Are you concerned about your digital footprint? Does it bother you that anyone listening can observe which websites you visit? Most people don’t know what DNS is or how much information it leaks. I’ll share with you what the problem is and how to fortify yourself against snoopers.

DNS (Domain Name System) is the backbone of the internet. Without it, browser requests would not resolve a domain name (e.g., howtogeek.com) to an IP address. That’s essential, because the fundamental principles of routing traffic depend upon numbers (IP addresses). However, the designers of DNS did not consider privacy (or security). Consequently, it leaks every website you visit, which mail servers you use, and sometimes a lot more. A snooper can build substantial profiles on all of us, and they do. There is one saving grace, and there’s slow-moving progress in the right direction. Today, I have a solution that’s different from the rest.

An introduction to DNS

The backbone of the internet

This video does an excellent job of explaining how DNS works:

You can see queries do not stop at your DNS server (aka recursive resolver). Further requests occur upstream, incrementally resolving them until they reach the “authoritative nameserver,” which handles domains it controls (called a DNS zone). We will cover the last mile today, the part between your OS (aka stub resolver) and the recursive resolver.

The “last mile” is a term used in telecommunication (from the service provider’s perspective) to describe the last leg between the system and the end-user. Conversely, the (unofficial) term “upstream” refers to all the other links (between the resolver and the nameservers). These words sound awkward together, so they’re worth an explanation.

The woeful problems with DNS

Your packets are showing

The biggest problem with DNS is that the request between the stub resolver (in your OS) and the recursive resolver is unencrypted. These packets contain information about where you shop, where you bank, what times you’re awake, and what you like, watch, and think, and when you do it. Your traffic pattern is so unique that it can fingerprint and track you across networks. So, if you use a VPN, your DNS requests act as a shining beacon, uniquely identifying you. This can occur even with encrypted queries.

Typical DNS requests also take place over connectionless UDP, which does not ensure packet stream integrity. Couple that with a lack of encryption, and they’re alarmingly easy to intercept and manipulate. In fact, it’s common practice for your ISP to do so, forwarding them to their own resolvers or modifying the response. So, if you think you’re using Cloudflare’s DNS, think again. Mass censorship systems also use such tactics: The Great Firewall of China uses deep packet inspection and DNS injection to reroute queries.

It’s important to realize that your DNS requests may traverse many jurisdictions, and often countries and organizations don’t share the same values as you. While some may have ideological differences, others have commercial intent. That’s not limited to foreign countries either. It’s well known that Comcast once redirected its customers to ad-laden web pages upon nonexistent domain (NXDOMAIN) errors.

While you may have nothing to hide, your DNS requests are being intercepted and redirected, which makes you vulnerable to social manipulation and commercial profiling. I don’t know about you, but the unregulated interception of my packets is deeply unsettling.

DNSCrypt to the rescue

Encrypt your data before it goes out

An ASUS Wi-Fi 6E router placed on a box.Credit: Goran Damnjanovic / How-To Geek

We’ve established that unencrypted DNS queries leave them open to interpretation and manipulation, and the strongest solution is always encryption. There are a couple of solutions to do this, with DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) being two. While good and often recommended, they don’t offer the additional features that DNSCrypt does.

DNSCrypt is my go-to choice because it encrypts and pads your queries. Padding is crucial because upstream packets get decrypted, and a snooper with significant resources (such as an ISP) can correlate the encrypted and unencrypted packets by size and timing, making encryption meaningless. Both DoT and DoH have sparse support for it, so it’s often unused. DNSCrypt makes this feature mandatory, so all your packets are resilient against traffic analysis and correlation.

However, it’s the additional relay feature that seals the deal for me. When requested, DNSCrypt will send your encrypted requests through an intermediary (the relay). It can’t read the data, but it knows who made the request. When it forwards the packets, upstream only sees the relay making the request and the request data—which means they know nothing about you.

So DNSCrypt encrypts, pads, and routes your queries through a relay. All three make DNSCrypt the best choice for protecting your privacy.


DNSCrypt isn’t a silver bullet, but it’s an excellent tool if you use it right

Any form of DNS encryption is a step in the right direction. It’s not yet a silver bullet because TLS connections still send a client hello, which contains the domain you’re connecting to (aka the SNI). In addition, the upstream connection is unprotected. If you use a relay, these requests are anonymous, but they are still susceptible to interception on a mass scale. Presently, work is happening to improve the situation, and in time, technologies like DNSSEC and DNSCurve will provide full verification and encryption of replies.

DNSCrypt also doesn’t solve the “client hello” issue, nor the unencrypted upstream. It does protect your immediate requests, your identity, and your habits. It’s not a perfect system, but it’s the best we have at present.

If you’re interested in DNSCrypt, head over to its homepage. If you’re using Linux, have a look at the Arch Wiki. There is also an informational website that includes server details, the specification, and useful tools. You may also be excited to hear that AdGuard provides a DNSCrypt stub resolver, which does additional ad blocking.


NordVPN on Mac (5)


What Your ISP Still Knows About You, Even With a VPN

You’re not as invisible as you think!



3
By