What are DNS services

What is "DNS"? How does this affect your privacy and blocked websites?

Every time you surf the Internet or your device calls up data from the Internet, you are using a DNS service. We would therefore like to explain how this works and why a manual setting or use of alternative DNS services can increase your privacy or make blocked content accessible.

What is DNS (Domain Name Server)?

Every user on the Internet uses DNS. However, it is seldom clear to anyone what these services are actually doing.

The entire Internet is based on the fact that every connected device has a unique IP address (e.g. 192.10.20.30). This is the only way that all devices are able to communicate with one another and data packets find their way to the receiving devices independently.

Web servers (websites) also have their own IP addresses and, from a technical point of view, can only be reached via these addresses. However, since it is awkward to remember number combinations and to enter, for example, https://194.232.104.139/ in the browser instead of "www.ard.de", the domain name "www.ard.de" and the IP address "194.232.104.139" can be linked.

Exactly this lookup and linking is handled by DNS services.

From a technical point of view, every time a page is opened in the browser or contact is made to a device through the use of a domain, a DNS service is asked for the destination IP address.

Description of the process for a DNS query:

  1. The browser receives the command to open a page.
  2. The DNS service to be used for the query is selected from the existing settings.
  3. The data of the desired website is sent to the preconfigured DNS service.
  4. The DNS service processes this request and compares it with any blacklists.
  5. The DNS service transmits the IP address of the relevant destination back to the browser.
  6. The browser establishes the connection to the target IP address of the website in the background.
  7. The connection to the target address loads the relevant texts / images from the website to the browser.
  8. The browser “interprets” this data and creates the website in a graphically prepared form.

Inquiries, comparisons and responses are therefore generated on the DNS service.

How does the DNS service actually know which IP address a certain domain / website has?

A standard governs how DNS services exchange and store website data with one another. New domains / websites therefore always need a few hours before they can be reached from all over the world, since the information about where a domain points must first be distributed and compared automatically. However, this information is then held in parallel in the databases of all publicly accessible DNS services.

DNS services are therefore also a risk to your own privacy.

Since every query can also be logged, DNS services are of course also a risk to your own privacy. As part of the German law on data retention, German Internet service providers were obliged to store precisely this data on the user's activities. But advertising companies like Google also want to be able to own and evaluate this data.

Legal blocks are carried out via "block lists" on DNS services.

Legal requirements that oblige Internet providers to block individual pages or services are based in the simplest approach on the fact that these "website domains" are blocked on DNS services. As a result, user queries are blocked or redirected accordingly. This is the simplest form of blocking a website, but it is also very easy to bypass these blocks if the users use a different DNS than the one provided by the Internet provider.

DNS can also make a contribution to security!

There are also providers of DNS services who have taken the trouble to optimize their DNS in order to block access to harmful programs, viruses or content that can be "harmful to minors". Today, this is one of the simplest and most effective measures to achieve a certain level of basic security.

Note: Yandex is a Russian provider that offers excellent and anonymous DNS servers completely free of charge and was able to convincingly deter malware and other dangers in our tests. The advantage here is not only in the fast and efficient processing of inquiries and the timeliness of the blocked threats, but also that this service, unlike others, can be used completely free of charge.

At Yandex you also have the choice of three different DNS levels:

  • A "normal", fast DNS service without blocking.
  • A DNS that also recognizes threats from viruses, malware or fraudulent sites.
  • A DNS that also blocks content harmful to minors (porn sites, violence, etc.).

The entire offer can be used completely without registration or other login scenarios.
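How a filtering DNS service with three such levels can decide on a query, as an added sketch that is not Yandex's implementation: the level names, blocklists, addresses and the NXDOMAIN block response are assumptions constructed for this example. It matches whole labels only, so a blocked domain also covers its subdomains without catching unrelated names that merely end in the same characters.

```python
# Constructed sample data: placeholder names under reserved example domains.
MALWARE = {"malware.example", "phish.example.net"}
ADULT = {"adult.example"}
LEVELS = {"basic": set(), "safe": MALWARE, "family": MALWARE | ADULT}
UPSTREAM = {"www.example.org": "192.0.2.10", "notmalware.example": "192.0.2.20",
            "cdn.malware.example": "192.0.2.66", "adult.example": "192.0.2.77"}

def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()

def parent_zones(qname):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example']."""
    labels = normalize(qname).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def resolve(qname, level):
    """Return (rcode, address, matched_rule) for a query at a filter level."""
    for zone in parent_zones(qname):         # whole-label match only
        if zone in LEVELS[level]:
            return ("NXDOMAIN", None, zone)  # assumed block response
    address = UPSTREAM.get(normalize(qname))
    return ("NOERROR", address, None) if address else ("NXDOMAIN", None, None)
```

The matched rule in the third field is what a resolver operator would log to explain why a query was refused.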

How can you change your DNS?

Instructions for changing DNS on Windows, macOS, Android, Apple iOS, FritzBox, Speedport, etc.

INSTRUCTIONS: Change DNS


Alternative free DNS services

Google DNS

  • Primary: 8.8.8.8
  • Secondary: 8.8.4.4
  • DNSSEC not enabled

Best known and very fast DNS service without blocking. However, it is questionable whether Google will not also use the user activity data obtained for advertising.


OpenDNS

  • Primary: 208.67.222.222
  • Secondary: 208.67.220.220
  • DNSSEC enabled

Sounds like free DNS, but these are part of the CISCO surveillance network (see published Snowden documents / NSA partner Cisco Inc.).

Youth protection DNS are available for a fee.


Cloudflare DNS

  • Primary: 1.1.1.1
  • Secondary: 1.0.0.1
  • DNSSEC enabled

Free DNS service that delivered the fastest results in all tests. However, no other options are available.


Yandex DNS

  • Primary: 77.88.8.8
  • Secondary: 77.88.8.1
  • DNSSEC enabled
  • Malware protection: 77.88.8.2 / 77.88.8.88
  • Family protection: 77.88.8.3 / 77.88.8.7

Yandex service without data transfer to search engines. Very fast and without failures. Malware and youth protection DNS are available free of charge!


OpenNIC

  • Primary: various
  • Secondary: various
  • DNSSEC not enabled

This user-supported open platform offers DNS servers which are operated by private users. This should prevent any connection to surveillance or advertisers. Test result: Not always the fastest DNS, depending on the location and the selection.


Chaos Computer Club

  • Primary: 213.73.91.35
  • Secondary: 194.150.168.168
  • DNSSEC enabled

The well-known Chaos Computer Club from Germany also operates a record-free DNS service. However, it is only really fast when used from Germany.


Digitalcourage

  • Primary: 46.182.19.48
  • Secondary: 194.150.168.168
  • DNSSEC not enabled

This public initiative tries to give users free access to the Internet through this free DNS service.


DNS.WATCH (IPv6)

  • Primary (IPv6): 2001:1608:10:25::1c04:b12f
  • Secondary (IPv6): 2001:1608:10:25::9249:d69b
  • DNSSEC enabled

Crowd-financed DNS service, preferred for US users. Unfortunately, the servers cannot be reached quickly from Germany.


DNS services have an impact on the page speed in the browser

Since the DNS service you use is queried every time you open a website, its response time has a decisive influence on how quickly a website can be opened for you. Many websites contain dozens, if not hundreds, of images or links. Each of these contents sometimes requires a separate query (Technical: Where can I find the image: “https://domain.com/bild123.png”?). The faster your browser receives this information back, the faster your website will open.

How can I change the DNS used?

This is actually quite simple. Usually only a few steps are required. Every device with internet access has corresponding settings that can be changed. In many cases, the settings are obtained automatically from the Internet provider, but you should change this and manually enter the IP addresses of the desired DNS service.

Instructions: Change DNS directly via the home router

Log in to the configuration of your home router. Search for the settings for "WAN". As a rule, and depending on which device you are using, it should be possible to manually edit DNS entries there instead of "automatic DNS configuration".

Add the IP addresses of the desired DNS server there, for example:

  • DNS 1: 77.88.8.8
  • DNS 2: 77.88.8.1

These entries affect all connected devices.

Yandex also offers other very simple and illustrated instructions for other devices. Otherwise, as soon as you leave the "home network", your devices will again use the DNS service of your Internet provider.

The Myth of Unsafe DNS Service.

There are also persistent rumors on the Internet that DNS services pose a great threat to one's own security. It is said that authorities repeatedly access this data and thereby also identify users of VPN services. Security gaps such as the DNS leak are often described and warned about.

Now it is the case that a DNS service actually contains several pieces of information about the users. This is primarily the user's IP address. Of course, your own internet provider already knows the exact connection location and the name of the user. Therefore, it is also easy to track what the individual user is doing now. This is of course a danger and also very uncomfortable for the feeling of freedom or privacy in general. In practical terms, this information is even stored by law in some countries (Germany).

However, if you use a VPN service and thus an external IP address that cannot be directly traced back to your Internet access, then this risk is "largely" excluded.  

Security gaps that reveal the DNS services used are called "DNS leaks"

Such DNS leaks make it possible for a website to find out which DNS services a user is using. This means that one knows which DNS services have probably also stored the user's activities. However, no immediate danger can really be derived from this. Just because you know which DNS service someone is using, you cannot assume that it has permanently stored all activities, nor do you have any access to this data. The resulting risk potential is therefore very low. It disappears completely the moment the user uses a VPN service with changing IP addresses, because then no data on the DNS service can be clearly assigned to this user either.

VPN providers whose DNS can only be used by their own customers

This has advantages in some cases, but is usually completely overestimated based on the considerations we have just made.

  • The first clear advantage is that these DNS services are operated privately and are therefore not easily accessible to authorities or third parties.

  • Another advantage can be that queries to these DNS services are answered more quickly, directly from the provider's own network; a noticeable speed advantage when opening Internet pages is the result.

VPN providers who offer their own DNS services are, for example:

But since, as described, the threat potential from using a public DNS service, especially in combination with “anonymous” IP addresses from a VPN provider, is very low, this will mostly be negligible.

How can you find out which DNS service you are currently using?

This is very easy to determine in two ways. On the one hand, by looking for the relevant entries in your device. These can usually be found on the home routers or on the devices in the Internet settings.

The second way will appeal to many more as it can be done with just a click of the mouse:

VPNTESTER DNS check

Note: We use our own test procedures for DNS servers, as these always provide precise and understandable data. There are also many other partly "dubious test sites" which actually only distract from the relevant information with advertising or other data garbage.


Recommendation for using DNS!

As we have tried to explain, the choice of a DNS service has an absolute impact on your privacy. The question is who can use it to obtain what information about an individual's user activity. Since every Internet user constantly uses DNS services, it is also time to be clear about which data is generated and stored.

"In terms of data retention, in Germany, these DNS services play a significant role, but also when it comes to legally blocking access to certain websites."

However, you can also gain security by specifically selecting DNS services and thus protecting yourself against threat scenarios such as viruses, malware or phishing sites. When using a DNS service, always bear in mind that the identifier is the device's IP address. It is therefore advisable to always anonymize this via a VPN service and thus not to change it yourself.

 


Created on: 5th May 2017
