Secure your Wi-Fi in ten steps


6. Try a different DNS server

Just as you can install an alternative to the firmware that runs your router, you can choose a different Domain Name System (DNS) server instead of the ISP default. There may come a time when the DNS servers used by your ISP come under attack, whether from a distributed denial-of-service (DDoS) attack, for example, or from someone changing the DNS to effect a cloned banking fraud. The bigger ISPs are a target for this, since the consequences of hacking their DNS servers would be enormous.

We've seen the DNS servers of the larger providers suffer downtime, so having a backup and knowing how to flick the switch is useful. The most common choice will be Google Public DNS server (on and for the IPv4 service) or OpenDNS (on and There's a setup guide, which details changing your DNS for home routers, laptops, smartphones and servers.

Essentially, though, open your router admin panel and look for the Domain Name Server addresses configuration page; input a primary and secondary DNS IP. Some routers will have a third server option, and for OpenDNS this would be And that's it, other than to test it's working by hitting the Test button on the OpenDNS guide pages.

Certain providers prevent you from adjusting the DNS server addresses in their own-brand routers, but you can still set individual computers to seek alternate servers.

7. Install alternative firmware

The more adventurous user may take the “update your firmware” message a step further and install totally new firmware from an alternative source. If you think of your router as being a mini-computer, it's akin to changing the OS on a laptop from the supplied Windows install to a Linux distro.

Why would you do this? To gain functionality missing from the original firmware, especially relating to security. And why wouldn't you? Your warranty will be invalidated, so it's best left to older routers.

If you go ahead, you'll probably find yourself choosing between DD-WRT and Tomato; the latter is easier to use, but at the cost of being less feature-rich.

8. Employ MAC filtering

The information that Fing reveals when you want to block something from using your Wi-Fi is our old friend the Media Access Code (MAC), which every device connecting to a network is allocated. It's a 48-bit digital identifier used by the device to tag network packets, to be precise.

By default, your router will connect to anything that wants access, provided it has the correct password. If you want to prevent a device from connecting, even if the user has the correct password, that's where MAC filtering comes in.

Once you have a MAC address code, you can use an online specialist site such as What's My IP or MAC Vendor Lookup to identify any piece of connected kit that you don't recognise. Fing does the MAC lookup for you in the background and then automatically displays the device maker on-screen as part of its auditing process.

When you've identified the culprit, head to the “access control” section of your router control panel, which is MAC filtering by another name. Here you can either block all new devices, so before anything can join the network you'd have to whitelist the device's MAC address, or block individual devices by blacklisting their MAC.

It isn't foolproof: most devices allow their MAC to be changed in software, so a determined hacker could clone a device that you whitelist and gain access. Ultimately, if you don't want someone to use your Wi-Fi, don't give them the password. If they're already using it, then change the password to something more complex.
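To make the audit step concrete, here is an added example (not part of the original article) that normalises MAC addresses, checks them against a whitelist and flags software-assigned addresses, for which a vendor lookup tells you nothing. The function names and the device list are constructed for illustration; the sample addresses come from the range reserved for documentation.

```python
import re

def normalize_mac(raw):
    """Return a 48-bit MAC as 'aa:bb:cc:dd:ee:ff', whatever separators were used."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the 'locally administered' bit (0x02 of the first octet) is set.

    Such an address was assigned in software (randomised or set by hand),
    so its first three octets do not identify a manufacturer.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def oui(mac):
    """First three octets: the part a MAC vendor lookup site works from."""
    return normalize_mac(mac)[:8]

def audit(observed, allowlist):
    """Classify each (name, mac) pair seen on the network against the whitelist."""
    allowed = {normalize_mac(m) for m in allowlist}
    report = []
    for name, raw in observed:
        mac = normalize_mac(raw)
        if mac in allowed:
            # A match only shows the address is whitelisted; it can be cloned.
            status = "allowed"
        elif is_locally_administered(mac):
            status = "unknown: software-assigned MAC"
        else:
            status = "unknown: look up OUI " + oui(mac)
        report.append((name, mac, status))
    return report

# Constructed sample data, in three common notations.
ALLOWLIST = ["00-00-5e-00-53-01"]
OBSERVED = [
    ("laptop", "00:00:5E:00:53:01"),
    ("unknown-1", "0000.5e00.5302"),
    ("unknown-2", "DA-A1-19-0B-3C-7F"),
]

if __name__ == "__main__":
    for name, mac, status in audit(OBSERVED, ALLOWLIST):
        print(f"{name:10} {mac}  {status}")
```
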

9. Use a virtual private network

Whether you're using the original router firmware or have installed an alternative, there's a strong chance that virtual private networks (VPNs) will be supported. When people think of a VPN, they think of a third-party application that re-routes all their internet traffic through a proxy server – at a cost. What's less commonly considered is operating your own VPN through your router.

This will give you the advantage of being able to securely access your home network, across an encrypted internet tunnel, when you're away. It gives you the same end-to-end encryption as a subscription service, so you can securely use that coffee shop or hotel Wi-Fi, but with no fees or bandwidth implications.

As a home user, you'll almost certainly need a Dynamic DNS (DDNS) service to resolve a domain name to your router, to get around the fact that most ISPs don't offer a static IP address for your router; the free-to-use No-IP is as good as any for this.

10. Set up a guest network

The trouble with passing out your Wi-Fi passkey to family and friends who visit is that, every time you do, it dilutes your security. Not only do they know your password, but they might also give it to someone else. You could change to a new password after every occasion, which is the most secure, if not the most convenient, solution.

More conveniently, and pretty secure as well, is going the whole nine yards and setting up a guest network for visitors. If the concept of a properly secured guest network isn't supported by your router, all is not lost: simply buy a better router or change the firmware as mentioned earlier. The popular replacement router firmware Tomato supports a guest mode, which means you can provide users with a key that puts them online on a virtual network without exposing your own connected devices.

This article originally appeared at IT Pro.

Copyright © ITPro, Dennis Publishing
