If you use a VPN and often tinker with network settings (see also our guide to VPN technical support on Windows), you've probably seen options such as the provider's own DNS, an integrated resolver, public DNS from Google or Cloudflare, Handshake, or a custom DNS like Pi-hole. At first glance it looks like just another setting, but the choice of DNS server has a serious impact on your privacy, security, performance, and even which websites you can reach.
In day-to-day use we usually leave the settings alone: the ISP's or VPN provider's DNS is already working. However, switching to a custom DNS (for example, a Pi-hole at home or a managed service like Control D) gives you much more control over your browsing, at the cost of taking on certain risks and responsibilities. It's worth understanding what DNS does and what each alternative offers and costs.
What is DNS and why is it so important?
The Domain Name System (DNS) is the "phone book" of the Internet: it translates human-readable names (like xataka.com or kaspersky.com) into the numerical IP addresses that computers use. Without this automatic translation you couldn't browse by typing domain names; you'd have to remember an IP address for every website.
Your Internet Service Provider (ISP) usually supplies a router preconfigured with DNS servers that the operator itself controls. Every time you type a web address, your device asks those servers for the corresponding IP address. This matters not only for the site to load: it also determines who can see your queries and who can block or manipulate them.
Name resolution involves several kinds of servers: a recursive resolver that receives your query, the root servers, the top-level domain (TLD) servers (for .com, .net and so on), and the authoritative servers for the domain, which finally return the correct IP address. Much of this information is cached so that later queries are answered faster.
When you enter a domain in the browser, the system first tries local caches (browser, operating system, the resolver itself). If the name isn't there, the query goes to the recursive resolver, which walks from the root servers to the TLD servers to the authoritative servers that return the final IP address. All of this takes milliseconds, but each hop is a potential point of control or attack.
One critical detail: classic DNS over UDP or TCP port 53 has no encryption at all. Your ISP, and anyone else who can see your traffic, can read which domains you're resolving, even though with HTTPS they can't see the content of the pages. That design makes censorship, tracking and tampering easier unless the system is properly secured.
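To make the "no encryption" point concrete, here is an added example (not code from the original article or from any DNS software) that builds a classic DNS query exactly as it goes on the wire and parses a response. The response is constructed in the script, not fetched from the network, and the domain and 192.0.2.1 (a documentation address) are placeholders. Anyone on the path can run the same parsing over a captured packet and read the question in clear.

```python
import secrets
import struct
from typing import Optional


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a plain DNS query (RFC 1035 section 4.1): 12-byte header + one question.
    qtype 1 = A record. Nothing here is encrypted: the name is literally in the bytes."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # unpredictable transaction ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD (recursion desired)
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a domain name, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset right after the name in its original position)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_message(msg: bytes) -> dict:
    """Parse header, question section and all resource records of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0xF, "questions": questions, "answers": records}


def build_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Constructed answer for offline demonstration: echoes the ID and question of
    `query` (one question, as built above) and adds a single A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; one answer
    rdata = bytes(int(octet) for octet in address.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print("on the wire:", q.hex())
    print("an on-path observer reads the question:", parse_message(q)["questions"])
    print("parsed answer:", parse_message(build_response(q, "192.0.2.1"))["answers"])
```

The header's transaction ID and the question section are what a client later checks against the answer; DoT and DoH wrap exactly these bytes in TLS, which is why they hide the name from the network but change nothing about what the resolver itself learns.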
What does the person who controls the DNS know about you?
Every DNS query leaves a trace. The operator of the DNS server sees the IP address you query from and the domain you're asking about. With that simple tuple (IP + domain + timestamp), a detailed profile of your browsing habits can be built.
Services like Google Public DNS say so openly: they keep your IP address temporarily (24 to 48 hours, according to their policy) and keep other "anonymized" usage data permanently. With that they compile statistics and improve the service and, in the case of an advertising-based company, could enrich their segmentation even while promising not to associate it with you directly.
Privacy-focused third-party providers such as Cloudflare or Quad9 advertise that they don't permanently log your IP address, minimize logs and don't sell data to advertisers. Technically, though, they have exactly the same ability as any other resolver to see your queries: trust rests on their policy, their transparency and independent audits.
Furthermore, DNS is a common control point for governments and operators. Many website blocks are applied simply by refusing to resolve certain domains in the official DNS of the country or the company. Changing your DNS often bypasses this basic censorship, although in very restrictive environments it is usually combined with other blocking techniques (IP blocking, SNI filtering, deep packet inspection).
It's essential to understand that using an alternative DNS does not hide your IP address or replace a VPN. A free public resolver is not a virtual private network: the websites you visit still see your real IP address, and your ISP still sees which IP addresses you connect to. Even with encrypted DNS (DoH or DoT) hiding the name lookup, the Server Name Indication in the TLS handshake still reveals the hostname in clear unless the site supports Encrypted Client Hello. DNS is one privacy and security layer, not a complete solution.
ISP DNS, VPN DNS, or custom DNS: typical options
Many VPN clients offer several DNS modes: use the VPN's own DNS, an integrated resolver, Handshake, keep an external DNS (Google, Cloudflare, etc.) or define a custom DNS such as a home Pi-hole. Each option has different implications.
If you leave the setting on the VPN's own DNS, all your DNS traffic is resolved by servers controlled by that VPN. The advantage is that queries travel inside the encrypted tunnel, hiding them from your ISP and reducing the risk of DNS leaks; the cost is that you place all your trust in the VPN provider, who can see every domain you access while the VPN is active.
If you choose an external resolver such as Google (8.8.8.8), Cloudflare (1.1.1.1) or others, you may gain speed and some extra protection depending on the service. Without a VPN, though, your queries go straight to those resolvers in the clear (unless you configure DoH or DoT), and you're sharing your domain history with a large company whose interests may not match your privacy.
The "Existing DNS" or "Use system DNS" option keeps whatever DNS settings the operating system already had. It's convenient, but it's a classic source of DNS leaks if the VPN client doesn't force its own resolvers or encrypt those queries: you assume everything goes through the tunnel while your domain lookups are still going to your ISP. After connecting, run a DNS leak test to verify which resolver actually answers your queries.
A custom DNS (for example, a Pi-hole on your LAN or your own resolver in the cloud) gives you maximum control: you decide what is logged, what is blocked and how it's filtered. But you then own its security, availability and maintenance, and a resolver carelessly exposed to the Internet becomes an open recursive resolver that attackers will find and abuse, for instance in DNS amplification attacks.

Advantages of using custom DNS (Pi-hole, Control D and others)
Setting up a custom DNS, whether a Pi-hole on your local network, your own DNSSEC-validating resolver, or a managed service like Control D, offers a number of advantages over the ISP's default DNS or even the generic public resolvers.
The first major advantage is the ability to block threats at the source. A resolver with up-to-date blocklists can refuse to resolve domains associated with malware, phishing, cryptojacking or malvertising. Since the "bad" name is never translated into an IP address, the connection is simply never made.
This preventive approach acts before a traditional antivirus would, which usually reacts once the threat is already running on your system. With a filtering DNS you simply never contact known dangerous domains, which greatly reduces risk for home computers and, above all, for business networks with many users. The caveat is that it only covers domains already on a list and connections made by name: malware that connects to a hard-coded IP address, or that brings its own DoH client, bypasses the filter entirely.
Second, a well-tuned custom DNS can improve performance by blocking ads, trackers and unnecessary resources (and, for example, removing ads on a Smart TV). Pages load faster, the number of external requests drops, and bandwidth consumption decreases. On modest connections or networks with many connected devices, the difference can be very noticeable.
Another key advantage is privacy (see our essential online privacy tips). Solutions like Pi-hole or privacy-focused services prevent trackers and advertising companies from collecting your activity through tracking scripts and domains. It isn't a cure-all, but it drastically reduces the constant "tip-off" to dozens of ad networks as you browse.
Finally, managed services like Control D offer a relatively simple setup, with filtering templates (adult content, games, social networks, etc.) and options to roll the service out at scale through RMM or MDM tools in enterprises. That makes it much simpler to bring this layer of security and control to dozens or hundreds of devices.
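The core of what Pi-hole, Control D and similar filters do is a small piece of logic: load a hosts-style blocklist, match a queried name against it (a listed domain also covers its subdomains), let an allowlist override it, and answer a sinkhole address instead of forwarding. The following is an added example written for this article, not code from Pi-hole or Control D; the list contents, the domains under .example and the upstream addresses are constructed stand-ins, and 0.0.0.0 is the sinkhole Pi-hole's default NULL blocking mode answers with.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed hosts-format adlist (the format most Pi-hole lists use). Hypothetical domains.
# "updates.example" is deliberately over-broad: it would also block a legitimate CDN host.
BLOCKLIST_TEXT = """
# sample adlist, constructed for this example
0.0.0.0 ads.example
0.0.0.0 tracker.metrics.example
0.0.0.0 updates.example   # too broad, see allowlist below
"""

# Stand-in for a real upstream resolver (constructed, documentation addresses).
UPSTREAM = {
    "www.example": "192.0.2.10",
    "cdn.updates.example": "192.0.2.20",
}


def parse_hosts_list(text: str) -> set:
    """Extract blocked names from a hosts-style list: skip comments, blank lines and the
    localhost entries some lists carry. Accepts '<ip> <domain>' or a bare domain per line."""
    skip = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) >= 2 else parts[0]
        name = name.lower().rstrip(".")
        if name not in skip:
            names.add(name)
    return names


@dataclass
class FilteringResolver:
    blocklist: set
    allowlist: set = field(default_factory=set)
    upstream: dict = field(default_factory=dict)  # replaces a real forwarder in this example
    sinkhole: str = "0.0.0.0"
    log: list = field(default_factory=list)       # (name, verdict), the query log you review

    @staticmethod
    def _matches(name: str, domains: set) -> bool:
        """True if name or any of its parents is listed: 'ads.example' covers 'x.ads.example'."""
        labels = name.split(".")
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))

    def resolve(self, qname: str) -> Optional[str]:
        """Return the address to answer with: sinkhole if blocked, upstream answer otherwise."""
        name = qname.lower().rstrip(".")
        if self._matches(name, self.allowlist):       # allowlist wins: fixes false positives
            verdict, answer = "allowed", self.upstream.get(name)
        elif self._matches(name, self.blocklist):
            verdict, answer = "blocked", self.sinkhole
        else:
            verdict, answer = "forwarded", self.upstream.get(name)
        self.log.append((name, verdict))
        return answer


if __name__ == "__main__":
    resolver = FilteringResolver(parse_hosts_list(BLOCKLIST_TEXT), {"cdn.updates.example"}, UPSTREAM)
    for q in ["banner.ads.example", "cdn.updates.example", "telemetry.updates.example", "WWW.Example."]:
        print(q, "->", resolver.resolve(q))
    print(resolver.log)
```

The allowlist entry is the fix for the false-positive problem discussed later: an over-broad list entry silently blocks updates until someone reads the query log and whitelists the host.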
Risks and disadvantages of custom DNS
The other side of the coin is that a custom DNS also introduces new points of failure and responsibilities. The first is obvious: if your DNS server goes down, gets overloaded or is misconfigured, your whole network loses apparent Internet access, because names stop resolving even though the connection itself works.
If you trust an unknown or dubious DNS server, the risk multiplies. A malicious or compromised resolver can answer your queries with the addresses of fake sites (phishing), serve malware or intercept sensitive data. Cache poisoning and resolver hijacking are techniques attackers routinely use to redirect traffic to infrastructure they control.
Additionally, a custom DNS may not have the same protection against DDoS or infrastructure attacks as the major providers. A denial-of-service attack against your resolver takes down name resolution for every user who depends on it. So if you run your own DNS for a business or a critical service, deploy it with redundancy (at least two resolvers) and on a robust network.
Another critical point: if you don't enable DNSSEC validation and a secure configuration, your resolver is vulnerable to cache poisoning. Here an attacker tricks the resolver into believing that a legitimate name points to the IP address of a fraudulent server. From then on, every user who queries that domain receives the manipulated address until the entry expires or the cache is flushed.
Finally, very aggressive DNS filtering of ads, trackers or content categories can cause false positives and break legitimate functionality: websites that don't load correctly, services that stop working, or security updates that never arrive because their domains are blocked. Tuning the lists and reviewing the query log regularly is essential.

Specific threats related to DNS and how to mitigate them
Because DNS infrastructure is so critical, it is a target for various attacks. These are the most common:
- DDoS (Distributed Denial of Service) attacks against a website's or provider's DNS servers. By bombarding the server with malicious traffic, they saturate its resources and legitimate requests are no longer processed, causing websites to "disappear" from the internet for the duration of the attack.
- Typosquatting. Registering domains almost identical to those of well-known brands to exploit users' typos. A non-filtering DNS will happily resolve the fake domain when you misspell the real one, and from there a convincing phishing page can steal credentials.
- Domain registration hijacking. If an attacker compromises your domain registrar account, they can change the DNS records to point at servers they control, or even transfer the domain away. To reduce this risk, use strong passwords, two-factor authentication, a registrar lock where available, and a registrar with robust security measures.
- DNS cache poisoning goes a step further. The attacker inserts false records for specific domains into a resolver's cache, so that later queries from unsuspecting users are answered with the fraudulent IP address. Because the browser trusts the DNS answer, the user can unknowingly land on a fake copy of their bank or a malware-laden site.
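Typosquatting lookalikes can be caught at the resolver before a phishing page even loads. The following detector is an added example written for this article (not code from any product named here): it folds common character substitutions, measures edit distance between the queried registrable domain and a list of protected brands, and flags near misses, including digit-for-letter swaps and TLD swaps. The brand list and query names are constructed; the two-label "registrable domain" rule is a simplification that a real deployment would replace with the Public Suffix List.

```python
from typing import Optional

# Confusable substitutions, multi-character pairs first so "rn" becomes "m" before "1" becomes "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"), ("-", "")]


def normalize(label: str) -> str:
    """Fold visually confusable sequences so 'paypa1' and 'paypal' compare equal."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so the classic typo 'kapsersky' is distance 1 from 'kaspersky', not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(name: str) -> str:
    """Last two labels. Assumption for this example: no Public Suffix List, so names
    under co.uk, com.br and similar suffixes would need a real PSL lookup."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_verdict(qname: str, protected: set, max_distance: int = 1) -> Optional[tuple]:
    """Return (protected domain, distance) if qname imitates one of the protected
    domains, or None if it is the genuine domain or nothing close."""
    candidate = registrable_domain(qname)
    if candidate in protected:
        return None  # the real domain, or one of its subdomains
    cand_brand = normalize(candidate.split(".")[0])
    best = None
    for legit in protected:
        d = osa_distance(cand_brand, normalize(legit.split(".")[0]))
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best


if __name__ == "__main__":
    brands = {"paypal.com", "kaspersky.com", "xataka.com"}  # constructed protected list
    for q in ["login.kaspersky.com", "kapsersky.com", "secure.paypa1.com", "kaspersky.co", "google.com"]:
        print(q, "->", lookalike_verdict(q, brands))
```

A distance of 0 after normalization with a different registrable domain (paypa1.com, kaspersky.co) is the strongest signal; distance 1 catches the ordinary typo. Keep max_distance small, because short brand names at distance 2 collide with legitimate words and produce exactly the false positives warned about above.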
To mitigate these risks, use DNSSEC (DNS Security Extensions), which adds cryptographic signatures to DNS data so that a validating resolver can detect tampered answers. Two caveats: DNSSEC only protects zones whose owners have signed them, and it authenticates the data, not the channel, so it doesn't hide your queries. Combine it with encrypted transports (DoT, DoH or a VPN), randomized transaction IDs and source ports on the resolver, and strict access policies (no open recursion to the whole Internet) to greatly reduce the chances of hijacking or poisoning.
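For unsigned zones, which are still the majority, a resolver's defence against off-path cache poisoning is entropy plus strict matching: a random 16-bit transaction ID, a random source port, and acceptance of a reply only if ID, port, source address and question section all match an outstanding query, with out-of-bailiwick records discarded. The model below is an added example (not code from any resolver): it contrasts an old-style resolver (sequential IDs, fixed port) with a hardened one, and lets a simulated attacker spray forged answers. The hostnames and addresses are constructed documentation values; UDP source addresses are trivially forged, which is why the source check alone is never enough.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int  # resolver's UDP source port; a real answer comes back to it
    qname: str
    qtype: str
    server: str    # IP the query was sent to
    zone: str      # zone that server is authoritative for (its bailiwick)


@dataclass
class Response:
    txid: int
    dst_port: int
    src_ip: str    # forgeable over UDP: an attacker just writes the real server's IP here
    qname: str
    qtype: str
    records: list  # (owner_name, type, rdata), answer and additional sections together


def in_bailiwick(owner: str, zone: str) -> bool:
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class ResolverCache:
    """Toy recursive-resolver cache. hardened=True randomizes transaction ID and source
    port (RFC 5452 style); hardened=False mimics sequential IDs on a fixed port."""

    def __init__(self, hardened: bool = True):
        self.hardened = hardened
        self.pending = {}   # (txid, port) -> Query
        self.cache = {}     # (owner, type) -> rdata
        self._seq = 0

    def send(self, qname: str, qtype: str, server: str, zone: str) -> Query:
        if self.hardened:
            txid = secrets.randbelow(1 << 16)
            port = 49152 + secrets.randbelow(16384)  # ephemeral range: ~30 bits combined
        else:
            txid, self._seq = self._seq, (self._seq + 1) & 0xFFFF
            port = 53                                 # fixed source port: 16 bits of ID only
        q = Query(txid, port, qname, qtype, server, zone)
        self.pending[(txid, port)] = q
        return q

    def receive(self, r: Response) -> str:
        q = self.pending.get((r.txid, r.dst_port))
        if q is None:
            return "dropped: txid/port match no outstanding query"
        if (r.src_ip, r.qname.lower(), r.qtype) != (q.server, q.qname.lower(), q.qtype):
            return "dropped: source or question section mismatch"
        del self.pending[(r.txid, r.dst_port)]
        for owner, rtype, rdata in r.records:
            if in_bailiwick(owner, q.zone):          # never cache out-of-zone records
                self.cache[(owner.lower(), rtype)] = rdata
        return "accepted"


def spoof_burst(resolver: ResolverCache, q: Query, attacker_ip: str, txid_guesses, port_guess: int = 53):
    """Off-path attacker who knows the question and the real server's IP (spoofed as source)
    but must guess txid and destination port. Returns the guess that got in, or None."""
    for guess in txid_guesses:
        forged = Response(guess, port_guess, q.server, q.qname, q.qtype,
                          [(q.qname, q.qtype, attacker_ip)])
        if resolver.receive(forged) == "accepted":
            return guess
    return None


if __name__ == "__main__":
    weak = ResolverCache(hardened=False)
    wq = weak.send("www.example.com", "A", "192.0.2.53", "example.com")
    print("weak resolver poisoned with guess:", spoof_burst(weak, wq, "203.0.113.66", range(256)))
    hard = ResolverCache(hardened=True)
    hq = hard.send("www.example.com", "A", "192.0.2.53", "example.com")
    print("hardened resolver poisoned with guess:", spoof_burst(hard, hq, "203.0.113.66", range(1 << 16)))
```

Against the hardened resolver the attacker also has to hit the random source port, which multiplies the search space by about 16,000 and, in practice, means racing the genuine answer thousands of times; DNSSEC validation removes even that window for signed zones.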
Most common public and private DNS servers
In addition to your ISP's or VPN's DNS servers, there is a wide catalog of free, public DNS servers that you can configure manually on your router, PC or mobile device. Some of the best known:
- OpenDNS (208.67.222.222 and 208.67.220.220). One of the oldest public services, now owned by Cisco. It offers paid versions and a free version with good speed, high availability, default blocking of phishing websites, and parental control options.
- Cloudflare (1.1.1.1 and 1.0.0.1). Focused on performance and privacy. It promises not to use your data for advertising and not to write your IP address to disk. It's usually very quick and easy to set up, without too many extras.
- Google Public DNS (8.8.8.8 and 8.8.4.4). Designed for less technical users, with good documentation. In exchange for this ease of use and performance, it retains anonymized browsing logs and your IP address for a limited time.
- Comodo Secure DNS (8.26.56.26 and 8.20.247.20). Aimed at blocking dangerous sites, spyware and domains with excessive advertising, relying on Comodo's experience in the field of security.
- Quad9 (9.9.9.9 and 149.112.112.112). Relatively new, but focused on blocking malicious domains using threat intelligence from multiple sources. It offers a good balance between security and performance.
- Yandex.DNS (77.88.8.8 and 77.88.8.1). Russian alternative, with a basic profile plus "Safe" variants (77.88.8.88 and 77.88.8.2) that block dangerous websites and "Family" variants (77.88.8.7 and 77.88.8.3) that also filter adult content.
- Public DNS Server List. A large database where you can search for free DNS servers worldwide, filtered by country.
When choosing between keeping your VPN's DNS, using public resolvers, or setting up your own Pi-hole, the key question is who you want to trust with your domain queries and how much control you need over filtering, performance and privacy. Once you understand the advantages and risks of each option, it's much easier to match the settings to your priorities without unexpected security or browsing problems.
