Having thorough IT security usually means having a layered approach. Basic antivirus, for instance, might catch PC-based malware once a user downloads it, but you could try to block it before it ever reaches the user device, or at least have another security mechanism in place that might catch it if the basic antivirus doesn’t. DNS-based filtering can do this! It can help stop users from browsing to malware and phishing sites, block intrusive advertising to them, and serve as adult content filters.
First, a quick primer for those who are unfamiliar with DNS: You utilize the Domain Name System (DNS) every time you surf the Web. Each time you type a site name into the browser, DNS is queried for the IP address corresponding to that particular domain, so the browser can contact the Web server to get the content. The process of converting the domain name to its IP address is called domain-name resolution.
There are two main types of DNS servers: recursive and authoritative. The ones that are used by most individuals and small companies (and that are covered here) are called recursive DNS and are the default services provided by most Internet Service Providers (ISPs). All the companies listed here offer recursive DNS services. Some of them, however, also sell authoritative DNS services, which allow website owners or hosts to define the web server IP addresses that their domain names point to and to manage other DNS settings.
Since DNS servers are the middlemen between your browser and website content, there are many third-party DNS services that offer additional functionality for both users and network administrators. These tools can include:
- Content filtering. This can be conveniently implemented to block adult sites, social networks, and other unwanted content, while requiring no software on the computers and devices.
- Malware and phishing blocking. This can be performed by the content filtering tool also, to block sites containing viruses, scams and other dangerous content.
- Advertisement and tracker blocking. This is another type of content filtering, which some DNS services specifically concentrate on, to help reduce the ads you see and limit how advertisers track you online.
- Encrypted DNS traffic. The DNS protocols used by most ISPs and servers have been around forever. There are newer, smarter, and much more secure protocols (such as DNS-over-HTTPS and DNS-over-TLS) that some DNS servers provide to help authenticate and encrypt the DNS traffic. This can help prevent others from seeing what sites you’re accessing and help stop DNS spoofing.
- Unblock geo-restricted services. Using certain DNS services, you can spoof your browsing location to unlock certain sites/content, similar to what VPN servers offer.
- Protection against botnets. This blocks communication with known botnet servers so your computer isn’t taken over.
- URL typo correction. For instance, if you typed gogle.com it would correct to google.com.
Five of these services are described here. Most are either completely free of charge or offer a number of free features that might make it worth your while to take a look.
The services
Because there are so many DNS services available, only those that provide some type of automatic or preconfigured content filtering are discussed here, along with a description of what the user sees when the filter kicks in, which can range from a boring “This site can’t be reached” page to a customizable block page.
It’s easy to switch to a different recursive DNS service. Simply change the IP addresses for DNS in the internet settings of your router to apply it to the entire network or change the DNS settings on select computers or other devices. Without further intervention, you’ll receive the DNS service’s preconfigured security or filtering protection. Some services also allow you to create an account (some free, some require premium services) to customize the level of protection and messages that appear when a site is blocked.
Remember, the speed, reliability and performance of DNS servers can vary. Slow or poor domain resolution can translate into slower and less reliable web browsing. You can run speed tests on DNS servers (try namebench) so that you can compare their performance at your particular location.
AdGuard DNS
Free for: Personal or business use (over 300K monthly queries requires paid subscription)
DNS Addresses: Varies based upon desired protection
AdGuard DNS offers free preconfigured DNS services with various filtering applied and has premium services, giving you control over the filtering. You may be familiar with their name as they also separately provide AdGuard VPN and AdGuard Ad Blocker.
There are three options that AdGuard DNS provides the public for free with no account needed:
- Plain old DNS service with no ad blocking and no filtering with these DNS servers: 94.140.14.140 and 94.140.14.141
- Blocking of just ads and trackers with these addresses: 94.140.14.14 and 94.140.15.15
- Blocking of ads, trackers, adult content, and the enabling of safe searching modes where possible: 94.140.14.15 and 94.140.15.16
They also provide separate addresses for DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC, and DNSCrypt. These are smarter and more secure protocols that help authenticate and encrypt the DNS traffic. They can help prevent others from seeing what sites you’re accessing and help stop DNS spoofing.
You can manually configure routers and end-user devices with their DNS services, but they also offer a convenient app (Windows, Mac OS, Android, and iOS) for end-user devices to help choose the filtering and apply the DNS configuration to the device. Plus, the app allows you to easily turn the protection on and off. However, the use of the app requires their premium service, which starts at $2.49 monthly after their 3-day trial period. The premium service also comes with access to a cloud dashboard to view DNS-related stats and manage the filtering on multiple devices.
Comodo Secure Internet Gateway
Free for: Personal or business use (over 300K monthly queries requires paid subscription)
DNS Addresses: 8.26.56.26 and 8.20.247.20 (8.26.56.10 and 8.20.247.10 for customizable service with an account)
Comodo Secure DNS offers a simple free service for the public. The preconfigured service that doesn’t require an account automatically blocks harmful websites such as those containing malware, spyware and phishing attempts. It claims to be more reliable, faster, and smarter than DNS services provided by most ISPs.
