Optimizing DNS for Better Performance, Filtering, and Security

A frustrating part of surfing the Internet is slow and sluggish domain name system (DNS) resolutions. Most Internet users don't realize that often a website or other service that seems slow to respond is actually working fine.

Instead, it’s the resolution of DNS that is putting a glitch in your giddy up. There is a wide range of reasons why DNS might be sluggish, ranging from an over-taxed server being used by too many users to insufficient memory to complicated iterative queries.

Tuning DNS resolution can improve performance and result in much faster internet interactions. There is also growing concern among many that there are malicious sites or unacceptable content online that should be filtered. DNS filtering offers a means to limit or restrict access to some of these problematic concerns.

Finally, there is also a need to be aware that communication eavesdropping is increasing. Both adversaries as well as your own internet service provider (ISP) may be monitoring your online activities. While many have opted into deploying a VPN for online interactions and a majority of the sites visited are now protected by TLS encryption (i.e., HTTPS), there are still many circumstances where DNS queries occur outside of these protections and they are subject to being viewed by others. There are DNS encryption options available which can improve the privacy protection of online activities.

DNS Tuning for Performance

There are several steps you can take to optimize your DNS to get better performance. Often performance improvements can be realized just by changing the DNS lookup server address being used.

For most networks, the DNS server lookup address is defined on your main network management device where the Dynamic Host Configuration Protocol (DHCP) is being performed. For most home users and small office environments, this will be on your wireless access point (WAP). For enterprise networks, this will be most often a dedicated DHCP server or appliance. The DHCP service can be configured to hand out a preferred DNS address to devices as they receive their IP address lease. Often you will piggyback on your ISP's DNS server(s) by default, but this is usually not the most efficient option.

The first and easiest option to improving DNS performance is to switch to an alternate DNS server for performing lookups. Consider using one of the free and open DNS servers rather than your ISP's. Many are available. Several common ones are:

• OpenDNS (http://www.opendns.com/):
  • IPv4 address: 208.67.222.222 or 208.67.220.220
  • IPv6 address: 2620:119:35::35 or 2620:119:53::53
• Google Public DNS (https://developers.google.com/speed/public-dns/):
  • IPv4 address: 8.8.8.8 or 8.8.4.4
  • IPv6 address: 2001:4860:4860::8888 or 2001:4860:4860::8844
• Cloudflare (https://1.1.1.1/):
  • IPv4 address: 1.1.1.1 or 1.0.0.1
  • IPv6 address: 2606:4700:4700::1111, 2606:4700:4700::1001, 2606:4700:4700::64, or 2606:4700:4700::6400
• Watch (https://dns.watch/):
  • IPv4 address: 84.200.69.80 or 84.200.70.40
  • IPv6 address: 2001:1608:10:25::1c04:b12f or 2001:1608:10:25::9249:d69b
• Level 3/CenturyLink DNS (http://www.level3.com/):
  • IPv4 address: 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6, 209.244.0.3, or 209.244.0.4

Picking at random one of these public DNS servers might not provide the most optimal DNS resolution speed. But there is a good chance it will provide better performance than whatever default DNS option is provided by your ISP.

It would be a good idea to try out several options before settling on the one to stick with. However, making a selection as to which alternate DNS server to use is somewhat subjective. You would pick the one that seemed to be faster than the others. Since there are lots of variables here, such as your web browser caching content, changing server loads, fluctuations of general internet activity, and your own perception. You may want to use each DNS option for a few days to see if there is a noticeable difference.

If you want a more systematic and data-driven approach to find out what the fastest DNS resolver is for your location, you need to use the DNS Benchmark tool from Steve Gibson of GRC fame. DNS Benchmark is a free Windows tool that will perform a detailed performance analysis against a range of DNS servers to discover which one is the most efficient and responsive at the time of testing.

How to Get Started

To get started, grab the tool, read the online instructions, then start the test. In about 30 minutes, you'll have your location-specific results. In most cases, selecting one of the top three DNS servers discovered by this tool will give you the highest performance results. If extremely optimized DNS resolution is essential to your internet experience, then you may want to repeat this DNS Benchmark test every few months.

