Router Security: DNS Providers
Website by Michael Horowitz
There are many choices for DNS providers, and the default, using the DNS servers from an ISP, is the worst option. Some options are listed below; the list is far from complete. DNS can be a great way to get ad blocking, tracker blocking and/or malware blocking without having to install software.

Old, insecure DNS is specified with IP addresses (normally two of them). The new, secure DNS is specified with a server name. Typically a company offers one server for DoH and another for DoT. That said, the two secure DNS flavors use different TCP ports, so they could both be available on a single server.
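To make the distinction concrete, here is an added example (not code from this site) showing that all three flavors carry the same RFC 1035 wire-format message and differ only in transport: classic DNS goes to an IP address on port 53, DoT to a hostname on TCP 853, and DoH to an HTTPS URL (RFC 8484 GET form) on TCP 443. The provider hostnames and IP addresses below are constructed placeholders, and the response message is constructed by hand so the parser can be exercised offline.

```python
import base64
import socket
import struct

# Constructed provider configurations (placeholders, not real resolvers).
PROVIDERS = {
    "classic": {"ips": ["192.0.2.53", "192.0.2.54"]},              # IP addresses, port 53
    "dot": {"hostname": "dot.example.net"},                          # server name, TCP 853
    "doh": {"hostname": "doh.example.net", "path": "/dns-query"},    # server name, TCP 443
}


def build_query(name, txid, qtype=1):
    """Encode a DNS query in RFC 1035 wire format (qtype 1 = A record).
    The same bytes travel over UDP/53, DoT and DoH; only the transport differs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(hostname, message, path="/dns-query"):
    """RFC 8484 GET form: the wire message is base64url-encoded, padding stripped, in ?dns=."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"https://{hostname}{path}?dns={encoded}"


def transport_for(kind, config):
    """Describe how a query reaches each provider type as (protocol, endpoints, TCP/UDP port)."""
    if kind == "classic":
        return ("udp", config["ips"], 53)
    if kind == "dot":
        return ("tls", [config["hostname"]], 853)
    if kind == "doh":
        return ("https", [config["hostname"] + config.get("path", "/dns-query")], 443)
    raise ValueError(f"unknown provider kind: {kind}")


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        if length == 0:                # root label terminates an uncompressed name
            return offset + 1
        offset += 1 + length


def parse_a_records(msg):
    """Extract IPv4 addresses from the answer section of a response message."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4       # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, class IN
            addresses.append(socket.inet_ntoa(rdata))
    return addresses


# Constructed response to build_query("example.com", 0x1234): same question, one A answer
# for the documentation address 192.0.2.1, with the owner name compressed (pointer 0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
)

if __name__ == "__main__":
    query = build_query("example.com", 0x1234)
    print(doh_get_url(PROVIDERS["doh"]["hostname"], query))
    for kind, cfg in PROVIDERS.items():
        print(kind, transport_for(kind, cfg))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Because the message bytes are identical across transports, a DoH or DoT server can reuse the same resolver back end; the only thing that changes is the TLS session and the port the client connects to.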

To test which DNS system/servers your computer is using, see the many available tester pages on the Test Your DNS page.

GOVERNMENTS AND DNS

TESTING DNS SERVICES

URLhaus is in the business of collecting, tracking and sharing malware URLs. Their Statistics page (in the Blocklist Comparison section) compares DNS providers. Sadly the data is undated. They compare AdGuard, Quad9, Cloudflare, dns0.eu, ProtonDNS and others.

June 5, 2023: Public DNS malware filters tested by Kris Lowet of Nexxwave. Tests of a handful of DNS providers that claim to block malware domains. The worst was Comodo Secure DNS which blocked nothing. Cloudflare for Families (1.1.1.2) was very bad, blocking only 13%. Quad9 blocked 78%. CleanBrowsing Security Filter blocked 87%. The two best services were dns0.eu and dns0.eu ZERO which both blocked 94%.

Years back there was an issue with the old insecure DNS system that let bad guys intercept an outbound request and forge a response. A fix was created that introduced more randomness in the source port and/or transaction ID of these old insecure DNS requests. Steve Gibson created a DNS spoofability test that evaluates how well a DNS server does in regard to this randomness. The test is a web page with no creation date and no last update date, but the issue first came to light in 2008. The test is not aware of the new secure DNS system, so it is probably best not to run it from a browser using secure DNS. That said, I tested it with Firefox v114 (June 2023 on Windows) that was using NextDNS for secure DNS. The tester picked up three NextDNS servers and they all tested very well.
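The randomness the fix introduced can be checked from a resolver's own outbound queries. The added example below (my own code, not Steve Gibson's tester or anything from this site) takes a list of (source port, transaction ID) pairs as a packet capture of a resolver's upstream queries would show them, and reports whether they look like a counter or a random source. Both samples are constructed: one mimics the pre-fix behaviour of incrementing ports and IDs, the other is drawn from a seeded random generator. The thresholds used for the verdict are assumptions chosen for the example.

```python
import math
import random
from collections import Counter

# Constructed sample 1: sequential ports and transaction IDs (the pre-2008 behaviour).
WEAK_SAMPLE = [(32768 + i, 0x1000 + i) for i in range(64)]

# Constructed sample 2: randomised ports and IDs (seeded so every run sees the same data).
_rng = random.Random(2008)
STRONG_SAMPLE = [(_rng.randint(1024, 65535), _rng.randint(0, 0xFFFF)) for _ in range(64)]

# Assumed thresholds for the verdict; a real audit would calibrate these on many more queries.
SEQUENTIAL_LIMIT = 0.5    # more than half the steps are +1 -> looks like a counter
MIN_PORT_SPREAD = 4096    # ports confined to a narrow band are easy to guess


def shannon_entropy_bits(values):
    """Empirical Shannon entropy (bits) of the observed values.
    Note: with n samples the maximum is log2(n), so this is only informative on large captures."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(values):
    """Fraction of consecutive pairs that differ by exactly +1 (a counter, not a RNG)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(sample):
    """Summarise port/ID randomness of a capture and return a verdict."""
    ports = [p for p, _ in sample]
    txids = [t for _, t in sample]
    port_spread = max(ports) - min(ports)
    report = {
        "port_entropy_bits": round(shannon_entropy_bits(ports), 2),
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 2),
        "port_sequential": round(sequential_fraction(ports), 2),
        "txid_sequential": round(sequential_fraction(txids), 2),
        "port_spread": port_spread,
    }
    counter_like = (report["port_sequential"] > SEQUENTIAL_LIMIT
                    or report["txid_sequential"] > SEQUENTIAL_LIMIT)
    report["verdict"] = "weak" if counter_like or port_spread < MIN_PORT_SPREAD else "randomized"
    return report


if __name__ == "__main__":
    for label, sample in (("sequential resolver", WEAK_SAMPLE), ("randomised resolver", STRONG_SAMPLE)):
        print(label, assess(sample))
```

The entropy figures are deliberately reported alongside the sequential fraction: sixty-four distinct sequential values have the same empirical entropy as sixty-four distinct random ones, so a short capture needs the ordering check to tell them apart.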

Page Created: March 13, 2022      
Last Updated: April 15, 2024 2PM CT
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2024