Router Security | Long DNS Explanation
Website by Michael Horowitz
Devices connected to the Internet are assigned unique numbers called IP addresses. You know this site as RouterSecurity.org and its number/IP address is 216.92.136.14. All communication on the Internet is based on these unique numbers; the names of websites and assorted servers are just a convenience. The system that translates names into the underlying numeric IP addresses is called DNS (Domain Name System), and the computers that do the translation are referred to as DNS servers.
It rarely matters, but if you are curious, there are many ways to learn the underlying IP address(es) for a particular website/server/computer. One page that offers this service is www.ipaddress.com/ip-lookup (where hostname means computer name).
DNS servers are extremely important. Probably 99% of all communication between two computers on the Internet starts with a call to a DNS server to translate a computer name into an IP address. Every Internet Service Provider (ISP) is required to provide access to a DNS server as part of every Internet connection. In fact, DNS is so important that at least two DNS servers are configured for every connection to an ISP.
Malicious DNS servers can do what any malicious translator can do - lie to you. For example, they might send you to a scam copy of a website. This can be very hard to detect as the web browser displays the correct address/URL. A Citibank customer, for example, would see citi.com in their browser and there is nothing Citibank can do about this. Not every server on the Internet is a website; DNS can send you to the wrong computer for anything you try to access.
Malicious DNS servers can also spy on you. In the US, ISPs are allowed to spy on their customers and logging DNS requests is a simple cheap way to do so. Your DNS history shows all the computers/websites/servers you contact. It shows which cloud provider you use for off-site backup, which email system you use, which political party you belong to, perhaps which doctors you use, etc. Some DNS providers promise not to log anything.
Technical people who don't want to see ads play tricks with DNS so that computers serving ads, such as ad.tagdelivery.com, ads.mopub.com or ads.yieldmo.com, are purposely translated to invalid IP addresses, which blocks the ads.
Some technical people like to focus on the speed of different DNS providers. They are morons. Speed is the least important aspect of any DNS provider (so said the Defensive Computing guy). None of my suggested DNS providers were chosen for their speed.
This website is www.RouterSecurity.org. Is there an aaa.RouterSecurity.org or a bbb.RouterSecurity.org? No. And if you try to visit them, you get a DNS error. You may not realize it's a DNS error though. Chrome version 129 says the " ... server IP address could not be found." and "ERR_NAME_NOT_RESOLVED". The process of translating a computer name into an IP address is known as resolving. Firefox version 133 says "We can't connect to the server at aaa.RouterSecurity.org". It says nothing about DNS or resolving.
Lingo alert: A DNS server is sometimes referred to as a DNS resolver.
The Test Your DNS page on this site exists because the Defensive Computing thing to do is to both know what your DNS servers should be and what they actually are. To be clear, the "testers" there are not checking whether DNS servers are functioning correctly, they are reporting the DNS servers that your computing device is currently using.
Note that the answer from any DNS tester is transitory. It is only valid as long as the tested computing device remains on the same network, is using the same web browser and does not start or stop a VPN connection.
This service is needed because DNS has gotten much more complicated since it was first invented. Just as websites migrated from HTTP to HTTPS, DNS has also migrated from an initial insecure design to a secure, encrypted scheme. Also, the number of ways to specify and get a DNS configuration has increased. More on this below.
Often people are told to configure their computing device with certain DNS servers on the assumption that they will be used. For example, Quad9 offers these instructions for configuring macOS to use their DNS servers. This is, however, a bad assumption, even ignoring the use of VPNs. For one thing, malware may change the DNS settings on a computer. Then too, the router may over-ride them; some routers can force you to use their configured DNS servers regardless of what you have configured on your device. I blogged about this in March 2018 (Some routers can force their DNS servers onto all devices). Changing the DNS servers in a router is a common attack and without the tester websites below, it could be a very long time before the change is detected.
On consumer routers, the Guest Wi-Fi network(s) use the same DNS servers as everyone else connected to the router. On higher end business/professional routers, such as Peplink, Ubiquiti UniFi, Cisco and Draytek, an SSID can be assigned to a VLAN and thus each SSID can use different DNS servers.
On public Wi-Fi, you are at the mercy of someone else's router and possibly their DNS servers. Just as you would think twice before eating food from a total stranger, so too DNS servers. All the more reason to use the tester sites below.
One Defensive Computing thing to do on all public Wi-Fi networks is to use a VPN, which should force the use of DNS Servers from the VPN provider. The public router can not do anything about this, as all VPN traffic through the router, including DNS, is encrypted. The sites below can confirm that the VPN has forced the use of its DNS servers. Note that bad VPNs use public DNS servers such as those from Google (8.8.8.8). Good VPNs will either use the VPN server you are connected to as the DNS server or run their own DNS server on their network.
DNS VERSION 1
DNS is as old as the Internet. The first version was an amazing technical design. It still works decades later as the Internet has grown far larger than the original designers could have imagined. But, it was not secure and that has led to assorted improvements over the years.
DNS VERSION 2
A number of fixes/improvements were attempted but did not get much traction. The latest DNS re-design seems to be catching on. DNS version 2 is called secure DNS, private DNS and/or encrypted DNS. It comes in two flavors, DoT and DoH. The difference between the two flavors is not relevant in an introductory article.
Before going into the details, note that encrypted DNS does not provide a huge amount of privacy. A much higher level of privacy is available from a VPN or Tor. Still, it is a step up and worth looking into.
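As an added illustration (example code written for this page, not from RouterSecurity.org or from any DNS provider), here is what a DoH client actually sends: the DNS message is the same wire format as old DNS, only the transport changes from plain UDP port 53 to HTTPS. The Quad9 resolver URL is assumed from Quad9's published documentation; the sample responses are constructed, using this site's own IP address from above and the non-existent aaa.RouterSecurity.org example.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query for `name` (qtype 1 = A record, class IN).
    RFC 8484 suggests txid 0 so identical DoH queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the query, base64url-encoded without padding, in ?dns=.
    Over HTTPS an observer on the path sees only a TLS connection to the resolver."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"{resolver_url}?dns={encoded}"

def parse_a_records(msg: bytes) -> list:
    """IPv4 answers from a DNS response; [] on an error RCODE such as NXDOMAIN
    (what the browser then shows as ERR_NAME_NOT_RESOLVED)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:      # not a response, or RCODE != 0
        return []

    def skip_name(pos: int) -> int:               # handles name compression pointers
        while True:
            length = msg[pos]
            if length & 0xC0 == 0xC0:
                return pos + 2
            if length == 0:
                return pos + 1
            pos += 1 + length

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4                  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips

QUAD9_DOH = "https://dns.quad9.net/dns-query"     # assumed from Quad9's published docs

# Constructed sample response: the query echoed back with QR/RD/RA set and one
# A record (216.92.136.14 is this site's address, as stated above).
QUERY = build_query("routersecurity.org")
ANSWER = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:]
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([216, 92, 136, 14]))
# Constructed NXDOMAIN response (RCODE 3) for a name that does not exist.
NXDOMAIN = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + build_query("aaa.routersecurity.org")[12:]

if __name__ == "__main__":
    print(doh_get_url(QUAD9_DOH, QUERY))
    print(parse_a_records(ANSWER), parse_a_records(NXDOMAIN))
```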
Secure DNS has further expanded the places that a given computing device may get its DNS configuration from. It makes the assorted tester websites all the more important. The effective/current DNS servers may have come from:
It is now so complicated the DNS providers listed on the DNS providers page each has a long list of instructions for configuring different operating systems to use their services.
WEB BROWSERS
The first place I ran across encrypted DNS was in a web browser. I recommend using it in every browser that offers it. On public networks, even if the privacy is not perfect, it does let you force the use of a trusted DNS provider. On desktop Operating Systems, pretty much every browser supports this (Firefox, Chrome, Brave, Edge, Opera and Vivaldi do). On iOS, browsers do not support this. My experience has been that DNS settings in the browser over-ride DNS settings from the router, the operating system and from a VPN. Again, use the tests on this site to verify this. FYI: How to enable DNS-over-HTTPS (Secure DNS) in Chrome, Brave, Edge, Firefox and other browsers by Martin Brinkmann (Oct 2021).
ANDROID
Of all the popular operating systems, Android is, by far, the best when it comes to DNS. Android versions 9, 10, 11 and 12 have a Private DNS feature that applies system-wide. With a single setting, the entire device uses secure DNS and makes no old DNS requests. See: Manage advanced network settings on your Android phone. This one setting should take precedence over DNS settings from a public Wi-Fi router. It definitely takes precedence over DNS settings that a VPN might want to impose.
WINDOWS
Secure DNS is available in Windows 11 and Windows Server 2022. It is not available in Windows 10 (as of service pack 22H2, July 2024). Windows 11 only does DoH, but I have heard that Microsoft is planning on adding DoT at some point.
There are two system-wide settings for DNS in Windows 10 and 11, one for Ethernet and one for Wi-Fi. Windows refers to these as "network adapters". Windows 11 also has DNS settings on a Wi-Fi network/SSID basis. Windows 10 can not configure DNS on a network/SSID basis.
In Windows 10 (service pack 22H2 as of July 2024), you can modify DNS with:
Settings -> Network and Internet -> pick Ethernet or WiFi
For Wi-Fi, click on "Change adapter options" -> right click on the Wi-Fi network adapter -> Properties -> Internet Protocol version 4 (TCP/IPv4) -> gray Properties button -> "Use the following DNS server addresses". All you can do here is put in two IP addresses for old DNS.
In Windows 11, you can modify DNS with:
Settings -> Network and Internet -> pick Ethernet or WiFi
For Wi-Fi, click on Hardware properties -> next to "DNS server assignment" click the EDIT button -> change from Automatic to Manual and turn on IPv4 (and maybe IPv6).
For IPv4 you must enter an IP address. Here is a screen shot of what Windows 11 (22H2 as of July 2023) looks like when configured to use Quad9 with old DNS for all Wi-Fi connections.
Note that it says (unencrypted) next to each IP address.
August 9, 2024: I tried configuring a Windows 11 system to use Secure DNS and it failed. The error message was useless, as usual. Microsoft can not even be bothered to highlight the field in error and when setting this up there are many fields in play. The system was current on bug fixes and I was logged on as an administrator, so fuck Microsoft.
This screen shot shows how to configure Windows 11 22H2 (with bug fixes as of July 2023) to use secure DNS for either Wi-Fi or Ethernet. I include the date and service pack because this interface has changed over the lifespan of Windows 11.
Now, the two options for secure DNS are "ON with an automatic template" or "ON with a manual template". Needless to say, Windows does not bother to explain what a template is. You're on your own. If I used Windows 11, I would research this, but I'm still on Windows 10.
When I first tried secure DNS with Windows 11, it did not go well. This was in March 2023 with service pack 21H2 build 22000.1641 which had bug fixes as of Feb. 2023.
My experience was that depending on the IPv4 address, Windows 11 may or may not let me use DNS over HTTPS. Why? None of your business, there is no explanation (a recurring theme with Microsoft). If you enter an ugly IP address, the only option is old DNS which Windows 11 calls "Unencrypted only". If you enter a pretty IP address, then two Secure DNS options were available "Encrypted only (DNS over HTTPS)" and "Encrypted preferred, unencrypted allowed".
The Cloudflare DNS system that blocks malware uses 1.1.1.2 and Windows thinks that is ugly; it will only do old DNS. However, the Cloudflare system that does not block anything uses IP address 1.1.1.1, and Windows 11 will let you pick new DNS with that IP address. Quad9 uses 9.9.9.9 and that allows for encryption; however, the main OpenDNS IP address, 208.67.222.222, does not.
Setup instructions from NextDNS, for their customers, say to enter their two IPv4 addresses (one for Preferred DNS and one as the Alternate DNS), then select "On (manual template)" and enter https://dns.nextdns.io/xxxxxx where the Xs are one of your NextDNS profile IDs. Do this twice, once for the Preferred DNS and once for the Alternate. Click the SAVE button.
If you are not using NextDNS, then research with your DNS provider how to deal with Windows 11.
As for conflicting DNS settings, web browsers configured to use new/secure DNS, use the browser DNS settings rather than those for Ethernet or Wi-Fi (tested on Windows 10 21H2 and Windows 11 21H2). More here: Secure DNS Client over HTTPS (DoH) (Last updated March 2022).
CHROME OS
ChromeOS has a system wide encrypted DNS setting that even applies to Guest Mode. However, when using a VPN, the system-wide DNS only applies to the Chrome browser. Other browsers use the DNS from the VPN provider. Last tested May 2023 using the Brave and DuckDuckGo browsers.
IOS
DNS on iOS is very complicated and I do not fully understand it.
Secure DNS was added to iOS in version 14, but it was sloppy, confusing and co-exists with old DNS. For example, in iOS 15, if you search the iOS settings for DNS, it returns nothing.
On iOS 15 you could configure what looks like system-wide DNS with: Settings -> General -> VPN, DNS & Device Management -> DNS. This feature appeared to have been removed in iOS 17, but not really. While it is off by default in iOS 17, if you use a Configuration Profile to control DNS system-wide, then it appears.
iOS has configuration profiles that can set system-wide DNS. You can get a profile file from a DNS provider, download it to an iOS device and then install it. Much more complicated than Android.
To use the Configuration Profile to get system-wide encrypted DNS with Quad9, see Setup: iOS DNS over HTTPS or DNS over TLS (June 2022). For NextDNS, start at apple.nextdns.io. It is probably best to configure this using Safari on the iPad in question.
In my testing of a system-wide DNS via a Configuration Profile from NextDNS, the DNS in the Configuration Profile was not used while my VPN was connected.
But, it's not that simple.
iOS devices operate under two different sets of rules, one for managed devices (MDM) and one for stand-alone consumer devices. Managed devices can force system settings in ways that consumer devices can not. More: Get started with a supervised iPhone, iPad, or iPod touch (from Apple).
As for browsers, iOS does not let web browsers specify anything about DNS. When connected to a VPN, browser based tests show the browsers using DNS from the VPN, not the system-wide setting. This is the opposite of how Android works.
iOS does let you specify DNS for each SSID individually. Here is a screen shot (iOS 15) of the properties for a single SSID, showing the "Configure DNS" option. As of iOS 17 you have to change the first option from Automatic to Manual, then you can enter the IP Address(es) of your desired DNS servers for that SSID. Since it only takes an IP address and not a server name, I assume this feature only supports old DNS. It's a dinosaur.
Does setting DNS for a single SSID work? Maybe.
I tested this on iOS 17.3 and the DNS setting for the SSID was ignored. Instead browser based tests showed my iPad was using DNS from the router it was connected to. My tests on iOS 15.5 found that the system wide DNS setting over-rode the DNS setting for one specific SSID.
The system-wide DNS setting is full of holes. Perhaps the biggest is that each app can have its own DNS settings which means that there is nothing to do in the way of testing/checking. It is impossible to know what DNS will be used on iOS.
This is a 2020 video for iOS developers, Enable encrypted DNS. I watched the video even though most of it was over my head as I am not an iOS developer. Still, I learned that a given app can choose whatever DNS servers it wants to use. And, an app can use more than one DNS configuration. One app. Along the same line, here is a writeup from OpenDNS, DNS Resolver Selection in iOS 14 and macOS 11, that also comments on how apps can specify their own desired DNS settings.
The video also says that a DNS configuration from a VPN over-rides the system-wide DNS setting. However, the wording is tricky and implies that even with an active VPN connection, DNS takes place outside the VPN tunnel. Specifically, the video says that DNS resolution within the VPN tunnel uses the VPN DNS. Why say "within the VPN tunnel" if the VPN configuration applied system-wide? To me, there is no reason, so I assume DNS takes place outside a VPN tunnel by design. I saw some of that in my blog on VPNs leaking on iOS (May - August 2022). A detailed packet trace found iOS 15.6 making normal old UDP port 53 DNS requests to the router despite an active VPN connection. In addition, this happened with the iPad configured to use NextDNS system-wide, so it ignored both the VPN DNS and the system-wide DNS. Great OS you got there Apple.
The video also makes it clear that system-wide DNS is more than just one setting, there are also rules that can be programmed. Thus system-wide DNS can configure itself differently for Wi-Fi vs. Cellular or for different Wi-Fi SSIDs. And, the video said nothing about the old way of doing things, about configuring old DNS on an SSID by SSID basis. Where does that fit in? None of our business.
I am not an iPhone user. This article Change DNS on iPhone/iPad/iPod for WiFi and Cellular (3G/4G/5G) by Haris Karim (August 2021) says that changing DNS for cellular on an iPhone is quite different than for Wi-Fi. There is no system setting for this, you have to install a third-party app.
The DNS Providers page has information on how NextDNS users can generate and install an iOS profile file to configure the use of NextDNS at the system level. NextDNS has run into many DNS bugs in both iOS and macOS: Known issues with iOS/macOS system Encrypted DNS (DoH) support March 2022.
Bottom line: DNS on iOS is far too complicated for non-developers to understand, let alone test.
In July 2021, Oleg Afonin of Elcomsoft wrote: Starting with iOS 14, Apple natively supports encrypted DNS. However, if you try searching through the Settings app, you will find no mention of it anywhere. The support for encrypted DNS is there, but the setting is not. In order to actually use a different (secure) DNS server, you will have to download a third-party app, or install a third-party configuration profile. There are several apps in the App Store offering encrypted DNS services such as Cloudflare, AdGuard and NextDNS... .
Finally, note that there is a bug in iOS 15 regarding encrypted DNS. There are many articles like this one about a Privacy Warning message, "This network is blocking encrypted DNS traffic." From what I can tell, the warning is false. No one knows what causes it. More here: DNS encryption blocked.
macOS
Quad9 has instructions for using their encrypted service on macOS: Big Sur and later (Encrypted). They note that DoT and DoH are both supported natively in Big Sur and later. You have to use Safari to download a "profile" file. I am not impressed with macOS support of encrypted DNS; the instructions have lots of gotchas, warnings and exceptions.
AND
Getting back to an earlier point, there are two types of name leaks, even when using secure DNS, both having to do with secure web pages. Regardless of how the DNS translation was done, a request for a secure web page can leak the name of the website. In TLS version 1.2 this is always the case. In TLS version 1.3, the leak has been fixed. The desktop version of Firefox shows the version of TLS used to retrieve a web page. The desktop versions of Chrome and Brave do not display this. The other leak has to do with revoked certificates. Some checks for this send the unique certificate serial number in plain text (not encrypted). The serial number can be tied to the certificate which can be tied to a website/computer name.
If you use a VPN at home you should check the effective DNS servers every now and then. It is best to check before and after connecting to the VPN.
- - - - - - - - - - - - - - -
NOTE: The content of this page used to be optionally and dynamically included inside the Test Your DNS page. As of February 8, 2025 it was moved to this separate page. So, while the Page Creation date below is technically correct, the content of this page has been around much longer.
- - - - - - - - - - - - - -