DNS¶
Before I start talking about the security aspect of Domain Name System (DNS), I’ll give you a quick overview of what it does. It functions like a phone book for the internet and is what makes it easy to use. In times past, phone books used to be in most houses. If you wanted to call a person or business, you had to open up the phone book and look for the number. DNS is a similar concept, though easier to use, since you only need the name (domain) of the website you want to go to. For example, when you type in Google.com in the search bar of your browser, DNS looks up the phone number (IP address) of the website. This makes it a lot easier to use than having to track down a specific IP address and type that into a search bar.
DNS works by using a resolver, which is just a server that is used to turn domain names into IP addresses. A lot of times, the browser, operating system, and/or router isn’t manually configured. Most of the time, your DNS traffic will go through your internet service provider (ISP). This is where some problems start to come up.
First, most DNS traffic still isn’t encrypted, even after years long efforts of privacy activists and organizations like the EFF trying to spread the word about encryption. This branches down into even more problems. One of those is the lack of privacy. I need to stress that encrypting DNS will not in any way hide you or your traffic, but every little bit of encryption helps. Even with DNS traffic being encrypted, the IP addresses of websites you visit will still be visible, meaning your ISP will know where you’re going and you can still be tracked around the web without much issue. Second, not having encrypted DNS opens you up to some nasty attacks, one of which is DNS hijacking.
Encrypted DNS works in tandem with DNS Security Extensions (DNSSEC), which protects you from multiple types of attacks, including DNS hijacking. These attacks can allow an attacker to cause a lot of issues. For example, you could go to what looks like your real banking website, but it could be a fake site that you enter your login details into because the attacker inserted themselves in the middle. You can learn more about this example in the DNS hacking video, where some embassies suffered something similar.
MoustachedBouncer embassy attacks
In addition to getting a little extra privacy and protecting yourself against multiple types of attacks, you can use DNS filtering as a powerful firewall that requires extremely little effort to set up. This is something I strongly advocate for, since this can stop a lot of threats before they could have a chance to make it to your computer, and then there’s less risk of something making it past your AV. Nothing will ever give you absolute protection, but this is a huge step forward.
This is easiest to do by using a service that provides encrypted DNS. There are quite a few providers available, so make sure to read up on who you might want to use. Some of my favorites are Quad9 and dns0 for something preconfigured that’s plug and play. If you want to have more control over what you’re blocking, you can use something like NextDNS or ControlD. Those two services require a user account to have a custom configuration, so make sure you weigh the privacy aspect of that.
The block rates of these services are excellent. This is something I talk more about in the encrypted DNS video. Some security researchers tested a few of these services against malware websites to see what would be blocked. Quad9 and dns0 were two services tested and they both did great. The test only used services that didn’t require an account. In the test, it showed some big name providers did a garbage job at threat blocking. Now imagine what could happen if you visited one of those many infected sites without encrypted DNS with filtering. Drive-by malware is one of the many things you could end up dealing with.
Benefits of encrypted DNS
To use encrypted DNS, you’ll need to either set it up at the browser level, the operating system level, or the router level. What I find works best for the time being is to set it at the operating system level. This will ensure all DNS traffic out of your computer is being encrypted. It’s more secure than doing it from the browser level and it’s easier to troubleshoot if or when something doesn’t work right than if it’s set at the router level. You’ll need to go to the hardening guide for the OS that you’re using to learn more about using encrypted DNS. For those wondering, you can set up your own DNS server. If you decide to go this route, be thorough in doing it and understand the privacy and security risks that come with it if it's not properly configured.