You probably have a basic picture of how surfing the web works. You type pcmag.com in the Address Bar, your browser requests that page from a web host, and PCMag sends you a plenitude of useful information. But it's not quite that simple. There's another player involved, and understanding that fact can help you protect your security and privacy—and even speed your surfing.

Here's the thing: The servers that route your internet requests don't understand domain names like pcmag.com. They only understand numeric IP addresses like 52.201.108.115, or the longer numeric addresses from the modern IPv6 system. (By longer, I mean a lot longer. Here's a sample IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.)

What Do DNS Servers Do?

So, the machines only speak numbers, but the people want to use memorable domain names like girlgeniusonline.com or zappa.com. To resolve this impasse, the Domain Name System, or DNS handles translating friendly domain names to numeric IP addresses.

Your home network typically relies on a DNS Server supplied by your ISP. After your browser sends the server a domain name, the server goes through a moderately complex interaction with other servers to return the corresponding IP address, thoroughly vetted and verified. If it's a much-used domain, the DNS Server may have that information cached, for speedier access. Now that the interaction is down to numbers, the machines can handle getting the pages you want to see.

DNS Difficulties

As you can see, the Domain Name System is essential to all your internet activities. Any problems with the system can have cascading effects on your experience.

For starters, if the ISP-supplied DNS servers are slow, or not properly configured for caching, they can effectively slow your connection. This is especially true when you load a page that draws content from many different domains, such as advertisers and affiliates. Switching to DNS servers optimized for efficiency can speed up your surfing, whether in a home or business setting.

Speaking of a business setting, some companies offer DNS services with business-friendly add-ons. For example, they can filter out malicious websites at the DNS level, so the pages never reach an employee's browser. They may also filter out porn and other work-inappropriate sites. In a similar fashion, DNS-based parental control systems help parents control children's access to age-inappropriate content, on every device.

I mentioned that your DNS server caches popular requests, so it can respond quickly, without having to query other components of the Domain Name System. Your PC or Mac also has a local DNS cache, and if the cache gets screwed up, you can have trouble visiting certain sites. Here's a problem that doesn't require switching DNS servers—all you need to do is flush your local DNS cache.

Unless you're using a VPN (Virtual Private Network), your ISP's DNS servers see every domain you request. You really can't get away from that—if you want something from the internet, you can't avoid telling someone just what you want. Your ISP knows where you go on the web, and probably doesn't care.

However, some ISPs have found a way to monetize their DNS service. When you hit an erroneous domain, one that has no actual IP address, they divert your browser to a search and advertising page preloaded with a search phrase derived from the domain name. For example, the image below shows the results of trying to visit the non-existent funnycatpiktures.com.

This may seem like a nonissue. What does it matter if the ISP displays ads? But privacy-wise it's significant. You started off with a private back-and-forth between your browser and the DNS server. The ISP broke that bubble of privacy by sending a version of your request to a search engine, where it winds up in your search history. Some people worry abut the privacy of search, which is why no-history search sites like DuckDuckGo and StartPage exist.

DNS Under Attack

You're probably familiar with the concept of phishing. Nefarious webmasters set up a fraudulent website that looks exactly like PayPal, or your bank, or even a gaming or dating site. They disperse links to the fake site using spam, malicious adverts, or other techniques. Any hapless netizen who logs in without noticing the fakery has given valuable login credentials to the bad guys. And the fraudsters typically use those credentials to log you in to the real site, so you don't realize anything has happened.

The one thing that gives these frauds away is the address bar. Keeping a sharp eye on the address bar is one way to avoid phishing scams. Some are egregious, like a page that purports to be, say, LinkedIn, but has a totally unrelated domain such as bestastroukusa.com. Others work harder to fool you, with slightly-off names like microsfot.com, or extremely lengthy URLs that conceal the actual domain. But no matter how they try, they can't fool an eagle-eyed web surfer.

That's where cache poisoning comes in. In this kind of attack, malefactors infiltrate incorrect information into the Domain Name System, typically by manipulating the cache. The user types a valid domain name, the poisoned DNS system returns the IP address for a fraudulent site, and the Address Bar shows the valid name. Unless the miscreants did a poor job imitating the target site, there's no visible clue to their chicanery.

A similar attack called DNS hijacking happens on your local computer. Malware running on the system reaches into the TCP/IP settings and simply switches you over to a DNS server controlled by hackers. Of course this only works if the malware in question can get past your antivirus, but there are still a few folks who haven't got the message about using antivirus on every computer.

What's the Best DNS Server?

DNS attacks and problems occur when DNS isn't a priority for your ISP. Getting away from these problems can be as simple as switching to a service that makes DNS security and privacy a priority.

