Where is Your DNS? Ever Wondered!
If you connect to a website by its IP address, no name lookup is needed: the packets simply go out through your ISP (Internet Service Provider).
If you use a domain name, it has to be resolved to an IP address first. In principle the IP stack of your device could contain a full DNS resolver, applications (usually browsers) would call it, and every query to the authoritative servers would be made by your own device.
Note: this is not how it has worked for the last 20-25 years.
In a real IP stack, the piece of software that does the resolution is not a full resolver; it is a stub that hands the work to a recursive resolver somewhere else.
This is how a DNS query works in general:
Stub Resolver (OS resolver) -> ISP Resolver (recursive name server, which does the real work and caches the answers) -> DNS Authoritative Server.
Learn More About DNS queries here.
There are two sides of the DNS network: Authoritative (the content side) and Resolver (the consumer side). Every domain needs an authoritative DNS provider. On the other hand, every device that connects to the Internet needs a DNS resolver. Which resolver is used depends on the network you connect to (usually your ISP, or the coffee shop's router, hands one out over DHCP).
Initially the resolver was the one provided by your ISP: the ISP's resolver queries the authoritative DNS servers on your behalf (and caches the answers). This is called Local DNS Resolution.
Later, Remote DNS Resolution started to happen: your queries still have to cross the ISP's network, but they go to a topologically distant resolver, either a paid one (Cisco Umbrella / OpenDNS) or a free one such as Cloudflare.
DoH (DNS over HTTPS Protocol)
On April 1, 2018, Cloudflare announced the launch of 1.1.1.1 as the fastest, privacy-first consumer DNS service. This was very disturbing for the group of people who want to monitor every activity of ordinary users. Of course, by "group of people" I mean bad people, or good people with bad intentions!
- It transmits DNS queries to the resolver over an HTTPS connection, i.e. HTTP carried over TLS (Transport Layer Security, the successor of SSL), which encrypts both the DNS queries and the responses.
- The main objective is to mix DNS traffic in with ordinary HTTPS web traffic on port 443, instead of sending DNS queries in clear text on port 53.
- It can be used by any HTTPS-speaking application, bypassing the OS resolver and its settings.
Main changes to the DNS resolution process:
- The device-to-resolver connection is encrypted and hidden inside web traffic.
- Each application can use a different resolver.
- DNS becomes an application-level service.
- Each application maker can hardwire their own remote resolver, at least as a default.
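To make the two paths concrete, here is an added example (not code from the original post or from Cloudflare): the same DNS message, encoded in RFC 1035 wire format, is first sent the classic way, in clear text over UDP to port 53, and then as DoH, where the identical bytes are POSTed inside TLS to port 443 with the `application/dns-message` media type (RFC 8484). Only the Python standard library is used. The DoH endpoint is the Cloudflare one named later on this page; the helper names and the hostname `example.com` are this example's own choices.

```python
import http.client
import os
import socket
import struct

DOH_HOST = "mozilla.cloudflare-dns.com"   # DoH endpoint named in the page's Firefox steps
DOH_PATH = "/dns-query"
PLAIN_RESOLVER = ("1.1.1.1", 53)          # same operator, classic clear-text port 53

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Encode a single-question DNS message (RFC 1035 wire format).

    RFC 8484 recommends transaction id 0 for DoH so that identical queries
    produce identical HTTP bodies (cache friendly); UDP should use a random id.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_answers(msg: bytes) -> list:
    """Return [(name, type, ttl, rdata)] from the answer section.

    A records are decoded to dotted quads; other types keep raw rdata bytes.
    Raises ValueError when the server reports a non-zero RCODE.
    """
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def query_plain_udp(name: str, timeout: float = 3.0) -> list:
    """Classic path: clear-text UDP to port 53. Anyone on the path sees the name."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), PLAIN_RESOLVER)
        data, _ = sock.recvfrom(4096)
    if data[:2] != txid.to_bytes(2, "big"):
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    return parse_answers(data)


def query_doh(name: str, timeout: float = 5.0) -> list:
    """DoH path: the identical bytes, POSTed inside TLS to port 443."""
    conn = http.client.HTTPSConnection(DOH_HOST, 443, timeout=timeout)  # TLS + cert check
    conn.request("POST", DOH_PATH, body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    ctype = resp.getheader("Content-Type") or ""
    if resp.status != 200 or not ctype.startswith("application/dns-message"):
        raise ValueError(f"unexpected DoH response: {resp.status} {ctype}")
    return parse_answers(body)


if __name__ == "__main__":
    for label, fn in (("UDP/53 (clear)", query_plain_udp), ("DoH/443", query_doh)):
        try:
            print(label, fn("example.com"))
        except (OSError, ValueError) as exc:
            print(label, "failed:", exc)
```

Run it with a packet capture open and the difference is visible at once: the UDP query shows `example.com` in plain text, while the DoH request is just one more TLS session to port 443 whose only visible hint is the SNI `mozilla.cloudflare-dns.com`. The transaction-id check in `query_plain_udp` is the only protection the classic path has against a spoofed reply; the DoH path gets that from the TLS certificate instead.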
What are the concerns of ISPs and governments over DoH?
The truth is that even when you are visiting a website over HTTPS (the little lock in your browser), that does not keep your DNS resolver (by default your ISP's) from learning the identity of every site you visit.
But when DNS queries travel inside encrypted HTTPS traffic, it is impossible from the outside to distinguish whether some HTTPS traffic carries DNS queries or a normal web page, unless you block all HTTPS traffic.
Real worries: suppose someone wants to track you on your path to the remote resolver. Today DNS is not encrypted and the transport is not encrypted, so they can see all your queries, track you, and build a list of everything you look at on the Internet, because everything starts with a DNS resolution. For example, your ISP may want to keep track of your activities and somehow monetize them.
Good or bad cases with DNS over HTTPS:
With Local DNS resolution (your ISP's own resolver) this is mainly a privacy problem, not an interception problem: the clear-text queries travel only inside the ISP's network, so a third party cannot intercept them unless the ISP itself is compromised. For people using a remote resolver, and there are many people who actually want to use one, DoH really changes the security of the connection.
There are a number of cases where using a remote resolver over DoH is good, because in the end it gives you more privacy and security on your connection. But is it good or bad in every case?
Case 1: ISPs using transparent DNS proxies
Many ISPs run transparent DNS proxies. You think you have configured a remote resolver, because you put its address in your system settings, but the ISP still intercepts your queries on port 53, since they are in the clear, and answers them itself. It can log them, track you and apply policies, maybe some legally mandated filtering of certain content. A quick way to spot such a proxy is to send a DNS query to an address that should not be running a resolver at all (for example an unrelated, random IP address): if you get an answer anyway, something on the path is intercepting port 53. DoH prevents this, because the proxy can neither see nor rewrite queries hidden inside HTTPS.
Case 2: Device-to-resolver connection encrypted and mixed with web traffic

| Good | Bad | No difference |
|---|---|---|
| If you use remote resolution and are tracked or attacked. | If you trust your ISP / it does good things for you. | If you use local resolution and are attacked or tracked, unless the attacker is on the ISP's network. |
| If you don't trust your ISP / it does bad things to you. | Your ISP uses a transparent proxy, for example to filter out botnets and malware, or gives you voluntary services like parental control or productivity controls, so that your children can't see specific content at certain times of day. | |
Case 3: Each application can use a different resolver

| Good | Bad | No difference |
|---|---|---|
| If the application maker is smarter than the user and is honest. | If the application maker is smarter than the user and is dishonest. | If each DoH application used the OS settings (but you really can't force them to). |
| If you don't trust your OS. | If the user is smarter than the application maker. | |
Configure DNS over HTTPS:
For Firefox users:
- type "about:config" in the address bar
- type "network.trr" in the search field
- double click on "network.trr.mode"
- type "2" in the field and press OK (mode 2 means: use DoH first and fall back to the OS resolver if it fails; mode 3 means DoH only, with no fallback)
- make sure "network.trr.uri" is set to "https://mozilla.cloudflare-dns.com/dns-query"
- Now encrypt the Server Name Indication
- type "network.security.esni.enabled" in the search field
- double click on it to toggle it to "true"
- Restart your browser! Congrats, you are awesome!
- Finally, check your browser security here
- Check your connection here
Note: these steps describe the Firefox builds current when this post was written. Current Firefox exposes the same choice under Settings > Privacy & Security > DNS over HTTPS, and the ESNI experiment has since been replaced by Encrypted Client Hello (ECH), so the "network.security.esni.enabled" preference no longer exists. Without ESNI/ECH, the SNI of the DoH connection still reveals which resolver you talk to, though not the names you look up.
For Chrome users:
- Click here and follow the steps
- At the time of writing it was only available for Chrome Mobile; desktop Chrome has since gained a "Use secure DNS" option under Settings > Privacy and security > Security.
Solution for network administrators for DoH: "DON'T TALK TO STRANGERS". In other words, let the devices on your network talk only to the resolver you operate or approve: block outbound port 53 to anything else, and block or alert on TLS connections to public DoH endpoints you have not approved. Firefox also honours a canary domain, use-application-dns.net: if the network's resolver returns NXDOMAIN (or no address records) for it, Firefox does not turn on DoH automatically on that network, although a user who enabled DoH explicitly is not affected.
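A minimal version of that "don't talk to strangers" check, as an added example that is not part of the original post: it walks a constructed flow log (this example's own format, not any real sensor's) and flags clients whose DNS goes anywhere except the approved resolver, whether as clear-text port 53 or as DoH hidden in port-443 TLS and recognised by its SNI. The DoH hostnames are real public endpoints; the client addresses, the approved resolver 10.0.0.53, the 203.0.113.10 placeholder and the log lines are constructed for the example.

```python
from collections import namedtuple
from typing import Optional

Flow = namedtuple("Flow", "src dst dport proto sni")

# Resolver the administrator wants every device to use (constructed address).
APPROVED_RESOLVER = "10.0.0.53"

# Public DoH endpoints (real names), matched against the TLS SNI of port-443 flows.
KNOWN_DOH_HOSTS = {
    "mozilla.cloudflare-dns.com",
    "cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
}

# Constructed log, one flow per line: "src dst dport proto sni"
# ("-" means no TLS or no SNI; 203.0.113.10 is a documentation-range placeholder).
SAMPLE_LOG = """\
10.0.0.17 10.0.0.53 53 udp -
10.0.0.17 93.184.216.34 443 tcp example.com
10.0.0.23 8.8.8.8 53 udp -
10.0.0.23 203.0.113.10 443 tcp mozilla.cloudflare-dns.com
10.0.0.31 9.9.9.9 443 tcp dns.quad9.net
10.0.0.31 10.0.0.53 53 tcp -
"""


def parse_log(text: str) -> list:
    """Turn the constructed space-separated records into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, proto, sni = line.split()
        flows.append(Flow(src, dst, int(dport), proto,
                          None if sni == "-" else sni.lower()))
    return flows


def classify(flow: Flow) -> Optional[str]:
    """Return a finding for a flow that talks to a stranger, or None if it is fine.

    Two cases are caught:
      * classic DNS (port 53) to any resolver other than the approved one;
      * TLS to port 443 whose SNI names a known public DoH endpoint.
    Anything addressed to the approved resolver is fine on either port.
    """
    if flow.dst == APPROVED_RESOLVER:
        return None
    if flow.dport == 53:
        return f"{flow.src} sends clear-text DNS to foreign resolver {flow.dst}"
    if flow.dport == 443 and flow.sni in KNOWN_DOH_HOSTS:
        return (f"{flow.src} uses DoH via {flow.sni} ({flow.dst}), "
                f"bypassing {APPROVED_RESOLVER}")
    return None


def find_strangers(text: str) -> list:
    """All findings for a log, in log order."""
    return [f for f in (classify(flow) for flow in parse_log(text)) if f]


if __name__ == "__main__":
    for finding in find_strangers(SAMPLE_LOG):
        print("ALERT:", finding)
```

The SNI match only catches DoH servers you already know about, and once ECH (the successor of the ESNI setting mentioned above) is in use, the SNI is encrypted too. That is why the robust policy is deny-by-default on port 53 plus the browser-side canary domain, with SNI matching as a detection layer on top rather than the only control.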
The real question is: who should choose your resolver?
- The user?
- The ISP?
- The browser?
- The ISP, on behalf of the user?
- The browser, on behalf of the user?
Who should be entitled to apply policies to your DNS?
- The government?
- The resolver?
- The network administrator?
DNS resolution is the very first thing done in the background when you connect to the Internet, and the most important thing to focus on. It is entirely up to you to choose a DNS resolver you trust and to configure your device with the IP address of that remote resolver. In my opinion Cloudflare is putting great effort into making it secure and fast, so you could use 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9). Cloudflare says that it keeps DNS query logs for only 24 hours, does not write the querying IP address to disk, and does not use browser data for targeting ads. You can take domain hosting services from Cloudflare here.
What do you think about it? Let us know in the comments below!