DNS

Domain Name System

What is it - DNS keeps records of which IP addresses correspond to domain names. This is how your browser finds the server behind a name, and it is what makes all manner of flexible hosting arrangements possible. A real-world equivalent would be asking DNS where to find Sherlock Holmes and getting 221B Baker Street, London in reply: an advanced phone book. The records are organised as a hierarchy. The root name servers delegate each top-level domain (.com, .fi and so on) to that TLD's name servers, which in turn delegate each registered domain to whatever name servers its owner chooses, so control is decentralised at the lower levels while the tree stays consistent. DNS records are not just an address book: they handle addressing, e-mail routing, authentication and proof of ownership, and together they form a major trust and security system for the internet. Here are the basic records that people usually deal with.

  • A records tell you what IPv4 address a domain points to
  • AAAA records do the same for IPv6 addresses
  • MX records handle e-mail routing, pointing to the mail servers that accept mail for the domain
  • CNAME records make one domain name an alias of another

I would recommend that security-conscious people look at CAA records, which state which certificate authorities are allowed to issue TLS certificates for the domain. A CA has to check them before issuing, so a CAA record limits who can obtain a certificate for your name in the first place. DNSSEC (signed records, so a resolver can verify they were not tampered with) and DNSCrypt (encrypted traffic between you and the resolver) are also worth a look; they solve different problems.
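To show what a CAA policy actually decides, here is an added example (not part of the original article) in Python of the check a CA performs before issuing: it walks up from the requested name to the nearest name that publishes CAA records, then applies the issue and issuewild properties and the critical flag. The zone data and CA names are constructed stand-ins, and the CNAME/alias handling of RFC 8659 is omitted.

```python
"""Evaluate CAA records the way a CA must before issuing (RFC 8659).

Added example, not from the original article. The zone data below is
constructed: example.com is a reserved documentation domain and the CA
names are stand-ins. The parent-walk and the issue/issuewild/critical
semantics follow the RFC; its CNAME/alias handling is left out.
"""
from dataclasses import dataclass

CRITICAL = 128  # "issuer critical" bit in the CAA flags octet


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data: name -> CAA records published at that name.
ZONE = {
    "example.com": [
        CAA(0, "issue", "ca-one.example"),
        CAA(0, "issue", "ca-two.example; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),          # nobody may issue wildcard certs
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [
        CAA(0, "issue", ";"),              # no CA at all for this name
    ],
    "strict.example.com": [
        CAA(CRITICAL, "futuretag", "x"),   # unknown property marked critical
    ],
}


def relevant_rrset(domain, zone):
    """Walk up the tree until a name with CAA records is found (RFC 8659 s3)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """'ca.example; validationmethods=dns-01' -> 'ca.example'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, domain, zone, wildcard=False):
    """Return (allowed, reason) for CA `ca` asked for a certificate for `domain`."""
    origin, rrset = relevant_rrset(domain, zone)
    if not rrset:
        return True, "no CAA records found up the tree; any CA may issue"
    # A property the CA does not understand, with the critical flag set, forbids issuance.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag {rr.tag!r} at {origin}"
    # issuewild takes precedence for wildcard requests only when it is present.
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    relevant = [rr for rr in rrset if rr.tag.lower() == tag]
    if not relevant:
        return True, f"no {tag} property at {origin}; issuance not restricted"
    allowed = {issuer_domain(rr.value) for rr in relevant}
    if ca.lower() in allowed:
        return True, f"{ca} listed in {tag} at {origin}"
    return False, f"{ca} not in {tag} set at {origin}: {sorted(allowed - {''})}"


if __name__ == "__main__":
    for ca, name, wild in [("ca-one.example", "www.example.com", False),
                           ("evil-ca.example", "www.example.com", False),
                           ("ca-one.example", "example.com", True),
                           ("ca-one.example", "locked.example.com", False),
                           ("ca-one.example", "strict.example.com", False)]:
        print(ca, name, "wildcard" if wild else "", may_issue(ca, name, ZONE, wild))
```

The walk-up step is why a single CAA set at the apex protects every subdomain that does not publish its own, and why a stray "issue ;" on a subdomain silently blocks renewals there. Note also that the lookup is only as trustworthy as the answer the CA receives, which is one reason CAA and DNSSEC are usually recommended together.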

IP addresses can change, and one address often hosts more than one domain. They are also hard to remember for most people. DNS is used nearly everywhere; Tor is one exception, as its .onion addresses are derived from the service's own key and resolved inside the Tor network rather than through DNS, but still in a decentralised way.


Where do you get it

DNS for most users is handled by their service provider: your ISP's resolver answers your lookups, which also gives the ISP a record of every name you look up. If you buy a domain name, your registrar lets you edit its DNS records and also lets you point the domain at another DNS provider's name servers, even your own. You can run your own DNS server too, and technically most home routers contain one, but it mainly acts as a forwarding cache. Running a proper DNS server is an involved task and not recommended for the layperson.

Public DNS

There are various services and companies that need good DNS to function and are involved in developing DNS-related products and services. Here is a list of services I have used in the past, with a few words about each.

OpenDNS - 208.67.220.220, 208.67.222.222

OpenDNS is currently owned by Cisco and offers free, high-quality DNS to anyone who points their systems at its addresses. The service is good, but it does attach part of your IP address to the queries it forwards to authoritative name servers (the EDNS Client Subnet extension), which reveals a bit about who is asking to the domain owners. Cisco mainly uses the query data for developing security solutions and services.

Cloudflare - 1.1.1.1, 1.0.0.1

Whether you know it or not, you likely hit Cloudflare's services multiple times a day on the internet: it provides CDN services and protection for a large share of websites. It also offers a newer public DNS resolver, with an app for phones and more platforms promised. Like Cisco, this is one of the bigger companies that is a large part of why and how the internet works today.

Google DNS - 8.8.8.8, 8.8.4.4

Google also offers public DNS and has been doing so for quite some time; a lot of services and devices even default to its reliable resolvers. Google's published policy for the service says query logs are not combined with data from its other products, but that is a promise you cannot verify, and knowing Google, many assume browsing data is another ingredient in its marketing and search business. So even though it works very well, some people do not enjoy being the product.

Problems

So, I mentioned that your ISP sees what names you look up and that Google is probably interested in that as well. Cisco uses the data for analytics and security products, and Cloudflare likely benefits from its service too; who wouldn't. Personally I do not mind benefiting a single party, as long as my data does not get sold or used to target me with marketing. There was also a recent change in the regulation of ISPs in the US that now allows them to sell people's browsing habits to third parties, and many other places likely record and sell your data too.

Another issue is censorship. Many countries (even Finland) prevent people from finding certain websites that the government has deemed unacceptable. The most common way to implement this is to have the local ISPs' resolvers return wrong or empty answers for the blocked names, which is cheap and, as a result, easily bypassed by using a different resolver. Some countries employ heavier tools such as traffic filtering and deep packet inspection that react to specific content types and content. It is a shame that developed countries also use these systems, as that legitimises their use in more oppressive countries to a degree.

Solutions

These are specifically about increasing DNS-related security and mitigating the issues above. The simplest step is to use a third-party resolver outside your jurisdiction; often OpenDNS will be enough to unblock many sites. This also stops your ISP from seeing your lookups as easily, but it moves that data to whoever runs the resolver you chose, and because plain DNS is unencrypted, an ISP that wants to can still read or rewrite the queries in transit.

Secure DNS

The next level of DNS-specific answer is DNSCrypt: it encrypts and authenticates the traffic between you and the resolver, so anyone watching your connection can neither see which names you request nor tamper with the answers, provided you pick a privacy-conscious provider. You still have to trust that provider, though. Spreading queries over several resolvers limits what any one of them sees, but that can be awkward to configure. Using a VPN likely means that you share an IP address with many other users, which makes it harder to identify you, though your habits can still be correlated with high confidence by statistical analysis.
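To make concrete what a plain DNS packet gives away, and therefore what DNSCrypt hides, here is an added example (not from the original article) that builds a standard query in RFC 1035 wire format and decodes a hand-constructed response, reporting exactly the name an on-path observer reads out of the unencrypted packet. The transaction id, the example.com name and the 192.0.2.1 answer are constructed values; nothing is sent on the network.

```python
"""Decode a plaintext DNS message the way an on-path observer can.

Added example, not from the original article. The two packets are
constructed by hand in RFC 1035 wire format: a query for the A record
of example.com and a matching answer. Nothing is sent on the network.
"""
import struct

QTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 28: "AAAA", 257: "CAA"}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard query, RD set, one question, no EDNS: what a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # the name ends after the first pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg):
    """Return header fields, the question list and the answer list of one message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, QTYPE_NAMES.get(rtype, str(rtype)), ttl, rdata))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


# Constructed answer: same id, QR+RD+RA flags, question echoed, one A record
# for 192.0.2.1 (documentation range) whose owner name is a pointer to offset 12.
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))


def observer_view(msg):
    """What a passive observer learns from one unencrypted DNS packet."""
    parsed = parse_message(msg)
    kind = "response" if parsed["response"] else "query"
    names = [f"{n} ({t})" for n, t in parsed["questions"]]
    return f"{kind} id={parsed['id']:#06x}: " + ", ".join(names)


if __name__ == "__main__":
    print(observer_view(build_query("example.com")))
    print(observer_view(RESPONSE))
    print(parse_message(RESPONSE)["answers"])
```

Everything the decoder pulls out, the name, the record type and the returned address, sits in cleartext in the UDP payload, and the answer carries no proof of origin unless DNSSEC is in play. That combination is what lets a censoring resolver or an on-path box answer with an address of its choosing, and it is the gap DNSCrypt closes on the hop to the resolver.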

Another way to secure your traffic and circumvent censorship is a VPN, but you need to make sure that your computer is not still using its default DNS. This is one of the common failure points for secure communications: forgetting to change DNS servers leaks your habits even when the content itself is encrypted and proxied. So I would recommend checking that your VPN provider runs its own resolvers reachable only through the tunnel, or configuring a public resolver if you have no other option. I write more about this in my article on VPNs.

Sources