The essential DNS

DNS tips and tricks

The Domain Name System (DNS) is a very simple, yet extremely important, service that most of us take for granted. Without it, Web browsing would be a much different experience. Instead of typing google.com into your browser, for instance, you would have to remember one of the company's many IP addresses.

A sluggish DNS service can slow your browsing, and website DNS changes can trigger that dreaded Not Found page.

Here are some tips and tricks to help DNS be all it can be for your business or home network.

[For more about how to use DNS to protect your network from phishing sites, botnets and other security issues, read 6 DNS services protect against malware and other unwanted content.]

Test DNS server speeds with namebench

Many DNS providers tout their fast speeds, but the performance you actually see depends on several factors: the speed of, and geographic distance between, your computer and the network's router on one end and, on the other, the DNS server that answers your lookups and the DNS hosts of the websites you're visiting.

Remember, DNS speeds vary based upon which websites you visit as well. So one DNS server may be fast for one user while not so much for another user, even if on the same network.

To get an idea of which DNS servers are the best for your particular computer or network, consider running some speed tests with namebench, an open-source DNS benchmark utility. It is available for Windows, Mac OS X and Unix.

The namebench utility has this GUI and is also available via a command-line interface.

Namebench performs testing to find the fastest DNS servers for your particular computer. Using your browsing history, it tests DNS speeds for sites you've already visited, giving you a personalized recommendation for which DNS server would be fastest. If you aren't comfortable with using your browsing history, or for a more general test, you can optionally test against the top 2,000 websites from Alexa, an analytics provider.

After testing is complete, namebench will present a report. In addition to giving you a table and graphical charts of the results, it will tell you which DNS server was the fastest and let you know the percentage of the speed increase compared to your current primary DNS server. It also lists the addresses for the recommended DNS servers, with the primary being the fastest and the next two best servers as secondary options.

Tests showed a DNS server from NTT was a whopping 1,794.1% faster than the ISP’s default servers.

Once you know which servers are the fastest, you can change the DNS addresses of individual computers by configuring static addresses in their TCP/IP settings, or apply these changes to an entire network by configuring static addresses in your router's WAN/Internet settings.

Block access to other DNS servers

Many companies use DNS settings to block inappropriate content from the network. But users can change the DNS server settings on their individual computer or device, bypassing the network's DNS servers. To get around content filtering, users just have to configure static DNS addresses in the TCP/IP settings -- very simple and straightforward if they know where the settings are.

Even if users don't knowingly change their DNS servers, some devices and applications -- like Roku, Chromecast, Apple TV and certain gaming systems -- have certain DNS servers configured by default. Again, this would bypass your preferred DNS, which can be an issue if you rely on DNS for content filtering.

If your network uses DNS-based filtering, consider blocking other DNS servers. One way to do this is to modify the network's firewall configuration. Even many consumer-level routers offer this capability. Though the exact interface and settings vary between different routers and firewalls, here are the general steps:

  • Block all outbound and/or inbound traffic on port 53 (both TCP and UDP)
  • Add another rule to explicitly allow traffic on port 53 (both TCP and UDP) for only the external IP address(es) of your preferred DNS server(s)

Once the firewall is configured this way, a device on which a user has manually set another DNS server will no longer be able to browse normally. The user could still reach a website by typing its IP address into the browser, but even then the page may not load properly, because most sites pull in content from other domains that also have to be resolved and would still be blocked.

After performing this step, devices and applications that come preconfigured to use another DNS server should automatically revert to using your preferred server if theirs isn't reachable.
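To make the rule ordering in the two steps above concrete, here is an added example (not code from the article) that models the firewall policy as an ordered, first-match-wins rule list, renders it as iptables commands for a Linux router, and shows that the explicit allow must precede the blanket block. The resolver addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed placeholder addresses standing in for your preferred DNS servers.
PREFERRED_RESOLVERS = ["192.0.2.53", "192.0.2.54"]

def build_dns_rules(preferred):
    """Allow port 53 (TCP and UDP) only to the preferred resolvers, then block port 53."""
    rules = []
    for ip in preferred:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for proto in ("tcp", "udp"):
            rules.append({"action": "allow", "proto": proto, "dport": 53, "dst": ip})
    for proto in ("tcp", "udp"):
        rules.append({"action": "block", "proto": proto, "dport": 53, "dst": None})
    return rules

def evaluate(rules, proto, dport, dst):
    """First matching rule decides; traffic matching no rule (e.g. port 443) is allowed."""
    for r in rules:
        if r["proto"] == proto and r["dport"] == dport and r["dst"] in (None, dst):
            return r["action"]
    return "allow"

def to_iptables(rules, chain="FORWARD"):
    """Render the rules as iptables commands for a router's FORWARD chain."""
    lines = []
    for r in rules:
        target = "ACCEPT" if r["action"] == "allow" else "DROP"
        dst = f" -d {r['dst']}" if r["dst"] else ""
        lines.append(f"iptables -A {chain} -p {r['proto']} --dport {r['dport']}{dst} -j {target}")
    return lines

if __name__ == "__main__":
    rules = build_dns_rules(PREFERRED_RESOLVERS)
    print("\n".join(to_iptables(rules)))
    print(evaluate(rules, "udp", 53, "198.51.100.9"))              # block: some other resolver
    print(evaluate(list(reversed(rules)), "udp", 53, "192.0.2.53"))  # block: rules in the wrong order
```

Reversing the list puts the blanket block first, so even the preferred resolvers are cut off; that is the misconfiguration to check for when the filter "works" but nothing resolves.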

Create website redirects or shortcuts

Windows, Mac OS X and Linux all use a hosts file, which is essentially a simple local name table. Before the computer contacts the external DNS server, it checks the hosts file for the domain or host name you're trying to visit and, if it finds a match, uses the IP address listed there to load the website in the browser.

A Windows' hosts file configured with redirects and shortcuts.

You can utilize the hosts file to create website redirects to block certain websites or to create website shortcuts. You can block specific websites by redirecting a user to another site of your choice or to a blank page. You can create website shortcuts for various reasons; perhaps make the letter g point to google.com, the word router point to the router's Web GUI, or block facebook.com by making it redirect to google.com. The options are endless.

To edit the hosts file in Windows 7, start by opening Notepad with administrative privileges: find Notepad on the Start menu, right-click it and select Run as administrator. In Windows 8 and later, go to the Start Screen, type "notepad," right-click Notepad in the results and select Run as administrator. Once you're in Notepad, open the hosts file in C:\windows\system32\drivers\etc\.

To open the hosts file in Mac OS X, launch Terminal and enter the following command: "sudo nano /private/etc/hosts". When finished, hit Control + O to save.

Once you have the hosts file open in the text editor, you can add redirects or shortcuts by entering the IP address of the desired site or server and then the desired domain or host name. Enter one redirect or shortcut per line and include a single space between the IP and domain/host name.

Once you add a redirect or shortcut, it may not work right away if you've recently visited the same domain or host name. If this happens, refer to the next section to reset the DNS caches.

Keep in mind that many viruses utilize the hosts file to redirect you to adware and malware-filled sites. This is very dangerous, because the correct domain name will appear in the browser, though you're viewing a completely different website. These bogus sites can mirror the look and feel of a legitimate website so you think it's the real one, and then they capture your login credentials.

Thus, when editing your hosts file, investigate any suspicious entries. You typically should only see one or two default entries, relating to localhost (127.0.0.1) or broadcasthost (255.255.255.255).
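As an added example (not from the article), the following parser reads hosts-file syntax the way the resolver does, answers lookups hosts-first, and lists every entry beyond the default localhost/broadcasthost lines for review, separately flagging dotted domain names pointed away from loopback, the pattern the warning above describes. The sample file is constructed and its addresses are placeholders, not the real addresses of the sites named.

```python
import ipaddress

# Constructed sample hosts file: the article's shortcuts and redirects plus one
# entry of the kind malware adds. Addresses are placeholders.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# shortcuts and redirects added by the admin
198.51.100.10   g               # 'g' -> placeholder for google.com
192.168.1.1     router          # the router's web GUI
198.51.100.10   facebook.com    # redirect facebook.com elsewhere
# a real-looking domain pointed at some other host: investigate
203.0.113.66    mybank.example.com
"""

DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost"),
                   ("255.255.255.255", "broadcasthost")}

def parse_hosts(text):
    """Return (ip, name) pairs. '#' starts a comment, fields split on any
    whitespace (tabs or spaces), and one IP may be followed by several names."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; the resolver skips it too
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries

def lookup(entries, name):
    """Hosts file first: the first matching name wins; None means 'ask DNS'."""
    for ip, host in entries:
        if host == name.lower():
            return ip
    return None

def review_entries(entries):
    """Everything beyond the default entries deserves a look."""
    return [e for e in entries if e not in DEFAULT_ENTRIES]

def domain_redirects(entries):
    """Dotted names sent somewhere other than loopback: the pattern to investigate first."""
    return [(ip, host) for ip, host in entries
            if "." in host and not ipaddress.ip_address(ip).is_loopback]
```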

Reset DNS by deleting the cache

To reduce the number of times your computer has to contact a DNS server, the operating system has a DNS caching feature. For example, if you go to Google, it logs the IP address of the Google site in temporary cache so the next time you visit it, your computer tries the IP in the cache before contacting the external DNS server. Some Internet modems, routers and gateways also include caching ability, which would apply to all the computers and devices on the network.

The problem with DNS caching occurs when a website's IP or DNS records change, or sometimes when you have modified the hosts file. If the cache holds an old IP, the new IP won't be retrieved from the external DNS server until the cached entry expires; the lifetime set for it is referred to as the time to live (TTL). Until then, you may see Page Not Found and/or other errors when visiting the site.

If you think there's an issue with the info logged by your DNS cache, you can manually reset it. Start with refreshing the operating system cache; if that doesn't solve the problem, reboot your Internet modem, router or gateway in case it performs caching as well.

To reset Windows DNS cache, open a Command Prompt and enter "ipconfig /flushdns".

To flush the DNS cache in Mac OS X 10.5 Leopard and later, open Terminal and enter "dscacheutil -flushcache".
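To show the stale-entry window and what a flush does to it, here is an added example (not from the article): a minimal positive DNS cache with TTL expiry and a flush(), driven by a fake clock so the sequence can be run offline. The zone data, upstream stand-in and addresses are constructed placeholders.

```python
import time

# Constructed stand-in for the external DNS server: name -> (ip, TTL in seconds).
ZONE = {"www.example.com": ("198.51.100.20", 300)}

def upstream(name):
    return ZONE[name]

class DnsCache:
    def __init__(self, resolver, clock=time.monotonic):
        self.resolver, self.clock = resolver, clock
        self.entries = {}            # name -> (ip, expires_at)
        self.upstream_queries = 0

    def resolve(self, name):
        now = self.clock()
        hit = self.entries.get(name)
        if hit and hit[1] > now:     # still within its TTL: answer from cache
            return hit[0]
        ip, ttl = self.resolver(name)
        self.upstream_queries += 1
        self.entries[name] = (ip, now + ttl)
        return ip

    def flush(self):
        """The equivalent of 'ipconfig /flushdns' or 'dscacheutil -flushcache'."""
        self.entries.clear()

class FakeClock:
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def demo():
    """Answers seen: fresh, stale after a change, after the TTL, after a flush; plus query count."""
    ZONE["www.example.com"] = ("198.51.100.20", 300)
    clock = FakeClock()
    cache = DnsCache(upstream, clock)
    first = cache.resolve("www.example.com")
    ZONE["www.example.com"] = ("198.51.100.21", 300)   # the site moves to a new IP
    stale = cache.resolve("www.example.com")           # cache still serves the old IP
    clock.advance(301)                                  # TTL passes
    after_ttl = cache.resolve("www.example.com")
    ZONE["www.example.com"] = ("198.51.100.22", 300)   # moves again
    cache.flush()                                       # manual reset takes effect at once
    after_flush = cache.resolve("www.example.com")
    return first, stale, after_ttl, after_flush, cache.upstream_queries
```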
