A network map showing how Verisign’s secure domain lookup works

Secure Domain Lookup Service Protects Your Privacy

One of the pieces of plumbing clanking away behind the scenes when you make any Internet query is a recursive domain name system (DNS) lookup chain that hops from server to server. That hopping is the recursive part. You may think of www.example.com as all one thing, but each of its parts has to be checked.

From .com to example.com to www.example.com is already three stops, and you haven’t even gotten to anything interesting yet. Other Web pages may be deep inside a server hierarchy, and each level needs to be verified to return the page to the requester.

This work is done by the user’s Internet service provider — companies like Verizon and Comcast — and as the Internet has evolved, the rich recursive information stream associated with each click or typed string in a browser has become a valuable source of information for advertisers. To a great degree, Google’s main business is built on this type of data.

There is a huge industry behind the mass collection of recursive DNS data, which is sold to the highest bidder, likely a data mining or aggregating company. These firms are in the business of building ever higher resolution pictures of individuals and specific demographics around the world. Advertisers use this data to target ads at more likely buyers of their products.

In theory, this should be a good thing. You don’t want to see random ads cluttering up your Internet experience, but — if you can get past the creep factor — you might very well want to see ads for used Hobie Cats when you’re reading up on boating laws in the United States after catching up on how to tie common nautical knots. However, all is not benign in this data-flooded world of ours.

Most people have no idea that this data is being collected or how it is being used, and the highest bidder may not have the user’s best interests at heart. For example, there’s nothing to stop a fraudster from aiming a snake oil ad with links to a bank-account-emptying scheme at people who look up information about chronic fatal diseases. People facing death, fearful and ready to try anything, may be more vulnerable to this type of attack. An investment in this type of data may be quite worthwhile for a criminal enterprise.

It’s true, people do share personal information voluntarily on places like Facebook and Twitter, but this stream actually says quite a bit less about them than that involuntary stream that they aren’t even aware of.

Into this breach comes Verisign, which recently launched a service that protects users’ recursive DNS data from being sold to third parties or used to serve users ads. The company calls the service Verisign Public DNS, and it’s designed to protect user privacy. As the operator of the .com and .net domains as well as two of the 13 Internet root servers, Verisign’s business is making sure that the main pipes of the Internet operate smoothly for everyone. It’s not in the information gathering or advertising business.

The Verisign Public DNS service is really quite simple to use. Literally, all you have to do is configure your device to point to the company’s public DNS addresses: 64.6.64.6 and 64.6.65.6 (or in the case of IPv6, 2620:74:1b::1:1 and 2620:74:1c::2:2). The hardest part is typing those strings, and you don’t even have to. You can block-copy and paste them.

Here’s a page that demonstrates how the Verisign recursive resolver finds you what you want without messing with your privacy. And here is a straightforward set of instructions on how to modify your lookup process for various flavors of Windows, Mac OS, and Linux, and on non-PC devices like routers and phones.
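Once a device has been reconfigured, it is worth confirming that no other resolver is still listed, since a leftover ISP entry keeps receiving some of the lookups. The following check is an added example, not part of the original article or Verisign's instructions; it assumes a Linux-style resolv.conf file, and the function names and sample file contents are constructed for illustration.

```python
import ipaddress

# Resolver addresses as given in the article for Verisign Public DNS.
VERISIGN_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("64.6.64.6", "64.6.65.6", "2620:74:1b::1:1", "2620:74:1c::2:2")
}


def parse_nameservers(resolv_conf_text):
    """Return (parsed_addresses, unparsable_entries) from resolv.conf-style text."""
    valid, invalid = [], []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            valid.append(ipaddress.ip_address(fields[1]))
        except ValueError:
            invalid.append(fields[1])
    return valid, invalid


def audit(resolv_conf_text):
    """Classify configured resolvers; comparison is on parsed addresses, so
    expanded and compressed IPv6 spellings of the same address match."""
    valid, invalid = parse_nameservers(resolv_conf_text)
    verisign = [str(a) for a in valid if a in VERISIGN_RESOLVERS]
    other = [str(a) for a in valid if a not in VERISIGN_RESOLVERS]
    return {
        "verisign": verisign,
        "other": other,
        "invalid": invalid,
        "only_verisign": bool(verisign) and not other and not invalid,
    }


# Constructed sample: two Verisign entries plus a leftover third resolver
# (192.0.2.53 is a documentation-range stand-in for an ISP address).
SAMPLE_MIXED = """\
nameserver 64.6.64.6
nameserver 2620:0074:001b:0000:0000:0000:0001:0001
nameserver 192.0.2.53   # left over from the ISP's DHCP lease
"""

if __name__ == "__main__":
    print(audit(SAMPLE_MIXED))
```

On hosts running systemd-resolved, /etc/resolv.conf usually lists only the local stub 127.0.0.53, which this check reports under "other"; the upstream servers then have to be checked in that service's own configuration.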

Verisign has promised not to sell users’ public DNS data to third parties or redirect any failed queries to sites that serve ads. It also claims to offer improved DNS stability and security over vanilla ISP alternatives.

Oh, and the service is free.