Any attentive business or home user will quickly change their Internet Service Provider (ISP) if throughput or availability is not up to scratch, yet few realise they can do exactly the same thing with the name servers that resolve the global Domain Name System (DNS) for them. Doing so costs nothing and the benefits in terms of improved performance and security can be significant, yet few bother. Most users continue to take DNS for granted, unaware of the hidden bottlenecks of ISP services and the potential for improvement.
Put very simply, the job of DNS name servers is to resolve public web addresses, or domain names, to their underlying IP addresses. This sounds like a straightforward process but there are a number of variables that affect performance. The most obvious of these is simply the round-trip time between the client device and the DNS server itself, which depends on geographical proximity as well as the response times of any other DNS infrastructure involved in a query.
Even meaty name servers will not cache every possible website domain and have to look up the rest recursively by sending queries to remote servers. This is why visits to websites in remote countries sometimes take perceptibly longer, for reasons that (contrary to what many assume) have nothing to do with a slow web server at the other end of the request. Another problem is that DNS name servers can become congested, either through heavy use at peak times or through malicious DDoS attacks causing problems behind the scenes. DNS was designed to be resilient, but under stress it will still slow.
Security: DDoS attacks on DNS servers underscore the system’s vulnerability (no website whose DNS servers have been overloaded will be able to conduct much business), but other security issues abound, including cache poisoning (planting forged records so that users are redirected from legitimate to fraudulent servers). This was a major impetus behind the DNS Security Extensions (DNSSEC), a security layer that lets resolvers authenticate the answers they receive, for those providers supporting it.
By default, a computer uses the DNS server of the network it is connected to, which will be the one provided by the service provider or ISP. The user can manually change that setting, either on a one-off basis or indefinitely. DNS really is a matter of preference.
Changing DNS settings: for IPv4, this can be done for each PC connection (separately for wired Ethernet and wireless) or for every device on a network through the router’s DNS settings panel. On Windows 10, go to the Control Panel or Settings, open the properties box of the Ethernet or Wireless adapter and click IPv4 properties. Then untick ‘Obtain DNS server address automatically’ and enter the addresses of the service that is going to be used. For home routers, the same is achieved via the configuration interface, usually in the WAN settings under something like ‘DNS settings’.
Router vs client: don’t assume that the router’s DNS settings take precedence over the device’s. That is only true if the client (Windows, say) is set to ‘Obtain DNS server address automatically’. Any manual setting on a device will override the router for that interface, for instance Wi-Fi or wired.
Mobile devices: changing DNS servers on mobile platforms such as Android is more complex than on a PC. Android allows users to do this for Wi-Fi, but it will only remember the setting for that particular network, for example the one at home or at work. It also requires the user to set a static IP address, so DHCP cannot be used on that network. There are a couple of apps to help with this on Android, DNS Changer and DNSet. Unfortunately, this approach can’t be extended to 3G or 4G without root access: carrier connections still require accepting the default DNS.
IPv6: public IPv6 servers are also offered by the following providers but it’s best to steer clear of them for now.
Privacy: most of the services described below promote themselves on filtering and security, which inevitably means they are gathering data on the websites visited. You could argue that this is true of all DNS systems, including those of the ISPs that most people use quite happily. But it is not always clear where this data is stored nor what use it might be put to by those collecting it. Information is valuable in today’s Internet economy, so be aware that a ‘free’ service might have hidden privacy downsides.
Public DNS services
Google Public DNS
Offered for IPv4 on 184.108.40.206 with its backup on 220.127.116.11 (addresses chosen to be easy to remember), users will expect and get high availability plus a lot of filtering and security, such as DNSSEC, as standard. Since Google’s business is advertising, it’s very much a one-size-fits-all model with no configuration to speak of. The standard-setter for public DNS, Google is one of the fastest too. Google collects data on users as it does from all its services, although in the case of DNS it should be impersonal. If you can put up with that, this is definitely the one to beat.
OpenDNS
Now part of the Cisco empire, OpenDNS has its primary server on 18.104.22.168 and a backup on 22.214.171.124. Home users can simply adjust their DNS to point at one of the above, but OpenDNS also offers the service wrapped up in three further tiers: Family Shield, Home, and VIP Home, the latter having a subscription fee of $19.95 (£14) per annum. These come with varying levels of filtering and security, including parental controls, anti-phishing protection and, on the subscription tier, web whitelisting.
Norton ConnectSafe
Available in its basic form on 126.96.36.199 (backup 188.8.131.52), with other servers provided to filter categories of content such as porn, file sharing, abortion and mature content. Also offered as Norton ConnectSafe for Business.
Comodo Secure DNS
Rather like Google in that there is no configuration: using the service is simply a matter of switching to the service’s primary and backup servers on 184.108.40.206 and 220.127.116.11.
DNS.Watch
Available on 18.104.22.168 and 22.214.171.124, DNS.Watch is almost unique in offering an alternative DNS service without the website logging found on most others. We quote: “We're not interested in shady deals with your data. You own it. We're not a big corporation and don't have to participate in shady deals. We're not running any ad network or anything else where your DNS queries could be of interest for us.”
VeriSign Public DNS
Not to be outdone, VeriSign recently started offering public servers on 126.96.36.199 and 188.8.131.52. Interestingly, the company made a big point of saying it would not collect data on users of the service, a sign that privacy is starting to become something companies believe they can market themselves on. What VeriSign gets from this setup is intelligence on the sorts of malicious sites real users attempt to visit.
It is important to remember that there is probably no single DNS service that will do the job for everyone. The one that delivers the best performance for one company or individual might not do so for someone else. This is why it is important to run some tests.
DNS performance tools
But how does one know whether a particular DNS server is fast, slow or perfectly normal? And how can this be assessed independent of other web infrastructure?
In theory, a crude method is simply to compare the speed of response when visiting a domain (e.g. computerworlduk.com) with the same action using the underlying IP address (in this case, 184.108.40.206). Unfortunately, most websites, including this magazine’s, use something called shared hosting, which means that the IP address is not enough on its own to reach a site because several sites share the same address.
There are manual ways around this, but the better solution is to gain insight using a dedicated tool, of which there are several free ones to choose from. All run on Windows, most on Linux and a few on Mac.
GRC DNS Benchmark
Authored by programmer Steve Gibson, this assembler utility requires no installation and has the helpful feature of making recommendations after it has run its tests. By default, it tests against a generic list that is skewed towards larger North American DNS providers, which isn’t to say that these aren’t the best to use. Alternatively, users can give it around half an hour to build a custom list from a database of nearly 5,000 global servers which will include lesser-known servers that are geographically nearer to individual users.
Conclusion: an excellent utility that makes a potentially complex subject as simple as it can imaginably be. It returns latency measurements for each DNS provider for cached names, uncached names and dotcom lookups, but it is best run against a custom list. Because it is written in x86 Assembler there’s no Mac version, but Linux users can run it through Wine.
Namebench
Available for Windows, Linux and Mac, Namebench is a useful if slightly ageing utility that benchmarks your current DNS service against a range of others, coming up with recommendations for primary and backup name servers, often from different providers. The output opens as HTML, complete with graphs and response times, which in our case suggested improvements of between 13 percent and 60 percent over the default DNS name server offered by the ISP.
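To make the latency and caching behaviour described earlier concrete, and to give a small, scriptable counterpart to the benchmark tools reviewed in this section, here is an added example in Python; it is not code from the article, from GRC or from the Namebench project. It builds a DNS query by hand, checks that the reply echoes the random transaction id (the check a spoofed reply has to defeat), reads the AD flag that a DNSSEC-validating resolver sets, and times a first and a repeat lookup so that the cached answer and its shrinking TTL show up. Resolver addresses are taken from the command line; the sample reply embedded in the file is constructed for offline use, and the names example.com, example.net and example.test are placeholders.

```python
import random
import socket
import struct
import sys
import time

# Constructed sample reply for "example.test" (id 0x1234, flags QR|RD|RA|AD,
# one A record, TTL 300) so the parser can be exercised without a network.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x00"  # header
    b"\x07example\x04test\x00\x00\x01\x00\x01"            # question: example.test A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"    # answer: name ptr, A, IN, TTL 300, rdlen 4
    b"\xc0\x00\x02\x0a"                                    # rdata 192.0.2.10
)

def _encode_name(name):
    # Wire-encode a dotted name as length-prefixed labels ending in a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=1, txid=None):
    # Return (txid, packet) for a recursive query (qtype 1 = A record).
    if txid is None:
        txid = random.randrange(0x10000)  # unpredictable id that a genuine reply must echo
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD flag
    return txid, header + _encode_name(name) + struct.pack("!HH", qtype, 1)

def _read_name(data, offset):
    # Decode a possibly compressed name; return (name, offset just past it).
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_response(data, expected_id=None):
    # Return header flags and answer records; reject a reply carrying the wrong id.
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch: reply is not for our query")
    info = {
        "ra": bool(flags & 0x0080),  # resolver offers recursion
        "ad": bool(flags & 0x0020),  # resolver validated the data with DNSSEC
        "rcode": flags & 0x000F,     # 0 = NOERROR, 3 = NXDOMAIN
        "answers": [],
    }
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        info["answers"].append((name, rtype, ttl, rdata))
    return info

def time_lookup(resolver, name, timeout=2.0):
    # Send one UDP query to resolver:53 and return (milliseconds, parsed reply).
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(packet, (resolver, 53))
        data, _ = sock.recvfrom(4096)
        elapsed = (time.perf_counter() - start) * 1000
    return elapsed, parse_response(data, expected_id=txid)

def benchmark(resolvers, names):
    # Two queries per name: the repeat is normally served from cache (shorter time, smaller TTL).
    for resolver in resolvers:
        for name in names:
            try:
                first, _ = time_lookup(resolver, name)
                second, reply = time_lookup(resolver, name)
            except (OSError, ValueError) as exc:
                print(f"{resolver:16} {name:20} error: {exc}")
                continue
            ttl = min((a[2] for a in reply["answers"]), default=None)
            print(f"{resolver:16} {name:20} first {first:6.1f} ms  repeat {second:6.1f} ms"
                  f"  AD={reply['ad']} TTL={ttl}")

if __name__ == "__main__":
    # python dnsprobe.py <resolver-ip> ...   (no arguments: parse the sample reply offline)
    if len(sys.argv) > 1:
        benchmark(sys.argv[1:], ["example.com", "example.net"])
    else:
        print(parse_response(SAMPLE_RESPONSE, expected_id=0x1234))
```

Run it with two or three candidate resolver addresses and compare the first-query column, which is where geography and the resolver's own cache show up; an AD=False column for every name tells you that the resolver is not validating DNSSEC for you, and a ValueError from the id check means a reply arrived that did not match the query you sent.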