Latest news of the domain name industry

Recent Posts

Verisign offers free public DNS

Kevin Murphy, September 30, 2015, 17:21:17 (UTC), Domain Tech

Verisign has launched a free recursive DNS service aimed at the consumer market.

Public DNS, as the service is called, is being positioned as a way to avoid having your browsing history collated and sold for marketing purposes by your ISP.

There’s no charge, and the company is promising not to sell your data. It also does not plan to monetize NXDOMAIN traffic.

So what’s in it for Verisign? According to a FAQ:

One of Verisign’s core operating principles is to be a good steward of the Internet. Providing the Verisign Public DNS service supports the overall ecosystem of DNS and solidifies end-user trust in the critical navigation that they have come to depend upon for their everyday interactions.

Verisign also offers paid-for recursive DNS services to enterprises, so there may be an up-sell opportunity here.

The market for free public DNS currently has big players including Cisco’s OpenDNS and Google.

If you want to use the Verisign service, the IP addresses to switch to are 64.6.64.6 and 64.6.65.6.

Tagged: , ,

Comments (12)

  1. Andrew says:

    Interesting. They already have NXD traffic data, but the more usage info they collect, the more valuable it can become (even if it’s not “sold”).

  2. Privacy & Security says:

    Using a public DNS provider in no way prevents your ISP from snooping on your DNS or non-HTTPS web traffic.

    Your ISP can also hijack public DNS requests to modify them, unless the few sites your visiting use DNSSEC (and your browser/client verifies the signatures).

    Yes, using your ISPs name servers makes it easier for them, but it’s pretty easy to watch all port 53 DNS traffic and monetize NXDOMAINs if they choose or mine the data.

    I tested all 3:
    * Verisign – validates DNSSEC
    * Google – validates DNSSEC
    * OpenDNS – no DNSSEC validation (!)

    • Kevin Murphy says:

      Good point, thanks.

    • Security fail says:

      DNSSEC doesnt protect your privacy. Validation at the DNS service end wont help you. You either validate it yourself or use a VPN to the DNS service or (in the future) use services and client software implementing the proposed DPRIVE https://datatracker.ietf.org/wg/dprive/charter/

    • Rubens Kuhl says:

      Such snooping might be illegal in some jurisdictions, so at least in those the change from an ISP DNS recursive to a public DNS service betters that a bit.

      That said, OpenDNS allows an encrypted query service using DNSCurve that does prevent snooping.

      • Security fail says:

        But DNSCurve doesnt prevent answer modification. I’d like both: Privacy plus truthfulness. Truthfulness is the most important, but privacy is pretty close behind.

        • Rubens Kuhl says:

          Just to be clear, Security Fail means answer modification by OpenDNS itself, which it could do; DNSCurve does prevent answer modification by ISP.

          • Privacy & Security says:

            Thanks for the tips about DNSCurve, specifically OpenDNS’s modification called DNSCrypt that encrypts DNS lookups from the client to a recursive resolver.

            DPrive also looks interesting, we’ll see what implementation they decide on. There’s also DNS over TLS, but it’s awkward.

            Yes, DNSSEC is not encryption, but provides verification that the answer is authentic.

            I agree with Security Fail, we need both encryption and verification — ideally from the end user though the entire authority chain.

            • Rubens Kuhl says:

              I don’t think the DPRIVE WG has to settle on a single implementation; we have different devices (mobile x desktop), different access networks (low latency, high latency; Public IP, NAT;) and different threat vectors (ISP, Local censorship/surveillance, Foreign state actors). I don’t think all combinations favor a single response…

      • Kevin Murphy says:

        I’m not sure, but I think Verisign’s ToS says it won’t store or use any of the date.

  3. Rubens Kuhl says:

    Verisign has used lots of their DNS traffic insights from running root servers to promote agendas such as name collision FUD, so running a recursive service can also increase their opportunities for producing scary papers.

  4. Marco says:

    I’m not really interested in IPv4 addresses, because they are old school and legacy.

    Here are the IPv6 addresses:

    2620:74:1b::1:1
    2620:74:1c::2:2

Add Your Comment