Best public dns service for security?

I see opendns, google, dnsadvantage, norton...as options.

Which ones offers the best security?

I understand there may be a hit on speed just interested in security.

Ian

 

I go with GOOGLE.

 

I would go with OpenDNS.

 

I say OpenDNS.

 

Unless privacy is a concern yeah.

 

As far as it relates to security, I don't see where it will make much difference. There's no way a DNS service can keep up with malicious sites any more than a maintainer for a host file will. There's nothing a DNS service can do for you that your own system shouldn't already have covered. IMO, the biggest differences between them will be performance, and to a limited degree, privacy. I use Open DNS for its performance and reliability. For me, Google is out of the question because of their data hoarding alone.

Unless you're using TOR or an equivalent, there's no real privacy gain. Even if you use another DNS service, it still goes through your ISP where it can be logged.

 

Norton DNS may be of interest:

 

I tested the Norton DNS for a couple of days but since they block BetaNews I got rid of it. I'd rather have something that didn't filter so aggressively.

 

I think in both terms of security and privacy it's best to stick with your ISP's DNS. They see all the connections you make in any case and the attack surface is smaller because you don't introduce a 3rd party into the equation.
If you are really concerned about security there's only one answer anyway: DNSSEC.

 

Please forgive my ignorance but what is DNSSEC and how do I implement it?
What are some pros and cons?
I started using OpenDNS a few months ago in the interest of security.
Your advice has me questioning the wisdom of my decision.
As a home user need I be concerned about DNS security?
Thanks for your patience. I'm pretty new to anything beyond the "average" computer security measures. Been lurking here at Wilders for a couple years trying to learn.

 

you can check your current dns' security here
https://www.grc.com/dns/dns.htm

 

I haven't really looked into it though, someone with more knowledge may chime in. All I know is, DNS is pretty broken as it is and, sorry to disappoint you, but there isn't really any way you could change that right now.
When DNS was developed in the 80s the internet was a lot different than today and security wasn't even an afterthought. DNSSEC is here to fix that - better late than never. It's currently deployed and will take a year or so to be fully implemented.
As a starting point please see the wikipedia article.

In terms of security, it probably doesn't matter if you use them, your ISP's or some other public DNS like from Google. But I wouldn't use them for two different reasons:
Privacy, you are giving OpenDNS (or any other provider) a lot of data to mine they otherwise would have no access to, while you don't make it any harder for your ISP to monitor you.
They break basic functionality by default (redirecting invalid URLs which breaks a lot of applications that aren't browsers) and serve you ads instead. Add the data mining from above and you see why I'm no supporter of their business model.

In a business environment with a lot of PCs on a single network segment spoofing and poisoning is something to think about when designing the network. But for a home user I don't think that's a realistic threat to be worried about. And as mentioned above there isn't really anything you could do to improve the security anyway.

 

A related issue is DNS censorship.

Are there publicly-available DNS servers that route commonly black-holed IPs?

 

What is the feeling regarding using Open DNS (or Norton DNS) together with the WOT extension/add-on?

Specifically, does the use of a DNS that prevents access to phishing or malware sites make having WOT for the browser redundant?

 

In this case, the more the better I'd say. They don't conflict in any way because of vastly different technology and complements each other.
Anything found by the DNS would be automatically blocked, WOT won't see that page. If the DNS misses it, then WOT will be in action.

WOT is the most effective out of the three imo.

 

Hi JL, thanks for answering.

I agree that one can't have too much of a good thing, but are the technologies really different? I understand that WOT is based on feedback of users. I don't know how the DNS guys make up their "black lists".

 

The implementation is definitely different.
Your browser contacts the DNS server before loading the website. Therefore if it's on a blacklist, it will be blocked before even loading the website.

WOT works separately on your system. Once you reach the website, WOT will alert you.
By most effective I meant its database, not blocking method (I'm unsure on how well it works against drive-by malware, but that is very rare on up-to-date systems).

 

Although I appreciate being protected from malicious websites, blacklists also include various politically-incorrect websites. One can find IP lookups for blacklisted URLs on various topical websites.

Is there a blacklist-free DNS server that's publicly-available? OK, perhaps blacklist-free wouldn't be so good, given the risk of malicious redirects. And yes, I did ask essentially the same question two weeks ago, and got no response

 

I think I used the wrong term. What I wanted to get at was that both a DNS and WOT refer to a database, for blocking outright access in the case of DNS and for warning (and then blocking if that's how WOT is set up) in the case of WOT.

So just how the is database constructed? Won't both basically rely on feedback from users?

In that case, WOT (and those of its genre) maybe more "friendly" depending on how you set it up although it requires an additional step compared to blocking by the DNS.

But as you said, there's no need to take an "either or" attitude. It's just that I've noticed a few times that the WOT rings don't appear in my Google search results, other things being the same.

 

I think that Google's DNS would fit the bill currently.

 

Thanks. I'll test it and report.

 

I've been using Norton DNS for about a week without any noticeable negatives. (Maybe I'm not adventurous enough.)

 

It looks like Norton is now hijacking your DNS settings when you install NIS. I don't currently have NIS installed but I did a couple of weeks ago. Today when I go to download a file from Softpedia I get a Norton page telling me it is an unsafe site. I couldn't figure out at first why I was seeing a Norton page until I thought about DNS. I pulled up the settings for my wireless connection and sure enough there were the static IP's for Norton DNS. They never asked if I wanted it, told me they were doing it, or removed them on uninstallation of their product. It's not the worst thing that has ever happened to me by any means, but I really would appreciate them letting me know they are changing my DNS settings. Especially since they tend to block a lot of legitimate sites.

 

I have started using ClearCloud (Sunbelt) DNS today and so far I really like it.

 

Symantec products leaving elements behind on your system, nothing new there. Sorry to hear it though.