DNS is one of those key services that stands between you and the internet you surf. In case you are wondering, [[dns]] is the service that translates a user-friendly domain name into the numeric address, aka IP address, at which the resource resides. The resource can be a website, a device or a service itself, denoted by an easy-to-remember domain name.
Security
By and large DNS traffic is unencrypted, and therefore unprotected from various security attacks. A malicious user or device can eavesdrop to get details of your browsing history. You may have noticed while surfing that you try to get to a website but the site that actually loads is not only a different one, but also completely irrelevant. This is commonly known as a [[DNS leak]]. By the way, this is pretty common with ISPs. They are known to track users' browsing history for advertisements and/or other purposes, and sometimes redirect the traffic to a website of their interest.
This brings us to an important realization. You may have a secured network with your internet access concealed by a [[vpn]], but DNS continues to be the weak link in the ecosystem. It is capable of compromising your privacy and security single-handedly. Let's figure out how to mitigate this, but first let's understand what DNS is and what logical blocks are involved.
DNS for the dummies
DNS stands for domain name service. It's an entity in the network that translates a domain name into an IP address. Every resource on the internet has a unique IP address, and the majority of the time it also has a user-friendly name. The user-friendly name is referred to as the domain name of the website; it exists primarily so that the address is easy to remember. The domain name in itself cannot get you to the website, and this is where DNS comes in. DNS is a service that runs on a server somewhere on the internet. Whenever an end user requests access to an entity on the internet via its domain name, the request is directed to the DNS server configured on the user's PC or device, where the domain name gets translated to a numeric IP address, and finally the request gets routed to the desired destination. You may have every bit of your network secured and encrypted, but the DNS isn't in your control. Most likely it's your ISP's or a public DNS server that's resolving the domain name for you, and by default that DNS traffic is not encrypted.
What is the mitigation?
To prevent your ISP from snooping on your DNS history you could direct your DNS queries to one of the well-known public resolvers, like Cloudflare or Google DNS. Please note, the queries continue to remain unencrypted. An attacker with malicious intent can sniff the wire and not only get access to your DNS traffic but also launch a DNS hijack attack. Therefore, redirecting the queries to public resolvers solves only part of the problem.
What about the traffic on the wire?
Well, there exists something called DNS over [[TLS (DoT)]] and DNS over [[HTTPS (DoH)]]. However, both have challenges of their own and adoption is low.
DoT encrypts DNS queries via TLS and communicates on port 853, but a person [[sniffing]] the wire can still figure out that DNS traffic is flowing on port 853. Therefore, it's secure but privacy gets compromised.
On the other hand, DoH sends all DNS queries over the HTTPS channel. There is no way to differentiate a normal packet from a DNS query in the secure channel because all of them look the same. However, the queries eventually land on a resolver that now has access to your entire browsing history. It need not be your ISP, but could be any of the public resolvers. IT giants like Google and Firefox are implementing DoH in their browsers. Google would communicate with Google DNS, and Firefox is likely to collaborate with Cloudflare to make the browser secure. Therefore, surveillance definitely becomes more difficult, but note: earlier, if the government wanted a user's browsing history they could reach out to the ISP. Now they'd reach out to either of the ones mentioned.
Instead, I've been using [[DNSCrypt-Proxy]]; it combines the best of both worlds. It gives me DNS encryption via DoH and prevents man-in-the-middle attacks and eavesdropping.
DNSCrypt
DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.
Without divulging the gory details, I have configured a dnscrypt-proxy on a Raspberry Pi and all my internet traffic is diverted through it. Additionally, I have configured it to use public DNS resolvers to handle DNS queries. It's been a few months and the setup works like a charm without a glitch. This way I have bypassed the ISP and encrypted my DNS traffic via cryptographic algorithms. Since the dnscrypt client is lightweight, I can continue to use the Pi for my personal processing too. The bit remaining is to set up my own resolver. I'll let you readers know when that's done.
Feel free to interact and share thoughts in comments below.