How to Encrypt Your DNS and Stop Your ISP from Spying.

The Domain Name System (DNS) is a fundamental component of the internet infrastructure, translating human-readable domain names into IP addresses. However, traditional DNS queries are unencrypted, making them vulnerable to surveillance and manipulation by Internet Service Providers (ISPs) and other malicious entities. This paper explores methods to encrypt DNS traffic, focusing on DNS over HTTPS (DoH) and DNS over TLS (DoT), and examines their effectiveness in protecting user privacy and preventing ISP surveillance.

Introduction

The increasing awareness of privacy concerns on the internet has driven the need for secure communication protocols. DNS traffic, being a crucial aspect of internet activity, remains a significant privacy vulnerability. Unencrypted DNS queries allow ISPs to monitor users’ browsing habits, potentially infringing on privacy rights and leading to censorship or targeted advertising. This paper investigates the mechanisms for encrypting DNS traffic and evaluates their potential to mitigate ISP spying.

DNS and Privacy Concerns

DNS operates as the internet’s address book, with each query revealing specific details about a user’s online activities. Traditional DNS queries are sent in plaintext, allowing intermediaries, such as ISPs, to intercept and log this information. This lack of encryption exposes users to privacy breaches and data exploitation.

Traditional DNS Workflow

1. User Request: A user types a domain name into their browser.
2. DNS Query: The browser sends a DNS query to a DNS resolver.
3. Resolver Response: The resolver replies with the corresponding IP address.
4. Connection: The browser connects to the IP address to access the website.

Each step involves transmitting plaintext data that can be intercepted by ISPs.

Encryption Methods for DNS Traffic

To address these privacy concerns, two primary methods for encrypting DNS traffic have been developed: DNS over HTTPS (DoH) and DNS over TLS (DoT).

DNS over HTTPS (DoH)

DoH encrypts DNS queries using the HTTPS protocol, thereby hiding DNS traffic within regular web traffic. This method leverages the widespread adoption of HTTPS to ensure DNS queries remain secure.

• Implementation: DoH can be implemented at the browser level or system-wide.
• Advantages:
• Encryption: Provides robust encryption by utilizing HTTPS.
• Camouflage: DNS queries blend with other HTTPS traffic, making it harder for ISPs to distinguish them.
• Disadvantages:
• Performance: Potential increase in latency due to additional overhead.
• Complexity: Requires configuration changes at the browser or operating system level.

DNS over TLS (DoT)

DoT secures DNS queries by routing them through a TLS-encrypted tunnel, similar to HTTPS but specifically designed for DNS traffic.

• Implementation: DoT is typically configured at the system or network level.
• Advantages:
• Dedicated Protocol: Designed specifically for DNS, offering potentially better performance.
• Encryption: Provides strong encryption through TLS.
• Disadvantages:
• Adoption: Less widely supported compared to DoH.
• Visibility: Easier for ISPs to identify as DNS traffic, although encrypted.

Implementation and Configuration

Enabling DoH in Browsers

Major browsers like Mozilla Firefox and Google Chrome support DoH natively. Users can enable DoH through the browser settings:

• Firefox: Navigate to Settings > General > Network Settings > Enable DNS over HTTPS.
• Chrome: Navigate to Settings > Privacy and Security > Security > Use Secure DNS.

Configuring DoT System-Wide

To configure DoT on a system-wide level, users can modify their network settings or use third-party applications:

• Android: Native support for DoT can be enabled through Network & internet settings.
• Windows: Third-party applications like Simple DNSCrypt can facilitate DoT configuration.

Comparative Analysis

A comparative analysis of DoH and DoT reveals the following:

• Security: Both protocols offer strong encryption, significantly improving privacy over traditional DNS.
• Performance: DoT may provide better performance due to its dedicated nature, though DoH benefits from HTTPS infrastructure.
• Adoption: DoH enjoys broader adoption due to browser support, while DoT’s network-level implementation provides comprehensive coverage.

Step-by-Step Guide to Using AdGuard DNS for Enhanced Privacy

AdGuard DNS provides an easy-to-use solution for blocking ads, trackers, and malicious sites while also enhancing privacy. This guide will walk you through the steps to set up AdGuard DNS on various devices and platforms.

Step 1: Choose AdGuard DNS Servers

AdGuard offers several DNS server options. Here are the primary ones:

• Default (Blocks ads, trackers, and phishing sites):
• IPv4: 94.140.14.14 and 94.140.15.15
• IPv6: 2a10:50c0::ad1:ff and 2a10:50c0::ad2:ff
• Family Protection (Blocks adult content in addition to ads and trackers):
• IPv4: 94.140.14.15 and 94.140.15.16
• IPv6: 2a10:50c0::bad1:ff and 2a10:50c0::bad2:ff

Step 2: Configure AdGuard DNS on Different Platforms

Windows 10/11

1. Open Network Settings:

• Right-click on the network icon in the system tray and select “Open Network & Internet settings”.
• Select “Change adapter options”.

1. Access Network Adapter Properties:

• Right-click on your active network connection (Wi-Fi or Ethernet) and select “Properties”.

1. Configure DNS Settings:

• Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties”.
• Choose “Use the following DNS server addresses”.
• Enter the AdGuard DNS addresses:
  • Preferred DNS server: 94.140.14.14
  • Alternate DNS server: 94.140.15.15
• Repeat for “Internet Protocol Version 6 (TCP/IPv6)” if necessary, using the IPv6 addresses provided above.
• Click “OK” to save the settings.

1. Restart Network Connection:

• Disable and then re-enable your network connection to apply the new settings.

macOS

1. Open System Preferences:

• Click the Apple menu and select “System Preferences”.
• Select “Network”.

1. Select Network Interface:

• Choose your active network connection (Wi-Fi or Ethernet) from the list on the left.
• Click “Advanced”.

1. Set DNS Servers:

• Navigate to the “DNS” tab.
• Click the “+” button to add new DNS server addresses.
• Enter the AdGuard DNS addresses:
  • IPv4: 94.140.14.14 and 94.140.15.15
  • IPv6: 2a10:50c0::ad1:ff and 2a10:50c0::ad2:ff
• Click “OK” and then “Apply” to save the changes.

Android

1. Open Network Settings:

• Go to “Settings” and select “Network & Internet”.
• Tap on “Private DNS”.

1. Set Private DNS Mode:

• Choose “Private DNS provider hostname”.
• Enter dns.adguard.com for Default or dns-family.adguard.com for Family Protection.
• Tap “Save” to apply the settings.

iOS

1. Open Wi-Fi Settings:

• Go to “Settings” and select “Wi-Fi”.
• Tap on the “i” icon next to your connected Wi-Fi network.

1. Configure DNS:

• Scroll down to “DNS” and tap “Configure DNS”.
• Choose “Manual” and delete any existing DNS servers.
• Add the AdGuard DNS addresses:
  • 94.140.14.14
  • 94.140.15.15
• Tap “Save” to apply the changes.

Routers

1. Access Router Settings:

• Open a web browser and enter your router’s IP address (commonly 192.168.1.1 or 192.168.0.1).
• Log in with your router’s username and password.

1. Navigate to DNS Settings:

• The exact location varies by router model, but look for settings labeled “DNS”, “Network”, or “Internet”.

1. Set DNS Server Addresses:

• Enter the AdGuard DNS addresses:
  • Primary DNS: 94.140.14.14
  • Secondary DNS: 94.140.15.15
• Save the settings and reboot your router if necessary.

By configuring AdGuard DNS on your devices or network, you enhance your online privacy, block unwanted ads, and protect against malicious sites. Whether you’re using Windows, macOS, Android, iOS, or a router, these steps will help you easily integrate AdGuard DNS into your internet setup.

Encrypting DNS traffic is a crucial step in protecting user privacy and preventing ISP surveillance. Both DoH and DoT offer effective solutions, each with its own set of advantages and limitations. As internet privacy concerns continue to grow, the adoption of these protocols will likely increase, providing users with enhanced security and privacy online.

Step-by-Step Guide to Using pfSense and Unbound for Your Own DNS Server

Introduction

pfSense is a widely-used open-source firewall and router that includes many features for network management, including DNS services. Unbound is a validating, recursive, and caching DNS resolver that can be used in conjunction with pfSense to create a robust DNS server. This guide will walk you through the process of setting up and configuring Unbound on pfSense.

