UPDATED 21 July 2019 – Additional forms of encrypted DNS added, partially rewritten with the title changed to be more generic.
This is going to be a technical post, so I need to start this off by explaining a few technical terms, which will also be added to our Glossary of Cyber Security Terms.
Some Basic Definitions.
DNS, or Domain Name Service – This is essentially a phone book for the internet. You type in an address for a website (e.g. https://www.imdb.com) and the DNS service used by your computer translates that into a physical address (an IP address, similar to 192.168.25.246) that your web browser can use to access the website. In accessing a single web page your browser makes many (sometimes 100 or more) requests for resources on the internet, ranging from the actual content you want to see to structural entities you will never see, as well as ads, graphics, videos and download items. DNS queries are typically sent over an unencrypted protocol (UDP) that anyone on the path can read, even if the website you are accessing is encrypted (HTTPS).
HTTP – This stands for “HyperText Transport Protocol” and is the technology that allows a website to be downloaded and rendered in your web browser.
HTTPS – This is the same as HTTP, but uses a secure protocol (SSL) to encrypt the information coming back from the website. Your web browser will decrypt this and allow the website to be displayed to you.
TLS – Transport Layer Security (TLS) is a protocol that provides communication security between client/server applications that communicate with each other over the Internet. It enables privacy, integrity and protection for the data that’s transmitted between different nodes on the Internet. TLS is a successor to the secure socket layer (SSL) protocol.
The Various Forms of Encrypted DNS
There are various forms of protection for DNS, as follows:
- DNSSEC
- DNSCrypt
- DNS over TLS (DoT)
- DNS over HTTPS (DoH)
DNSSEC – provides cryptographically signed DNS records, which allows a DNSSEC-aware Operating System (e.g. Windows, MacOS, Android) to verify that the DNS response received has not been tampered with or altered in any way. Since the DNS reply is signed with a private key which no forger can have, this means that the received DNS reply is authentic. However, DNSSEC on its own does NOT encrypt, and anyone watching the traffic will see the DNS client’s queries and their replies just as if DNSSEC was not in use. If you want to learn more about DNSSEC in Windows then please look at this Microsoft blog on the subject (from Windows 7 onwards, Windows was DNSSEC aware, but your actual DNS service might not be – take a look at this resource and test your setup).
DNSCrypt – provides encryption for privacy, but it is not nearly as attack and hack resistant as the other forms since it doesn’t use any of the existing public certificate infrastructure. The server’s public key is published over DNS and is implicitly trusted, though it can be verified with DNSSEC. This keeps DNSCrypt simple and lightweight, and it can ride atop either UDP or TCP.
DNS over TLS (DoT) – this is a protocol for encrypting and wrapping DNS queries and their replies in TLS (Transport Layer Security). This offers both privacy via TLS encryption and authentication via TLS support for the entire public key infrastructure. So this prevents eavesdropping and any manipulation of DNS data via man-in-the-middle attacks.
DNS over HTTPS (DoH) – instead of the insecure, unencrypted protocol used today, DNS queries are encoded over HTTPS and are therefore encrypted. DNS over HTTPS is often abbreviated to DoH. It is a proposed Internet Engineering Task Force (IETF) standard, specified under RFC 8484. As of writing this has not been fully ratified.
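To make the difference between the transports concrete, here is an added example (not code from the original post) that builds a plain DNS query in the RFC 1035 wire format, then shows how DoT and DoH each carry exactly that same message: DoT adds the two-byte length prefix that DNS over TCP/TLS uses, and DoH base64url-encodes it into the `dns` query parameter of an HTTPS GET as RFC 8484 specifies. It also parses a constructed (not captured) response, including name-compression pointers, with a hop limit so a malicious pointer loop cannot hang the parser. The resolver URL `https://dnsserver.example.net/dns-query` is the placeholder from RFC 8484, and everything runs offline.

```python
"""Build a DNS query, frame it for DoT (RFC 7858) and DoH (RFC 8484),
and parse a DNS response. Added example; runs offline on constructed bytes."""
import base64
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, ..., terminating 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """12-byte header followed by one question (default: type A, class IN).
    RFC 8484 recommends transaction id 0 so identical DoH queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dot_frame(msg: bytes) -> bytes:
    """DNS over TLS reuses the DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, resolver_url: str) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next_offset)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:  # hostile pointer loops must not hang the parser
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode, question name and the A-record addresses in the answer."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip qtype + qclass
    addresses = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0xF, "qname": qname, "addresses": addresses}


# Constructed sample response (not a real capture): answers www.example.com with
# A 192.0.2.10, TTL 300, and uses a compression pointer (0xC00C) to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 question, 1 answer
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C"
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("plain UDP payload:", q.hex())
    print("DoT framed       :", dot_frame(q).hex())
    print("DoH GET          :", doh_get_url(q, "https://dnsserver.example.net/dns-query"))
    print("parsed answer    :", parse_response(SAMPLE_RESPONSE))
```

The point to notice is that the bytes on the wire are identical in all three cases; only the wrapper changes. An eavesdropper on the UDP path sees the hostname in clear text at byte 12 onwards, while with DoT or DoH the same message sits inside a TLS session and only the resolver's address is visible. The `doh_get_url` output for `www.example.com` matches the worked example in RFC 8484 exactly.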
What is the Big Deal about Encrypted DNS?
First of all, it is encrypted. While your ISP will be able to see that you are accessing something on the internet, it won’t know what. Under the plain UDP approach they would be able to see and track what you were accessing. Equally, on an unencrypted WiFi hot spot anyone monitoring the traffic would be able to see what you were accessing and track you if you don’t use DoH, and in some cases even if you are using a VPN.
So, this is about privacy and security since using an encrypted DNS lookup means that it is less likely that a hacker can intercept your lookup and perform a man-in-the-middle attack and redirect your browser to a malicious website.
If you are accessing the internet through a Virtual Private Network (VPN) these requests should be encrypted as part of the VPN, but not all VPNs are made equal and some leak the unencrypted requests.
The best solution is to encrypt everything at source.
How do I get Encrypted DNS?
As of writing, Cloudflare, IBM’s Quad9, Google, Quadrant Information Security and CleanBrowsing are providing public DNS resolver services via DNS over TLS. Back in April of 2018, Google announced that Android Pie will include support for DNS over TLS (see below).
In addition, Mozilla, the builders of the Firefox browser, are enabling secure DNS in their browser (look in Options // General // Network Settings – click the Settings button and in the resulting dialog at the bottom you can check a checkbox to enable DNS over HTTPS). It should be noted that DoH is not enabled by default in Firefox, which defaults to your system’s DNS, in all likelihood your ISP’s DNS service.
Google’s Chrome browser is starting to experiment with this and it will be coming in a future release of Chrome. Currently the Microsoft Edge browser does not support this, and at this point I don’t think Safari does either, although there are ways to enable it using apps on iOS and macOS.
Android v9 (Pie) does support secure DNS (Settings App // Network & Internet // Advanced // Private DNS). This will use Google’s own offering and is set to automatic (i.e. on) by default. However you can configure your own if you wish, assuming you know the host name of the DNS server and/or the advanced settings for the resolver. If you want to use CloudFlare’s you can use the following instructions:
- Go to Settings // Network & internet // Advanced // Private DNS
- Select the Private DNS provider hostname option
- Enter one.one.one.one or 1dot1dot1dot1.cloudflare-dns.com and hit Save
- Visit 188.8.131.52/help to verify DNS over TLS is enabled.
I have tested this on my own Android 9 phone. It connects to CloudFlare’s DNS over TLS resolver on WiFi, but defaults to my cellular network provider’s DNS over cellular data. This may be a configuration with my cellular provider, so it would be interesting to hear anyone else’s experiences via the contact form.
If you set this up and it doesn’t work for you, just switch back to automatic mode where you will then use Google’s DNS over TLS service.
For CloudFlare’s service you can download an app for Android phones below v9 and for iOS. However I have not tested these.
In Windows you can also implement CloudFlare’s service by changing the DNS settings on your network adapter. However when I tried their instructions, this did not work for me, although this could have been due to my router blocking the request which will need further testing on my part.
You can also override the DNS settings in your router, but this does require some support in your router’s firmware. This would have the effect of encrypting all DNS lookups on your network. As my router does not appear to support this at this time, I am unable to test and verify this. This currently requires firmware support such as OpenWRT. I suspect this will also be supported in the future on most new routers. If you want to read up about this, the CloudFlare website has a discussion on it.
The Debate over Encrypted DNS
As the DNS lookup will be encrypted, ISPs are not that happy as they lose the ability to track what websites you are looking at. DNS is often provided by your ISP, although you are able to select alternatives.
The UK Internet Services Providers’ Association recently voted Mozilla an ISPA Internet Villain but promptly retracted it following a ZDNet article and uproar in the Internet community at large. Their issue was that Mozilla plans to support DoH “in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.” The comments came after several months of criticism aimed at both Mozilla and Google from the UK Government and various advocacy groups. In their retraction they do raise some sensible points that can be summarized as:
- Exercising user choice over switching to a DoH provider
- Enforcing user consent in switching
- Exercises all the required data protection requirements of the local jurisdiction
- The DoH service is secure and is capable of replicating existing security policies and capabilities, such as malware protection, that are currently in place for that user
- Enforces Online Safety protocols and standards
- Makes it clear that the local ISP will not be able to support any outages and that it is available typically 24/7.
It should also be noted that in the UK the ISPs are required by law to block certain types of websites (particularly those advocating terrorism, Islamic radicalization, child abuse and other violent acts). If the DNS lookup is encrypted they can’t effectively block it. While some UK ISPs have supported encrypted DNS, others do not.
Encrypted DNS also blocks the geo-fencing restrictions around accessing adult sites (see my blog Privacy & Cyber Security Concerns around Changes to Adult Site Age Verification in the UK for more information).
I see a very simple solution here, and I am surprised no-one has mentioned it. The ISPs should implement an encrypted DNS service that replaces their existing one. That way they could enforce their legally required obligations, since they would be able to track all traffic through that service. However, this will cost them money, which will probably be passed on to their subscribers at extra cost.
I think encrypted DNS will become the norm over the next couple of years and ISPs will support it going forward. It does help to keep your activity private from anyone else using the same router/hot-spot as you, which can only be a plus point. It is also more secure.
The downside is that this is yet another way law enforcement will be blocked in surveillance of criminal activity. See also my blogs on:
If you want to use encrypted DNS now, then Firefox’s current version and CloudFlare support it on PCs using an app, and Android 9 also supports it by default. It is possible to set it up on macOS and iOS using apps.
A useful tool to download and run (no install required) is DNS Sniffer, which allows you to see exactly what DNS look-ups are happening on your PC (only available for Windows at this point). If you see anything shown there that you don’t recognize, then it is probably time to refresh your PC, either using the built-in tools or by reloading a fresh image of Windows 10, as you may have something dodgy installed or something is misbehaving.