Earlier this month, Cloudflare and APNIC announced a new DNS server at 220.127.116.11 which allows for more speed and privacy when using it instead of your default DNS server provided by your ISP. The 18.104.22.168 server joins a group of a few “famous” alternative DNS servers that allow you to override the ISP defaults and point your browser/operating system/router/VPN or applications to a different service which promises something other than what is given by the ISP. What is it that is promised, and what is it that you gain/lose by it?
First – recap – what is DNS and why do we need it?
DNS – Domain Name System is a protocol used at the core of the internet to allow users navigation using simple domains names instead of IP addresses (Let’s be honest here for a moment – If I suggested during our conversation that you checked out my website, you might remember its domain name damsky.tech but chances are you will not remember the IP address it is on by the time you get some free time to do it).
Basically, the way it works is that every time you enter a domain name into a browser, it reaches out to a DNS server and requests the IP to which it should point you to. The first server that is asked about it will be the server that is defined on your device/application and is either was set by your ISP (if you are a home/mobile user) or by your system administrator (if you are inside of a corporate network) – there is, of course, the third option – it might have been set by you/your friend/grandkid a while ago for some unknown reason, and you completely forgot about it by now, and it’s a good idea to change it.
So, what is the problem with default DNS servers? Is there even a problem?
If your query is sent to me and I’m your DNS server, I can do some really cool things with it now:
- I can do the expected thing - I can send you the response that you are looking for – that is, the address you should go to in order to get to the website you initially wanted to get to.
I can do a bit more than expected of me - I can send you to a totally different website (redirect) or just tell you that your website does not exist. Why? Because…
- I want to block some malicious resource for you (malware, phishing…)
- I don’t want you to browse social networks from the office
- I am the government of some country, and I disallow porn or some political views
- Or, I can do the (expected by some but) unwanted (by most of us) thing - I can collect information about you, your browsing habits, your interests and so on and then sell those to the highest bidder (Cambridge Analytics comes to mind?)
What DNS servers can I use?
Now, let’s for a moment talk about some of the famous (new-ish) alternative DNS servers out there (in historical release order)
Google DNS – 22.214.171.124
Google public DNS is *not* new.
Google public DNS has been around for quite a while and hopefully is here to stay. The promise it gives is to speed up your browsing, improve your security and to avoid redirection in the paths that your queries traverse upon.
Is it actually what you are getting? Seems like it.
You can learn more about the benefits of the Google DNS on their website: https://developers.google.com/speed/public-dns/
Quad9 – 126.96.36.199
Announced in October 2017, this service is the product of a cooperation of the Global Cyber Alliance with IBM and Packet Clearing House (although multiple other vendors and organizations are also part of this effort and provide threat intelligence feeds to support the effort – they include: abuse.ch, APWG, Bambenek Consulting, Cisco, F-Secure, Mnemonic, Netlab 360, Payload security, Proofpoint, RiskIQ and ThreatSTOP).
The Quad9 DNS server promises the user robust security protections on top of high-performance and privacy. It does so by implementing a DNS Firewall and using the different threat intelligence feeds to block traffic from your devices to known malicious domains on the internet. High performance is achieved by the fact that multiple servers are deployed worldwide (just like google) and privacy by the fact that your data is anonymized.
So, are you actually getting this? Yes, you do.
Quad 9 is giving you the security you are looking for in the most easily possible way of installing it (and for free, which should not be underestimated) but not as quickly as other services available out there (although, let’s be honest, based on a speed comparison check done by Nykolas Z – their global average is 18.25 ms, which is amazing and objectively delivers the speed promise)
Regarding the privacy aspects, (a) Quad9 never captures the source IP – thus they cannot actually connect you to your query in retrospect, and (b) Quad9 states that they save the anonymized data and share it only with the partners of the project (that is, all the companies listed above) – but this should not actually concern you, as this is statistical data and doesn't connect to you.
