• Choosing your own domain name services


    #2738668

    ON SECURITY By Susan Bradley There is a long-standing joke in enterprise technology: “It’s always DNS.” That’s because if something isn’t working, che
    [See the full post at: Choosing your own domain name services]

    Susan Bradley Patch Lady/Prudent patcher

    7 users thanked author for this post.
    • #2739073

      Hello,

      Thank you for your article.

      It is my understanding that many (most?) browsers started using encrypted DNS lookup for web traffic several years ago which totally bypasses any DNS servers set by the user in the OS or in the router.

      I’ve used OpenDNS myself in the past and kind of gave up filtering when I read about what browsers were doing and how it would negate the protections I’d set up.

      What are your thoughts on the matter?

      Ron Miller

    • #2739106

      I set up a “Pi-Hole/Raspberry PI” DNS server for my home network and it’s the best thing I’ve ever done.

      It’s set up to be my only DNS server on each computer. Pi-Hole can be set up to use any DNS server out there. Pi-Hole then blocks any requests for ads from known ad sites (it currently knows of 116,155 sites and this is updated daily). Blocking the sites means my meager bandwidth is not used for downloading ads (I live in a rural area with a 9 Mbps up/down as the fastest connection I can get here).

      Pi-Hole blocked 30% of my DNS queries just this morning. Sometimes I feel bad about not letting a site earn some money from the ads, but when I take my laptop elsewhere and connect to a non-Pi-Hole network I’m reminded of the incredible amount of ads pushed at me and I bless my Pi-Hole again.

      Setting this up does take some technical skills and you have to purchase a Raspberry PI, but it is incredibly well worth it. See https://pi-hole.net/ for more info.

      Marc

      2 users thanked author for this post.
    • #2739119

      As for not being able to change these DNS servers, be aware that the router from an ISP is only 1 of 13 possible sources for your DNS configuration. For the full list, see the long DNS explanation here
      https://www.routersecurity.org/testdns.php

      The introduction of new secure DNS, a few years back, made this list much longer. Also, an active VPN connection always changes your DNS configuration.

      OpenDNS is owned by Cisco and personally, I find it hard to trust Cisco. Many other DNS providers offer assorted filtering. Here are just a few:

      https://www.routersecurity.org/DNS.providers.php

      As for manually changing Operating System level DNS configuration, note that Windows has two settings, one for Ethernet and one for Wi-Fi. On top of that, DNS can also be set for each SSID in Windows 11 (not in Windows 10).

      And, as the person before me commented, most every desktop web browser now supports new/secure DNS (DoH or DoT) and my experience has been that the DNS setting in the web browser overrides anything else. You can verify this using the many DNS testers in the link above.

      As for “The modem supplied by Comcast has hard-coded DNS servers — 75.75.75.75 and 75.75.76.76.” Modems do not do DNS, routers do. The device being referred to here must be a combination modem/router. Yes, nitpicking, but still.

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      3 users thanked author for this post.
      • #2739183

        I still see that these edge services block malicious sites from all of my devices. Browsers also can be adjusted to different DNS entries. That’s another article for another day 🙂

        Susan Bradley Patch Lady/Prudent patcher

    • #2739120

      What about setting DNS for IPv6? For some reason my Windows 10 Pro machine won’t let me set these.

      I’ve had instances where my ISP’s DNS is not responding and my PC’s DNS doesn’t fail over to its IPv4 settings.

      Thoughts?

      • #2739123

        All ISPs are not the same, of course, but using DNS from your ISP is often the worst option. For one thing, running a DNS server is not their core competence. Plus, it makes it easier for them to spy on you. Finally, they probably do not offer a filtering service.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

        1 user thanked author for this post.
      • #2739169

        Never mind. I figured it out. Use the IPv6 configuration box accessible from the Control Panel’s “Internet and Sharing Center” instead of the Windows 10 Settings / Network & Internet / Ethernet / <Network Name> page. The latter is buggy.

    • #2739284

      Interesting synchronicity. As a small part of my start to the new year I reviewed my DNS settings just yesterday (I had been using Cloudflare).

      I decided to try one of Mullvad’s encrypted filtering DNS servers. I first changed my ISP-provided router which allows setting my own DNS. Then I set all my browsers to use the same: Brave, Firefox and LibreWolf. I have DuckDuckGo’s browser, but it has no DNS setting that can be changed. I assume the router takes care of that.

      I use NordVPN which has the option to choose a custom DNS, so that got changed as well. Also had to go into Settings>Network & Internet>Status>Properties (Ethernet while connected) and Edit to change the DNS servers there as well. Wifi is turned off on this computer.

      In elevated command prompt I just now ran “ipconfig /all” to check everything, as suggested by Michael432. VMware Virtual adapters still show 1.1.1.1 and 1.0.0.1 – I may have to open VMware to change these later. All is working well so far. 🤞 https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
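A PowerShell version of the “ipconfig /all” check above, added here as an example and not part of any poster’s text: it lists each adapter’s IPv4 and IPv6 DNS servers and flags any adapter whose servers are not in an expected set, which is exactly how a virtual adapter still pointing at an old resolver stands out. The `$Expected` addresses are documentation-range placeholders (assumed, not real resolvers); substitute the addresses of the resolver you actually chose.

```powershell
# Added example: audit configured DNS servers per adapter and address family.
# $Expected holds placeholder addresses from the IPv4/IPv6 documentation ranges;
# replace them with your own resolver's addresses before running.
$Expected = @('203.0.113.53', '2001:db8::53')

$findings = foreach ($family in 'IPv4', 'IPv6') {
    # One record per interface; adapters with no servers set are skipped.
    Get-DnsClientServerAddress -AddressFamily $family |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            # Any server outside the expected set marks the adapter for review.
            $unexpected = $_.ServerAddresses | Where-Object { $Expected -notcontains $_ }
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Family    = $family
                Servers   = ($_.ServerAddresses -join ', ')
                Status    = if ($unexpected) { 'CHECK' } else { 'ok' }
            }
        }
}

# Adapters needing attention sort to the top.
$findings | Sort-Object Status, Interface | Format-Table -AutoSize

# Windows 11 also keeps a system-wide DNS-over-HTTPS mapping per resolver address;
# the cmdlet does not exist on Windows 10, so only call it where it is present.
if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
    Get-DnsClientDohServerAddress |
        Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp -AutoSize
}
```

This reads only the operating-system configuration; a browser’s own DoH setting is not visible here and still has to be checked in the browser or with one of the DNS testers linked above.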

      • #2739292

        Steve,
        You can verify the use of Mullvad’s DNS system here
        https://mullvad.net/en/check
        In your case, check all browsers with and without an active VPN configuration.

        The one time I tried Mullvad DNS, I found I was using a DNS server thousands of miles from my location. They were nice enough to respond to a question (I was not a customer at the time) about it, and it’s just the way Anycast works. That said, the important things about DNS are filtering and encryption, not speed.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

        1 user thanked author for this post.
        • #2739299

          Thanks. Some weirdness to be straightened out, it seems. I’ll tweak some more….

          Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

        • #2739307

          Seems there is an incompatibility with LibreWolf: My VPN has to be on no matter what DNS settings I chose in LibreWolf. With the VPN off, it’s a complete no-go. I’m OK with that for the time being since Brave and Firefox work fine with VPN being on or off. I may try a different secure DNS later.

          Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #2740822

      I always put my Xfinity gateways into bridge mode and use my own routers so I can take complete control of my Internet experience. At one small property, I have a decent router that isn’t too expensive. At another larger, three floor property that must have been designed by a secret government agency in the early 2000s to make each room a Faraday Cage, I use a very expensive three router mesh system using powerline networking for the Ethernet backhaul (and I frequently think profane thoughts in the home builder’s general direction — alternated with daydreams of pulling Cat 6 through the entire house to serve the backhaul).

      https://www.xfinity.com/support/articles/wireless-gateway-enable-disable-bridge-mode

      1 user thanked author for this post.