Almost a year ago, we had a look at optimising your DNS for better network performance. We have since explored whether it is valuable to host your own DNS server (spoiler: it most definitely is) and looked at Technitium DNS, going as far as installing and setting up Technitium DNS at home. That drastically changed our network and, by extension, our internet browsing experience. However, there is something we have not looked at yet, and it is something that can add a lot of value to our privacy and security: encrypted DNS.
What is DNS and Why Do We Need It?
Imagine trying to remember the complex numerical address (like 172.217.160.142 for Google) for every website you visit. Impossible, right? That’s where the Domain Name System (DNS) steps in.
Here’s how it works when you type a website address (like “www.google.com“) into your browser:
- Your Computer Asks: Your computer sends a request to a special server called a DNS resolver. Think of this server as a friendly operator who knows the internet’s phonebook.
- The Resolver Looks Up the Number: The DNS resolver looks up “www.google.com” in its records and finds the corresponding IP address (the numerical address).
- The Resolver Tells Your Computer: The DNS resolver sends the IP address back to your computer.
- Your Computer Connects: Your computer uses this IP address to connect to Google’s servers and display the website.
This whole process happens in the blink of an eye every time you visit a new website. It’s essential for making the internet user-friendly.
The Problem with Traditional DNS
The traditional way your computer talks to DNS resolvers is unencrypted: queries go out as plain UDP (or TCP) packets on port 53. Anyone who can intercept that traffic can read the website address you are trying to visit in clear text.
This lack of encryption has a few key drawbacks:
- Your Browsing History is Exposed: Your internet service provider (ISP), and potentially others eavesdropping on the network, can see every website you try to access. This creates a detailed log of your online activity.
- Potential for Manipulation: Unencrypted DNS requests can be intercepted and manipulated. Malicious actors could redirect you to fake websites designed to steal your passwords or personal information. This is known as DNS spoofing. We will go into more detail on DNS spoofing in another article, but this is a real threat. Especially if you use your ISP’s default DNS servers for your DNS queries, as is normally the default for most home internet setups.
Encrypted DNS: Securing Your Requests
Encrypted DNS solves these problems by adding a layer of security to the communication between your computer and the DNS resolver. Instead of sending your DNS request in the open, your computer encrypts it before it leaves the machine, so that an observer sees only unreadable ciphertext. It is the same protection you get when visiting your online banking site: the data is encrypted (via HTTPS) so that someone eavesdropping cannot read it.
There are a couple of main ways to achieve encrypted DNS:
- DNS over HTTPS (DoH): This method carries DNS requests and responses inside the same HTTPS protocol that protects your connection to websites when you see “https://” in the address bar. The DNS lookup travels over the same kind of encrypted channel as the page data itself.
- DNS over TLS (DoT): This protocol encrypts DNS traffic with Transport Layer Security (TLS), the same technology that underlies HTTPS, but on its own dedicated port (TCP 853) rather than inside HTTP. DoT is actually the older of the two standards (RFC 7858 in 2016, versus RFC 8484 for DoH in 2018) and the two give equivalent confidentiality. The practical difference is visibility: DoT traffic is easy for a network operator to identify and block by port, while DoH blends in with ordinary HTTPS on port 443 and is much harder to distinguish or filter.
How Encrypted DNS Works:
Now that we know what it is, let’s look at an example to explain how encrypted DNS works. Imagine you want to look up “www.example.com“.
- Your Computer Creates a Secure Connection: Instead of sending a plain DNS request, your computer establishes a secure, encrypted connection with a DNS resolver that supports DoH or DoT.
- The Encrypted Request: Your request for the IP address of “www.example.com” is then sent through this secure connection, just like the data between your machine and the actual website.
- The Encrypted Response: The DNS resolver looks up the IP address and sends it back to your computer through the same secure connection.
- Only You and the Resolver Know: Because the communication is encrypted, anyone eavesdropping in between sees only ciphertext, not the name you are looking up. Your ISP cannot read the query either, as long as you are not using their (default) DNS servers. Two caveats are worth keeping in mind: the resolver operator still sees every query you send, so you are shifting trust rather than removing it, and the ISP still sees the IP addresses you connect to afterwards and, in most current browsers, the server name in the TLS handshake (SNI). Encrypted DNS hides your lookups, not your destinations.
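The exchange described in this section, and the clear-text exposure described under “The Problem with Traditional DNS” above, as an added example written for this article (it is not code from the original post, nor from Technitium or any resolver vendor). It builds a real DNS query, shows what an observer of plaintext port-53 traffic reads straight out of the packet, then wraps the identical message the way DoH (RFC 8484) and DoT (RFC 7858) do. The sample response and the 203.0.113.10 address are constructed so the parsing runs offline; the live DoH and DoT lookups in the main block are optional and assume network access to Cloudflare’s public endpoints (cloudflare-dns.com).

```python
"""Added example (not from the original article): the same DNS message carried
three ways - plaintext UDP/53, DoH (RFC 8484) and DoT (RFC 7858). Standard
library only. The sample response below is constructed for offline use; the
live lookups in main assume network access and Cloudflare's public endpoints."""
import base64
import socket
import ssl
import struct
import urllib.request

def build_query(name, txid=0x1234, qtype=1):
    """Minimal RFC 1035 query: header (RD=1, one question) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def read_name(msg, off):
    """Decode a domain name, following RFC 1035 compression pointers; returns (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer into the message
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off

def eavesdropper_view(packet):
    """Plaintext DNS: anyone on the path reads the queried name straight out of the packet."""
    return read_name(packet, 12)[0]

def parse_answers(msg):
    """Return [(owner, ttl, ipv4), ...] for the A records in a response; raise on an error RCODE."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                           # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return answers

def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the raw message, base64url without '=' padding, in ?dns=."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def doh_query(endpoint, query):
    """Live DoH POST (needs network): body and reply are the unchanged DNS wire format."""
    req = urllib.request.Request(endpoint, data=query, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def dot_frame(query):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length before each message."""
    return struct.pack(">H", len(query)) + query

def dot_query(host, query, port=853):
    """Live DoT (needs network): TLS to port 853 with certificate chain and hostname verified."""
    ctx = ssl.create_default_context()                 # CA validation + hostname check
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(query))
            stream = tls.makefile("rb")
            (length,) = struct.unpack(">H", stream.read(2))
            return stream.read(length)

# Constructed sample: a response to the www.example.com query with one A record
# (TTL 300, address from the TEST-NET-3 documentation range). The answer's owner
# name is a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_QUERY = build_query("www.example.com")
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
                   + SAMPLE_QUERY[12:] + b"\xC0\x0C"
                   + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.10"))

if __name__ == "__main__":
    print("on plaintext UDP/53 an observer reads:", eavesdropper_view(SAMPLE_QUERY))
    print("parsed sample answer:", parse_answers(SAMPLE_RESPONSE))
    print("DoH GET URL:", doh_get_url("https://cloudflare-dns.com/dns-query",
                                      build_query("www.example.com", txid=0)))
    try:
        print("live DoH:", parse_answers(doh_query("https://cloudflare-dns.com/dns-query", SAMPLE_QUERY)))
        print("live DoT:", parse_answers(dot_query("cloudflare-dns.com", SAMPLE_QUERY)))
    except OSError as exc:
        print("live lookups skipped (no network?):", exc)
```

Run it and note that the DoH and DoT answers are parsed by the same function as the plaintext sample: encryption changes the transport, not the DNS message. Two details matter in practice. First, ssl.create_default_context() verifies the resolver’s certificate against the hostname you asked for, which is what stops an on-path attacker from standing in for the resolver; a client that skips that check is encrypted but not authenticated. Second, for RFC 8484 GET requests the transaction ID is set to 0 so that identical queries produce identical URLs and can be cached by HTTP caches along the way.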
The Benefits of Using Encrypted DNS:
- Increased Privacy: Your ISP and other network observers can no longer easily see the specific websites you are trying to access. This makes your online activity more private.
- Enhanced Security: Encrypted DNS makes it much harder for someone on the path between you and the resolver to intercept or tamper with your queries and answers, which blocks the common forms of DNS spoofing and the phishing that rides on them. Note what it does not do: it does not authenticate the DNS data itself (that is DNSSEC’s job), so a resolver that is itself compromised or malicious can still hand you a wrong answer over a perfectly encrypted connection. This is why the choice of resolver matters as much as the encryption.
- Potential for Faster Browsing (Sometimes): While not always the primary benefit, some encrypted DNS resolvers can offer faster lookups, potentially speeding up your browsing experience.
How Can You Use Encrypted DNS?
Enabling encrypted DNS is becoming increasingly easy. Here are a few common ways:
- Operating System Settings: Modern operating systems such as Windows 11, macOS and Linux distributions running systemd-resolved allow you to configure encrypted DNS directly in their network settings. Look for options related to “DNS over HTTPS” or “DNS over TLS”.
- Web Browser Settings: Major web browsers like Chrome, Firefox, and Edge offer built-in support for DNS over HTTPS. You can usually find these settings in the browser’s privacy and security sections.
- Router Settings: Some advanced routers allow you to configure encrypted DNS for your entire home network. This protects all devices connected to your Wi-Fi.
- Specialized Apps and VPNs: Some privacy-focused apps and VPN services automatically use encrypted DNS to protect your browsing activity.
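As an added example of the operating-system route (not from the original article): strict DNS over TLS for a Linux host that uses systemd-resolved, pointed at Cloudflare. The file path and the provider are assumptions; substitute another DoT provider’s address and hostname as needed.

```ini
# /etc/systemd/resolved.conf.d/dot.conf  (added example, not from the original article)
# Strict DoT via systemd-resolved. The "#hostname" suffix is the name resolved uses
# to validate the resolver's TLS certificate; without it there is no way to tell a
# genuine resolver from an on-path impostor. Provider and file path are assumptions.
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
```

Apply it with sudo systemctl restart systemd-resolved, then resolvectl status should report the DNS over TLS setting as active. Keep DNSOverTLS=yes rather than opportunistic: opportunistic mode silently falls back to plaintext port 53 when the TLS connection fails, so anyone who can block port 853 can downgrade you without any visible error. systemd-resolved speaks DoT only; for DoH on Linux, put a local forwarder that supports it in front of the system resolver (Technitium DNS, which this series uses, can forward over both DoH and DoT).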
Popular Encrypted DNS Services:
Many organizations and companies offer public DNS resolvers that support encryption (DoH and DoT). Here are a few widely used examples:
- Cloudflare (1.1.1.1 and 1.0.0.1): Known for its speed and privacy focus, Cloudflare’s 1.1.1.1 service is a popular choice. They emphasise not logging personally identifiable information and have their privacy practices audited. DoH is served at https://cloudflare-dns.com/dns-query and DoT at cloudflare-dns.com on port 853. They offer standard, malware-blocking (1.1.1.2 and 1.0.0.2) and family-friendly (1.1.1.3 and 1.0.0.3) versions.
- Google Public DNS (8.8.8.8 and 8.8.4.4): A very widely used and reliable service with a robust infrastructure. DoH is served at https://dns.google/dns-query and DoT at dns.google. While they state they keep temporary logs for troubleshooting, they remove personally identifiable information from permanent logs.
- Quad9 (9.9.9.9 and 149.112.112.112): This service has a strong focus on security. Quad9 blocks access to known malicious websites and domains by consulting threat intelligence databases, and serves DoH at https://dns.quad9.net/dns-query and DoT at dns.quad9.net. It’s a great option if you want built-in protection against malware and phishing.
- OpenDNS (208.67.222.222 and 208.67.220.220): Owned by Cisco, OpenDNS offers reliability and also includes optional content filtering features, which can be useful for families.
- AdGuard DNS: Known for its ability to block ads and trackers at the DNS level, AdGuard DNS also offers encrypted options for increased privacy.
- NextDNS: This is a highly customizable encrypted DNS service that allows you to block ads, trackers, and specific types of content based on your preferences. It offers a free tier with a generous query limit.
These are just a few examples, and many other reputable providers offer encrypted DNS services. When choosing a provider, consider their privacy policy, speed, and any extra features they might offer (like content filtering or threat blocking).
A Warning About Your Default ISP DNS:
Your internet service provider (ISP) automatically assigns your devices their default DNS servers when you connect to their network. While convenient, relying on your ISP’s DNS has significant drawbacks, primarily related to privacy and security:
- Lack of Privacy: As discussed earlier, traditional ISP DNS is typically unencrypted. This means your ISP can see every website you visit. This information can potentially be used for targeted advertising, sold to third parties, or even accessed by authorities in some regions without a warrant. Your browsing history is essentially an open book to them.
- Potential for Data Logging: ISPs often log your DNS queries, creating a detailed record of your online activities. Even if they claim not to use this data for malicious purposes, the fact that it’s collected at all is a privacy concern for many.
- Vulnerability to Manipulation: Unencrypted DNS is susceptible to DNS spoofing, where an attacker (or even the ISP itself) can redirect you to a fake website when you try to visit a legitimate one. This can be used for phishing attacks, displaying unwanted advertisements, or even censorship.
- Limited Security Features: Default ISP DNS servers generally don’t offer the extra protections that many third-party encrypted DNS providers do, such as blocking access to known malicious domains or filtering content by category.
- Potential for Censorship or Redirection: In some cases, ISPs may use their DNS servers to block access to certain websites or redirect you to specific pages, even if it’s not for security reasons. Using a third-party encrypted DNS can help bypass such restrictions.
By switching to an encrypted DNS service from a provider you trust, you take back control of your browsing privacy and add a crucial layer of security against potential threats and unwanted monitoring. It’s a simple yet effective step towards a more secure and private online experience.
In Conclusion:
While DNS might seem like a technical detail, it plays a crucial role in your everyday internet experience. Traditional, unencrypted DNS leaves your browsing activity exposed. Encrypted DNS acts like a vital shield, protecting your privacy and enhancing your security online. By understanding what it is and how it works, you can take simple steps to enable it and enjoy a more private and secure internet experience. It’s like upgrading from sending postcards to sending secure, confidential letters – a small change with a significant impact on your online well-being.
We will be adding encryption to the Technitium DNS server we installed in our Build your own homelab series. We will also have a quick look at Unbound, as that is another very popular DNS server among homelabbers.