Most of us always lock the door. It’s the sane thing to do, it’s a reflex. But why is that window still ajar?
Here’s the thing: Most of us spend a significant part of our lives in a digital world. We’ve been taught and reminded about security seemingly since forever. So we have accepted the challenges – difficult (unmemorable) passwords (and written them down in secret places), authentication devices, fingerprint and retina scanners and what have you. So what do I mean by ‘forgot the windows’?
It’s complicated – and ‘forgot’ is an exaggeration. And ‘slightly ajar’ is a lot better than wide open, which was the rule a few years ago. All the hoops we’ve been through over the years have obviously helped. But things change continuously and the bad guys have ‘improved’ (evolved, developed) even faster than you and me (check out the post Security: Everything is broken). So the situation as we enter 2023 is worse than in 2022 or 2017. ‘Slightly ajar’ is dangerous.
You may know this already from the news. Everything security related seems to be deteriorating – malware, ransomware, fake emails, phishing, ID theft and so on. We’re all targets. People, businesses and institutions get robbed (stolen data) or held hostage – digitally – all the time.
Which is why I’m repeating the ‘lock the doors and windows’ message. And I’m not going to beat you up about passwords and habits and life style improvements again (check out the post ‘I got yor password’). Instead I’m going to explain how a small, one time change can improve your security significantly. One that will take you maybe 5 minutes to do. Actually, I’m inviting you to understand how a tiny little piece of the Internet works: The Internet directory service. If you understand it, you’ll start looking for (and closing) (digital) windows automatically. Because it makes sense, is free and takes almost no time.
Think of the Internet directory as a phone directory – it’s where you enter (or look up) a name and get a number back. The Internet variant is known as the DNS, the Domain Name System. It translates the ‘dotted names’ – the names in URLs, web addresses and email addresses (commonly called ‘domain names’) – to the numeric addresses the network actually uses. And it does this automatically, out of sight. You don’t even know it’s there – until it doesn’t work, which means ‘everything’ seems broken.
Anyway, when you type ‘google.com’ or ‘irs.gov’ or something in your browser, you get to Google or IRS because the DNS translated the name to a numeric address, such as 142.250.74.174 (Google) or 152.216.7.110 (IRS). And you don’t have to worry about it because it’s automatic.
Without this out-of-sight service, the Internet wouldn’t work. And while it seems simple, it’s a very sophisticated, resilient and (optionally) secure service consisting of thousands of servers from a variety of service providers all over the world. You are using some of them via your ISP already and probably don’t know which. Why should you? You didn’t even know they existed – and it works, why worry? Now, here’s the thing: They aren’t all alike – not in terms of security and not in terms of speed. By choosing one of the best, your digital security may improve dramatically. And the net may suddenly appear more responsive too.
Let’s go back to the phone directory analogy for a second. If you get an ad or a brochure in your (physical) mailbox, there is (probably) a phone number to call to ask questions or place an order. You dial and get connected – and assume that the business is legit. What if it isn’t and the phone company knew about it? Kept a blacklist so to speak. Would you subscribe to a free service that prevented you from connecting to such business? And instead informed you about the reason for not connecting? Maybe even an option to connect anyway after you’d been warned. That’s protection, isn’t it?
This is exactly what some of the Internet directory services do. They maintain and share blacklists and block regular (and many professional) users from reaching those servers, thus protecting you and me from all sorts of digital crimes. Like when you get an email that looks like it’s from your bank or some other service you trust, but actually is phony – a so-called ‘phishing’ attempt – the links in that email will not work because the DNS service is blocking them.
Does that sound simple? Actually it sounds like the obvious thing to do. Technically, on the server side, it takes some magic to do it and quite some work to maintain the blacklists, but it’s not complicated. And not only that – this is preventive protection, not reactive protection. The difference is non-obvious to most of us, but here’s the thing: Security professionals hesitate to confirm this, but most devices – PCs, phones, tablets etc. – are infected most of the time. The infections are never benign, but they are often dormant and do no harm – until they somehow get a ‘wakeup-call’, which sounds spooky and is bad if it happens. In many cases it never happens because the infection gets wiped by an update or caught by the device’s ‘immune system’ – mechanisms built into the operating system. A filtering DNS service adds to this defence twice. First by reducing the chances of ‘infection’. Secondly, if your device should get infected by malware, the malware doesn’t work because it may not be able to ‘call home’ – its attempts to look up the names of the servers it depends on are blocked.
This is all good but here’s another surprise: Such directory services have been available for 15 years but they’re still underutilized. In other words, unless you’re in a segment where this issue has received special attention, like in US schools, it’s unlikely that your Internet Service Provider (or your employer) is using them. And the reason is not money – the best of them are actually free. A company named OpenDNS made such services available for free in 2007, others followed suit – and over the years developed comprehensive protection and analytics services for the professional market.
This is where you can make a difference – on two levels: You can change the DNS setting on your home router to one of the safe (and free) services (see below). And you can ask at work whether such services are used. You may be able to test the latter yourself, but your company or its service provider may be doing some filtering on their own so the results may not be valid. And for the records, while locally administered filtering is good, it’s rarely as comprehensive as the professional ones.
Also be aware that while more than a dozen free and (quite) fast global DNS services are available – Google (address 8.8.8.8) being best known – only a few offer filtering. Also, while quite fast, there are significant differences in speed between them, depending on your location. To get an idea, you can download a test suite (aimed at IT professionals, but it’s not complicated) or refer to some of the articles about the issue on the net.
To give you an idea, here’s a test run from my home office (ms = milliseconds):
# bash ./dnstest.sh all| sort -k 22 -n
test1 test2 test3 test4 test5 test6 test7 test8 Average
quad9 9 ms 9 ms 8 ms 9 ms 9 ms 9 ms 8 ms 9 ms 8.70
cloudflare 9 ms 9 ms 8 ms 9 ms 9 ms 9 ms 9 ms 9 ms 8.90
norton 15 ms 16 ms 16 ms 16 ms 16 ms 16 ms 15 ms 16 ms 16.60
cleanbrowsing 17 ms 17 ms 17 ms 17 ms 17 ms 18 ms 17 ms 17 ms 17.10
google 18 ms 18 ms 36 ms 27 ms 25 ms 26 ms 17 ms 26 ms 24.50
level3 29 ms 29 ms 29 ms 29 ms 29 ms 29 ms 29 ms 29 ms 29.00
nextdns 30 ms 31 ms 31 ms 30 ms 31 ms 30 ms 30 ms 30 ms 30.30
opendns 41 ms 18 ms 34 ms 37 ms 17 ms 36 ms 17 ms 51 ms 31.90
neustar 36 ms 35 ms 35 ms 36 ms 35 ms 35 ms 34 ms 35 ms 35.10
freenom 46 ms 46 ms 46 ms 46 ms 76 ms 46 ms 67 ms 81 ms 61.20
yandex 70 ms 68 ms 75 ms 72 ms 68 ms 69 ms 71 ms 77 ms 70.10
adguard 103 ms 104 ms 117 ms 104 ms 103 ms 139 ms 104 ms 138 ms 111.90
comodo 1000 ms 1000 ms 1000 ms 29 ms 1000 ms 29 ms 30 ms 1000 ms 516.30
#
Interestingly the first two, Quad9 and Cloudflare, seem to beat the rest in terms of speed almost regardless of location, thanks to their almost universal network presence: They have servers spread all over the world.
Which means we have two clear winners: Quad9, run by IBM (the name describing the main IP-address of the service – 9.9.9.9), and Cloudflare’s DNS service which could have been called Quad1, but isn’t because the company offers three levels of filtering at different addresses: None (1.1.1.1), malware filtering (1.1.1.2) and malware+adult filtering (1.1.1.3). Quad9 includes malware filtering.
What this means is that if you change your home router’s DNS setting to use one of these filtering addresses – and their respective backup address (so called ‘secondary DNS’) for resiliency – 149.112.112.112 if you choose Quad9, 1.0.0.2 or 1.0.0.3 if you choose Cloudflare – you have reduced exposure and increased security significantly for your home network. If you choose the adult filtering service from Cloudflare you have prevented your kids from accessing adult sites too. What’s there to lose? For more technical details, refer to the links below and this link for practical hints from Cloudflare.
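To make the ‘phone directory’ concrete, here is a small Python DNS client, added as an illustration – it is not code from this post, nor from Quad9 or Cloudflare. It encodes the question a resolver receives, decodes the answer, and shows the two ways a filtering resolver can refuse a name. The block-signalling conventions it assumes (Quad9 answering with NXDOMAIN, Cloudflare’s 1.1.1.2/1.1.1.3 answering with 0.0.0.0) come from the services’ own documentation, not from this post. The sample answers are constructed so the script runs with no network; with network access, swap in the real UDP transport at the bottom.

```python
"""Minimal DNS client (RFC 1035 wire format) to show what a resolver does and
how a filtering resolver refuses a name. Added illustration; not the post's
dnstest.sh and not code from Quad9 or Cloudflare."""
import socket
import struct
import time
from typing import Callable, List, Optional

QUERY_ID = 0x1234  # fixed for the illustration; a real client randomises this


def build_query(name: str) -> bytes:
    """Encode an A query: 12-byte header, QNAME as length-prefixed labels, QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)      # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes end the name
            return pos + 2
        pos += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return the transaction id, the response code and any IPv4 answers."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                 # skip the echoed question(s)
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"id": txn_id, "rcode": flags & 0x000F, "addresses": addrs}


def classify(resp: dict) -> str:
    """Read a filtering resolver's verdict. Assumed conventions: Quad9 returns
    NXDOMAIN (rcode 3) for a blocked name; Cloudflare 1.1.1.2/1.1.1.3 return 0.0.0.0."""
    if resp["rcode"] == 3:
        return "blocked (NXDOMAIN)"
    if resp["rcode"] != 0:
        return "error (rcode %d)" % resp["rcode"]
    if resp["addresses"] and all(a == "0.0.0.0" for a in resp["addresses"]):
        return "blocked (sinkholed to 0.0.0.0)"
    return "resolved"


def udp_transport(resolver_ip: str, timeout: float = 2.0) -> Callable[[bytes], bytes]:
    """Real transport: one UDP exchange with a resolver on port 53 (needs network)."""
    def send(query: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (resolver_ip, 53))
            return s.recv(512)
    return send


def lookup(name: str, transport: Callable[[bytes], bytes]) -> dict:
    """Resolve `name` via `transport`, timing the exchange like the post's test table."""
    t0 = time.perf_counter()
    resp = parse_response(transport(build_query(name)))
    resp["ms"] = round((time.perf_counter() - t0) * 1000, 1)
    if resp["id"] != QUERY_ID:          # reject answers that are not for our question
        raise ValueError("transaction id mismatch: unsolicited or spoofed answer")
    resp["verdict"] = classify(resp)
    return resp


def fake_answer(addresses: Optional[List[str]], rcode: int = 0) -> Callable[[bytes], bytes]:
    """Constructed resolver answers (not captured from any real service) so the
    script runs offline: a normal A record, an NXDOMAIN, or a 0.0.0.0 sinkhole."""
    def send(query: bytes) -> bytes:
        question = query[12:_skip_name(query, 12) + 4]
        answers = b"".join(
            b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)   # pointer to QNAME, A, IN, TTL
            + bytes(int(x) for x in a.split(".")) for a in (addresses or []))
        header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(addresses or []), 0, 0)
        return header + question + answers
    return send


if __name__ == "__main__":
    samples = [("normal answer", fake_answer(["142.250.74.174"])),
               ("Quad9-style block", fake_answer([], rcode=3)),
               ("Cloudflare-style block", fake_answer(["0.0.0.0"]))]
    for label, transport in samples:
        print(label, lookup("example.com", transport))
    # Live check (network required): lookup("example.com", udp_transport("9.9.9.9"))
```

Running the script prints a normal resolution of the Google address quoted in the post and the two block verdicts. The transaction id check in lookup is the one line worth keeping in any real client: a resolver’s answer is only trustworthy if it matches the question you actually sent.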
Instead of making this modification in your router, you can make it in every device (as described here for Apple devices) instead. Which is more work, but has the advantage of protecting your mobile devices when they’re away from home. So the smart thing to do is both – change the router setting and the settings on your family’s mobile devices.
For businesses the next (and natural) step is to sign up for a professional DNS filtering solution which includes a lot more than simple DNS filtering, like blocking certain file types, applying different levels of blocking to different parts of a network, monitoring and logging and more. A number of such services are discussed in this post.
While there is no downside to making an adjustment like this, there are a few caveats. One is that many of the free services on the market will collect your data and may sell them to interested parties. Quad9 and Cloudflare are safe in that they don’t sell data and collect them only as part of a service you have purchased. Which means that nothing is collected from the free services.
A second caveat is related to one of Apple’s recent security features. The iCloud Private Relay service effectively makes your network traffic invisible to your own ISP and other parties on the net, which is a good thing. It’s also noticeably slower at times and bypasses the DNS settings in the device and in the local router. In other words – if you use iCloud Private Relay, DNS filtering will not work, and you will have to make a choice. How to turn this service off is covered in this post.
A third caveat is VPNs: If you use one, the situation becomes akin to the Apple case above: You’re bypassing the locally configured DNS settings as part of the service. Which may be OK even though not all VPN services do DNS-filtering as comprehensively as the big ones. Also, if you’re using filtered DNS, you may not need a VPN service at all. Such services are not universally good and should not be used unless there is a specific need – because they are complicated, often slow, and sometimes a security risk in themselves. But that’s a different story – for another time and day.
There is a final point which is not a caveat, rather the opposite: The Internet directory service – the DNS – has had plenty of security issues of its own over the years. These have been addressed jointly by the technical community and the vendors, enhanced standards have been created and implemented, but the old, insecure variant is still in widespread use. This is obviously a bad thing, and one that the free and (most) commercial DNS filtering services address. Another incentive to spend a few minutes to make the change.
Bottom line: Use professional DNS filtering. It’s free, it’s fast and reduces both exposure and risk for all users. Good for you, good for the world.