Montel IT Support Support when you need it, peace of mind when you don't.

Private, Secure & Fast DNS


When you put a domain name into the address bar of a browser, say for example www.montel-its.uk, your device has to turn that name into an Internet Protocol (IP) address before it can make a connection to the machine hosting my website. To do that it has to ask a Domain Name System (DNS) server to find the IP address related to the name and send it back to the device you are using. Only then can your browser go to the address you have entered.

The Internet is designed to work this way because humans find it much easier to remember, and enter, alphanumeric names than to deal with the IP addresses machines use. Every time you access a system or service on the Internet by using a domain name, the device you are using goes through this two-step process to get to the host server.

Because every connection starts with a request to DNS for an IP address, DNS offers a simple and quite effective place to improve your Internet security and your digital privacy. It is, however, a double-edged sword that criminals can exploit, but more about that later.

Usually, your router will be getting its DNS server addresses directly from your Internet Service Provider (ISP). When your router connects to the ISP it will normally be given two IP addresses that will point to two different DNS machines. One address will be the primary IP address used for all DNS queries. The second address, called the secondary, acts as a backup just in case your router cannot reach the primary DNS machine.

Your ISP’s DNS may be able to block a specific domain name to prevent you from accessing certain types of material. All the large UK based ISPs are required by law to do this for some inappropriate types of material that can be found on the web. By looking at the domain name in the request it is relatively easy to check it against a list of names known to host inappropriate material and not return a valid IP address.

This is one way that DNS filtering can be applied to protect someone from certain types of content. The DNS can also check the IP address related to a given domain name to see if that is linked to content that could be illegal. Applying filtering at the DNS stage is a quick and simple way to protect all the devices connected to a router.

There are some DNS services available that offer to provide high quality filtering with a wider range of material that can be blocked. One problem with many of them is that there is a cost involved. There are plenty of free DNS services as well, but there is no way of knowing how well any of these services, paid for or free, respect a user’s privacy. Neither is it easy to know how reliable or secure they will be.

For example, probably the best known free DNS service comes from Google. Its servers at 8.8.8.8 and 8.8.4.4 are often used in place of an ISP’s own DNS servers, even though it’s pretty obvious why Google provides the free service. Being able to look at a user’s DNS requests will tell you quite a lot about what that user is looking at. Ultimately it will come down to trust, and there are a lot of people, including me, who cannot trust Google with DNS data.

So who can you trust?

How about a company called Cloudflare? They have finally been able to prove that their free DNS service is not only very fast but also provides true privacy to its users. To prove it Cloudflare took the very unusual step of getting their DNS service audited by KPMG. It took much longer to do this than they expected, at nearly two years, but at least anyone using the service can be sure that it will respect their digital privacy. You can find information about this, and download a six page PDF copy of the audit results, here:

https://www.cloudflare.com/compliance/

By configuring your router to use the Cloudflare DNS service you can be certain that nothing is being stored or sold to third parties. Another advantage of this service is that they have over 1,000 servers located across the globe so reliability and speed is as good as it gets. If you want to see all the details and reasons why using their 1.1.1.1 service makes sense then take a look at this web page:

https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/

Their 1.1.1.1 service is certainly worth using, but what if you would like something with some filtering to give your devices added protection from malware or inappropriate content? Well, now you can have it, as Cloudflare have launched two extra services that are aimed primarily at home users but could still be appropriate for small businesses as well.

The first DNS service attempts to filter out as much malware as possible and the second one filters out malware and what it calls adult content. You can find some details about these new services here:

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

With their 1.1.1.1 service you don’t have a secondary DNS address and that should not be a problem given their huge global network of DNS machines. Just configure the primary DNS in your router to use 1.1.1.1 and you are done. Leave the secondary IP address empty unless you must give it an IP address.

If you want to use their malware filtering service you will need to configure your router to use

Primary DNS: 1.1.1.2
Secondary DNS: 1.0.0.2

and for malware and adult content filtering you use:

Primary DNS: 1.1.1.3
Secondary DNS: 1.0.0.3

I have to say that I am extremely impressed with Cloudflare for launching these services and more so for offering them free of charge. This provides users with a choice of fast, reliable, safe and private DNS services that can be trusted.

A word of caution.

Please don’t assume that by using their malware filtering services you will be completely safe from all forms of malware as that will simply not be the case. All Cloudflare can hope to do is to try and block websites known to have malware threats on them. New and as yet undetected malware on websites will not be blocked. Neither will malware that arrives as attachments in emails or hidden in files and software you download.

You should also be aware that it is not very difficult for someone to bypass the router’s configured DNS service if they so desire. As long as they can change the network settings on any device, they will be free to put their own DNS IP addresses in and use them to access anything they might want to.

One way to prevent this is to block all DNS traffic if it is not going to the Cloudflare IP addresses you want devices to use at all times. This is best done with a firewall either built into your router or one protecting your network. Making sure that your computer user accounts don’t have Administrator privileges should prevent users from changing the DNS settings.

How criminals can abuse DNS

I said earlier that DNS services can be, and often are, used by criminals to help them compromise systems and steal data and money. One way they can do this is by gaining access to a router and changing the DNS settings so they point to DNS servers controlled by the criminals. Once that happens it is very easy for them to redirect the browser to a fake version of a website, and the outcome becomes almost inevitable.

Unfortunately, there have been quite a few attacks against routers, often because they have been poorly configured by the ISP or because they have serious security vulnerabilities that criminals can exploit. Another technique used by criminals is to get malware onto a device that will reconfigure the device to use the criminals’ DNS service and bypass the router’s DNS service.

Most people won’t know what the correct DNS IP addresses should be, won’t know how to find them, and won’t be protecting them, so it’s no surprise that criminals can get away with this type of attack for a long time before it gets spotted.

Know your DNS settings

My advice would be to do two things to help protect your DNS settings and more easily spot any changes.

The first thing is to change your router DNS settings to use one of the Cloudflare services. Their IP addresses are some of the easiest to remember and you can, and probably should, make a note of the ones you decide to use. Then any change should stand out like a sore thumb.

The second thing is to make sure you know how to check what DNS IP addresses your computer or other devices are using.

In Microsoft Windows one way to do this is to open a Command Prompt window. You can find ways to open a Command Prompt in various versions of Microsoft Windows here:

https://www.lifewire.com/how-to-open-command-prompt-2618089

With a Command Prompt window open enter the following command:

ipconfig /all

Scroll down and look for the DNS details. They should be exactly the same as the ones configured in your router.

On an Apple computer you can do the following:

Go to Applications then Utilities and open the Terminal application.

Type in:

cat /etc/resolv.conf

The result should be something like:

$ cat /etc/resolv.conf
domain Home
nameserver 1.1.1.2
nameserver 1.0.0.2

The addresses you see should match those configured in your router. The ones you see above are mine. Newer versions of macOS can use:

scutil --dns

The result should look something like this:

resolver #1
search domain[0] : home
nameserver[0] : 1.1.1.2
nameserver[1] : 1.0.0.2
if_index : 4 (en0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)
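As an added example (my own script, not something from Cloudflare or the article above), the check described here can be automated: feed it the output of `cat /etc/resolv.conf` or `scutil --dns` and it reports any nameserver that is not one of the Cloudflare addresses you chose for the router. The expected pair, the sample outputs and the 203.0.113.9 address are all constructed for the demonstration.

```shell
#!/bin/sh
# Compare the nameservers a device is really using with the Cloudflare
# addresses you configured in the router, so a silent change stands out.
# Constructed assumption: the router was set to the malware-filtering pair.
EXPECTED_DNS="1.1.1.2 1.0.0.2"

# Pull the nameserver IPs out of whatever is on stdin. Works for both
# "nameserver 1.1.1.2" (resolv.conf) and "  nameserver[0] : 1.1.1.2" (scutil).
extract_nameservers() {
    awk '/^[ \t]*nameserver/ { print $NF }'
}

# Returns 0 when every nameserver found is on the expected list, 1 otherwise,
# printing each unexpected address so you can see exactly what changed.
check_dns() {
    _bad=0
    for ns in $(extract_nameservers); do
        case " $EXPECTED_DNS " in
            *" $ns "*) ;;
            *) echo "unexpected DNS server: $ns"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Constructed sample outputs in the shape the two commands above produce.
SAMPLE_RESOLV='domain Home
nameserver 1.1.1.2
nameserver 1.0.0.2'
SAMPLE_HIJACKED='resolver #1
  nameserver[0] : 1.1.1.2
  nameserver[1] : 203.0.113.9'

printf '%s\n' "$SAMPLE_RESOLV" | check_dns && echo "sample 1: DNS settings match"
printf '%s\n' "$SAMPLE_HIJACKED" | check_dns || echo "sample 2: DNS settings have been changed"
```

On a real machine run `check_dns < /etc/resolv.conf` or `scutil --dns | check_dns` after editing EXPECTED_DNS to the pair you noted down.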

The only advice I can give you about your router is to make sure it has a strong and unique password for its Administration account and if possible turn off all external access. That should help to prevent criminals from accessing it.

If you want to use one of the Cloudflare DNS services and you need help to do it or you want help making sure that your router and DNS is as secure as possible please contact me and I will be happy to assist you in any way I can.

What about mobile devices like a phone or tablet?

If you are on your own wireless network you should still be using your router’s DNS, unless your wireless Access Point (AP) has its own DNS settings.

If you are connected to someone else’s wireless network then you will be using their DNS service. If you are using a smartphone or other device connected to a 3G/4G/5G mobile service then the DNS will normally be provided by your mobile service provider’s network.

Cloudflare has an app available for Apple mobile devices and those running Android. It offers different levels of protection, so you can turn it off when you are at home but use its secure VPN to reach the Cloudflare DNS when you are using someone else’s wireless network or a mobile data network. You can find the free app on the relevant store for your device.

