DNS for security


New member
Usually the service is provided by your ISP. I've used OpenDNS for security monitoring. It's reliable, straightforward and FOC. I would say that in terms of hardening your network, if you know what you're doing then they're all going to be evenly matched. With a commercial product you expect to pay for the premium product and service (usually in support) which is provided.

There was an incident whereby a thief physically got hold of my network hardware and compromised the security. After I realised that I had to monitor network activity originating locally and for that OpenDNS came in useful. OpenDNS has both a personal service which is FOC and a more elaborate DNS platform for businesses or enterprise types which costs.


New member
You should also take a look at OpenVPN :) There are better options than DynDNS. Also, you might get a static IP from your ISP.


New member
The safest will be the least-known DNS service; however, you still want a diverse group of services on the DNS so as to prevent a generalized attack. For example, if a DNS service is to only (arbitrarily) host "video games" then it could be attacked on the sole basis of video games and not intending to hit a particular target; however, if it's diverse, the chances of the hacker needing to access the services will be higher and the likelihood of their incentive to attack is lowered.


digitsdotnu said:

I'm evaluating a Google DNS alternative for my router. Which is better for security purposes?

Not sure what you mean by security in this context. If you're worried about being sent a malicious IP instead of a valid one (which may occur in case of a DNS poisoning attack against the DNS server) then rest assured that it's HARD to do that nowadays, especially against those professional large-scale DNS services, and, in this regard, I would say that you're safe 95% of the time.

The DNS is an old Internet protocol/service and didn't anticipate the existence of HOSTILE users on the network. BUT! Things have changed: a lot of hardening has been implemented, as part of the good practice side of things, and a security extension has been added to the protocol itself (the so-called DNSSEC.)

Where is the problem then?... The problem is (and I think will always be) malicious DDoSing of DNS servers. But here it's just a denial of service which, granted, may be crippling for your average Web users but not for the savvy ones. There is always a workaround to this, especially if one knows the IP of the web site he wants to go to... That easy!

I, personally, use my plain old 'host' file as my DNS for the websites that I go to frequently (the downside is that you have to update it whenever the IP changes for a given domain.)

Now, if your security concerns have to do with privacy, then that's quite another discussion (and I won't delve into it here.)

Good luck!
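
An added example, not part of the post above: a small check for the hosts-file downside the post mentions, flagging pinned entries that live DNS answers no longer confirm so they can be reviewed by hand. The sample hosts text, the sample answers and the `lookup` callable are constructed for illustration; in real use `lookup` is assumed to query a DNS server directly.

```python
import ipaddress

# Constructed sample data (documentation-range addresses, example domains).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
192.0.2.10    forum.example.com      # pinned by hand
198.51.100.7  mail.example.com webmail.example.com
203.0.113.5   old.example.net
"""
SAMPLE_DNS = {
    "forum.example.com": ["192.0.2.10"],
    "mail.example.com": ["198.51.100.99"],
    "webmail.example.com": ["198.51.100.7", "198.51.100.8"],
    "old.example.net": [],
}

def parse_hosts(text):
    """Map each pinned hostname to the set of IPs the hosts file gives it."""
    pinned = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: ignore the line
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost and 0.0.0.0 block entries are not pins
        for name in fields[1:]:
            pinned.setdefault(name.lower(), set()).add(str(ip))
    return pinned

def find_stale(hosts_text, lookup):
    """Return {name: (pinned, live)} for pins that DNS no longer confirms.

    lookup(name) must query a DNS server directly and return a list of IPs;
    the system resolver (socket.getaddrinfo) reads the hosts file first and
    would simply echo the pin back.
    """
    stale = {}
    for name, ips in parse_hosts(hosts_text).items():
        live = set(lookup(name) or ())
        if not ips <= live:  # at least one pinned IP is absent from the live answer
            stale[name] = (sorted(ips), sorted(live))
    return stale

if __name__ == "__main__":
    for name, (pinned, live) in find_stale(SAMPLE_HOSTS, SAMPLE_DNS.get).items():
        print(f"{name}: hosts file has {pinned}, DNS now answers {live or 'nothing'}")
```

A mismatch only says the pin and the live answer disagree; which of the two is correct still has to be checked by hand.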


New member
Well, for me DNS has not that much to do with security... there are nice solutions around for certain purposes like content filtering or Geo unlocking for watching IPTV or so... But in general you won't hide yourself with that


New member
It might help you to harden your own DNS entries by using DNSSEC. Or just simply secure the port/connection by a secure and strong certificate.
For most of your needs you should be able to generate your own certificate for free and whenever you use a connection which is secure via an SSL certificate you can be sure your packages are routed to the right direction. This way you don't have to be concerned about the reliability of your DNS service.