
Any attentive business or home user will quickly change their internet service provider (ISP) if availability is not up to scratch and yet few realise they can do exactly the same thing with the 'name servers' resolving the global Domain Name System (DNS). Doing this costs nothing and the benefits in terms of improved performance and security can be significant but few bother. Most users continue to take DNS for granted, unaware of the hidden bottlenecks of ISP services and the potential for improvement.


How does a DNS service work?

Put very simply, the job of DNS name servers is to resolve domain names to the IP addresses behind them. This sounds like a straightforward process but a number of variables affect performance. The most obvious is the round-trip time between the client device and the resolver itself, which depends on geographical proximity as well as the response times of any other DNS infrastructure the resolver has to consult to answer the query.

Even large resolvers cannot cache every name. A name that is not in the cache (or whose cached record has expired) has to be resolved recursively: the resolver queries the root servers, then the top-level domain servers, then the domain's own authoritative servers, and each hop adds latency. This is why visits to websites in remote countries sometimes take perceptibly longer for reasons that are not (as many assume) to do with a slow web server at the other end. Another problem is that resolvers can become congested through heavy use at peak times or through DDoS attacks. DNS was designed to be resilient, but under stress it still slows.

Security: DDoS attacks on DNS servers underscore the system's vulnerability – no website whose authoritative DNS servers have been overloaded will be able to conduct much business – but other security issues abound, including cache poisoning, where forged records are injected into a resolver's cache so that users are sent to a fraudulent IP address instead of the legitimate one. This was a major impetus behind the Domain Name System Security Extensions (DNSSEC), which let a resolver verify cryptographic signatures on DNS records for domains whose owners have signed their zones. A validating resolver sets the AD (authenticated data) flag on answers it has verified and returns SERVFAIL for answers that fail validation, so choosing a resolver that validates DNSSEC is a concrete security gain.

By default, a computer uses the DNS server handed to it by DHCP on the network it is connected to, which on a home or small-office connection will normally be the ISP's resolver. The user can change that setting, either on a one-off basis or permanently. Which resolver to use is a matter of preference.

Changing DNS settings: For IPv4, this can be done per connection on each PC (separately for wired Ethernet and wireless) or for every device on a network through the router's DNS settings panel. On Windows 10, open the adapter's Ethernet or Wi-Fi properties from the Control Panel or Settings app, open the IPv4 properties, untick 'Obtain DNS server address automatically' and enter the primary and backup addresses of the service you intend to use. For home routers, the same is achieved via the configuration interface, usually in the WAN settings under something like 'DNS settings'.

Router v client: Don't assume that the router's DNS settings take precedence over the device's. That is only true if the client (Windows, say) is set to obtain its DNS server automatically. Any manual setting on a device overrides the router for that interface (Wi-Fi or wired), so after a change it is worth checking which resolver the device is actually using rather than assuming.

Mobile devices: Changing DNS servers on mobile platforms such as Android is more complex than on a PC. Android lets users set DNS servers for a Wi-Fi network, but only remembers the setting for that network (home or work, say), and it requires a static IP address for the device rather than DHCP. A couple of apps help with this on Android: DNS Changer and DNSet. Unfortunately, this approach cannot be extended to 3G or 4G without root access – on the mobile network you still get the carrier's default DNS.

IPv6: Most of the providers below also publish IPv6 resolver addresses. Unless your connection has working IPv6 end to end, it is best to stick with the IPv4 addresses for now.

Privacy: Most of the services described below promote themselves on filtering and security, which inevitably means they see, and may record, the names you look up. You could argue that this is true of all DNS resolvers, including the ISP ones that most people use quite happily. But it is not always clear where this data is stored or what use those collecting it might put it to. Information is valuable in today's internet economy, so be aware that a 'free' service might have hidden privacy downsides.

Public DNS services

Google Public DNS

Available on 8.8.8.8 and 8.8.4.4, Google Public DNS is also reachable over IPv6 on separate addresses for clients with IPv6 connectivity.

Easy to remember, with 8.8.8.8 as primary and 8.8.4.4 as backup, it offers the high availability users expect and validates DNSSEC by default. It does not filter content: since Google's business is advertising, it is very much a one-size-fits-all model with no configuration to speak of. The standard-setter for public DNS, Google is one of the fastest too. Google collects data on users as it does across its services, although in the case of DNS it should be impersonal. If you can put up with that, this is the one to beat.


OpenDNS

Now part of the Cisco empire, OpenDNS answers on 208.67.222.222 and 208.67.220.220. It serves both business and home users, and both tiers come with solid security controls. Home users can simply point their DNS at the addresses above; OpenDNS also offers FamilyShield (pre-configured adult-content blocking) and OpenDNS Home, with phishing protection, parental controls and web whitelisting. For a price, enterprise users can take advantage of its full enterprise security service.


Norton ConnectSafe

Norton is well-known for its internet security software and services, and its DNS service does not disappoint. In its basic form on 199.85.126.10 (backup 199.85.127.10) ConnectSafe gives users malware and phishing protection; by pointing at its other server pairs instead, it can also filter content such as pornography, file sharing and other mature content. It is also offered as Norton ConnectSafe for Business.


Comodo Secure DNS

Like Google, Comodo needs no configuration – using the service is simply a matter of switching to its primary and backup servers on 8.26.56.26 and 8.20.247.20.

The service runs servers in 15 locations and directs you to the nearest, which helps response times. From a security standpoint, Comodo blocks known phishing, malware and spyware domains, and also parked domains that serve excessive and potentially dangerous advertising.


DNS.Watch

Available on 84.200.69.80 and 84.200.70.40, DNS.Watch is almost unique in offering an alternative DNS service without the query logging found on most others. It provides a stripped-back resolver with net neutrality at its heart: no filtering and no redirection. Being plain DNS, it works with any operating system, including Windows, Mac OS and Linux.


VeriSign Public DNS

Not to be outdone, VeriSign's public DNS offering is available on 64.6.64.6 and 64.6.65.6. Interestingly, the company made a big point of saying it would not collect data on users of the service, while noting that running a public resolver gives it intelligence on the sorts of malicious sites real users attempt to visit.


DNS performance tools

But how does one know whether a particular DNS server is fast, slow or perfectly normal? And how can this be assessed independently of other web infrastructure?

In theory, a crude method is simply to compare how quickly a site loads when visited by domain name (e.g. computerworlduk.com) with the same action using the underlying IP address. Unfortunately, most websites – including this magazine's – sit on shared hosting, where several sites share one IP address and the web server picks the right one from the host name in the request, so the bare IP address is not enough on its own to reach the site.

There are manual ways around this but the better solution is to gain insight using a dedicated tool, of which there are several free ones to choose from. All run on Windows, most on Linux and a few on Mac.
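The dedicated tools below do the measurement for you, but the underlying idea is simple enough to script. The following Python program is an added example written for this article; it is not code from the article or from any of the tools it names. It does what the earlier section describes: builds a raw DNS query (with the EDNS0 DO bit so a validating resolver will report the AD flag that DNSSEC validation sets), parses the reply including record TTLs, and then times each resolver twice, once with a random subdomain that cannot be cached and so forces full recursion, and once with a name that has just been asked and should come straight from cache. The resolver addresses in the demo are the ones listed on this page; the test names are arbitrary and assumed to exist.

```python
"""Raw DNS probe: build a query, parse the reply (RCODE, AD flag, TTLs) and time
cached vs uncached lookups against several public resolvers.
Added example for this article; not the article's code nor any named tool's."""
import random
import socket
import statistics
import struct
import time

AD_FLAG = 0x0020   # "authenticated data": resolver validated the answer with DNSSEC
TC_FLAG = 0x0200   # truncated reply: the client should retry over TCP (not done here)


def build_query(name, qtype=1, dnssec_ok=True):
    """Return (txid, wire-format query). qtype 1 = A. With dnssec_ok an EDNS0 OPT
    record with the DO bit is appended, asking a validating resolver to set AD."""
    txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)  # RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, "class" = UDP payload size 4096,
        # "TTL" = ext-RCODE 0 / version 0 / flags with DO=0x8000, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return txid, msg


def _read_name(msg, off):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                  # bound the loop against pointer cycles
        ln = msg[off]
        if ln & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    raise ValueError("malformed name")


def parse_response(msg, expected_txid=None):
    """Parse the header flags and the answer section of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"txid": txid, "rcode": flags & 0xF, "truncated": bool(flags & TC_FLAG),
            "authenticated": bool(flags & AD_FLAG), "answers": answers}


def query(server, name, timeout=2.0):
    """One UDP query; returns (round-trip seconds, parsed reply)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(packet, (server, 53))
        data, _ = s.recvfrom(4096)
        rtt = time.perf_counter() - start
    return rtt, parse_response(data, expected_txid=txid)


def benchmark(servers, names):
    """Median RTT in ms per resolver for uncached lookups (random subdomain, which
    forces recursion to the authoritative servers) and cached lookups (same name
    asked twice). A resolver that never answered is reported as None."""
    results = {}
    for server in servers:
        uncached, cached = [], []
        for name in names:
            try:
                nonce = "%08x.%s" % (random.randrange(1 << 32), name)
                uncached.append(query(server, nonce)[0])  # expect NXDOMAIN, recursion still happens
                query(server, name)                       # prime the cache
                cached.append(query(server, name)[0])
            except (OSError, ValueError):                 # timeout, unreachable, bad reply
                continue
        results[server] = {k: (round(statistics.median(v) * 1000, 1) if v else None)
                           for k, v in (("uncached_ms", uncached), ("cached_ms", cached))}
    return results


if __name__ == "__main__":
    # Resolver addresses from the article; the test zones are arbitrary choices.
    servers = ["8.8.8.8", "208.67.222.222", "8.26.56.26", "84.200.69.80", "64.6.64.6"]
    for server, r in benchmark(servers, ["example.com", "wikipedia.org"]).items():
        print(server, r)
```

Two checks in the code are worth keeping in any DNS client you write: the transaction ID of the reply is compared with the one sent (a mismatch is the classic symptom of a spoofed answer arriving for a poisoning attempt), and the AD flag is read from the reply rather than assumed. To see DNSSEC in action, query a signed domain through a validating resolver and `authenticated` should be True; through a non-validating one it stays False, and a deliberately broken signed zone returns RCODE 2 (SERVFAIL) from a validator.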

GRC DNS Benchmark

Authored by programmer Steve Gibson, this assembler utility requires no installation and has the helpful feature of making recommendations after it has run its tests. By default, it tests against a generic list that is skewed towards larger North American DNS providers, which isn't to say that these aren't the best to use. Alternatively, users can give it around half an hour to build a custom list from a database of nearly 5,000 global servers which will include lesser-known servers that are geographically nearer to individual users.

Conclusion: An excellent utility that makes a potentially complex subject as simple as it can imaginably be. It returns latency measurements for each DNS provider for cached names, uncached names and dotcom lookups, but it is best to run it against the custom list.


Namebench

Available for Windows, Linux and Mac, Namebench is a useful if slightly ageing utility that benchmarks your current DNS service against a range of others and recommends primary and backup name servers, often from different providers. The output opens as HTML, complete with graphs and response times, which in our case suggested improvements of between 13 percent and 60 percent over the default DNS name server offered by the ISP.
