DNS Servers That Offer Privacy and Filtering
If you’re a programmer, a systems administrator, or really any type of IT worker, you probably have your favorite go-to IP addresses for troubleshooting. And if you’re like me, you’ve probably been using the same ones for years.
Such IPs can be used for:
Testing ping connectivity
Checking DNS resolution using dig or nslookup
Updating a system’s permanent DNS settings
Most DNS servers allow you to ping them.
I like using DNS servers for this because you can use them for both connectivity and name resolution testing, and for the longest time I used the Google DNS servers:
8.8.8.8 8.8.4.4
…but they don’t have any filtering enabled, and in recent years I’ve become less thrilled about sending Google all my DNS queries.
Cisco bought OpenDNS, which is where Umbrella came from.
Alternatives to Google DNS
At some point I switched to using Cisco’s Umbrella servers because they do URL filtering for you. They maintain a list of dangerous URLs and block them automatically for you, which can help protect from malware.
208.67.222.222 208.67.220.220
The OpenDNS servers are great, but I always have to look them up. Then, a few years ago, a new set of DNS servers came out that focused not only on speed and functionality, but also memorability.
One of the first easy-to-remember options with filtering that came out was IBM’s Quad9—which, as you might expect, has an IP address of four nines:
9.9.9.9
I figured they were being overwhelmed at launch time, or their filtering wasn’t tweaked yet.
I tried to use Quad9 for a bit when it first came out, but found it a bit slow. I imagine they have probably fixed that by now, but more on performance below.
Enter CloudFlare
So with Google, Cisco, and IBM providing interesting options with various functionality, we then saw CloudFlare enter the arena.
But rather than provide filtering, they instead focused on privacy.
Some other recursive DNS services may claim that their services are secure because they support DNSSEC. While this is a good security practice, users of these services are ironically not protected from the DNS companies themselves. Many of these companies collect data from their DNS customers to use for commercial purposes. Alternatively, 1.1.1.1 does not mine any user data. Logs are kept for 24 hours for debugging purposes, then they are purged.
CloudFlare Website
And perhaps coolest of all for me was their memorability rating, which is basically flawless:
1.0.0.1 abbreviates to 1.1, so you can literally test by typing ping 1.1.
1.1.1.1 1.0.0.1
How cool is that?
They also do filtering of malware at:
1.1.1.3
And of malware and adult content at:
1.0.0.3
Norton ConnectSafe DNS
Norton also has a public DNS service, which has an interesting feature of multiple levels of URL content filtering.
Block malicious and fraudulent sites
199.85.126.10 199.85.127.10
Block sexual content
199.85.126.20 199.85.127.20
Block mature content of many types
199.85.126.30 199.85.127.30
My recommendation
Performance also matters here, and that will vary based on where you are, but in recent testing I found all of these options to be fairly responsive.
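To measure this from your own network, the following added example (not from the original article) sends the same A-record query that dig would to each resolver address listed in this article and reports the response code, any addresses returned, and the round-trip time in milliseconds. The test name example.com, the two-second timeout, and the function names are assumptions of the example.

```python
import secrets, socket, struct, time

RESOLVERS = ("8.8.8.8", "208.67.222.222", "9.9.9.9", "1.1.1.1", "1.1.1.3")  # from the article
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid):
    """Encode a recursive (RD=1) A/IN question for `name` in DNS wire format."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">BHH", 0, 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name that may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    """Return (rcode name, list of A-record addresses) from a raw DNS reply."""
    _, flags, qdcount, ancount = struct.unpack(">HHHH", msg[:8])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                 # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:                 # A record
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs

def probe(server, name, timeout=2.0):
    """Send one UDP query to `server`; return (rcode, addrs, elapsed ms)."""
    query = build_query(name, secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))                       # accept replies from this peer only
        start = time.monotonic()
        s.send(query)
        data = s.recv(4096)
    if data[:2] != query[:2]:
        raise OSError("transaction ID mismatch")
    return (*parse_response(data), round((time.monotonic() - start) * 1000, 1))

if __name__ == "__main__":                            # needs outbound UDP/53
    for ip in RESOLVERS:
        try:
            print(f"{ip:16}", *probe(ip, "example.com"))
        except (OSError, struct.error, IndexError) as err:
            print(f"{ip:16} failed: {err}")
```

Running it a few times at different hours gives a better picture than a single sample, and comparing the response code and addresses across resolvers for the same name shows whether a filtering resolver answered differently from an unfiltered one.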
To me it comes down to this:
If you care about privacy and speed and maximum memorability, I recommend CloudFlare:
1.1.1.1 1.0.0.1
I find the filtering claims by both companies to be too opaque for my tastes, with both of them feeling like borderline marketing to be honest.
If you want URL filtering I recommend Quad9 over Umbrella simply because it’s easier to remember and seems to focus on having multiple threat intelligence sources.
9.9.9.9
And if you want multiple levels of URL filtering, you can go with the Norton offering, but I think I personally prefer to just use Quad9 for that and be done with it. But I think Norton is still a cool option for like protecting an entire school or something by forcing their DNS through the strictest option.
Summary
Final answer—if pressed—here are the two I recommend you remember.
For speed and privacy: 1.1.1.1
For filtering: 1.0.0.3
Notes
Apr 11, 2021 — Updated the article to include the fact that Cloudflare now does filtering as well. Thanks to Jason P. for the update.