Any attentive business or home user will quickly change their internet service provider if availability is not up to scratch and yet few realise they can do exactly the same thing with the 'name servers' resolving the global Domain Name System.
Doing this costs nothing and the benefits in terms of improved performance and security can be significant, yet few bother. Most users continue to take Domain Name System (DNS) for granted, unaware of the hidden bottlenecks of internet service provider (ISP) services and the potential for improvement.
Read next: What is serverless computing?
How does a DNS service work?
Put very simply, the job of DNS name servers is to resolve public web addresses or domains to their underlying TCP/IP addresses. This sounds like a straightforward process but there are a number of variables that affect performance. The most obvious of these is simply the round-trip time between the client device and the DNS server itself, which will depend on geographical proximity as well as response times from any other DNS infrastructure involved in a query.
Even meaty name servers will not cache every possible website domain and have to look that up recursively by sending a query to a remote server. This is why visits to websites in remote countries sometimes take perceptibly longer for reasons that aren't (as many assume) to do with a slow web server on the other end of the request.
Another problem is that DNS name servers can become congested due to heavy use at peak times or malicious DDoS attacks causing problems behind the scenes. DNS was designed to be resilient but under stress, it will still slow.
Security: DDoS attacks on DNS servers underscore the system's vulnerability – no website whose DNS servers have been overloaded will be able to conduct much business - but other security issues abound including cache poisoning (redirecting users from legitimate to fraudulent DNS servers). This was a major impetus behind the Domain Name Security Extensions (DNSSEC) security layer used to authenticate name servers for those providers supporting it.
By default, a computer will use the default DNS server of the network it is connected to, which will be provided by the service provider or ISP. The user can manually adjust that setting, either on a one-off basis or indefinitely. DNS really is a matter of preference.
Changing DNS settings: For IPv4, this can be carried out for every PC connection (separately for wired Ethernet and wireless) or for every device on a network through the network router's DNS settings panel. On Windows 10, navigate to the Control or Settings panel to the Ether or Wireless properties box and click on IPv4 properties. Then untick the 'obtain DNS server address automatically' and specify the correct address for the service that is going to be used. For home routers, the same is achieved via the configuration interface, usually in the WAN settings under something like 'DNS settings'.
Router v client: Don’t assume that the router's DNS settings take precedence over the device's. That’s only true if the client (Windows, say) is set up to 'Obtain DNS Server automatically'. Any manual setting on a device will over-ride the router on that interface, for instance, Wi-Fi/wired.
Mobile devices: Changing DNS servers on mobile platforms such as Android is more complex than for a PC. Android allows users to do this for Wi-Fi, but it will only remember the setting for that network, for example when a user is at home or work. It also requires the user to set a static IP address so no DHCP. There are a couple of apps to help with this on Android: DNS Changer and DNSet. Unfortunately, this approach can't be extended to 3G or 4G without root access – carrier access still requires accepting the default DNS.
IPv6: Public IPv6 servers are also offered by the following providers but it's best to steer clear of them for now.
Privacy: Most of the services described below promote themselves on filtering security which inevitably means they are gathering data on websites visited. You could argue that this is true of all DNS systems, including those from the ISPs that most people use quite happily. But it is not always clear where this data is stored nor what use it might be put to by those collecting it. Information is valuable in today's internet economy so be aware that a 'free' service might have hidden privacy downsides.
Public DNS services
In April 2018, DNS services and content delivery network business Cloudflare announced its ‘220.127.116.11’ free DNS – which it touted as the “fastest” consumer DNS service out there. In a blog post from Cloudflare CEO Matthew Prince, he said that 18.104.22.168 is also aimed at the privacy conscious user, designed to address the lack of “privacy-respecting” free DNS options out there.
“What many internet users don’t realise is that even if you’re visiting a website that is encrypted, that doesn’t keep your DNS resolver from knowing the identity of all the sites you visit,” Prince said at the time. “That means, by default, your ISP, every Wi-Fi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them.”
Why trust CloudFlare to deliver on this? Well, the paranoiac might well not trust CloudFlare either, but the company points to its track record in not tracking users or selling advertising. “We don’t see personal data as an asset, we see it as a toxic asset,” Prince said. Auditing business KPMG will audit the company’s practices yearly and publish a public record that should prove CloudFlare is legit.
The company launched 22.214.171.124 on 1 April this year, leading some to suspect that it might be a (spectacularly unfunny) April Fool’s joke, but since all you have to do is trawl the various sysadmin, support and privacy forums out there to see that a lot of users are happy with the CloudFlare service.
On the technical side, the service supports both DNS-over-TLS and DNS-over-HTTPS, both of which are transparent, open standards. Prince pointed out that Google was the only vendor operating a DNS-over-HTTPS service at scale, perhaps leading Google competitors reticent to migrate to the standard, and CloudFlare hopes that by offering this it will lead to more people making use of it, which is generally speaking, faster and more secure.
