DNS Benchmark
DNS Reconfiguration Guide
How to change your system's DNS Settings.

“You can't optimize it until you can measure it”

And once you've measured it, you might want to change it!

Before we can meaningfully discuss reconfiguring your system's or network's Domain Name System (DNS) resolution, we need to discuss all the ways it might currently be configured. Any of the following situations might be possible:

Small Office / Home Network DNS Configurations
Two Important Factors to Consider before Changing DNS

Aside from the obvious possibilities of benefiting from faster DNS lookups — which is the whole point of the DNS Benchmark and of these pages — you should keep two important factors in mind:

1. DNS monitoring provides an extremely powerful facility for Internet activity surveillance: Any provider of your system's or network's DNS resolution services could inherently collect a great deal of information about virtually all of your Internet usage history and habits.

When you think about it, you'll see why this is true: nearly every connection your computer makes begins by asking its configured DNS resolver for the IP address of the destination's name, and that request carries your own IP address along with the name. Therefore, anyone providing your DNS services could easily build a huge and comprehensive log of all of the domain names looked up by everyone using their services. This might be done for various, generally benign, marketing and statistical reasons. But even so, any such service could be compelled to release its records to legal authorities.

One factor that mitigates this sort of database compilation is that DNS queries are, for the moment anyway, “minimal & clean”: a DNS query carries no persistent “cookie” or other tagging technology, only your IP address. That benefit is offset somewhat by the fact that virtually all web requests do carry both your IP address and persistent cookies, so tying the two together is the sort of thing that's probably already in someone's business plan. <grumble>

We do not mean to suggest that all of this is necessarily a huge problem, or that anyone should be overly worried about the privacy-impacting consequences of this. We only feel that all Internet users should be generally aware of the nature of the data gathering capabilities which are inherent in anyone providing DNS services.

The only practical way to avoid the possibility of this sort of DNS monitoring is to avoid the use of any third party's DNS resolvers, which means running your own DNS resolver. If you were to do this, then rather than having all of your DNS queries sent to an ISP's resolvers for resolution, your own resolver would query the Internet's authoritative DNS servers directly for the IPs your computer(s) required, so the record of your lookups would be spread out across the Internet rather than collected in one place. While it is possible for individuals to set up their own DNS resolvers, and advanced Internet users do so, doing this is beyond the scope of these pages. We just wanted you to know that the possibility exists.
2. “DNS Spoofing” is a powerful means of tricking unsuspecting users into visiting fake (spoofed) web sites: After changing your system's DNS providers, you should use GRC's free DNS Spoofability system to verify that your new DNS provider has configured their DNS resolvers to thwart DNS spoofing exploits.

A quick Google search on the phrase “DNS Spoofing” will reveal that the threat is real and very well understood. Despite this fact, it is estimated that upwards of 25% of the Internet's DNS servers are currently (in 2010) vulnerable to DNS spoofing. GRC created its free DNS Spoofability testing system to allow Internet users to quickly check their own DNS provider's current “spoofability,” as well as to expose those DNS providers who have still not updated their configurations and to (hopefully) put some pressure on them to finally do so.

Needless to say, you do not want to be using any DNS resolver that could be exploited to return the wrong IP address for a domain you visit, such as your online banking institution, since that could expose your financial logon credentials and other confidential information to criminals.

We are not aware of any other system, besides the one offered by GRC, which provides a sophisticated analysis of the state of DNS resolver “spoofability.” PLEASE be sure to take advantage of its services. It is both fast and free.
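What a spoofability test is actually measuring, as an added example that is not GRC's code: each outgoing query a resolver sends carries a UDP source port and a 16-bit transaction ID, and an off-path attacker must guess both for a forged reply to be accepted before the real one arrives. A test of this kind observes those values by having the resolver look up names under a domain whose authoritative server the tester controls. The function below scores a captured sample of such (port, transaction ID) pairs. The rating names, thresholds and sample data are this example's own assumptions, not GRC's grading.

```python
"""Judge how hard a resolver is to spoof from a sample of the (source port,
transaction ID) pairs it used on its outgoing queries: the two values an
off-path attacker must guess for a forged reply to be accepted.  Thresholds
here are this example's own, not GRC's."""
import math
import random

MIN_SAMPLES = 32


def fraction_sequential(values, max_step=16):
    """Share of consecutive deltas that are small positive steps (a counter, not a RNG)."""
    steps = [b - a for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if 0 < s <= max_step) / len(steps)


def rate_field(values, space_bits=16):
    """Classify one 16-bit field as 'fixed', 'sequential', 'narrow' or 'random'."""
    distinct = len(set(values))
    if distinct == 1:
        return "fixed"
    if fraction_sequential(values) > 0.5:
        return "sequential"
    span = max(values) - min(values)
    if span < 2 ** (space_bits - 4) or distinct < 0.9 * len(values):
        return "narrow"                      # e.g. ports confined to a small range
    return "random"


def guess_bits(rating, values):
    """Approximate bits of uncertainty a forger faces for one field."""
    if rating == "random":
        return 16.0
    if rating == "narrow":
        return math.log2(max(values) - min(values) + 1)
    return 0.0                               # fixed or sequential: predictable


def assess(samples):
    """samples: [(source_port, txid), ...] observed from the resolver under test."""
    if len(samples) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} queries, got {len(samples)}")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_rating, txid_rating = rate_field(ports), rate_field(txids)
    bits = guess_bits(port_rating, ports) + guess_bits(txid_rating, txids)
    verdict = "GOOD" if bits >= 28 else "WEAK" if bits >= 16 else "POOR"
    return {"port": port_rating, "txid": txid_rating,
            "guess_bits": round(bits, 1), "verdict": verdict}


# Constructed samples, seeded so the results are reproducible.
rng = random.Random(2010)
GOOD = [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(200)]
# Pre-2008 behaviour: one fixed source port and a counting transaction ID.
POOR = [(53, 1000 + i) for i in range(200)]
# Random ports but a counting ID: the attacker still faces about 16 bits.
MIXED = [(port, 5000 + i) for i, (port, _) in enumerate(GOOD)]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("poor", POOR), ("mixed", MIXED)):
        print(label, assess(sample))
```

A resolver rated POOR here (one fixed port, counting IDs) leaves a forger only 65,536 possibilities per race, which is why randomizing the source port became the standard fix after the 2008 disclosures; a resolver rated GOOD forces roughly four billion. Note that it is the recursive resolver doing the lookups, not your own machine, whose randomness matters, which is why the test should be repeated after any change of DNS provider.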

What DNS Configuration is Best?

Now that you have some sense of the several possible DNS configuration arrangements, and of the consequences of changing your current DNS setup, let's examine how to go about making these changes. Assuming you have a router, as users with small networks will, the question to answer is whether you want your DNS configuration to use the centralized router-based approach (if your router offers it) or whether you'd prefer to have your network's computers use public DNS servers directly.

Performance difference? What about the relative performance of the “router proxy” configuration, where the network's computers use the router's private gateway IP as their DNS resolver, versus having the computers use public DNS resolver IPs directly, whether received from the router or manually configured?

During the development of the DNS Benchmark the general consensus was that there was no detectable difference in performance. Since the proxying involves an extra step, we were curious to see whether any significant delays were introduced. But compared with the time required to obtain replies from across the Internet, any small delay through the router was insignificant and undetectable.

How to Reconfigure Your System's DNS?

Once you have determined the DNS configuration approach that best fits your needs, you'll need to make the appropriate changes to your router and/or networked computers.

Unfortunately, every version of Windows has dramatically changed its networking configuration user interface from the previous version, every router has its own entirely different way of performing configuration, and then there are the various Apple Mac versions, the UNIXes, and about a million and one different Linux “distros” and desktops. Consequently, there's no practical way for us to provide the sort of detailed configuration guidance that many users might need.

But we have a solution!

A well known and well regarded commercial DNS provider (OpenDNS) is in the business of providing “feature enhanced” DNS resolution services (see the note about OpenDNS below). This means that they, too, have needed to help all sorts of different people alter the DNS resolver settings for their computers and their routers. Since they have the same need this page has, the best solution is to refer you to the OpenDNS web site where you can use their very nice step-by-step reconfiguration guides.

But first . . .

A note about OpenDNS before you head over there...

Some people object to using the OpenDNS resolvers because instead of returning errors for non-existent domain lookups (DNS errors), the OpenDNS resolvers redirect users to a commercial “intercept page” containing advertising and who-knows-what. Internet purists argue that this is not the way the Internet is supposed to work. And, moreover, they dislike the idea of having their “typos” monetized.

On the one hand, the purists are right, and I count myself among them: DNS lookup errors should return errors. (Also note that other ISPs, perhaps yours, are beginning to stop returning errors in favor of generating incremental revenue; the Benchmark will alert you if yours does.) But the modern Internet is no longer as simple and clean as the purists would like. And OpenDNS does offer some compelling benefits as well . . .

Imagine if a DNS resolver KNEW about domains where malware, viruses, scams, and other forms of dangerous or distasteful content lurked. Such a “smart DNS resolver” could actively protect your computer, and your whole network, by never providing the IP addresses of those malicious or undesirable domains. If, for example, you clicked a malicious link in an e-mail, your computer would only know to ask OpenDNS for the IP of the link's domain. But if OpenDNS had already flagged that domain as malicious and blocked it, your computer would be prevented from “going there,” and you and it would be protected. It's a clever and compelling idea which, from a security standpoint, makes a great deal of sense.

Here's a link to OpenDNS's page of benefits for households.

Note that the DNS Benchmark already incorporates the two OpenDNS resolver IP addresses, [208.67.222.222] and [208.67.220.220]. Also note that the DNS Benchmark detects that, in its default configuration, the OpenDNS resolvers do not return errors for non-existent domains, returning an address instead. This behavior can be disabled by registered OpenDNS users.
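Both of the behaviours discussed on this page can be seen directly in the DNS wire format: the first factor above (everything a resolver's operator sees about every client) and the OpenDNS default the Benchmark flags (an address returned where an NXDOMAIN error belongs). The following is an added example, not code from GRC or OpenDNS. It builds a few DNS packets itself (the client addresses and names are constructed, and the intercept address is a placeholder from the RFC 5737 documentation range), then shows the per-client lookup history a resolver could keep and a check that distinguishes an honest NXDOMAIN reply from a substituted address.

```python
"""Two behaviours this page says are visible on the wire, shown on constructed
DNS packets (RFC 1035 format; no network access): the lookup history a
resolver operator can keep per client, and a resolver answering a name that
does not exist with an address instead of the NXDOMAIN error."""
import struct
from collections import defaultdict

QTYPE_A = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name):
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels).lower(), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_query(txid, name, qtype=QTYPE_A):
    """A minimal recursion-desired query, as a stub resolver sends it."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, rcode, a_record=None):
    """Answer a query with an error code, or with one A record pointing back at the question name."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = 0x8180 | rcode                        # QR + RD + RA, rcode in the low 4 bits
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if a_record else 0, 0, 0) + query[12:]
    if a_record:
        rdata = bytes(int(o) for o in a_record.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + rdata
    return msg

def parse_message(msg):
    """Header, question section and answer section (A records decoded to dotted quads)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0x0F,
            "questions": questions, "answers": answers}

def resolver_log(packets):
    """What a resolver operator can retain with no effort: every name each client asked for."""
    seen = defaultdict(list)
    for client_ip, msg in packets:
        m = parse_message(msg)
        if not m["response"]:
            seen[client_ip].extend(name for name, _ in m["questions"])
    return dict(seen)

def classify_nonexistent(response):
    """For a name known not to exist: honest NXDOMAIN, or an address substituted for the error?"""
    m = parse_message(response)
    if m["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if m["rcode"] == RCODE_NOERROR and any(t == QTYPE_A for _, t, _ in m["answers"]):
        return "REDIRECTED"
    return "OTHER"

# Constructed traffic from two clients (RFC 1918 addresses) behind one resolver.
PACKETS = [
    ("192.168.1.10", build_query(0x1001, "www.example.com")),
    ("192.168.1.10", build_query(0x1002, "mail.example.com")),
    ("192.168.1.11", build_query(0x2001, "login.bank.example")),
    ("192.168.1.10", build_query(0x1003, "login.bank.example")),
]
# A made-up name; the intercept address is a placeholder from the RFC 5737 documentation range.
BOGUS = build_query(0x3333, "surely-not-a-real-name.example")
HONEST = build_response(BOGUS, RCODE_NXDOMAIN)
REDIRECT = build_response(BOGUS, RCODE_NOERROR, a_record="203.0.113.80")
```

To run the redirection check against a live resolver, send the bytes of a query for a random, certainly non-existent name to the resolver's UDP port 53 and pass the reply to classify_nonexistent; a resolver that returns REDIRECTED is substituting its own address for the error, which is the behaviour the Benchmark reports for OpenDNS's default configuration. The resolver_log function is deliberately trivial: the point is that the resolver already has everything it needs to build that history, and no extra machinery is required.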

Just to be clear, you don't need to use the OpenDNS resolvers in order to use their very helpful step-by-step reconfiguration guides. We went through all this because we feel it's only fair to explain what's going on with OpenDNS since (a) you're about to be using their helpful guide pages for your own (non-OpenDNS) purposes, and (b) it is important to explain about DNS redirection, which is, no matter how you may feel about it, something the Internet is going to be seeing more of in the future.

HERE ARE THE OPENDNS GUIDE PAGES for assisting with DNS computer and router reconfiguration


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Aug 16, 2010 at 14:42