Google Public DNS has been available for almost 10 years, with the easy-to-remember IP addresses of 8.8.8.8 and 8.8.4.4. Google promises a secure DNS connection, hardened against attacks, as well as speed benefits.

Founded in 2005, OpenDNS has been offering secure DNS even longer. It doesn't have memorable IP addresses like Google's, but does offer a variety of services. In addition to DNS servers focusing on privacy and security, it offers what it calls FamilyShield servers, which filter out inappropriate content. The company also offers a premium parental control system that gives parents more granular control over filtering. Its parent company Cisco supplies enterprises with Cisco Umbrella, which includes a security and DNS services for businesses.

Cloudflare may be the biggest internet company you've never heard of. With a sprawling, worldwide collection of servers, it offers websites internet security and protection against Distributed Denial of Service attacks, among other services. Last year Cloudflare made secure DNS available, at the very memorable IP addresses of 1.1.1.1 and 1.0.0.1. More recently, the company embarked on a plan for its 1.1.1.1 mobile app to replace VPN protection.

There are other free, public, security-centric DNS services, but you won't go wrong with these three big ones. In practical fact, the field may be shrinking. Last year, Symantec shuttered its Norton ConnectSafe service, directing users instead to OpenDNS.

How Do I Change My Router's DNS Server?

As far as switching your router to a fast, secure DNS server, I have good news and bad news. The good news is that if you make the change in your router settings, it affects every connected device. Not just computers and smartphones, mind you, but video doorbells, smart garage doors, even internet-aware toasters. The bad news is that the precise technique for changing your router's DNS settings is different for every router.

To get started, search the web by appending "change DNS" to the make and model of your router. If you're lucky, you'll find a clear set of instructions. Navigate to the desired setting and enter the primary and alternate DNS addresses for the service you chose. You may need to restart the router for the change to take effect.

While working through the steps for this article, I got an unpleasant surprise. It turns out that my ISP-supplied router, which brings me internet, TV, and phone service, does not permit me to change the DNS settings. Apparently, a true network wiz could make the change by using Telnet to log into the router, which nominally doesn't support Telnet. I guess the ISP wants to lock in the revenue from those ad and search pages.

How Do I Change My Laptop's DNS Server?

Now all the devices on your home network are using fast, secure DNS, but you've probably got some devices that don't stay on the home network. When your laptop or smartphone connects to the free Wi-Fi at that sleazy internet café, you're also using whatever DNS server the owner chose as the default. Who needs cache poisoning when you have total DNS control?

That's why you should change the local DNS settings on your mobile devices. Just how you do that varies by platform. On Windows 10:

Click the Windows button,

Click the Windows button, Choose the Settings gear,

Choose the Settings gear, Click Network & Internet,

Click Network & Internet, Click Change adapter options,

Click Change adapter options, Right-click the Wi-Fi connection and choose Properties,

Right-click the Wi-Fi connection and choose Properties, Select Internet Protocol Version 4 and click the Properties button,

Select Internet Protocol Version 4 and click the Properties button, Click the item labeled Use the following DNS server addresses,

Click the item labeled Use the following DNS server addresses, Enter the two addresses,

Enter the two addresses, Click OK, and, if necessary,

Click OK, and, if necessary, Repeat the process for Internet Protocol Version 6.

Yes, that's quite a few steps, but you can do it!

If you're using a macOS laptop:

Select Preferences from the Apple menu,

Select Preferences from the Apple menu, Launch the Network app,

Launch the Network app, Highlight the Wi-Fi connection and click the Advanced button,

Highlight the Wi-Fi connection and click the Advanced button, Click the DNS tab,

Click the DNS tab, Use the plus-sign button to add both IPv4 and IPv6 DNS addresses, and

Use the plus-sign button to add both IPv4 and IPv6 DNS addresses, and Use the minus-sign button to remove any existing addresses.

As for your mobile devices, Android versions before 9 (Pie) and all versions of iOS just don't support a global change to your DNS preferences. You have to reach in and make the change any time you connect to a new Wi-Fi network, and you can't touch the DNS settings for the cellular network. It's true that on both platforms, you can buy an app to automate that change, if you wish. But if you're going to buy an app, I'd suggest you simply run a VPN on those devices. Doing so shunts your DNS requests through the VPN company's servers, which in most cases are more secure than what you'd get from your ISP.

Going forward, Cloudflare's 1.1.1.1 app looks like an interesting DNS solution for mobile devices, and it's free. A coming enhancement called Warp will make it more like a VPN. When the VPN-enhanced app hits general release, we'll put it through its paces and let you know.

So, here's the rundown. DNS servers translate human-friendly domain names to machine-friendly IP addresses. You're probably using a DNS server supplied by your ISP, one whose quality is unknown. Switching to a third-party DNS service can both speed your internet activity and protect against tricky DNS-based attacks.

Further Reading

Security Reviews