Editor’s note: We are aiming this tutorial at the non-technical person. Please share with anyone in your life who could benefit from this. -bg
Cyberspace is a complex domain and our adversaries are always seeking new ways to steal information or spread their malicious code or hold our data for ransom. This is the big reason why there are no silver bullets in cybersecurity. There is no single thing you can do that will stop all attacks.
But there are things you can do that make a huge difference. One in this category is changing your home and office DNS configurations.
What is DNS (Domain Name Service)?
Have you ever seen a picture of an old fashioned telephone operator? The operator played a critical function in establishing a global telephone network where any phone could talk to any phone. When a person wanted to make a call, they connected to the operator and the operator would either connect the person directly to the other party or connect through other banks of operators. Without this ability to switch and connect physical wires together, phones would never have worked.
All of that has been automated now. When you dial a phone number, computers figure out the smart way to connect your conversation with the right party.
The Internet only works because it has a similar automated system. This system is orchestrated by something called DNS (short for Domain Name Service). Every device you have, indeed, every device on the Internet, uses DNS to determine how to route information to other devices.
When you buy Internet service for your home, your Internet Service Provider automatically configures a DNS service for you. And when you authorize any device to join your home network, your network and your device are smart enough to automatically configure themselves to use your ISP’s DNS service. It all works so smoothly that you almost don’t need to think about DNS at all.
But it turns out there is good reason to consider how you configure your DNS. If you configure it correctly, it can be an important part of your defense, helping keep bad guys and their software from attacking your systems.
Consider for example, the example of the old fashioned phone operator. What if you were receiving a call from someone you do not know, and before connecting the operator gets on the line with you and says “Based on our historical records, the person calling you has a record of conducting fraud and they are probably going to try to deceive you.” That would have been a nice feature back in the day.
If you configure your DNS properly, you can put features like that, and far more, at your command. Depending on which DNS features you want and which provider you select, you can use a managed DNS service to speed up your web browsing. You can also use it to make customized filtering decisions for your home system (for example, you can tell it that no one should have access to certain types of sites). You can also use managed DNS to prevent viruses and other types of malicious code from communicating with their bosses (their control servers), which can help reduce the chance that your information will be stolen from malicious code.
Also, consider again the example of the telephone operator. Imagine an operator who was working with a criminal. A caller might dial the operator asking to be connected to the bank, and the malicious operator might really connect the caller with a criminal group for further fraud. Traditional DNS has weaknesses like that. With certain types of DNS attacks an adversary can make you think you are going to a favorite website but can re-direct you to a bad one, perhaps to steal your login info or to download malicious code. This is another very important reason to use a managed DNS service.
There are cautions to consider when selecting a DNS provider. Some DNS providers collect information from you in ways that may creep you out. For example, if you select the free DNS service from Google, although there are privacy protections, they will be aggregating even more data on you and your browsing habits. It is free and offers protection and is backed by a company with incredible engineers, but you will give up some info you might want kept private.
Here are four options to think through:
- Google Public DNS: Google is doing a great service for the world with this free DNS resolution service. This will speed up your browsing, improve your security, and get you results with no redirection. But guess what? They get something out of it too. They get data. Their DNS resolver is at the address 220.127.116.11.
- Quad9: In association with the Global Cyber Alliance and Packet Clearing House and a consortium of industry and non-profit contributors, Quad9 provides a DNS service designed with privacy and security in mind. This reduces risk, speeds browsing, and since it is being fielded by a non-profit there is no collection of personally identifiable information like some other providers. DNS address is 18.104.22.168.
- Verisign: Verisign Public DNS is a free DNS service that offers improved DNS stability and security over other alternatives. Verisign respects privacy. DNS data and other PII is not sold or shared or used to serve you ads. Their DNS address is 22.214.171.124
- Cloudflare: In April 2018 Cloudflare announced a free to use DNS service called 126.96.36.199, which is their DNS address. They have optimized their DNS for privacy and speed.
Which of these is right for you? This is your choice. For me the choice is Quad9 because of their security and privacy features. But if you are looking for more features, consider Verisign. Their free service is good and their paid offerings with fuller features give you incredible power over how your systems access the net.
But back to Quad9, here is what they say about their security features:
Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types in an address into a web browser, Quad9 checks the site against a list of domains combined from 19 different threat intelligence partners. Each threat intelligence partner supplies a list of malicious domains based on their heuristics which examine such factors as scanned malware discovery, network IDS past behaviors, visual object recognition, optical character recognition (OCR), structure and linkages to other sites, and individual reports of suspicious or malicious behavior. Based on the results, Quad9 resolves or denies the lookup attempt, preventing connections to malicious sites when there is a match.
It’s worth noting that Quad9 doesn’t just use IBM’s threat intelligence – there are 18 other combined feeds that make up their threat blocking, which is fairly unique and gives a cross-section of blocking abilities from some of the world’s best threat management organizations.
Now how might you implement DNS at home? Each of those services is going to give you very easy to follow tips for using them, and the methods are really the same for any DNS provider you use. You will change the DNS entries on your home router, and you will also change the DNS settings on your mobile devices and computers. It is all quite easy.
Tips for Changing Your DNS:
- You have options on how you want to do this. The easy and fast option is to change the DNS that your router at home or office uses. At home when you purchased cable or fiber or other comms the ISP installed a router. They gave you a way to log into it. If you forgot how, you can probably look on the bottom of the box and it will give you an IP address (probably 192.168.1.1 or 192.168.2.1) and default login. So you should be able to log into it from any of your computers and change some configurations. It is a best practice to note what the DNS settings currently are (just in case you want to change back). Change the default DNS to be the address from the provider you selected (for example, 188.8.131.52).
- Changing the router at home or office will be good for any device you connect to there. But you can also tell your devices what DNS to use. This comes in especially handy for the traveler.
- For mobile devices, look under your Wi-Fi settings and update the DNS entries there.
- For MacOS laptops, go to settings and select “Network”. Select a network interface from the sidebar and click advanced. Click the DNS tab and click the + button to add a new DNS server. Then enter the new DNS numbers. Here is a video of how to do it for Mac
- For Windows laptops/tablets click the Start button and then control panel. Under Network click View network connections. Then right-click the connection you want to change, and click properties. Click either IPV4 or IPv6 and click properties. You will see where to enter the DNS numbers. Here is a video for how to change DNS for Windows.
Do you have lessons learned or best practices you can share regarding reducing digital risk. We would love to hear from you. Reply to any of our emails or contact us here. We have built a collection of tips and best practices aimed at reducing your digital risk. Find them at the OODALoop Members Resources site. Looking for something more hands-on? OODA provides technical services including CTO-as-a-Service and CISO-as-a-Service support, we would be glad to lend a hand.
Latest posts by Bob Gourley
- RiskIQ: An OODAcon 2020 Future Proof Sponsor - February 28, 2020
- Percipient.ai: An OODAcon 2020 Future Proof Sponsor - February 28, 2020
- Centripetal Networks: An OODAcon 2020 Future Proof Sponsor - February 26, 2020