
How to secure your home and office network: The best DNS blockers and firewalls

Feb, 22, 2022 Hi-network.com

How secure is your home or office network?

I'll assume you already have an antimalware/antivirus solution in place, such as Windows Security, which is built into Windows 10 and Windows 11 (and which I believe works particularly well). But antivirus isn't enough.

Escalating international tensions -- coupled with an ever-increasing number of professionals working remotely -- are driving the need for small-scale solutions and best practices to secure home- and small-business networks and mobile devices from malware, malvertising, and other threats. 

What follows is a brief guide -- with product recommendations and best practices -- for those of you looking to navigate the rapidly evolving cybersecurity landscape. If you have limited network security experience but want to provide additional security for yourself, your small business, or your friends and family, this guide is for you. (If you're looking for more extensive resources on networking security, CISA's guide is a good place to start.) 

Below are the products I am currently using to protect my family's home networks and mobile devices. (I expect to add more product and service recommendations when I have sufficient time to investigate them.)

Mobile and device-based DNS VPN firewall

NextDNS

If you can have only one solution, because you or your friends or loved ones cannot afford a hardware-based firewall device, look no further than NextDNS, which combines an encrypted VPN traffic tunnel with a hosted firewall and DNS blocking and filtering service. 

When installed as an app on a device, the service creates a private encrypted connection (VPN) to its cloud servers. Its basic functionality includes proxying Domain Name System (DNS) queries and checking them against a large database of potentially malicious sites, blocking those that match, depending on how restrictively the service is set up. This means that if you try to access a site listed on its blocklists, it will stop the connection. Blocklists for advertisements and pornography are also applied, if enabled.

It should be noted that NextDNS is not a VPN service for creating anonymized private connections to the public internet (such as those covered recently by David Gewirtz) or for end-to-end enterprise VPN connectivity (such as with OpenVPN), even though it uses its own VPN for the service to work. However, it can work in tandem with those services as needed.

The service has native clients for iOS, MacOS, Android, Windows, Linux, and Chrome OS, and can be set as the default DNS on a broadband router or an IoT device. And best of all, the lowest tier of service is absolutely free. The "Pro" service has unlimited devices, unlimited queries, unlimited configurations, and is a whole $20 per year.

The main drawback of this service is that it is client-based -- meaning you need to install the software on every device you want to protect. So it's ideal for smartphones, tablets, and laptops when you are on a mobile network or using a public Wi-Fi or ethernet connection, but not suitable for "blanket" device coverage on a home or small office broadband network. It is also a DNS-based solution rather than an IP-based and connection-oriented solution, so it is not a true intrusion prevention solution such as a hardware firewall.


To begin using it, simply visit nextdns.io and start a new configuration. The first thing you will want to take note of is your randomly issued ID, which is how you and your family members will identify yourselves to the service and how it will apply the specific security settings you choose to them.

NextDNS initial configuration screen web user interface

Jason Perlow/ZDNet

The clients all have similar configuration screens and are all easy to install, but the key things to remember are to enter the Configuration ID and to enable "Send Device ID", because that ensures you are using the service with your specified configuration and that, when the system logs activity, you will be able to narrow down which device is having an event.

NextDNS Client configuration in iOS

Jason Perlow/ZDNet

Once you have the clients connected to the NextDNS VPN, you can verify they are using the service and that it is logging the connections with the Logs tab at the top of the web portal UX. The logs page allows you to look at traffic logs on a device-by-device basis, for all DNS queries or just blocked queries.

Logs menu of NextDNS user interface

Jason Perlow/ZDNet

Security protection options can be set in the Security menu tab, where various services can be enabled, such as for AI-Driven Threats, Google Safe Browsing, Cryptojacking, DNS Rebinding, IDN Homograph Attacks, Typosquatting, Domain Generation Algorithms, Newly Registered Domains, Parked Domains, and Child Sexual Abuse Material. I have all of these currently turned on in my own configuration.
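To make two of those options concrete, here is an added example (not NextDNS's code, and not from the original article) of how a resolver-side check could flag mixed-script IDN homographs and one-edit typosquats of domains you care about. The `PROTECTED` list and all function names are assumptions made for this illustration.

```python
import unicodedata

# Assumption: the domains you want to protect; replace with your own list.
PROTECTED = {"paypal.com", "microsoft.com", "apple.com"}

def to_unicode(domain):
    """Decode punycode (xn--) labels so the real characters are visible."""
    name = domain.lower().rstrip(".")
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name

def scripts(label):
    """Scripts of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def osa_distance(a, b):
    """Edit distance: insert, delete, substitute, or swap adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, protected=PROTECTED):
    """Return 'homograph', 'typosquat' or 'ok' for a queried domain."""
    name = to_unicode(domain)
    if name in protected:
        return "ok"
    # Mixed scripts inside one label (Latin plus Cyrillic, say) is the classic
    # homograph signal. A label written entirely in one look-alike script is
    # not caught by this check and needs a confusables table.
    if any(len(scripts(label)) > 1 for label in name.split(".")):
        return "homograph"
    if any(osa_distance(name, p) == 1 for p in protected):
        return "typosquat"
    return "ok"
```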

Tracking and Ad blocking are enabled in the Privacy menu tab. The two blocklists I currently have enabled are NextDNS's maintained list and OISD, which cover enough ground to protect mobile devices for most regular browsing and mobile app use while keeping functionality as unrestricted as possible. If you enable too many lists, you may find that certain apps (such as Facebook, with its Graph API) begin to misbehave, and then you will need to temporarily disable NextDNS for them to work again. So I would only start adding more blocklists, such as AdGuard and a few others on their curated list, one at a time to see how each affects your usability.

NextDNS Privacy menu

Jason Perlow/ZDNet
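The blocklist matching described earlier and the "one list at a time" advice above can be rehearsed offline before you enable anything. The following is an added example, not NextDNS code and not part of the original article: it parses a candidate blocklist and reports which recently queried domains work today but would be blocked once the list is enabled. The lists, the query log and the function names are constructed for illustration, and matching a listed domain's subdomains is an assumption of this sketch.

```python
from collections import Counter

# Constructed sample data: two small lists and a short query log.
CURRENT_LIST = """
# plain-domain format
ads.example
tracker.example
"""
CANDIDATE_LIST = """
# hosts-file format
0.0.0.0 ads.example
0.0.0.0 facebook.com
127.0.0.1 localhost
"""
QUERIES = [  # (device name, queried domain)
    ("phone", "graph.facebook.com"),
    ("phone", "graph.facebook.com"),
    ("laptop", "cdn.ads.example"),
    ("laptop", "www.example.org"),
]

def parse_blocklist(text):
    """Accept plain-domain lines and hosts-file lines ('0.0.0.0 name')."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        names = fields[1:] if len(fields) > 1 else fields  # skip the IP column
        for name in names:
            name = name.rstrip(".")
            if "." in name and name not in ("0.0.0.0", "127.0.0.1"):
                domains.add(name)
    return domains

def is_blocked(qname, blocked):
    """True if qname or a parent domain is listed (assumed subdomain matching)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))

def dry_run(queries, current, candidate):
    """Count queries that resolve today but the candidate list would block."""
    hits = Counter()
    for device, qname in queries:
        if not is_blocked(qname, current) and is_blocked(qname, candidate):
            hits[(device, qname)] += 1
    return hits
```

Anything `dry_run` reports is a domain an app on that device currently depends on, so it is a likely source of breakage if the candidate list is enabled.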

NextDNS also has a Parental Controls menu for locking out specific websites, apps, and games, as well as the ability to lock out pornography, piracy, dating, and social networks. NextDNS supports multiple Configuration IDs per account, so if you want to configure your children's devices, you might want to assign them a separate Configuration ID as well as enter a Parental Passcode in their NextDNS app settings screen so it cannot be altered. You'll also want to set Parental Controls on their devices using native app restrictions (such as the Content and Privacy Restrictions menu on iOS) so the NextDNS app cannot be deleted.

Open Source wide-spectrum DNS blocking

Pi-Hole (Open Source)

If you are inclined to host your own DNS proxy, and want the most flexible control over the domains you want to block on your premises, look no further than Pi-Hole. Originally built for the Raspberry Pi embedded development board, the open source project has become hugely popular with cybersecurity and privacy enthusiasts alike for its ability to block not just advertisers and trackers, but also malicious domains. 


The easiest way to run it is to download Docker Desktop for your operating system (Windows, Mac), or Docker Engine for Linux, and then install Pi-Hole into a Docker Container. 

This sounds scarier than it actually is
