
DNS security and performance considerations, and ISP alternatives

DNS servers resolve web address names to IP addresses that your computer can use, but problems with these servers may result in performance issues.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

When you load a website, or use any other fully qualified domain name (i.e., www.macfixit.com), the name needs to be resolved to something that your computer can use, such as an IP address. The service that does this is DNS, or "Domain Name System", which is essentially the index or address book for the internet. The DNS network consists of servers and resolvers that cache and propagate a distributed, hierarchical database of internet names, domains, and subdomains. When you make a DNS request, the resolved IP address is returned to the client system (your computer).

Security Considerations

In practice the DNS service behaves very much like the /etc/hosts file on your computer, which the system consults first, before relying on DNS. The file is basically a list of IP addresses, each followed by the name (or names) you've associated with that address. If you edit the file, you can associate any domain name with any IP address of your choosing. For example:

  1. Open Terminal and enter the following command to edit the hosts file:

    sudo pico /etc/hosts

  2. Go to the bottom of the file and enter the following line:

    74.125.19.106 www.apple.com

  3. Press control-o followed by the return key to save the file.

After you have done this, open your web browser and enter "www.apple.com" in the address bar. If everything works as it should, you will see Google's homepage load instead of Apple's: the hosts file has resolved "www.apple.com" to an IP address belonging to Google. To reverse the change, delete the line and re-save the file.

What you have just done illustrates one potential problem with any domain name resolution service: any of them can resolve a name to the wrong address, and sometimes that is done deliberately for malicious purposes.

Imagine your bank's domain name being resolved to a server that looks exactly like your bank's website but is not. The name in your browser's address bar will be your bank's address, and the page may look identical, but the server behind it belongs to someone else. This is one technique thieves have used to steal identities (called "pharming"), and as the hosts-file exercise shows, it is not all that hard to do. In fact, some recent malware for OS X (DNSChanger) alters the DNS servers configured on your system to servers that are set up to do exactly this.
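The hosts-file override above is exactly what a defender should be looking for. As an added example (not part of the original article), the shell function below audits a hosts file and flags every public hostname that is mapped to an address outside the loopback and link-local ranges; the sample file it checks is constructed inline and reproduces the www.apple.com entry from the walkthrough. On a Mac you would run `audit_hosts /etc/hosts` (the file is world-readable).

```shell
#!/bin/sh
# audit_hosts FILE
# Prints "IP NAME" for every hostname in FILE that is not a local name
# (localhost, broadcasthost, *.local) and is mapped to an address outside
# loopback (127/8, ::1) and link-local (169.254/16, fe80::/10). A public name
# pointed at loopback is a common developer override and is not flagged.
# Exit status: 0 when nothing is flagged, 1 when at least one entry is.
audit_hosts() {
    awk '
        # drop trailing comments, then skip lines that are now blank
        { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }
        {
            ip = $1
            local_ip = (ip ~ /^127\./ || ip == "::1" || ip ~ /^169\.254\./ || ip ~ /^fe80:/)
            # one address may carry several names/aliases on the same line
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == "localhost" || name == "broadcasthost" || name ~ /\.local$/) continue
                if (!local_ip) { print ip, name; flagged++ }
            }
        }
        END { exit (flagged ? 1 : 0) }
    ' "$1"
}

# write_sample_hosts FILE
# Constructed sample (not a real system's file): the stock OS X entries, the
# override from the walkthrough above, one loopback dev alias, one .local name.
write_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
# added by hand while following the walkthrough:
74.125.19.106   www.apple.com
127.0.0.1       dev.example.com   # local development override, loopback
192.168.1.20    printer.local
EOF
}

# Demonstration on the constructed sample; only the www.apple.com line is reported.
tmp=$(mktemp)
write_sample_hosts "$tmp"
audit_hosts "$tmp" || echo "hosts file overrides public names; review the entries above"
rm -f "$tmp"
```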

Performance Issues

Overall, the use of DNS servers requires an element of trust, both to prevent misdirection and to get the best performance. Most DNS servers are provided by your internet service provider and usually can be trusted, but they may not be the best name resolvers. The main reason is that these servers get overburdened with requests from all of the ISP's customers, and as a result pages may take time to fully load, with your browser pausing on certain parts of a page. This can be due to latency between your computer and the server because of the server's network, or to communication problems between the name server and others on its network. Additionally, servers may suffer from caching issues depending on the demands placed on them.

To get around these problems, a few open (public) resolvers have become available that are highly optimized and well maintained. The OpenDNS project maintains a couple of DNS servers with a reputation for being fast and free of the problems other DNS servers endure, which you can use in preference to those provided by your ISP. To do this, enter the following IP addresses into the DNS server list in the Network system preferences (select your network interface and click the "Advanced..." button).

208.67.222.222
208.67.220.220

Be sure to manually change the DNS servers for all your network interfaces (AirPort, Ethernet, Bluetooth, VPN connections, etc.).

While some free servers, including the OpenDNS ones, may be fast, in order to pay for their services they may redirect mistyped names to a search page that includes sponsored links, which is one way they support the free service. This can be convenient for some people, but may also be a source of irritation to others.

Some other free DNS services besides OpenDNS are "dnsadvantage" (156.154.70.1, 156.154.71.1), "ScrubIt" (67.138.54.100, 207.225.209.66), "Cisco" (64.102.255.44, 128.107.241.185), and "Level 3 Communications" (4.2.2.1 through 4.2.2.6).

The Google Public Option

Google has recently launched a DNS service of its own, which, like the OpenDNS project, promises to be a highly optimized DNS service on a massive internet connection; however, unlike other free options, Google does not implement filtering, blocking, or redirecting for users. For an explanation of what Google's DNS service is and how to use it, check out the company's instructions.

The Google DNS IP addresses are the following (easy to remember):

8.8.8.8
8.8.4.4

I have been using Google's servers for the past day, and they work as advertised. I do not see any performance difference between them and the OpenDNS servers, but they do not redirect as the OpenDNS servers do. Personally I am indifferent to the redirecting features of DNS servers, as long as they perform well and do not hang on name resolution or incorrectly resolve accurately entered domain names. Both the OpenDNS and Google DNS servers are fast, and I recommend you use them if you are experiencing web page loading troubles.
