Router Security: Test Your DNS Servers
Devices connected to the Internet are assigned unique numbers called IP addresses. All communication on the Internet is done based on these unique numbers. You know this site as RouterSecurity.org and its IP address is 22.214.171.124. The system that translates names into the underlying numeric IP addresses is called DNS (Domain Name System) and the computers that do the translation are referred to as DNS servers.
DNS servers are extremely important. Probably 99% of all communication between two computers on the Internet starts with a call to a DNS server to translate a computer name into an IP address. Every Internet Service Provider is required to provide access to a DNS server as part of every Internet connection. In fact, DNS is so important that at least two DNS servers are configured for every Internet connection.
Malicious DNS servers can do what any malicious translator can do: lie to you. In the worst case, they might send you to a scam copy of a website. This can be very hard to detect, as the web browser displays the correct address/URL. And there is nothing Citibank can do about a DNS server sending you to a scam copy of citi.com; they don't know it is happening. Not to pick on Citibank at all, they are just an example.
Nerds who don't want to see ads play tricks with DNS so that computers serving ads, such as ad.tagdelivery.com, ads.mopub.com or ads.yieldmo.com, are purposely translated to invalid IP addresses. This website is www.RouterSecurity.org. Is there an aaa.RouterSecurity.org or a bbb.RouterSecurity.org? No. And if you try to visit them, you get a DNS error. For example, Chrome 70 on Windows says the "server IP address could not be found."
The Defensive Computing (it's my thing) thing to do is to know what your DNS servers should be and what they actually are. The web pages listed below are not testing DNS servers in the sense of checking whether they are functioning correctly; they are reporting the DNS servers your computing device is currently using.
Note that the answer is transitory. It is only valid as long as the tested computing device remains on the same network. Starting or stopping a VPN on the computing device would also change the effective DNS servers, even on the same network. Probably starting/stopping Tor would too.
Lingo alert: A DNS server is sometimes referred to as a DNS resolver.
The effective DNS servers may have come from multiple sources. They may have been manually configured in your computing device (computer/tablet/phone), or, they may have been set by a VPN running on the device, or, they may have come from the router. The router, in turn, may have been configured to always use a particular pair of DNS servers, or, it may be assigned DNS servers by the ISP. Having four possible sources is what makes the tester sites below necessary.
Often people are told to configure their computing device with certain DNS servers on the assumption that they will be used. For example, Quad9 offers these instructions for configuring macOS to use their DNS servers. This is, however, a bad assumption, even ignoring the use of VPNs. For one thing, malware may change the DNS settings on a computer. Then too, the router may override them; some routers can force you to use their configured DNS servers regardless of what you have configured on your device. I blogged about this in March 2018 (Some routers can force their DNS servers onto all devices). Changing the DNS servers in a router is a common attack, and without the tester websites below, it could be a very long time before the change is detected.
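The check described above, knowing what your DNS servers should be and comparing that with what the device is actually configured with, can be scripted for the simplest of the four sources: the operating system's own resolver configuration. The following is an added example, not code from RouterSecurity.org. It parses resolv.conf-style text (the format Linux and macOS use; Windows users would compare against `ipconfig /all` by hand), compares the result with an allowlist, and flags a local stub resolver, since a loopback address in the file means the real upstream is configured elsewhere. The allowlist (Quad9's public addresses) is an assumption for the example, and the sample configuration is constructed, with placeholder LAN and RFC 5737 documentation addresses.

```python
import os
from ipaddress import ip_address

# Allowlist (assumption for this example): the resolvers this device is *meant* to use.
# 9.9.9.9 and 149.112.112.112 are Quad9's public resolver addresses.
EXPECTED_RESOLVERS = {"9.9.9.9", "149.112.112.112"}

# Constructed sample of a resolv.conf as it might look after the router handed out
# its own address via DHCP plus an upstream nobody on the LAN recognises.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample, not from a real machine)
search lan
nameserver 192.168.1.1      # the router itself (placeholder LAN address)
nameserver 203.0.113.53     # unknown upstream (RFC 5737 documentation range)
nameserver not-an-address   # malformed line, ignored by the parser
"""

def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in configured order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ip_address(parts[1])))
            except ValueError:
                continue                            # skip malformed entries
    return servers

def live_resolvers(path="/etc/resolv.conf"):
    """Resolvers the local OS is configured with on Linux/macOS; [] where the file is absent."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_resolv_conf(fh.read())

def audit_resolvers(actual, expected):
    """Flag resolvers that are not on the allowlist, and spot a local stub resolver."""
    actual_set, expected_set = set(actual), set(expected)
    # A loopback address (e.g. systemd-resolved's 127.0.0.53) is a local stub: the real
    # upstream is configured elsewhere (resolvectl status), so the file alone proves nothing.
    stub = any(ip_address(ip).is_loopback for ip in actual_set)
    unexpected = sorted(actual_set - expected_set)
    return {
        "ok": bool(actual_set) and not unexpected and not stub,
        "unexpected": unexpected,
        "missing": sorted(expected_set - actual_set),
        "local_stub": stub,
    }

if __name__ == "__main__":
    # Use the real file when present, otherwise fall back to the constructed sample.
    configured = live_resolvers() or parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured:", configured)
    print("audit:", audit_resolvers(configured, EXPECTED_RESOLVERS))
```

Run it before and after connecting a VPN, as the page recommends, and the "unexpected" list shows which entries changed. A clean report from this script only covers the device's own configuration; a router that overrides DNS, or a VPN tunnel, is exactly the case the web-based testers are for.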
On public Wi-Fi, you are at the mercy of someone else's router and possibly their DNS servers. Just as you would think twice before eating food from a total stranger, so too with DNS servers. All the more reason to use the tester sites below.
The Defensive Computing thing to do on all public Wi-Fi networks is to use a VPN, which should force the use of DNS servers from the VPN provider. The public router cannot do anything about this, as all VPN traffic through the router, including DNS, is encrypted. The sites below can confirm that the VPN has forced the use of its DNS servers. Note that bad VPNs use public DNS servers such as those from Google (126.96.36.199). Good VPNs will either use the VPN server you are connected to as the DNS server or run their own DNS server on their network.
If you use a VPN at home you should check the effective DNS servers every now and then. It is best to check before and after connecting to the VPN.
Without a VPN, there are many public DNS servers that are better options than defaulting to your ISP's DNS servers. For example, OpenDNS, Quad9 and Cloudflare all offer some malware protection by not resolving/translating known bad website names. OpenDNS has its own tester page which is shown below.
Warning to Windows users: There is a caching or buffering issue involving VPNs. After connecting to a VPN, the above sites typically show both the pre-VPN DNS servers and the current DNS server from the VPN provider. On iOS 12 and Android 7.1 all the above testers work fine, only Windows is buggy. I have not tested other OSs. In the screen shot below, from the Express VPN tester page, the four OpenDNS servers were in use before the VPN connection was made and the server at Leaseweb USA is from the VPN provider. I tried the command "ipconfig /flushdns" but it did not help.
On Windows, the only tester page above that has been bullet-proof in my experience is the one for OpenDNS. It simply reports a YES/NO on whether OpenDNS is being used and it is not fooled by whatever caching issue confuses the other testers. As a side note, all the VPN services I have used assign a single DNS server. Outside of a VPN, there are normally two or more DNS servers in use.
Another issue is that different DNS testers report a different number of DNS servers. Some only report on one DNS server, others report on multiple DNS servers. I don't know why this is.
Cloudflare DNS servers are 188.8.131.52 and 184.108.40.206. In November 2018, Cloudflare released iOS and Android apps that configure those systems to use their DNS servers. It works by creating a pseudo VPN connection. The testers above do not report either 220.127.116.11 or 18.104.22.168 as the in-use DNS servers. The Cloudflare app will show that it is being used, and I am sure it is, but the above DNS testers report other IP addresses. And you can't go by the hostname either; the servers used by Cloudflare do not have host names. The only clue from these testers is that Cloudflare is the ISP.
One feature of Cloudflare DNS is encryption. The connection between your computer and their DNS server is encrypted using one of two fairly new approaches: DNS over TLS or DNS over HTTPS. This is only an issue when you are not using a VPN. A VPN encrypts everything (when it is working correctly) coming and going from the computer, so there is no need to pay special attention to encrypting DNS.
Warning to WIRED readers: The article You Know What? Go Ahead and Use the Hotel Wi-Fi by Brian Barrett (Nov 18, 2018) comes to a very wrong conclusion. The main point of the article is that the widespread use of HTTPS (secure websites) eliminates the old dangers of sniffing and snooping on unencrypted data. For one thing, this shows a lack of understanding of the limits of HTTPS. Secure websites do not deserve that much trust. Still, the bigger danger is that on a public wireless network you have an encrypted connection to bad guys. HTTPS does nothing to protect you from a scam website that looks real enough, displays the correct URL in the address bar, but whose sole purpose is to harvest passwords. Extended Validation could offer this protection, but in the real world it does not. For one thing, web browsers are constantly changing how they indicate EV vs. DV (Domain Validation). And, some browsers do not give any visual indication of the difference. And, I suspect no non-techies are even aware of the EV/DV concept in the first place. Even more insidious is using DNS not to fake out the main/displayed domain name, but to point the browser at a scam copy of included code from a third party. Many sites are compromised by including malicious code from hacked third parties. DNS means that the third party does not even need to be hacked. So, using trustworthy DNS servers, not those from hackers, a coffee shop or a hotel, is critical to computing safely. The article also ignores the issue of evil twin networks, an attack for which there is (as far as I know) no defense.
Anyone running a VPN on Windows 8 or 10 needs to be aware of a situation where DNS requests may be sent outside of the VPN tunnel. For more, see Guide: Prevent DNS leakage while using a VPN on Windows 10 (and Windows 8).
In May 2017, Trend Micro made a great point: "Unfortunately, website-based tests may not be reliable once a home router has been compromised." With that in mind, it makes sense to check with the router directly, be it with a web interface or an app, to double check the DNS servers.
Windows users have another excellent option, the DNS query sniffer program by Nir Sofer. The program is free, portable and from a trustworthy source. It simply traces DNS requests and responses. Before connecting to a VPN, tell it to examine either your Wi-Fi or Ethernet connection to confirm the program is working. Then connect to the VPN and you should see no further DNS activity. As further proof that the VPN is handling things, tell the program to examine your VPN connection (Options -> Capture Options) and you should see all your DNS requests.
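What a DNS sniffer shows is the raw request and reply on the wire, and that is also what lets you catch the lying resolver described earlier: the reply's answer is compared with the address you expect. The following is an added example, not code from the page or from Nir Sofer's program. It builds a query and a reply as constructed byte strings (the hostname and the RFC 5737 addresses are placeholders), parses them the way a sniffer does, including the name-compression pointer that real replies use, and checks the reply's transaction ID, question and A records against the query and an expected address set.

```python
import struct
from ipaddress import ip_address

TYPE_A, CLASS_IN = 1, 1

def encode_name(name):
    """Encode a dotted hostname as DNS labels, e.g. b'\\x03www\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(txid, name):
    # Constructed query: header (ID, flags RD=1, QDCOUNT=1) followed by one A question.
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN))

def build_response(txid, name, ip, ttl=300):
    # Constructed reply: flags 0x8180 = QR (response), RD, RA set, RCODE 0.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # The answer's NAME is a compression pointer (0xC00C) back to the QNAME at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + ip_address(ip).packed
    return header + question + answer

def read_name(msg, offset):
    """Decode a possibly-compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                     # compression pointer
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if end is None:
                end = offset + 2                        # stream continues after the pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_message(msg):
    """Parse header, question and answer sections of a DNS message (A records decoded)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = str(ip_address(rdata)) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}

def check_response(query_bytes, response_bytes, expected_ips):
    """Compare a sniffed reply with the query it answers and the addresses we expect."""
    q, r = parse_message(query_bytes), parse_message(response_bytes)
    problems = []
    if not r["is_response"]:
        problems.append("not a response")
    if q["id"] != r["id"]:
        problems.append("transaction ID mismatch")      # reply does not belong to this query
    if q["questions"] != r["questions"]:
        problems.append("question section differs")
    got = {a[3] for a in r["answers"] if a[1] == TYPE_A}
    bogus = sorted(got - set(expected_ips))
    if bogus:
        problems.append("unexpected A record(s): " + ", ".join(bogus))
    return {"ok": not problems, "problems": problems, "a_records": sorted(got)}

if __name__ == "__main__":
    query = build_query(0x1234, "www.example.com")
    honest = build_response(0x1234, "www.example.com", "203.0.113.10")
    lying = build_response(0x1234, "www.example.com", "198.51.100.7")
    print(check_response(query, honest, {"203.0.113.10"}))
    print(check_response(query, lying, {"203.0.113.10"}))
```

The same parser works on payloads captured from UDP port 53 with any packet-capture tool; the expected address set is what you look up out of band (for example, from a trusted network). A transaction ID mismatch is reported separately because a reply that does not match the outstanding query is a different problem from a resolver that answers the right question with the wrong address.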
As for whether a DNS server is actually working well, we have Steve Gibson's DNS spoofability test. The page has no creation date and no last update date, but it has been around for a long time.