
The Privacy Cookbook - Chapter 2 – Protecting your DNS


We promised you that within this cookbook we would go deeper into the rabbit hole... well, here we go, and in this chapter let's start with something simple: DNS!



Most people are not aware of what DNS is or what it does.


The Domain Name System (DNS) is one of the foundations of the internet, yet most people outside of networking probably don’t realize they use it every day to do their jobs, check their email or waste time on their smartphones.



At its most basic, DNS is a directory of names that match with numbers. The numbers, in this case, are IP addresses, which computers use to communicate with each other. Most descriptions of DNS use the analogy of a phone book, which is fine for people over the age of 30 who know what a phone book is.



Ok, but why are we bothering with DNS in chapter two?


The central issue is that most people do not appreciate that DNS providers (your own ISP, Google, Cloudflare etc.) are able to see everything you do on the internet. Worse than that, they can then share, modify, or intercept and replace your requests any way they want.


Ever wonder why your connection slows down when you watch too many videos via your ISP?

Cloudflare is a completely different kind of monster, as you can see here (please refer to this article – insert link). Google DNS servers, which are standard on most Android phones, record what you do, and as such Google should not be a choice when it comes to privacy anyway. See chapter 1, ‘Google, Goole, GTF!’.

So what can you do to make your internet experience more private, maybe even faster and, best of all, lock out some of the bad websites at the DNS level? You could run your very own DNS server, but let's do this the easiest possible way. After all, we did promise to give the non-tech-savvy among us access to this actionable information.



Note! This will not hide your IP or make you untraceable. This is not a VPN or Tor! However, it will prevent DNS hijacking and make your DNS requests harder for third parties to eavesdrop on and tamper with.



Let's start with a simple solution called nextdns.io.

The beauty of NextDNS is that you can block ad traffic and select your own blocklists on this service. It is simple to set up and works on all devices. We will write a review and guide on NextDNS.



However, there is a drawback to NextDNS, and having dug deeper into this potential solution we really need to get this out: firstly, the company is in the USA, and our first rule of business is that this means the NSA usually can and will be able to see and monitor your traffic! Secondly, there is some Google and Cloudflare stuff in the setup, but it is still an easy and safer solution than you probably have right now! Plus it lets you block sites the way a Pi-hole would (we’ll write on Pi-hole setup soon and link it to here).

But we prefer easy and non-US solutions and definitely with no Google or Cloudflare content or involvement!

So what are the better and easier solutions?


AdGuard (which also offers iOS and Android firewalls) is offering a DNS solution based in Cyprus.

It blocks ads, trackers and malicious domains at the DNS level! No Logs!
It offers DoH, DoT, DNSCrypt and DNSSEC.



On Android 9 or higher

Settings -> Connections -> More connections settings -> Private DNS -> Private DNS provider hostname: dns.adguard.com or dns-family.adguard.com



AdGuard has a paid application for iOS and for Android. There you are able to block ads system-wide and with your own filters. For both devices this is a pretty cool solution and worth a look!



BlahDNS is offering DNS solutions out of Finland, Germany and Japan. 

It blocks ads, trackers and malicious domains at the DNS level! No Logs!
It offers DoH, DoT, DNSCrypt and DNSSEC.



Setup guide: https://blahdns.com/



Android 9 or higher

Settings -> Connections -> More connections settings -> Private DNS -> Private DNS provider hostname: dot-de.blahdns.com



dismail.de is offering DNS solutions out of Germany.

It blocks ads, trackers and malicious domains at the DNS level! No Logs!
It offers DoH, DoT, DNSCrypt and DNSSEC.



DNS-Server (with DNSSEC)

No encryption (Port 53):
IPv4: 80.241.218.68
IPv6: 2a02:c205:3001:4558::1

DNS-over-TLS:
Host: fdns1.dismail.de
Port: 853

Android 9 or higher

Settings -> Connections -> More connections settings -> Private DNS -> Private DNS provider hostname: fdns1.dismail.de




Digitalcourage is offering DNS solutions out of Germany.
No Filters! No Logs!

It offers DoH, DoT, DNSCrypt and DNSSEC.



DNS-Server (with DNSSEC)

No encryption (Port 53):
IPv4: 46.182.19.48
IPv6: 2a02:2970:1002::18

DNS-over-TLS:
Host: dns2.digitalcourage.de
Port: 853

Android 9 or higher

Settings -> Connections -> More connections settings -> Private DNS -> Private DNS provider hostname: dns2.digitalcourage.de



Digitale Gesellschaft is offering DNS solutions out of Switzerland.

No Filters! No Logs!

It offers DoH, DoT, DNSCrypt and DNSSEC.



DNS-over-TLS:
Host: dns.digitale-gesellschaft.ch
Port: 853

DNS-over-HTTPS:
Host: https://dns.digitale-gesellschaft.ch/dns-query
Port: 443

Android 9 or higher

Settings -> Connections -> More connections settings -> Private DNS -> Private DNS provider hostname: dns.digitale-gesellschaft.ch





UncensoredDNS is offering DNS solutions out of Denmark. 

No Filters! No Logs!
It offers DoH, DoT, DNSCrypt and DNSSEC.




DNS-Server »anycast.censurfridns.dk« (with DNSSEC):

No encryption (Port 53):
IPv4: 91.239.100.100
IPv6: 2001:67c:28a4::

DNS-Server »unicast.censurfridns.dk« (with DNSSEC):

No encryption (Port 53):
IPv4: 89.233.43.71
IPv6: 2a01:3a0:53:53::

DNS-over-TLS:
Host: unicast.uncensoreddns.org
Port: 853

Android 9 or higher

Settings -> Connections -> More connections settings -> Private DNS -> Private DNS provider hostname: unicast.uncensoreddns.org





SecureDNS is offering DNS solutions out of the Netherlands.

It blocks ads, trackers and malicious domains at the DNS level! No Logs!
It offers DoH, DoT, DNSCrypt and DNSSEC.



DNS-Server »2.dnscrypt-cert.securedns.eu« (with DNSSEC)

DNS-over-TLS (DoT):
IP Address: 146.185.167.43:853 or [2a03:b0c0:0:1010::e9a:3001]:853
TLS Hostname: dot.securedns.eu
Port: 853
TLS SPKI Pin: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=

DNS-over-HTTPS (DoH):
IP Address: 146.185.167.43:443 or [2a03:b0c0:0:1010::e9a:3001]:443
URL: https://doh.securedns.eu/dns-query
Port: 443

DNSCrypt:
Provider Address: 146.185.167.43:5353 or [2a03:b0c0:0:1010::e9a:3001]:5353
Provider Name: 2.dnscrypt-cert.securedns.eu
Provider Key: F49F:2C73:4D62:B686:319E:D07E:6919:433B:2F13:85F4:1EFB:CA2F:176D:590B:2E45:3E86

AdBlock

SecureDNS can also be used as an ad blocker by using an alternative hostname/address instead. A list of the advertisements being blocked can be found there. SecureDNS additionally blocks advertisements on YouTube and Spotify.

DNS over HTTPS URL: https://ads-doh.securedns.eu/dns-query
DNS over TLS Hostname: ads-dot.securedns.eu



A lot is said about things like DNS-over-HTTPS (DoH), so what exactly does this stand for?

Firstly, let’s look at DNS-over-TLS (DoT).

This is a security protocol for encrypted DNS on a dedicated port (853). Some providers also support port 443, which will generally work pretty much everywhere. Restrictive firewalls, however, can block port 853.

DoT has two modes:

Opportunistic mode: this is where a client tries to form a DNS-over-TLS connection to a server via port 853 without performing certificate validation. If that fails, it falls back to unencrypted DNS.

Strict mode: this is where a client connects to a specific hostname and performs certificate validation. If validation fails, no DNS queries can be made until it succeeds.

DNS-over-HTTPS (DoH), by contrast to DoT, wraps DNS inside HTTPS, rendering it indistinguishable from ‘regular’ HTTPS traffic on port 443.
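As an added example (not code from the Privacy Cookbook or from any of the resolvers listed above), here is a small strict-mode DoT client in Python: it builds the DNS query in wire format, validates the resolver's certificate chain and hostname with the standard library, sends the query with the 2-byte length prefix DoT uses, and parses the A records out of the reply. The resolver hostname in the demo call is taken from the page's Digitalcourage entry; the build and parse functions run offline on any captured DNS message.

```python
import socket
import ssl
import struct
# Added example (not the Cookbook's or any listed provider's code): a strict-mode
# DNS-over-TLS lookup. The resolver cert must chain to a trusted CA and match its
# hostname; on failure we raise rather than fall back to plaintext port 53.
def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a DNS query (RFC 1035 wire format); qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def _skip_name(msg: bytes, pos: int) -> int:  # step past a (maybe compressed) name
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:             # root label ends the name
            return pos + 1
        pos += 1 + length

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):                 # skip QNAME, QTYPE, QCLASS
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(ancount):                 # CNAME/AAAA etc. are skipped by rdlen
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_dot(name: str, resolver_host: str, port: int = 853) -> list:
    """Strict-mode DoT (RFC 7858): verified TLS, then 2-byte length-prefixed messages."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname are on
    with socket.create_connection((resolver_host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            query = build_query(name)
            tls.sendall(struct.pack("!H", len(query)) + query)
            stream = tls.makefile("rb")
            reply = stream.read(struct.unpack("!H", stream.read(2))[0])
    return parse_a_records(reply)

if __name__ == "__main__":   # resolver hostname from the page's Digitalcourage entry
    print(resolve_dot("example.com", "dns2.digitalcourage.de"))
```

A resolver whose certificate does not validate makes ssl raise SSLCertVerificationError here, which is exactly the strict-mode behaviour described above; an opportunistic client would instead catch that and retry on plain port 53.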


Finally, DNSCrypt is an older but fairly robust method of encrypting your DNS; it is probably not recommended now that simpler and easier solutions are available.



Ok, so the DNS setup on Android 9 and higher seems to be pretty easy!


Settings -> Connections -> More connections settings -> Private DNS -> Private DNS provider hostname:



But what about iOS?

There is NextDNS, which has an app that blocks ad systems and replaces your DNS, but as we have mentioned earlier, the service is based in the USA and has some Google and Cloudflare stuff on it. It is still a pretty easy and good solution, especially if you want to block ads.



This said, is there anything else?

There is a really cool application called DNSCloak; we will give this app a full review and provide a guide, as it is relatively complex.
However, you could download the app, tap the DNS resolver you would like to use, and your phone will start sending all DNS requests via that resolver.
You can even combine it with a firewall (ad blocker and a VPN), but we will give this an entire review and link it to this chapter soon.



Encrypted DNS clients for desktop


Mozilla Firefox is supplied with DoH built in, with Cloudflare as the default resolver; however, it can be set up with any DoH resolver.

DNS over HTTPS can be enabled in Menu -> Preferences (about:preferences) -> Network Settings -> Enable DNS over HTTPS.
Set "Use Provider" to "Custom", and enter your DoH provider's address.


Advanced users may enable it by setting network.trr.custom_uri and network.trr.uri to the address of your DoH provider and network.trr.mode to 2.
It is also advisable to set network.security.esni.enabled to True. This enables encrypted SNI (Server Name Indication) and makes sites supporting ESNI more difficult to track.

Local DNS servers:



Stubby - An open-source application for Linux, macOS and Windows that acts as a local DNS Privacy stub resolver using DoT.
Unbound - A validating, recursive, caching DNS resolver. It can also be run network-wide and has supported DNS-over-TLS since version 1.7.3.



Network-wide DNS servers will be covered in a separate chapter, which will fully explain how to set up your own Pi-hole or AdGuard Home to resolve DNS, block ads and tracking, and list every domain you would like to block out.
This is a fantastic and very inexpensive privacy solution.

You can even combine it with a VPN or create it as a hosted solution. Stay tuned for all the info you will need in an upcoming chapter.



Our next chapter will be all about VPN (that’s Virtual Private Networks to all you non-techies) solutions and how to hide your IP address.
