The Importance of Using Secure DNS Servers

All good IT administrators know that maintaining a secure, productive and supportable computing environment means considering (and implementing) security at many levels. There is a whole load more to it than just installing a virus scanner on all your computers (though deploying a good antivirus and anti-malware solution is of course one element in this). Ideally you'll have endpoint protection for AV and malware on all desktops, laptops and servers (Onega tend to recommend and use Kaspersky, AVG and MalwareBytes depending on use case), but also a secure firewall (e.g. a good Watchguard XTM or similar unit) and external cloud-based email filtering to reduce the risk of anything untoward getting into your network in the first place.

One thing we are also now recommending (aside from reminding people about limiting use of full admin rights to a PC - see http://www.onega.net/blog/2015/6/4/are-you-logged-in-with-admin-level-credentials-on-your-computer-right-now ) is to set your external DNS servers to be secure servers.

In Q&A format, here you are:

Q. What is the difference between Secure and Non-Secure DNS Servers?
A. In this context, the answer is that a standard or non-secure DNS server does a good job of DNS resolution, turning your request for http://www.randomwebsite.com/ into the IP address (143.95.83.184 in IPv4 land as I type) that hosts the site, so that your web browser can connect to it or your email can be delivered to it. The resolution process is simple, fast and robotic: the DNS server will cache entries for fast response, or look them up for you recursively from first principles starting at the root DNS servers. When the server has the result, it gives it to you. A secure DNS server adds an extra level of security to this process. It will look up websites and Internet addresses, but before giving you the result it will check whether the IP address has a known good or known bad reputation (or check it with a virus scanner first). If the site is deemed clean, your computer is given the IP address in the blink of an eye. If the site is one that you'd probably be glad not to be visiting, the DNS server will redirect you to a harmless web page which will let you know why you are there.

Q. Put simply, what is the benefit of secure DNS?
A. It helps reduce the risk of accidentally browsing to an undesirable website that might otherwise have tried to install malware or other junk on your computer. You are therefore very likely to save hard money through reduced downtime and lost productivity, and through less time (and cost) spent fixing a machine afterwards.

Q. Which Secure DNS Servers do we recommend?
A. The two main contenders at the moment for secure DNS are:

Comodo Secure DNS: 8.26.56.26 and 8.20.247.20
(See https://www.comodo.com/secure-dns/index.html )

OpenDNS: 208.67.222.222 and 208.67.220.220 (others are available on premium packages - these are free for public use)
(See https://www.opendns.com/ )

Q. How do we implement Secure DNS?
A. Make a note of the DNS server addresses above, and either set these individually on a PC / laptop (if not in an office environment) or else set these servers as the DNS forwarding servers on a Linux / Windows / Mac server running DNS in an office environment. DHCP should give out DNS servers that forward to these (or give the addresses out directly if you don't have an Active Directory environment).
... or just ask Onega of course and we can help configure these for you quickly.
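
Once the change is made, it is worth checking that clients and forwarders really do point where you intended. The following is an added example, not Onega's own tooling: it audits a client's resolv.conf and a server's forwarders list against the four addresses listed above. It assumes a Linux client and a BIND server (one of several options for the office DNS server); the function names and sample file contents are constructed for illustration.

```python
import ipaddress
import re

# Filtering resolver addresses quoted in this article.
APPROVED = {"8.26.56.26": "Comodo Secure DNS", "8.20.247.20": "Comodo Secure DNS",
            "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS"}

def resolv_conf_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def bind_forwarders(text):
    """Return addresses in a BIND 'forwarders { ... };' statement (line comments stripped)."""
    match = re.search(r"forwarders\s*\{([^}]*)\}", re.sub(r"(//|#).*", "", text))
    return [a.strip() for a in match.group(1).split(";") if a.strip()] if match else []

def audit(servers, allow_internal):
    """Label each address: approved filtering resolver, internal DNS server, or failure."""
    findings = []
    for addr in servers:
        if addr in APPROVED:
            verdict = "ok: " + APPROVED[addr]
        elif allow_internal and ipaddress.ip_address(addr).is_private:
            verdict = "ok: internal DNS server"  # clients may point at the office server
        else:
            verdict = "FAIL: not a filtering resolver"
        findings.append((addr, verdict))
    return findings

# Constructed sample inputs (not taken from a real network).
CLIENT_RESOLV_CONF = """\
# pushed by DHCP
nameserver 192.168.1.10
nameserver 8.8.8.8
"""
SERVER_NAMED_CONF = """\
options {
    forwarders { 208.67.222.222; 208.67.220.220; };  // OpenDNS
};
"""

if __name__ == "__main__":
    results = audit(resolv_conf_nameservers(CLIENT_RESOLV_CONF), True)
    results += audit(bind_forwarders(SERVER_NAMED_CONF), False)
    print("\n".join(f"{addr:16} {verdict}" for addr, verdict in results))
```

In the sample, the client's second nameserver fails the audit: a machine that can fall back to an unfiltered resolver bypasses the protection even when the office server's forwarders are set correctly.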

Q. Is there a Cost?
A. If you are a business then it is of benefit to subscribe to one of the premium services. These carry a modest charge, but it is relatively trivial and, anecdotally, soon pays for itself. The premium services also give you the confidence of an SLA as well as extra features. As for the setup / installation / configuration of secure DNS in your environment, Onega would do this for you, either free if you are under a proactive maintenance agreement with us, or based on our standard PAYG time charges (it would normally take no more than an hour on the average client network's servers and firewalls, unless you have a really big system).

Q. What about Google's DNS - is that Service Secure? (8.8.8.8 and 8.8.4.4)
A. No, not in the sense being discussed here. Google being Google, that is likely to change over time.