Tuesday, September 2, 2014

Change the phone book: what is this "DNS" thing?

If you are reading this, chances are you made use of a Domain Name System, or DNS. Don't panic! After a brief lesson on a fundamental piece of modern networks, I will explain a very simple step you can take that dramatically reduces the risk of encountering malicious software or scam / phishing traps.

Putting aside for a moment the possibility that you are reading a printout, you are more than likely using a web browser. Perhaps you clicked a link in search results, or on another web site, or in an email from a friend. Maybe this blog is syndicated to your RSS feed. Or maybe you typed the URL in directly or used a bookmark. Regardless of the source, your browser did not just yell out on the Internet, "show me David Longenecker's blog." Instead, it referred to a DNS, a phone book of sorts, to translate the human-readable web site name or URL into an address it could travel to.

Computers use a network protocol to communicate with one another; typically this is IP, or Internet Protocol. DNS is how your computer knows that www.google.com is actually “” (or was at the time of this writing). It happens silently in the background and is usually ignored unless it stops working. The typical DNS will give a valid answer for any web site. Whether the web site is Google, Disney, Phil's Phony Pharmacy or Ingrid's Illicit Images, an ordinary DNS will respond with the correct address for that site. If in fact you want to go to Phil's Phony Pharmacy or Ingrid's Illicit Images, that is a good thing.

In my line of work I often do want to visit a phony or malicious web site. When I am researching a piece of malware or a phishing scam, sometimes it helps to see what it does, to access the websites that it accesses - but I do so from a protected research environment so I can avoid infecting other computers on my network. For the majority of my network I use an alternate DNS that blocks many of the undesirable web sites.

You can do this too - and it is an easy but highly effective way to protect yourself.

There are a variety of free DNS services that simply don’t resolve website addresses that go to known “adult” or malicious content. More accurately, they resolve such websites to a benign address that warns you about the nature of the site. In my experience this is one of the strongest additions you can make to the security of your home network. Below are several that I have used or looked at; with the exception of K9 Web Protection, they work essentially the same: you either modify the DNS setting on your computer / device, or you modify the DNS setting given by the DHCP server for your router. It's not as hard as it sounds.

If your computer connects directly to your Internet modem or if you are on a network you do not trust, you can change the DNS setting directly on your device. For Windows 7 and newer PCs, open your Start Menu or search bar and type in "Network and Sharing Center." Click "Change adapter settings" and select the network connection you are using. In most cases it will either be "Local Area Connection" or "Wireless Network Connection." From the connection properties dialog, click "Internet Protocol Version 4 (TCP/IPv4)" and click Properties. Instead of "Obtain DNS server address automatically, " select "Use the following DNS server addresses" and type in the addresses for the service you prefer (for example, for Norton ConnectSafe Security + Pornography).

Android devices have a similar setting. On Android you would go to Wifi in your settings panel and click on the wireless network you intend to connect with. Instead of connecting immediately, click to show advanced options. Under IP settings, select Static instead of DHCP. You will then see additional settings you can enter. The only ones that matter are DNS 1 and DNS 2. After entering your preferred DNS servers, change "IP settings" back to DHCP so your device will connect properly to the local network - the DNS settings you entered remain in effect even though the settings are no longer visible. For iPhone and iPad devices the screens look a bit different but the process is identical. Keep in mind that this is only effective when you are on a wireless network and not on a cellular (3G, LTE) data connection. There are some apps that will let you control the DNS settings for cellular data, but only on rooted or jailbroken devices.

This works for individual computers (and is useful if you travel and don't want to trust the DNS servers specified by your hotel / airport / Starbucks). In most homes you will have a router or wireless access point connected to your Internet modem. In that case, it can be easier to make this change once on the router, instead of on each individual device. Each router is a little different, but all will have an option to configure DHCP (Dynamic Host Configuration Protocol - essentially your computer says "who am I?" and the network gives it an an address). On my router, this setting is found by logging into the administrative console and selecting "LAN" under Advanced Settings. From there the DNS setting is identical to a PC or mobile device: just enter the numeric address of the DNS server you wish to use.

Just one caveat: website filtering (whether via DNA or a software agent such as K9 Web Protection) is only as good as the filtering list. The services below have built a fairly good reputation for quickly updating their filters, but there is still a period of time between when a new malicious link is created, and when it is added to block lists. DNS filtering is extremely effective, but it won't stop every single piece of badness. It's one layer in the security stack.

  • Norton ConnectSafe is perhaps the simplest option. You just change your network configuration to point to one of three addresses. The first option ("Security") blocks sites known to host malicious software, phishing attacks, and scams. The second ("Security + Pornography") blocks all of these along with pornography. The third ("Security + Pornography + Other") blocks all of the above, along with mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco or violence. The catch is, you get to choose among the three options Norton provides, but have no way to fine-tune things to suit your personal preferences.
  • OpenDNS Family Shield is slightly more involved, but far more customizable. With OpenDNS you create an account, with which you can select specific categories to block. In addition to the standard malicious content filter, there are about 60 other categories, ranging from nudity to gambling, dating to employment and job-seeker sites. Depending on your personal and household preferences, there is quite a bit of fine-tuning available.
  • BlueCoat, a maker of highly-regarded enterprise web filtering appliances, takes a different approach in its free K9 Web Protection product. With K9 Web Protection, you install a program or "agent" on your computer or device, then select the categories you would like to block. K9 has the added advantages of time-based controls (block Internet browsing during late night hours, for example), and tamper-resistance. It is more difficult for a savvy teen (again for example) to bypass the K9 agent than for the same teen to change their DNS resolver back to one that resolves undesired web sites. In my experience however the K9 agent had a tendency to fail, and would default to blocking all Internet traffic. Let's just say the wife found this highly annoying.
  • Dyn Internet Guide is one I have not used personally, but it appears to work very similarly to OpenDNS Family Shield. You create an account, adjust filtering categories to suit your preferences, and change your DNS settings to use their servers.
  • Secure DNS by Comodo is another option, very similar to Norton ConnectSafe in that it is a one-size-fits all, set it and forget it option. It too is one I have no personal experience with, but it is recommended by people I trust.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen