SBN

DNS and Your Privacy: Should you use encrypted DNS?

DNS enables the easy navigation from website to website as you currently know it. However, the system wasn’t exactly designed with your privacy and security in mind.

Many DNS resolvers – such as your internet service provider’s (ISP) – do not encrypt queries and may log data and metadata surrounding your queries. Additionally, unencrypted queries can be captured, viewed, and otherwise “consumed” (used) by eavesdropping third parties since data is exchanged in clear text.

Fortunately, using an encrypted DNS server provider can be a viable option for some users out there. This post aims to explore how and why – and doesn’t leave out the limitations of encrypted DNS.

DNS and your privacy

Assuming you know the basics of DNS and how the system works, privacy issues surrounding DNS frequently involve the potential capture and “snooping” of DNS queries made by a device and the sending of unnecessary information (typical in the absence of QNAME minimization) to DNS servers performing the resolution.

DNS servers can log data about the device making the query, times queries were requested, and of course the query itself – ex: avoidthehack.com. Naturally, the amount of logging or even the presence of logging depends on the DNS service itself; for example, ISPs often log DNS queries and share them with a variety of third parties. Users often get no “say” or may not even be aware of this.

locked padlock on blue tech background concept

With unencrypted queries – which is often the default for most resolvers – third-parties to the transaction between the device and the DNS resolver can “eavesdrop” on queries made by devices. Eavesdropping has been has been performed by public and private organizations alike to surveil DNS traffic (and potentially hijack it.)

With the presence of HTTPS, third-party snooping devices won’t be able to see what data is passed between the client device and the web server – but with unencrypted DNS queries, it would be able to see that a query was made. Captured over time, browsing habits can be inferred from DNS requests observed.

What data is sent to DNS Servers?

Internet connections to visited websites and web apps start out as a DNS request. Assuming the absence of the requested website in a DNS cache – which can be in the browser and/or on the device itself – a query is sent to the DNS resolver.

The DNS resolver can be a machine local to the network or a service managed by a DNS service provider. The latter is generally more common (especially for most users out there); though, it is worth mentioning that local resolvers often pass queries to “upstream” DNS servers.

Again, generally, many users use the ISP’s DNS resolvers as it is the “default” and most do not know these can be changed in the browser or on the device/network (hardware/firmware permitting). Of those who know how to change DNS settings, we can safely assume most of these users, who are already a minority amongst most users, aren’t running a local recursive resolver.

server rack with blue higlights and red data stream

Exact data sent to DNS resolvers vary, but data sent to DNS resolvers typically include:

  • Top-level domain (TLD) requested. This includes link clicked/domains typed into the browser address bar and background connections initiated by apps/services and resources called by websites.
  • If HTTP is used: Visited pages within the TLD. The commonality of HTTPS makes this irrelevant in the modern landscape, though some websites still serve content using a mix of HTTP/HTTPS.
  • Timestamp request was made
  • IP address of client device
  • Protocol (UDP or TCP)
  • Record type (A, AAAA, etc)

Data sent with the queries themselves can also be logged by DNS resolvers, but as mentioned previously, the details of logged data and the action of logging itself ultimately depends on the DNS service provider.

Depending on the service provider, additional information about network subnets and device identifiers (such as MAC addresses) may be embedded within DNS queries, essentially fingerprinting users or their networks.

Who can see DNS information?

Ultimately, it depends.

laptop sitting on desk in low lighting with a data stream on screen

As mentioned, DNS queries are typically unencrypted and thus clear text and readily available for anyone willing to listen.

Even with encrypted DNS, generally your device, the router, and the DNS provider can see DNS requests. If you are using your ISP’s DNS servers – which are usually the default – then they can also see your DNS requests.

Your ISP may log this information and potentially use it for their own endeavors and/or share this data with third parties – which can include advertisers or government agencies.

Unless you are using a virtual private network (VPN) or an onion routing service like the Tor network, your ISP can still see connections to IP addresses.

Benefits of using encrypted (and privacy-friendly) DNS services

Benefits of using encrypted DNS services include preventing third-party DNS query sniffing, keeping DNS traffic private from ISP, and blocking ads on a network.

Eliminate third-party sniffing of DNS queries

The primary benefit of using any encrypted DNS server is preventing third parties from sniffing traffic and seeing what DNS queries users’ devices make. This is true even if the encrypted DNS provider is capturing device information or otherwise logging DNS query data and metadata (though this is far from ideal.)

magnifying glass and small keyhole in wall covered in blue light

However, it’s worth mentioning that if the encrypted DNS server is indeed logging information, they may share this information with third parties – this is a different threat vector than a third party listening or capturing the queries themselves. This can be alleviated by using a “trusted” encrypted DNS provider.

Filtered (and encrypted) DNS servers can block ads/malicious domains on the network level

Some encrypted DNS providers also offer domain filtering. Depending on the provider, they may filter domains known to serve malware, ads, trackers – or any combination of these.

For example, if you set your router to use such a resolver, it will provide blocking services for devices connected to your home network.

red padlock on a dark blue tech background concept

Some DNS providers give users customization options for what is blocked or filtered. Others run specific blocklists on their servers and do not allow the user to customize what is blocked. In either case, devices/networks using DNS providers with filtering services will not connect…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/more-info-dns

Application Security Check Up