ODVR

What is the CZ.NIC ODVR?

CZ.NIC ODVR are Open DNSSEC Validating Resolvers that you may freely use instead of the standard DNS resolvers offered by your Internet service provider.

What is DNS?

The DNS (Domain Name System) acts like a phone directory for internet IP addresses. It pairs the numeric IP addresses with labels, called domain names, that a user can easily remember and type in her web browser (e.g. if she looks for a company called XYZ, she types www.xyz.com). Just like a phone, the browser then searches the "directory", looks up the right record, automatically connects to the IP address assigned to that domain name and finally displays the company's webpage to the user.

More information is on the page About domains and DNS.

What is DNSSEC?

DNSSEC is an extension to the Domain Name System (DNS) that enhances its security. DNSSEC guarantees to its users that the information they receive from DNS was supplied by a rightful source, is complete, and has not been tampered with. DNSSEC ensures the credibility of DNS information.

More information is on the page How DNSSEC works.

How to set up CZ.NIC resolvers?

Change your network configuration so that it uses resolvers with IP addresses 217.31.204.130 and 193.29.206.206. If your network connection supports the IPv6 protocol, you can add IPv6 addresses 2001:1488:800:400::130 and 2001:678:1::206 as well.

Microsoft Windows XP

You have to change the settings of a specific network connection.

  1. Open Control Panel
  2. Click on Internet and Network Connections and then on Network Connections.
  3. Choose the connection for which you want to use CZ.NIC resolvers. To change a wired (Ethernet) connection, right-click on Local network connection and select Properties. To change a wireless connection, right-click on Wireless connection and select Properties.
  4. Choose the General tab. Select Internet protocol (TCP/IP) in the This connection uses the following items: list and click on the Properties button.
  5. In the General tab click on the Advanced… button and choose the DNS tab. If the listbox already contains IP addresses, write them down in case you want to return to them in the future.
  6. Click on the OK button.
  7. Select Use the following DNS server addresses:.
  8. Enter the CZ.NIC resolvers' IP addresses 217.31.204.130 and 193.29.206.206 to the fields Preferred DNS server and Alternate DNS server.
  9. Restart the connection you selected in step 3.
  10. Check that your new CZ.NIC resolvers work correctly: open the page www.dnssec.cz and check that the key on the right side is green. If the key is broken and red, your setup is not correct.
  11. Repeat the previous steps for all network connections where you want to use the CZ.NIC Open DNSSEC Validating Resolvers.

Mac OS X 10.5/10.6

  1. In the Apple menu select System Preferences, then click on Network.
  2. If the lock icon in the bottom left corner is locked, click on it to authorize changes you will make. You have to enter your password.
  3. Select the connection for which you want to set up the CZ.NIC resolvers. For example, to change a wired network setup, select Ethernet in the list and click on Advanced… To change a wireless network setup, select Airport in the list and click on Advanced…
  4. Choose the DNS tab.
  5. Click on the + button and replace IP addresses already there with the CZ.NIC resolvers' IP addresses: 217.31.204.130 and 193.29.206.206.
  6. Click on the OK button and then on the Apply button.
  7. Check that your new CZ.NIC resolvers work correctly: open the page www.dnssec.cz and check that the key on the right side is green. If the key is broken and red, your setup is not correct. This may take some time in the Safari browser.
  8. Repeat the previous steps for all network connections where you want to use the CZ.NIC Open DNSSEC Validating Resolvers.

Linux (Network Manager)

If your Linux distribution does not use Network Manager, consult your distribution's documentation or vendor for instructions on changing DNS resolvers.

  1. Right-click on the Network Manager icon and choose Edit connections…
  2. Select a network connection which you want to use with the CZ.NIC resolvers. For example, for a wired connection choose the Wired tab, select Auto eth0 from the list and click on the Edit button. For a wireless connection choose the Wireless tab, select Auto <connection_name> from the list and click on the Edit button.
  3. Choose the IPv4 Settings tab. If you already have Automatic (DHCP) in the Method combobox, change it to Automatic (DHCP) addresses only.
  4. After you have selected either the Automatic (DHCP) addresses only method or the Manual method, you can edit the DNS servers field. If this field already contains IP addresses, write them down in case you want to cease using CZ.NIC resolvers in the future. Type the CZ.NIC resolvers' IP addresses into the DNS servers field, separated with commas: 217.31.204.130, 193.29.206.206.
  5. Click on the Apply button. You might need to enter your password, depending on your system setup.
  6. Click on the Close button.
  7. Check that your new CZ.NIC resolvers work correctly: open the page www.dnssec.cz and check that the key on the right side is green. If the key is broken and red, your setup is not correct.
  8. Repeat the previous steps for all network connections where you want to use the CZ.NIC Open DNSSEC Validating Resolvers.

What benefits do I get from using CZ.NIC resolvers?

Most Internet service providers (and DNS resolvers) do not support DNS validation on their servers. Using CZ.NIC ODVR ensures that your DNS queries are validated with the DNSSEC technology.

Will all my DNS queries be secured if I use CZ.NIC resolvers?

No. There are two reasons why only some DNS queries are secured:

  1. Most domain names are not yet signed with the DNSSEC technology. Validation (i.e. security check) is possible only for signed domain names.
  2. Most applications, e.g. the web browser and the stub resolver (the operating system component responsible for communication with DNS) in your computer, do not support the DNSSEC technology. That means that unless you use a specialized application, for example the DNSSEC Validator add-on for the Firefox browser, you won't know whether a given page is secured or not.
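
The validation result that ordinary applications hide can be read directly from the resolver's reply. The following is an added example, not part of the original page: it builds a query with the EDNS0 "DNSSEC OK" bit and classifies the reply by its AD flag and SERVFAIL code. The function names and the sample replies are constructed for illustration; only the resolver address comes from this page.

```python
import os
import socket
import struct

RD_FLAG = 0x0100   # Recursion Desired
AD_FLAG = 0x0020   # Authenticated Data: the resolver validated the answer
DO_FLAG = 0x8000   # EDNS0 "DNSSEC OK", carried in the OPT record's TTL field
SERVFAIL = 2

def build_query(name, qtype=1):
    """Return (id, packet) for an A query with a random ID and EDNS0 DO set."""
    qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, RD_FLAG, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP size 1232, TTL = flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_FLAG, 0)
    return qid, header + question + opt

def classify(response, qid):
    """Map a reply to 'validated', 'bogus-or-failed' or 'not-validated'."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F == SERVFAIL:
        return "bogus-or-failed"   # a validating resolver withholds bogus data
    return "validated" if flags & AD_FLAG else "not-validated"

def ask(name, resolver="217.31.204.130", timeout=3.0):
    """Query a resolver over UDP (needs network; address taken from the page)."""
    qid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver, 53))  # only accept replies from this address
        s.send(packet)
        return classify(s.recv(4096), qid)

def sample_reply(qid, flags):
    """Constructed header-only reply used to exercise classify() offline."""
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)
```

"not-validated" covers both an unsigned domain and a resolver that does not validate at all. The AD flag itself is not signed, so it is only as trustworthy as the network path between your computer and the resolver.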

Is using CZ.NIC resolvers safe?

That depends on many factors. There's a theoretical possibility that an adversary could attack the connection between your computer and CZ.NIC resolvers if your stub resolver did not use well randomized ports for the communication with the CZ.NIC resolvers.

How is my personal information secured?

CZ.NIC resolvers neither collect any personal data nor gather information on pages where your computer sends personal data.

But open DNS resolvers are evil, aren't they?

Open DNS resolvers that are not tightly monitored by their administrators might be abused for distributed DoS attacks. CZ.NIC's Open DNSSEC Validating Resolvers are configured so that it is difficult to misuse them for DDoS attacks against third-party servers. Additionally, the servers are monitored and security mechanisms raise alerts on any unusual activity. These alerts are analysed and countermeasures are taken if needed.