Prerequisites

• A running pfSense installation.
• Basic understanding of networking and access to the pfSense web interface.

Step 1: Access pfSense Web Interface

1. Open your web browser.
2. Enter the IP address of your pfSense firewall in the address bar.
3. Log in with your pfSense credentials.

Step 2: Enable Unbound (DNS Resolver)

1. Navigate to Services:

• Go to the top menu and click on Services.
• Select DNS Resolver.

1. Enable DNS Resolver:

• Check the box labeled Enable DNS Resolver.
• Ensure Enable Forwarding Mode is unchecked if you want Unbound to perform recursive DNS queries itself.

1. Configure General Settings:

• Network Interfaces: Select the interfaces that should listen for DNS queries (typically LAN).
• Outgoing Network Interfaces: Choose the interfaces Unbound will use to send queries (usually WAN).
• System Domain Local Zone Type: Set to Transparent unless specific configuration requires otherwise.
• DNSSEC: Enable DNSSEC support for additional security if required.

1. Advanced Settings:

• You can adjust settings like cache size, TTL, and other parameters as needed. Default settings are often sufficient for basic setups.

1. Apply Changes:

• Click Save to apply the settings.
• Then click Apply Changes at the top of the page to start the DNS Resolver service.

Step 3: Configure DHCP to Use Unbound

1. Navigate to DHCP Server Settings:

• Go to Services > DHCP Server.

1. Set DNS Servers:

• In the DNS Servers section for each interface (typically LAN), set the DNS server to the IP address of the pfSense interface (e.g., 192.168.1.1).

1. Save and Apply:

• Click Save to apply the changes.

Step 4: Configure Firewall Rules

1. Navigate to Firewall Rules:

• Go to Firewall > Rules.

1. Add Rules for DNS Traffic:

• Ensure there are rules allowing DNS traffic (port 53) from your LAN to the pfSense IP address.
• Typically, this means allowing TCP/UDP traffic on port 53 from the LAN network to This Firewall.

1. Save and Apply:

• Click Save and then Apply Changes.

Step 5: Verify DNS Resolution

1. Test from a Client Device:

• Configure a client device on your network to use the pfSense IP as its DNS server.
• Open a terminal or command prompt on the client device.
• Use the nslookup or dig command to test DNS resolution. For example:
  sh nslookup supportbook.com
  or
  sh dig supportbook.com
• Verify that the queries are being resolved correctly by Unbound.

Step 6: Monitor and Maintain

1. Monitor DNS Queries:

• Go to Status > System Logs > DNS Resolver to view logs and monitor DNS queries handled by Unbound.

1. Periodic Maintenance:

• Regularly check for updates to pfSense and Unbound.
• Monitor performance and make adjustments to caching or other settings as needed.

Additional Configuration (Optional)

• Custom DNS Records: You can add custom DNS records in the DNS Resolver settings under the Host Overrides section.
• Access Control Lists: Set access control lists (ACLs) to restrict which IP ranges can query your DNS resolver.
• Advanced DNS Features: Explore advanced features such as DNS over TLS (DoT) or DNS over HTTPS (DoH) if required for enhanced privacy and security.

Setting up Unbound on pfSense provides a powerful and flexible DNS server solution, offering improved privacy, security, and performance for your network. By following this step-by-step guide, you can ensure that your DNS queries are handled efficiently and securely within your own network infrastructure.

Future Work

Future research should focus on the long-term performance impacts of these encryption methods, the evolution of ISP countermeasures, and the development of new technologies to further enhance DNS privacy.

---

References

• Kintis, P., et al. (2016). “Hiding in Plain Sight: A Longitudinal Study of Internet-Scale Exploitation of DNS-over-HTTPs.” Proceedings of the 2016 ACM Conference on Computer and Communications Security (CCS 2016).
• Lu, Z., & Guo, Y. (2019). “DNS over HTTPS: Privacy or Performance?” IEEE Conference on Communications and Network Security (CNS 2019).
• Holz, R., et al. (2014). “TLS in the wild: An Internet-wide analysis of TLS-based protocols for electronic communication.” Network and Distributed System Security Symposium (NDSS 2014).

---

About the Author

Support Book

Administrator

Visit Website View All Posts