Most of you reading this are probably letting your broadband ISP run your Domain Name System (DNS) resolver, the service that turns human-readable domain names (e.g. ISPreview.co.uk) into the IP addresses your devices actually connect to, but now there’s a new choice in the form of Quad9.
The vast majority of you probably won’t feel any need for a custom DNS provider, although if your ISP starts injecting content or filtering into your browsing, or suffers a fault with its own DNS system that slows page loading, then you may decide to try a third-party service.
There are already several popular free DNS providers, such as OpenDNS and Google’s Public DNS. Some of these claim to be faster than your ISP’s resolvers, although in reality you’re unlikely to notice much difference. So what makes Quad9 special?
Quad9, which has been established by IBM, the Global Cyber Alliance (backed by the City of London Police and the Center for Internet Security) and the Packet Clearing House, is much more focused on security than the services we’ve seen before and answers your DNS queries from its own network of servers around the globe.
The service, which pledges not to store, correlate or otherwise exploit your private data (Google makes a similar commitment), draws on threat intelligence from more than a dozen of the industry’s leading cyber security companies to build a real-time picture of which domains are safe and which are known to host malware or other threats. In practice a lookup for a listed domain simply gets no address back, so the connection never starts. “If the system detects that the site you want to reach is known to be infected, you’ll automatically be blocked from entry – keeping your data and computer safe“, says Quad9’s website.
Generally all that’s required to give Quad9 a try is to change the Primary DNS (and Secondary DNS) address on your router to 9.9.9.9 (for IPv6: 2620:fe::fe). Unfortunately some ISPs won’t let you change the DNS settings on their bundled routers, which means you either have to disable the router’s DHCP server and configure each device’s IP settings by hand (painfully tedious) or change the DNS settings on each device connected to your network. Afterwards it is worth checking on a client (e.g. with nslookup) which server actually answers its queries, since a router can keep handing out its own address as the DNS server via DHCP.
ISPs lock router DNS settings for a number of different reasons. For example, they may prevent such changes to limit the damage if your router is hijacked and its DNS servers maliciously redirected. Likewise some of the biggest ISPs run DNS-based filtering (e.g. BT Web Protect and BT Parental Controls), which may conflict with a third-party DNS service unless you disable those features first.
At present Quad9 is still growing and so it should continue to get better over time.
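To make the mechanics above concrete, here is an added Python example (it is not Quad9’s code, and the blocklist, zone data, names and addresses in it are constructed for the demo). It builds real DNS wire-format queries, runs them against a simulated blocking resolver, and applies the check a client must make before trusting any reply: the transaction ID and question must match what was sent. The simulation assumes the resolver’s “block” takes the form of an NXDOMAIN answer (no address returned). It also goes slightly beyond the article by modelling an off-path spoofer that has to guess the 16-bit ID, which is the case that check defends against; an on-path interceptor such as the ISP port-53 redirection discussed in the comments sees the ID and is not caught by it.

```python
import random
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
A_RECORD, CLASS_IN = 1, 1

# Constructed sample data standing in for a resolver's threat feed and the real DNS.
BLOCKLIST = {"malware.example", "phish.example"}
ZONE = {"ispreview.example": "192.0.2.10"}


def encode_name(name):
    """Dotted name -> DNS label sequence ending in a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at `off`; return (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        length = msg[off]
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off + 1


def build_query(name, txid):
    """Recursion-desired query for an IN A record (12-byte header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)


def build_response(txid, question, rcode=RCODE_NOERROR, ip=None):
    """Response with QR/RD/RA set, echoing the question; one A record if `ip` given."""
    flags = 0x8180 | rcode
    if ip is None:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 300, 4) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def filtering_resolver(query):
    """Simulated blocking resolver: listed (or unknown) names get NXDOMAIN, no address."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = decode_name(query, 12)
    question = query[12:off + 4]
    key = name.lower()
    if key in BLOCKLIST or key not in ZONE:
        return build_response(txid, question, rcode=RCODE_NXDOMAIN)
    return build_response(txid, question, ip=ZONE[key])


def spoofing_transport(query):
    """Off-path forger: answers with an attacker address but must guess the ID.
    (It receives the query bytes only so the simulation can echo the question;
    a real off-path attacker never sees the query.)"""
    _, off = decode_name(query, 12)
    return build_response(0x1234, query[12:off + 4], ip="203.0.113.66")


def parse_response(resp):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    name, off = decode_name(resp, 12)
    off += 4                                        # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        off += 2                                    # compression pointer to the name
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            addresses.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return {"id": txid, "name": name, "rcode": flags & 0xF, "addresses": addresses}


def resolve(name, transport=filtering_resolver, txid=None):
    """Query through `transport` and validate the reply before trusting it.

    A reply whose transaction ID or question does not match is dropped; that is
    what defeats an off-path forger. An on-path interceptor sees the ID and passes
    this check, so catching it needs something it cannot forge (e.g. DNSSEC).
    """
    txid = random.randrange(1 << 16) if txid is None else txid
    reply = parse_response(transport(build_query(name, txid)))
    if reply["id"] != txid or reply["name"].lower() != name.lower().rstrip("."):
        return {"status": "spoof-rejected", "addresses": []}
    if reply["rcode"] == RCODE_NXDOMAIN:
        return {"status": "blocked-or-nonexistent", "addresses": []}
    return {"status": "ok", "addresses": reply["addresses"]}


if __name__ == "__main__":
    for n in ("ispreview.example", "malware.example"):
        print(n, resolve(n, txid=7))
    print("forged, wrong ID:", resolve("ispreview.example", spoofing_transport, txid=7))
    print("forged, lucky ID:", resolve("ispreview.example", spoofing_transport, txid=0x1234))
```

Note how thin the protection is: the only thing the forger in `spoofing_transport` gets wrong is the ID, and when its guess happens to match the client accepts the attacker’s address without complaint, which is why source-port randomisation and DNSSEC exist on top of this check.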
The DNS filtering systems are generally independent of whatever DNS server you use, because they also employ reverse-DNS lookup (among other things). The only way to subvert those is to use a VPN, as they look at the individual web requests, and not just any DNS lookup.
I should also add that there is nothing, technically speaking, that could stop an ISP spoofing DNS services, even if they were directed at a different DNS server. I doubt very much that any actually do it as it would surely be detected and be controversial, but DNS spoofing is a potential danger on public WiFi networks set up for nefarious reasons.
The only real defence against DNS spoofing is to use a VPN (although, in principle, even a VPN could be spoofed unless it has a secure sign-on system validated at both ends).
“DNS filtering systems are generally independent of whatever DNS server you use”
The DNS filtering is done at the DNS server and is wholly dependent on the DNS server you use. OpenDNS filtering does not work if you don’t use their DNS servers. OpenDNS filtering does not work if you use your ISP’s DNS servers.
If you use an online VPN service then you are likely dependent on the DNS service they provide to you (I don’t use such services).
Commercial online VPN services are not as secure as you think they are.
https://www.theregister.co.uk/2017/10/08/vpn_logs_helped_unmask_alleged_net_stalker_say_feds/
@ChrisP
By DNS filtering I mean filtering on DNS names. Having worked in a company which used outbound web filtering, it was not possible to bypass by avoiding the DNS server. It worked even if using a numeric IP address, as it performed a reverse lookup to check that the domains being visited were not on the blacklist.
Using DNS to redirect is another thing altogether.
Of course VPNs are only as secure as the company offering them. The point is that if you want to avoid any ISP filtering, then that’s the only way to do it.
Using DNS (rather than filtering on domain names) is easily bypassed and not effective.
Your company’s outbound web filtering would have been performed by a proxy server, either transparent (filters everything going to the net) or explicit (the web browser or applications are configured to use it). The proxy does the DNS lookup, not the client. The domain name is always translated to an IP; that’s the only way your machine can hope to reach the domain. The remote IP checks the path and routes the traffic to the appropriate site at its IP. The proxy at your company would check the domain and path against its categorisations and permit or deny access accordingly.
I think you are suggesting that even if people use a separate DNS service it won’t stop the ISP knowing about or interfering with the pages you visit, which is true as they must at least know the remote IP your traffic needs to get to, and it’s the metadata the security services want recorded.
But… any ISP that deliberately intercepted and redirected people’s page requests without good reason, like a court order to block content as is currently the case in the UK, won’t be in business long.
These DNS services are more about having more control over the domains you or people in your household visit, for little to no cost. It’s not foolproof, but also doesn’t involve installing any software on devices connected to your network.
The only more effective way to control what sites are connected to from your internet connection is to install a proxy which is likely far too complicated for most people to bother with.
@ChrisP
The filtering systems employed by ISPs don’t use web proxies in the manner of major corporations, but systems like BT Internet’s Cleanfeed work outside of DNS filtering systems. Whilst the details of the technology have not been released (for fairly obvious reasons), it is believed to work by intercepting any IP addresses that may be suspect and then routing any such access (invisibly) via a proxy server where the more sophisticated filtering is performed, as blocking IP addresses wholesale is far too crude.
The system cannot be bypassed by using a non-BT DNS server.
The details of how Cleanfeed works have been explicitly published: BT maintains a list of URLs (partly from the IWF, partly from court orders) that is converted to a list of IP addresses. Requests to those IP addresses are forwarded to a proxy server that does a URL-based inspection of the content and blocks any URL that is on the combined list the IP addresses were extracted from.
That does lead to a potential oracle attack that allows someone to use it to find which IP addresses have content that is currently being blocked (https://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf); from there reverse DNS can be used to disclose the sites that operate on those IPs.
Oh, and some ISPs will redirect requests on port 53 to the ISP’s DNS servers unless the customer forces them to “opt out”; this breaks things like DNSSEC so has become less prevalent.
The provisions in the Digital Economy Act explicitly list DNS poisoning as an acceptable method for blocking adult content that is not applying age verification, but recognise that a determined end user can easily bypass such a system.
Thanks James
That’s an interesting read
backed by the City of London Police
Hmm…