National Cybersecurity Awareness Month 2020 and The Domain Name System (DNS)
By Joe St Sauver and Ben April
October is National Cybersecurity Awareness Month (NCSAM). DNS security is not only important for enterprises – it is important for consumers, too.
We know, we know. During this month, you may feel as if you're "back in high school" because everyone will be suddenly "giving you homework" such as:
- Getting your computer, smartphone, tablet and home wireless router patched up-to-date
- Backing your system up (in case your system gets encrypted by ransomware or gets lost or stolen)
- Getting your system set up to use a password manager
- And making sure you've got an antivirus product installed (with up-to-date antivirus definitions!)
You really should be doing all those things. Yes, it can be a pain to "do your chores," but doing those things will usually help to keep you safe(r) online. In this blogpost, we are going to share what consumers need to know – and steps to take – regarding DNS security to help improve your security and privacy online.
2. Important As Those Things Are, That's Not ALL You Should Be Thinking About
You should also be thinking carefully about your DNS (Domain Name System) settings.
We say this knowing that you've probably never even heard of "DNS." We also know that you're probably wondering "how can something I've never even heard of be important?"
Here's the "bullet point" version:
DNS is often called "the phone book of the Internet."
It's the service that resolves Internet "domain names" (such as www.farsightsecurity.com) to the underlying numeric IP addresses your computer and the Internet actually use (such as 220.127.116.11). The DNS does this for you whenever you're using the Internet. You haven't had to "know about it" or "think about it" because it generally "just works." That's good because:
- If your DNS is broken, the Internet will feel like it's "down," with web sites and other stuff all being inaccessible.
- If your DNS works but is slow, your connection to the Internet will feel slow (no matter how fast a connection you may have bought).
- If your DNS works but is insecure or untrustworthy, you can be sent wherever an attacker wants you to go, instead of going to your intended destination.
DNS traffic is also potentially important because it can tell your DNS service provider what you're doing online. Your DNS provider should be assumed to know pretty much everything you're doing online, whether that's planning a vacation to Hawaii, arranging for cancer treatment, filing for bankruptcy, shopping for clothes, or watching videos. (Marketers/advertisers adore this sort of consumer profiling information).
Depending on the DNS service you pick, DNS can also be configured to help protect you by blocking accidental visits to known bad sites (such as malware-dropping sites, phishing sites, scam sites, spam sites, etc.).
3. What Do Most Consumers "Pick" For Their DNS? They Usually Just Use Whatever DNS They're Given…
Crazy, isn't it? Now that you know how potentially important DNS can be, you'd think everyone would really pay attention to the DNS service that they're using, but in reality few ever do. Here's what we suggest…
a) Begin by figuring out what DNS service you're currently using. To do this, try visiting DNS Leak Test (the "Standard test" available from that site should be fine):
i. For example, if you're connecting via Comcast and you're using their DNS by default, you should see something like the following (you may see different hostnames/IPs, but the ISP shown is the key part):
ii. If you're intentionally (or inadvertently) using a third-party DNS service (perhaps as a result of using Firefox in its default config as your web browser), you might see something more like this, instead:
Again, don't get hung up on the specific IPs or the quoted location (which may vary depending on your computer's location). Instead, note that rather than pointing at our ISP's default name servers, we're using a "Cloudflare" name server. (Firefox may use different name servers than other applications, or even other web browsers – try comparing what Firefox shows to what Chrome shows.)
iii. As a final example, consider the "Opera" web browser. It comes with a free/built-in VPN ("virtual private network"). If that VPN gets used, it can be set to backhaul traffic to VPN concentrators in the Americas, in Europe, or in Asia. In this case, we've set it to use "Asia." Having done that, our Opera web browsing is going via Singapore, and we're getting name service from name servers located there, too:
iv. Note that the name servers you use may vary depending on how/where you connect. For example, if you connect at a hotel while traveling or at your workplace or school, those alternative locations may result in you using different name servers.
b) Next check out the policies and operational details of the name servers you're using.
Does the DNS service you're using promise to protect your privacy? Check the DNS service's policies to find out. For example, see:
Does the DNS service you're using actually filter anything out? Some DNS services filter phishing sites, malware-related sites, scam sites, spam sites, etc. Others may also offer a "family" mode that filters sexually explicit content that might be inappropriate for children. Often these filtered DNS services are paid offerings, but there are some services that are free for select audiences. See, for example:
c) Hold Tight? Or Make A Change?
If you're happy with the DNS service you're using, great – you need do nothing. "Just keep on keeping on." You've now done your due diligence.
On the other hand, if you want to change your name servers, check out the information provided by the service you like – they'll normally walk you through the technical details of doing so.
d) Do It Yourself?
Finally, if you're a technically inclined computer enthusiast, another option may be to run your own recursive resolver rather than relying on any third-party provider. (See, for example, this Business Insider interview with Farsight CEO Dr. Paul Vixie: "Internet pioneer Paul Vixie thinks we're giving up both privacy and speed thanks to the way we've configured our internet connections".)
The details of how to do that are beyond the scope of this blog article, but you can easily find a variety of "How To" articles that will walk you through the process. One example of such an article would be "Block ads at home using Pi-hole and a Raspberry Pi". That open source recursive resolver project would act as your local recursive resolver, while also blocking (or at least reducing) the online ads you're shown.
4. "I Think Something Odd May Be Going On…"
Finally, be aware that if you're infected with some types of malicious software, your DNS service may have been redirected to bad name servers without your permission. If you check your name servers and find yourself pointing at "weird"/"unexpected" name servers, or if you find yourself going to sites you didn't expect to visit, your computer (or your home wireless router) may be infected with malware that's changed your name servers to ones controlled by bad guys.
See, for example:
We recommend that you seek assistance with your computer in that case.
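A local companion to the DNS Leak Test check in step 3(a) and to the "weird/unexpected name servers" warning just above, added here as an example (it is not part of the original post or any Farsight tool): it reads a resolv.conf-style configuration and flags any resolver that is neither on your home network, nor a well-known public service, nor one you have explicitly told it to expect. The public-resolver allow-list and both sample configurations are constructed for the example.

```python
import ipaddress

# Resolvers that belong on a home network: LAN, loopback and link-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Well-known public resolver addresses. This allow-list is constructed for the
# example; add the resolvers your ISP or chosen DNS service publishes.
KNOWN_PUBLIC = {
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
}


def parse_resolv_conf(text):
    """Return the addresses from 'nameserver' lines, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def classify_resolver(addr, expected=()):
    """Label one resolver: 'expected', 'local', 'public' or 'unexpected'."""
    if addr in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an IP address at all
        return "unexpected"
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    if addr in KNOWN_PUBLIC:
        return "public"
    return "unexpected"


def audit_resolvers(text, expected=()):
    """Classify every resolver; verdict is 'review' if any is unexpected."""
    report = {s: classify_resolver(s, expected) for s in parse_resolv_conf(text)}
    return ("review" if "unexpected" in report.values() else "ok"), report


# Constructed samples (not captured from a real system). 203.0.113.77 is a
# documentation-range address standing in for a resolver nobody configured.
SAMPLE_OK = "# from the home router via DHCP\nnameserver 192.168.1.1\nnameserver 1.1.1.1\n"
SAMPLE_ODD = "# second entry appeared without anyone setting it\nnameserver 192.168.1.1\nnameserver 203.0.113.77\n"

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("odd", SAMPLE_ODD)):
        print(name, audit_resolvers(cfg))
```

On a Linux or macOS machine you would pass the contents of /etc/resolv.conf to audit_resolvers, and put your ISP's published resolver addresses in the expected tuple.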
DNS is not the only channel that ISPs and others may use to get information about your traffic. Using a VPN (Virtual Private Network) may also help improve your privacy, although even using a VPN does not guarantee total anonymity, as emphasized in the recently released VPN Trust Initiative Principles.
We hope you've enjoyed this DNS review as part of National Cybersecurity Awareness Month. Stay safe online and in the physical world, wherever you and your family may happen to be.
Joe St Sauver Ph.D. is a Distinguished Scientist and Director of Research with Farsight Security®, Inc.
Ben April is the CTO with Farsight Security®, Inc.