Turning your DNS Resolver into a Security Tool
Public Cloud DNS Resolvers are now well known in the industry. Google DNS opened the door for many solutions offering a variety of DNS Resolver-based services. Today, there is a multitude of cloud-based DNS Resolvers. These are services individuals might wish to explore. Everyone has the ability to control which DNS Resolver they connect to. Normally, people and devices will get two DNS service IPs from provisioning (DHCP, Radius, or Diameter via their WIFI, Mobile, Broadband or Network). There are times when people would prefer their devices use a DNS Resolver (rDNS) of their own choice. This choice has many reasons:
- Better rDNS Performance. Many times, rDNS is neglected by the Operator. Entropy decays the performance of anything on the Internet over time. Without care, the rDNS in the Operator will get slower and slower. DNS is set up so that end users can bypass the provisioned rDNS and use one with better performance.
- Security. The DNS Resolver IS A SECURITY TOOL. If you know a domain name is bad (malicious), why resolve it at all? It would be better to warn the person (“this domain is trying to infect you with malware”) or just block it. Many malware, botnet, and ransomware attacks could have been prevented if the DNS Resolver had been used as a DNS Firewall. Not many services offer this to the public.
- Parental Control Services. Several Cloud DNS Resolver solutions offer Parental Control services. These services work with WIFI routers in the home and/or applications on the devices to give parents the tools to “parentally interact” with their family on when, where, and what content is accessed on the Internet.
- Business Security. Several large DNS Resolver operators provide specialized business security services on top of the DNS Cloud Resolver. These services give the business extra visibility, through DNS, into the threats constantly probing and attacking their organization.
All of these reasons are powerful incentives for individuals to seek out “over the top” Cloud DNS Resolvers. This is an evolving list of the known Cloud DNS Resolvers. Please contact bgreene@senki.org if you have more information on others that belong on the list.
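The “why resolve a known-bad domain” decision described above, as an added example that is not code from this page or from any of the resolvers listed on it. It shows the policy step a DNS firewall runs before recursing: the name is canonicalized, matched against a blocklist on label boundaries so that a blocked zone covers every host beneath it, an allowlist exception wins when it is more specific, and the verdict is either the null response (NXDOMAIN) or a redirect to a walled-garden address. The blocklist, allowlist and sinkhole address are constructed for illustration; real deployments load them from a threat feed.

```python
"""Added example (not code from the page or any listed resolver): the policy
decision a DNS firewall makes before it resolves a name. The blocklist,
allowlist and sinkhole address are constructed for illustration."""

from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample lists; the names are hypothetical.
BLOCKLIST = {"malware.example", "phish.example.net", "c2.evil.example.org"}
# Exceptions that must resolve even though a parent zone is blocked.
ALLOWLIST = {"mail.phish.example.net"}
# Walled-garden address returned in "redirect" mode (RFC 5737 documentation range).
SINKHOLE_A = "192.0.2.53"


def normalize(name: str) -> str:
    """Canonical form for comparison: lowercase, no trailing dot, no stray spaces."""
    return name.strip().rstrip(".").lower()


def parent_names(name: str) -> Iterator[str]:
    """Yield the name and every parent zone, most specific first.

    www.a.example -> www.a.example, a.example, example
    Matching on label boundaries (not str.endswith) keeps a block on
    malware.example from also catching notmalware.example.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


@dataclass
class Verdict:
    action: str              # "resolve", "nxdomain" or "redirect"
    matched: Optional[str]   # list entry that fired, if any
    answer: Optional[str]    # sinkhole address when action == "redirect"


def apply_policy(qname: str, mode: str = "nxdomain") -> Verdict:
    """Decide what the resolver should do with qname before recursing.

    mode="nxdomain" gives the null response; mode="redirect" sends the
    client to a warning page instead. Lists are consulted from the most
    specific name outward, so an allowlisted host inside a blocked zone
    still resolves, while a blocked zone covers every name beneath it.
    """
    if mode not in ("nxdomain", "redirect"):
        raise ValueError(f"unknown mode {mode!r}")
    for candidate in parent_names(qname):
        if candidate in ALLOWLIST:
            return Verdict("resolve", candidate, None)
        if candidate in BLOCKLIST:
            if mode == "redirect":
                return Verdict("redirect", candidate, SINKHOLE_A)
            return Verdict("nxdomain", candidate, None)
    return Verdict("resolve", None, None)


if __name__ == "__main__":
    for q in ("www.example.com", "WWW.Malware.Example.", "login.phish.example.net",
              "mail.phish.example.net", "notmalware.example"):
        v = apply_policy(q, mode="redirect")
        print(f"{q:26} -> {v.action:8} matched={v.matched} answer={v.answer}")
```

The redirect mode is the one that lets a resolver show the warning page the text mentions, but it only works for plain HTTP or for sites whose certificates the sinkhole can present; for HTTPS the client will see a certificate error rather than a warning, which is why many operators prefer the NXDOMAIN response.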
Is there a “Best” Cloud DNS Security Solution?
Security tools, the “blacklists” that feed those tools, and the state of the Internet all change all the time. One moment one tool might be considered the “best.” The next time, depending on how the test is measured, another vendor might be considered the “best.” What is true is that security is nothing unless it is USED and USEFUL. Hence the purpose of this master list. The goal is to allow the individual and organization to explore all options and find the Cloud DNS Resolver that provides the services they will actually adopt (used) and the reporting they need (useful).
Cloud rDNS Anycast/Unicast Address
The following is a list of all the known rDNS Cloud Operators. It is recommended that the individual or organization interact with each of these organizations. Try several. There is no one solution that works best for every organization; each should explore which DNS services are best for them. The DNS Resolver services are listed alphabetically, with no judgment on their capabilities.
Each service has a short description and a list of functionality.
- DNS Firewall. A DNS Firewall is where the DNS Resolver checks each queried domain name against a blacklist before resolving it. The blacklist holds domain names used for phishing, spam, malware, botnets, malware command & control, downloaders, or other malicious sites. The goal is to stop the resolution from succeeding. For example, the domains in a phishing email that lead to a ransomware site would be on the blacklist; the DNS Firewall returns a null response (NXDOMAIN) or a redirection to a warning page, keeping the person from getting infected by ransomware.
- ECS Support. EDNS0 Client Subnet (ECS) is IETF RFC 7871. It is used by edge-compute and content distribution networks (CDNs) to match the end node’s location to the closest content: the resolver forwards part of the client’s address (typically no more than a /24 for IPv4) to the authoritative server inside the query. The objective is to maximize the customer experience by lowering the latency from the client to the content. Some raise privacy concerns about this disclosure, though the client’s full IP address is revealed to the same content provider the moment it connects to the service.
- Business Security. DNS Resolver Business Security covers additional services tuned towards enterprises and small business operations. They would include a portal showing usage and details of the security issues seen.
- Parental Control. “Parental Control” is a group of services which restrict domains that should not be seen by members of the family. Parental Control would also include national-level censorship filtering.
- DNSSEC Support. DNSSEC is the tool used to authenticate answers from the authoritative DNS zone. The chain of trust runs from the DNS Root through the Top Level Domain to the specific domain. It is what lets a resolver verify that a reply for www.google.com really carries the data Google published. The DNS Resolver must have DNSSEC validation turned on for this to protect the client; “DNSSEC Support” means the resolver performs these additional validation checks.
- DNS Privacy Support. DNS Privacy is a body of work from the IETF DNS PRIVate Exchange (dprive) Working Group. This checkbox indicates whether the DNS Cloud Resolver supports DNS over TLS (RFC 7858), a TLS session between the client (stub resolver) and the resolver, normally on port 853.
- Ad Blocking. DNS Resolvers have been found to be one way to block unwanted ads on sites, by refusing to resolve the domains the ad networks use. Some of the DNS Resolver solutions are built to focus on Ad Blocking.
- DNS over HTTPS. Some DNS Cloud Operators allow DNS queries to be carried over HTTPS (RFC 8484). This is work in the IETF community to explore ways to add security capabilities to the client-to-DNS-Resolver connection.
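The ECS and DNS over HTTPS items above, as one added example that is not code from this page or from any listed operator. It encodes the RFC 7871 ECS option the way a resolver would attach it to an outbound query (family, source prefix length, scope 0, and only the address bytes covered by the prefix, with host bits zeroed), decodes it back to show exactly what an authoritative server learns, and wraps the wire-format message as the unpadded base64url `?dns=` parameter of an RFC 8484 GET. The client address (from the 203.0.113.0/24 and 2001:db8::/32 documentation ranges), the prefix lengths, the advertised UDP buffer size and the `/dns-query` path are assumptions chosen for illustration.

```python
"""Added example (not code from the page or any listed resolver): build a
DNS query that carries an EDNS0 Client Subnet option (RFC 7871), decode it
back, and wrap the message as a DNS-over-HTTPS GET parameter (RFC 8484).
Client address, prefix lengths, buffer size and the /dns-query path are
assumptions chosen for illustration."""

import base64
import ipaddress
import struct

ECS_OPTION_CODE = 8      # OPT option code assigned to edns-client-subnet
OPT_RRTYPE = 41
EDNS_BUFSIZE = 1232      # assumed UDP payload size advertised in the OPT RR


def ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode one ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE (0 in
    queries), then only ceil(prefix/8) address bytes with host bits zeroed.
    Truncating to /24 (IPv4) or /56 (IPv6) is what limits what the
    authoritative server learns about the client."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    if not 0 <= source_prefix <= addr.max_prefixlen:
        raise ValueError(f"prefix /{source_prefix} invalid for {client_ip}")
    # strict=False masks the host bits so nothing beyond the prefix leaks.
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    payload = struct.pack("!HBB", family, source_prefix, 0) + net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs(option: bytes):
    """Decode an ECS option into (network address, source prefix, scope prefix)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    raw = option[8:4 + length]
    width = 4 if family == 1 else 16
    if len(raw) != (source + 7) // 8:
        raise ValueError("address length does not match prefix length")
    return str(ipaddress.ip_address(raw + bytes(width - len(raw)))), source, scope


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, ecs: bytes = b"", txid: int = 0) -> bytes:
    """Minimal recursive query (RD set) with one question and one OPT RR.
    txid defaults to 0 because RFC 8484 recommends that for DoH GET, so
    identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE 41, CLASS carries the UDP size,
    # TTL carries extended RCODE/version/flags (all zero), then RDLEN + options.
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, EDNS_BUFSIZE, 0, len(ecs)) + ecs
    return header + question + opt


def doh_get_path(query: bytes, endpoint: str = "/dns-query") -> str:
    """RFC 8484 GET form: the wire message as unpadded base64url in ?dns=."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def doh_get_decode(path: str) -> bytes:
    """Server side of doh_get_path: recover the wire message from the URL."""
    b64 = path.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    opt = ecs_option("203.0.113.77", 24)
    print("ECS option:", opt.hex(), "->", parse_ecs(opt))
    q = build_query("www.example.com", ecs=opt)
    print("DoH GET:", doh_get_path(q))
```

Sending the query in this form needs only an HTTPS client that can set `Accept: application/dns-message`; what the decoded option shows is that with a /24 the authoritative server sees 203.0.113.0, never the client’s last octet, which is the trade-off the privacy discussion around ECS is about.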
AdGuard DNS
AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. Easy to set up and free to use, it provides a necessary minimum of best protection against online ads, trackers, and phishing, no matter what platform and device you use.
AdGuard DNS | ✓ DNS Firewall | ☐ ECS | ☐ Business Security | ✓ Parental Control | ☐ DNS Privacy |
IPv4: 176.103.130.130 176.103.130.131 |
IPv6: 2a00:5a60::ad1:0ff 2a00:5a60::ad2:0ff |
AnswerX Cloud
Akamai’s AnswerX Cloud is a white-labeled DNS Resolver solution that allows any organization to build its own “DNS Resolver cloud.” Organizations build their own “OpenDNS,” “Quad 9,” or other specialized DNS Resolver function without having to deploy and manage hundreds of servers all over the world. The IP addresses listed are functional but are provided for trials and demonstrations. The demo is set up with three functional groups deployed across Akamai’s global AnswerX Cloud:
- DNS Resolver with no Special Filtering
- Malware, Botnet, and Phishing Protection with redirection pages
- Business Control/Parental Control Protection. Pornography, Adult & Sexual, Illegal Activities, Weapons & Violence, Drugs & Alcohol, Gambling, Cyberbullying, Anonymizers, Suicide and Malware & Phishing
AnswerX Cloud | ✓ DNS Firewall | ✓ ECS | ✓ Business Security | ✓ Parental Control | ✓ DNS Privacy |
No Special Filtering | IPv4: 104.104.58.2 104.103.234.2 | IPv6: 2600:1480::2 2600:1480:2::2 |
Malware Filtering | IPv4: 104.104.58.2 104.103.234.2 | IPv6: 2600:1480::2 2600:1480:2::2 |
Parental Control | IPv4: 104.104.58.3 104.103.234.3 | IPv6: 2600:1480::3 2600:1480:2:: |
AliDNS (Alibaba)
Ali Public DNS is a DNS recursive resolution system launched by Alibaba Group. The goal is to become part of the domestic (Chinese) Internet infrastructure, providing free recursive resolution for Internet users that is “fast,” “stable,” and “smart.”
AliDNS (Alibaba) | ☐ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNS Privacy |
IPv4: 223.5.5.5 223.6.6.6 |
No IPv6 Support |
Alternate.DNS
Alternate DNS offers an affordable, global Domain Name System (DNS) resolution service, that you can use to block unwanted ads.
Alternate.DNS | ☐ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNS Privacy | ✓ Ad Blocking |
IPv4: 198.101.242.72 23.253.163.53 |
No IPv6 Support |
CIRA D-ZONE
D-Zone DNS Firewall combines the proactive intelligence derived from millions of DNS queries with advanced data science to protect your network from ransomware, malware, and other cybersecurity threats.
CIRA D-ZONE | ✓ DNS Firewall | ☐ ECS | ✓ Business Security | ☐ Parental Control | ☐ DNS Privacy |
IPv4: 162.219.51.2 |
IPv6: 2620:10a:8054::2 |
Comodo
Comodo Secure DNS is a domain name resolution service that resolves your DNS requests through our worldwide network of redundant DNS servers. This can provide a much faster and more reliable Internet browsing experience than using the DNS servers provided by your ISP and does not require any hardware or software installation. When you choose to use Comodo SecureDNS, your computer’s network settings will be changed so that all applications that access the internet will use Comodo SecureDNS servers.
Comodo | ✓ DNS Firewall | ☐ ECS | ✓ Business Security | ☐ Parental Control | ☐ DNS Privacy |
IPv4: 8.26.56.26 8.20.247.20 |
No IPv6 Support |
DNS Filter
DNS Filter believes content filtering and threat protection should be easy. DNSFilter makes it simple to deploy an enterprise-grade solution at an affordable price. Without any contracts or commitments, you can be up and running in minutes.
DNS Filter | ✓ DNS Firewall | ✓ ECS | ✓ Business Security | ✓ Parental Control | ☐ DNS Privacy |
IPv4: 103.247.36.3 103.247.37.37 |
No IPv6 Support |
DNS.WATCH
DNS.Watch believes in freedom of information. No censorship. No Bullshit. Just DNS.
DNS.WATCH | ☐ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNS Privacy |
IPv4: 84.200.69.80 84.200.70.40 |
IPv6: 2001:1608:10:25::1c04:b12f 2001:1608:10:25::9249:d69b |
Dyn Recursive DNS
Surf the web faster with Dyn’s free Dyn Recursive DNS. Easily install within your router to provide the same safe and fast experience on all devices connected to your network or use our Update Client to configure IG on a local Windows or Mac OS X computer. Simply install our update client to monitor your device, and your hostname will update whenever its IP address changes.
Dyn Recursive DNS | ☐ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNS Privacy |
IPv4: 216.146.35.35 216.146.36.36 |
No IPv6 Support |
FreeDNS
FreeDNS is an open, free and public DNS server. Usually, you get the DNS from your access provider and your computer picks up the resolver via DHCP automatically. But access providers sometimes implement redirects, so when you enter a web address you don’t get the web page you expected. To avoid this behavior you can use an unrestricted DNS server.
FreeDNS | ☐ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNSSEC Support | ☐ DNS Privacy |
IPv4: 37.235.1.174 37.235.1.177 |
No IPv6 Support |
FoolDNS
Destroy 90% of advertising, delete tracking cookies, avoid profiling with just one click, for FREE.
FoolDNS | ☐ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNSSEC Support | ☐ DNS Privacy |
IPv4: 87.118.111.215 213.187.11.62 |
No IPv6 Support |
Google DNS
DNS resolution speed is critical to the Internet user experience. Yet Operators around the world neglected their DNS resolvers. Google took the lead in the industry, building its own global cloud DNS Resolvers as an alternative and setting the standard for “cloud-based” DNS Resolver services.
Google DNS | ☐ DNS Firewall | ✓ ECS | ☐ Business Security | ☐ Parental Control | ✓ DNSSEC Support | ☐ DNS Privacy | ✓ DNS over HTTPS |
IPv4: 8.8.8.8 8.8.4.4 |
IPv6: 2001:4860:4860::8888 2001:4860:4860::8844 |
GreenTeam Internet
First line of defense. Blocks all known phishing, malware, fraudulent and infected websites so you, your kids or employees won’t accidentally go there. (Note: currently there is no way to contact the GreenTeam. They are registered in the “UK,” but run out of Israel.)
GreenTeam Internet | ✓ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNSSEC Support | ☐ DNS Privacy | ☐ DNS over HTTPS |
IPv4: 81.218.119.11 209.88.198.133 |
No IPv6 Support |
Hurricane Electric
Hurricane Electric deployed an IPv4 and IPv6 DNS Resolver to facilitate the use of their IPv6 Tunnel Broker service.
Hurricane Electric | ☐ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNSSEC Support | ☐ DNS Privacy | ☐ DNS over HTTPS |
IPv4: 74.82.42.42 |
IPv6: 2001:470:20::2 |
Level 3
Level 3 has been providing public DNS Resolver service for more than a decade.
Level 3 | ☐ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNSSEC Support | ☐ DNS Privacy | ☐ DNS over HTTPS |
IPv4: 209.244.0.3 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 4.2.2.6 |
No IPv6 Support |
Neustar’s DNS Advantage “UltraRecursive”
Neustar UltraRecursive is a cost-effective, enterprise-grade, cloud-based recursive DNS service that delivers fast and reliable access to vital online applications with built-in security and threat intelligence. Neustar UltraRecursive has a range of free-of-charge recursive DNS services. These let users, families, and small businesses choose the level of DNS Resolver security and protection they deem best suited to their objectives. Each service is grouped with its own IPv4/IPv6 addresses.
- Reliability & Performance 1 – For users that want reliable and fast DNS lookups without blocking any specific categories.
- Reliability & Performance 2 – For users that want reliable and fast DNS lookups without blocking any specific categories. These IPs will not redirect NXDomain (Non-existent Domain) responses to a landing page.
- Threat Protection – For users who want protection against malicious domains for security purposes. Includes Reliability & Performance. Categories Blocked: Malware, Ransomware, Spyware & Phishing
- Family Secure – For families that want to ensure children don’t have access to mature content. Includes Reliability & Performance + Threat Protection. Categories Blocked: Low + Gambling, Pornography, Violence & Hate/Discrimination
- Business Secure – For businesses that want to ensure employee productivity by blocking unwanted and time-wasting content. Includes Reliability & Performance + Threat Protection + Family Secure. Categories Blocked: Medium + Gaming, Adult, Drugs, Alcohol & Anonymous Proxies
Neustar’s DNS Advantage | ✓ DNS Firewall | ☐ ECS | ✓ Business Security | ✓ Parental Control | ✓ DNSSEC Support | ☐ DNS Privacy | ☐ DNS over HTTPS |
Reliability & Performance 1 | IPv4: 156.154.70.1 156.154.71.1 | IPv6: 2610:a1:1018::1 2610:a1:1019::1 |
Reliability & Performance 2 | IPv4: 156.154.70.5 156.154.71.5 | IPv6: 2610:a1:1018::5 2610:a1:1019::5 |
Threat Protection | IPv4: 156.154.70.2 156.154.71.2 | IPv6: 2610:a1:1018::2 2610:a1:1019::2 |
Family Secure | IPv4: 156.154.70.3 156.154.71.3 | IPv6: 2610:a1:1018::3 2610:a1:1019::3 |
Business Secure | IPv4: 156.154.70.4 156.154.71.4 | IPv6: 2610:a1:1018::4 2610:a1:1019::4 |
Norton ConnectSafe
Norton ConnectSafe is a free service that provides a first layer of defense by blocking unsafe sites automatically. On a computer, Norton ConnectSafe does not replace the comprehensive protection of a full security product such as Norton Internet Security or Norton 360. Instead, Norton ConnectSafe provides basic browsing protection and content filtering for all Web-enabled devices on your home network. ConnectSafe has three IP address groups for three levels of protection:
- A – Security (malware, phishing sites, and scam sites). All policies block malware, phishing and scam sites
- B – Security + Pornography. Pornography includes sites that contain sexually explicit material.
- C – Security + Pornography + Other. “Other” includes sites that feature: mature content, abortion, alcohol, crime, drugs, file sharing, gambling, hate, suicide, tobacco or violence.
Norton ConnectSafe | ✓ DNS Firewall | ☐ ECS | ☐ Business Security | ☐ Parental Control | ☐ DNSSEC Support | ☐ DNS Privacy | ☐ DNS over HTTPS |
A – Security (malware, phishing sites, and scam sites) | IPv4: 199.85.126.10 199.85.127.10 |
B – Security + Pornography | IPv4: 199.85.126.20 199.85.127.20 |
C – Security + Pornography + Other | IPv4: 199.85.126.30 199.85.127.30 |
No IPv6 Support |