Techno-Agorist

Episode 25 - DNS Security

Seemingly everyone is interested in internet security. They want everything encrypted and secure. But, few people even give a thought to the DNS requests we send all day every day and which are still sent in plain text over the internet.

My name is Ryan and I am an agorist. Today we are talking about DNS security.

DNS or the "Domain Name System" is central to the internet and everything that we do online. When you open your internet browser and begin browsing, you are making use of this system. When it comes down to it, the internet is just a big network. Each machine that enters the network has its own IP address. This address allows the machine to interact with the network by sending and receiving packets of data with other machines.

The interesting thing is that the vast majority of people who use the internet know nothing about IP addresses or how the network works. They don't know the IP addresses of the websites that they want to access. This is where DNS comes to the rescue. The Domain Name System allows you to connect a human-readable name to a machine's address. For example, one IP address for Google.com is 172.217.15.78. Nobody wants to remember that, so Google registered their domain "Google.com" to that IP address. So, when you enter "Google.com" into your address bar, your browser uses the Domain Name Service to look up the IP address or addresses associated with that domain name and connects your computer with that server. Have you ever noticed a message show up at the bottom of your browser which says "resolving host" when you enter a web address? Well, that means your browser is currently figuring out (or resolving) the IP address of the server you are trying to connect with.

But, even though you likely don't think much about IP addresses and DNS requests or queries, there are many people who spend a lot of time thinking about those things.

Your DNS queries offer a glimpse into your life because they show all of the websites that you visit. For most people, the DNS server they use is provided by their internet service provider (ISP). Most routers by default forward all DNS requests you make to your ISP. This means that your internet service provider can see and log every single site that you visit, whether good, bad, or anything in-between. Do you really want your internet service provider to have all of that data? This should concern you.

Also, most people don't realize that every single DNS query they make is generally sent in plain text over the internet. This means that not only can your internet service provider see what sites you are requesting, but anyone in-between can as well. Have you ever wondered how company networks are able to block certain websites? They generally don't try and block IP addresses. What they do is intercept your DNS requests and if they don't want you to visit a particular site, they don't allow your browser to receive that information from the domain name system, and instead, they give you a warning saying that you aren't allowed to visit that site.

Do you really want people on your local network or anyone on the internet between you and your internet service provider to be able to snoop on your internet browsing and mess with the data being returned to your computer?

For many years now, people have been growing more and more concerned about internet security. They want secure, encrypted connections to websites. But, the glaring hole in this whole move toward security has been DNS, which is still in most cases completely unprotected.

Thankfully, we are beginning now to get some options for mitigating this.

The first option (and the one that has been around for the longest), is to manually change your DNS servers so that your DNS requests go to servers outside of your internet service provider. So, when you enter a site's URL into your address bar, your computer won't send your DNS request to your ISP. Instead, it will go somewhere else. This can be helpful if your local network or your internet service provider blocks certain domain names. There is still a major downside, though, to just changing your domain name servers. If you remember, DNS requests are sent in plain text and therefore can still be read by your local network and your ISP. If they wanted to, they could still block your requests, or even worse they could intercept those requests and return wrong and even malicious data to you.

The second option is to use something called DNSSEC, which means "Domain Name System Security Extensions." DNSSEC uses public-key cryptography, which we have spoken about in a previous episode. But, unlike with SSL or TLS, DNSSEC doesn't use cryptography in order to encrypt and protect the contents of your DNS request. DNSSEC uses public-key cryptography for two very important things. First, it verifies that your request has reached the DNS servers that you meant to reach and that the data which was returned to you came from them. This mitigates someone pretending to be the DNS server and sending you false information. Second, it verifies the integrity of the request and the response. This mitigates someone changing the data along the way. You can verify that the data you received is the same data that was sent from the DNS server which you already authenticated with. DNSSEC is a big step forward for DNS. It allows you to trust that the data returned to your computer came from the DNS server which you sent the request to and verifies that the data itself was not messed with between them and you.

But, the big downside of DNSSEC is that it doesn't in any way hide the contents of your DNS requests. The requests are still in plain text and can therefore still be read and logged by anyone between you and the DNS servers. It's great to be able to trust that the data you receive from your DNS servers is authentic, but it is still a major privacy concern since nearly anyone can look over your shoulder and see every request you make.

The third option, and most recent, is DNS over HTTPS, or DoH. With DNS over HTTPS, your browser or app or anything making the DNS request is able to encrypt the contents of your DNS request between you and your DNS server. We are already used to browsing the internet using HTTPS, but this allows us those same security benefits but for our DNS requests as well. With DoH, nobody between you and your destination can see the contents of your request. They are safely encrypted and can only be decrypted by the destination DNS server.

DoH is still not common. Google has been reluctant to implement DNS over HTTPS in their Chrome browser, and it makes sense since their entire business model revolves around violating our privacy. Mozilla, on the other hand, is leading the way and new versions of Firefox already include DoH support, and they have indicated that they want to make DoH the default setting for DNS in the future. Yay!

The ideal DNS setup would include a combination of all that I have mentioned so far, plus more. At home, I use a local DNS server which runs on a $35 Raspberry Pi computer. I changed the settings in my router to send all DNS requests to that little device rather than my Internet Service Provider. Then, I configured my Pi to send all DNS requests using DNSSEC to remote DNS servers provided by Quad9. There are many DNS servers out there, including ones provided by Google and the popular CDN service Cloudfront. I chose Quad9 because they are particularly privacy-oriented, unlike Google and Cloudfront who both run their DNS services specifically for the purpose of collecting people's browsing data. Sure, Quad9 has its own problems, but as I have mentioned in a previous episode, when it comes to the clear net, data decentralization is often the best we can do. People are always going to be collecting your data, so we should at least try and spread the data out so that no one company or group has all of it.

You might have noticed that I didn't mention DNS over HTTPS yet with regard to my home setup. This is because I am still figuring out how to implement it correctly. I don't want some apps (like Firefox) to use DoH and others (like Chrome) to not. I want my home DNS server on my Raspberry Pi to encrypt all DNS requests that I send from any application and from any device. Hopefully, I will have that figured out soon. When I do, my Pi will send all requests directly to Quad9 using DNSSEC and will encrypt the contents using DNS over HTTPS.

We all need to acknowledge the huge privacy concerns of today's DNS system. Once we have acknowledged the issues, then we can work to fix them. There are some options out there today, but on the clear web nothing is perfect just yet. If you want to begin taking steps to protect your DNS data, then check out the show notes for this episode at technoagorist.com/25 for a tutorial on setting up your own local DNS server with DNSSEC using a Raspberry Pi. Hopefully, I'll be able to expand those instructions soon to include setting up DNS over HTTPS as well. Technology is amazing, but unfortunately, it isn't always easy to set it up right. Let's just take it one step at a time.

This is Techno-Agorist, episode 25.

How to build your own local DNS server with DNSSEC and ad-blocking

To download the tutorial, click here.