You can learn more about Quad9 on their website: https://www.quad9.net/
1dot1dot1dot1 – 188.8.131.52
The last service to be announced just on April 1 (and no, it was not a joke – but a play on 4/1) by Cloudflare with association with APNIC was 1dot1dot1dot1. This new service promises the ultimate privacy and speed to your DNS browsing habits.
The second, or maybe the main one, reason to use Cloudflare’s offering is the promise of enhanced privacy and that "We will never sell your data or use it to target ads. Period." Interestingly enough, they might not be selling the data, but they do state that they share it with APNIC as you can see on the original press release by APNIC. In all fairness, they also promise to destroy all private data as soon as (only) statistical analysis is done on it – thus, it is similar to what Google is offering.
Interesting to note that APNIC only leased the IP 184.108.40.206 to Cloudflare for a period of 5 years – what will happen in 5 years if this partnership is not renewed?
You can learn more about this service on https://220.127.116.11/
It is not fair not to mention the other players in the alternative DNS service market, but I will not look into them with details mainly since they have almost the same offering as the three mentioned above but (IMHO) don’t have such a cool IP address.
So here is a short list of other (free) services that are worth a mention (in alphabetical order):
- CleanBrowsing – web filter for adult content
- Comodo Secure DNS – malware and phishing protection
- Fool DNS – which targets blocking online tracking, profiling, and ads.
- Green Team Internet – which blocks malware, phishing, ads, porn, and violent sites
- Norton ConnectSafe – which is a cloud-based web filtering service
- OpenDNS by CISCO – who were the first to offer a personal DNS Firewall.
- Yandex DNS – virus and fraud protection, but mainly targets Russian speaking scams
So how do you choose? Or do you even need an independent DNS server? tl;dr – It is all a question of what you care about.
If you just want to use the internet or override your corporate restrictions and care about absolutely nothing else, you probably want to use a stable DNS server that will allow you to get the responses you want as quickly and as reliably as possible. In this case, you can either use your ISP which is physically usually the one closest to you (this will work to override a corporate DNS), Google DNS (18.104.22.168) or Cloudflare (22.214.171.124). I would not suggest using one of the offerings that offer filtering as it might (although low probability) cause some false positives which will limit your internet browsing falsely assuming that it is some sort of content that you should not access. Also, using Google and Cloudflare promises the highest availability – Since Google is somewhat the backbone of the internet, and Cloudflare hosts a huge amount of the internet – chances are that these DNS servers will not be blocked by your system administrator nor your ISP (although, if you are in North Korea or some other restrictive regime, don’t take my word on it).
If you want to make sure that no one collects information about you, I would suggest using Google (126.96.36.199) or Cloudflare (188.8.131.52) as it is stated they will not share the information in their privacy policies or FoolDNS which tried to do the same but cannot promise the same speeds as Cloudflare nor Google.
If you want to filter out maliciousness your best option will be Quad9 (184.108.40.206) or one of the other above-mentioned solutions such as Comodo, Norton or OpenDNS – but remember that while quad9 is offered by a non-profit for the sole benefit of its users, the other offerings come from security vendors.
One last thing – if you are debating between Cloudflare and Google I have pros for both options – the mains one being – Google proved themselves so many times over the years that many say "if it works, don’t touch it" – On the other hand, Cloudflare are new in this game and sometimes rooting for the underdog is something people like – so why not.
Personally, I’m not sure that 20ms difference in speed is worth you going to manually change the settings of your DNS configuration, unlike adding an additional level of security that can be offered by a DNS server such as Quad9 – but that is up to you.
This was too long, can you summarize in four sentences?
220.127.116.11 –for speed
18.104.22.168 – for privacy
22.214.171.124 – for security (although, you get privacy here as well)
(And, if you are already on 126.96.36.199, either go to 188.8.131.52 or stay there, the 20 ms that 184.108.40.206 will gain you is not worth the time you will invest in changing configuration and/or the lost privacy)
First publication: damsky.tech. Irena Damsky is the founder of damsky.tech. She is a security and intelligence researcher and developer based in Israel. Her focus is on threat intelligence, networking, malware & data analysis and taking out bad guys as she conducts research and provides consulting and training services.