
How (and Why) to Change Your DNS Server

The Domain Name System is an essential part of your internet communications. We'll show you how upgrading to a better DNS server can make your surfing faster and more secure.

When you type a URL in the browser's address bar, it just seems natural that the corresponding website responds with the pages you want. Behind the scenes, though, it's not so simple. Your request goes first to a server that uses the Domain Name System, or DNS, to translate your request into a numeric IP address. That address identifies the desired web server, which serves up the page you requested. Understanding DNS can help you protect your online security and privacy, and even speed your web surfing. We'll explain how and why changing your DNS server may be a good idea.

What Do DNS Servers Do?

The servers that route your internet requests don't understand domain names like pcmag.com. They only understand numeric IP addresses like 104.17.101.99 or the longer numeric addresses from the modern IPv6 system. (By longer, I mean a lot longer. Here's a sample IPv6 address: 2606:4700:0000:0000:0000:0000:6811:8e63. To be fair, that would typically be shortened to 2606:4700::6811:8e63, but still…)

So, the machines only speak numbers, but the people want to use memorable domain names like girlgeniusonline.com or zombo.com. To resolve this impasse, the Domain Name System handles translating friendly domain names to numeric IP addresses.

Your home network typically relies on a DNS Server supplied by your ISP. After your browser sends the server a domain name, the server goes through a moderately complex interaction with other servers to return the corresponding IP address, thoroughly vetted and verified. If it's a much-used domain, the DNS Server may have that information cached, for speedier access. Now that the interaction is down to numbers, the machines can handle the pages you want to see.

Why Change DNS Servers?

As you can see, the Domain Name System is essential to all your internet activities. Any problems with the system can have cascading effects on your experience.

For starters, if the ISP-supplied DNS servers are slow, or not properly configured for caching, they can effectively slow your connection. This is especially true when you load a page that draws content from many different domains, such as advertisers and affiliates. Switching to DNS servers optimized for efficiency can speed up your surfing, whether in a home or business setting.

Speaking of a business setting, some companies offer DNS services with business-friendly add-ons. For example, they can filter out malicious websites at the DNS level, so the pages never reach an employee's browser. They may also filter out porn and other work-inappropriate sites. Similarly, DNS-based parental control systems help parents control children's access to age-inappropriate content, on every device, though they admittedly lack the fine control of locally-installed parental control software.

I mentioned that your DNS server caches popular requests, so it can respond quickly, without having to query other components of the Domain Name System. Your PC or Mac also has a local DNS cache, and if the cache gets screwed up, you can have trouble visiting certain sites. This is a simple problem, one that doesn't require switching DNS servers. All you need to do is flush your local DNS cache.

Unless you're using a VPN (virtual private network), your ISP's DNS servers see every domain you request. You really can't get away from that—if you want something from the internet, you can't avoid telling someone what you want. Your ISP knows where you go on the web, and probably doesn't care.

However, some ISPs have found a way to monetize their DNS service. When you hit an erroneous domain, one that has no actual IP address, they divert your browser to a search and advertising page preloaded with a search phrase derived from the domain name. For example, the image below shows the results of trying to visit the non-existent funnydogepiktures.com through such an ISP.

This may seem like a nonissue. What does it matter if the ISP displays ads? But privacy-wise it's significant. You started with a private back-and-forth between your browser and the DNS server. The ISP broke that bubble of privacy by sending a version of your request to a search engine, which winds up in your search history. Some people worry about the privacy of search, which is why no-history search sites like DuckDuckGo and StartPage exist.

What Are the DNS Dangers?

You're probably familiar with the concept of phishing. Nefarious webmasters set up a fraudulent website that looks exactly like PayPal, your bank, or even a gaming or dating site. They disseminate links to the fake site using spam, malicious adverts, or other techniques. Any hapless netizen who logs in without noticing the fakery has given valuable login credentials to the bad guys. And the fraudsters typically use those credentials to log you into the real site, so you don't realize anything has happened.

The one thing that gives these frauds away is the address bar. Keeping a sharp eye on the address bar is one way to avoid phishing scams. Some are egregious, like a page that purports to be, say, LinkedIn, but has a totally unrelated domain such as bestastroukusa.com. Others work harder to fool you, with slightly-off names like microsfot.com, or extremely lengthy URLs that conceal the actual domain. But no matter how they try, they can't fool an eagle-eyed web surfer.

That's where cache poisoning comes in. In this kind of attack, malefactors infiltrate incorrect information into the Domain Name System, typically by manipulating the cache. The user types a valid domain name, the poisoned DNS system returns the IP address for a fraudulent site, and the address bar shows the valid name. Unless the miscreants did a poor job imitating the target site, there's no visible clue to their chicanery.
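To make the query-and-answer interaction from "What Do DNS Servers Do?" and the poisoning risk just described concrete, here is an added example (not code from the article): it builds the wire-format query a device sends to a resolver, parses a constructed reply, and applies the basic checks a resolver performs before it trusts and caches an answer. The transaction ID, the reply bytes and the source addresses are constructed sample values; pcmag.com, 104.17.101.99, 8.8.8.8 and dns.google are taken from the article's own examples.

```python
import base64
import struct


def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard recursive query (QR=0, RD=1) for an A record (qtype=1), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, ip, ttl=300):
    """Constructed sample reply: echoes the question and adds one A record whose owner
    name is a compression pointer (0xC00C) back to the name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(p) for p in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # render an A record as dotted quad
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def accept_response(query, response, sent_to, received_from):
    """The checks a resolver applies before caching a reply. A forged packet that fails
    any of them is dropped; cache poisoning is the art of passing all of them."""
    if received_from != sent_to:
        return False, "reply came from %s, not the resolver queried" % received_from
    q, r = parse_response(query), parse_response(response)
    if not r["flags"] & 0x8000:
        return False, "QR bit not set: this is not a response"
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if r["questions"] != q["questions"]:
        return False, "question section does not match the query"
    return True, "ok"


def doh_get_url(query, endpoint="https://dns.google/dns-query"):
    """RFC 8484 GET form of the same query: the raw message, base64url without padding."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    query = build_query(0x1234, "pcmag.com")
    reply = build_response(0x1234, "pcmag.com", "104.17.101.99")
    print(parse_response(reply)["answers"])
    print(accept_response(query, reply, "8.8.8.8", "8.8.8.8"))
    print(accept_response(query, build_response(0x9999, "pcmag.com", "198.51.100.7"), "8.8.8.8", "8.8.8.8"))
    print(doh_get_url(query))
```

The three checks in `accept_response` (source, transaction ID, question) are necessary but not sufficient: a 16-bit ID is small enough to guess, which is why real resolvers also randomize the source port and why DNSSEC validation exists. The `doh_get_url` function shows what the DNS over HTTPS switch in the Windows 11 dialog changes: the same message, carried inside an HTTPS request instead of a plaintext UDP packet.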

A similar attack called DNS hijacking happens on your local computer. Malware running on the system reaches into the TCP/IP settings and simply switches you over to a DNS server controlled by hackers. Of course, this only works if the malware in question can get past your antivirus, but there are still a few folks who haven't got the message about using antivirus on every computer.

What's the Best DNS Server?

DNS attacks and problems occur when DNS isn't top of mind for your ISP. Getting away from these problems can be as simple as switching to a service that makes DNS security and privacy a priority.

Google Public DNS has been available since 2009, with easy-to-remember IP addresses of 8.8.8.8 and 8.8.4.4. Google promises a secure DNS connection, hardened against attacks, as well as speed benefits.

Founded in 2005, OpenDNS has been offering secure DNS even longer. It doesn't have memorable IP addresses like Google's but does offer a variety of services. In addition to DNS servers focusing on privacy and security, it offers what it calls FamilyShield servers, which filter out inappropriate content. The company also offers a premium parental control system that gives parents more granular control over filtering. Its parent company Cisco supplies enterprises with Cisco Umbrella, which includes security and DNS services for businesses.

Cloudflare may be the biggest internet company you've never heard of. With a sprawling, worldwide collection of servers, it offers websites internet security and protection against Distributed Denial of Service attacks, among other services. Starting in 2018 Cloudflare made secure DNS available, at the very memorable IP addresses of 1.1.1.1 and 1.0.0.1. The company also offers a free desktop and mobile app, cleverly named 1.1.1.1, which automates using secure DNS and provides related privacy protection features.

There are other free, public, security-centric DNS services, but you won't go wrong with these three big ones.

How Do I Change My Router's DNS Server?

As far as switching your router to a fast, secure DNS server, I have good news and bad news. The good news is that if you make the change in your router settings, it affects every connected device. Not just computers and smartphones, mind you, but video doorbells, smart baby monitors, and even internet-aware lightbulbs. The bad news is that the precise technique for changing your router's DNS settings is different for every router.

To get started, search the web by appending "change DNS" to the make and model of your router. If you're lucky, you'll find a clear set of instructions. Navigate to the desired setting and enter the primary and alternate DNS addresses for the service you chose. You may need to restart the router for the change to take effect.

If your router is an all-in-one handling internet and TV signals, and possibly phone as well, you may not be able to make this change. These high-end multi-function devices don’t make it easy to directly access settings, and even when they do, they may not allow you to switch to another DNS server. A true network expert could install a standard router upstream from the all-in-one and thereby take greater control over the network, but most of us aren’t true network experts.

How Do I Change My Device's DNS Server?

With your router configured for fast, secure DNS, all the devices on your home network are protected. However, you almost certainly have some devices that don't stay on the home network. When your laptop or smartphone connects to the free Wi-Fi at that sleazy internet café, you're also using whatever DNS server the owner chose as the default. Who needs cache poisoning when you have total DNS control?

That's why you should change the local DNS settings on your laptops and mobile devices. Just how you do that varies by platform. On Windows 10:

Yes, that's quite a few steps, but you can do it! Note that the addresses for IPv6 aren't easy to remember like the IPv4 ones. For example, Google's 8.8.8.8 becomes 2001:4860:4860::8888.

Windows 11 is a lot like Windows 10...except when it isn't. To be fair, the dialog boxes where you make those changes in Windows 10 have been virtually unchanged for decades. Here's what you do in Windows 11:

You'll notice that each address has a switch to enable DNS over HTTPS (DoH). Leave those turned off, for now, as this technology isn't universally supported.

If you're using a macOS laptop:

Be especially careful when entering the DNS addresses, as macOS doesn't seem to check them for validity. Under Windows, a misplaced colon gets you a slap on the wrist. In macOS, by observation, you can enter just about anything.
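Two of the problems above invite the same check: the DNS hijacking described earlier, where malware quietly swaps in a resolver you didn't choose, and macOS accepting a mistyped address without complaint. The following is an added example, not code from the article, that audits the resolvers a POSIX system has configured against the ones you intended to set. The `/etc/resolv.conf` content, the expected-resolver list and the stray addresses (198.51.100.23 from the documentation range, the typo 1.1.1.1.1) are constructed samples; the Google and Cloudflare addresses are the ones the article lists.

```python
import ipaddress

# Constructed sample: the resolvers the user chose, in the forms the article gives
# (including Google's IPv6 address in its shortened form).
EXPECTED_RESOLVERS = ["8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "1.1.1.1", "1.0.0.1"]

# Constructed sample of /etc/resolv.conf after something replaced the nameserver lines:
# one expected IPv4, the expected IPv6 in uncompressed form, an unknown server, and a typo.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search home.lan
nameserver 8.8.8.8
nameserver 2001:4860:4860:0:0:0:0:8888
nameserver 198.51.100.23   # constructed: not one of the chosen resolvers
nameserver 1.1.1.1.1
"""


def validate_address(text):
    """Return the canonical (compressed) form of an IPv4/IPv6 address, or None if it
    is not a valid address. This is the validity check macOS does not perform for you."""
    try:
        return ipaddress.ip_address(text.strip()).compressed
    except ValueError:
        return None


def parse_resolv_conf(text):
    """Return nameserver entries in file order as (raw_text, canonical_or_None)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            entries.append((parts[1], validate_address(parts[1])))
    return entries


def audit_resolvers(text, expected):
    """Compare configured resolvers with the chosen ones. Addresses are normalized first,
    so 2001:4860:4860:0:0:0:0:8888 and 2001:4860:4860::8888 compare equal.
    Returns {"ok": [...], "unexpected": [...], "invalid": [...]}."""
    wanted = {validate_address(a) for a in expected}
    wanted.discard(None)
    result = {"ok": [], "unexpected": [], "invalid": []}
    for raw, canon in parse_resolv_conf(text):
        if canon is None:
            result["invalid"].append(raw)
        elif canon in wanted:
            result["ok"].append(canon)
        else:
            result["unexpected"].append(canon)
    return result


def audit_live_file(path="/etc/resolv.conf", expected=EXPECTED_RESOLVERS):
    """Run the same audit against the real file on a Linux or macOS system."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return audit_resolvers(fh.read(), expected)


if __name__ == "__main__":
    report = audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS)
    for kind, addresses in report.items():
        print(kind, addresses)
```

On the sample, `8.8.8.8` and the IPv6 address come back as `ok`, `198.51.100.23` as `unexpected` and `1.1.1.1.1` as `invalid`. An `unexpected` entry after you deliberately set your resolvers is exactly the symptom of the hijacking described above, or of a hotspot's DHCP server overriding your choice. On macOS the resolvers actually in use are listed by `scutil --dns`, and on Windows by `ipconfig /all`; the same normalization and allowlist comparison applies to that output.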

Where ancient versions of Android made setting your own choice of DNS servers quite difficult, it’s easy in modern versions. Well, almost.

That next-to-last step is the reason I said it’s almost easy. Android doesn’t let you enter an easy IP address like 1.1.1.1 or 8.8.8.8. Instead, you must enter the corresponding hostname. For Google Public DNS, that’s not too bad—it's dns.google. But for Cloudflare, you’ll have to type 1dot1dot1dot1.cloudflare-dns.com.

Apple’s iOS protects you from all kinds of security problems by locking down settings that other operating systems leave open. This added security can get in the way, though. You can change DNS settings on an iOS device, but you must do it again every time you connect to a new Wi-Fi network. As for your cellular connection, there’s no built-in way to change its DNS settings. Those using iOS need a third-party app to get global DNS control. A VPN would do the job, as would Cloudflare's 1.1.1.1 app.

DNS Is More Important Than You Think

You never see them in action, but without DNS servers the internet just wouldn’t work. They translate human-friendly domain names into machine-friendly IP addresses. Right now, chances are good you’re using a DNS server supplied by your ISP, a server whose quality is unknown, owned by an entity that likely doesn’t value your privacy. Switching to a third-party DNS service can both speed up your internet activity and protect against tricky DNS-based attacks. Give it a try!

About Neil J. Rubenking