"Secure DNS" server. What is that really?

During installation of CIS4, I’m asked if I want to use Comodo’s Secure DNS servers. Alas, that is not defined so an informed choice at that time is not possible.

It could mean Comodo secures their DNS servers against attack. It could mean that SSL/TLS is employed during the DNS query to ensure the client (Comodo’s firewall perhaps) will only connect to a server whose cert authenticates itself as owned and operated by Comodo. It could mean that Comodo has joined with other DNS providers that are adopting the DNSSEC extensions to prevent corruption of that database (see http://www.dnssec.net). “Secure DNS” server really doesn’t say HOW their servers or service is secured.

Also, while the user can opt into using Comodo’s “secure” DNS servers during the installation, I found no configuration setting that lets the user opt out. Instead the user has to go into the properties of their network connectoid to configure its TCP/IP settings (back to DHCP or back to whatever statically addressed DNS server they were using before, like OpenDNS). While I and most of my tech wizard friends know about reconfiguring TCP/IP settings, I doubt the majority of Comodo users are familiar with that task. If Comodo is going to offer the service, it seems appropriate that they also provide a means to revert to NOT using their service (i.e., go back to what it was before).

There was also something vague in the description of those secure DNS servers in the last point about the advantage of using them. I didn’t record the text but do remember the sentence was left dangling with “forward”, as in invalid domain names would get forward … but to where wasn’t mentioned. I suspect the DNS lookup failures would result in users getting forwarded (redirected) to a search or info page offered by Comodo. Verisign tried this something like 6 years ago but got lambasted for their attempt to usurp the lookups. Comcast (my ISP) also provided this “feature” but users could opt out. OpenDNS defaults to using the redirection page for failed DNS queries because they garner revenue from the Google search on that “help” page. When I enter “www.intel.coo” and when using Comodo’s “secure” DNS servers, yep, I’m forwarded to Comodo’s “help” page which guesses at what I might’ve meant to enter for a site’s URL. It doesn’t look like Google is involved so I don’t know what search engine is employed by Comodo for those lookups and to where those links might get handled.

So I see the following points about this feature offered by Comodo:

  • I can use Comodo’s “secure” DNS servers but have no good information on just what secure means in the context it is used.

  • Once you opt in, there is no configuration setting to opt out. You’ll have to opt out manually if you realize how you were opted in.

  • And then there’s the “help” lookup page for failed DNS queries which I don’t care for. I opted out of this “service” with my own ISP. I quit using OpenDNS because they force the use of the Google lookup page (unless you go through creating an account and install a DNS updater client to update your account so they know to which IP address to apply your account’s settings). It was a debacle when Verisign tried it. I don’t care for it and it might be sufficient cause for me not to use Comodo’s “secure” DNS servers.