Verisign launches Public DNS service that respects user privacy
Verisign Public DNS is a free DNS service that promises better connection times, stability, security, and privacy when compared to the majority of public DNS services available on today's Internet.
The DNS services that Internet providers offer are often not the fastest, and it is easy enough to verify that by running programs like DNS Benchmark which test the performance of multiple DNS servers on the host system to find out which performs the best.
When it comes to third-party Public DNS services, there are plenty to choose from. While speed and reliability should definitely be a point of consideration, there may be others of interest including privacy, restrictions and extras that services may offer.
Companies may sell data that they collect based on your computer's look ups, and others may redirect you to custom error pages with their ads on them instead of the web browser's default error page.
While it is easy enough to find out about custom error pages, whether a company is selling or processing your data may not always be that obvious.
Verisign's newly launched Public DNS service promises to respect user privacy:
And, unlike many of the other DNS services out there, Verisign respects your privacy. We will not sell your public DNS data to third parties nor redirect your queries to serve you any ads.
The setup guide walks you through setting up the DNS server on desktop and mobile operating systems. Note that there is no program or app that you can run to set Verisign Public DNS automatically on a system.
Before you do that, you may want to test the performance of the DNS service. This can be done with the excellent DNS Benchmark which ships with dozens of DNS servers. You do need to hit the Add/Remove button to add both Verisign Public DNS IP addresses to it. The IP addresses that you need to add are 64.6.64.6 and 64.6.65.6.
As you can see on the screenshot above, it came in second right after the local network nameserver used on the test device.
The status tab confirms furthermore that it won't intercept bad domain names which means that the browser's error page will be used whenever you try to load a domain name that does not exist.
Public DNS is a bare-bones DNS service apart from that offering no filtering options for you to configure for example. That's not necessarily a bad thing considering that you may not need these options at all. It is quick to set up and if you run into issues, quick to remove as well.
Verisign promises not to sell the data but it will still process it internally as mentioned in the Terms of Service.
Verisign uses the Service Data to provide the Service and for internal business and analysis purposes. [..] Verisign will not sell, distribute any personally identifiable information (PII) collected as a result of performing the Service. Verisign will not permanently store the PII and will retain such PII for no longer than is necessary.
Closing Words
Benchmark results may vary depending on where you connect to the Internet from. It is therefore suggested to run benchmarks if you consider switching to the DNS service.
Now You: Which DNS service are you using and why?
I use Swiss Privacy Foundation also Ben, their address was changed earlier this year. IPv4 and IPv6 addresses available. Would bookmark and visit this site more often if the connection was more secure. As of now I come in through Daily Rotation on occasion, another unsecured connection. Oh well, my shared email address inbox or spam folder might get flooded, and they have my first name, but I can deal with that.
@Bond
https://github.com/alterstep/dnscrypt-unbound
http://yvoinov.blogspot.com/2014/05/windows-7-unbound-dnscrypt.html
The options/settings like resolver is random because everyone like to use other resolvers, but most if not everything is already explained over official documents. The only real think you need to be careful is that the internal dnsclient needs to be disabled + DNSCrypt need to be set to another port. The clients are very easy to use, because if something is wrong, windows can’t start them and you need to look at the logs. Pretty easy (imho).
DNSCrypt + Unbound as a cache till I die.
Care to guide me to some tutorial, an easy/clear one for Windows?
“Respects user privacy” .. NOT
Read section 9; all of your personal information collected (they don’t even break it out), will be transmitted to the US (and to authorities of your country of residence); ALL information they collect, regardless if it required by law, they just do it in accordance with the law.
Required Accordance
Pass… I’d rather have my information combined with that of others and sold rather than to have my individual information handed over.
9. Compliance with Laws. You agree that you will use the Service in compliance with these Terms of Service and all applicable local, state, national, and international laws, rules and regulations, including any laws regarding the transmission of technical and personally identifiable information data exported from the United States or the country in which you reside.
– Verisign will not sell, distribute any PII collected as a result of performing the Service. Verisign will not permanently store the PII and will retain such PII for no longer than is necessary.
So they are now in the explicit business of collecting your personal information to provide to the US (and the country you reside) and notice that they have not said that they will not turn over this information ONLY if it is required by court order etc.
Pass…
Take your pick…
Logging, a little logging, no logging, logging disabled …
http://wiki.opennicproject.org/Tier2
You do know what Verisign actually does for their income? {gas}{horror} Google would be better and that is so far down my list it is barely a dot. :)
I have reliability issues with OpenNIC servers. They go down a fair bit (at least the ones nearest to me in SE Asia).
>You do know what Verisign actually does for their income?
No, what?
Been using OpenDns for years wont touch google,Giving this Verisign a try ,So far
very fast ,Also ran Spoofability test https://www.grc.com/dns/dns.htm, Results Excellent.
I,L continue to use so far very good.
Interesting, at my location the Verisign DNS performed the worst.
Likewise–Adding Verisign to DNS Jumper and running a test resulted in 167ms and 177ms compared to, say, Ultra at 30ms and 31ms.
A few months ago I ran DNS Benchmark and OpenDNS-3 was the quickest at the location were I am most of the time. As OpenDNS has a good rep I was happy to use it.
I have to admit I know little about DNS servers. DNSCrypt is something I am not familiar with.
Maybe you can do a tutorial/blog about the whole DNS thing for the less informed. That would be great.
Thanks Martin.
That would be good, i always had interest in DNSCrypt but it feels too complicated to configure.
If you use a *buntu or derivative distro (like Mint), I would suggest http://www.webupd8.org/2014/08/encrypt-dns-traffic-in-ubuntu-with.html
Fairly easy to follow, and it works.
I’ve been using DNSCrypt for years. I suggest you start it manually after you’ve started Windows. It’s an option not to auto start it when Windows starts. Otherwise, see
https://www.opendns.com/about/innovations/dnscrypt/
I use this one: http://www.privacyfoundation.ch/de/service/server.html
I’ve just pinged both Verisign DNS resolvers’ addresses (64.6.64.6 and 64.6.65.6) and results are indeed excellent.
At this time I’m using DNSCrypt and therefor available DNS resolvers are limited. OpenDNS is still my choice, even though it does log, because it has built-in as well as user defined filtering capabilities. Built-in filters defeat all other public DNS resolvers (as well as system default) and moreover OpenDNS handles DNSCrypt, so the choice here is rather quickly done at this time.
I had a look on Verisign Public DNS’ forum and read that a user had brought up the wish of having Verisign propose a DNSCrypt connection ( https://verisign.vanillacommunity.com/discussion/16/support-dns-crypt-and-also-non-standard-ports ). If done I’d be most interested.
It didn’t say it’s non-logging, or does it say that it won’t censor sites. I’ll stick with dns.watch and censurfridns.dk for now (and dnscrypt.eu for DNS Crypt support).
I’m using the Google one (8.8.8.8) mostly because it’s a free DNS service without blocks and because it’s easy to remember. The secondary one, which will only be used if the primary server is unavailable, belongs to my ISP. I guess I should run DNS benchmark, thanks for the reminder ;)
So Google not only tracks you with cookies and JavaScript on ca. 90% of all websites, your web searches, your email, but you willingly offer them every single domain name you ever visit. Good for you.
Anyone who is even a little bit concerned about privacy should NOT use Google DNS.