
Do third-party DNS providers pose security risks?

Third-party DNS providers claim to improve browsing times and speeds, but are they a secure enterprise option? Expert Michael Cobb explains.

I've read that enterprise users sometimes use a DNS other than that provided by our ISP (for example, Google DNS)....

Are there any enterprise security advantages to employees using third-party DNSes? Will going outside the ISP put DNS security at risk?

DNS plays a critical role in Internet communications as it translates human-readable computer hostnames to destinations defined by IP addresses in order for them to be used by networking equipment, computers and software programs; translates to, for example.

DNS is the world's largest distributed database supported by millions of domain name servers and administrators, each providing information about a small segment of the domain name space. DNS lookups can become significant bottlenecks in the browsing experience as today's webpages tend to reference resources from numerous different domains, all of which have to be translated.

As there is no guarantee that an organization's chosen Internet service provider (ISP) will have well-resourced DNS servers, there may be an argument for using a global third-party DNS provider -- such as Google Public DNS, OpenDNS or UltraDNS -- to improve browsing times as they are focused on optimizing DNS lookup times. Google Public DNS, for example, is a free, global DNS resolution service functioning as a recursive name server and providing domain name resolution for any host on the Internet. Google claims various efficiency and speed benefits -- such as using anycast routing to send user requests to the closest data center, overprovisioning servers to handle denial-of-service attacks, and load-balancing servers using two cache levels, with a small per-host cache containing the most popular names and another pool of servers partitioned by the name to be looked up. As of 2014, it is the largest public DNS service in the world, handling over 400 billion requests per day.

Faster Web browsing can obviously improve employee productivity, but there are privacy and security issues to consider before switching to a different DNS service. Certainly don't choose any provider that practices what's known as DNS hijacking while processing queries, as it means users will be redirected to an advertisement site operated by the provider when a nonexistent domain name is entered. More importantly, though, look for services that follow DNS security best practices and are resistant to denial-of-service attacks, DNS cache poisoning and other DNS-related attacks.

Privacy is another issue to consider. An enterprise's ISP is already in a position to monitor its Internet traffic; using a different DNS service means giving a second organization the ability to log and collate what requests are being made, so be sure to check out their privacy policy. For example, Google Public DNS's policy states that "Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We delete these temporary logs within 24 to 48 hours. In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging and analyze abuse phenomena. After keeping this data for two weeks, we randomly sample a small subset for permanent storage." Importantly it also states that, "We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services."

There are various DNS benchmarking tools -- DNS Benchmark and namebench are two free programs that enable DNS performance analysis -- that can help evaluate whether a particular DNS service improves browsing times for commonly accessed sites.
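A small resolver probe that checks the two points above, whether a candidate resolver rewrites NXDOMAIN responses (the hijacking practice to avoid) and how long it takes to answer, written as an added example for this article rather than code from the author or from any of the benchmarking tools named; it uses only the Python standard library, sends a hand-built DNS query for a random label that cannot exist, and treats 8.8.8.8 (Google Public DNS) as the resolver under evaluation, which you would replace with the addresses you are comparing:

```python
import random
import socket
import struct
import time

# Added example, not from the original article: probe a resolver for NXDOMAIN
# rewriting by asking for a name that cannot exist and timing the answer.
NXDOMAIN = 3

def build_query(name, txid, qtype=1):
    """Build a minimal DNS query (A record by default) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data, txid):
    """Return (rcode, answer_count); reject packets that are not a reply to txid."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, ancount

def classify(rcode, ancount):
    """An honest resolver says NXDOMAIN; answers for a nonexistent name mean rewriting."""
    if rcode == NXDOMAIN and ancount == 0:
        return "honest NXDOMAIN"
    if rcode == 0 and ancount > 0:
        return "NXDOMAIN hijacking suspected"
    return "other rcode %d" % rcode

def probe(resolver_ip, base_domain="example.com", timeout=2.0):
    """Query a random label under base_domain; return (verdict, elapsed_ms)."""
    name = "%08x.%s" % (random.getrandbits(32), base_domain)
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    elapsed_ms = (time.monotonic() - start) * 1000
    return classify(*parse_response(data, txid)), elapsed_ms

if __name__ == "__main__":
    for ip in ("8.8.8.8",):  # resolvers to compare; 8.8.8.8 is Google Public DNS
        print(ip, *probe(ip))
```

Run it several times against each candidate and compare the median latency; a single sample says little, and any resolver that returns answers for the random name should be ruled out regardless of speed.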

Another option is to run a caching DNS server in-house to do direct lookups for the sites most frequently accessed by employees -- such as, and -- and only forward other requests onto your DNS provider.

The final decision, however, should be based on which technology can provide the most secure and reliable DNS service.


This was last published in September 2015