Best public dns service for security?

Discussion in 'other security issues & news' started by Iangh, May 28, 2010.

Thread Status:
Not open for further replies.
  1. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    611
    Location:
    Melbourne, Australia
    I see opendns, google, dnsadvantage, norton...as options.

    Which ones offers the best security?

    I understand there may be a hit on speed just interested in security.

    Ian
     
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I go with GOOGLE.
     
  3. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    I would go with OpenDNS.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I say OpenDNS.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Unless privacy is a concern yeah. :D
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    As far as it relates to security, I don't see where it will make much difference. There's no way a DNS service can keep up with malicious sites any more than a maintainer for a host file will. There's nothing a DNS service can do for you that your own system shouldn't already have covered. IMO, the biggest differences between them will be performance, and to a limited degree, privacy. I use Open DNS for its performance and reliability. For me, Google is out of the question because of their data hoarding alone.

    Unless you're using TOR or an equivalent, there's no real privacy gain. Even if you use another DNS service, it still goes through your ISP where it can be logged.
     
  7. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Norton DNS may be of interest:

     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I tested the Norton DNS for a couple of days but since they block BetaNews I got rid of it. I'd rather have something that didn't filter so aggressively.
     
  9. katio

    katio Guest

    I think in both terms of security and privacy it's best to stick with your ISP's DNS. They see all the connections you make in any case and the attack surface is smaller because you don't introduce a 3rd party into the equation.
    If you are really concerned about security there's only one answer anyway: DNSSEC.
     
  10. Fumo Tropo

    Fumo Tropo Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    15
    Location:
    Quel Paese
    Please forgive my ignorance but what is DNSSEC and how do I implement it?
    What are some pros and cons?
    I started using OpenDNS a few months ago in the interest of security.
    Your advice has me questioning the wisdom of my decision.
    As a home user need I be concerned about DNS security?
    Thanks for your patience. I'm pretty new to anything beyond the "average" computer security measures. Been lurking here at Wilders for a couple years trying to learn.:D
     
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
  12. katio

    katio Guest

    I haven't really looked into it though, someone with more knowledge may chime in. All I know is, DNS is pretty broken as it is and, sorry to disappoint you, but there isn't really any way you could change that right now.
    When DNS was developed in the 80s the internet was a lot different than today and security wasn't even an afterthought. DNSSEC is here to fix that - better late than never. It's currently deployed and will take a year or so to be fully implemented.
    As a starting point please see the wikipedia article.

    In terms of security, it probably doesn't matter if you use them, your ISP's or some other public DNS like from Google. But I wouldn't use them for two different reasons:
    Privacy, you are giving OpenDNS (or any other provider) a lot of data to mine they otherwise would have no access to, while you don't make it any harder for your ISP to monitor you.
    They break basic functionality by default (redirecting invalid URLs which breaks a lot of applications that aren't browsers) and serve you ads instead. Add the data mining from above and you see why I'm no supporter of their business model.

    In a business environment with a lot of PCs on a single network segment spoofing and poisoning is something to think about when designing the network. But for a home user I don't think that's a realistic threat to be worried about. And as mentioned above there isn't really anything you could do to improve the security anyway.
     
  13. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    A related issue is DNS censorship.

    Are there publicly-available DNS servers that route commonly black-holed IPs?
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    What is the feeling regarding using Open DNS (or Norton DNS) together with the WOT extension/add-on?

    Specifically, does the use of a DNS that prevents access to phishing or malware sites make having WOT for the browser redundant?
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    In this case, the more the better I'd say. They don't conflict in any way because of vastly different technology and complements each other.
    Anything found by the DNS would be automatically blocked, WOT won't see that page. If the DNS misses it, then WOT will be in action.

    WOT is the most effective out of the three imo.
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Hi JL, thanks for answering.

    I agree that one can't have too much of a good thing, but are the technologies really different? I understand that WOT is based on feedback of users. I don't know how the DNS guys make up their "black lists".
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    The implementation is definitely different.
    Your browser contacts the DNS server before loading the website. Therefore if it's on a blacklist, it will be blocked before even loading the website.

    WOT works separately on your system. Once you reach the website, WOT will alert you.
    By most effective I meant its database, not blocking method (I'm unsure on how well it works against drive-by malware, but that is very rare on up-to-date systems).
     
  18. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Although I appreciate being protected from malicious websites, blacklists also include various politically-incorrect websites. One can find IP lookups for blacklisted URLs on various topical websites.

    Is there a blacklist-free DNS server that's publicly-available? OK, perhaps blacklist-free wouldn't be so good, given the risk of malicious redirects. And yes, I did ask essentially the same question two weeks ago, and got no response :'(
     
  19. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I think I used the wrong term. What I wanted to get at was that both a DNS and WOT refer to a database, for blocking outright access in the case of DNS and for warning (and then blocking if that's how WOT is set up) in the case of WOT.

    So just how the is database constructed? Won't both basically rely on feedback from users?

    In that case, WOT (and those of its genre) maybe more "friendly" depending on how you set it up although it requires an additional step compared to blocking by the DNS.

    But as you said, there's no need to take an "either or" attitude. It's just that I've noticed a few times that the WOT rings don't appear in my Google search results, other things being the same.
     
  20. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I think that Google's DNS would fit the bill currently.
     
  21. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Thanks. I'll test it and report.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I've been using Norton DNS for about a week without any noticeable negatives. (Maybe I'm not adventurous enough.)
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    It looks like Norton is now hijacking your DNS settings when you install NIS. I don't currently have NIS installed but I did a couple of weeks ago. Today when I go to download a file from Softpedia I get a Norton page telling me it is an unsafe site. I couldn't figure out at first why I was seeing a Norton page until I thought about DNS. I pulled up the settings for my wireless connection and sure enough there were the static IP's for Norton DNS. They never asked if I wanted it, told me they were doing it, or removed them on uninstallation of their product. It's not the worst thing that has ever happened to me by any means, but I really would appreciate them letting me know they are changing my DNS settings. Especially since they tend to block a lot of legitimate sites. :thumbd:
     
  24. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    I have started using ClearCloud (Sunbelt) DNS today and so far I really like it.
     
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Symantec products leaving elements behind on your system, nothing new there. :D Sorry to hear it though.
     
Loading...
Thread Status:
Not open for further replies.