Just a short note about DNS (Domain Name Service) and suppressing advertising.
Then some longer bits on other servers for DNS and why you might care.
Whenever you access a site by name, like chiefio.wordpress.com, that name gets turned into a number by a DNS lookup. It is the numbers, or addresses, that connect things together. That lookup process is a critical bit, and by mapping offensive names to non-responding numbers, you can effectively block things.
The service is a hierarchy. At the very top are a few Root Servers. Then other folks point at them for most of their content, and only add their own local stuff. So, for example, your company might have a local set of machine names internally that are in the private DNS, that then looks ‘upstream’ to the Telco for more, which itself looks further upstream eventually reaching the Root Server. That lookup return value is then held or cached in those lower servers for reuse over a longer period of time. This also means that the nearer servers can override values if they desire. Essentially, you can decide to be ‘authoritative’ inside your own space.
I’d loaded a custom set of DNS entries onto the old HP Laptop and in that way blocked many of the ads that came in. Then it had the fan fail and I moved to other hardware. The Chromebox is a bit ‘user hostile’ on things having to do with systems administration and / or changing the way it works. (Thus my making sure the model I got can have Linux put onto it if / when I feel like it). But it does let you change your DNS servers.
I have an in-house DNS server set up on a Raspberry Pi, and that’s been a nice speed up for some things as the number of DNS lookups to the ‘outside’ drops and, frankly, many of the DNS servers provided by telcos are not the fastest… But I just set it up with generic DNS upstream servers, not a filtered list. On my “todo” list has been to add a block of local DNS entries to block ads. At WUWT, the pervasive and intrusive video ad was getting to me, and they suck bandwidth a lot. (On a ‘pay by the byte’ system like my mobile hot spot that is not just offensive, but costly too…) That finally pushed me into doing something about it today.
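One way to build that block of local entries, as an added example that is not code from the post: a small Python script that turns a raw block list (hosts-file style lines or bare names) into resolver overrides mapping ad names to a non-responding address. It assumes the in-house resolver is dnsmasq (the post does not say what the Pi runs) and works on a constructed sample list.

```python
"""Turn a raw ad/tracker block list into dnsmasq overrides.

Added example; it assumes the in-house resolver runs dnsmasq and uses a
constructed sample list (not a real ad list)."""
import ipaddress
import re

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample input mixing hosts-file lines, bare names and junk.
RAW_BLOCKLIST = """\
# constructed sample list, not a real ad list
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # hosts-file style entry
video.ads.example.net
Ads.Example.NET
bad_label.example.com
localhost
"""


def is_valid_domain(name: str) -> bool:
    """At least two syntactically valid labels and a sane total length."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(lab) for lab in labels)


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_blocklist(text: str) -> set:
    """Accept '<ip> name [name...]' (hosts file) or bare names; drop comments and junk."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        tokens = line.split()
        if _is_ip(tokens[0]):          # hosts-file form: sink address, then names
            tokens = tokens[1:]
        for tok in tokens:
            tok = tok.rstrip(".")
            if is_valid_domain(tok):
                names.add(tok)
    return names


def collapse(names: set) -> set:
    """Drop names whose parent is also blocked: address=/parent/ already covers subdomains."""
    keep = set()
    for name in sorted(names, key=lambda s: s.count(".")):   # parents before children
        parts = name.split(".")
        if any(".".join(parts[i:]) in keep for i in range(1, len(parts))):
            continue
        keep.add(name)
    return keep


def to_dnsmasq(names: set, allow=(), sink: str = "0.0.0.0") -> str:
    """Emit address= lines mapping blocked names to a non-responding address,
    plus server=/name/# carve-outs so an allowed name under a blocked parent still resolves."""
    blocked = collapse(set(names) - set(allow))
    lines = [f"address=/{name}/{sink}" for name in sorted(blocked)]
    for name in sorted(allow):
        parts = name.split(".")
        if any(".".join(parts[i:]) in blocked for i in range(1, len(parts))):
            lines.append(f"server=/{name}/#")   # '#' = use the normal upstream servers
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_dnsmasq(parse_blocklist(RAW_BLOCKLIST), allow=["cdn.ads.example.net"]), end="")
```

The allow list is for the case mentioned later in the post where some wanted content is served from an ad domain: the carve-out keeps that one name resolving while its parent stays blocked.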
First step in such things is a ‘literature search’ of what others have done. Is there available somewhere a service that already has listed all the spam and ads folks? Can I just download a list like I did for the HP Laptop?
I was pleasantly surprised to find a DNS provider already providing a public DNS server that lets you do just what I wanted to do.
What is Alternate Public DNS?
Alternate DNS is a free, global Domain Name System (DNS) resolution service, that you can use to block unwanted ads.
Try it out:
Configure your network settings to use the IP addresses 184.108.40.206 and 220.127.116.11 as your DNS servers
or, Read our configuration instructions here.
If you decide to use Alternate DNS, your client programs will perform all of their DNS lookups using Alternate DNS.
The DNS protocol is an important part of the web’s infrastructure, serving as the Internet’s phone book: every time you visit a website, your computer performs a DNS lookup. Complex pages often require multiple DNS lookups before they start loading, so your computer may be performing hundreds of lookups a day.
So I put those two numbers into the manual DNS setting choice of the Chromebox and hit WUWT. First thing I noticed was a MUCH faster general load. I’d suspected that the top of page Ad might have had a timer in it to cause you to loiter over it and read it. With it gone, along with the others, page loads are very fast. Hitting a few other pages (Tallbloke, my own, BigCharts) had speedup as well (though not quite as much as the video ads are not showing on those pages). The pages do look a bit more bland / plain as all the animated dancing craplets and colorful ads are gone, so too the noise and voices that have required me to keep the sound turned off unless playing a video.
I’ve not used this for long, so can’t say anything about the performance on other sites. DNS lookups seem fast (and without all the load ads crap between each lookup the whole process just flies) and the content of the pages looks to be fine. I can imagine a case, though, where some site I want to visit might be missing or some content that I want might not show up if provided by an advert provider, so I’ll be keeping track of my old DNS settings for use “someday” if needed.
I’m going to test drive with this DNS provider for a while and if it stays workable, will eventually point my DNS server at them (getting both in-house DNS service and ad suppression in one easy step; while keeping the ability to put local overrides in my DNS server as I see fit).
I have a small pang of remorse over this. WordPress is supported by the ads, and gives me a free site. Using this tech (and sharing it) cuts directly the hand that feeds my bytes. Yet it was their “in my face” video ads on WUWT that went too far. Sucking way too much bandwidth, far too intrusively.
The animated ads were bad enough. For those of us who are sensitive to peripheral visual field disturbance they can cause rapid exit from the page and / or sliding the page so the dancing java craplet is off screen to the side. Now I have a way for them to be ‘just gone’. Had I not been pushed hard enough via negative effects, I’d have not cared enough to suppress the simple printed ads.
Some Other Bits
So there you have it. A simple way to ditch the ads.
As a fall back, if anyone finds themselves without a workable DNS entry, I’m going to list a few other sources for generic DNS servers here. (You really need to write them down somewhere – more than once I’ve hit the paper list of DNS servers at some site when things were broken and I needed to point somewhere else for DNS to get things going again.)
Open Root Server Network
Especially useful for folks in Europe, this system is a way to avoid dependence on a USA based infrastructure. While the original intent was to avoid a one nation driven shutdown, it might also be handy in preventing some kinds of, um, “intrusive” inspection of what an individual was doing. Basically, if your packets don’t come to the USA, they are less likely to be looked at by USA Three Letter Agencies.
Their site has a very nice chart of their servers and where they are located.
Open Root Server Network (ORSN) is a network of Domain Name System root nameservers for the Internet. ORSN DNS root zone information is normally kept in synchronization with the “official” Domain Name System root nameservers coordinated by ICANN. The networks are thus 100% compatible, though ORSN is operated independently. The ORSN servers are primarily placed in Europe. ORSN is also used by public name servers, providing Domain Name System access freely for everyone, without any limitation.
ORSN was primarily started to reduce the over-dependence of Internet users on the USA and Department of Commerce/IANA/ICANN/VeriSign, limit the control over the Internet that this gives, while ensuring that domain names remain unambiguous. And to avoid the technical possibility of global “Internet shutdown” by one party. They also expect their network to make domain name resolutions faster for everyone.
Markus Grundmann, Germany is the founder of ORSN, and author of ORSN distributed system management and monitoring software solution.
The ORSN root server system consists of 13 root servers, a distributed system connected over a secure VPN for synchronization and management. All of the 13 servers run FreeBSD and BIND. The monitoring and management daemon was developed by the founder, Markus Grundmann.
So a good and secure choice of software, and able to disconnect from US ‘changes’ if desired or needed. (Speaking of things that make DNS servers break…)
Letter | IP Country | IPv4 Address | IPv6 Address | Operator / Sponsor
------ | ---------- | ------------ | ------------ | ------------------
A | Austria | 18.104.22.168 | 2a00:a6a0:1:1::6:2 | XINON GmbH, St. Anna am Aigen, Austria
B | Poland | 22.214.171.124 | 2001:67c:2044:c139::53 | HosTeam S.C., Poznań, Poland
C | Germany | 126.96.36.199 | 2a01:440:1:f:178:19:70:8 | whTec, Oberhausen, Germany
D | Netherlands | 188.8.131.52 | 2001:1af8:40e0:a007:bbb:: | Mr. Ömer Canıtez
E | Denmark | | | Zen Systems A/S, Copenhagen, Denmark
F | Germany | 184.108.40.206 | 2a01:7e0:0:100:212:224:71:116 | First Colo GmbH, Munich, Germany
G | Greece | 220.127.116.11 | | Association for the Development of West Athens (ASDA), Athens, Greece
H | France | 18.104.22.168 | 2001:41d0:2:5a70::c0de | Mr. Péter Vámos, Budapest, Hungary
I | India | | | National Knowledge Network, New Delhi, India
J | Germany | 22.214.171.124 | | 3Q Medien GmbH, Potsdam, Germany
K | Germany | 126.96.36.199 | 2001:4b88:9000:: | Titan Networks GmbH, Hofheim, Germany
L | Netherlands | 188.8.131.52 | | JustNet GmbH, Baden, Switzerland
M | Germany | 184.108.40.206 | | Mr. Markus Grundmann, Founder of ORSN, Germany
OpenDNS provides DNS services to anyone. I don’t know if they have any back room operations that are not desirable (such as tracking where folks go), but they seem to work well.
Though it is quicker to find the DNS number listing on the Wiki.
OpenDNS offers DNS resolution as an alternative to using Internet service providers’ DNS servers or locally installed DNS servers. OpenDNS has adopted and supports DNSCurve.
OpenDNS provides the following recursive nameserver addresses for public use, mapped to the nearest operational server location by anycast routing:
The OpenDNS site just lists the first two as public and free. I’ve not explored the others. It also lists some DNS entries that OpenDNS requests you ‘sign up’ to get. I’m not fond of handing over my personal details to get a ‘free’ service, so won’t “go there”, but if it works without the sign up…
DNS services for personal home use
On May 13, 2007, OpenDNS launched a domain-blocking service to block web sites or non-Web servers visited based upon categories, allowing control over the type of sites that may be accessed. The categories can be overridden through individually managed blacklists and whitelists. In 2008, OpenDNS changed from a closed list of blocked domains to a community-driven list allowing subscribers to suggest sites for blocking; if enough subscribers (the number has not been disclosed) concur with the categorization of the site it is added to the appropriate category for blocking. As of 2014 there were over 60 categories. The basic OpenDNS service does not require users to register, but using the customizable block feature requires registering.
Other free, built-in features include a phishing filter. OpenDNS also run a service called PhishTank for users to submit and review suspected phishing sites.
OpenDNS also provides the following recursive nameserver addresses as part of their FamilyShield parental controls which block pornography, proxy servers, and phishing sites:
It does look like they have some negative behaviour, but not a whole lot worse than anyone else… missing / bad sites get a redirect to one of their servers…
In 2007, David Ulevitch explained that in response to Dell installing “Browser Address Error Redirector” software on their PCs, OpenDNS started resolving requests to Google.com. Some of the traffic is handled by OpenDNS typo-correcting service which corrects mistyped addresses and redirects keyword addresses to OpenDNS’s search page, while the rest is transparently passed through to the intended recipient.
Also, a user’s search request from the address bar of a browser that is configured to use the Google search engine (with a certain parameter configured) may be covertly redirected to a server owned by OpenDNS (which is within the OpenDNS Terms of Service). Users can disable this behavior by logging in to their OpenDNS account and unchecking “OpenDNS proxy” option. Additionally, Mozilla users can fix this problem by installing an extension or by simply changing or removing the navclient sourceid from their keyword search URLs.
This redirection breaks some non-Web applications that rely on getting an NXDOMAIN response for non-existent domains, such as e-mail spam filtering, or VPN access where the private network’s nameservers are consulted only when the public ones fail to resolve. Breaking local name resolution can be avoided by configuring the DNS addresses only in the forwarders of the local DNS server or router (the WAN/Internet configuration of a router or other gateway). For other purposes, or when the DNS addresses cannot be configured in a forwarder, domains for which an NXDOMAIN response is expected should be added to the Exceptions for VPN Users section of the OpenDNS Dashboard.
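A way to check for yourself whether a resolver does this NXDOMAIN redirection, as an added example that is not from the post or from any of the providers listed: it builds a raw DNS query with the standard library, parses the reply, and classifies a resolver as honest (NXDOMAIN for a name that cannot exist) or hijacking (an address comes back anyway). The constructed sample responses are for offline demonstration; the live probe assumes plain UDP port 53 is reachable.

```python
"""Detect NXDOMAIN hijacking: does a resolver answer a name that cannot exist
with NXDOMAIN, or with an address of its own (typo/ad redirect)?

Added example using only the standard library; the packet layout follows
RFC 1035. The live probe needs network access; the parsing works offline."""
import secrets
import socket
import struct

QTYPE_A, QCLASS_IN, RCODE_NXDOMAIN = 1, 1, 3


def build_query(name: str, txid: int) -> bytes:
    """Minimal A-record query, recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, txid: int) -> dict:
    """Return the RCODE and any IPv4 addresses in the answer section."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # QNAME, then QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "answers": addrs}


def classify(result: dict) -> str:
    """'honest' = NXDOMAIN as the spec requires; 'hijacked' = an address for a name that cannot exist."""
    if result["rcode"] == RCODE_NXDOMAIN:
        return "honest"
    return "hijacked" if result["answers"] else "other"


def sample_response(txid: int, name: str, rcode: int, addr: str = "") -> bytes:
    """Constructed response for offline demonstration: echoes the question and
    optionally adds one A record whose owner is a pointer to the question name."""
    ancount = 1 if addr else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)  # QR, RD, RA set
    body = build_query(name, txid)[12:]
    if addr:
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
        body += socket.inet_aton(addr)
    return header + body


def probe_resolver(server: str, timeout: float = 3.0) -> str:
    """Live check: random label under .invalid (RFC 2606, never resolves) sent over UDP/53."""
    name = secrets.token_hex(8) + ".invalid"
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return classify(parse_response(data, txid))
```

Run probe_resolver against each candidate server from this post before pointing an in-house resolver at it; a resolver that reports "hijacked" is the kind that breaks the spam-filter and VPN cases just described.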
Of course, there is also Google DNS, if you don’t mind every single site to visit being noted and tracked by them. They will know your IP address, and where you go, and share it with Agencies on request. (As, I suspect, will the Telcos and other DNS providers. The NSA is known to have DNS redirection software to grab a given DNS lookup and route ‘targets’ through their servers instead – a nifty way to do a ‘man in the middle’ attack on things like file transfers and site logins and all… Having a self hosted and locked down DNS server is necessary for anyone who wants real privacy, but it is becoming harder to do.)
Google Public DNS operates recursive name servers for public use at the following IP addresses: 220.127.116.11 and 18.104.22.168 for IPv4 service, as well as 2001:4860:4860::8888 and 2001:4860:4860::8844, for IPv6 access. The addresses are mapped to the nearest operational server by anycast routing.
The service does not use a conventional DNS name server, such as BIND, instead relying on a custom-built implementation, with limited IPv6 support, conforming to the DNS standards set forth by the IETF. It has fully supported the DNSSEC protocol since 19 March 2013. Previously Google Public DNS accepted and forwarded DNSSEC-formatted messages but did not perform validation.
There have been instances of DNS providers practicing DNS hijacking while processing queries, that is, redirecting web browsers to an advertisement site operated by the provider when a nonexistent domain name is entered. This is considered an intentional breaking of the DNS specification. The Google service correctly replies with a non-existent domain (NXDOMAIN) response. The correct implementation of the DNS specification is a reason to justify using the service.
The Google service also addresses DNS security. A common attack vector is to interfere with a DNS service to achieve redirection of web pages from legitimate to malicious servers. Google documents efforts to be resistant to DNS cache poisoning, including “Kaminsky Flaw” attacks as well as denial-of-service attacks.
It is stated that for the purposes of performance and security, only the querying IP address, which is deleted after 24-48 hours, ISP, and location information (kept permanently) are stored on the servers.
And I’m sure they never ever share with the NSA either… /sarc;
Since my Chromebox has a built in specific identifier that is requested (by sites such as Netflix) before content is delivered to it, it is already clear what their intent is. Know everything about you, your location, your equipment, your site and where you go, and what data you move. Disclaimers don’t change that.
Norton claims to have safe DNS, but I’ve never used it. They, too, take broken lookups to be an opportunity to shove ads at you.
Norton ConnectSafe is a free public DNS service offered by Symantec Corporation that claims to offer a faster and more reliable web browsing experience while blocking undesirable websites.
It provides protection from web threats in 3 protection policies. It automatically blocks known unsafe, fraudulent, phishing and infected websites which can cause harm to your devices. It also blocks unwanted content, which is not suitable for children. Users can use Norton ConnectSafe by setting their DNS server addresses to those of the Norton ConnectSafe servers. Client software for Windows, Mac OS X, and Android is available to automatically configure devices to use Norton ConnectSafe.
DNS queries routed through Norton ConnectSafe are checked using the Norton Safe Web database to ensure that they do not point to malicious or inappropriate websites. Symantec thus seeks to block malware and phishing attempts, as well as pornographic and inappropriate websites if the user desires. Norton ConnectSafe will also intercept misspelled domain names and offer suggestions or display advertising. This redirection breaks some non-Web applications that rely on getting an NXDOMAIN response for non-existent domains.
Policy A — Security
This policy blocks all sites hosting malware, phishing sites, and scam sites. To choose Policy A, use the following IP addresses as preferred and alternate DNS server addresses:
Policy B — Security + Pornography
In addition to blocking unsafe sites, this policy also blocks access to sites that contain sexually explicit material. To choose Policy B, use the following IP addresses as preferred and alternate DNS server addresses:
Policy C — Security + Pornography + Non-Family Friendly
This policy is ideal for families with young children. In addition to blocking unsafe sites and pornography sites, this policy also blocks access to sites that feature mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco, or violence. To choose Policy C, use the following IP addresses as preferred and alternate DNS server addresses:
I know nothing about these folks, but they are yet another option:
DNS Advantage is a proprietary, opt-in, free recursive cloud-delivered DNS service by Neustar launched 11 December 2007 providing two recursive nameserver addresses for public use, mapped to the nearest operational server location by anycast routing. The service is based on closed source.
It provides the following two recursive nameserver addresses for public use:
Current services are limited to DNS resolution and blocking of malicious or questionable websites. Independent testing of the malicious site blocking shows that the block list is limited.
Planned services are:
Domain filtering ‘site blocker’
I also stumbled on these folks about whom I know nothing:
Comodo Secure DNS
Comodo Secure DNS is a domain name resolution service that resolves your DNS requests through our worldwide network of redundant DNS servers. This can provide a much faster and more reliable Internet browsing experience than using the DNS servers provided by your ISP and does not require any hardware or software installation. When you choose to use Comodo SecureDNS, your computer’s network settings will be changed so that all applications that access the internet will use Comodo SecureDNS servers. Your computer’s primary/secondary DNS settings will be changed to 22.214.171.124 and 126.96.36.199.
Comodo Secure DNS gives you a safer, smarter and faster Internet because it’s:
More Reliable – Comodo Secure DNS’s server infrastructure currently spans 15 locations (nodes) and five continents around the world. This allows Comodo to offer you the most reliable fully redundant DNS service anywhere. Each node has multiple servers and is connected by several Tier 1 carriers to the Internet.
Faster – Comodo’s strategically placed nodes are located at the most optimal intersections of the Internet. Unlike most DNS providers, Comodo’s request routing technology means that no matter where you are located in the world, your DNS requests are answered by the closest available set of servers, resulting in information becoming available faster and more reliably than ever before.
Smarter – Comodo’s highly structured DNS system and guide pages get you where you want to be, when you inadvertently attempt to go to a site that doesn’t exist. ‘Parked’ or ‘not in use’ domains are automatically detected and forwarded.
Safer – As a leading provider of computer security solutions, Comodo is keenly aware of the dangers that plague the Internet today. SecureDNS helps users keep safe online with its malware domain filtering feature. SecureDNS references a real-time block list (RBL) of harmful websites (i.e. phishing sites, malware sites, spyware sites, and parked domains that may contain excessive advertising including pop-up and/or pop-under advertisements, etc.) and will warn you whenever you attempt to access a site containing potentially threatening content. Additionally, our ‘name cache invalidation’ solution signals the Comodo Secure DNS recursive servers whenever a DNS record is updated – fundamentally eliminating the concept of a TTL. Directing your requests through highly secure servers can also reduce your exposure to the DNS Cache Poisoning attacks that may affect everybody else using your ISP.
The Wiki says they are good-guys in the security cert business, though.
Comodo Group, Inc. is a privately held group of companies providing computer software and SSL digital certificates, based in Clifton, New Jersey in the United States. It has offices in the United Kingdom, Ukraine, Romania, China, India, Turkey and Clifton, NJ.
As of 24 February 2015, Comodo was the largest issuer of SSL certificates with a 34% market share on 5.4% of all web domains.
In the “old days” there were only 13 root servers. It was considered ‘bad form’ to point at them directly unless you were a provider to a significant number of other machines. So, for example, a home user would point to their Telco, and company machines to the company DNS. Only that Telco or Company might have a DNS server pointed directly to the Root Server (and even then, only to pick up a copy once for distribution going forward). Now the technology has moved on, and there can be many machines with the same name / number; so those virtual 13 machines have now multiplied a lot. That makes it less of an offense to look to these servers; but even there I’d only point a local DNS server at them, not a single laptop or desktop. Still, if you want THE authoritative source for IP number DNS lookups, this is them.
Root server addresses
As of February 2013, there are 13 root name servers specified, with names in the form letter.root-servers.net, where letter ranges from A to M. This does not mean there are 13 physical servers; each operator uses redundant computer equipment to provide reliable service even if failure of hardware or software occurs.
Additionally, nine of the servers operate in multiple geographical locations using a routing technique called anycast addressing, providing increased performance and even more fault tolerance.
Ten servers were originally in the United States; some are now operated using anycast addressing. Three servers were originally located in Stockholm (I), Amsterdam (K), and Tokyo (M).
Letter | IPv4 address | IPv6 address | AS-number | Old name | Operator | Location | #sites (global/local) | Software
------ | ------------ | ------------ | --------- | -------- | -------- | -------- | --------------------- | --------
A | 188.8.131.52 | 2001:503:ba3e::2:30 | AS19836, AS36619, AS36620, AS36622, AS36625, AS36631, AS64820 | ns.internic.net | Verisign | Distributed using anycast | 5/0 | BIND
B | 184.108.40.206 | 2001:478:65::53 (none) | AS4 | ns1.isi.edu | USC-ISI | Marina Del Rey, California | 0/1 | BIND
C | 220.127.116.11 | 2001:500:2::c | AS2149 | c.psi.net | Cogent Communications | Distributed using anycast | 8/0 | BIND
D | 18.104.22.168 | 2001:500:2d::d | AS27 | terp.umd.edu | University of Maryland | Distributed using anycast | 50/67 | BIND
E | 22.214.171.124 | N/A | AS297, AS42 | ns.nasa.gov | NASA | Distributed using anycast | 1/11 | BIND
F | 126.96.36.199 | 2001:500:2f::f | AS3557, AS1280, AS30132 | ns.isc.org | Internet Systems Consortium | Distributed using anycast | 57/0 | BIND 9
G | 188.8.131.52 | N/A | AS5927 | ns.nic.ddn.mil | Defense Information Systems Agency | Distributed using anycast | 6/0 | BIND
H | 184.108.40.206 | 2001:500:1::803f:235 | AS13 | aos.arl.army.mil | U.S. Army Research Lab | Aberdeen Proving Ground, Maryland; San Diego, California | 2/0 | NSD
I | 220.127.116.11 | 2001:7fe::53 | AS29216 | nic.nordu.net | Netnod | Distributed using anycast | 41/0 | BIND
J | 18.104.22.168 | 2001:503:c27::2:30 | AS26415, AS36626, AS36628, AS36632 | | Verisign | Distributed using anycast | 61/13 | BIND
K | 22.214.171.124 | 2001:7fd::1 | AS25152 | | RIPE NCC | Distributed using anycast | 5/12 | NSD
L | 126.96.36.199 | 2001:500:3::42 | AS20144 | | ICANN | Distributed using anycast | 157/0 | NSD
M | 188.8.131.52 | 2001:dc3::35 | AS7500 | | WIDE Project | Distributed using anycast | 6/1 | BIND
So if I don’t know anything about some of these, and I’m not using them, why list them? Because you never know when you might need a DNS server address and the more the better. Also, some of them have interesting filtering options that other folks might want. Finally, I’m a tech geek sort who will, inevitably, play with things like the DNS settings on different boxes and this gives me an easy ‘one stop’ to find targets for such play / testing.
With that, it would be a good idea to print off the DNS numbers in this listing and keep a paper copy at hand. When DNS failure happens, it’s nice to be able to just type in a known good number and get back online again. While it is more rare these days, there are still attacks on DNS servers (DDOS or Distributed Denial Of Service) and when that happens, if YOUR server is getting whacked, having a giant company with a gazillion servers and defensive software is a nice thing to have in your pocket.
Also, FWIW, I sometimes rotate the DNS servers I use for ‘upstream’ just so that no one party gets too familiar with me. While many (most? almost all?) DNS providers don’t do tracking, or ad swapping, some do, and I’d rather they had ‘outages’ on my usage. So while I sometimes accept the DHCP / Telco provided numbers, some times I don’t. And that private DNS server also means that I hit the outside server once, it goes to cache, and doesn’t get looked up again until it ages out, also hiding frequency of use information.
Oh, and FWIW, there are some real radicals out there who even run their own Root Domain servers. Just bypassing the whole formal world and doing their own thing. While officially hated, it is useful for folks wanting to do more, erm, ‘clandestine’ things, or even for folks just liking to be rebels. I’ll leave the reading for their pages, but here’s a pointer to the whole idea:
The Internet uses the Domain Name System (DNS) to associate numeric computer IP addresses with human readable names. The top level of the domain name hierarchy, the DNS root, contains the top-level domains that appear as the suffixes of all Internet domain names. The official DNS root is administered by the Internet Corporation for Assigned Names and Numbers (ICANN).
In addition, several organizations operate alternative DNS roots, often referred to as alt roots. These alternative domain name systems operate their own root nameservers and administer their own specific name spaces consisting of custom top-level domains.
The Internet Architecture Board (IAB) has spoken out strongly against alternate roots in RFC 2826.
The most notable of these is the .onion top level domain used by the TOR network, and it is the only one that I’ve actually tested / tried. But there are others. And, should a group of folks want to make a private network, nothing prevents setting up your own “top level domain” name in a private root server and going for it. So, for example, I could give myself the domain name “EM.Smith.secretnet” and anyone not using my root server would not be able to resolve that to an IP address. Any leaked documents end up being useless for figuring out where systems live in the IP space.
It is even possible to use bogus IP addresses on an internal network inside a VPN spread between sites so that anyone who DOES get the IP number and tries it (but isn’t inside the private network) goes somewhere else. At one time all of Engineering at Apple was using some other company’s assigned IP numbers internally. (The folks who originally set up the network were of the opinion that they could use any number since it wasn’t connected to the internet then, and that was true… then. This became an issue when I was connecting Engineering to the Internet. We used NAT, so it mostly worked… but if anyone wanted to connect to ‘that other company’ it failed as those addresses resolved internally.) For a while this was a security “feature” of sorts, but really one ought to use the officially non-routing IP addresses for internal networks. Things like 10.x.x.x and 192.168.x.x and the one everyone forgets: 172.16.0.0 to 172.31.255.255. But in reality, nothing prevents you from using any numbers you want on a private network, other than the fact that you then can’t get to the place that officially is using that set of numbers.
Hopefully this exposition will help folks find alternatives and get a better feel for what kinds of things you can do with Domain Name Service services. It really can be a useful thing to play with.