Setting the DNS server lookup address on your DHCP service will ensure that all members of the network that receive a dynamically assigned IP address will be issued your preferred DNS address. If you are unable to change the DNS lookup address assigned to every system, or just don’t want to, but you still want to optimize DNS performance on your individual systems, then local DNS lookup configuration changes need to be made.

Local DNS configurations override the dynamic assignment. Even if the device accepts the host IP address, subnet mask, and default gateway that is dynamically assigned by the DHCP service, the local system can have a static DNS lookup server defined, which will cause the DHCP offered one to be ignored. This is especially useful if you are connecting using a public network link or working from a customer’s location. Local DNS configuration allows you to set your preferred lookup server address regardless of what network you connect to.

A Few Cautionary Statements

For some public networks, such as hotels and coffee shops, you often have to interact with a captive portal. A captive portal is that page that appears automatically in your web browser once you connect to a network and then attempt to visit a site of your choosing.

The network will automatically redirect you to its own local terms and conditions. Some networks may require nothing other than agreement to terms, while others may require payment, watching advertisements, a code from a receipt, authentication using your last name and room number.

If there is a captive portal on the local network, then changing your local DNS lookup server might prevent your system from accessing the captive portal and in turn block your network access in general. Thus, you may want to use the default/local DNS lookup server initially, and once you have either past the captive portal or discovered that there is not one, then change your DNS configuration to your preferred choice.

DNS Server Lookup Optimization Is a Moving Target

A second caution is to understand that DNS server lookup optimization is a moving target. The best response-performance DNS server today may not be the same server a few days from now.

So, you need to be satisfied with a DNS service that is good rather than always wanting the fastest. If you demand the best, you will need to re-evaluate DNS systems regularly. If you re-test too often, you will spend more time testing than you will gain. However, never re-evaluating DNS performance could mean you are missing out on better performance. I would recommend rechecking DNS performance about once a quarter but no more than once a month.

DNS Performance Is Connection Based

A third concern is that DNS performance is connection based. What I mean by that is the best DNS server for you from your primary work location may not be the same when connecting to a different network. The best DNS server for you from the head office may be different from the one while working from home, which also would likely be different from the best option at a hotel or that coffee shop.

I doubt it is worthwhile to perform a full DNS benchmark each time you connect to a new network, especially if you are only going to be connected to that network for a few minutes to a few hours. Thus, I would reserve the retest time investment for when you will work and connect from a new network location for more than a few days (such as when on a business trip).

If you elect to only change the DNS lookup address on individual systems, then in order to fully benefit from the changed lookup target you need to either reboot or manually flush the DNS cache in order to clear out any previous resolutions being held in memory.

On Windows, this is accomplished from a Command Prompt using ipconfig /flushdns. On Linux, this is accomplished from a terminal window using sudo /etc/init.d/nscd restart.

DNS Tuning for Filtering

In addition to optimizing DNS resolution speed, you might also want to take advantage of DNS content filtering capabilities. DNS content filtering is when the DNS resolution servers are configured to block or deny resolution of certain Fully Qualified Domain Names (FQDNs) based upon the content hosted at those sites or locations.

For example, you could elect to use a DNS filtering service that blocks access to some content, or which allows resolution of only safe FQDNs, there are even DNS filters for blocking phishing, scam, and other forms of malicious sites.

There are many services that offer DNS filtering, here are a few examples:

• CleanBrowsing (https://cleanbrowsing.org/filters): Adult content filter:
  • IPv4 address: 185.228.168.10 & 185.228.169.11
  • IPv6 address: 2a0d:2a00:1::1 & 2a0d:2a00:2::1
• CleanBrowsing (https://cleanbrowsing.org/filters): Family filter:
  • IPv4 address: 185.228.168.168 & 185.228.169.168
  • IPv6 address: 2a0d:2a00:1:: & 2a0d:2a00:2::
• CleanBrowsing (https://cleanbrowsing.org/filters): Security filter:
  • IPv4 address: 185.228.168.9 & 185.228.169.9
  • IPv6 address: 2a0d:2a00:1::2 & 2a0d:2a00:2::2
• OpenDNS (https://www.opendns.com/): Family filter:
  • IPv4 address: 208.67.222.123 & 208.67.220.123
• Neustar UltraDNS Public (https://www.publicdns.neustar/): Threat Protection:
  • IPv4 address: 156.154.70.2 & 156.154.71.2
  • IPv6 address: 2610:a1:1018::2 & 2610:a1:1019::2
• Neustar UltraDNS Public (https://www.publicdns.neustar/): Family Secure:
  • IPv4 address: 156.154.70.3 & 156.154.71.3
  • IPv6 address: 2610:a1:1018::3 & 2610:a1:1019::3
• AdGuard DNS (https://adguard.com/): Family protection:
  • IPv4 address: 94.140.14.15 & 94.140.15.16
  • IPv6 address: 2a10:50c0::bad1:ff & 2a10:50c0::bad2:ff
• DNS for Family (https://dnsforfamily.com/): Family protection:
  • IPv4 address: 94.130.180.225 & 78.47.64.161
  • IPv6 address: 2a01:4f8:1c0c:40db::1 & 2a01:4f8:1c17:4df8::1

A more advanced option is available for free through Cloudflare Gateway, but it does require registration and providing a form of payment as well as some setup. Fortunately, there is a setup guide that walks you through the process, so you don’t have to be a skilled DNS or network technician.

Cloudflare Gateway’s DNS filtering services allow you to enable a simple SafeSearch and then add or customize from there. The configuration options include blocking malicious and suspicious sites that relate to spam, phishing, botnets, spyware, crypto mining, etc., quick blocking of topical groups of domain names that relate to drugs, child abuse, deceptive advertisements, adult themes, and questionable content, as well as the ability to add your own FQDNs to block.

In addition to this, you also have access to an analytics dashboard where you can monitor and investigate internet activity and DNS resolution attempts in detail.

There are several subscription service DNS filtering solutions, but with the free options listed here, most of your needs should be met without having to expend funds.

It is also possible to deploy your own local DNS filtering function. Some WAPs and firewall products include this feature, but you can also install custom software. However, this does place the entire burden of populating your blocklist on your own shoulders. I prefer to use a service for that rather than adding one more thing to do onto my already too long list of network management tasks.

There is also the potential of using DNS filtering as a means to block advertisements and minimize tracking activities. There are many options for this type of filtering, but many require a paid subscription. One example of a free service that blocks ads and tracking is available from AdGuard:

• AdGuard DNS (https://adguard.com/): Ad & tracking protection:
  • IPv4 address: 94.140.14.14 & 94.140.15.15
  • IPv6 address: 2a10:50c0::ad1:ff & 2a10:50c0::ad2:ff

However, if you choose to block ads and tracking, you should realize that many sites are able to detect that and may block you from accessing their content while the advertisement and tracking services are blocked.

While many of us want to eliminate or minimize ads and tracking, many web sites exist only because they receive payment from marketing and tracking organizations. Whether or not you agree with that business model, you may be limiting access to legitimate sites and services if you use an ad blocking DNS filter. You need to weigh the benefits and drawbacks of that choice.

DNS Tuning for Security

We all should be well aware by now that there are entities online that are attempting to monitor, record, and track our every move. Some of this gathered information is used to optimize services and target advertisement and products. While some of the gathered information could be used by adversaries to perform identity theft, account takeover fraud, or other forms of impersonation. Whether criminal attacks or just your local ISP, it is often necessary to implement your own protections against unwanted monitoring.

DNS security was initiated over a decade ago with the development of DNSSEC (DNS Security). This is a DNS improvement which installs a digital certificate onto each DNS server. DNSSEC ensures that communications between DNS servers is verified using mutual certificate authentication and is then protected inside a TLS encrypted communications tunnel. A majority of DNS servers on the internet are now DNSSEC compliant. However, DNSSEC does not extend its security protections to the endpoints, it only covers DNS servers.

Fortunately, there are client or endpoint DNS security options available now. There are currently two primary DNS security options that many endpoints might adopt or even support natively. These are DNS over TLS (DoT) and DNS over HTTPS (DoH).