It will be particularly alluring to the many privacy-conscious users out there who want to de-Google entirely.
Google Public DNS
Available on 126.96.36.199 and 188.8.131.52, Google's Public DNS service will support IPv6, but you'll need to change IP address accordingly to take advantage of its advanced security features.
Easy to remember for IPv4 on 184.108.40.206 with its backup on 220.127.116.11, users will still expect and get high availability, a lot of filtering and security such as DNSSEC as standard. Since Google's business is advertising, it's very much a one size fits all model with no configuration to speak of. The standard-setter for public DNS, Google is one of the fastest too. Google collects data on users as it does from all its services although in the case of DNS it should be impersonal. If you can put up with that, this is definitely the one to beat.
Now part of the Cisco empire, the primary is 18.104.22.168 and 22.214.171.124. OpenDNS is open to both business and home users, with both plans coming packed with solid security controls. Home users can simply adjust their DNS to point at one of the above but OpenDNS also offers a good home service including Family Shield, Home, phishing protection, enhanced internet performance and parental controls, with web whitelisting also available. And for a price, business users can take advantage of its full enterprise security service.
In late 2017, IBM announced its own public DNS system launched in partnership with the Global Cyber Alliance group of researchers and law enforcement agencies to launch Quad9, designed to block malware at the DNS level – its address is 126.96.36.199.
The free service pulls in threat intelligence from IBM X-Force as well as information from other partners like Cisco, F-Secure and Proofpoint.
Obviously this means you’ll be trusting these companies to decide what is and isn’t malicious – some domains will permanently get a free pass such as Google, Azure and AWS – but if you or your business are looking for a simple and effective DNS security package it is probably worth consideration.
Norton is well-known for its internet security software and services, and its DNS services don't disappoint. ConnectSafe users will receive malware and phishing protection and available in its basic form on 188.8.131.52 (backup 184.108.40.206) with other servers specified, ConnectSafe can filter content such as porn, file sharing, and mature content. Also offered as Norton ConnectSafe for Business.
Available on 220.127.116.11 and 18.104.22.168, DNS.Watch is almost unique in offering an alternative DNS service without the website logging found on most others. DNS.Watch provides a stripped-back DNS service with net neutrality at its heart. It can also be used across most major operating systems, including Windows, Mac OS and Linux.
However as of early 2018 users are reporting that DNS.Watch is either down or performing slowly - and its website has also disappeared (cached version available here).
Not exactly a public DNS per se, Open NIC describes itself as an "organisation of hobbyists who run an alternative DNS network" – and so you can get access to domain names that aren’t administered by web regulator ICANN.
All of the OpenNIC public servers are listed here while the OpenNIC website will point you to your nearest working server. The website also provides wizards for modifying DNS settings to access OpenNIC servers for Windows, Linux, iOS and Android.
VeriSign Public DNS
Not to be outdone, VeriSign's public DNS offering is available on 22.214.171.124 and 126.96.36.199. Interestingly, the company made a big point is saying it would not collect data on users of the service and this public DNS will provide intelligence on the sorts of malicious sites real users attempt to visit.
DNS performance tools
But how does one know whether a particular DNS server is fast, slow or perfectly normal? And how can this be assessed independently of other web infrastructure?
In theory, a crude method is simply to compare the speed of response when visiting a domain (e.g. computerworlduk.com) with the same action using the underlying IP address. Unfortunately, most websites - including this magazine's - use something called shared hosting which means that the IP address is not enough on its own to reach a site because several share the same address.
There are manual ways around this but the better solution is to gain insight using a dedicated tool, of which there are several free ones to choose from. All run on Windows, most on Linux and a few on Mac.
GRC DNS Benchmark
Authored by programmer Steve Gibson, this assembler utility requires no installation and has the helpful feature of making recommendations after it has run its tests. By default, it tests against a generic list that is skewed towards larger North American DNS providers, which isn't to say that these aren't the best to use. Alternatively, users can give it around half an hour to build a custom list from a database of nearly 5,000 global servers which will include lesser-known servers that are geographically nearer to individual users.
Conclusion: An excellent utility that makes a potentially complex subject as simple as it can imaginably be. Returns latency measurements for each DNS provider on the basis of cached names, uncached, and dotcom lookup but it is best to run a customer query.
Available for Windows, Linux and Mac, Namebench is a useful if slightly aging utility that benchmarks your current DNS service against a range of others, coming up with recommendations for primary and backup name servers, often from different providers. The output opens as HTML, complete with graphs and response times, which in our case suggested improvements of between 13 percent and 60 percent over the default DNS name server offered by the ISP.