Change Your DNS Resolver 

DO THIS NOW!

 

Welcome back to the second installment of our “DO THIS NOW!” series, in which we offer simple, low-to-no cost steps you can take to improve your personal or business cyber security. Today’s topic sounds wonky and technical, but it is really a quite simple concept. Bottom line up front: You can use free or low-cost services to help prevent you (or your family) from inadvertently browsing to malicious websites. These same services can also limit your children’s access to sites you deem inappropriate.  Quick disclaimer: The tools we will describe today should be a layer in your cyber security efforts. They are not a magic bullet, and don’t absolve you of the need for vigilance against phishing or other attacks.

 

What is a Domain Name System (DNS)?

If you already understand how the Domain Name System (DNS) works, feel free to skip ahead. If not, its time for a little primer that begins with a simple analogy. You want to send a birthday card to your Aunt Sally in Wisconsin. If you just wrote “Aunt Sally in Wisconsin” on the envelope, the Postal Service would be unable to deliver your card. The Postal system doesn’t work based on names – it works based on addresses. You don’t have Aunt Sally’s address memorized, so you consult an address book and get her address. You drop it in the mail, and within a few days, bring a smile to her face.

The internet works in a very similar fashion. I may want to go to badgerinfosec.com – but that is just a name and by itself won’t get my browser where I want to go. I need to consult an address book to get the actual address for my browser to visit. When you type “badgerinfosec.com” into your browser and hit enter, your browser consults an address book for you.

 

That address book is called a “DNS resolver”, which is a server that looks up the name you provided and returns the “real” address. In geek speak, this is called the “IP address”, and looks something like “129.42.38.10.”  You usually never see this address – the browser takes care of translating the website name and initiating the actual website request behind the scenes. 

 

DNS Resolvers – An Opportunity for Defense

This system presents an opportunity to shim in a layer of security. Most, but not all, malicious links you receive in a phishing email are names for the evil site – not the actual IP address. If you click on one of these links, your browser must perform a DNS lookup to get the address, just like for any other name. If you are using your Internet Service Provider’s (ISP’s) DNS resolver, you will likely get back the malicious IP and be off to frolic in the land of evil. But what if you used a different DNS resolver? What if you chose one that doesn’t just blindly hand out IP addresses, but one which tracks known evil sites and refuses to send their IP address back to you? 

 

That is exactly what “filtering” DNS resolvers such as OpenDNS, Quad9 and CleanBrowsing do. If your browser requests a name translation to a known evil site, they refuse to give you the address. Instead, they send you someplace to explain that you are courting evil…or at least going someplace that you might not want to be:

Villains create thousands of new domain names daily, and it is takes time for the evil to be detected and blocked – so these solutions aren’t going to protect you from everything. But some security is better than no security, which may be what you currently have with your ISP’s default DNS resolver.

Some of these filtering DNS resolvers (e.g. OpenDNS, CleanBrowsing) offer options that can help block unwanted content such as adult sites. The level of control you get depends on whether you want to drop real coin, but the free options are good. 

 

One note of caution: Some of these services may break your ability to use a Virtual Private Network (VPN). But it is fairly painless to change resolvers on your local machine, allowing you to use a less restrictive resolver whenever needed. 

 

DNS Resolver Implementation

The most effective way to protect all the devices connected in your home is to configure the DNS resolver settings on your ISP-provided modem/router. We are going to use a web browser to connect to that small blinky box that your ISP deposited in your home. There are thousands of varieties of router out there, but for most, it is a similar process – and I promise, it’s not hard. This journey may take you to some unfamiliar places, but they are not scary! That being said: You can take down your internet connection by monkeying with the wrong things in your router – so take your time and be sure you are in the right place before making changes. Before you change anything, write down the original values. You always want to be able to undo what you have done. But here we go:

1. The first thing you will need to do is to access the router’s web-based dashboard. Connect to your home network, open a browser, and enter – wait for it – an IP address. Which IP address? Chances are, one of the following will get you to the dashboard
2. 192.168.0.1, 192.168.1.1 or 192.168.2.1 
3. 10.0.0.1, 10.0.1.1 or 10.1.1.1

When you type the IP address into your browser, manually type http:// before the address. Many modern browsers default to https:// (note the “s”), but most home routers don’t support encrypted communications.

Once you hit enter, expect to get some sort of warning that your connection isn’t secure – but it’s OK, I promise. You may need to select a button like “advanced” in Chrome in order to proceed.

If the above IP address options don’t work for you, you can determine your router’s IP address by getting your hands a little dirty in the command line. In your Windows search bar, type “cmd” (no quotes) and hit enter. Once the command prompt appears (black window, white letters), type:

ipconfig | findstr /i “Gateway”

You should be able to easily see the IP address you need:

• Once you are at the web interface, you will need to login. Hopefully you know your credentials, because you changed them and securely stored them when you first got the router. If not, try looking for a sticker on the device. If still stuck, try googling your router’s model number with “default password.” 
• CAUTION: Do not get confused if you see a link to a setting for “Dynamic DNS.” This is NOT what you are looking for – stay away!
• Now here is the part where you need to do some exploring – or perhaps Googling by your router’s model number. Seriously, if you are at all uncomfortable with where this is going, do a two word google search: “OpenDNS” and “<YOUR ROUTER’S MODEL NUMBER>”. 
• You are looking for the section that allows you to enter the IP addresses of the DNS resolver you have chosen. Some clues to aid your search:
  • On many home routers, you will find these under ADVANCED SETTINGS > WAN SETTINGS. 
  • The language used to describe the setting will vary, but it will almost always have a place to enter two IP addresses – one primary and one secondary. You can use the same address for both.
  • If you see options for IPv4 and IPv6, Choose IPv4
  • The fields may be labeled “DNS 1” and “DNS 2.” 
  • If you have an option to select DNS type, choose “Static DNS

Once again, your router will likely be different than mine, but here is a sample walkthrough for configuring a home router to use OpenDNS Family, which has a primary IP address of 208.67.222.123, and a secondary of 208.67.220.123:

After you login, go to the Advanced Setup Feature.

Look for WAN Settings, and any sub-menus with “WAN” in the title. CAUTION: Avoid the “Dynamic DNS” area – you can see this in my example just below where you really want to be.

I ensured that “Static DNS” is chosen, and enter the primary and secondary IP addresses for OpenDNS FamilyShield.

After that, look for some sort of “Apply” or “Save” button near the bottom of the page. Your router may reboot, and if so, you may temporarily be kicked off the network. No worries – you just added a layer of security to your life – small price to pay.