DNS over TLS (DoT) is used to encrypt the DNS query transaction using TLS. This creates a modified and secured DNS protocol which operates over TCP port 853. Normally in traditional DNS, TCP port 53 is used for DNS server to DNS server communications, typically referred to as zone transfers, while UDP port 53 is used for DNS queries.

With DoT, the TCP protocol is being used to support queries instead of UDP and this also allows for the use of the TLS encryption tool. While DoT does provide for encrypted DNS, it does not seem to be as widely supported in the industry as DoH. DoT is natively supported by Android 9 and newer and iOS 14 and newer. Most other platforms require additional software to add DoT support. There are numerous DoT DNS providers, but not as many as DoH providers. It is not clear why DoT is not as widely adopted as DoH, but one potential reason is that DoT operates on a unique port, TCP 853, which can be blocked to prevent the use of DoT.

DNS over HTTPS (DoH) also benefits from TLS encryption, but accomplishes this by using a standard secured web session over HTTPS as a type of VPN tunnel to carry the DNS query. Therefore, DoH communications occur over the same TCP port 443 as secure web transactions. DoH queries and responses are now “lost” or “hidden” amongst the secure web communications. This means that blocking DoH is much more difficult and not based on blocking a single port.

DoH seems to be much more popular because it is natively supported in many operating systems, including Android, iOS, MAC OS, and Linux. There are also many individual software products, mostly browsers, which also support DoH, even if the host OS does not support it or it is not configured. These browsers include Chrome, Firefox, Edge, and Opera. Even without native DoH support, it is easy to add DoH to Windows through an add-on application named “Simple DNSCrypt” from https://simplednscrypt.org/. 

I am a primary Windows user and this is the DNS encryption product I use. However, I caution against deploying this tool on systems used by non-technology savvy persons, as this tool often requires configuration adjustment and depending upon the network, it may need to be temporarily disabled to establish a connection (usually to deal with captive portals).

Recent Advancements

A recent advancement of DoH is Oblivious DNS-over-HTTPS (ODoH). The remaining privacy concern with DoH was that the owner of the DoH DNS resolver could track the FQDN being resolved and link them to the endpoint’s IP address.

This is the very information that was to be protected by DoH so that ISPs and adversaries could no longer access or collect this data. However, entities could run their own DoH server and still collect that information from anyone electing to use their services. The advancement of ODoH is to implement a proxy between the endpoint and the DoH server so that the source IP address of a query and the query/response contents are separated from each other.

The DoH proxy uses NAT/PAT to change the source IP address of the requesting endpoint, then forwards the still encrypted query payload to the DoH DNS resolver. As long as the DoH proxy and DoH resolvers are operated by separate entities, the privacy of the queries themselves remains protected. One of the early adopters and supporters of ODoH is CloudFlare. You can read more about their adoption of ODoH and their proxy partners at https://blog.cloudflare.com/oblivious-dns/.

Whether you implement a secure DNS solution through your OS, only your web browser, or through an add-on application, I think it is a significant improvement in privacy protection compared to traditional DNS.

Time to Implement DNS Changes

It is always our responsibility to ensure that our online communications are secure. We have made great strides in securing web and email communications with TLS encryption, so it is long past time that we focus our attention at other common and essential protocols and services like DNS.

Based on my recommendations in this white paper, you now have the knowledge and tools to improve your DNS performance, implement DNS filtering, and optimize your DNS security and privacy.

Improving DNS for your organization or just your own personal systems and devices is just a start. There are many other important security concerns that you need to be aware of.

Because only with knowledge can you make a change for the better. Everyone has security responsibilities, both for themselves and for their employer. That responsibility starts with knowing more and seeking out means to gain more knowledge.

One source of additional knowledge is the educational materials made available from Global Knowledge. Global Knowledge offers a wealth of online resource such as this white paper and other online materials. Global Knowledge is also a world leader in training, both in-person on-site instructional courses, as well as live online virtual classes and pre-recorded at-your-own-pace lessons. Find out more about the educational opportunities from Global Knowledge at www.globalknowledge.com.

Related courses

• CISSP Certification Prep Course
• Security+ Certification Prep Course
• Certified Network Defender (CND) Certification Prep Course
• CEH Certification Prep Course
• CySA+ Certification Prep Course
• CASP+ Certification Prep Course