Your router makes DNS requests as you browse the web. By default, though, your ISP sees all your searches and web addresses. You can change your DNS settings for increased security and privacy.
What Is a DNS Server?
A DNS (Domain Name System) server is a service that automatically translates human-readable web addresses into IP addresses. That’s important because, in your home and out on the internet, every network device has an IP address. Using IP addresses as humans would be tedious. Even if we could remember them, we’d mistype them. That’s why the Domain Name System was devised.
When you try to connect to a website your router checks to see whether that site’s details are in its cache. If not, it makes a DNS request by sending the website’s domain name to a DNS server. The DNS server looks up the domain name, finds the IP address, and sends it back to your router so that it can attempt to connect to the web server hosting the website.
In reality, it’s more complicated. By default, the DNS server your router connects to is a recursive DNS resolver (a “recursor”) provided by your internet service provider.
If the recursive resolver doesn’t hold the website’s details in its own cache, it sends a request to a DNS root name server. The root name server responds to the resolver with a list of top-level domain servers that can handle the top-level domain (.COM, .INFO, .ORG, and so on) of the requested website. The resolver repeats its request to one of the top-level domain servers on that list.
The top-level domain server responds with the name of a DNS authoritative name server that actually holds the details of the domain. The resolver then makes its request once more, to the authoritative name server, to finally obtain the IP address.
In our example, the person was trying to reach a website, but the same holds true for any web resource that is identified by a domain name, such as an email server.
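The chain just described, as an added worked example (not code from the article): a toy home router with its own cache in front of a recursive resolver that walks root, then TLD server, then authoritative server, and caches what it learns. The zone data, server names and addresses are constructed for the demonstration (reserved example names and documentation addresses), and everything runs in memory with no network traffic.

```python
"""Toy model of recursive DNS resolution: a router (stub) asks a recursive
resolver, which walks root -> TLD -> authoritative servers and then caches the
answer. Added example, not the article's code; all zone data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed delegation data. Real resolvers reach these servers over the network.
ROOT_ZONE = {"com.": "a.gtld-servers.net.", "org.": "a0.org-servers.net."}   # TLD -> TLD server
TLD_SERVERS = {                                                               # TLD server -> zone -> authoritative NS
    "a.gtld-servers.net.": {"example.com.": "ns1.example.com."},
    "a0.org-servers.net.": {"example.org.": "ns1.example.org."},
}
AUTH_SERVERS = {                                                              # authoritative NS -> name -> A record
    "ns1.example.com.": {"www.example.com.": "192.0.2.10", "mail.example.com.": "192.0.2.25"},
    "ns1.example.org.": {"www.example.org.": "192.0.2.20"},
}


@dataclass
class RecursiveResolver:
    """The ISP's (or a public) recursive resolver: walks the delegation chain on a
    cache miss and remembers the answer for later queries."""
    cache: Dict[str, str] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)   # servers consulted for the last query

    def resolve(self, name: str) -> Optional[str]:
        fqdn = name.rstrip(".").lower() + "."
        self.trace = []
        if fqdn in self.cache:
            self.trace.append(f"cache hit for {fqdn}")
            return self.cache[fqdn]
        labels = fqdn.split(".")          # "www.example.com." -> ["www", "example", "com", ""]
        if len(labels) < 4:
            return None                   # this toy only handles host.domain.tld names
        tld = labels[-2] + "."            # "com."
        zone = ".".join(labels[-3:])      # "example.com."
        # 1. Root name server: which servers handle this TLD?
        self.trace.append("root")
        tld_server = ROOT_ZONE.get(tld)
        if tld_server is None:
            return None                   # unknown TLD: no such name
        # 2. TLD server: which authoritative server holds the zone?
        self.trace.append(tld_server)
        auth_server = TLD_SERVERS[tld_server].get(zone)
        if auth_server is None:
            return None
        # 3. Authoritative server: the actual A record.
        self.trace.append(auth_server)
        ip = AUTH_SERVERS[auth_server].get(fqdn)
        if ip is not None:
            self.cache[fqdn] = ip         # only successful answers are cached here
        return ip


@dataclass
class Router:
    """The home router: a stub with its own small cache in front of the resolver."""
    upstream: RecursiveResolver
    cache: Dict[str, str] = field(default_factory=dict)

    def lookup(self, name: str) -> Tuple[Optional[str], str]:
        """Return (ip, where the answer came from)."""
        fqdn = name.rstrip(".").lower() + "."
        if fqdn in self.cache:
            return self.cache[fqdn], "router cache"
        ip = self.upstream.resolve(fqdn)
        if ip is not None:
            self.cache[fqdn] = ip
        return ip, "resolver: " + " -> ".join(self.upstream.trace)


if __name__ == "__main__":
    router = Router(RecursiveResolver())
    for q in ["www.example.com", "www.example.com", "mail.example.com", "www.example.net"]:
        print(q, router.lookup(q))
```

The second lookup of the same name never leaves the router, and a second client behind the same resolver would be served from the resolver's cache without the root or TLD servers being asked again; that shared cache is also why a poisoned entry at the resolver affects every client using it.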
DNS, Security, and Privacy
Using your ISP’s default DNS server has implications for privacy and security.
The data in DNS requests isn’t encrypted, even if some of the attached metadata is. A man-in-the-middle attack or a nosy employee of your ISP can expose and review your online activity very easily. That’s bad enough, but using an ISP’s DNS server can weaken your security too.
Some of the most common DNS-centric cyberattacks are:
- Distributed Denial of Service: This creates a flood of fake requests that overwhelm the DNS server, rendering it unable to service genuine requests.
- DNS Spoofing/Poisoning: This creates false, malicious DNS responses that your router acts upon. Cybercriminals can send users to fraudulent websites instead of genuine websites. These may be phishing websites that harvest login credentials.
- DNS Hijacking: Malware infects your computer and changes the TCP/IP settings and behavior so that DNS requests are redirected to the cybercriminals’ fraudulent DNS servers. These redirect web requests to phishing or other malicious websites.
- Domain Hijacking: This is a rarer form of attack. It requires changing the details in the domain registrar’s systems, so that the stored details of a legitimate website are pointed toward a fake website.
There is no real security in standard DNS. All a resolver or client can do is check that a response comes from the same IP address the request was sent to and carries the same transaction ID. It’s something, but it’s hardly thorough.
The Domain Name System Security Extensions, or DNSSEC, were developed to add digital signatures to the DNS records returned in responses. These allow resolvers to check that the data they receive definitely comes from where it claims to come from. This is called data origin authentication. On top of that, the receiver can verify that the data hasn’t been modified in transit. This is called data integrity protection.
DNS over HTTPS, DoH, is a new protocol that encrypts DNS requests and inter-server traffic. However, logged and cached DNS requests are not encrypted. They’re only encrypted in transit. And of course, most ISPs log everything they can, and they don’t all support DNSSEC and DoH.
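To make the "hardly thorough" point concrete, here is an added example (not code from the article) of the plain-DNS wire format from RFC 1035 and the only checks a client can apply to a response: the sender address, the 16-bit transaction ID and the echoed question. Every packet is constructed in memory, including the one with the wrong transaction ID that stands in for a spoofed reply; nothing is sent over the network. The resolver address is Quad9's from the article's list.

```python
"""Minimal DNS wire-format builder/parser and the plain-DNS acceptance checks.
Added example, not the article's code; all packets are constructed in memory."""
from __future__ import annotations
import secrets
import struct
from typing import Optional, Tuple

A, IN = 1, 1  # QTYPE A, QCLASS IN


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name: str, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Recursive A query. The random ID is the client's main anti-spoofing token."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return txid, header + encode_name(name) + struct.pack("!HH", A, IN)


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """An A-record response as a resolver would send it (used here to construct
    both the genuine reply and the wrong-ID reply for the demonstration)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, one answer
    question = encode_name(name) + struct.pack("!HH", A, IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", A, IN, ttl, 4) + rdata   # name = pointer to offset 12
    return header + question + answer


def parse_response(pkt: bytes) -> dict:
    """Parse header, question and A answers from a response packet."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "question": (qname, qtype, qclass), "answers": answers}


def accept_response(expected_txid: int, expected_name: str, server, sender, pkt: bytes) -> Tuple[bool, str]:
    """Plain-DNS acceptance test: right sender, right ID, right question.
    None of this proves the answer's content is genuine; that is what DNSSEC adds."""
    if sender != server:
        return False, "source address differs from the server we asked"
    r = parse_response(pkt)
    if not r["is_response"]:
        return False, "QR bit not set"
    if r["txid"] != expected_txid:
        return False, "transaction ID mismatch"
    if r["question"] != (expected_name.rstrip("."), A, IN):
        return False, "question section does not echo our query"
    return True, "accepted"


def demo():
    resolver = ("9.9.9.9", 53)                                   # Quad9, from the article
    txid, _query = build_query("www.example.com")
    genuine = build_response(txid, "www.example.com", "192.0.2.10")            # constructed
    wrong_id = build_response(txid ^ 0x5A5A, "www.example.com", "203.0.113.66")  # constructed
    return (accept_response(txid, "www.example.com", resolver, resolver, genuine),
            accept_response(txid, "www.example.com", resolver, resolver, wrong_id),
            accept_response(txid, "www.example.com", resolver, ("198.51.100.9", 53), genuine))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The same packet bytes are what DoH carries as the body of an HTTPS request (content type application/dns-message), which is why DoH hides the query from an on-path observer but changes nothing about what the resolver itself sees and logs.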
The Best DNS Servers for Secure Browsing
Public DNS servers will be more private, more secure, and faster than your ISP’s default offering. Here are five of the best DNS servers we recommend:
OpenDNS Home
- Primary DNS: 208.67.222.222
- Secondary DNS: 208.67.220.220
OpenDNS was bought by Cisco in 2015. The “Open” part means it accepts DNS requests from anywhere. It has nothing to do with open source. OpenDNS has paid and free tiers.
Cisco built its name on top-of-the-range networking products and know-how. Cisco knows as much about networking and traffic routing as any company on the planet. It has a global presence and offers a rock-solid DNS service.
OpenDNS Home supports DoH and DNSSEC. It also comes bundled with content filtering and malware/phishing protection. You can’t opt out of it. You have some control over its settings, but not as much as you do on one of the paid tiers.
Perhaps more worrying, OpenDNS logs your DNS queries, your IP address, and more, and it places what it calls “web beacons” on pages you’ve visited.
OpenDNS is fast and secure, but its privacy concerns will be a turn-off for some.
Google Public DNS
- Primary DNS: 8.8.8.8
- Secondary DNS: 8.8.4.4
Google’s Public DNS is free for everyone, including business use. It is a robust and reliable service with fast response times. And of course, you can be sure Google isn’t going to go away.
Google’s public DNS supports many lookup protocols including DNS over HTTPS, and it supports DNSSEC, too. It also includes some protection against DDoS attacks.
The only issue with Google’s DNS is Google. Everyone knows it generates revenue by harvesting data and using it to target advertising. It also shares the data, for a fee, with third parties. So, Google scores highly for robustness and security, but not so much for privacy.
Google says that the data it gathers is anonymized, with no personally identifiable information in it, so that might not bother you. If you already use Google products such as Gmail, Android, or the Google web search engine, Google won’t learn much more about you than it already does.
But, if you’d prefer not to engage with their “big tech, big data, big brother” corporate machinery, Google won’t be for you.
Cloudflare
- Primary DNS: 1.1.1.1
- Secondary DNS: 1.0.0.1
Cloudflare is best known as a provider of content delivery networks, which load-share website traffic across mirrored, distributed instances and protect against DDoS attacks of virtually any magnitude.
It has the fastest DNS performance and it’s publicly committed to never recording your IP address, and deleting operational logs every 24 hours. This is independently verified by KPMG.
It doesn’t bundle content filtering and blocking by default, but you can have it if you want. To enable it, you just need to use Cloudflare’s alternate primary and secondary DNS servers.
Cloudflare DNS can be tricky to set up, and the Cloudflare website isn’t the most intuitive to navigate. Once it is running though, you’re on the fastest DNS there is, with the bonus that it respects your privacy.
DNSWatch
- Primary DNS: 84.200.69.80
- Secondary DNS: 84.200.70.40
DNSWatch says it supports net neutrality, and it doesn’t try to filter any content with its DNS servers. Neither does it log any DNS queries or user history. DNSWatch will never share or sell your data because it doesn’t collect any.
It does support DNSSEC and DoH, but anything else such as protection against phishing sites or malware sites is left up to you. One thing it does promote is its refusal to do any hijacking of failed requests.
Typically, an ISP will send you to a sponsored search page if the site you’re trying to reach doesn’t respond. Everything entered into that site is logged by your ISP. DNSWatch doesn’t do that; it shows you your browser’s default bad connection page.
Quad9
- Primary DNS: 9.9.9.9
- Secondary DNS: 149.112.112.112
Although Quad9’s headquarters are in Europe, it has 183 clusters of DNS resolvers in 90 countries around the globe. It’s a free service. Its servers log transaction and performance data, but not personally identifying information. It logs timestamps, transport protocols, requested domains and their geolocation, and so on.
By default, it offers security beyond DNSSEC and DoH, by blocking known bad websites that harbor malware or harvest user credentials. The list of blocked sites is gathered from over 20 public and commercial intelligence sources. It doesn’t filter or block content, ads, or web trackers, only malicious websites.
If you don’t want this blocking enabled, you can use its alternate primary and secondary IP addresses.
In terms of speed, Quad9’s average response time is 21 ms, and it has a 99.94% uptime. Google and Cloudflare have response times in the region of 10 ms, which is where they excel: raw speed. However, 21 ms is still blindingly fast. In normal operation, you wouldn’t notice any difference between them.
Try Them; They’re Free
Because these providers all have free DNS services, you can pick one and try it. Or try several. We have guides covering a variety of platforms:
Just remember that security and privacy are not the same thing, and they’re not always given equal attention by every DNS provider.