Having comprehensive IT security often means taking a layered approach. For example, basic antivirus software might catch PC-based malware after the user downloads it, but you could try to block it before it reaches the user’s device, or at least have another security mechanism that catches it while the basic antivirus software is running. DNS-based filtering can do just that! It helps prevent users from browsing malware and phishing websites, blocks intrusive ads for them, and acts as an adult content filter.
First, a quick primer for those unfamiliar with DNS: You use the Domain Name System (DNS) every time you go online. Every time you type a site name into your browser, DNS queries the IP address that corresponds to that specific domain so the browser can contact the web server for the content. The process of converting domain names into IP addresses is called domain name resolution.
There are two main types of DNS servers: recursive and authoritative. What most individuals and small companies use (and what is described here) is recursive DNS, the default service provided by most Internet service providers (ISPs). All companies listed here provide recursive DNS services. However, some of them also sell authoritative DNS services, which let website owners or hosts define the web server IP addresses their domain names point to and manage other DNS settings.
Because DNS servers are the middlemen between your browser and website content, there are many third-party DNS services that provide additional functionality to users and network administrators. These tools can include:
Content filtering. This can be easily implemented to block adult websites, social networks, and other unwanted content without requiring any software to be installed on your computers and devices.
Malware and phishing blocking. This can also be performed by content filtering tools to block sites containing viruses, scams, and other dangerous content.
Ad and tracker blocking. This is another type of content filtering that helps reduce the ads you see and the number of times advertisers track you online, something some DNS services focus on in particular.
Encrypted DNS traffic. The traditional DNS protocol used by most ISPs and servers has been around for a long time. Some DNS servers offer newer, smarter, more secure protocols (such as DNS-over-HTTPS and DNS-over-TLS) to help authenticate and encrypt DNS traffic. This helps prevent others from seeing the sites you are visiting and helps prevent DNS spoofing.
Unblock geo-restricted services. Using some DNS services, you can spoof your browsing location to unblock certain sites/content, similar to what a VPN server provides.
Prevent botnets. This blocks communication with known botnet servers so your computer cannot be taken over.
URL typos corrected. For example, if you type gogle.com, it will be corrected to google.com.
Five of these services are described here. Most are completely free or offer some free features that might be worth your time to take a look at.
Service Content
Because there are so many DNS services available, only those that provide some type of automatic or preconfigured content filtering are discussed here. Each entry also describes what the user sees when the filter is activated, which can range from something as boring as a “this site can’t be reached” page to customizable block pages.
Switching to a different recursive DNS service is easy. Simply change the DNS IP address in your router’s Internet settings to apply it to your entire network, or change DNS settings on selected computers or other devices. You get preconfigured security or filtering protection for your DNS service without further intervention. Some services also let you create an account (some are free, some require premium services) to customize the level of protection and the message that displays when a website is blocked.
Keep in mind that DNS server speed, reliability, and performance may vary. Slow or poor domain resolution may translate into slower and less reliable Web browsing. You can run a speed test (try namebench) on your DNS servers so you can compare their performance in your specific location.
AdGuard DNS
Free for: Personal or commercial use (over 300,000 queries per month requires paid subscription)
DNS address: Varies based on required protection
AdGuard DNS provides a free, pre-configured DNS service that applies various filters and offers advanced services that allow you to control filtering. You may be familiar with the name, as the company also offers AdGuard VPN and AdGuard Ad Blocker.
AdGuard DNS offers three options for free to the public, no account required:
These DNS servers are plain old DNS services without ad blocking and filtering: 94.140.14.140 and 94.140.14.141
Block ads and trackers only using the following addresses: 94.140.14.14 and 94.140.15.15
Block ads, trackers, adult content and enable safe search mode where possible: 94.140.14.15 and 94.140.15.16
They also provide separate addresses for DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC, and DNSCrypt. These are smarter, more secure protocols that help authenticate and encrypt DNS. They can help prevent others from seeing the sites you are visiting and help prevent DNS spoofing.
You can manually configure routers and end-user devices to use their DNS service, but they also provide a convenient app for end-user devices (Windows, macOS, Android, and iOS) to help select filtering and apply the DNS configuration to the device. Additionally, the app allows you to easily turn protection on and off. However, using the app requires their premium service, which starts at $2.49 per month after a 3-day trial. Premium services also provide access to a cloud dashboard to view DNS-related statistics and manage filtering on multiple devices.
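After switching resolvers it is worth confirming that the filter is really being applied. The following is an added example, not code from AdGuard or from this article: it sends the same A-record query to the unfiltered and the ad-blocking AdGuard addresses listed above and classifies each reply. How a block is signalled is an assumption here (NXDOMAIN or a 0.0.0.0 answer are common conventions), and `ask`, `classify` and the other names are hypothetical helpers.

```python
import socket
import struct

RESOLVERS = {"unfiltered": "94.140.14.140", "ads+trackers": "94.140.14.14"}  # from the article
NULL_ADDRS = {"0.0.0.0"}  # assumption: a common "blocked" sinkhole answer

def build_query(name, txid=0x1234):
    """Encode a recursive (RD=1) A-record query; the ID is fixed for the demo."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", 1, 1))

def skip_name(msg, off):
    """Return the offset just past a possibly compressed domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # 2-byte compression pointer ends it
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg, txid=0x1234):
    """Return (verdict, [IPv4 answers]) for a raw DNS response."""
    if len(msg) < 12:
        return "invalid", []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID or not a response
        return "invalid", []
    rcode = flags & 0x000F
    if rcode != 0:                             # 3 = NXDOMAIN, 5 = REFUSED
        return {3: "nxdomain", 5: "refused"}.get(rcode, f"rcode-{rcode}"), []
    off = 12
    for _ in range(qd):                        # skip the echoed question
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    if addrs and all(a in NULL_ADDRS for a in addrs):
        return "blocked-null-address", addrs
    return ("resolved" if addrs else "no-data"), addrs

def ask(resolver, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return classify(s.recvfrom(4096)[0])
```

Call `ask(ip, name)` for each entry in `RESOLVERS` with a domain you expect the filter to block; a "resolved" verdict from the unfiltered address next to "nxdomain" or "blocked-null-address" from the filtering one indicates the filter is active.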
Comodo Secure Internet Gateway
Free for: Personal or commercial use (over 300,000 queries per month requires paid subscription)
DNS addresses: 8.26.56.26 and 8.20.247.20 (8.26.56.10 and 8.20.247.10 for using account customization services)
Comodo Secure DNS provides a simple free service to the public. The preconfigured service, which does not require an account, automatically blocks harmful websites, such as those containing malware, spyware, and phishing attempts. It claims to be more reliable, faster, and smarter than the DNS services provided by most ISPs.
Accounts are completely free and provide tools for custom filtering, block pages, and access reports. However, Comodo’s GUI and configuration process are not as straightforward as those of other services, and non-IT users may have difficulty. It’s clear that Comodo is aimed at enterprises. It directs managed service providers (MSPs) to manage the service through the ITarian platform, and points other businesses and enterprises to the Comodo management site.
The advanced Comodo Secure DNS service supports configuring custom blocking pages or setting up redirects. However, the free DNS service does not have a notification page for blocked pages, and users will see a browser error page when a website is blocked.
Signing up for a Premium account adds the ability to create additional policies and encrypt DNS traffic, provide more user visibility and monitoring, and provide virtual appliance support. Comodo also sells services including authoritative DNS services for websites and many other security solutions, such as SSL certificates, secure email services, antivirus, and even PCI compliance services.
Control D
Free for: Personal or commercial use
DNS address: Varies based on required protection
Control D offers some free DNS servers with pre-configured filtering, which can help spoof a user’s location without using a VPN. In addition to traditional access, they offer DNS-over-HTTPS/3 and DNS-over-TLS/DoQ.
The service provides several different DNS servers to the public for free, no account required:
These DNS servers are plain old DNS services without filtering: 76.76.2.0 and 76.76.10.0
Only blocks malware domains with the following addresses: 76.76.2.1 and 76.76.10.1
Block malware, ads and trackers: 76.76.2.2 and 76.76.10.2
Blocks malware, ads, trackers and social networks: 76.76.2.3 and 76.76.10.3
Blocks malware, ads, trackers and adult content: 76.76.2.4 and 76.76.10.4
Unblock some censored domain names from different countries: 76.76.2.5 and 76.76.10.5
Unlike most DNS services, Control D does not have a default custom blocking page; users simply see their browser’s error page. But with advanced services, they can configure redirects to specified URLs.
The service also allows selection of the precise filtering configuration and provides the DNS addresses to be used. In addition, the service publishes third-party DNS addresses with various filtering features enabled.
Routers and end-user devices can be manually configured to use the DNS service, but it also provides a simple Windows application for end-user devices that can quickly apply the service’s DNS configuration to the device.
Control D offers premium services starting at $2 per month after a 30-day free trial. This allows for more filtering to better protect against threats from clickbait, dynamic DNS, torrents, shortened URLs, and other attack tools. Additionally, it provides reports and analytics on customer usage. Their premium plan starts at $4 per month and supports location spoofing as well as unlocking geo-restricted content.