
March 01, 2021

Your DNS May be Leading You Astray

Or at least spying on you.

A dangerous aspect of the #newnormal is increased web attacks aimed at individuals. We make good targets sitting at home online for most of the day with no corporate IT geeks to protect us. Even worse our children are online most of the day – although they may be more tech savvy than their elders.

What’s a DNS and why is it dangerous?

A Domain Name Server (DNS) converts a name like blog.tomevslin.com to an IP address – a string of numbers like 104.18.139.190. It’s very similar to the way we used to use phonebooks to get phone numbers from names. When you type a URL like blog.tomevslin.com into your browser, the browser sends the name part of that URL to a DNS server, which responds with the IP address. The browser then sends its request to that IP address, and the server there eventually sends a response back to your IP address.
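The lookup described above, in the wire form the browser and the DNS server actually exchange, as an added example that is not part of the original post. It builds the query for blog.tomevslin.com, parses the reply, and checks two things a resolver client should always check: that the transaction ID matches the query it sent and that the response code reports no error. The reply bytes are constructed here to match the post's example address, not captured from a real server; the transaction ID 0x1234 and TTL 300 are arbitrary.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """RFC 1035 A-record query: 12-byte header (RD=1, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            end = end or off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), end or off

def parse_a_records(msg, txid):
    """IPv4 addresses in a response, after checking the transaction ID and RCODE."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                      # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:            # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def sample_response():
    """Constructed reply (not a real capture) for the post's example: blog.tomevslin.com -> 104.18.139.190."""
    question = build_query("blog.tomevslin.com")[12:]
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("104.18.139.190")
    return header + question + answer
```

The bytes from build_query are what goes to UDP port 53 of whichever resolver your computer has been told to use; sending the same query to a resolver you chose yourself (such as one of the public ones named later in the post) and comparing the parsed addresses is a simple way to notice a resolver that answers differently from the rest of the world.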

A malicious DNS can send back the wrong address – very similar to tricking you into driving into a dangerous neighborhood. For example, you type in www.mybank.com; the DNS server sends back the address of a site in Moldavia which has a login sequence which was copied from your bank. You faithfully give your name and password. It immediately signs into your real bank account and moves some money out before you even realize there is anything wrong. It may then change the password of your account so you’ll lose more time before reporting a problem.

Another example: you type in www.facebook.com but the evil DNS sends you to a site in Turkmenistan. You get a page that looks like Facebook with a popup over it saying “Facebook needs you to install a new widget to proceed”. You click OK. The site promptly installs a virus on your computer or locks your files or does something else nefarious.

Less dangerous but still very annoying, your DNS knows the name of every site you visit. That’s valuable information. The operators of a DNS aren’t doing anything illegal when they sell that data or use it to target you with ads. Both happen all the time.

The wrong DNS service can also slow down your browsing. A complex webpage such as you get from almost every site you visit contains dozens if not hundreds of names which must be resolved, one for every picture, for example. If the DNS lookup process is slow, so is page loading even if you have plenty of bandwidth.

Who decides what DNS I use?

Back when you were in the office, the good geeks did that for you. Although you can control this choice (see below for how), by default your ISP makes this decision for you. When you attach your home router to a modem from your ISP, the ISP tells the router the IP address of a DNS to use to resolve domain names. When you are away from home and you log on to the free WiFi in Joe’s Bar and Grill – which will be reopening soon – Joe’s WiFi service by default will decide where your domain name queries are sent. Joe may be able to get internet service more cheaply if he doesn’t ask many questions, which he doesn’t know how to ask anyway, about who is providing the DNS. Next thing you know your web pages are coming from Moldavia or Turkmenistan. The fancy hotel you’re staying in with high-priced WiFi may generously provide its own DNS. They don’t want to misdirect you; they just want to know all about you.

So how do I protect myself?

The good news is that you can protect yourself; the bad news is that it’s complicated and the method differs operating system by operating system and router by router. First you choose what DNS to use (that’s not too bad); then you tell your computer and/or router to honor your choice.

Choosing a DNS

First, second, and third considerations are safety; then comes privacy; and finally speed. Domain name service is usually free to individuals. If you’re a commercial operation or you want your domain name service to actively protect you rather than just refraining from betraying you, you will end up paying something. I’ll just talk about the three most widely used free public domain name services here. They all spread their DNS over multiple data centers for redundancy and speed.

Google Public DNS is probably the most widely used. It lives at IP addresses 8.8.8.8 and 8.8.4.4. Many ISPs, including Starlink, instruct their customers’ routers to send queries here by default. Google has a specific policy which says it only keeps a list of who resolved what names for 48 hours for debugging purposes and, unlike its search service, does not sell this data or use it for targeting. After 48 hours, it only keeps aggregate data, which it definitely mines.

OpenDNS at 208.67.222.222 and 208.67.220.220 is owned by Cisco. By default it blocks some sites which it believes are used for phishing. This can be a help if you accidentally click a bad link or sometimes an annoyance if you really want to go to the site for some reason or the blacklist is wrong. I cannot find a specific privacy statement for the service. The general Cisco privacy statement would allow them to use and share information about what sites you visit.

Cloudflare’s 1.1.1.1 service, at 1.1.1.1 and 1.0.0.1, is my personal favorite. They hire KPMG to audit and assure they aren’t keeping, using, or selling personal data. They claim to be the fastest DNS and do seem to be from my monitoring. They don’t block anything, something I like but you may not.

Specifying your DNS

This is the yucky part (fun for a nerd). You don’t need to open an account with any of these providers to use their service. Even when they don’t mine your data in any way, their hosting businesses benefit by having your queries go to their datacenters – that’s why they’re free. You do have to tell your computer – and possibly your router – to go to the IP addresses I gave with each service for domain name resolution. The first address is where the computer goes first; the second is a backup in case it doesn’t get an answer.

If your computer is going to travel and connect to any WiFi or ethernet outside your house, it is critical that you specify what DNS you want your computer to use and not let it default to the DNS offered by Joe’s. How you do that differs by operating system. There’s a good rundown for Windows 10 on Windows Central. If you’re running Linux, you already know how to do this. For a Mac, follow the instructions given on the web site of the DNS provider you’ve chosen.

If you have specified a DNS address for all your home computers, they will use it away from home or at home, despite what your ISP may have told your home router to do. Your SmartTV, tablets, smartphones when connected to home WiFi, and other home devices will do what the router tells them to do. To protect these as well as guests who sign onto your WiFi, you should also change the primary and secondary DNS addresses in your router. You’ll find the instructions for this by searching your router’s model number and “DNS”.

Good luck – don’t let a DNS mislead you.
