It's not as fast as cloudflares DNS or google but it has one optimal feature. It's practically a pihole from the DNS provider. It made it easier to eliminate "most" ads without the use of an ad blocker inside the entire network.

 

[DelJo63]

Quad9: aka 9.9.9.9

Quad9 routes your DNS queries through a secure network of servers around the globe. The system uses threat intelligence from more than a dozen of the industry’s leading cyber security companies to give a real-time perspective on what websites are safe and what sites are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you’ll automatically be blocked from entry – keeping your data and computer safe. ​

That's two services in one package. Personally I normally opt for individually 'replaceable' components so newer or more reliable/stable choices can be found if need be.

My realtime protection choice at the moment is Avast and I am happy with it.

Thanks for the comment

 

[DelJo63]

BTW: I failed to define "SAFE"

In the context of a DNS, Safe is the fidelity to the intend of the request. The application makes a request to translate a domain name into the registered host IP address. The question becomes, what occurs during the translation and precisely what gets returned?

1. Ignoring advanced DNS services (like round-robin scheduling), a DNS has no need to log or track the request/reply pair -- but some do which violates YOUR privacy. This is different than Set No Tracking and thus UNSAFE.
   
2. Intentional redirection of some requests to incorrect address, making the DNS a LIAR, fraudulent, and UNSAFE. Originally, this kind of thing could be see as a reply which said something like "address not found" (which is different than the 404 Page Not Found). Today, this has become nefarious by intent/design to bring the user to anything not associated with the original domain name.

To validate that your DNS is honest, you can perform this simple test:

get a command prompt and type NSLOOKUP whatever_domain_name.
this will return the registered IP address for that domain_name

The type PING whatever_domain_name
It should report timings to the same IP address show from nslookup.

If not, you need a different DNS or you've been hacked.

{ Mac users: launch Network Utility, then Lookup the domain name and finally Ping it }
​

The DNS servers shown above have publicly vowed to not log your requests (1) nor to redirect you to other than what you requested (2) and thus are SAFE for your use. As noted above, placing your choice of a DNS pair into your router will protect all your devices no matter how they connect to your lan.