Accounts are totally free, with tools to customize the filtering, blocked pages, and access reporting. However, Comodo’s GUI and configuration process aren’t as simplified as those of other services, and non-IT users may struggle. It’s apparent that Comodo is targeting businesses. It pushes managed service providers (MSPs) to manage the service via the ITarian platform, but directs other businesses and enterprises to a Comodo management site.
The premium Comodo Secure DNS service supports configuring custom blocked pages or setting up redirections. However, the free DNS service doesn’t have notification pages for blocked pages, and users see the browser’s error page when a site is blocked.
Signing up for a premium account adds the ability to create additional policies and encrypt the DNS traffic, offers more user visibility and monitoring, and provides virtual-appliance support. Comodo also sells services that include authoritative DNS services for websites and many other security solutions, such as SSL certificates, secure email services, antivirus, and even PCI compliance services.
Control D
Free for: Personal or business use
DNS Addresses: Varies based upon desired protection
Control D provides a few free DNS servers with preconfigured filtering, and it can help spoof users’ locations without the use of a VPN. Plus, they provide DNS-over-HTTPS/3 and DNS-over-TLS/DoQ in addition to legacy access.
The service provides several different DNS servers to the public for free with no account needed:
- Plain old DNS service with no filtering with these DNS servers: 76.76.2.0 and 76.76.10.0
- Blocking of just malware domains with these addresses: 76.76.2.1 and 76.76.10.1
- Blocking of malware, ads, and trackers: 76.76.2.2 and 76.76.10.2
- Blocking of malware, ads, trackers, and social networks: 76.76.2.3 and 76.76.10.3
- Blocking of malware, ads, trackers, and adult content: 76.76.2.4 and 76.76.10.4
- Unblocking of some censored domains from various countries: 76.76.2.5 and 76.76.10.5
Unlike most DNS services, Control D doesn’t have a default custom blocked page; users simply see their browser’s error page. But with the premium service they can configure redirections to a specified URL.
The service also allows picking exact filtering configurations, and it provides a DNS address to use. Plus, the service posts third-party DNS addresses that come with various filtering enabled.
Routers and end-user devices can be manually configured with the DNS services, but it also offers a simple Windows app for end-user devices to quickly apply the service’s DNS configuration to the device.
Control D has premium services, starting at $2 per month, after their 30-day free trial. This enables the use of even more filtering to better protect against threats from click baiting, dynamic DNS, torrents, shortened URLs, and other attack tools. Plus, it provides reporting and analytics on customer usage. Their higher plan, starting at $4 per month, enables location spoofing as well as unlocking geo-restricted content.
NextDNS
Free for: Personal or business use (over 300K monthly queries requires paid subscription)
DNS Addresses: Varies; they don’t publicly publish specific addresses
NextDNS provides a free public DNS service, but without an account it provides no filtering at all. However, accounts can be created totally free with a default configuration that protects against DNS-related security vulnerabilities and blocks ads and trackers. The filtering can be customized to add more restrictions, such as adult content and specific site/app blocking. Plus, it provides access for DNS-over-HTTPS and DNS-over-TLS/QUIC.
Routers and end-user devices can be manually configured, but the service also offers DNS-configuration apps for end-user Windows, macOS, Chrome OS, iOS, and Android devices. The NextDNS web portal provides a dashboard for customizing features and functionality, including for users with free accounts.
The fee for premium accounts starts at $1.99 per month, for which users get unlimited DNS queries. More expensive plans also add email-based support.
OpenDNS
Free for: Personal or business use for Enhanced DNS; personal use only for other home and family services
DNS addresses: 208.67.222.222 and 208.67.220.220 (“FamilyShield” DNS addresses: 208.67.222.123 and 208.67.220.123)
OpenDNS is one of the most popular third-party DNS providers around and offers both free and premium services for homes and businesses. In the past it had preconfigured protection against malware and phishing sites via their main DNS addresses, but now that requires signing up for a free or premium account.
Here are the different service options for personal home use:
- OpenDNS FamilyShield: These DNS servers are preconfigured to block adult content. No account is needed.
- OpenDNS Home: For free you can customize the filtering and security options, including customizable messages for blocked pages and basic logs and stats. It uses the main DNS addresses but requires you to create an account.
- OpenDNS Home VIP: Starting at $19.95 per year, this saves the logs and stats for up to a year and adds the ability to create white- and blacklists for sites. It also uses the same main DNS addresses and an account.
- OpenDNS Prosumer: Starting at $20 per user, per year, this adds built-in protection for malicious phishing and malware domains.
OpenDNS’ business service, Cisco Umbrella, offers advanced security and management, useful for larger networks and enterprise environments. It’s offered in different levels, and the service provides a 14-day free trial. They also offer an MSP and partner program, providing a streamlined console with monthly, post-paid, consumption-based MSLA licensing.
(Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity providing a cloud-based Wi-Fi security service, Wi-Fi Surveyors providing RF site surveying, and On Spot Techs providing general IT services.)
This story, “5 DNS services to provide a layer of internet security,” was originally published by
Copyright © 2022 IDG Communications, Inc.