Router Security: Test Your DNS Servers
Website by Michael Horowitz

Short Introduction to DNS (a Long DNS explanation is also available)

Devices connected to the Internet are assigned unique numbers called IP addresses. You know this site as RouterSecurity.org; its IP address is 216.92.136.14. All communication on the Internet is based on these numbers; website names and computer names are just a convenience. The system that translates names into the underlying numeric IP addresses is called DNS (Domain Name System), and the computers that do the translation are referred to as DNS servers.

DNS servers are extremely important. Almost every connection between two computers on the Internet starts with a query to a DNS server to translate a computer name into an IP address.

Malicious DNS servers can do what any malicious translator can do - lie to you. For example, they might send you to a scam copy of a website. Like food, you should not take DNS servers from a stranger.

A computer, router, browser or VPN will tell you which DNS servers it is configured to use; the pages below show which DNS servers are actually being used, by the web browser you run the test in. Tests like these are needed because the DNS configuration can come from many places. How many? The optional Long DNS explanation lists 13 possible sources for the DNS configuration, and there may be more.

I have a list of suggested DNS providers.

About These Tests

The tests below run in a web browser. If one browser is using encrypted DNS while another, on the same computing device, is not, then expect these tests to show different results in each browser. Likewise, if you have two web browsers using different DNS providers, expect them to report different results in the tests below. For more on encrypted DNS see the Encrypted DNS topic on my Defensive Computing Checklist site.

DNS query results are cached, both by the operating system and by the browser. If you make a DNS configuration change, the best way to be 100% sure that the results of the tests below are accurate is to restart your computing device.

If you are using the Private DNS feature of Android (first introduced in version 9) there is no need for any of the testers below. My experience has been that Android will always use the Private DNS servers, even when a VPN is active. Thank you, Google.

If a test only returns an IP address, an excellent source for learning about that IP address is ipinfo.io.

If you want to use the DNS services of your ISP (I would not), then after running a couple of these tests, check with the ISP to ensure the reported DNS servers are theirs.

Learn Your Current DNS Servers - Generic Testers

The websites below reveal the DNS servers being used by the web browser you use to view them. They are not specific to any one DNS provider.

Learn Your Current DNS Servers - Specific Providers

The web pages below are from DNS providers and test whether their system is actually being used. They are a health/sanity check that confirms things are correctly configured. If you use one of these DNS providers, their customized test is preferable to the above generic tests. Again, DNS needs to be tested in every web browser on your computing device.

OPERATING SYSTEM TESTS

To see what the Operating System is using for DNS, outside of any web browsers, we can use the nslookup command on desktop operating systems (Windows, macOS, Linux). The command syntax is very simple: "nslookup domainname". The first thing returned by the command is the name and IP address of the default DNS server. Below is a screen shot from Windows 7 showing the system is using DNS server dns9.quad9.net at IP address 9.9.9.9.

[Screenshot: nslookup command on Windows 7, showing Server: dns9.quad9.net and Address: 9.9.9.9]

DNS configurations in the Operating System can be all over the map. There can be different DNS servers configured for Ethernet vs. Wi-Fi, and each wireless network (SSID) can be configured to use different DNS servers. Android 9, 10, 11 and 12 allow a global DNS setting for the entire operating system. iOS is the exact opposite: it even allows each app to configure its own DNS servers.

If a specific network connection does not specify any DNS server(s), then it is assigned DNS servers by the router (via DHCP). But, again, a complication: the router may function as a DNS server itself, or it may simply pass DNS requests out to a DNS server on the Internet.

In the example above, the network connection was specifically configured to use Quad9. In the example below, a Windows 10 computer is using the router itself (at 192.168.1.99) as the DNS server.

[Screenshot: nslookup command on Windows 10, showing the router at 192.168.1.99 as the DNS server]

FYI: On Windows, there are a couple debug options for the nslookup command. More here: nslookup's Debug Options by Didier Stevens (May 5, 2024).

Another option for Windows users is the ipconfig command. macOS and Linux have ifconfig (and Linux has ip), but those commands only show interface addresses, not DNS servers; on those systems use scutil -dns, nmcli or dig as described below.

On Windows, the command ipconfig /all shows details, including the DNS server(s), for all the defined network connections. Note that this only applies to classic, unencrypted DNS (UDP/TCP port 53). It knows nothing about browsers that use encrypted DNS (DNS over HTTPS or DNS over TLS). And what the operating system specifies for classic DNS can be transparently overridden by the router. Also, when connected to a VPN, there will be one entry for the network connection without the VPN (Wi-Fi or Ethernet or 4G) and another entry for the VPN connection. Which DNS servers are really being used by the OS when no web browser is running? See nslookup above.

This command can also be useful after closing a VPN connection. I have seen VPN software that did not reset the DNS servers correctly when shut down. This left the computer using the DNS servers from the VPN company even when the VPN software was not running.

macOS offers the scutil -dns command. Look for nameserver. The website ss64.com offers full command syntax.

Linux should offer the nmcli command. Its output contains various sections, including "DNS configuration". See its man page. On distributions that run systemd-resolved, resolvectl status lists the DNS servers per interface and the current upstream server, which nslookup and dig otherwise hide behind the local stub address 127.0.0.53.

On both Linux and macOS, you can also use the dig command to see which DNS server is being used. On macOS, open Applications -> Utilities -> Terminal. For Linux, see How to Use the dig Command on Linux by Dave McKay (April 2020). A simple

 dig somedomain.com

command should display the DNS server used to answer the question. Look for "SERVER:" in the output. Caveat: if SERVER: shows a loopback address such as 127.0.0.53 (systemd-resolved) or 127.0.0.1 (a local dnsmasq), the answer came from a local stub resolver, and the real upstream servers are only visible through scutil -dns, nmcli or resolvectl status.
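The following is an added example, not code from this site or from any DNS provider. It ties the nslookup check above (the Server/Address lines) and the dig check (the SERVER: line) together: a small shell script that pulls the answering resolver out of either command's output, classifies it as a local stub, a LAN forwarder (usually the router) or a public resolver, and compares it with the resolver you intended to use. The nslookup and dig outputs embedded in it are constructed samples modelled on the two screenshots, not captures, and the expected resolver (9.9.9.9) is an assumption.

```shell
#!/bin/sh
# Added example for this page (not code from RouterSecurity.org or any DNS provider).
# Reads nslookup or dig output, extracts the resolver that answered, and classifies it.
# The sample outputs below are constructed to look like real output; they are not captures.

# Print the address of the answering resolver.
# nslookup: the "Address:" line right after "Server:" (Windows prints "Address:  9.9.9.9",
#           Linux/macOS print "Address:<tab>9.9.9.9#53").
# dig:      the ";; SERVER: 9.9.9.9#53(9.9.9.9)" line.
dns_server_from_output() {
    awk '
        /^Server:/          { want = 1; next }
        want && /^Address:/ { sub(/^Address:[ \t]*/, ""); sub(/#.*/, ""); print; exit }
        /^;; SERVER:/       { sub(/^;; SERVER:[ \t]*/, ""); sub(/#.*/, ""); print; exit }
    '
}

# Classify the resolver address:
#   local-stub     loopback: systemd-resolved (127.0.0.53), dnsmasq, etc. The real
#                  upstream is hidden; use scutil -dns, nmcli or resolvectl status.
#   lan-forwarder  RFC 1918 address: usually the router, which may answer itself or
#                  forward to whatever the ISP (or you) configured on it.
#   public         an Internet resolver; look it up on ipinfo.io if you do not recognise it.
classify_resolver() {
    case "$1" in
        127.*|::1)                                              echo "local-stub" ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)   echo "lan-forwarder" ;;
        *)                                                      echo "public" ;;
    esac
}

# Succeed (exit 0) only when the answering resolver is the one you intended to use.
check_expected() {
    [ "$1" = "$2" ]
}

# Constructed sample: Windows nslookup pointed at Quad9 (mirrors the first screenshot).
SAMPLE_NSLOOKUP='Server:  dns9.quad9.net
Address:  9.9.9.9

Non-authoritative answer:
Name:    routersecurity.org
Address:  216.92.136.14'

# Constructed sample: dig on a Linux box running systemd-resolved (stub at 127.0.0.53).
SAMPLE_DIG=';; ANSWER SECTION:
routersecurity.org.     300     IN      A       216.92.136.14

;; Query time: 12 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Aug 31 18:00:00 CDT 2024'

# The resolver you configured; assumed to be Quad9 for this example.
EXPECTED_RESOLVER="9.9.9.9"

# Report on one command's output; returns 0 only when it matches EXPECTED_RESOLVER.
report() {
    label="$1"; output="$2"
    server=$(printf '%s\n' "$output" | dns_server_from_output)
    kind=$(classify_resolver "$server")
    if check_expected "$EXPECTED_RESOLVER" "$server"; then
        echo "$label: $server ($kind) - as expected"
        return 0
    fi
    echo "$label: $server ($kind) - NOT $EXPECTED_RESOLVER, investigate"
    return 1
}

# Run against the samples. For a live check, pipe real output instead, e.g.
#   dig routersecurity.org | dns_server_from_output
#   nslookup routersecurity.org | dns_server_from_output
report "nslookup sample" "$SAMPLE_NSLOOKUP"
report "dig sample" "$SAMPLE_DIG" || true
```

The dig sample deliberately shows the failure mode from the caveat above: the answering server is 127.0.0.53, a local stub, so a match against 9.9.9.9 fails and the script tells you to look further rather than reporting the stub as your resolver. A lan-forwarder result (the router's address, as in the second screenshot) is the case where the router, not your operating system, decides which upstream DNS server is really used.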

I am not an iOS developer, but from what I have read about DNS on iOS, it is far too complicated for non-developers to understand. Perhaps the best support for this opinion is a video for iOS developers, Enable encrypted DNS, whose description says "... enable encrypted DNS within an app using standard networking APIs..." So, if each app can have its own DNS configuration, what testing/checking could anyone do? Also, in my blog on VPNs on iOS are a scam, I noticed iOS 15.6 making normal old UDP port 53 DNS requests to the router despite its being configured to use NextDNS system-wide. iOS does not fully honor the system-wide DNS setting. There is much more on this in the DNS Long Explanation.

AND...

Hard to believe, there is still more to say about DNS.

Page Created: November 13, 2018      
Last Updated: August 31, 2024 6PM CT
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2024