DNS Resolvers and YouBy David J. Meier
As you are already well aware (if not, see the announcement – we’ll wait), Google is now offering a free DNS resolver service. Before we get into the players, though, let’s first understand the reasons to use one of these free services.
You’re obviously reading this blog post, and to get here your computer or upstream DNS cache resolved securosis.com to 22.214.171.124 – as long as that works, what’s the big deal? Why change anything?
Most of you are probably reading this on a computer that dynamically obtains its IP address from the network you’re plugged into. It could be at work, home, or a Starbucks filled with entirely too much Christmas junk. Aside from assigning your own network address, whatever router you are connecting to also tells you where to look up addresses, so you can convert securosis.com to the actual IP address of the server. You never have to configuring your DNS resolver, but can rely on whatever the upstream router (or other DHCP server) tells you to use.
For the most part this is fine, but there’s nothing that says the DNS resolver has to be accurate, and if it’s hacked it could be malicious. It might also be slow, unreliable, or vulnerable to certain kinds of attacks. Some resolvers actively mess with your traffic, such as ISPs that return a search pages filled with advertisements whenever you type in a bad address, instead of the expected error.
If you’re on the road, your DNS resolver is normally assigned by whatever network you’re plugged into. At home, it’s your home router, which gets its upstream resolver from your ISP. At work, it’s… work. Work networks are generally safe, but aside from the reliability issues we know that home ISPs and public networks are prime targets for DNS attacks. Thus there are security, reliability, performance, and even privacy advantages to using a trustworthy service.
Each of the more notable free providers cites its own advantages, along the lines of:
- Cache/speed – In this case a large cache should equate to a fast lookup. Since DNS is hierarchical in naturem if the immediate cache you’re asking to resolve a name already has the record you want, there is less wait to get the answer back. Maintaining the relevance and accuracy of this cache is part of what separates a good fast DNS service from, say, the not-very-well-maintained-DNS-service-from-your-ISP. Believe it or not, but depending on your ISP, a faster resolver might noticeably speed up your web browsing.
- Anycast/efficiency – This gets down into the network architecture weeds, but at a high level it means that when I am in Minnesota, traffic I send to a certain special IP address may end up at a server in Chicago, while traffic from Oregon to that same address may go to a server in California instead. Anycast is often used in DNS to provide faster lookups based on geolocation, user density, or any other metrics the network engineers choose, to improve speed and efficiency.
- Security – Since DNS is susceptible to many different attacks, it’s a common attack vector for things like create a denial-of-service on a domain name, or poisoning DNS results so users of a service (domain name) are redirected to a malicious site instead. There are many attacks, but the point is that if a vendor focuses on DNS as a service, they have probably invested more time and effort into protecting it than an ISP who regards DNS as simply a minor cost of doing business.
These are just a few reasons you might want to switch to a dedicated DNS resolver. While there are a bunch of them out there, here are three major services, each offering something slightly different:
- OpenDNS: One of the most full featured DNS resolution services, OpenDNS offers multiple plans to suit your needs – basic is free. The thing that sets OpenDNS apart from the others is their dashboard, from which you can change how the service responds to your networks. This adds flexibility, with the ability to enable and disable features such as content filtering, phishing/botnet/malware protection, reporting, logging, and personalized shortcuts. This enables DNS to serve as a security feature, as the resolver can redirect you someplace safe if you enter the wrong address; you can also filter content in different categories. The one thing that OpenDNS often gets a bad rap for, however, is DNS redirection on non-existent domains. Like many ISPs, OpenDNS treats every failed lookup as an opportunity to redirect you to a search page with advertisements. Since many other applications (Twitter clients, Skype, VPN, online gaming, etc…) use DNS, if you are using OpenDNS with the standard configuration you could potentially leak login credentials to the network, as a bad request will fail to get back a standard
NXDOMAINresponse. This can result in sending authentication credentials to OpenDNS, as your confused client software sees the response as a successful
NOERRORand proceeds, rather than aborting as it would if it got back the ‘proper’
NXDOMAIN. You can disable this behavior, but doing so forfeits some of the advertised features that rely on it. OpenDNS is a great option for home users who want all the free security protection they can get, as well as for organizations interested in outsourcing DNS security and gaining a level of control and insight that might otherwise be available only through on-site hardware. Until your kid figures out how to set up their own DNS, you can use it to keep them from visiting porn sites. Not that your kid would ever do that.
- DNSResolvers: A simple no-frills DNS resolution service. All they do is resolve addresses – no filtering, redirection, or other games. This straight up DNS resolution service also won’t filter for security (phishing/botnet/malware). DNSResolvers is a great fast service for people who want well-maintained resolvers and are handling security themselves. DNSResolvers effectively serves as an ad demonstrating the competence and usefulness of parent company easyDNS), by providing a great free DNS service, which encourages some users to consider easyDNS’ billable DNS services. (Full disclosure: we pay for some of easyDNS’s commercial services).
- Google Public DNS: Almost functionally identical to DNSResolvers, Google’s standards-compliant DNS resolution service offers no blocking, filtering, or redirection. They emphasize their active resolver cache, which helps with request lookup speeds; this may be an advantage in comparison to with DNSResolvers. Your mileage may vary, however, depending on your own location and ISP.
Not surprisingly, all the people I randomly talked to about Google DNS had the same initial reactions: “Google already has enough of my information.” and “Yeah, right! Like they’re not going to correlate it to other services I use.” None of those people had actually read the privacy statement which is short and to the point. As of this writing, Google keeps DNS information private, and does not correlate it with your other Google activities.
So why is this something that Google feels is worth the time and expense? The trivial answer is monetary. But most services Google offers are visual, at some level, and thus advertising makes sense. However with DNS and Google’s stance (remember they promise not going to meddle, and to remain standards compliant) they’re not in a position to provide anything visually. This probably means Google is trying to position itself for something which might allow them to create a revenue stream: DNSSEC. It may be a stretch now, but depending on how DNSSEC plays out, there could be opportunity for providing secure DNS services which could very well roll back into something like Google Apps – think key management, generation, and rotation services. This also gives them an incredible source of information – every single website anyone using the service is visiting. Even without any identifying information, such data is incredibly useful – especially combined with all their advertising and indexing data. Ka-ching.
Back to our main point, though: external DNS resolvers and you. The first three bullets above are generally sufficient reason not to use your ISP’s DNS service, but add to that the fact that most ISPs today are trying to monetize your typos when typing domain names (Comcast, for example, has a service called “Domain Helper” in which they oh-so-helpfully enrolled their all subscribers in last August). Additionally, ISP resolvers are generally behind the curve on security updates compared to dedicated services. This really became apparent when Dan Kaminsky was exposing serious DNS flaws. DNS is an essential component of Internet service, and a good place to improve security through separation of duties – in addition to the potential performance benefits. Personally I feel it’s a good thing that Google is starting to play in this space, as it raises the bar for their competitors, and draws more attention to the possibilities.
Changing your service is easy. On your computer or home router, in your network configuration there’s a setting for DNS. Each DNS resolver service provide two IP addresses (primary and secondary) and you can simply enter these manually. Any computer behind a home router uses the DNS resolvers it specifies, unless you manually override them on the computer. Don’t forget that if you have a laptop, even if you set a new DNS resolver on your home router, you will also want to set it directly on the laptop for when you connect to other networks.
Better security, speed, and reliability. What more could you ask for?